Separated post-install doc from README; additional cleanup

playbooks/openstack/README.md

@@ -6,9 +6,8 @@ etc.). The result is an environment ready for OpenShift installation
 via [openshift-ansible].
 
 We provide everything necessary to be able to install OpenShift on
-OpenStack (including the load balancer servers when necessary). In addition,
-we work on providing integration with the OpenStack-native services (storage,
-lbaas, baremetal as a service, dns, etc.).
+OpenStack. In addition we work on providing integration with the
+OpenStack-native services (storage, lbaas, baremetal as a service, dns, etc.).
 
 
 ## Requirements
@@ -67,12 +66,10 @@ The OpenStack environment must satisfy these requirements:
     the [Minimum Hardware Requirements page][hardware-requirements]
     for production
 * The keypair for SSH must be available in OpenStack
-* `keystonerc` file that lets you talk to the OpenStack services
-   * NOTE: only Keystone V2 is currently supported
+* You must have a`keystonerc` file that lets you talk to the OpenStack services
 
-You may also optionally want:
-
-* External Neutron network with a floating IP address pool
+It is also strongly recommended that you configure an external Neutron network
+with a floating IP address pool.
 
 
 ## Configuration
@@ -137,11 +134,8 @@ openshift_disable_check: disk_availability,memory_availability,docker_storage
 
 **Important**: The default authentication method will allow **any username
 and password** in! If you're running this in a public place, you need
-to set up access control.
+to set up access control by [configuring authentication][configure-authentication].
 
-Feel free to look at
-the [Sample OpenShift Inventory][sample-openshift-inventory] and
-the [configuration][configuration].
 
 ### Advanced Configuration
 
@@ -150,7 +144,7 @@ additional options. These include:
 
 * Set Up Authentication (TODO)
 * [Multiple Masters with a load balancer][loadbalancer]
-* [External Dns][external-dns]
+* [External DNS][external-dns]
 * Multiple Clusters (TODO)
 * [Cinder Registry][cinder-registry]
 
@@ -199,227 +193,12 @@ looks for OpenStack resources and enables Ansible to reference them.
 
 Once installation completes, a few additional steps may be required or useful.
 
