Initial containerization work from @ibotty

copied from https://github.com/eparis/kubernetes-ansible/blob/17f98edd7ff53e649b43e26822b8fbc0be42b233/roles/common/tasks/main.yml

playbooks/common/openshift-cluster/update_repos_and_packages.yml

@@ -8,5 +8,5 @@
           ansible_distribution == "RedHat" and
           lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) |
             default('no', True) | lower in ['no', 'false']
-  - openshift_repos
+  - {role: openshift_repos, when: not is_atomic}
   - os_update_latest

playbooks/common/openshift-etcd/config.yml

@@ -87,7 +87,7 @@
     when: etcd_server_certs_missing
   roles:
   - etcd
-  - role: nickhammond.logrotate
+  - { role: nickhammond.logrotate, when: not is_atomic }
 
 - name: Delete temporary directory on localhost
   hosts: localhost

playbooks/common/openshift-master/config.yml

@@ -328,6 +328,7 @@
   roles:
   - openshift_master
   - role: nickhammond.logrotate
+    when: not is_atomic
   - role: fluentd_master
     when: openshift.common.use_fluentd | bool
   post_tasks:

playbooks/common/openshift-node/config.yml

@@ -181,6 +181,7 @@
   - role: flannel
     when: openshift.common.use_flannel | bool
   - role: nickhammond.logrotate
+    when: not is_atomic
   - role: fluentd_node
     when: openshift.common.use_fluentd | bool
   tasks:

roles/docker/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 # tasks file for docker
 - name: Install docker
-  action: "{{ ansible_pkg_mgr }} name=docker state=present"
+  action: "{{ ansible_pkg_mgr }} name=docker state=present" and not is_atomic
   
 - name: enable and start the docker service
   service: name=docker enabled=yes state=started

roles/etcd/tasks/main.yml

@@ -8,7 +8,7 @@
   when: "'ipv4' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface] or 'address' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface].ipv4"
 
 - name: Install etcd
-  action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present"
+  action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" and not is_atomic
 
 - name: Validate permissions on the config dir
   file:

roles/fluentd_master/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- fail:
+    msg: "fluentd master is not yet supported on atomic hosts"
+  when: is_atomic
+
 # TODO: Update fluentd install and configuration when packaging is complete
 - name: download and install td-agent
   action: "{{ ansible_pkg_mgr }} name='http://packages.treasuredata.com/2/redhat/7/x86_64/td-agent-2.2.0-0.x86_64.rpm' state=present"

roles/fluentd_node/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- fail:
+    msg: "fluentd node is not yet supported on atomic hosts"
+  when: is_atomic
+
 # TODO: Update fluentd install and configuration when packaging is complete
 - name: download and install td-agent
   action: "{{ ansible_pkg_mgr }} name='http://packages.treasuredata.com/2/redhat/7/x86_64/td-agent-2.2.0-0.x86_64.rpm' state=present"

roles/kube_nfs_volumes/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- fail:
+    msg: "That playbook is not yet supported on atomic hosts"
+  when: is_atomic
+
 - name: Install pyparted (RedHat/Fedora)
   action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present"
 

roles/openshift_examples/defaults/main.yml

@@ -8,7 +8,7 @@ openshift_examples_load_quickstarts: true
 
 content_version: "{{ 'v1.1' if openshift.common.version_greater_than_3_1_or_1_1 else 'v1.0' }}"
 
-examples_base: "/usr/share/openshift/examples"
+examples_base: "{% if is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples"
 image_streams_base: "{{ examples_base }}/image-streams"
 centos_image_streams: "{{ image_streams_base}}/image-streams-centos7.json"
 rhel_image_streams: "{{ image_streams_base}}/image-streams-rhel7.json"

roles/openshift_expand_partition/tasks/main.yml

@@ -1,6 +1,13 @@
 ---
 - name: Ensure growpart is installed
-  action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present"
+  action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" and not is_atomic
+
+- name: Determine if growpart is installed
+  command: "rpm -q cloud-utils-growpart"
+  register: has_growpart
+  failed_when: "has_growpart.cr != 0 and 'package cloud-utils-growpart is not installed' not in has_growpart.stdout"
+  changed_when: false
+  when: is_atomic
 
