Inicio Explorar Axuda
Rexistro Iniciar sesión
shixiong
/
okd
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Rama: master
Ramas Etiquetas
okd
/
roles
/
openshift_node
/
tasks
/
config.yml

config.yml 6.1 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. ---
    2. 

  2. #### Disable SWAP #####
    3. 

  3. # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
    4. 

  4. # swapoff is a custom module that comments out swap entries in
    5. 

  5. # /etc/fstab and runs swapoff -a, if necessary.
    6. 

  6. - name: Disable swap
    7. 

  7.   swapoff: {}
    8. 

  8. 

  9. # The atomic-openshift-node service will set this parameter on
    10. 

  10. # startup, but if the network service is restarted this setting is
    11. 

  11. # lost. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1372388
    12. 

  12. - name: Enable IP Forwarding
    13. 

  13.   sysctl:
    14. 

  14.     name: net.ipv4.ip_forward
    15. 

  15.     value: 1
    16. 

  16.     sysctl_file: "/etc/sysctl.d/99-openshift.conf"
    17. 

  17.     reload: yes
    18. 

  18. 

  19. # The base OS RHEL with "Minimal" installation option is
    20. 

  20. # enabled firewalld serivce by default, it denies unexpected 10250 port.
    21. 

  21. # Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1740439
    22. 

  22. - name: Disable firewalld service
    23. 

  23.   systemd:
    24. 

  24.     name: "firewalld.service"
    25. 

  25.     enabled: false
    26. 

  26.   register: service_status
    27. 

  27.   failed_when:
    28. 

  28.   - service_status is failed
    29. 

  29.   - not ('Could not find the requested service' in service_status.msg)
    30. 

  30. 

  31. - name: Setting sebool container_manage_cgroup
    32. 

  32.   seboolean:
    33. 

  33.     name: container_manage_cgroup
    34. 

  34.     state: yes
    35. 

  35.     persistent: yes
    36. 

  36. 

  37. - name: Create temp directory
    38. 

  38.   tempfile:
    39. 

  39.     state: directory
    40. 

  40.   register: temp_dir
    41. 

  41. 

  42. - name: Wait for bootstrap endpoint to show up
    43. 

  43.   uri:
    44. 

  44.     url: "{{ openshift_node_bootstrap_endpoint }}"
    45. 

  45.     validate_certs: false
    46. 

  46.   delay: 10
    47. 

  47.   retries: 60
    48. 

  48.   register: result
    49. 

  49.   until:
    50. 

  50.   - result.status is defined
    51. 

  51.   - result.status == 200
    52. 

  52. 

  53. - name: Fetch bootstrap ignition file locally
    54. 

  54.   uri:
    55. 

  55.     url: "{{ openshift_node_bootstrap_endpoint }}"
    56. 

  56.     dest: "{{ temp_dir.path }}/bootstrap.ign"
    57. 

  57.     validate_certs: false
    58. 

  58.   register: bootstrap_ignition
    59. 

  59. 

  60. # registries.conf is listed twice in the config, the second one is the right one
    61. 

  61. - name: Extract the last registries.conf file from bootstrap.ign
    62. 

  62.   set_fact:
    63. 

  63.     registries_conf: >
    64. 

  64.       {{
    65. 

  65.       bootstrap_ignition.json.storage.files
    66. 

  66.       | selectattr('path', 'match', '/etc/containers/registries.conf')
    67. 

  67.       | list
    68. 

  68.       | last
    69. 

  69.       }}
    70. 

  70. 

  71. - name: Check data URL encoding and extract source data
    72. 

  72.   set_fact:
    73. 

  73.     base64encoded: "{{ registries_conf.contents.source.split(',')[0].endswith('base64') }}"
    74. 

  74.     source_data: "{{ registries_conf.contents.source.split(',')[1] }}"
    75. 

  75. 

  76. - name: Write /etc/containers/registries.conf
    77. 

  77.   copy:
    78. 

  78.     content: "{{ (source_data | b64decode) if base64encoded else (source_data | urldecode) }}"
    79. 

  79.     mode: "{{ '0' ~ registries_conf.mode }}"
    80. 

  80.     dest: "{{ registries_conf.path }}"
    81. 

  81.   register: update_registries
    82. 

  82. 

  83. - name: Restart the CRI-O service
    84. 

  84.   systemd:
    85. 

  85.     name: "crio"
    86. 

  86.     state: restarted
    87. 

  87.   when: update_registries is changed
    88. 

  88. 

  89. - name: Get cluster pull-secret
    90. 

  90.   command: >
    91. 

  91.     oc get secret pull-secret
    92. 

  92.     --kubeconfig={{ openshift_node_kubeconfig_path }}
    93. 

  93.     --namespace=openshift-config
    94. 

  94.     --output=jsonpath='{.data.\.dockerconfigjson}'
    95. 

  95.   delegate_to: localhost
    96. 

  96.   register: oc_get
    97. 

  97.   until:
    98. 

  98.   - oc_get.stdout != ''
    99. 

  99.   retries: 36
    100. 

  100.   delay: 5
    101. 

  101. 

  102. - name: Write pull-secret to file
    103. 

  103.   copy:
    104. 

  104.     content: "{{ oc_get.stdout | b64decode }}"
    105. 