-### Configure DNS
-
-OpenShift requires two public DNS records to function fully. The first one points to
-the master/load balancer and provides the UI/API access. The other one is a
-wildcard domain that resolves app route requests to the infra node. A private DNS
-server and records are not required and not managed here.
-
-If you followed the default installation from the README section, there is no
-DNS configured. You should add two entries to the `/etc/hosts` file on the
-Ansible host (where you to do a quick validation. A real deployment will
-however require a DNS server with the following entries set.
-
-First, run the `openstack server list` command and note the floating IP
-addresses of the *master* and *infra* nodes (we will use `10.40.128.130` for
-master and `10.40.128.134` for infra here).
-
-Then add the following entries to your `/etc/hosts`:
-
-```
-10.40.128.130 console.openshift.example.com
-10.40.128.134 cakephp-mysql-example-test.apps.openshift.example.com
-```
-
-This points the cluster domain (as defined in the
-`openshift_master_cluster_public_hostname` Ansible variable in `OSEv3`) to the
-master node and any routes for deployed apps to the infra node.
-
-If you deploy another app, it will end up with a different URL (e.g.
-myapp-test.apps.openshift.example.com) and you will need to add that too.  This
-is why a real deployment should always run a DNS where the second entry will be
-a wildcard `*.apps.openshift.example.com).
-
-This will be sufficient to validate the cluster here.
-
-Take a look at the [External DNS](#dns-configuration-variables) section for
-configuring a DNS service.
-
-
-### Get the `oc` Client
-
-The OpenShift command line client (called `oc`) can be downloaded and extracted
-from `openshift-origin-client-tools` on the OpenShift release page:
-
-https://github.com/openshift/origin/releases/latest/
-
-You can also copy it from the master node:
-
-    $ ansible -i inventory masters[0] -m fetch -a "src=/bin/oc dest=oc"
-
-Once you obtain the `oc` binary, remember to put it in your `PATH`.
-
-
-### Logging in Using the Command Line
-
-```
-oc login --insecure-skip-tls-verify=true https://master-0.openshift.example.com:8443 -u user -p password
-oc new-project test
-oc new-app --template=cakephp-mysql-example
-oc status -v
-curl http://cakephp-mysql-example-test.apps.openshift.example.com
-```
-
-This will trigger an image build. You can run `oc logs -f
-bc/cakephp-mysql-example` to follow its progress.
-
-Wait until the build has finished and both pods are deployed and running:
-
-```
-$ oc status -v
-In project test on server https://master-0.openshift.example.com:8443
-
-http://cakephp-mysql-example-test.apps.openshift.example.com (svc/cakephp-mysql-example)
-  dc/cakephp-mysql-example deploys istag/cakephp-mysql-example:latest <-
-    bc/cakephp-mysql-example source builds https://github.com/openshift/cakephp-ex.git on openshift/php:7.0
-    deployment #1 deployed about a minute ago - 1 pod
-
-svc/mysql - 172.30.144.36:3306
-  dc/mysql deploys openshift/mysql:5.7
-    deployment #1 deployed 3 minutes ago - 1 pod
-
-Info:
-  * pod/cakephp-mysql-example-1-build has no liveness probe to verify pods are still running.
-    try: oc set probe pod/cakephp-mysql-example-1-build --liveness ...
-View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
-
-```
-
-You can now look at the deployed app using its route:
-
-```
-$ curl http://cakephp-mysql-example-test.apps.openshift.example.com
-```
-
-Its `title` should say: "Welcome to OpenShift".
-
-
-### Accessing the UI
-
-You can access the OpenShift cluster with a web browser by going to:
-
-https://master-0.openshift.example.com:8443
-
-Note that for this to work, the OpenShift nodes must be accessible
-from your computer and its DNS configuration must use the cluster's
-DNS.
+* [Configure DNS][configure-dns]
+* [Get the `oc` Client][get-the-oc-client]
+* [Log in Using the Command Line][log-in-using-the-command-line]
+* [Access the UI][access-the-ui]
 
