--- #### Disable SWAP ##### # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory # swapoff is a custom module that comments out swap entries in # /etc/fstab and runs swapoff -a, if necessary. - name: Disable swap swapoff: {} # The atomic-openshift-node service will set this parameter on # startup, but if the network service is restarted this setting is # lost. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1372388 - name: Enable IP Forwarding sysctl: name: net.ipv4.ip_forward value: 1 sysctl_file: "/etc/sysctl.d/99-openshift.conf" reload: yes # The base OS RHEL with "Minimal" installation option is # enabled firewalld serivce by default, it denies unexpected 10250 port. # Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1740439 - name: Disable firewalld service systemd: name: "firewalld.service" enabled: false register: service_status failed_when: - service_status is failed - not ('Could not find the requested service' in service_status.msg) - name: Setting sebool container_manage_cgroup seboolean: name: container_manage_cgroup state: yes persistent: yes - name: Create temp directory tempfile: state: directory register: temp_dir - name: Wait for bootstrap endpoint to show up uri: url: "{{ openshift_node_bootstrap_endpoint }}" validate_certs: false delay: 10 retries: 60 register: result until: - result.status is defined - result.status == 200 - name: Fetch bootstrap ignition file locally uri: url: "{{ openshift_node_bootstrap_endpoint }}" dest: "{{ temp_dir.path }}/bootstrap.ign" validate_certs: false register: bootstrap_ignition # registries.conf is listed twice in the config, the second one is the right one - name: Extract the last registries.conf file from bootstrap.ign set_fact: registries_conf: > {{ bootstrap_ignition.json.storage.files | selectattr('path', 'match', '/etc/containers/registries.conf') | list | last }} - name: Check data URL encoding and extract source data set_fact: base64encoded: "{{ registries_conf.contents.source.split(',')[0].endswith('base64') }}" source_data: "{{ registries_conf.contents.source.split(',')[1] }}" - name: Write /etc/containers/registries.conf copy: content: "{{ (source_data | b64decode) if base64encoded else (source_data | urldecode) }}" mode: "{{ '0' ~ registries_conf.mode }}" dest: "{{ registries_conf.path }}" register: update_registries - name: Restart the CRI-O service systemd: name: "crio" state: restarted when: update_registries is changed - name: Get cluster pull-secret command: > oc get secret pull-secret --kubeconfig={{ openshift_node_kubeconfig_path }} --namespace=openshift-config --output=jsonpath='{.data.\.dockerconfigjson}' delegate_to: localhost register: oc_get until: - oc_get.stdout != '' retries: 36 delay: 5 - name: Write pull-secret to file copy: content: "{{ oc_get.stdout | b64decode }}" dest: "{{ temp_dir.path }}/pull-secret.json" - name: Get cluster release image command: > oc get clusterversion --kubeconfig={{ openshift_node_kubeconfig_path }} --output=jsonpath='{.items[0].status.desired.image}' delegate_to: localhost register: oc_get until: - oc_get.stdout != '' retries: 36 delay: 5 - name: Set l_release_image fact set_fact: l_release_image: "{{ oc_get.stdout }}" - import_tasks: proxy.yml - block: - name: Pull release image command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ l_release_image }}" register: podman_pull until: podman_pull.stdout != '' retries: 12 delay: 10 - name: Get machine controller daemon image from release image command: "podman run --rm {{ l_release_image }} image machine-config-operator" register: release_image_mcd environment: http_proxy: "{{ http_proxy | default('')}}" https_proxy: "{{https_proxy | default('')}}" no_proxy: "{{ no_proxy | default('')}}" - block: - name: Pull MCD image command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ release_image_mcd.stdout }}" register: podman_pull until: podman_pull.stdout != '' retries: 12 delay: 10 - name: Apply ignition manifest command: "podman run {{ podman_mounts }} {{ podman_flags }} {{ mcd_command }}" vars: podman_flags: "--privileged --rm --entrypoint=/usr/bin/machine-config-daemon -ti {{ release_image_mcd.stdout }}" podman_mounts: "-v /:/rootfs -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd" mcd_command: "start --node-name {{ ansible_nodename | lower }} --once-from {{ temp_dir.path }}/bootstrap.ign --skip-reboot" - name: Remove temp directory file: path: "{{ temp_dir.path }}" state: absent - name: Reboot the host and wait for it to come back reboot: # reboot_timeout: 600 # default, 10 minutes environment: http_proxy: "{{ http_proxy | default('')}}" https_proxy: "{{ https_proxy | default('')}}" no_proxy: "{{ no_proxy | default('')}}" rescue: - fail: msg: "Ignition apply failed" - block: - name: Approve node CSRs oc_csr_approve: kubeconfig: "{{ openshift_node_kubeconfig_path }}" nodename: "{{ ansible_nodename | lower }}" delegate_to: localhost rescue: - import_tasks: gather_debug.yml - name: DEBUG - Failed to approve node CSRs fail: msg: "Failed to approve node-bootstrapper CSR" - block: - name: Wait for node to report ready command: > oc get node {{ ansible_nodename | lower }} --kubeconfig={{ openshift_node_kubeconfig_path }} --output=jsonpath='{.status.conditions[?(@.type=="Ready")].status}' delegate_to: localhost register: oc_get until: - oc_get.stdout == "True" retries: 36 delay: 5 changed_when: false rescue: - import_tasks: gather_debug.yml - name: DEBUG - Node failed to report ready fail: msg: "Node failed to report ready"