 - name: Grow the partitions
   command: "growpart {{oep_drive}} {{oep_partition}}"

roles/openshift_facts/library/openshift_facts.py

@@ -710,7 +710,8 @@ def set_sdn_facts_if_unset(facts, system_facts):
     if 'common' in facts:
         use_sdn = facts['common']['use_openshift_sdn']
         if not (use_sdn == '' or isinstance(use_sdn, bool)):
-            facts['common']['use_openshift_sdn'] = bool(strtobool(str(use_sdn)))
+            use_sdn = bool(strtobool(str(use_sdn)))
+            facts['common']['use_openshift_sdn'] = use_sdn
         if 'sdn_network_plugin_name' not in facts['common']:
             plugin = 'redhat/openshift-ovs-subnet' if use_sdn else ''
             facts['common']['sdn_network_plugin_name'] = plugin
@@ -1031,6 +1032,7 @@ class OpenShiftFacts(object):
         facts = set_version_facts_if_unset(facts)
         facts = set_aggregate_facts(facts)
         facts = set_etcd_facts_if_unset(facts)
+        facts = self.init_in_docker_facts(facts)
         return dict(openshift=facts)
 
     def get_defaults(self, roles):
@@ -1197,6 +1199,28 @@ class OpenShiftFacts(object):
         self.changed = changed
         return new_local_facts
 
+    def init_in_docker_facts(self, facts):
+        facts['is_atomic'] = os.path.isfile('/run/ostree-booted')
+
+        docker = dict()
+        docker['image_name'] = 'openshift/origin'
+        # TODO: figure out right way to set the version
+        docker['image_version'] = 'latest'
+        docker['image'] = "%s:%s" % (docker['image_name'], docker['image_version'])
+
+        # shared /tmp/openshift vol is for file exchange with ansible
+        # --privileged is required to read the config dir
+        # --net host to access openshift from the container
+        # maybe -v /var/run/docker.sock:/var/run/docker.sock is required as well
+        docker['runner'] = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig {image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=docker['image'])
+
+        if facts['is_atomic']:
+            facts['common']['client_binary'] = '%s cli' % docker['runner']
+            facts['common']['admin_binary'] = '%s admin' % docker['runner']
+
+        facts['docker'] = docker
+        return facts
+
 
 def main():
     """ main """

roles/openshift_facts/tasks/main.yml

@@ -6,6 +6,20 @@
     - ansible_version | version_compare('1.9.0', 'ne')
     - ansible_version | version_compare('1.9.0.1', 'ne')
 
+- name: Determine if Atomic
+  stat: path=/run/ostree-booted
+  register: s
+  changed_when: false
+
+- name: Init the is_atomic fact
+  set_fact:
+    is_atomic: false
+
+- name: Set the is_atomic fact
+  set_fact:
+    is_atomic: true
+  when: s.stat.exists
+
 - name: Ensure PyYaml is installed
   action: "{{ ansible_pkg_mgr }} name=PyYAML state=present"
 

roles/openshift_master/tasks/main.yml

@@ -21,6 +21,10 @@
     msg: "openshift_master_cluster_password must be set for multi-master installations"
   when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password)
 
+- fail:
+    msg: "openshift_master_ha is not yet supported on atomic hosts"
+  when: openshift_master_ha | bool and is_atomic
+
 - name: Set master facts
   openshift_facts:
     role: master
@@ -79,6 +83,25 @@
 
 - name: Install Master package
   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version  }} state=present"
+  when: not is_atomic
+
+# TODO: enable when ansible#1993 lands and is widespread enough
+# - name: Docker image present
+#   docker:
+#     image: "{{ openshift.common.docker.image }}"
+#     state: image_present
+#   when: is_atomic
+
+- name: Install Master docker service file
+  template:
+    dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
+    src: openshift.docker.master.service
+  register: install_result 
+  when: is_atomic
+
+- name: Reload systemd units                                                                        
+  command: systemctl daemon-reload
+  when: is_atomic and install_result | changed
 
 - name: Re-gather package dependent master facts
   openshift_facts:
@@ -113,6 +136,7 @@
   action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present"
   when: (item.kind == 'HTPasswdPasswordIdentityProvider')
   with_items: openshift.master.identity_providers
+  when: not is_atomic
 
 - name: Ensure htpasswd directory exists
   file:
@@ -251,7 +275,7 @@
 
 - name: Install cluster packages
   action: "{{ ansible_pkg_mgr }} name=pcs state=present"
-  when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
+  when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not is_atomic
   register: install_result
 
 - name: Start and enable cluster service
@@ -283,6 +307,7 @@
   command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
   args:
     creates: ~{{ item }}/.kube/config
+  when: not is_atomic
   with_items:
   - root
   - "{{ ansible_ssh_user }}"

roles/openshift_master/templates/openshift.docker.master.service

@@ -0,0 +1,11 @@
+[Unit]
+After=docker.service
+Require=docker.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master
+ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start master --config=${CONFIG_FILE} ${OPTIONS}
+ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master
+
+[Install]
+WantedBy=multi-user.target

roles/openshift_master/vars/main.yml

@@ -5,6 +5,8 @@ openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.js
 openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml"
 openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json"
 openshift_version: "{{ openshift_pkg_version | default('') }}"
+openshift_docker_image_name: openshift/origin
+openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}"
 
 openshift_master_valid_grant_methods:
 - auto

roles/openshift_master_ca/tasks/main.yml

@@ -1,9 +1,11 @@
 ---
 - name: Install the base package for admin tooling
   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version  }} state=present"
+  when: not is_atomic
 
