diff --git a/roles/osbs-install-openshift/README.md b/roles/osbs-install-openshift/README.md deleted file mode 100644 index 6a0ec4a21f..0000000000 --- a/roles/osbs-install-openshift/README.md +++ /dev/null @@ -1,58 +0,0 @@ -install-openshift -================= - -Installs OpenShift v3 from various sources. Currently supports installing RPM -from COPR and building and installing the RPM from source code. - -This role is part of -[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for -deploying OpenShift build service. Please refer to that github repository for -[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) -and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). - -Role Variables --------------- - -You need to specify which method of installation you want to use. Valid options -are `copr` (default) and `source`. - - install_openshift_method: copr - -You must specify particular version that should be installed from the COPR. -Can be in either `version` or `version-release` format. - - install_openshift_copr_version: 1.0.5 - -When building from source, you need to specify the version of the built package. - - install_openshift_source_version: 1.0.5 - -Git commit to build packages from. - - install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b - -File name of the tarball to be downloaded from github. - - install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz - -Directory for rpmbuild. - - install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild" - -Example Playbook ----------------- - - - hosts: builders - roles: - - role: install-openshift - install_openshift_method: copr - -License -------- - -BSD - -Author Information ------------------- - -Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-install-openshift/defaults/main.yml b/roles/osbs-install-openshift/defaults/main.yml deleted file mode 100644 index 463f6530dd..0000000000 --- a/roles/osbs-install-openshift/defaults/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# methods: copr, source, fedora -install_openshift_method: fedora - -# copr-specific variables - -# specify particular version that should be installed from copr -# can be either VERSION or VERSION-RELEASE -install_openshift_copr_version: 1.0.8 - -# variables for source build - -# version of the built package -install_openshift_source_version: 1.0.5 - -# git commit to build package from -install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b - -# name of the tarball to download from github -install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz - -# rpmbuild directory -install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild" - -# update package from copr to the latest version? -osbs_update_packages: false diff --git a/roles/osbs-install-openshift/files/maxamillion-epel-openshift.repo b/roles/osbs-install-openshift/files/maxamillion-epel-openshift.repo deleted file mode 100644 index b3948bf875..0000000000 --- a/roles/osbs-install-openshift/files/maxamillion-epel-openshift.repo +++ /dev/null @@ -1,8 +0,0 @@ -[maxamillion-fedora-openshift] -name=Copr repo for fedora-openshift owned by maxamillion -baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/epel-7-$basearch/ -skip_if_unavailable=True -gpgcheck=1 -gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/pubkey.gpg -enabled=1 -enabled_metadata=1 \ No newline at end of file diff --git a/roles/osbs-install-openshift/files/maxamillion-fedora-openshift.repo b/roles/osbs-install-openshift/files/maxamillion-fedora-openshift.repo deleted file mode 100644 index c6b4d4a9d6..0000000000 --- a/roles/osbs-install-openshift/files/maxamillion-fedora-openshift.repo +++ /dev/null @@ -1,8 +0,0 @@ -[maxamillion-fedora-openshift] -name=Copr repo for fedora-openshift owned by maxamillion -baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/fedora-$releasever-$basearch/ -skip_if_unavailable=True -gpgcheck=1 -gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/pubkey.gpg -enabled=1 -enabled_metadata=1 diff --git a/roles/osbs-install-openshift/meta/.galaxy_install_info b/roles/osbs-install-openshift/meta/.galaxy_install_info deleted file mode 100644 index 14182b0644..0000000000 --- a/roles/osbs-install-openshift/meta/.galaxy_install_info +++ /dev/null @@ -1 +0,0 @@ -{install_date: 'Thu Jan 7 17:30:46 2016', version: master} diff --git a/roles/osbs-install-openshift/meta/main.yml b/roles/osbs-install-openshift/meta/main.yml deleted file mode 100644 index b55db33f88..0000000000 --- a/roles/osbs-install-openshift/meta/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -galaxy_info: - author: Martin Milata - description: Install OpenShift v3 from various sources - company: Red Hat - issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues - license: BSD - min_ansible_version: 1.2 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - 21 - - 22 - categories: - - cloud - - development - - packaging -dependencies: [] diff --git a/roles/osbs-install-openshift/tasks/main.yml b/roles/osbs-install-openshift/tasks/main.yml deleted file mode 100644 index ad0f13ee8c..0000000000 --- a/roles/osbs-install-openshift/tasks/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- include: method_fedora.yml - when: install_openshift_method == 'fedora' - -- include: method_copr.yml - when: install_openshift_method == 'copr' - -- include: method_source.yml - when: install_openshift_method == 'source' diff --git a/roles/osbs-install-openshift/tasks/method_copr.yml b/roles/osbs-install-openshift/tasks/method_copr.yml deleted file mode 100644 index d507367cd1..0000000000 --- a/roles/osbs-install-openshift/tasks/method_copr.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: setup repository - copy: - src: maxamillion-fedora-openshift.repo - dest: /etc/yum.repos.d/maxamillion-fedora-openshift.repo - when: is_fedora is defined - -- name: setup repository - copy: - src: maxamillion-epel-openshift.repo - dest: /etc/yum.repos.d/maxamillion-epel-openshift.repo - when: is_rhel is defined - -- name: install openshift - action: "{{ ansible_pkg_mgr }} name={{ item }} state={{ osbs_update_packages | ternary('latest', 'present') }}" - with_items: - - origin-master - - origin-node diff --git a/roles/osbs-install-openshift/tasks/method_fedora.yml b/roles/osbs-install-openshift/tasks/method_fedora.yml deleted file mode 100644 index ee11fde1ad..0000000000 --- a/roles/osbs-install-openshift/tasks/method_fedora.