- update excluders to latest, in non-upgrade scenarios do not update

- check both available excluder versions are at most of upgrade target version
- get excluder status through status command
- make excluders enablement configurable

playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade.yml

@@ -46,7 +46,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml

@@ -54,7 +54,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml

@@ -47,7 +47,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_4/upgrade.yml

@@ -46,7 +46,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml

@@ -54,7 +54,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml

@@ -47,7 +47,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade.yml

@@ -46,7 +46,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml

@@ -54,7 +54,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/byo/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml

@@ -47,7 +47,7 @@
   tags:
   - pre_upgrade
 
-- include: ../../../../common/openshift-cluster/disable_excluder.yml
+- include: ../../../../common/openshift-cluster/upgrades/disable_excluder.yml
   tags:
   - pre_upgrade
 

playbooks/common/openshift-cluster/config.yml

@@ -27,6 +27,9 @@
     when: openshift_docker_selinux_enabled is not defined
 
 - include: disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
   tags:
   - always
 

playbooks/common/openshift-cluster/disable_excluder.yml

@@ -3,9 +3,15 @@
   hosts: l_oo_all_hosts
   gather_facts: no
   tasks:
+
+  # During installation the excluders are installed with present state.
+  # So no pre-validation check here as the excluders are either to be installed (present = latest)
+  # or they are not going to be updated if already installed
+
+  # disable excluders based on their status
   - include_role:
       name: openshift_excluder
-      tasks_from: status
-  - include_role:
-      name: openshift_excluder
-      tasks_from: unexclude
+      tasks_from: disable
+    vars:
+      openshift_excluder_package_state: present
+      docker_excluder_package_state: present

playbooks/common/openshift-cluster/initialize_openshift_version.yml

@@ -19,6 +19,9 @@
     when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout"
 
 - include: disable_excluder.yml
+  vars:
+    # the excluders needs to be disabled no matter what status says
+    with_status_check: false
   tags:
   - always
 

playbooks/common/openshift-cluster/reset_excluder.yml

@@ -5,4 +5,4 @@
   tasks:
   - include_role:
       name: openshift_excluder
-      tasks_from: reset
+      tasks_from: enable

playbooks/common/openshift-cluster/upgrades/disable_excluder.yml

@@ -0,0 +1,21 @@
+---
+- name: Record excluder state and disable
+  hosts: l_oo_all_hosts
+  gather_facts: no
+  tasks:
+  - include: pre/validate_excluder.yml
+    vars:
+      #repoquery_cmd: repoquery_cmd
+      #openshift_upgrade_target: openshift_upgrade_target
+      excluder: "{{ item }}"
+    with_items:
+    - "{{ openshift.common.service_type }}-docker-excluder"
+    - "{{ openshift.common.service_type }}-excluder"
+
+  # disable excluders based on their status
+  - include_role:
+      name: openshift_excluder
+      tasks_from: disable
+    vars:
+      openshift_excluder_package_state: latest
+      docker_excluder_package_state: latest

playbooks/common/openshift-cluster/upgrades/pre/validate_excluder.yml

@@ -0,0 +1,22 @@
+---
+# input variables:
+# - repoquery_cmd
+# - excluder
+# - openshift_upgrade_target
+- name: Get available excluder version
+  command: >
+    {{ repoquery_cmd }} --qf '%{version}' "{{ excluder }}"
+  register: excluder_version
+  failed_when: false
+  changed_when: false
+
+- name: Docker excluder version detected
+  debug:
+    msg: "{{ excluder }}: {{ excluder_version.stdout }}"
+
+- name: Check the available {{ excluder }} version is at most of the upgrade target version
+  fail:
+    msg: "Available {{ excluder }} version {{ excluder_version.stdout }} is higher than the upgrade target version {{ openshift_upgrade_target }}"
+  when:
+    - "{{ excluder_version.stdout != '' }}"
+    - "{{ excluder_version.stdout.split('.')[0:2] | join('.') | version_compare(openshift_upgrade_target, '>', strict=True) }}"

roles/openshift_excluder/README.md

@@ -15,8 +15,11 @@ Facts
 
 | Name                       | Default Value | Description                            |
 -----------------------------|---------------|----------------------------------------|
-| docker_excluder_enabled | none          | Records the status of docker excluder |
-| openshift_excluder_enabled | none | Records the status of the openshift excluder |
+| enable_docker_excluder     | enable_excluders | Enable docker excluder. If not set, the docker excluder is ignored. |
+| enable_openshift_excluder  | enable_excluders | Enable openshift excluder. If not set, the openshift excluder is ignored. |
+| enable_excluders           | None             | Enable all excluders
+| enable_docker_excluder_override     | None | indication the docker excluder needs to be enabled |
+| disable_openshift_excluder_override | None | indication the openshift excluder needs to be disabled |
 