 - name: Reload generated facts
   openshift_facts:
+  when: install_result | changed
 
 - name: Create openshift_master_config_dir if it doesn't exist
   file:

roles/openshift_master_ca/vars/main.yml

@@ -4,3 +4,6 @@ openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt"
 openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key"
 openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
 openshift_version: "{{ openshift_pkg_version | default('') }}"
+
+openshift_docker_image_name: openshift/origin
+openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}"

roles/openshift_master_cluster/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- fail:
+    msg: "Not possible on atomic hosts for now"
+  when: is_atomic
+
 - name: Test if cluster is already configured
   command: pcs status
   register: pcs_status

roles/openshift_node/tasks/main.yml

@@ -4,6 +4,10 @@
     msg: "SELinux is disabled, This deployment type requires that SELinux is enabled."
   when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
 
+- fail:
+    msg: "This playbook does not support using SDN on atomic hosts yet"
+  when: openshift.common.use_openshift_sdn and is_atomic
+
 - name: Set node facts
   openshift_facts:
     role: "{{ item.role }}"
@@ -38,10 +42,11 @@
 # problems because the rpms don't pin the version properly.
 - name: Install Node package
   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_version  }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_version  }} state=present"
+  when: not is_atomic
 
 - name: Install sdn-ovs package
   action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_version }} state=present"
-  when: openshift.common.use_openshift_sdn
+  when: openshift.common.use_openshift_sdn and not is_atomic
 
 # TODO: add the validate parameter when there is a validation command to run
 - name: Create the Node config
@@ -57,6 +62,7 @@
     dest: /etc/sysconfig/{{ openshift.common.service_type }}-node
     regexp: "{{ item.regex }}"
     line: "{{ item.line }}"
+    create: true
   with_items:
     - regex: '^OPTIONS='
       line: "OPTIONS=--loglevel={{ openshift.node.debug_level }}"

roles/openshift_node/templates/openshift.docker.node.service

@@ -0,0 +1,11 @@
+[Unit]
+After=docker.service
+Require=docker.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-node
+ExecStart=/usr/bin/docker run --rm --privileged --net=host --name "{{ openshift.common.service_type }}-node" -v /:/rootfs:ro -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start node --config=${CONFIG_FILE} ${OPTIONS}
+ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-node
+
+[Install]
+WantedBy=multi-user.target

roles/openshift_node/vars/main.yml

@@ -2,3 +2,6 @@
 openshift_node_config_dir: "{{ openshift.common.config_base }}/node"
 openshift_node_config_file: "{{ openshift_node_config_dir }}/node-config.yaml"
 openshift_version: "{{ openshift_pkg_version | default('') }}"
+
+openshift_docker_image_name: openshift/origin
+openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}"

roles/openshift_node_certificates/tasks/main.yml

@@ -17,19 +17,19 @@
       --signer-serial={{ openshift_master_ca_serial }}
       --user=system:node:{{ item.openshift.common.hostname }}
   args:
-    chdir: "{{ openshift_generated_configs_dir }}"
     creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
   with_items: nodes_needing_certs
 
 - name: Generate the node server certificate
   command: >
-    {{ openshift.common.admin_binary }} create-server-cert
-      --cert=server.crt --key=server.key --overwrite=true
+    {{ openshift.common.admin_binary }} ca create-server-cert
+      --cert={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt
+      --key={{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.key
+      --overwrite=true
       --hostnames={{ item.openshift.common.all_hostnames |join(",") }}
       --signer-cert={{ openshift_master_ca_cert }}
       --signer-key={{ openshift_master_ca_key }}
       --signer-serial={{ openshift_master_ca_serial }}
   args:
-    chdir: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}"
     creates: "{{ openshift_generated_configs_dir }}/node-{{ item.openshift.common.hostname }}/server.crt"
   with_items: nodes_needing_certs

roles/openshift_repos/tasks/main.yaml

@@ -12,19 +12,20 @@
 
 - name: Ensure libselinux-python is installed
   action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present"
+  when: not is_atomic
 
 - name: Create any additional repos that are defined
   template:
     src: yum_repo.j2
     dest: /etc/yum.repos.d/openshift_additional.repo
-  when: openshift_additional_repos | length > 0
+  when: openshift_additional_repos | length > 0 and not is_atomic
   notify: refresh cache
 
 - name: Remove the additional repos if no longer defined
   file:
     dest: /etc/yum.repos.d/openshift_additional.repo
     state: absent
-  when: openshift_additional_repos | length == 0
+  when: openshift_additional_repos | length == 0 and not is_atomic
   notify: refresh cache
 