-### Running Custom Post-Provision Actions
-
-A custom playbook can be run like this:
-
-```
-ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml
-```
-
-If you'd like to limit the run to one particular host, you can do so as follows:
-
-```
-ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml -l app-node-0.openshift.example.com
-```
-
-You can also create your own custom playbook. Here are a few examples:
-
-#### Adding additional YUM repositories
-
-```
----
-- hosts: app
-  tasks:
-
-  # enable EPL
-  - name: Add repository
-    yum_repository:
-      name: epel
-      description: EPEL YUM repo
-      baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
-```
-
-This example runs against app nodes. The list of options include:
-
-  - cluster_hosts (all hosts: app, infra, masters, dns, lb)
-  - OSEv3 (app, infra, masters)
-  - app
-  - dns
-  - masters
-  - infra_hosts
-
-#### Attaching additional RHN pools
-
-```
----
-- hosts: cluster_hosts
-  tasks:
-  - name: Attach additional RHN pool
-    become: true
-    command: "/usr/bin/subscription-manager attach --pool=<pool ID>"
-    register: attach_rhn_pool_result
-    until: attach_rhn_pool_result.rc == 0
-    retries: 10
-    delay: 1
-```
-
-This playbook runs against all cluster nodes. In order to help prevent slow connectivity
-problems, the task is retried 10 times in case of initial failure.
-Note that in order for this example to work in your deployment, your servers must use the RHEL image.
-
-#### Adding extra Docker registry URLs
-
-This playbook is located in the [custom-actions](https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack/custom-actions) directory.
-
-It adds URLs passed as arguments to the docker configuration program.
-Going into more detail, the configuration program (which is in the YAML format) is loaded into an ansible variable
-([lines 27-30](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L27-L30))
-and in its structure, `registries` and `insecure_registries` sections are expanded with the newly added items
-([lines 56-76](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L56-L76)).
-The new content is then saved into the original file
-([lines 78-82](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L78-L82))
-and docker is restarted.
-
-Example usage:
-```
-ansible-playbook -i <inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml  --extra-vars '{"registries": "reg1", "insecure_registries": ["ins_reg1","ins_reg2"]}'
-```
-
-#### Adding extra CAs to the trust chain
-
-This playbook is also located in the [custom-actions](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions) directory.
-It copies passed CAs to the trust chain location and updates the trust chain on each selected host.
-
-Example usage:
-```
-ansible-playbook -i <inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/add-cas.yml --extra-vars '{"ca_files": [<absolute path to ca1 file>, <absolute path to ca2 file>]}'
-```
-
-Please consider contributing your custom playbook back to openshift-ansible-contrib!
-
-A library of custom post-provision actions exists in `openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions`. Playbooks include:
-
-* [add-yum-repos.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-yum-repos.yml): adds a list of custom yum repositories to every node in the cluster
-* [add-rhn-pools.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-rhn-pools.yml): attaches a list of additional RHN pools to every node in the cluster
-* [add-docker-registry.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml): adds a list of docker registries to the docker configuration on every node in the cluster
-* [add-cas.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-rhn-pools.yml): adds a list of CAs to the trust chain on every node in the cluster
-
-
-### Scale Deployment up/down
-
-#### Scaling up
-
-One can scale up the number of application nodes by executing the ansible playbook
-`openshift-ansible-contrib/playbooks/provisioning/openstack/scale-up.yaml`.
-This process can be done even if there is currently no deployment available.
-The `increment_by` variable is used to specify by how much the deployment should
-be scaled up (if none exists, it serves as a target number of application nodes).
-The path to `openshift-ansible` directory can be customised by the `openshift_ansible_dir`
-variable. Its value must be an absolute path to `openshift-ansible` and it cannot
-contain the '/' symbol at the end.
-
-Usage:
-
-```
-ansible-playbook -i <path to inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/scale-up.yaml` [-e increment_by=<number>] [-e openshift_ansible_dir=<path to openshift-ansible>]
-```
+Read the [Post-Install page][post-install] for a full list of options.
 
 
 ## Uninstall
@@ -438,6 +217,7 @@ openstack stack delete --wait --yes openshift.example.com
 [devstack]: https://docs.openstack.org/devstack/
 [tripleo]: http://tripleo.org/
 [packstack]: https://www.rdoproject.org/install/packstack/
+[configure-authentication]: https://docs.openshift.org/latest/install_config/configuring_authentication.html
 [control-host-image]: https://hub.docker.com/r/redhatcop/control-host-openstack/
 [hardware-requirements]: https://docs.openshift.org/latest/install_config/install/prerequisites.html#hardware
 [origin]: https://www.openshift.org/
@@ -447,4 +227,10 @@ openstack stack delete --wait --yes openshift.example.com
 [loadbalancer]: ./configuration.md#multi-master-configuration
 [external-dns]: ./configuration.md#dns-configuration
 [cinder-registry]: ./configuration.md#cinder-backed-registry-configuration
+[post-install]: ./post-install.md
+[configure-dns]: ./post-install.md#configure-dns
+[get-the-oc-client]: ./post-install.md#get-the-oc-client
+[log-in-using-the-command-line]: ./post-install.md#log-in-using-the-command-line
+[access-the-ui]: ./post-install.md#access-the-ui
+[scale-deployment]: ./post-install.md#scale-deployment
 [dynamic]: http://docs.ansible.com/ansible/latest/intro_dynamic_inventory.html

playbooks/openstack/configuration.md

@@ -15,7 +15,6 @@ configuration.
 * [Provider Network Configuration](#provider-network-configuration)
 * [Multi-Master Configuration](#multi-master-configuration)
 * [Provider Network Configuration](#provider-network-configuration)
-* [Security Configuration](#security-configuration)
 * [Cinder-Backed Persistent Volumes Configuration](#cinder-backed-persistent-volumes-configuration)
 * [Cinder-Backed Registry Configuration](#cinder-backed-registry-configuration)
 