 Role Variables
 --------------
@@ -25,6 +28,16 @@ None
 Dependencies
 ------------
 
+Tasks to include
+----------------
+
+- exclude: enable excluders (assuming excluders are installed)
+- unexclude: disable excluders (assuming excluders are installed)
+- install: install excluders (installation is followed by excluder enabling)
+- enable: enable excluders (optionally with installation step)
+- disabled: disable excluders (optionally with installation and status step, the status check that can override which excluder gets enabled/disabled)
+- status: determine status of excluders
+
 Example Playbook
 ----------------
 

roles/openshift_excluder/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# keep the 'current' package or update to 'latest' if available?
+openshift_excluder_package_state: present
+docker_excluder_package_state: present

roles/openshift_excluder/tasks/adjust.yml

@@ -0,0 +1,23 @@
+---
+# Depending on enablement of individual excluders and their status
+# some excluders needs to be disabled, resp. enabled
+# By default, all excluders are disabled unless overrided.
+- block:
+  - include: init.yml
+  # All excluders that are to be enabled are enabled
+  - include: exclude.yml
+    vars:
+      # Enable the docker excluder only if it is overrided
+      enable_docker_excluder: "{{ enable_docker_excluder_override | default(false) | bool }}"
+      # excluder is to be disabled by default
+      enable_openshift_excluder: false
+  # All excluders that are to be disabled are disabled
+  - include: unexclude.yml
+    vars:
+      # If the docker override  is not set, default to the generic behaviour
+      disable_docker_excluder: "{{ not enable_docker_excluder_override | default(not docker_excluder_on) | bool }}"
+      # disable openshift excluder is never overrided to be enabled
+      # disable it if the docker excluder is enabled
+      disable_openshift_excluder: "{{ openshift_excluder_on | bool }}"
+  when:
+  - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/disable.yml

@@ -0,0 +1,26 @@
+---
+# input variables
+# - with_status_check
+# - with_install
+# - excluder_package_state
+# - docker_excluder_package_state
+- include: init.yml
+
+# Install any excluder that is enabled
+- include: install.yml
+  vars:
+    # Both docker_excluder_on and openshift_excluder_on are set in openshift_excluder->init task
+    install_docker_excluder: "{{ docker_excluder_on | bool }}"
+    install_openshift_excluder: "{{ openshift_excluder_on | bool }}"
+  when: docker_excluder_on or openshift_excluder_on
+
+  # if the docker excluder is not enabled, we don't care about its status
+  # it the docker excluder is enabled, we install it and in case its status is non-zero
+  # it is enabled no matter what
+
+# Check the current state of all excluders
+- include: status.yml
+  when: with_status_check | default(docker_excluder_on or openshift_excluder_on) | bool
+
+  # And finally adjust an excluder in order to update host components correctly
+- include: adjust.yml

roles/openshift_excluder/tasks/enable.yml

@@ -0,0 +1,21 @@
+---
+# input variables:
+# - with_install
+- block:
+  - include: init.yml
+
+  - include: install.yml
+    vars:
+      install_docker_excluder: "{{ docker_excluder_on | bool }}"
+      install_openshift_excluder: "{{ openshift_excluder_on | bool }}"
+    when: with_install | default(docker_excluder_on or openshift_excluder_on) | bool
+
+  - include: exclude.yml
+    vars:
+      # Enable the docker excluder only if it is overrided, resp. enabled by default (in that order)
+      enable_docker_excluder: "{{ enable_docker_excluder_override | default(docker_excluder_on) | bool }}"
+      # Enable the openshift excluder only if it is not overrided, resp. enabled by default (in that order)
+      enable_openshift_excluder: "{{ not disable_openshift_excluder_override | default(not openshift_excluder_on) | bool }}"
+
+  when:
+  - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/exclude.yml