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: install openshift - action: "{{ ansible_pkg_mgr }} name={{ item }} state={{ osbs_update_packages | ternary('latest', 'present') }}" - with_items: - - origin-master - - origin-node diff --git a/roles/osbs-install-openshift/tasks/method_source.yml b/roles/osbs-install-openshift/tasks/method_source.yml deleted file mode 100644 index d07f166722..0000000000 --- a/roles/osbs-install-openshift/tasks/method_source.yml +++ /dev/null @@ -1,58 +0,0 @@ ---- -- name: install build packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=installed" - with_items: - - rpm-build - - rpmdevtools - -- name: install build packages - yum: name=yum-utils state=installed - when: ansible_pkg_mgr == "yum" - -- name: delete rpmbuild directories - file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=absent - with_items: - - RPMS - - SRPMS - - BUILD - - BUILDROOT - -- name: create rpmbuild directories - file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes - with_items: - - SPECS - - SOURCES - -- name: upload SPEC - template: src=openshift.spec.j2 dest={{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec - -- name: install build dependencies - command: yum-builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec - when: ansible_pkg_mgr == "yum" - -- name: install build dependencies - command: dnf builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec - when: ansible_pkg_mgr == "dnf" - -- name: download openshift tarball - get_url: - url: https://github.com/openshift/origin/archive/{{ install_openshift_source_commit }}/{{ install_openshift_source_archive }} - dest: "{{ install_openshift_source_rpmbuild_dir }}/SOURCES/{{ install_openshift_source_archive }}" - -- name: run build - command: rpmbuild -bb --clean {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec - -- name: find the RPMs - command: find {{ install_openshift_source_rpmbuild_dir }}/RPMS/ -type f - register: find_rpms - -- name: install the RPMs - shell: yum -y localinstall {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm - when: ansible_pkg_mgr == "yum" - -- name: install the RPMs - shell: dnf -y install {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm - when: ansible_pkg_mgr == "dnf" - -- name: link /etc/openshift to /etc/origin - file: path=/etc/openshift src=/etc/origin state=link diff --git a/roles/osbs-install-openshift/templates/openshift.spec.j2 b/roles/osbs-install-openshift/templates/openshift.spec.j2 deleted file mode 100644 index 31eabb7712..0000000000 --- a/roles/osbs-install-openshift/templates/openshift.spec.j2 +++ /dev/null @@ -1,337 +0,0 @@ -#debuginfo not supported with Go -%global debug_package %{nil} -%global gopath %{_datadir}/gocode -%global import_path github.com/openshift/origin -%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet -%global sdn_import_path github.com/openshift/openshift-sdn - -# docker_version is the version of docker requires by packages -%global docker_verison 1.6.2 -# tuned_version is the version of tuned requires by packages -%global tuned_version 2.3 -# openvswitch_version is the version of openvswitch requires by packages -%global openvswitch_version 2.3.1 -# %commit and %ldflags are intended to be set by tito custom builders provided -# in the rel-eng directory. The values in this spec file will not be kept up to date. -%{!?commit: -%global commit {{ openshift_commit }} -} -%global shortcommit %(c=%{commit}; echo ${c:0:7}) -# OpenShift specific ldflags from hack/common.sh os::build:ldflags -%{!?ldflags: -%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 1 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v1.0.4-366-gc66613f-dirty -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X k8s.io/kubernetes/pkg/version.gitCommit 44c91b1 -X k8s.io/kubernetes/pkg/version.gitVersion v1.1.0-alpha.0-1605-g44c91b1 -} - -Name: openshift -# Version is not kept up to date and is intended to be set by tito custom -# builders provided in the rel-eng directory of this project -Version: {{ openshift_version }} -Release: 0%{?dist} -Summary: Open Source Platform as a Service by Red Hat -License: ASL 2.0 -URL: https://%{import_path} -ExclusiveArch: x86_64 -Source0: https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz - -BuildRequires: systemd -BuildRequires: golang >= 1.4 - - -%description -%{summary} - -%package master -Summary: OpenShift Master -Requires: %{name} = %{version}-%{release} -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd - -%description master -%{summary} - -%package node -Summary: OpenShift Node -Requires: %{name} = %{version}-%{release} -Requires: docker-io >= %{docker_version} -Requires: tuned-profiles-%{name}-node -Requires: util-linux -Requires: socat -Requires: nfs-utils -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd - -%description node -%{summary} - -%package -n tuned-profiles-%{name}-node -Summary: Tuned profiles for OpenShift Node hosts -Requires: tuned >= %{tuned_version} -Requires: %{name} = %{version}-%{release} - -%description -n tuned-profiles-%{name}-node -%{summary} - -%package clients -Summary: Openshift Client binaries for Linux, Mac OSX, and Windows -BuildRequires: golang-pkg-darwin-amd64 -BuildRequires: golang-pkg-windows-386 - -%description clients -%{summary} - -%package dockerregistry -Summary: Docker Registry v2 for OpenShift -Requires: %{name} = %{version}-%{release} - -%description dockerregistry -%{summary} - -%package pod -Summary: OpenShift Pod -Requires: %{name} = %{version}-%{release} - -%description pod -%{summary} - -%prep -%setup -qn origin-%{commit} - -%build - -# Don't judge me for this ... it's so bad. -mkdir _build - -# Horrid hack because golang loves to just bundle everything -pushd _build - mkdir -p src/github.com/openshift - ln -s $(dirs +1 -l) src/%{import_path} -popd - - -# Gaming the GOPATH to include the third party bundled libs at build -# time. This is bad and I feel bad. -mkdir _thirdpartyhacks -pushd _thirdpartyhacks - ln -s \ - $(dirs +1 -l)/Godeps/_workspace/src/ \ - src -popd -export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath} -# Build all linux components we care about -for cmd in openshift dockerregistry -do - go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd} -done - -# Build only 'openshift' for other platforms -GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift -GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift - -#Build our pod -pushd images/pod/ - go build -ldflags "%{ldflags}" pod.go -popd - -%install - -install -d %{buildroot}%{_bindir} - -# Install linux components -for bin in openshift dockerregistry -do - echo "+++ INSTALLING ${bin}" - install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin} -done -# Install 'openshift' as client executable for windows and mac -for pkgname in openshift -do - install -d %{buildroot}%{_datadir}/${pkgname}/{linux,macosx,windows} - install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/${pkgname}/linux/oc - install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/${pkgname}/macosx/oc - install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/${pkgname}/windows/oc.exe -done - -#Install openshift pod -install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/ - -install -d -m 0755 %{buildroot}%{_unitdir} - -mkdir -p %{buildroot}%{_sysconfdir}/sysconfig - -for cmd in oc oadm; do - ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/$cmd -done -ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/kubectl - -install -d -m 0755 %{buildroot}%{_sysconfdir}/origin/{master,node} - -for pkgname in openshift -do - install -m 0644 rel-eng/${pkgname}-master.service %{buildroot}%{_unitdir}/${pkgname}-master.service - install -m 0644 rel-eng/${pkgname}-node.service %{buildroot}%{_unitdir}/${pkgname}-node.service - - install -m 0644 rel-eng/${pkgname}-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-master - install -m 0644 rel-eng/${pkgname}-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-node - install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-{guest,host} - install -m 0644 tuned/%{name}-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-guest/tuned.conf - install -m 0644 tuned/%{name}-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-host/tuned.conf - install -d -m 0755 %{buildroot}%{_mandir}/man7 - install -m 0644 tuned/man/tuned-profiles-%{name}-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-${pkgname}-node.7 - -done - -mkdir -p %{buildroot}%{_sharedstatedir}/%{name} -mkdir -p %{buildroot}%{_sharedstatedir}/origin - - -# Install bash completions -install -d -m 755 %{buildroot}%{_sysconfdir}/bash_completion.d/ -install -p -m 644 rel-eng/completions/bash/* %{buildroot}%{_sysconfdir}/bash_completion.d/ - -%files -%defattr(-,root,root,-) -%doc README.md LICENSE -%{_bindir}/openshift -%{_bindir}/oc -%{_bindir}/oadm -%{_bindir}/kubectl -%{_sharedstatedir}/%{name} -%{_sysconfdir}/bash_completion.d/* -%dir %config(noreplace) %{_sysconfdir}/origin - -%pre -# If /etc/openshift exists symlink it to /etc/origin -if [ -d "%{_sysconfdir}/openshift" ]; then - ln -s %{_sysconfdir}/openshift %{_sysconfdir}/origin -fi - -%files master -%defattr(-,root,root,-) -%{_unitdir}/%{name}-master.service -%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-master -%config(noreplace) /etc/origin/master - -%post master -%systemd_post %{basename:openshift-master.service} - -%preun master -%systemd_preun %{basename:openshift-master.service} - -%postun master -%systemd_postun - -%files node -%defattr(-,root,root,-) -%{_unitdir}/%{name}-node.service -%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-node -%config(noreplace) /etc/origin/node - -%post node -%systemd_post %{basename:openshift-node.service} - -%preun node -%systemd_preun %{basename:openshift-node.service} - -%postun node -%systemd_postun - -%files -n tuned-profiles-openshift-node -%defattr(-,root,root,-) -%{_prefix}/lib/tuned/openshift-node-host -%{_prefix}/lib/tuned/openshift-node-guest -%{_mandir}/man7/tuned-profiles-openshift-node.7* - -%post -n tuned-profiles-openshift-node -recommended=`/usr/sbin/tuned-adm recommend` -if [[ "${recommended}" =~ guest ]] ; then - /usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1 -else - /usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1 -fi - -%preun -n tuned-profiles-openshift-node -# reset the tuned profile to the recommended profile -# $1 = 0 when we're being removed > 0 during upgrades -if [ "$1" = 0 ]; then - recommended=`/usr/sbin/tuned-adm recommend` - /usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1 -fi - -%files clients -%{_datadir}/%{name}/linux/oc -%{_datadir}/%{name}/macosx/oc -%{_datadir}/%{name}/windows/oc.exe - -%files dockerregistry -%defattr(-,root,root,-) -%{_bindir}/dockerregistry - -%files pod -%defattr(-,root,root,-) -%{_bindir}/pod - -%changelog -* Wed Aug 19 2015 Martin Milata 0.2-9.ansible-osbs -- Modified for ansible-osbs - -* Wed Aug 12 2015 Steve Milner 0.2-8 -- Master configs will be generated if none are found. -- Node configs will be generated if none are found and master is installed. -- All-In-One services removed. - -* Wed Aug 12 2015 Steve Milner 0.2-7 -- Added new ovs script(s) to file lists. - -* Wed Aug 5 2015 Steve Milner 0.2-6 -- Using _unitdir instead of _prefix for unit data - -* Fri Jul 31 2015 Steve Milner 0.2-5 -- Configuration location now /etc/origin -- Default configs created upon installation - -* Tue Jul 28 2015 Steve Milner 0.2-4 -- Added AEP packages - -* Mon Jan 26 2015 Scott Dodson 0.2-3 -- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149 -- Split packaging of openshift-master and openshift-node - -* Mon Jan 19 2015 Scott Dodson 0.2-2 -- new package built with tito - -* Fri Jan 09 2015 Adam Miller - 0.2-2 -- Add symlink for osc command line tooling (merged in from jhonce@redhat.com) - -* Wed Jan 07 2015 Adam Miller - 0.2-1 -- Update to latest upstream release -- Restructured some of the golang deps build setup for restructuring done - upstream - -* Thu Oct 23 2014 Adam Miller - 0-0.0.9.git562842e -- Add new patches from jhonce for systemd units - -* Mon Oct 20 2014 Adam Miller - 0-0.0.8.git562842e -- Update to latest master snapshot - -* Wed Oct 15 2014 Adam Miller - 0-0.0.7.git7872f0f -- Update to latest master snapshot - -* Fri Oct 03 2014 Adam Miller - 0-0.0.6.gite4d4ecf -- Update to latest Alpha nightly build tag 20141003 - -* Wed Oct 01 2014 Adam Miller - 0-0.0.5.git6d9f1a9 -- Switch to consistent naming, patch by jhonce - -* Tue Sep 30 2014 Adam Miller - 0-0.0.4.git6d9f1a9 -- Add systemd and sysconfig entries from jhonce - -* Tue Sep 23 2014 Adam Miller - 0-0.0.3.git6d9f1a9 -- Update to latest upstream. - -* Mon Sep 15 2014 Adam Miller - 0-0.0.2.git2647df5 -- Update to latest upstream. - -* Thu Aug 14 2014 Adam Miller - 0-0.0.1.gitc3839b8 -- First package diff --git a/roles/osbs-master/README.md b/roles/osbs-master/README.md deleted file mode 100644 index e166f85fed..0000000000 --- a/roles/osbs-master/README.md +++ /dev/null @@ -1,155 +0,0 @@ -osbs-master -=========== - -Main role for deploying OSBS - [OpenShift build -service](https://github.com/projectatomic/osbs-client/), service for building -layered Docker images. - -It performs the necessary configuration of Docker and OpenShift and optionally -opens/closes OpenShift firewall port. It also generates self-signed certificate -that can be used by reverse proxy placed in front of the builder. - -This role is part of -[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for -deploying OpenShift build service. Please refer to that github repository for -[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) -and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). - -Role Variables --------------- - -You may need to configure Docker to connect to registries over plain HTTP, or -HTTPS with self-signed certificate (especially when developing OSBS). You can -provide list of such registries in `osbs_docker_insecure_registries` (empty by -default). - - osbs_docker_insecure_registries: [] - -Expose the OpenShift port to the outside world? Set this to `false` when using -authenticating proxy on the localhost. Has no effect if `osbs_manage_firewalld` -is `false`. - - osbs_master_expose_port: true - -Set to false if you don't use firewalld or do not want the playbook to modify -it. - - osbs_manage_firewalld: true - -If you are using authenticating proxy, this role can generate a self-signed certificate that the proxy can use to authenticate itself to OpenShift. The proxy needs the certificate and the key concatenated in one file (`osbs_proxy_cert_file`). OpenShift needs to know the CA of the certificate, which is configured in `osbs_proxy_ca_file` and