@@ -47,8 +46,6 @@ In `inventory/group_vars/all.yml`:
 * `openshift_openstack_etcd_flavor`
 
 * `openshift_openstack_external_network_name` OpenStack network providing external connectivity.
-* `openshift_openstack_private_network_name` OpenStack network providing admin/control access for Ansible. It can be merged with other
-cluster networks; there are no special requirements for networking.
 
 * `openshift_openstack_cluster_node_labels` Custom labels for openshift cluster node groups; currently supports app and infra node groups.
 The default value of this variable sets `region: primary` to app nodes and `region: infra` to infra nodes. An example of setting a customized label:
@@ -59,7 +56,7 @@ openshift_openstack_cluster_node_labels:
     mylabel: myvalue
 ```
 
-* `openshift_openstack_provision_user_commands` Allows users to execute shell commands via cloud-init for all of the created Nova servers in the Heat stack, before they are available for SSH connections. Note that you should use custom Ansible playbooks whenever possible. User specified shell commands for cloud-init need to be either strings or lists:
+* `openshift_openstack_provision_user_commands` Allows users to execute shell commands via cloud-init for all of the created Nova servers in the Heat stack, before they are available for SSH connections. Note that you should use [custom Ansible playbooks](./configuration.md#dns-configuration) whenever possible. User specified shell commands for cloud-init need to be either strings or lists:
 
 ```
 - openshift_openstack_provision_user_commands:
@@ -82,7 +79,7 @@ openshift_openstack_cluster_node_labels:
 
 * `openshift_openstack_flat_secgrp` Set to True if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set of firewall rules for master, node, etcd and infra nodes.
 
-* `openshift_openstack_required_packages` List of additional prerequisite packages to be installed before deploying an OpenShift cluster. Ignored if `manage_packages: False`.
+* `openshift_openstack_required_packages` List of additional prerequisite packages to be installed before deploying an OpenShift cluster.
 
 
 ## OpenShift Configuration
@@ -160,27 +157,6 @@ by OpenShift on OSP10 reference architecture, and used in a mixed mode with
 another external DNS server.
 
 
-## Flannel Networking Configuration
-
-In order to configure the
-[Flannel networking](https://docs.openshift.com/container-platform/3.6/install_config/configuring_sdn.html#using-flannel),
-uncomment and adjust the appropriate `inventory/group_vars/OSEv3.yml` group vars.
-Note that the `osm_cluster_network_cidr` must not overlap with the default
-Docker bridge subnet of 172.17.0.0/16. Or you should change the docker0 default
-CIDR range otherwise. For example, by adding `--bip=192.168.2.1/24` to
-`DOCKER_NETWORK_OPTIONS` located in `/etc/sysconfig/docker-network`.
-
-Also note that the flannel network will be provisioned on a separate isolated Neutron
-subnet defined from `osm_cluster_network_cidr` and having ports security disabled.
-Use the `openstack_private_data_network_name` variable to define the network
-name for the heat stack resource.
-
-After the cluster deployment done, you should run an additional post installation
-step for flannel and docker iptables configuration:
-
-    ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-install.yml
-
-
 ## Kuryr Networking Configuration
 
 If you opt to use Kuryr for networking, make sure that you review all
@@ -226,28 +202,6 @@ In `inventory/group_vars/all.yml`:
 * `openshift_openstack_provider_network_name` Provider network name. Setting this will cause the `openshift_openstack_external_network_name` and `openshift_openstack_private_network_name` parameters to be ignored.
 