@@ -1,11 +1,20 @@
 ---
-- include: install.yml
-  when: not openshift.common.is_containerized | bool
+# input variables:
+# - enable_docker_excluder
+# - enable_openshift_excluder
+- block:
+  - name: Enable docker excluder
+    command: "{{ openshift.common.service_type }}-docker-excluder exclude"
+    # if the docker override is set, it means the docker excluder needs to be enabled no matter what
+    # if the docker override is not set, the excluder is set based on enable_docker_excluder
+    when:
+    - enable_docker_excluder | default(false) | bool
 
-- name: Enable docker excluder
-  command: "{{ openshift.common.service_type }}-docker-excluder exclude"
-  when: not openshift.common.is_containerized | bool
-
-- name: Enable excluder
-  command: "{{ openshift.common.service_type }}-excluder exclude"
-  when: not openshift.common.is_containerized | bool
+  - name: Enable openshift excluder
+    command: "{{ openshift.common.service_type }}-excluder exclude"
+    # if the openshift override is set, it means the openshift excluder is disabled no matter what
+    # if the openshift override is not set, the excluder is set based on enable_openshift_excluder
+    when:
+    - enable_openshift_excluder | default(false) | bool
+  when:
+  - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/init.yml

@@ -0,0 +1,12 @@
+---
+- name: Evalute if docker excluder is to be enabled
+  set_fact:
+    docker_excluder_on: "{{ enable_docker_excluder | default(enable_excluders | default(false)) | bool }}"
+
+- debug: var=docker_excluder_on
+
+- name: Evalute if openshift excluder is to be enabled
+  set_fact:
+    openshift_excluder_on: "{{ enable_openshift_excluder | default(enable_excluders | default(false)) | bool }}"
+
+- debug: var=openshift_excluder_on

roles/openshift_excluder/tasks/install.yml

@@ -1,16 +1,21 @@
 ---
-- name: Install latest excluder
-  package:
-    name: "{{ openshift.common.service_type }}-excluder"
-    state: latest
-  when:
-  - openshift_excluder_enabled | default(false) | bool
-  - not openshift.common.is_containerized | bool
+# input Variables
+# - install_docker_excluder
+# - install_openshift_excluder
+- block:
+
+  - name: Install docker excluder
+    package:
+      name: "{{ openshift.common.service_type }}-docker-excluder"
+      state: "{{ docker_excluder_package_state }}"
+    when:
+    - install_docker_excluder | default(true) | bool
 
-- name: Install latest docker excluder
-  package:
-    name: "{{ openshift.common.service_type }}-excluder"
-    state: latest
+  - name: Install openshift excluder
+    package:
+      name: "{{ openshift.common.service_type }}-excluder"
+      state: "{{ openshift_excluder_package_state }}"
+    when:
+    - install_openshift_excluder | default(true) | bool
   when:
-  - docker_excluder_enabled | default(false) | bool
   - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/reset.yml

@@ -1,12 +0,0 @@
----
-- name: Enable docker excluder
-  command: "{{ openshift.common.service_type }}-docker-excluder exclude"
-  when:
-  - docker_excluder_enabled | default(false) | bool
-  - not openshift.common.is_containerized | bool
-
-- name: Enable excluder
-  command: "{{ openshift.common.service_type }}-excluder exclude"
-  when:
-  - openshift_excluder_enabled | default(false) | bool
-  - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/status.yml

@@ -1,8 +1,4 @@
 ---
-# Latest versions of the excluders include a status function, old packages dont
-# So, if packages are installed, upgrade them to the latest so we get the status
-# If they're not installed when we should assume they're disabled
-
 - name: Determine if excluder packages are installed
   rpm_q:
     name: "{{ openshift.common.service_type }}-excluder"
@@ -10,49 +6,78 @@
   register: openshift_excluder_installed
   failed_when: false
 
+# docker excluder needs to be enable by default
 - name: Determine if docker packages are installed
   rpm_q:
-    name: "{{ openshift.common.service_type }}-excluder"
+    name: "{{ openshift.common.service_type }}-docker-excluder"
     state: present
   register: docker_excluder_installed
   failed_when: false
 