which is the same as the certificate because it is self-signed. - - osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt - osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key - osbs_proxy_certkey_file: /etc/httpd/openshift_proxy_certkey.crt - osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt - -OpenShift authorization policy - which users should be assigned the view -(read-only), osbs-builder (read-write), and cluster-admin (admin) roles. In -default configuration, everyone has read/write access. The authentication is -handled by the proxy - if you are not using it the everyone connecting from the -outside belongs to the `system:unauthenticated` group. - -Default setup: - - osbs_readonly_users: [] - osbs_readonly_groups: [] - osbs_readwrite_users: [] - osbs_readwrite_groups: - - system:authenticated - - system:unauthenticated - osbs_admin_users: [] - osbs_admin_groups: [] - -Development with authenticating proxy: - - osbs_readonly_users: [] - osbs_readonly_groups: [] - osbs_readwrite_users: [] - osbs_readwrite_groups: - - system:authenticated - osbs_admin_users: [] - osbs_admin_groups: [] - -Example production configuration with only one user starting the builds: - - osbs_readonly_users: [] - osbs_readonly_groups: - - system:authenticated - osbs_readwrite_groups: [] - osbs_readwrite_users: - - kojibuilder - osbs_admin_users: - - foo@EXAMPLE.COM - - bar@EXAMPLE.COM - osbs_admin_groups: [] - -Limit on the number of running pods. - - osbs_master_max_pods: 3 - -[Image garbage -collection](https://docs.openshift.org/latest/admin_guide/garbage_collection.html#image-garbage-collection) -can be configured with following variables: - - osbs_image_gc_high_threshold: 90 - osbs_image_gc_low_threshold: 80 - - -Dependencies ------------- - -OpenShift is expected to be installed on the remote host. This can by -accomplished by the -[install-openshift](https://github.com/projectatomic/ansible-role-install-openshift) -role. - -Example Playbook ----------------- - -Simple development deployment: - - - hosts: builders - roles: - - install-openshift - - osbs-master - - atomic-reactor - -Deployment behind authentication proxy that only allows the *kojibuilder* user -to start builds (and everyone to view them). Set docker to trust registry on -localhost:5000 even though it uses HTTP. - - - hosts: builders - roles: - - install-openshift - - role: osbs-master - osbs_master_expose_port: false - osbs_docker_insecure_registries: [172.42.17.1:5000] - osbs_readonly_users: [] - osbs_readonly_groups: - - system:authenticated - - system:unauthenticated - osbs_readwrite_groups: [] - osbs_readwrite_users: - - kojibuilder - osbs_admin_users: [] - osbs_admin_groups: [] - - atomic-reactor - - role: osbs-proxy - osbs_proxy_type: kerberos - osbs_proxy_kerberos_keytab_file: /etc/HTTP-FQDN.EXAMPLE.COM.keytab - osbs_proxy_kerberos_realm: EXAMPLE.COM - osbs_proxy_ssl_cert_file: /etc/fqdn.example.com.crt - osbs_proxy_ssl_key_file: /etc/fqdn.example.com.key - osbs_proxy_ip_whitelist: - - subnet: 192.168.66.0/24 - user: kojibuilder - -License -------- - -BSD - -Author Information ------------------- - -Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-master/defaults/main.yml b/roles/osbs-master/defaults/main.yml deleted file mode 100644 index 1d5080e6b5..0000000000 --- a/roles/osbs-master/defaults/main.yml +++ /dev/null @@ -1,114 +0,0 @@ ---- -# set the openshift log level -osbs_openshift_loglevel: 0 - -# docker needs to know which registries are insecure -osbs_docker_insecure_registries: [] - -# Expose the OpenShift port to the outside world? Set this to false when using -# authenticating proxy on the localhost. Has no effect if osbs_manage_firewalld -# is false. -osbs_master_expose_port: true - -# set to false if you don't use firewalld or do not want the playbook to modify it -osbs_manage_firewalld: true - -# these will be generated for proxy so it can authenticate itself -osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt -osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key -osbs_proxy_certkey_file: /etc/origin/proxy_certkey.crt - -# CA cert to validate the proxy certificate against -osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt - -# openshift authorization - which users should be assigned the view (readonly), -# osbs-builder (readwrite), and cluster-admin (admin) roles -# in default configuration, everyone has read/write access -osbs_readonly_users: [] -osbs_readonly_groups: [] -osbs_readwrite_users: [] -osbs_readwrite_groups: - - system:authenticated - - system:unauthenticated -osbs_admin_users: [] -osbs_admin_groups: [] - -## development w/ auth proxy: -#osbs_readonly_users: [] -#osbs_readonly_groups: [] -#osbs_readwrite_users: [] -#osbs_readwrite_groups: -# - system:authenticated -#osbs_admin_users: [] -#osbs_admin_groups: [] - -## example production configuration: -#osbs_readonly_users: [] -#osbs_readonly_groups: -# - system:authenticated -#osbs_readwrite_groups: [] -#osbs_readwrite_users: -# - kojibuilder -# - "{{ ansible_hostname }}" -# - system:serviceaccount:default:default -#osbs_admin_users: -# - foo@EXAMPLE.COM -# - bar@EXAMPLE.COM -#osbs_admin_groups: [] - -# limit on the number of running pods -osbs_master_max_pods: 3 - -# update packagages to their latest version? -osbs_update_packages: false - -# directory for exporting v1 images to koji -# if not defined, nothing will happen -#osbs_export_dir: /mnt/image-export - -# mount the image export directory -#osbs_export_mount_src: /dev/vda1 -#osbs_export_mount_fs: ext4 - -# configure httpd to publish the directory under following path of default vhost -#osbs_export_http_path: /image-export - -osbs_image_gc_high_threshold: 90 -osbs_image_gc_low_threshold: 80 - - -# Specify different identity providers and options needed for the master-config -# template -# -# Currently supported options are: -# request_header -# htpasswd_provider -osbs_identity_provider: "request_header" - -osbs_identity_request: - name: request_header - challenge: true - login: true - -osbs_identity_htpasswd: - name: htpasswd_provider - challenge: true - login: true - provider_file: /etc/openshift/htpasswd - -# This correlates to the section of OpenShift master-config.yaml for custom -# certificate configuration for the public facing API endpoint -# -# https://docs.openshift.org/latest/install_config/certificate_customization.html -# -# Following values: -# enabled: boolean - used for checking in the config template -# certfile: path to cert (.crt) file -# keyfile: path to key (.key) file -# names: list of names -osbs_named_certificates: - enabled: false - cert_file: - key_file: - names: -osbs_public_api_url: diff --git a/roles/osbs-master/files/docker.service b/roles/osbs-master/files/docker.service deleted file mode 100644 index 80544cf46a..0000000000 --- a/roles/osbs-master/files/docker.service +++ /dev/null @@ -1,32 +0,0 @@ -[Unit] -Description=Docker Application Container Engine -Documentation=http://docs.docker.com -After=network.target -Wants=docker-storage-setup.service - -[Service] -Type=notify -NotifyAccess=all -EnvironmentFile=-/etc/sysconfig/docker -EnvironmentFile=-/etc/sysconfig/docker-storage -EnvironmentFile=-/etc/sysconfig/docker-network -Environment=GOTRACEBACK=crash -ExecStart=/usr/bin/docker daemon \ - --exec-opt native.cgroupdriver=systemd \ - $OPTIONS \ - $DOCKER_STORAGE_OPTIONS \ - $DOCKER_NETWORK_OPTIONS \ - $INSECURE_REGISTRY -ExecStartPost=/usr/local/bin/fix-docker-iptables -LimitNOFILE=1048576 -LimitNPROC=1048576 -LimitCORE=infinity -MountFlags=slave -StandardOutput=null -StandardError=null -TimeoutStartSec=0 -Restart=on-abnormal - -[Install] -WantedBy=multi-user.target - diff --git a/roles/osbs-master/files/fix-docker-iptables.production b/roles/osbs-master/files/fix-docker-iptables.production deleted file mode 100644 index fc84186597..0000000000 --- a/roles/osbs-master/files/fix-docker-iptables.production +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/bash -xe -# Note: this is done as a script because it needs to be run after -# every docker service restart. -# And just doing an iptables-restore is going to mess up kubernetes' -# NAT table. - -# Delete all old rules -iptables --flush FORWARD - -# Re-insert some basic rules -iptables -A FORWARD -o docker0 -j DOCKER -iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT - -# Now insert access to allowed boxes -# docker-registry -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT - -#koji.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT - -# pkgs -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT - -# DNS -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT - -# mirrors.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT - -# dl.phx2 -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT - - -# Docker is CRAZY and forces Google DNS upon us..... -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT - -iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited - diff --git a/roles/osbs-master/files/fix-docker-iptables.staging b/roles/osbs-master/files/fix-docker-iptables.staging deleted file mode 100644 index 865a87ec0a..0000000000 --- a/roles/osbs-master/files/fix-docker-iptables.staging +++ /dev/null @@ -1,68 +0,0 @@ -#!/bin/bash -xe -# Note: this is done as a script because it needs to be run after -# every docker service restart. -# And just doing an iptables-restore is going to mess up kubernetes' -# NAT table. -# And it gets even better with openshift! It thinks I'm stupid and need -# to be corrected by automatically adding the "allow all" rules back at -# the top as soon as I remove them. -# To circumvent that, we're just adding a new chain for this, as it seems -# that it doesn't do anything with the firewall if we keep its rules in -# place. (it doesn't check the order of its rules, only that they exist) - -if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ]; -then - iptables -N FILTER_FORWARD -fi -if [ "`iptables -nL | grep 'FILTER_FORWARD all'`" == "" ]; -then - iptables -I FORWARD 1 -j FILTER_FORWARD -fi - -# Delete all old rules -iptables --flush FILTER_FORWARD - -# Re-insert some basic rules -iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT - -# Now insert access to allowed boxes -# docker-registry -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT - -#koji.fp.o -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT - -# pkgs.stg -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT - -# DNS -iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT -iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT - -# mirrors.fp.o -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT - -# dl.phx2 -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT -iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT - - -# Docker is CRAZY and forces Google DNS upon us..... -iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT -iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT - -iptables -A FILTER_FORWARD -j REJECT --reject-with icmp-host-prohibited - diff --git a/roles/osbs-master/files/openshift-role-osbs-builder.yml b/roles/osbs-master/files/openshift-role-osbs-builder.yml deleted file mode 100644 index 5ef00af437..0000000000 --- a/roles/osbs-master/files/openshift-role-osbs-builder.yml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: v1 -kind: ClusterRole -metadata: - name: osbs-builder -rules: -- attributeRestrictions: null - resources: - - builds/custom - - pods/exec - - pods/portforward - - pods/proxy - - resourcegroup:exposedkube - - resourcegroup:exposedopenshift - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- attributeRestrictions: null - resources: - - resourcegroup:allkube - - resourcegroup:allkube-status - - resourcegroup:allopenshift-status - verbs: - - get - - list - - watch -- attributeRestrictions: null - resources: - - imagestreams/layers - verbs: - - get - - update diff --git a/roles/osbs-master/handlers/main.yml b/roles/osbs-master/handlers/main.yml deleted file mode 100644 index 9c61eb05d7..0000000000 --- a/roles/osbs-master/handlers/main.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: restart docker - service: name=docker state=restarted - -- name: restart openshift-master - service: name=origin-master state=restarted - -- name: restart openshift-node - service: name=origin-node state=restarted - -- name: restart httpd - service: name=httpd state=restarted diff --git a/roles/osbs-master/meta/.galaxy_install_info b/roles/osbs-master/meta/.galaxy_install_info deleted file mode 100644 index 14182b0644..0000000000 --- a/roles/osbs-master/meta/.galaxy_install_info +++ /dev/null @@ -1 +0,0 @@ -{install_date: 'Thu Jan 7 17:30:46 2016', version: master} diff --git a/roles/osbs-master/meta/main.yml b/roles/osbs-master/meta/main.yml deleted file mode 100644 index f6019c9b47..0000000000 --- a/roles/osbs-master/meta/main.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -galaxy_info: - author: Martin Milata - description: OpenShift build service - builder of layered Docker images - company: Red Hat - issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues - license: BSD - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - 21 - - 22 - categories: - - cloud - - development - - packaging -dependencies: [] diff --git a/roles/osbs-master/tasks/export.yml b/roles/osbs-master/tasks/export.yml deleted file mode 100644 index bec5b47450..0000000000 --- a/roles/osbs-master/tasks/export.yml +++ /dev/null @@ -1,56 +0,0 @@ ---- -- name: mount the export directory - mount: - name: "{{ osbs_export_dir }}" - src: "{{ osbs_export_mount_src }}" - fstype: "{{ osbs_export_mount_fs }}" - state: mounted - when: osbs_export_mount_src is defined - -- name: set owner of the image export directory - file: - path: "{{ osbs_export_dir }}" - state: directory - owner: apache - group: apache - when: osbs_export_http_path is defined - -- name: configure selinux labels for image export directory - command: /usr/sbin/semanage fcontext --add --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?" - when: osbs_export_http_path is defined - -- name: restore selinux labels for image export directory - file: - path: "{{ osbs_export_dir }}" - state: directory - setype: httpd_sys_content_t - recurse: yes - when: osbs_export_http_path is defined - -- name: export the mount directory via http - template: src=httpd-osbs_image_export.conf.j2 dest={{ osbs_export_http_conf }} - notify: - - restart httpd - when: osbs_export_http_path is defined - -- name: open http ports - firewalld: - service: "{{ item }}" - state: enabled - permanent: true - immediate: true - with_items: - - http - - https - when: osbs_export_http_path is defined and osbs_manage_firewalld - -- name: install dependencies for garbage collection script - action: "{{ ansible_pkg_mgr }} name=koji state=installed" - when: osbs_export_koji_hub is defined - -- name: install garbage collection script - template: - src: osbs-remove-finished-docker-tarball.py.j2 - dest: /etc/cron.hourly/osbs-remove-finished-docker-tarball.cron - mode: "0744" - when: osbs_export_koji_hub is defined diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml deleted file mode 100644 index d0b0c25cd8..0000000000 --- a/roles/osbs-master/tasks/main.yml +++ /dev/null @@ -1,132 +0,0 @@ ---- -### docker service ### - -- name: install packages required by osbs - action: "{{ ansible_pkg_mgr }} name=docker state={{ osbs_update_packages | ternary('latest', 'present') }}" - -- name: install openssl for auth proxy cert generation - action: "{{ ansible_pkg_mgr }} name=openssl state=latest" - -- name: configure docker - template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker backup=yes - notify: restart docker - -- name: ensure docker is running - service: name=docker state=started enabled=yes - -### openshift service ### - -- name: open/close openshift port in the firewall - firewalld: - port: "{{ osbs_openshift_port }}/tcp" - state: "{{ osbs_master_expose_port | ternary('enabled', 'disabled') }}" - permanent: true - immediate: true - when: osbs_manage_firewalld - -- name: apply modifications to /etc/sysconfig/origin - template: src=sysconfig-origin-{{ item }}.j2 dest=/etc/sysconfig/origin-{{ item }} - with_items: - - master - - node - -- name: configure openshift master - template: src=master-config.yaml.j2 dest=/etc/origin/master/master-config.yaml - notify: restart openshift-master - -- name: configure openshift node - template: src=node-config.yaml.j2 dest=/etc/origin/node/node-config.yaml - notify: restart openshift-node - -- name: generate cert for authenticating proxy - self-signed certificate - command: > - openssl req -new -nodes -x509 - -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ inventory_hostname }}" - -days 3650 - -keyout {{ osbs_proxy_key_file }} - -out {{ osbs_proxy_cert_file }} - -extensions v3_ca - args: - creates: "{{ osbs_proxy_cert_file }}" - register: auth_proxy_cert - -- name: generate cert for authenticating proxy - convert privkey to rsa - command: openssl rsa -in {{ osbs_proxy_key_file }} -out {{ osbs_proxy_key_file }} - when: auth_proxy_cert.changed - -- name: generate cert for authenticating proxy - concatenate cert and key - shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }} - args: - creates: "{{ osbs_proxy_certkey_file }}" - -# We need to have openshift restarted in order to configure authentication. -- meta: flush_handlers - -- name: ensure openshift is running - service: name=origin-{{ item }} state=started enabled=yes - with_items: - - master - - node - -- name: wait for openshift to start accepting connections - wait_for: port={{ osbs_openshift_port }} timeout=30 - -- name: copy osbs-builder role definition - copy: src=openshift-role-osbs-builder.yml dest={{ osbs_openshift_home }}/role-osbs-builder.yml - -- name: import the osbs-builder role - shell: "oc replace --force=true --filename={{ osbs_openshift_home }}/role-osbs-builder.yml && touch /etc/origin/osbs-builder-role-imported" - args: - creates: "/etc/origin/osbs-builder-role-imported" - environment: "{{ osbs_environment }}" - -- name: copy role bindings - template: src=openshift-rolebinding.yml.j2 dest={{ osbs_openshift_home }}/rolebinding-{{ item.name }}.yml - with_items: - - name: osbs-readonly - role: view - users: "{{ osbs_readonly_users }}" - groups: "{{ osbs_readonly_groups }}" - - name: osbs-readwrite - role: osbs-builder - users: "{{ osbs_readwrite_users }}" - groups: "{{ osbs_readwrite_groups }}" - - name: osbs-admin - role: cluster-admin - users: "{{ osbs_admin_users }}" - groups: "{{ osbs_admin_groups }}" - -- name: import the role bindings - shell: "oc replace --force=true --filename={{ osbs_openshift_home }}/rolebinding-{{ item }}.yml && touch /etc/origin/role-bindings-imported" - args: - creates: "/etc/origin/role-bindings-imported" - environment: "{{ osbs_environment }}" - with_items: - - osbs-readonly - - osbs-readwrite - - osbs-admin - -- name: copy resource quotas - template: src=openshift-resourcequota.yml.j2 dest={{ osbs_openshift_home }}/resourcequota.yml - -- name: import resource quotas - shell: "oc replace --force=true --filename={{ osbs_openshift_home }}/resourcequota.yml && touch /etc/origin/resource-quotas-imported" - args: - creates: "/etc/origin/resource-quotas-imported" - environment: "{{ osbs_environment }}" - -# Useful when using "oc" to inspect openshift state. -- name: add KUBECONFIG to .bashrc - lineinfile: - dest: "{{ ansible_env.HOME }}/.bashrc" - regexp: "export KUBECONFIG=" - line: "export KUBECONFIG={{ osbs_environment.KUBECONFIG }}" - -- include: export.yml - when: osbs_export_dir is defined - -- name: copy docker iptables script - copy: src="fix-docker-iptables.{{ env }}" dest=/usr/local/bin/fix-docker-iptables mode=0755 - -- name: copy docker service config - copy: src=docker.service dest=/etc/systemd/system/docker.service diff --git a/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 b/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 deleted file mode 100644 index b0e32772f8..0000000000 --- a/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# atomic-reactor copies tarballs to this directory (via NFS share) and koji -# downloads it from this place. Garbage collection needs to be done on this -# directory. - -Alias "{{ osbs_export_http_path }}" "{{ osbs_export_dir }}" - - - AllowOverride None - Require all granted - Options +Indexes - diff --git a/roles/osbs-master/templates/master-config.yaml.j2 b/roles/osbs-master/templates/master-config.yaml.j2 deleted file mode 100644 index db1f5e3a26..0000000000 --- a/roles/osbs-master/templates/master-config.yaml.j2 +++ /dev/null @@ -1,188 +0,0 @@ -admissionConfig: - pluginConfig: null -apiLevels: -- v1 -apiVersion: v1 -assetConfig: - extensionDevelopment: false - extensionScripts: null - extensionStylesheets: null - extensions: null - loggingPublicURL: "" - logoutURL: "" -{% if osbs_public_api_url %} - masterPublicURL: https://{{ osbs_public_api_url }}:8443 -{% else %} - masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 -{% endif %} - metricsPublicURL: "" - publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ - servingInfo: - bindAddress: 0.0.0.0:8443 - bindNetwork: tcp4 - certFile: master.server.crt - clientCA: "" - keyFile: master.server.key - maxRequestsInFlight: 0 - namedCertificates: null - requestTimeoutSeconds: 0 -controllerLeaseTTL: 0 -controllers: '*' -corsAllowedOrigins: -- 127.0.0.1 -- {{ ansible_default_ipv4.address }}:8443 -- localhost -disabledFeatures: null -dnsConfig: - bindAddress: 0.0.0.0:53 - bindNetwork: tcp4 -etcdClientInfo: - ca: ca.crt - certFile: master.etcd-client.crt - keyFile: master.etcd-client.key - urls: - - https://{{ ansible_default_ipv4.address }}:4001 -etcdConfig: - address: {{ ansible_default_ipv4.address }}:4001 - peerAddress: {{ ansible_default_ipv4.address }}:7001 - peerServingInfo: - bindAddress: 0.0.0.0:7001 - bindNetwork: tcp4 - certFile: etcd.server.crt - clientCA: ca.crt - keyFile: etcd.server.key - namedCertificates: null - servingInfo: - bindAddress: 0.0.0.0:4001 - bindNetwork: tcp4 - certFile: etcd.server.crt - clientCA: ca.crt - keyFile: etcd.server.key - namedCertificates: null - storageDirectory: /var/lib/origin/openshift.local.etcd -etcdStorageConfig: - kubernetesStoragePrefix: kubernetes.io - kubernetesStorageVersion: v1 - openShiftStoragePrefix: openshift.io - openShiftStorageVersion: v1 -imageConfig: - format: openshift/origin-${component}:${version} - latest: false -imagePolicyConfig: - disableScheduledImport: false - maxImagesBulkImportedPerRepository: 5 - maxScheduledImageImportsPerMinute: 60 - scheduledImageImportMinimumIntervalSeconds: 900 -kind: MasterConfig -kubeletClientInfo: - ca: ca.crt - certFile: master.kubelet-client.crt - keyFile: master.kubelet-client.key - port: 10250 -kubernetesMasterConfig: - admissionConfig: - pluginConfig: null - apiLevels: null - apiServerArguments: null - controllerArguments: null - disabledAPIGroupVersions: {} - masterCount: 1 - masterIP: {{ ansible_default_ipv4.address }} - podEvictionTimeout: 5m - proxyClientInfo: - certFile: master.proxy-client.crt - keyFile: master.proxy-client.key - schedulerConfigFile: "" - servicesNodePortRange: 30000-32767 - servicesSubnet: 172.30.0.0/16 - staticNodeNames: - - {{ inventory_hostname }} -masterClients: - externalKubernetesKubeConfig: "" - openshiftLoopbackKubeConfig: openshift-master.kubeconfig -masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 -networkConfig: - clusterNetworkCIDR: 10.1.0.0/16 - hostSubnetLength: 8 - networkPluginName: "" - serviceNetworkCIDR: 172.30.0.0/16 -oauthConfig: - assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ - grantConfig: - method: auto - identityProviders: -{% if osbs_identity_provider == "request_header" %} - - name: {{ osbs_identity_request.name }} - challenge: {{ osbs_identity_request.challenge }} - login: {{ osbs_identity_request.login }} - provider: - apiVersion: v1 - kind: RequestHeaderIdentityProvider - clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }} - headers: - - X-Remote-User -{% endif %} -{% if osbs_identity_provider == "htpasswd_provider" %} - - name: {{ osbs_identity_htpasswd.name }} - challenge: {{ osbs_identity_htpasswd.challenge }} - login: {{ osbs_identity_htpasswd.login }} - provider: - apiVersion: v1 - kind: HTPasswdPasswordIdentityProvider - file: {{ osbs_identity_htpasswd.provider_file }} -{% endif %} - masterCA: ca.crt - masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 - masterURL: https://{{ ansible_default_ipv4.address }}:8443 - sessionConfig: - sessionMaxAgeSeconds: 300 - sessionName: ssn - sessionSecretsFile: "" - templates: null - tokenConfig: - accessTokenMaxAgeSeconds: 86400 - authorizeTokenMaxAgeSeconds: 300 -pauseControllers: false -policyConfig: - bootstrapPolicyFile: policy.json - openshiftInfrastructureNamespace: openshift-infra - openshiftSharedResourcesNamespace: openshift -projectConfig: - defaultNodeSelector: "" - projectRequestMessage: "" - projectRequestTemplate: "" - securityAllocator: - mcsAllocatorRange: s0:/2 - mcsLabelsPerProject: 5 - uidAllocatorRange: 1000000000-1999999999/10000 -routingConfig: - subdomain: router.default.svc.cluster.local -serviceAccountConfig: - limitSecretReferences: false - managedNames: - - default - - builder - - deployer - masterCA: ca.crt - privateKeyFile: serviceaccounts.private.key - publicKeyFiles: - - serviceaccounts.public.key -servingInfo: - bindAddress: 0.0.0.0:8443 - bindNetwork: tcp4 - certFile: master.server.crt - clientCA: ca.crt - keyFile: master.server.key - maxRequestsInFlight: 500 - requestTimeoutSeconds: 3600 -{%if osbs_named_certificates.enabled %} - namedCertificates: - - certFile: {{ osbs_named_certificates.cert_file }} - keyFile: {{ osbs_named_certificates.key_file }} - names: -{% for name in osbs_named_certificates.names %} - - {{ name }} -{% endfor %} -{% else %} - namedCertificates: null -{% endif %} diff --git a/roles/osbs-master/templates/node-config.yaml.j2 b/roles/osbs-master/templates/node-config.yaml.j2 deleted file mode 100644 index a9aaa15f36..0000000000 --- a/roles/osbs-master/templates/node-config.yaml.j2 +++ /dev/null @@ -1,36 +0,0 @@ -allowDisabledDocker: false -apiVersion: v1 -authConfig: - authenticationCacheSize: 1000 - authenticationCacheTTL: 5m - authorizationCacheSize: 1000 - authorizationCacheTTL: 5m -dnsDomain: cluster.local -dnsIP: "" -dockerConfig: - execHandlerName: native -imageConfig: - format: openshift/origin-${component}:${version} - latest: false -iptablesSyncPeriod: 5s -kind: NodeConfig -masterKubeConfig: node.kubeconfig -networkConfig: - mtu: 1450 - networkPluginName: "" -nodeIP: "" -nodeName: localhost -podManifestConfig: null -servingInfo: - bindAddress: 0.0.0.0:10250 - bindNetwork: tcp4 - certFile: server.crt - clientCA: node-client-ca.crt - keyFile: server.key - namedCertificates: null -volumeDirectory: /var/lib/origin/openshift.local.volumes -kubeletArguments: - image-gc-high-threshold: - - "{{ osbs_image_gc_high_threshold }}" - image-gc-low-threshold: - - "{{ osbs_image_gc_low_threshold }}" diff --git a/roles/osbs-master/templates/openshift-resourcequota.yml.j2 b/roles/osbs-master/templates/openshift-resourcequota.yml.j2 deleted file mode 100644 index cc62a6017f..0000000000 --- a/roles/osbs-master/templates/openshift-resourcequota.yml.j2 +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ResourceQuota -metadata: - name: concurrentbuilds -spec: - hard: - pods: {{ osbs_master_max_pods }} diff --git a/roles/osbs-master/templates/openshift-rolebinding.yml.j2 b/roles/osbs-master/templates/openshift-rolebinding.yml.j2 deleted file mode 100644 index 7593580134..0000000000 --- a/roles/osbs-master/templates/openshift-rolebinding.yml.j2 +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: RoleBinding -metadata: - name: {{ item.name }} -roleRef: - name: {{ item.role }} - -{% if item.users == [] %} -userNames: [] -{% else %} -userNames: -{% for u in item.users %} -- {{u}} -{% endfor %} -{% endif %} - -{% if item.groups == [] %} -groupNames: [] -{% else %} -groupNames: -{% for g in item.groups %} -- {{g}} -{% endfor %} -{% endif %} diff --git a/roles/osbs-master/templates/osbs-remove-finished-docker-tarball.py.j2 b/roles/osbs-master/templates/osbs-remove-finished-docker-tarball.py.j2 deleted file mode 100644 index 02ed12ef61..0000000000 --- a/roles/osbs-master/templates/osbs-remove-finished-docker-tarball.py.j2 +++ /dev/null @@ -1,54 +0,0 @@ -#!