  105.     dest: "{{ temp_dir.path }}/pull-secret.json"
    106. 

  106. 

  107. - name: Get cluster release image
    108. 

  108.   command: >
    109. 

  109.     oc get clusterversion
    110. 

  110.     --kubeconfig={{ openshift_node_kubeconfig_path }}
    111. 

  111.     --output=jsonpath='{.items[0].status.desired.image}'
    112. 

  112.   delegate_to: localhost
    113. 

  113.   register: oc_get
    114. 

  114.   until:
    115. 

  115.   - oc_get.stdout != ''
    116. 

  116.   retries: 36
    117. 

  117.   delay: 5
    118. 

  118. 

  119. - name: Set l_release_image fact
    120. 

  120.   set_fact:
    121. 

  121.     l_release_image: "{{ oc_get.stdout }}"
    122. 

  122. 

  123. - import_tasks: proxy.yml
    124. 

  124. 

  125. - block:
    126. 

  126.   - name: Pull release image
    127. 

  127.     command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ l_release_image }}"
    128. 

  128.     register: podman_pull
    129. 

  129.     until:
    130. 

  130.       podman_pull.stdout != ''
    131. 

  131.     retries: 12
    132. 

  132.     delay: 10
    133. 

  133. 

  134.   - name: Get machine controller daemon image from release image
    135. 

  135.     command: "podman run --rm {{ l_release_image }} image machine-config-operator"
    136. 

  136.     register: release_image_mcd
    137. 

  137.   environment:
    138. 

  138.     http_proxy: "{{ http_proxy | default('')}}"
    139. 

  139.     https_proxy: "{{https_proxy | default('')}}"
    140. 

  140.     no_proxy: "{{ no_proxy | default('')}}"
    141. 

  141. 

  142. - block:
    143. 

  143.   - name: Pull MCD image
    144. 

  144.     command: "podman pull --tls-verify={{ openshift_node_tls_verify }} --authfile {{ temp_dir.path }}/pull-secret.json {{ release_image_mcd.stdout }}"
    145. 

  145.     register: podman_pull
    146. 

  146.     until:
    147. 

  147.       podman_pull.stdout != ''
    148. 

  148.     retries: 12
    149. 

  149.     delay: 10
    150. 

  150. 

  151.   - name: Apply ignition manifest
    152. 

  152.     command: "podman run {{ podman_mounts }} {{ podman_flags }} {{ mcd_command }}"
    153. 

  153.     vars:
    154. 

  154.       podman_flags: "--privileged --rm --entrypoint=/usr/bin/machine-config-daemon -ti {{ release_image_mcd.stdout }}"
    155. 

  155.       podman_mounts: "-v /:/rootfs -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd"
    156. 

  156.       mcd_command: "start --node-name {{ ansible_nodename | lower }} --once-from {{ temp_dir.path }}/bootstrap.ign --skip-reboot"
    157. 

  157. 

  158.   - name: Remove temp directory
    159. 

  159.     file:
    160. 

  160.       path: "{{ temp_dir.path }}"
    161. 

  161.       state: absent
    162. 

  162. 

  163.   - name: Reboot the host and wait for it to come back
    164. 

  164.     reboot:
    165. 

  165.     #  reboot_timeout: 600  # default, 10 minutes
    166. 

  166.   environment:
    167. 

  167.     http_proxy: "{{ http_proxy | default('')}}"
    168. 

  168.     https_proxy: "{{ https_proxy | default('')}}"
    169. 

  169.     no_proxy: "{{ no_proxy | default('')}}"
    170. 

  170.   rescue:
    171. 

  171.   - fail:
    172. 

  172.       msg: "Ignition apply failed"
    173. 

  173. 

  174. - block:
    175. 

  175.   - name: Approve node CSRs
    176. 

  176.     oc_csr_approve:
    177. 

  177.       kubeconfig: "{{ openshift_node_kubeconfig_path }}"
    178. 

  178.       nodename: "{{ ansible_nodename | lower }}"
    179. 

  179.     delegate_to: localhost
    180. 

  180. 

  181.   rescue:
    182. 

  182.   - import_tasks: gather_debug.yml
    183. 

  183. 

  184.   - name: DEBUG - Failed to approve node CSRs
    185. 

  185.     fail:
    186. 

  186.       msg: "Failed to approve node-bootstrapper CSR"
    187. 

  187. 

  188. - block:
    189. 

  189.   - name: Wait for node to report ready
    190. 

  190.     command: >
    191. 

  191.       oc get node {{ ansible_nodename | lower }}
    192. 

  192.       --kubeconfig={{ openshift_node_kubeconfig_path }}
    193. 

  193.       --output=jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
    194. 

  194.     delegate_to: localhost
    195. 

  195.     register: oc_get
    196. 

  196.     until:
    197. 

  197.     - oc_get.stdout == "True"
    198. 

  198.     retries: 36
    199. 

  199.     delay: 5
    200. 

  200.     changed_when: false
    201. 

  201. 

  202.   rescue:
    203. 

  203.   - import_tasks: gather_debug.yml
    204. 

  204. 

  205.   - name: DEBUG - Node failed to report ready
    206. 

  206.     fail:
    207. 

  207.       msg: "Node failed to report ready"
    208.