 
-## Security Configuration
-
-Configure required `*_ingress_cidr` variables to restrict public access
-to provisioned servers from your laptop (a /32 notation should be used)
-or your trusted network.
-
-You can use the command ``curl https://api.ipify.org`` to find the external
-IP address of your box (the ansible admin node).
-
-In `inventory/group_vars/all.yml`:
-
-* `openshift_openstack_node_ingress_cidr` Restricts public access to the deployed DNS server and cluster nodes' ephemeral ports range.
-* `openshift_openstack_ssh_ingress_cidr`
-* `openshift_openstack_lb_ingress_cidr`
-
-There is also the `manage_packages` variable (defaults to True) you
-may want to turn off in order to speed up the provisioning tasks. This may
-be the case for development environments. When turned off, the servers will
-be provisioned omitting the ``yum update`` command. This brings security
-implications though, and is not recommended for production deployments.
-
-
 ## Cinder-Backed Persistent Volumes Configuration
 
 You will need to set up OpenStack credentials. You can try putting this in your
@@ -354,73 +308,7 @@ spec:
 
 ## Cinder-Backed Registry Configuration
 
-You can optionally have the playbooks create a Cinder volume and set
-it up as the OpenShift hosted registry.
-
-To do that you need specify the desired Cinder volume name and size in
-Gigabytes in `inventory/group_vars/all.yml`:
-
-    openshift_openstack_cinder_hosted_registry_name: cinder-registry
-    openshift_openstack_cinder_hosted_registry_size_gb: 10
-
-With this, the playbooks will create the volume and set up its
-filesystem. If there is an existing volume of the same name, we will
-use it but keep the existing data on it.
-
-To use the volume for the registry, you must first configure it with
-the OpenStack credentials by putting the following to `OSEv3.yml`:
-
-    openshift_cloudprovider_openstack_username: "{{ lookup('env','OS_USERNAME') }}"
-    openshift_cloudprovider_openstack_password: "{{ lookup('env','OS_PASSWORD') }}"
-    openshift_cloudprovider_openstack_auth_url: "{{ lookup('env','OS_AUTH_URL') }}"
-    openshift_cloudprovider_openstack_tenant_name: "{{ lookup('env','OS_TENANT_NAME') }}"
-
-This will use the credentials from your shell environment. If you want
-to enter them explicitly, you can. You can also use credentials
-different from the provisioning ones (say for quota or access control
-reasons).
-
-**NOTE**: If you're testing this on (DevStack)[devstack], you must
-explicitly set your Keystone API version to v2 (e.g.
-`OS_AUTH_URL=http://10.34.37.47/identity/v2.0`) instead of the default
-value provided by `openrc`. You may also encounter the following issue
-with Cinder:
-
-https://github.com/kubernetes/kubernetes/issues/50461
-
-You can read the (OpenShift documentation on configuring
-OpenStack)[openstack] for more information.
-
-[devstack]: https://docs.openstack.org/devstack/latest/
-[openstack]: https://docs.openshift.org/latest/install_config/configuring_openstack.html
-
-
-Next, we need to instruct OpenShift to use the Cinder volume for its
-registry. Again in `OSEv3.yml`:
-
-    #openshift_hosted_registry_storage_kind: openstack
-    #openshift_hosted_registry_storage_access_modes: ['ReadWriteOnce']
-    #openshift_hosted_registry_storage_openstack_filesystem: xfs
-
-The filesystem value here will be used in the initial formatting of
-the volume.
-
-If you're using the dynamic inventory, you must uncomment these two values as
-well:
-
-    #openshift_hosted_registry_storage_openstack_volumeID: "{{ lookup('os_cinder', openshift_openstack_cinder_hosted_registry_name).id }}"
-    #openshift_hosted_registry_storage_volume_size: "{{ openshift_openstack_cinder_hosted_registry_size_gb }}Gi"
-
-But note that they use the `os_cinder` lookup plugin we provide, so you must
-tell Ansible where to find it either in `ansible.cfg` (the one we provide is
-configured properly) or by exporting the
-`ANSIBLE_LOOKUP_PLUGINS=openshift-ansible-contrib/lookup_plugins` environment
-variable.
-
-
-### Using an existing Cinder volume for the OpenShift registry
-
-You can also use a pre-existing Cinder volume for the storage of your
+You can use a pre-existing Cinder volume for the storage of your
 OpenShift registry.
 