 - name: Remove any yum repo files for other deployment types RHEL/CentOS
@@ -35,6 +36,7 @@
   - '*/repos/*'
   when: not (item | search("/files/" ~ openshift_deployment_type ~ "/repos")) and
         (ansible_os_family == "RedHat" and ansible_distribution != "Fedora")
+        and not is_atomic
   notify: refresh cache
 
 - name: Remove any yum repo files for other deployment types Fedora
@@ -45,6 +47,7 @@
   - '*/repos/*'
   when: not (item | search("/files/fedora-" ~ openshift_deployment_type ~ "/repos")) and
         (ansible_distribution == "Fedora")
+        and not is_atomic
   notify: refresh cache
 
 - name: Configure gpg keys if needed
@@ -59,10 +62,11 @@
   - "{{ openshift_deployment_type }}/repos/*"
   notify: refresh cache
   when: (ansible_os_family == "RedHat" and ansible_distribution != "Fedora")
+        and not is_atomic
 
 - name: Configure yum repositories Fedora
   copy: src={{ item }} dest=/etc/yum.repos.d/
   with_fileglob:
   - "fedora-{{ openshift_deployment_type }}/repos/*"
   notify: refresh cache
-  when: (ansible_distribution == "Fedora")
+  when: (ansible_distribution == "Fedora") and not is_atomic

roles/openshift_serviceaccounts/tasks/main.yml

@@ -1,12 +1,19 @@
+- name: tmp dir for openshift
+  file:
+    path: /tmp/openshift
+    state: directory
+    owner: root
+    mode: 700
+
 - name: Create service account configs
   template:
     src: serviceaccount.j2
-    dest: "/tmp/{{ item }}-serviceaccount.yaml"
+    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
   with_items: accounts
 
 - name: Create {{ item }} service account
   command: >
-    {{ openshift.common.client_binary }} create -f "/tmp/{{ item }}-serviceaccount.yaml"
+    {{ openshift.common.client_binary }} create -f "/tmp/openshift/{{ item }}-serviceaccount.yaml"
   with_items: accounts
   register: _sa_result
   failed_when: "'serviceaccounts \"{{ item }}\" already exists' not in _sa_result.stderr and _sa_result.rc != 0"
@@ -15,14 +22,14 @@
 - name: Get current security context constraints
   shell: >
     {{ openshift.common.client_binary }} get scc privileged -o yaml
-    --output-version=v1 > /tmp/scc.yaml
+    --output-version=v1 > /tmp/openshift/scc.yaml
 
 - name: Add security context constraint for {{ item }}
   lineinfile:
-    dest: /tmp/scc.yaml
+    dest: /tmp/openshift/scc.yaml
     line: "- system:serviceaccount:default:{{ item }}"
     insertafter: "^users:$"
   with_items: accounts
 
 - name: Apply new scc rules for service accounts
-  command: "{{ openshift.common.client_binary }} update -f /tmp/scc.yaml --api-version=v1"
+  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"

roles/openshift_storage_nfs_lvm/tasks/nfs.yml

@@ -1,6 +1,7 @@
 ---
 - name: Install NFS server
   action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
+  when: not is_atomic
   
 - name: Start rpcbind
   service: name=rpcbind state=started enabled=yes

roles/os_env_extras/tasks/main.yaml

@@ -12,4 +12,5 @@
     dest: /root/.vimrc
 
 - name: Bash Completion
-  action: "{{ ansible_pkg_mgr }} name=bash-completion state=present"
+  action: "{{ ansible_pkg_mgr }} name=bash-completion state=present"
+  when: not is_atomic

roles/os_firewall/tasks/firewall/iptables.yml

@@ -5,6 +5,7 @@
   - iptables
   - iptables-services
   register: install_result
+  when: not is_atomic
 
 - name: Check if firewalld is installed
   command: rpm -q firewalld

roles/os_update_latest/tasks/main.yml

@@ -1,3 +1,8 @@
 ---
+- fail:
+    msg: "Update is not yet supported by this playbook on atomic hosts"
+  when: is_atomic
+
 - name: Update all packages
-  action: "{{ ansible_pkg_mgr }} name=* state=latest"
+  action: "{{ ansible_pkg_mgr }} name=* state=latest"
+  when: not is_atomic

roles/os_zabbix/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- fail:
+    msg: "Zabbix config is not yet supported on atomic hosts"
+  when: is_atomic
+
 - name: Main List all templates
   zbx_template:
     zbx_server: "{{ ozb_server }}"

roles/yum_repos/tasks/main.yml

@@ -45,3 +45,4 @@
     src: yumrepo.j2
     dest: /etc/yum.repos.d/{{ item.id }}.repo
   with_items: repo_files
+  when: not is_atomic