authorSanjeev Rampal <srampal@cisco.com>2017-02-23 12:25:34 -0800
committerSanjeev Rampal <srampal@cisco.com>2017-02-27 21:04:48 -0800
commit58818a6af147e457d56a1faf77b02d37bb538826 (patch)
tree6f9f4faaf19ae4fbac83979048aa327849609469 /roles/contiv/tasks
parentc7f83e208ee433da74b7eb26644b30684a69649b (diff)
Combined (squashed) commit for all changes related to adding Contiv support into Openshift Ansible. This is the first (beta) release of Contiv with Openshift and is only supported for Openshift Origin + Bare metal deployments at the time of this commit. Please refer to the Openshift and Contiv official documentation for details of the level of support for different features and modes of operation.
Diffstat (limited to 'roles/contiv/tasks')
-rw-r--r--roles/contiv/tasks/aci.yml32
-rw-r--r--roles/contiv/tasks/default_network.yml15
-rw-r--r--roles/contiv/tasks/download_bins.yml27
-rw-r--r--roles/contiv/tasks/main.yml14
-rw-r--r--roles/contiv/tasks/netmaster.yml65
-rw-r--r--roles/contiv/tasks/netmaster_firewalld.yml16
-rw-r--r--roles/contiv/tasks/netmaster_iptables.yml21
-rw-r--r--roles/contiv/tasks/netplugin.yml121
-rw-r--r--roles/contiv/tasks/netplugin_firewalld.yml34
-rw-r--r--roles/contiv/tasks/netplugin_iptables.yml29
-rw-r--r--roles/contiv/tasks/ovs.yml28
-rw-r--r--roles/contiv/tasks/packageManagerInstall.yml12
-rw-r--r--roles/contiv/tasks/pkgMgrInstallers/centos-install.yml33
13 files changed, 447 insertions, 0 deletions
diff --git a/roles/contiv/tasks/aci.yml b/roles/contiv/tasks/aci.yml
new file mode 100644
index 000000000..30d2eb339
--- /dev/null
+++ b/roles/contiv/tasks/aci.yml
@@ -0,0 +1,32 @@
+---
+- name: ACI | Check aci-gw container image
+ command: "docker inspect contiv/aci-gw"
+ register: docker_aci_inspect_result
+ ignore_errors: yes
+
+- name: ACI | Pull aci-gw container
+ command: "docker pull contiv/aci-gw"
+ when: "'No such image' in docker_aci_inspect_result.stderr"
+
+- name: ACI | Copy shell script used by aci-gw service
+ template:
+ src: aci_gw.j2
+ dest: "{{ bin_dir }}/aci_gw.sh"
+ mode: u=rwx,g=rx,o=rx
+
+- name: ACI | Copy systemd units for aci-gw
+ template:
+ src: aci-gw.service
+ dest: /etc/systemd/system/aci-gw.service
+ notify: reload systemd
+
+- name: ACI | Enable aci-gw service
+ service:
+ name: aci-gw
+ enabled: yes
+
+- name: ACI | Start aci-gw service
+ service:
+ name: aci-gw
+ state: started
+ register: aci-gw_started
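Review bot: `register: aci-gw_started` on the last task contains a hyphen, which is not a valid Ansible variable name (letters, digits and underscores only) and newer releases reject it at parse time; rename it to `register: aci_gw_started`, matching `netmaster_started` and `netplugin_started` in the sibling files. The `docker pull contiv/aci-gw` task names no tag or digest, so each fresh node receives whatever `latest` resolves to at that moment and the deployment is not reproducible; pinning `contiv/aci-gw:<ACI_GW_VERSION_PLACEHOLDER>` (or a digest) keeps all nodes on the same image. The `docker inspect` probe is read-only but reports `changed` on every run; `changed_when: false` on it keeps check runs quiet.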
diff --git a/roles/contiv/tasks/default_network.yml b/roles/contiv/tasks/default_network.yml
new file mode 100644
index 000000000..9cf98bb80
--- /dev/null
+++ b/roles/contiv/tasks/default_network.yml
@@ -0,0 +1,15 @@
+---
+- name: Contiv | Wait for netmaster
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" tenant ls'
+ register: tenant_result
+ until: tenant_result.stdout.find("default") != -1
+ retries: 9
+ delay: 10
+
+- name: Contiv | Check if default-net exists
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls'
+ register: net_result
+
+- name: Contiv | Create default-net
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway={{ contiv_default_gw }} default-net'
+ when: net_result.stdout.find("default-net") == -1
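Review bot: The two `netctl ... ls` commands are read-only but carry no `changed_when`, so every run of this file reports changes and check-mode output is noisy; add `changed_when: false` to the `Wait for netmaster` and `Check if default-net exists` tasks. The guard `net_result.stdout.find("default-net") == -1` is a substring test, so any network whose name merely contains `default-net` suppresses creation of the real one; comparing the name column of each output line would be more robust, if `netctl net ls` output makes that practical. The create command interpolates several role variables straight into its argument list; `command` avoids shell parsing, but validating `contiv_default_subnet` and `contiv_default_gw` upstream (an `assert` on their format) would stop a bad inventory value from producing a half-configured default network.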
diff --git a/roles/contiv/tasks/download_bins.yml b/roles/contiv/tasks/download_bins.yml
new file mode 100644
index 000000000..28ed50fae
--- /dev/null
+++ b/roles/contiv/tasks/download_bins.yml
@@ -0,0 +1,27 @@
+---
+- name: Download Bins | Create directory for current Contiv release
+ file:
+ path: "{{ contiv_current_release_directory }}"
+ state: directory
+
+- name: Install bzip2
+ yum:
+ name: bzip2
+ state: installed
+
+- name: Download Bins | Download Contiv tar file
+ get_url:
+ url: "{{ contiv_download_url }}"
+ dest: "{{ contiv_current_release_directory }}"
+ mode: 0755
+ validate_certs: False
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+
+- name: Download Bins | Extract Contiv tar file
+ unarchive:
+ src: "{{ contiv_current_release_directory }}/netplugin-{{ contiv_version }}.tar.bz2"
+ dest: "{{ contiv_current_release_directory }}"
+ copy: no
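Review bot: The `Download Contiv tar file` task sets `validate_certs: False` and has no `checksum:`, so the netplugin tarball is fetched from `contiv_download_url` with neither TLS verification nor integrity checking before its binaries are symlinked into `bin_dir` and started as root systemd services. Turn validation back on and pin the archive: `validate_certs: true` and `checksum: "sha256:<CONTIV_TARBALL_SHA256_PLACEHOLDER>"` (a `contiv_download_checksum` variable next to `contiv_version` would fit the role's style). `mode: 0755` is an unquoted octal that YAML 1.1 loaders read as the integer 493; Ansible tolerates it, but `mode: "0755"` is the documented form. The `Install bzip2` task name also lacks the `Download Bins |` prefix its neighbours use.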
diff --git a/roles/contiv/tasks/main.yml b/roles/contiv/tasks/main.yml
new file mode 100644
index 000000000..40a0f9e61
--- /dev/null
+++ b/roles/contiv/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Ensure bin_dir exists
+ file:
+ path: "{{ bin_dir }}"
+ recurse: yes
+ state: directory
+
+- include: download_bins.yml
+
+- include: netmaster.yml
+ when: contiv_role == "netmaster"
+
+- include: netplugin.yml
+ when: contiv_role == "netplugin"
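Review bot: `recurse: yes` on `Ensure bin_dir exists` is not needed to create a directory; with `state: directory` it only makes Ansible walk everything already under `bin_dir`, which is wasted work here and could touch unrelated files if `bin_dir` points at a shared location. Dropping `recurse: yes` reduces the task to a plain mkdir. A `contiv_role` value other than `netmaster`/`netplugin` silently downloads the binaries and then does nothing; an `assert` that `contiv_role in ['netmaster', 'netplugin']` at the top of this file would make a typo in the inventory fail fast.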
diff --git a/roles/contiv/tasks/netmaster.yml b/roles/contiv/tasks/netmaster.yml
new file mode 100644
index 000000000..5057767b8
--- /dev/null
+++ b/roles/contiv/tasks/netmaster.yml
@@ -0,0 +1,65 @@
+---
+- include: netmaster_firewalld.yml
+ when: has_firewalld
+
+- include: netmaster_iptables.yml
+ when: not has_firewalld and has_iptables
+
+- name: Netmaster | Check is /etc/hosts file exists
+ stat:
+ path: /etc/hosts
+ register: hosts
+
+- name: Netmaster | Create hosts file if it is not present
+ file:
+ path: /etc/hosts
+ state: touch
+ when: not hosts.stat.exists
+
+- name: Netmaster | Build hosts file
+ lineinfile:
+ dest: /etc/hosts
+ regexp: .*netmaster$
+ line: "{{ hostvars[item]['ansible_' + netmaster_interface].ipv4.address }} netmaster"
+ state: present
+ when: hostvars[item]['ansible_' + netmaster_interface].ipv4.address is defined
+ with_items: groups['masters']
+
+- name: Netmaster | Create netmaster symlinks
+ file:
+ src: "{{ contiv_current_release_directory }}/{{ item }}"
+ dest: "{{ bin_dir }}/{{ item }}"
+ state: link
+ with_items:
+ - netmaster
+ - netctl
+
+- name: Netmaster | Copy environment file for netmaster
+ template:
+ src: netmaster.env.j2
+ dest: /etc/default/netmaster
+ mode: 0644
+ notify: restart netmaster
+
+- name: Netmaster | Copy systemd units for netmaster
+ template:
+ src: netmaster.service
+ dest: /etc/systemd/system/netmaster.service
+ notify: reload systemd
+
+- name: Netmaster | Enable Netmaster
+ service:
+ name: netmaster
+ enabled: yes
+
+- name: Netmaster | Start Netmaster
+ service:
+ name: netmaster
+ state: started
+ register: netmaster_started
+
+- include: aci.yml
+ when: contiv_fabric_mode == "aci"
+
+- include: default_network.yml
+ when: contiv_default_network == true
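Review bot: The `Build hosts file` task loops over `groups['masters']` but its `regexp: .*netmaster$` always targets the same single line, and `lineinfile` replaces the last matching line, so with more than one master each iteration overwrites the previous one and only the last master's address survives in `/etc/hosts`; if a single netmaster is intended, loop over just that host, and if several are, each needs its own alias. `with_items: groups['masters']` is a bare variable that Ansible only accepts with a deprecation warning; write `with_items: "{{ groups['masters'] }}"`. `when: contiv_default_network == true` compares against a literal and misbehaves for string values from the inventory; `when: contiv_default_network | bool` is the usual form. Minor: `mode: 0644` should be quoted as `"0644"`, and the task name `Check is /etc/hosts file exists` reads as `Check if`.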
diff --git a/roles/contiv/tasks/netmaster_firewalld.yml b/roles/contiv/tasks/netmaster_firewalld.yml
new file mode 100644
index 000000000..2975351ac
--- /dev/null
+++ b/roles/contiv/tasks/netmaster_firewalld.yml
@@ -0,0 +1,16 @@
+---
+- name: Netmaster Firewalld | Open Netmaster port
+ firewalld:
+ port: "{{ netmaster_port }}/tcp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netmaster Firewalld | Save Netmaster port
+ firewalld:
+ port: "{{ netmaster_port }}/tcp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
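Review bot: `ignore_errors: yes` on both tasks hides every failure of the firewalld module, not just the "firewalld turned off" case the comment describes — a typo in `netmaster_port` or a rejected rule is swallowed and the netmaster then appears unreachable with no play error pointing at the cause. Since this file is already included only `when: has_firewalld` in netmaster.yml, the blanket ignore is probably unnecessary; if a stopped daemon still has to be tolerated, `register` the result and use `failed_when` to let through only the specific not-running error. The same pattern appears in netplugin_firewalld.yml. The runtime and permanent tasks can also be collapsed into one task with `permanent: true` plus `immediate: true`.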
diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml
new file mode 100644
index 000000000..2d0fb95ae
--- /dev/null
+++ b/roles/contiv/tasks/netmaster_iptables.yml
@@ -0,0 +1,21 @@
+---
+- name: Netmaster IPtables | Get iptables rules
+ command: iptables -L --wait
+ register: iptablesrules
+ always_run: yes
+
+- name: Netmaster IPtables | Enable iptables at boot
+ service:
+ name: iptables
+ enabled: yes
+ state: started
+
+- name: Netmaster IPtables | Open Netmaster with iptables
+ command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
+ with_items:
+ - "{{ netmaster_port }}"
+ - "{{ contiv_rpc_port1 }}"
+ - "{{ contiv_rpc_port2 }}"
+ - "{{ contiv_rpc_port3 }}"
+ when: iptablesrules.stdout.find("contiv") == -1
+ notify: Save iptables rules
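Review bot: The guard `when: iptablesrules.stdout.find("contiv") == -1` on `Open Netmaster with iptables` is all-or-nothing: once any one of the four ports has a `contiv`-commented rule the whole loop is skipped, so a port added later, or a partially applied earlier run, is never reconciled. The `iptables` module (`chain: INPUT`, `protocol: tcp`, `destination_port: "{{ item }}"`, `jump: ACCEPT`, `comment: contiv`) makes each rule idempotent on its own and removes the need for the `iptables -L` probe and the string match; netplugin_iptables.yml has the same construction. `-I INPUT 1` also places these ACCEPTs ahead of every rule the host already has, including any LOG or DROP rules, which the play cannot know about from here; appending, or inserting after the existing policy rules, would be safer. `always_run: yes` is the pre-2.2 spelling of `check_mode: no`, and the read-only probe should carry `changed_when: false`.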
diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml
new file mode 100644
index 000000000..ec6c72fe9
--- /dev/null
+++ b/roles/contiv/tasks/netplugin.yml
@@ -0,0 +1,121 @@
+---
+- include: netplugin_firewalld.yml
+ when: has_firewalld
+
+- include: netplugin_iptables.yml
+ when: has_iptables
+
+- name: Netplugin | Ensure localhost entry correct in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127\.0\.0\.1.*'
+ line: '127.0.0.1 localhost {{ ansible_hostname }}'
+ state: present
+
+- name: Netplugin | Remove incorrect localhost entry in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^::1. localhost '
+ line: '::1 '
+ state: absent
+
+- include: ovs.yml
+ when: netplugin_driver == "ovs"
+
+- name: Netplugin | Create Netplugin bin symlink
+ file:
+ src: "{{ contiv_current_release_directory }}/netplugin"
+ dest: "{{ bin_dir }}/netplugin"
+ state: link
+
+
+- name: Netplugin | Ensure cni_bin_dir exists
+ file:
+ path: "{{ cni_bin_dir }}"
+ recurse: yes
+ state: directory
+
+- name: Netplugin | Create CNI bin symlink
+ file:
+ src: "{{ contiv_current_release_directory }}/contivk8s"
+ dest: "{{ cni_bin_dir }}/contivk8s"
+ state: link
+
+- name: Netplugin | Copy CNI loopback bin
+ copy:
+ src: loopback
+ dest: "{{ cni_bin_dir }}/loopback"
+ mode: 0755
+
+- name: Netplugin | Ensure kube_plugin_dir and cni/net.d directories exist
+ file:
+ path: "{{ item }}"
+ recurse: yes
+ state: directory
+ with_items:
+ - "{{ kube_plugin_dir }}"
+ - "/etc/cni/net.d"
+
+- name: Netplugin | Ensure contiv_config_dir exists
+ file:
+ path: "{{ contiv_config_dir }}"
+ recurse: yes
+ state: directory
+
+- name: Netplugin | Copy contiv_cni.conf file
+ copy:
+ src: contiv_cni.conf
+ dest: "{{ item }}"
+ with_items:
+ - "{{ kube_plugin_dir }}/contiv_cni.conf"
+ - "/etc/cni/net.d"
+# notify: restart kubelet
+
+- name: Netplugin | Setup contiv.json config for the cni plugin
+ template:
+ src: contiv.cfg.j2
+ dest: "{{ contiv_config_dir }}/contiv.json"
+ notify: restart netplugin
+
+- name: Netplugin | Copy environment file for netplugin
+ template:
+ src: netplugin.j2
+ dest: /etc/default/netplugin
+ mode: 0644
+ notify: restart netplugin
+
+- name: Docker | Make sure proxy setting exists
+ lineinfile:
+ dest: /etc/sysconfig/docker-network
+ regexp: '^https_proxy.*'
+ line: 'https_proxy={{ https_proxy }}'
+ state: present
+ register: docker_updated
+
+- name: Netplugin | Copy systemd unit for netplugin
+ template:
+ src: netplugin.service
+ dest: /etc/systemd/system/netplugin.service
+ notify: reload systemd
+
+- name: systemd reload
+ command: systemctl daemon-reload
+ when: docker_updated|changed
+
+- name: Docker | Restart docker
+ service:
+ name: docker
+ state: restarted
+ when: docker_updated|changed
+
+- name: Netplugin | Enable Netplugin
+ service:
+ name: netplugin
+ enabled: yes
+
+- name: Netplugin | Start Netplugin
+ service:
+ name: netplugin
+ state: started
+ register: netplugin_started
+# notify: restart kubelet
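Review bot: `line: 'https_proxy={{ https_proxy }}'` in `Docker | Make sure proxy setting exists` references `https_proxy` without a default, so on a host with no proxy configured the play stops with an undefined-variable error, whereas download_bins.yml uses `{{ https_proxy|default('') }}` for the same variable; guard the task with `when: https_proxy is defined` (writing `https_proxy=` unconditionally would also trigger a docker restart on every proxy-less node). The firewall includes disagree with netmaster.yml: here `netplugin_iptables.yml` runs on `when: has_iptables` alone, so a firewalld host gets both the firewalld rules and raw iptables inserts; `when: not has_firewalld and has_iptables` matches the netmaster side. `docker_updated|changed` is the filter-style test that later Ansible releases deprecate in favour of `docker_updated is changed`, the two `# notify: restart kubelet` comments are dead configuration, and `mode: 0755`/`0644` should be quoted.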
diff --git a/roles/contiv/tasks/netplugin_firewalld.yml b/roles/contiv/tasks/netplugin_firewalld.yml
new file mode 100644
index 000000000..3aeffae56
--- /dev/null
+++ b/roles/contiv/tasks/netplugin_firewalld.yml
@@ -0,0 +1,34 @@
+---
+- name: Netplugin Firewalld | Open Netplugin port
+ firewalld:
+ port: "{{ netplugin_port }}/tcp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netplugin Firewalld | Save Netplugin port
+ firewalld:
+ port: "{{ netplugin_port }}/tcp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netplugin Firewalld | Open vxlan port
+ firewalld:
+ port: "8472/udp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+ when: contiv_encap_mode == "vxlan"
+
+- name: Netplugin Firewalld | Save firewalld vxlan port for flanneld
+ firewalld:
+ port: "8472/udp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+ when: contiv_encap_mode == "vxlan"
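Review bot: The vxlan rules here open only `8472/udp`, while netplugin_iptables.yml opens both `8472/udp` and `4789/udp`, so the two firewall back-ends expose different port sets for the same encapsulation mode; settle which port Contiv actually uses and express it once as a variable (e.g. `contiv_vxlan_port`) consumed by both files. The task name `Save firewalld vxlan port for flanneld` refers to flanneld, not Contiv, and looks like a leftover from the file this was copied from. As in netmaster_firewalld.yml, `ignore_errors: yes` masks every firewalld failure, and each runtime/permanent pair could be a single task with `permanent: true` and `immediate: true`.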
diff --git a/roles/contiv/tasks/netplugin_iptables.yml b/roles/contiv/tasks/netplugin_iptables.yml
new file mode 100644
index 000000000..8c348ac67
--- /dev/null
+++ b/roles/contiv/tasks/netplugin_iptables.yml
@@ -0,0 +1,29 @@
+---
+- name: Netplugin IPtables | Get iptables rules
+ command: iptables -L --wait
+ register: iptablesrules
+ always_run: yes
+
+- name: Netplugin IPtables | Enable iptables at boot
+ service:
+ name: iptables
+ enabled: yes
+ state: started
+
+- name: Netplugin IPtables | Open Netmaster with iptables
+ command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
+ with_items:
+ - "{{ netmaster_port }}"
+ - "{{ contiv_rpc_port1 }}"
+ - "{{ contiv_rpc_port2 }}"
+ - "{{ contiv_rpc_port3 }}"
+ - "{{ contiv_etcd_port }}"
+ - "{{ kube_master_api_port }}"
+ when: iptablesrules.stdout.find("contiv") == -1
+ notify: Save iptables rules
+
+- name: Netplugin IPtables | Open vxlan port with iptables
+ command: /sbin/iptables -I INPUT 1 -p udp --dport 8472 -j ACCEPT -m comment --comment "vxlan"
+
+- name: Netplugin IPtables | Open vxlan port with iptables
+ command: /sbin/iptables -I INPUT 1 -p udp --dport 4789 -j ACCEPT -m comment --comment "vxlan"
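Review bot: The two `Open vxlan port with iptables` tasks at the end have no `when` and no idempotency check, so every run inserts another duplicate `ACCEPT` at the top of INPUT regardless of `contiv_encap_mode`, and neither notifies `Save iptables rules`, so the rules do not survive a reboot. Add `when: contiv_encap_mode == "vxlan" and iptablesrules.stdout.find("vxlan") == -1` and `notify: Save iptables rules` to both, mirroring the gating in netplugin_firewalld.yml, or switch to the `iptables` module, which is idempotent by itself. The two tasks also share an identical name, which makes `--start-at-task` and log reading ambiguous. `Open Netmaster with iptables` opens `netmaster_port` and `kube_master_api_port` on every netplugin node, not only on masters; if nothing listens there the rules are inert, but it is worth confirming against what actually binds on nodes before widening INPUT.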
diff --git a/roles/contiv/tasks/ovs.yml b/roles/contiv/tasks/ovs.yml
new file mode 100644
index 000000000..0c1b994c7
--- /dev/null
+++ b/roles/contiv/tasks/ovs.yml
@@ -0,0 +1,28 @@
+---
+- include: packageManagerInstall.yml
+ when: source_type == "packageManager"
+ tags:
+ - binary-update
+
+- name: OVS | Configure selinux for ovs
+ command: "semanage permissive -a openvswitch_t"
+
+- name: OVS | Enable ovs
+ service:
+ name: openvswitch
+ enabled: yes
+
+- name: OVS | Start ovs
+ service:
+ name: openvswitch
+ state: started
+ register: ovs_started
+
+- name: OVS | Configure ovs
+ command: "ovs-vsctl set-manager {{ item }}"
+ with_items:
+ - "tcp:127.0.0.1:6640"
+ - "ptcp:6640"
+
+- name: OVS | Configure ovsdb-server
+ command: "ovs-appctl -t ovsdb-server ovsdb-server/add-remote ptcp:6640"
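Review bot: `ovs-vsctl set-manager ... ptcp:6640` and `ovsdb-server/add-remote ptcp:6640` open the OVSDB management socket on TCP 6640 on all interfaces with no authentication, so anyone who can reach the node on that port can rewrite the switch configuration; if only the local netplugin needs it, bind to loopback with `ptcp:6640:127.0.0.1`, and otherwise restrict the port at the firewall (neither netplugin_firewalld.yml nor netplugin_iptables.yml opens 6640, which suggests local-only is the intent). `semanage permissive -a openvswitch_t` switches the entire OVS domain to SELinux permissive; a comment naming the denial this works around would help the next maintainer, and a targeted policy module or `seboolean` change would be narrower. The `command` tasks here have no `changed_when`, so this file reports changes on every run, and `semanage permissive -a` may error once the type is already permissive — a `failed_when` or a `semanage permissive -l` probe would make it re-runnable.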
diff --git a/roles/contiv/tasks/packageManagerInstall.yml b/roles/contiv/tasks/packageManagerInstall.yml
new file mode 100644
index 000000000..2eff1b85f
--- /dev/null
+++ b/roles/contiv/tasks/packageManagerInstall.yml
@@ -0,0 +1,12 @@
+---
+- name: Package Manager | Init the did_install fact
+ set_fact:
+ did_install: false
+
+- include: pkgMgrInstallers/centos-install.yml
+ when: ansible_distribution == "CentOS" and not is_atomic
+
+- name: Package Manager | Set fact saying we did CentOS package install
+ set_fact:
+ did_install: true
+ when: ansible_distribution == "CentOS"
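Review bot: `Set fact saying we did CentOS package install` sets `did_install: true` on `ansible_distribution == "CentOS"` alone, while the include it reports on is gated on `ansible_distribution == "CentOS" and not is_atomic`, so on a CentOS Atomic host the fact claims an install that never ran. Mirror the condition: `when: ansible_distribution == "CentOS" and not is_atomic`. Alternatively let centos-install.yml set the fact as its last task, which removes the duplicated condition altogether.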
diff --git a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
new file mode 100644
index 000000000..51c3d35ac
--- /dev/null
+++ b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
@@ -0,0 +1,33 @@
+---
+- name: PkgMgr CentOS | Install net-tools pkg for route
+ yum:
+ pkg=net-tools
+ state=latest
+
+- name: PkgMgr CentOS | Get openstack kilo rpm
+ get_url:
+ url: https://repos.fedorapeople.org/repos/openstack/openstack-kilo/rdo-release-kilo-2.noarch.rpm
+ dest: /tmp/rdo-release-kilo-2.noarch.rpm
+ validate_certs: False
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+ tags:
+ - ovs_install
+
+- name: PkgMgr CentOS | Install openstack kilo rpm
+ yum: name=/tmp/rdo-release-kilo-2.noarch.rpm state=present
+ tags:
+ - ovs_install
+
+- name: PkgMgr CentOS | Install ovs
+ yum:
+ pkg=openvswitch
+ state=latest
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+ tags:
+ - ovs_install
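Review bot: `Get openstack kilo rpm` downloads a repository-release RPM with `validate_certs: False` and no `checksum:`, and the next task installs it as root; a substituted or stale RPM brings with it the repository definition that every later `yum` install on the host then trusts. Set `validate_certs: true` and add `checksum: "sha256:<RDO_RELEASE_RPM_SHA256_PLACEHOLDER>"`, or install the release package from an already GPG-checked repository instead of a `/tmp` download. The `yum:` blocks written as `pkg=net-tools` / `state=latest` on separate lines fold into one `key=value` string, which works by accident; use `name: net-tools` and `state: present` — `latest` upgrades packages on every run, which is not what a reproducible install wants.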