/usr/bin/python - -# This file was installed by ansible from role osbs-master. - -import os -import re -import shutil -import syslog - -import koji - -SERVER = '{{ osbs_export_koji_hub }}' -PARENT = '{{ osbs_export_dir }}' - -session = koji.ClientSession(SERVER) - - -syslog.openlog('remove-finished-docker-tarball') - -for task_dir in os.listdir(PARENT): - if not task_dir.startswith('task-'): - continue - - match = re.match('^task-(\d+)$', task_dir) - if not match: - continue - task_id = int(match.group(1)) - - if not task_id: - continue - - children_tasks = session.getTaskInfo(task_id) - if 'parent' not in children_tasks or children_tasks['parent'] is None: - continue - parent_task_id = children_tasks['parent'] - builds = session.listBuilds(taskID=parent_task_id) - - for build in builds: - build['state'] = koji.BUILD_STATES.get(build['state'], 'BADSTATE') - - if build['state'] in ('BUILDING', 'BADSTATE'): - continue - - - image_msg = '%s %s %s' % (task_id, build['build_id'], build['state']) - - full_path = os.path.join(PARENT, task_dir) - try: - syslog.syslog('Removing %s (%s)' % (full_path, image_msg)) - shutil.rmtree(full_path) - except OSError, exception: - syslog.syslog('Failed to remove %s (%s): %s' % (full_path, - image_msg, - exception)) diff --git a/roles/osbs-master/templates/sysconfig-docker.j2 b/roles/osbs-master/templates/sysconfig-docker.j2 deleted file mode 100644 index d606a7b639..0000000000 --- a/roles/osbs-master/templates/sysconfig-docker.j2 +++ /dev/null @@ -1,36 +0,0 @@ -# Modify these options if you want to change the way the docker daemon runs -OPTIONS='--selinux-enabled' - -DOCKER_CERT_PATH=/etc/docker - -# If you want to add your own registry to be used for docker search and docker pull use the -# ADD_REGISTRY option to list a set of comma separated registries. -# Note the last registry added will be the first regisry searched. -ADD_REGISTRY='' - -# If you want to block registries from being used, use the -# BLOCK_REGISTRY option to list a set of comma separated registries, and uncommenting -# it. For example adding docker.io will stop users from downloading images from docker.io -# BLOCK_REGISTRY='--block-registry public' - -# If you have a registry secured with https but do not have proper certs destributed, you can -# tell docker to not look for full authorization by adding the registry to the -# INSECURE_REGISTRY line and uncommentin it. -INSECURE_REGISTRY=' -{%- for r in osbs_docker_insecure_registries %} --insecure-registry {{ r }} -{%- endfor %}' - -# On an SELinux system, if you remove the --selinux-enabled option, you -# also need to turn on the docker_transition_unconfined boolean. -# setsebool -P docker_transition_unconfined 1 - -# Location used for temporary files, such as those created by -# docker load and build operations. Default is /var/lib/docker/tmp -# Can be overriden by setting the following environment variable. -# DOCKER_TMPDIR=/var/tmp - -# Controls the /etc/cron.daily/docker-logrotate cron job status. -# To disable, uncomment the line below. -# LOGROTATE=false - -GOTRACEBACK='crash' diff --git a/roles/osbs-master/templates/sysconfig-origin-master b/roles/osbs-master/templates/sysconfig-origin-master deleted file mode 100644 index 86f61888f5..0000000000 --- a/roles/osbs-master/templates/sysconfig-origin-master +++ /dev/null @@ -1,9 +0,0 @@ -OPTIONS="--loglevel=3" -CONFIG_FILE=/etc/origin/master/master-config.yaml - -# Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/osbs-master/templates/sysconfig-origin-master.j2 b/roles/osbs-master/templates/sysconfig-origin-master.j2 deleted file mode 100644 index b7b7578c3d..0000000000 --- a/roles/osbs-master/templates/sysconfig-origin-master.j2 +++ /dev/null @@ -1,9 +0,0 @@ -OPTIONS="--loglevel={{osbs_openshift_loglevel}}" -CONFIG_FILE=/etc/origin/master/master-config.yaml - -# Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/osbs-master/templates/sysconfig-origin-node b/roles/osbs-master/templates/sysconfig-origin-node deleted file mode 100644 index 886fc79bc3..0000000000 --- a/roles/osbs-master/templates/sysconfig-origin-node +++ /dev/null @@ -1,22 +0,0 @@ -OPTIONS="--loglevel=3" -# /etc/origin/node/ should contain the entire contents of -# /var/lib/origin.local.certificates/node-${node-fqdn} generated by -# running 'atomic-enterprise admin create-node-config' on your master -# -# If if your node is running on a separate host you can rsync the contents -# rsync -a root@atomic-enterprise-master:/var/lib/origin/origin.local.certificates/node-`hostname`/ /etc/origin/node -CONFIG_FILE=/etc/origin/node/node-config.yaml - -# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set -# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network -# Most plugins include their own defaults within the scripts -# TODO: More elegant solution like this -# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh -# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450' - -# Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/osbs-master/templates/sysconfig-origin-node.j2 b/roles/osbs-master/templates/sysconfig-origin-node.j2 deleted file mode 100644 index 05d9eee353..0000000000 --- a/roles/osbs-master/templates/sysconfig-origin-node.j2 +++ /dev/null @@ -1,22 +0,0 @@ -OPTIONS="--loglevel={{osbs_openshift_loglevel}}" -# /etc/origin/node/ should contain the entire contents of -# /var/lib/origin.local.certificates/node-${node-fqdn} generated by -# running 'atomic-enterprise admin create-node-config' on your master -# -# If if your node is running on a separate host you can rsync the contents -# rsync -a root@atomic-enterprise-master:/var/lib/origin/origin.local.certificates/node-`hostname`/ /etc/origin/node -CONFIG_FILE=/etc/origin/node/node-config.yaml - -# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set -# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network -# Most plugins include their own defaults within the scripts -# TODO: More elegant solution like this -# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh -# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450' - -# Proxy configuration -# Origin uses standard HTTP_PROXY environment variables. Be sure to set -# NO_PROXY for your master -#NO_PROXY=master.example.com -#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT -#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/osbs-master/vars/main.yml b/roles/osbs-master/vars/main.yml deleted file mode 100644 index ad57097f30..0000000000 --- a/roles/osbs-master/vars/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -osbs_openshift_home: /var/lib/origin -osbs_openshift_port: 8443 -osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - -osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - -osbs_export_http_conf: /etc/httpd/conf.d/osbs_image_export.conf