 To do that, you need to have a Cinder volume. You can create one by

playbooks/openstack/post-install.md

@@ -0,0 +1,216 @@
+# Post-Install
+
+* [Configure DNS](#configure-dns)
+* [Get the `oc` Client](#get-the-oc-client)
+* [Log in Using the Command Line](#log-in-using-the-command-line)
+* [Access the UI](#access-the-ui)
+* [Run Custom Post-Provision Actions](#run-custom-post-provision-actions)
+
+
+## Configure DNS
+
+OpenShift requires two public DNS records to function fully. The first one points to
+the master/load balancer and provides the UI/API access. The other one is a
+wildcard domain that resolves app route requests to the infra node. A private DNS
+server and records are not required and not managed here.
+
+If you followed the default installation from the README section, there is no
+DNS configured. You should add two entries to the `/etc/hosts` file on the
+Ansible host (where you to do a quick validation. A real deployment will
+however require a DNS server with the following entries set.
+
+First, run the `openstack server list` command and note the floating IP
+addresses of the *master* and *infra* nodes (we will use `10.40.128.130` for
+master and `10.40.128.134` for infra here).
+
+Then add the following entries to your `/etc/hosts`:
+
+```
+10.40.128.130 console.openshift.example.com
+10.40.128.134 cakephp-mysql-example-test.apps.openshift.example.com
+```
+
+This points the cluster domain (as defined in the
+`openshift_master_cluster_public_hostname` Ansible variable in `OSEv3`) to the
+master node and any routes for deployed apps to the infra node.
+
+If you deploy another app, it will end up with a different URL (e.g.
+myapp-test.apps.openshift.example.com) and you will need to add that too.  This
+is why a real deployment should always run a DNS where the second entry will be
+a wildcard `*.apps.openshift.example.com).
+
+This will be sufficient to validate the cluster here.
+
+Take a look at the [External DNS][external-dns] section for
+configuring a DNS service.
+
+
+## Get the `oc` Client
+
+The OpenShift command line client (called `oc`) can be downloaded and extracted
+from `openshift-origin-client-tools` on the OpenShift release page:
+
+https://github.com/openshift/origin/releases/latest/
+
+You can also copy it from the master node:
+
+    $ ansible -i inventory masters[0] -m fetch -a "src=/bin/oc dest=oc"
+
+Once you obtain the `oc` binary, remember to put it in your `PATH`.
+
+
+## Log in Using the Command Line
+
+Once the `oc` client is available, you can login using the URLs specified in `/etc/hosts`:
+
+```
+oc login --insecure-skip-tls-verify=true https://console.openshift.example.com:8443 -u user -p password
+oc new-project test
+oc new-app --template=cakephp-mysql-example
+oc status -v
+curl http://cakephp-mysql-example-test.apps.openshift.example.com
+```
+
+This will trigger an image build. You can run `oc logs -f
+bc/cakephp-mysql-example` to follow its progress.
+
+Wait until the build has finished and both pods are deployed and running:
+
+```
+$ oc status -v
+In project test on server https://master-0.openshift.example.com:8443
+
+http://cakephp-mysql-example-test.apps.openshift.example.com (svc/cakephp-mysql-example)
+  dc/cakephp-mysql-example deploys istag/cakephp-mysql-example:latest <-
+    bc/cakephp-mysql-example source builds https://github.com/openshift/cakephp-ex.git on openshift/php:7.0
+    deployment #1 deployed about a minute ago - 1 pod
+
+svc/mysql - 172.30.144.36:3306
+  dc/mysql deploys openshift/mysql:5.7
+    deployment #1 deployed 3 minutes ago - 1 pod
+
+Info:
+  * pod/cakephp-mysql-example-1-build has no liveness probe to verify pods are still running.
+    try: oc set probe pod/cakephp-mysql-example-1-build --liveness ...
+View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.
+
+```
+
+You can now look at the deployed app using its route:
+
+```
+$ curl http://cakephp-mysql-example-test.apps.openshift.example.com
+```
+
+Its `title` should say: "Welcome to OpenShift".
+
+
+## Access the UI
+
+You can access the OpenShift cluster with a web browser by going to:
+
+https://master-0.openshift.example.com:8443
+
+Note that for this to work, the OpenShift nodes must be accessible
+from your computer and its DNS configuration must use the cluster's
+DNS.
+
+
+## Run Custom Post-Provision Actions
+
+A custom playbook can be run like this:
+
+```
+ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml
+```
+
+If you'd like to limit the run to one particular host, you can do so as follows:
+
+```
+ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml -l app-node-0.openshift.example.com
+```
+
+You can also create your own custom playbook. Here are a few examples:
+
+### Add Additional YUM Repositories
+
+```
+---
+- hosts: app
+  tasks:
+
+  # enable EPL
+  - name: Add repository
+    yum_repository:
+      name: epel
+      description: EPEL YUM repo
+      baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
+```
+
+This example runs against app nodes. The list of options include:
+
+  - cluster_hosts (all hosts: app, infra, masters, dns, lb)
+  - OSEv3 (app, infra, masters)
+  - app
+  - dns
+  - masters
+  - infra_hosts
+
+### Attach Additional RHN Pools
+
+```
+---
+- hosts: cluster_hosts
+  tasks:
+  - name: Attach additional RHN pool
+    become: true
+    command: "/usr/bin/subscription-manager attach --pool=<pool ID>"
+    register: attach_rhn_pool_result
+    until: attach_rhn_pool_result.rc == 0
+    retries: 10
+    delay: 1
+```
+
+This playbook runs against all cluster nodes. In order to help prevent slow connectivity
+problems, the task is retried 10 times in case of initial failure.
+Note that in order for this example to work in your deployment, your servers must use the RHEL image.
+
+### Add Extra Docker Registry URLs
+
+This playbook is located in the [custom-actions](https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack/custom-actions) directory.
+
+It adds URLs passed as arguments to the docker configuration program.
+Going into more detail, the configuration program (which is in the YAML format) is loaded into an ansible variable
+([lines 27-30](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L27-L30))
+and in its structure, `registries` and `insecure_registries` sections are expanded with the newly added items
+([lines 56-76](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L56-L76)).
+The new content is then saved into the original file
+([lines 78-82](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L78-L82))
+and docker is restarted.
+
+Example usage:
+```
+ansible-playbook -i <inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml  --extra-vars '{"registries": "reg1", "insecure_registries": ["ins_reg1","ins_reg2"]}'
+```
+
+### Add Extra CAs to the Trust Chain
+
+This playbook is also located in the [custom-actions](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions) directory.
+It copies passed CAs to the trust chain location and updates the trust chain on each selected host.
+
+Example usage:
+```
+ansible-playbook -i <inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/add-cas.yml --extra-vars '{"ca_files": [<absolute path to ca1 file>, <absolute path to ca2 file>]}'
+```
+
+Please consider contributing your custom playbook back to openshift-ansible!
+
+A library of custom post-provision actions exists in `openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions`. Playbooks include:
+
+* [add-yum-repos.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-yum-repos.yml): adds a list of custom yum repositories to every node in the cluster
+* [add-rhn-pools.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-rhn-pools.yml): attaches a list of additional RHN pools to every node in the cluster
+* [add-docker-registry.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml): adds a list of docker registries to the docker configuration on every node in the cluster
+* [add-cas.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-rhn-pools.yml): adds a list of CAs to the trust chain on every node in the cluster
+
+
+[external-dns]: ./configuration.md#dns-configuration