-- name: Update to latest excluder packages
-  package:
-    name: "{{ openshift.common.service_type }}-excluder"
-    state: latest
-  when:
-  - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}"
-  - not openshift.common.is_containerized | bool
+# The excluder status function returns 0 when everything is excluded
+# and 1 if any packages are missing from the exclusions list and outputs a warning to stderr
+# # atomic-openshift-excluder status ; echo $?
+# exclude -- All packages excluded
+# 0
+# # atomic-openshift-excluder unexclude
+# # atomic-openshift-excluder status ; echo $?
+# unexclude -- At least one package not excluded
+# 1
 
-- name: Update to the latest docker-excluder packages
-  package:
-    name: "{{ openshift.common.service_type }}-docker-excluder"
-    state: latest
-  when:
-  - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}"
-  - not openshift.common.is_containerized | bool
+- block:
+  - include: init.yml
+  - block:
+    - name: Record openshift excluder status
+      command: "{{ openshift.common.service_type }}-excluder status"
+      register: excluder_status
+      failed_when: false
 
-- name: Record excluder status
-  command: "{{ openshift.common.service_type }}-excluder"
-  register: excluder_status
-  when:
-  - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}"
-  - not openshift.common.is_containerized | bool
-  failed_when: false
+    # Even though the openshift excluder is enabled
+    # if the status is non-zero, disabled the excluder
+    - name: Override openshift excluder enablement if the status is non-zero
+      set_fact:
+        disable_openshift_excluder_override: true
+      when:
+      - "{{ excluder_status.rc | default(0) != 0 }}"
 
-- name: Record docker excluder status
-  command: "{{ openshift.common.service_type }}-docker-excluder"
-  register: docker_excluder_status
-  when:
-  - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}"
-  - not openshift.common.is_containerized | bool
-  failed_when: false
+    - debug:
+        msg: "Disabling openshift excluder"
+      when:
+      - "{{ excluder_status.rc | default(0) != 0 }}"
+
+    when:
+    - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}"
+    - "{{ openshift_excluder_on }}"
+
+  - block:
+    - name: Record docker excluder status
+      command: "{{ openshift.common.service_type }}-docker-excluder status"
+      register: docker_excluder_status
+      failed_when: false
 
-- name: Set excluder status facts
-  set_fact:
-    docker_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or docker_excluder_installed.installed_versions | default(0) | length == 0 else 'true' }}"
-    openshift_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or openshift_excluder_installed.installed_versions | default(0) | length == 0 else 'true' }}"
+    # If the docker excluder is installed and the status is non-zero
+    # always enable the docker excluder
+    - name: Override docker excluder enablement if the status is non-zero
+      set_fact:
+        enable_docker_excluder_override: true
+      when:
+      - "{{ docker_excluder_status.rc | default(0) != 0 }}"
 
-- debug: var=docker_excluder_enabled
-- debug: var=openshift_excluder_enabled
+    - debug:
+        msg: "Enabling docker excluder"
+      when:
+      - "{{ docker_excluder_status.rc | default(0) != 0 }}"
+
+    # As the docker excluder status is not satisfied,
+    # re-enable entire docker excluder again
+    # At the same time keep the override set in a case other task would
+    - name: Enable docker excluder
+      command: "{{ openshift.common.service_type }}-docker-excluder exclude"
+
+    # Run the docker excluder status even if the excluder is disabled.
+    # In order to determine of the excluder needs to be enabled.
+    when:
+    - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}"
+
+  when:
+  - not openshift.common.is_containerized | bool

roles/openshift_excluder/tasks/unexclude.yml

@@ -1,12 +1,19 @@
 ---
-- name: disable docker excluder
-  command: "{{ openshift.common.service_type }}-docker-excluder unexclude"
-  when:
-  - docker_excluder_enabled | bool
-  - not openshift.common.is_containerized | bool
+# input variables:
+# - disable_docker_excluder
+# - disable_openshift_excluder
+- block:
+  - include: init.yml
+
+  - name: disable docker excluder
+    command: "{{ openshift.common.service_type }}-docker-excluder unexclude"
+    when:
+    - disable_docker_excluder | default(false) | bool
+
+  - name: disable openshift excluder
+    command: "{{ openshift.common.service_type }}-excluder unexclude"
+    when:
+    - disable_openshift_excluder | default(false) | bool
 
-- name: disable excluder
-  command: "{{ openshift.common.service_type }}-excluder unexclude"
   when:
-  - openshift_excluder_enabled | bool
   - not openshift.common.is_containerized | bool