diff --git a/ocp-prep/README.md b/ocp-prep/README.md new file mode 100644 index 0000000..2407e8e --- /dev/null +++ b/ocp-prep/README.md 
@@ -0,0 +1,469 @@ +# OCP-Prep Playbook +## Author: Bill Strauss + +OCP-prep was created as a supporting repo to the deployment of OpenShift 3.X, and to house playbooks and roles to be ran prior to an OpenShift 3.X deployment. Its purpose is to automate deployment-preparation tasks, as well as assisting with the streamlining of the OpenShift deployment process. Its core focus is to prepare for an OpenShift 3.X deployment (specifically version 3.11) in a disconnected environment, utilizing a Gluster storage backend, but has some functionality to support other OCP (OpenShift Container Platform) architectures as well. + +## OCP-Prep Tasks + +This repo (currently) includes the following automated tasks: + +- [SSH Key](playbooks/configure_ssh) generation and dissemination. +- [Satellite](playbooks/configure_satellite) subscription/registration. +- Installation of OpenShift-specific and additional/recommended [Packages](playbooks/package_install). +- Preparing for an OCP deployment in a [FIPS](playbooks/FIPS_env_preparation) enabled environment. This includes changes to both the bastion/ansible host as well as the nodes within the OCP cluster. +- Configuration of [OCP storage](playbooks/configure_ocp_storage), including wiping specified drives, creating/mounting filesystems, etc.. +- Configuration of [Docker storage](playbooks/configure_docker_storage). +- Configuration of [rsyslog](playbooks/configure_rsyslog) for OCP advanced auditing. +- Initial configuration of [htpasswd](playbooks/configure_htpasswd), including generating username/password hash and incorporating these values into the inventory file, in preparation for using htpasswd authentication as part of the OCP deployment. + +## Inventory Options + +**Note:** Most of the important variables are included in "inventories/"your env"/group_vars/all.yml" and will be described, in detail, in their respective sections below. 
Locations of additional variables (if any), are also addressed/highlighted in their respective sections below. + +**Note:** Within the file mentioned above, each task has a True/False Boolean to indicate which task(s) to perform. If not specified, they all default to "False", meaning they will not be included/ran when the playbook is implemented unless otherwise specified as an "-e" variable entered at the time the command is ran. + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/OpenShift_deploy_prep.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/OpenShift_deploy_prep.yml --ask-pass +``` + +## Primary Prerequisites + +A complete and properly structured inventory/hosts file must exist. See OCP installation documentation for details on how to build an OCP inventory file. + +All nodes in the OCP cluster must be identified in the inventory file, and be included in their respective groups in the inventory file. + +All nodes in the OCP cluster must be online and accessible. + +SSH handshake must be accepted, and their respective host keys added to .ssh/known_hosts file on the bastion/ansible host, for each node specified in the inventory file. + +If OCP Advanced Auditing is to be deployed, the location of the adv-audit.yaml file must be specified in your inventory file (a default/example adv-audit.yaml file is provided at (./files/adv-audit.yaml). Proper structure for the auditing portion of your inventory file can be found in the [Advanced Auditing](https://docs.OpenShift.com/container-platform/3.11/install_config/master_node_configuration.html#master-node-config-advanced-audit) portion of the Red Hat OpenShift documentation. 
+ +# SSH Keygen Playbook + +This playbook calls/runs the roles and tasks necessary to generate the ssh keys for the bastion/ansible host (if it doesn't exist) and disseminate the pubkey to all hosts in the OCP cluster. + +## Prerequisites + +Same as the primary prerequisites. + +## Roles/Tasks + +main role + +This role calls the main task + +main task + +This task calls the individual tasks listed below + +ssh\_dir\_create task + +This task will create the /home/current_user/.ssh directory if it doesn't exist + +ssh\_keygen task + +This task will generate the ssh key for the current user on localhost + +distribute\_ssh\_pubkey task + +This task will copy the newly created (or preexisting) ssh pubkey to the .ssh directory on the remote hosts. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|copy\_ssh\_keys|Run this play|false| +|ansible\_ssh\_user|User that will ssh to remote hosts|| +|ssh\_key\_size|Byte length of ssh key|| + +## Additional variables + +The user's .ssh directory location is specified in the "vars/main.yml" file for this role; however, this shouldn't ever need to be changed. + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/configure_ssh/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_ssh/main.yml --ask-pass +``` + +# Satellite Subscription/Registration Playbook +This playbook calls/runs the roles and tasks necessary to register all of the OpenShift nodes with a satellite server. It also cleans the repos and performs an update on each node. + +## Prerequisites + +Same as the primary prerequisites. + +If registering with RH Subscription Manager or a Satellite server that requires credentials, you will need to include them using the username/password variables specified below. 
+ +## Roles/Tasks + +main role + +This role calls the main task + +main task + +This task will obtain the necessary satellite packages when a hostname is defined. It then unregisters from the default satellite and then is registered to the new satellite. Lastly, it performs an update on the nodes and cleans temp files created during the task. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|rhsm\_register|Run this play|false| +|rhsm\_server\_hostname|Satellite server hostname|| +|disable\_pkg\_authenticity\_verification|Dictates if gpgcheck should be disabled|no| +|rhsm\_org\_id|The org id|| +|rhsm\_activation\_key|The activation key|| + +## Additional variables + +Within the roles/configure_satellite/tasks/main.yml file, a number of additional optional variables are available for further customization. These include: + +| Name | Description | Default| +|---|---|---| +|rhsm\_username|Username|omit| +|rhsm\_password|Password|omit| +|rhsm\_pool\_ids|Pool IDs|omit| +|rhsm\_pool|Pool(s)|omit| + +Within the roles/configure_satellite/vars/main.yml file, the location to store the temporary file created during this task, is specified. This is named "satellite\_server\_rpm\_tmp\_dir" and is originally set to "/tmp/". + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/configure_satellite/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_satellite/main.yml --ask-pass +``` + +# Package Install Playbook + +This playbook calls/runs the roles and tasks necessary to install various common, required and useful packages on the OCP cluster hosts as well as localhost. + +## Prerequisites + +Same as the primary prerequisites. 
+ +## Roles/Tasks + +main role + +This role calls the main task + +main task + +This task calls the individual tasks listed below + +package_install task + +This task installs the necessary packages on localhost and the OCP cluster hosts. + +yum_update task + +This task updates localhost and the OCP cluster hosts. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|package_install|Run this play|false| + +## Additional variables + +Within the roles/package_install/vars/main.yml file, you'll also find the following two variables: + +| Name | Description | Default| +|---|---|---| +|localhost\_prep\_pkg\_list|List of packages to be installed on the localhost|| +|nodes\_prep\_pkg\_list|List of packages to be installed on the OCP cluster hosts|| + +The remaining variable in that file can be ignored as it shouldn't be changed. + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/package_install/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/package_install/main.yml --ask-pass +``` + +# FIPS Environment Preparation Playbook + +This playbook calls/runs the roles and tasks necessary to prepare the environment for an OpenShift/Gluster deployment in a "FIPS enabled" environment. + +## Prerequisites + +Same as the primary prerequisites. + +Should only need to be ran in an environment with FIPS enabled. + +## Roles/Tasks + +main role + +This role calls the main task + +main task + +This task will apply a number of fixes on each host in the OCP cluster, to address issues that may arise in a "FIPS enabled environment. 
These tasks include: +- Disabling and stopping the "named" service if present +- Addressing a missing SELinux Policy +- Enabling IPv4 IP Forwarding + +It then calls the following task + +update\_local\_install\_files task + +This task will apply a number of "FIPS-related" fixes on the localhost, including: +- Replacing references to older encryption algorithms within certain config files referenced/utilized during an OCP deployment +- Disabling CHAPS authentication within the block storage class template file + +## Group_Vars/all.yml variables + +|update\_ocp\_for\_fips\_env|Run this play|false| + +## Additional variables + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/FIPS_env_preparation/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/FIPS_env_preparation/main.yml --ask-pass +``` + +# OCP Storage Preparation Playbook + +This playbook calls/runs the roles and tasks necessary to prepare the storage partitions for an OCP deployment with Gluster storage. + +## Prerequisites + +Same as the primary prerequisites. + +## Roles/Tasks + +main role + +This role first prompts the user (twice) requesting that they confirm they want to wipe the storage partitions specified in the variables below, in preparation for an OCP deployment. + +If the user indicates they would like to proceed with the storage partition wipe, the following task is called + +wipe_storage task + +This task will wipe all of the partitions indicated in the "docker\_storage\_disk" (on all OCP hosts) and the "gluster\_storage\_disks" (only on hosts in storage group) variables. + +Regardless of the answers to the prompts discussed above, the main role then calls the main task. 
+ +main task + +This task will perform the following, with different variations depending on whether or not the host is included in the "etcd" group: +- Create "sysvg" volume group (if it doesn't exist) +- Create etcd/origin logical volumes +- Create etcd/origin filesystems +- Create etcd/origin mountpoints +- Mount etcd/origin filesystems +- Update "container\_file\_t" SELinux policy + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|configure\_ocp\_storage|Run this play|false| +|sysvg_pv|Physical volume on which to create the sysvg volume group and the logical volumes/filesystems created therein|| +|docker\_storage\_disk|Disk that will be used for docker storage on all nodes (typically "/dev/sdb" though this may be different in your environment)|| +|gluster\_storage\_disks|Disk that will be used for Gluster storage on storage nodes|| +|etcd\_lv\_size|Size of ETCD logical volume created on all "etcd" nodes|| +|node\_origin\_lv\_size|Size of ORIGIN logical volume created on all nodes EXCEPT etcd nodes|| +|etcd\_origin\_lv\_size|Size of ORIGIN logical volume created on all ETCD nodes|| + +## Additional variables + + +## Playbook execution + +```bash +> ansible-playbook -i playbooks/configure_ocp_storage/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_ocp_storage/main.yml --ask-pass +``` + +# Docker Storage Preparation Playbook + +This playbook calls/runs the roles and tasks necessary to configure and install docker storage. + +## Prerequisites + +Same as the primary prerequisites. + +## Roles/Tasks + +main role + +This role calls the main task + +main task + +This task first calls and runs the below task "docker_install". Afterwards, it configures the "/etc/sysconfig/docker-storage-setup" file, and then proceeds to setup docker storage. Finally, it enables and restarts the docker service. 
+ +docker_install task + +This task installs the version of docker specified in the "docker\_version" variable discussed below. If no version is specified, it will install the latest version of docker. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|configure\_docker\_storage|Run this play|false| + +## Additional variables + +Within the roles/package_install/vars/main.yml file, there is an additional variable "docker\_version", specifying the version of docker to install. As this is item is specific to the version of OCP being deployed, care should be taken to ensure that the version specified in this variable is compatible with the version (major & minor) of OCP being deployed. + +## Playbook execution + +```bash +> ansible-playbook -i playbooks/configure_docker_storage/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_docker_storage/main.yml --ask-pass +``` + +# rsyslog Configuration Playbook + +This playbook will first ensure that all additional rsyslog config files are included via the rsyslog.conf file on each of the master hosts. It then ensures the rsyslog.d directory exists. Lastly, it then generates an rsyslog additional config file from template which is meant to account for OCP audit log configuration. This file is then distributed to the hosts "rsyslog.d/" directory in the "masters" group in the OCP inventory file. + +## Prerequisites + +Same as the primary prerequisites. + +## Roles/Tasks + +main role + +This role calls the main task. + +main task + +This task performs all of the items mentioned above. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|configure_rsyslog|Run this play|false| + +## Additional variables + +All of the variables used to populate the ocp-audit.conf rsyslog config file are specified in defaults/main.yml. 
These can be changed if necessary, but the variables and their defaults are as follows: + +| Name | Default| +|---|---| +|rsyslog\_ocp\_audit\_log\_input\_file\_name|/var/log/origin/audit-ocp.log| +|rsyslog\_ocp\_audit\_log\_input\_file\_tag|audit_ocp| +|rsyslog\_ocp\_audit\_log\_input\_file\_state\_file|audit-log| +|rsyslog\_ocp\_audit\_log\_input\_file\_facility|local6| + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/configure_rsyslog/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_rsyslog/main.yml --ask-pass +``` + +# htpasswd Initial Configuration Playbook + +This playbook calls/runs the roles and tasks which first prompts the user to enter username(s) (comma delimited), subsequently prompting the user to enter passwords for each of the previously entered usernames), to be configured as authenticated users for OpenShift. After the user enters the user(s) and passwords, this script will generate the password hashes, and both generate the htpasswd file, and create and insert the "OpenShift\_master\_htpasswd\_file" variable into the specified inventory file, pointing to the htpasswd file that was just generated. If any changes are made to the rsyslog config throughout this play, a handler is notified to restart rsyslog after the play has completed. + +## Prerequisites + +Same as the primary prerequisites. + +## Roles/Tasks + +main role + +This role calls the main task. + +main task + +This task creates the empty htpasswd file in a temporary location. Then, using the username(s)/passwords provided by the user, it generates the password hash(es) and populates the temporary htpasswd file with this data. 
Lastly, it will enter the "OpenShift\_master\_htpasswd\_file" variable into the specified inventory file, pointing it to this temporary htpasswd file, to be referenced during the OCP deployment. + +## Group_Vars/all.yml variables + +| Name | Description | Default| +|---|---|---| +|configure\_htpasswd|Run this play|false| +|ocp\_inventory\_file|Full path of the OCP inventory file|| + +## Additional variables + +The variable for the temporary location of the htpasswd file that will be created on the localhost is specified in the vars/main.yml file as "htpasswd\_file", defaults to "/tmp/htpasswd" and generally shouldn't need to be changed. + +## Playbook execution + +If password authentication is NOT required to access the nodes: + +```bash +> ansible-playbook -i playbooks/configure_htpasswd/main.yml +``` + +If password authentication IS required to access any OCP nodes AND the "ssh keygen" playbook has yet to be run: + +```bash +> ansible-playbook -i playbooks/configure_htpasswd/main.yml --ask-pass +``` + +## Complete Production Installation Documentation: + +- [OpenShift Container Platform](https://docs.OpenShift.com/container-platform/3.11/install/index.html) +- [OKD](https://docs.okd.io/3.11/install/index.html) (formerly OpenShift Origin) diff --git a/ocp-prep/ansible.cfg b/ocp-prep/ansible.cfg new file mode 100644 index 0000000..6347eee --- /dev/null +++ b/ocp-prep/ansible.cfg @@ -0,0 +1,4 @@ +[defaults] +ansible_ssh_user = +become_user = root +ansible_become = true diff --git a/ocp-prep/files/adv-audit.yaml b/ocp-prep/files/adv-audit.yaml new file mode 100644 index 0000000..c941626 --- /dev/null +++ b/ocp-prep/files/adv-audit.yaml 
@@ -0,0 +1,29 @@ +apiVersion: audit.k8s.io/v1beta1 +kind: Policy +rules: + + # Do not log node communications or from system service accounts + - level: None + userGroups: ["system:nodes", "system:serviceaccounts"] + resources: + + # Do not log from kub-system accounts + - level: None + users: + - system:apiserver + - system:kube-scheduler + - system:volume-scheduler + - system:kube-controller-manager + - system:node + - system:openshift-master + + # Do not log these read-only URLs + - level: None + nonResourceURLs: + - /healthz* + - /version + - /swagger* + + # A catch-all rule to log all other requests at the metadata level + - level: Metadata + diff --git a/ocp-prep/inventories/development/group_vars/all.yml b/ocp-prep/inventories/development/group_vars/all.yml new file mode 100644 index 0000000..91d6626 --- /dev/null +++ b/ocp-prep/inventories/development/group_vars/all.yml 
@@ -0,0 +1,57 @@ +##SSH configuration ## +copy_ssh_keys: false +ansible_ssh_user: +ssh_key_size: 2048 + + +## Satellite configuration ## +# Register nodes to satellite +rhsm_register: true +rhsm_server_hostname: "satsrv.example.com" +# Enable/Disable gpgcheck +disable_pkg_authenticity_verification: yes +rhsm_org_id: "" +rhsm_activation_key: "" +rhsm_force_register: false + + +## Package installation +package_install: true + + +## Prepare OCP cluster and configs for deployment in FIPS enabled environment +update_ocp_for_fips_env: true + + +## OCP storage configuration +##### BE CAREFUL!! ###### +##### Setting below value to "True" WILL WIPE whatever drives are specified in the subsequent variables, assuming you answer "yes" to both confirmation prompts!! ##### +configure_ocp_storage: true +# Physical volume on which to create the sysvg volume group and the logical volumes/filesystems created therein +sysvg_pv: "/dev/sda3" +# Disk that will be used for docker storage on all nodes (typically "/dev/sdb" though this may be different in your environment) +docker_storage_disk: "/dev/sdb" +# Disk that will be used for gluster storage on storage nodes +gluster_storage_disks: +- /dev/sdc +#- /dev/sdd +# Size of ETCD logical volume created on all "etcd" nodes +etcd_lv_size: 10G +# Size of ORIGIN logical volume created on all nodes EXCEPT etcd nodes +node_origin_lv_size: 50G +# Size of ORIGIN logical volume created on all ETCD nodes +etcd_origin_lv_size: 25G + + +## Setup docker storage +configure_docker_storage: true + + +## Configure rsyslog for OCP advanced auditing +configure_rsyslog: true + + +## Generate Username/Password hash and add to (and create) local htpasswd file to be referenced by OpenShift deployment process +configure_htpasswd: false +# Path/Filename of OCP inventory file +ocp_inventory_file: '//ocp-prep/inventories//hosts' diff --git a/ocp-prep/inventories/development/hosts b/ocp-prep/inventories/development/hosts new file mode 100644 index 0000000..e69de29 
diff --git a/ocp-prep/inventories/production/group_vars/all.yml b/ocp-prep/inventories/production/group_vars/all.yml new file mode 100644 index 0000000..91d6626 --- /dev/null +++ b/ocp-prep/inventories/production/group_vars/all.yml 
@@ -0,0 +1,57 @@ +##SSH configuration ## +copy_ssh_keys: false +ansible_ssh_user: +ssh_key_size: 2048 + + +## Satellite configuration ## +# Register nodes to satellite +rhsm_register: true +rhsm_server_hostname: "satsrv.example.com" +# Enable/Disable gpgcheck +disable_pkg_authenticity_verification: yes +rhsm_org_id: "" +rhsm_activation_key: "" +rhsm_force_register: false + + +## Package installation +package_install: true + + +## Prepare OCP cluster and configs for deployment in FIPS enabled environment +update_ocp_for_fips_env: true + + +## OCP storage configuration +##### BE CAREFUL!! ###### +##### Setting below value to "True" WILL WIPE whatever drives are specified in the subsequent variables, assuming you answer "yes" to both confirmation prompts!! ##### +configure_ocp_storage: true +# Physical volume on which to create the sysvg volume group and the logical volumes/filesystems created therein +sysvg_pv: "/dev/sda3" +# Disk that will be used for docker storage on all nodes (typically "/dev/sdb" though this may be different in your environment) +docker_storage_disk: "/dev/sdb" +# Disk that will be used for gluster storage on storage nodes +gluster_storage_disks: +- /dev/sdc +#- /dev/sdd +# Size of ETCD logical volume created on all "etcd" nodes +etcd_lv_size: 10G +# Size of ORIGIN logical volume created on all nodes EXCEPT etcd nodes +node_origin_lv_size: 50G +# Size of ORIGIN logical volume created on all ETCD nodes +etcd_origin_lv_size: 25G + + +## Setup docker storage +configure_docker_storage: true + + +## Configure rsyslog for OCP advanced auditing +configure_rsyslog: true + + +## Generate Username/Password hash and add to (and create) local htpasswd file to be referenced by OpenShift deployment process +configure_htpasswd: false +# Path/Filename of OCP inventory file +ocp_inventory_file: '//ocp-prep/inventories//hosts' diff --git a/ocp-prep/inventories/production/hosts b/ocp-prep/inventories/production/hosts new file mode 100644 index 0000000..e69de29 
diff --git a/ocp-prep/inventories/sbx/group_vars/all.yml b/ocp-prep/inventories/sbx/group_vars/all.yml new file mode 100644 index 0000000..91d6626 --- /dev/null +++ b/ocp-prep/inventories/sbx/group_vars/all.yml 
@@ -0,0 +1,57 @@ +##SSH configuration ## +copy_ssh_keys: false +ansible_ssh_user: +ssh_key_size: 2048 + + +## Satellite configuration ## +# Register nodes to satellite +rhsm_register: true +rhsm_server_hostname: "satsrv.example.com" +# Enable/Disable gpgcheck +disable_pkg_authenticity_verification: yes +rhsm_org_id: "" +rhsm_activation_key: "" +rhsm_force_register: false + + +## Package installation +package_install: true + + +## Prepare OCP cluster and configs for deployment in FIPS enabled environment +update_ocp_for_fips_env: true + + +## OCP storage configuration +##### BE CAREFUL!! ###### +##### Setting below value to "True" WILL WIPE whatever drives are specified in the subsequent variables, assuming you answer "yes" to both confirmation prompts!! ##### +configure_ocp_storage: true +# Physical volume on which to create the sysvg volume group and the logical volumes/filesystems created therein +sysvg_pv: "/dev/sda3" +# Disk that will be used for docker storage on all nodes (typically "/dev/sdb" though this may be different in your environment) +docker_storage_disk: "/dev/sdb" +# Disk that will be used for gluster storage on storage nodes +gluster_storage_disks: +- /dev/sdc +#- /dev/sdd +# Size of ETCD logical volume created on all "etcd" nodes +etcd_lv_size: 10G +# Size of ORIGIN logical volume created on all nodes EXCEPT etcd nodes +node_origin_lv_size: 50G +# Size of ORIGIN logical volume created on all ETCD nodes +etcd_origin_lv_size: 25G + + +## Setup docker storage +configure_docker_storage: true + + +## Configure rsyslog for OCP advanced auditing +configure_rsyslog: true + + +## Generate Username/Password hash and add to (and create) local htpasswd file to be referenced by OpenShift deployment process +configure_htpasswd: false +# Path/Filename of OCP inventory file +ocp_inventory_file: '//ocp-prep/inventories//hosts' diff --git a/ocp-prep/inventories/sbx/hosts b/ocp-prep/inventories/sbx/hosts new file mode 100644 index 0000000..e69de29 
diff --git a/ocp-prep/playbooks/FIPS_env_preparation/main.yml b/ocp-prep/playbooks/FIPS_env_preparation/main.yml new file mode 100644 index 0000000..f92bcef --- /dev/null +++ b/ocp-prep/playbooks/FIPS_env_preparation/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Prepare for OCP deploy in FIPS environment + hosts: nodes + roles: + - role: FIPS_env_preparation + when: + - update_ocp_for_fips_env|default(false) + tags: + - fips_env diff --git a/ocp-prep/playbooks/FIPS_env_preparation/roles b/ocp-prep/playbooks/FIPS_env_preparation/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/FIPS_env_preparation/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_docker_storage/main.yml b/ocp-prep/playbooks/configure_docker_storage/main.yml new file mode 100644 index 0000000..5d1656f --- /dev/null +++ b/ocp-prep/playbooks/configure_docker_storage/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Configure Docker storage + hosts: nodes + roles: + - role: configure_docker_storage + when: + - configure_docker_storage|default(false) + tags: + - docker_storage_config diff --git a/ocp-prep/playbooks/configure_docker_storage/roles b/ocp-prep/playbooks/configure_docker_storage/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_docker_storage/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_htpasswd/main.yml b/ocp-prep/playbooks/configure_htpasswd/main.yml new file mode 100644 index 0000000..2bffe9d --- /dev/null +++ b/ocp-prep/playbooks/configure_htpasswd/main.yml 
@@ -0,0 +1,28 @@ +--- + +- name: Generate htpasswd username/password - Prompt + gather_facts: false + hosts: localhost + tags: + - configure_htpasswd + tasks: + + - name: Username prompt + pause: + prompt: "Please enter your htpasswd username(s) (comma separated)" + echo: true + register: username + when: configure_htpasswd|default(false) + + - name: Password prompt + pause: + prompt: "Please enter your htpasswd password for user {{ item }}" + echo: false + register: passwords + with_items: "{{ username.user_input.split(',') }}" + when: configure_htpasswd|default(false) + + - name: Create and configure local htpasswd file + include_role: + name: configure_htpasswd + when: configure_htpasswd|default(false) diff --git a/ocp-prep/playbooks/configure_htpasswd/roles b/ocp-prep/playbooks/configure_htpasswd/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_htpasswd/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_ocp_storage/main.yml b/ocp-prep/playbooks/configure_ocp_storage/main.yml new file mode 100644 index 0000000..2739e01 --- /dev/null +++ b/ocp-prep/playbooks/configure_ocp_storage/main.yml 
@@ -0,0 +1,42 @@ +--- + +- name: Prepare storage for OCP installation - Prompt + gather_facts: false + hosts: localhost + tags: + - configure_ocp_storage + tasks: + + - name: Confirm storage wipe + pause: + prompt: "Do you want to wipe the Docker and Gluster storage partitions? (yes/no)" + register: wipe_prompt + when: configure_ocp_storage|default(false) + + - name: Re-confirm storage wipe + pause: + prompt: "Please confirm that you want to wipe the Docker and Gluster storage partitions - NOTE: this WILL delete the existing data on these partitions and can NOT be undone!! (yes/no)" + register: confirm_prompt + when: configure_ocp_storage|default(false) and hostvars['localhost'].wipe_prompt.user_input | bool + + - debug: msg="Storage will NOT be wiped" + when: + - configure_ocp_storage|default(false) + - not hostvars['localhost'].wipe_prompt.user_input | bool or not hostvars['localhost'].confirm_prompt.user_input | bool + +- name: Prepare storage for OCP installation + hosts: nodes,etcd,storage + tags: + - configure_ocp_storage + tasks: + + - name: Wipe storage partitions + include_role: + name: configure_ocp_storage + tasks_from: wipe_storage.yml + when: configure_ocp_storage|default(false) and hostvars['localhost'].wipe_prompt.user_input | bool and hostvars['localhost'].confirm_prompt.user_input | bool + + - name: Configure storage + include_role: + name: configure_ocp_storage + when: configure_ocp_storage|default(false) diff --git a/ocp-prep/playbooks/configure_ocp_storage/roles b/ocp-prep/playbooks/configure_ocp_storage/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_ocp_storage/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_rsyslog/main.yml b/ocp-prep/playbooks/configure_rsyslog/main.yml new file mode 100644 index 0000000..39b34d8 --- /dev/null +++ b/ocp-prep/playbooks/configure_rsyslog/main.yml 
@@ -0,0 +1,10 @@ +--- + +- name: Configure rsyslog for ocp advanced auditing + hosts: masters + roles: + - role: configure_rsyslog + when: + - configure_rsyslog|default(false) + tags: + - rsyslog diff --git a/ocp-prep/playbooks/configure_rsyslog/roles b/ocp-prep/playbooks/configure_rsyslog/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_rsyslog/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_satellite/main.yml b/ocp-prep/playbooks/configure_satellite/main.yml new file mode 100644 index 0000000..012579c --- /dev/null +++ b/ocp-prep/playbooks/configure_satellite/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Configure satellite + hosts: nodes + roles: + - role: configure_satellite + when: + - rhsm_register|default(false) + tags: + - configure_rhsm diff --git a/ocp-prep/playbooks/configure_satellite/roles b/ocp-prep/playbooks/configure_satellite/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_satellite/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/configure_ssh/main.yml b/ocp-prep/playbooks/configure_ssh/main.yml new file mode 100644 index 0000000..2f30448 --- /dev/null +++ b/ocp-prep/playbooks/configure_ssh/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Generate and Distribute SSH keys + hosts: nodes + roles: + - role: configure_ssh + when: + - copy_ssh_keys|default(false) + tags: + - configure_ssh diff --git a/ocp-prep/playbooks/configure_ssh/roles b/ocp-prep/playbooks/configure_ssh/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/configure_ssh/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/playbooks/openshift_deploy_prep.yml b/ocp-prep/playbooks/openshift_deploy_prep.yml new file mode 100644 index 0000000..f3042e6 --- /dev/null +++ b/ocp-prep/playbooks/openshift_deploy_prep.yml 
@@ -0,0 +1,17 @@ +--- + +- import_playbook: configure_ssh/main.yml + +- import_playbook: configure_satellite/main.yml + +- import_playbook: package_install/main.yml + +- import_playbook: FIPS_env_preparation/main.yml + +- import_playbook: configure_ocp_storage/main.yml + +- import_playbook: configure_docker_storage/main.yml + +- import_playbook: configure_rsyslog/main.yml + +- import_playbook: configure_htpasswd/main.yml diff --git a/ocp-prep/playbooks/package_install/main.yml b/ocp-prep/playbooks/package_install/main.yml new file mode 100644 index 0000000..d966f55 --- /dev/null +++ b/ocp-prep/playbooks/package_install/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Ensure required packages are installed + hosts: nodes + roles: + - role: package_install + when: + - package_install|default(false) + tags: + - package_install diff --git a/ocp-prep/playbooks/package_install/roles b/ocp-prep/playbooks/package_install/roles new file mode 120000 index 0000000..148b132 --- /dev/null +++ b/ocp-prep/playbooks/package_install/roles @@ -0,0 +1 @@ +../../roles/ \ No newline at end of file diff --git a/ocp-prep/roles/FIPS_env_preparation/defaults/main.yml b/ocp-prep/roles/FIPS_env_preparation/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/FIPS_env_preparation/files/main.yml b/ocp-prep/roles/FIPS_env_preparation/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/FIPS_env_preparation/handlers/main.yml b/ocp-prep/roles/FIPS_env_preparation/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/FIPS_env_preparation/tasks/main.yml b/ocp-prep/roles/FIPS_env_preparation/tasks/main.yml new file mode 100644 index 0000000..755900c --- /dev/null +++ b/ocp-prep/roles/FIPS_env_preparation/tasks/main.yml 
@@ -0,0 +1,57 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # # all of these tasks require elevated privileges +- block: + + # Disable and Stop the named service + - name: Disable and Stop the named service + service: + name: named + enabled: no + state: stopped + ignore_errors: yes + + # Address an issue associated with certain missing SELinux policies + - name: Address Missing SELinux Policy issue (uninstall container-selinux) + yum: + name: container-selinux + state: absent + register: result + until: result is succeeded + ignore_errors: yes + + - name: Address Missing SELinux Policy issue (reinstall/update container-selinux) + yum: + name: container-selinux + state: latest + register: result + until: result is succeeded + + - name: Address Missing SELinux Policy issue (ensure no incomplete/aborted yum transactions) + shell: yum-complete-transaction -y + + - name: Address Missing SELinux Policy issue (add missing SELinux policies) + shell: | + semodule -n -s targeted -d container ; load_policy + semodule -n -s targeted -e container ; load_policy + + # Enable IPv4 IP Forwarding on all OCP machines. This addresses an issue caused by Hardening/Security that disables it by default. + - name: Enable IPv4 IP Forwarding (update sysctl.conf file) + lineinfile: + path: /etc/sysctl.conf + regexp: '^(.*)net.ipv4.ip_forward \= 0$' + line: 'net.ipv4.ip_forward = 1' + state: present + backup: yes + + - name: Enable IPv4 IP Forwarding (update active session) + shell: | + sysctl -w net.ipv4.ip_forward=1 + + become: True + +# Change encryption algorithm value in three key config files required by OCP installation, from MD5 to SHA256 as required by Hardening/Security policies. +- import_tasks: update_local_install_files.yml + delegate_to: localhost + run_once: true 
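Review bot: in roles/FIPS_env_preparation/tasks/main.yml the two "Enable IPv4 IP Forwarding" tasks (a `lineinfile` on /etc/sysctl.conf plus `shell: sysctl -w net.ipv4.ip_forward=1`) are better expressed as one idempotent `sysctl` module task, e.g. `sysctl: name=net.ipv4.ip_forward value=1 sysctl_set=yes state=present reload=yes`; the current regexp only matches `net.ipv4.ip_forward = 0` with exactly those spaces, so a hardening profile that wrote `net.ipv4.ip_forward=0` is left in place and a second, conflicting line is appended at EOF. The `semodule -d ... ; load_policy` / `semodule -e ... ; load_policy` and `yum-complete-transaction -y` shell tasks run and report changed on every invocation; add a `changed_when` or a guard, or state in the README that this role is one-shot. Minor: the header comment `# # # all of these tasks require elevated privileges` carries stray `# #` prefixes (the same copy-paste appears in the other roles' main.yml).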
diff --git a/ocp-prep/roles/FIPS_env_preparation/tasks/update_local_install_files.yml b/ocp-prep/roles/FIPS_env_preparation/tasks/update_local_install_files.yml new file mode 100644 index 0000000..ffff5d0 --- /dev/null +++ b/ocp-prep/roles/FIPS_env_preparation/tasks/update_local_install_files.yml 
@@ -0,0 +1,60 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # # all of these tasks require elevated privileges +- block: + + # Change encryption algorithm value in three key config files required by OCP installation, from MD5 to SHA256 as required by Hardening/Security policies. + - name: "Address invalid encryption algorithm value (Comment out old hex_md5 line in digests file)" + delegate_to: localhost + lineinfile: + path: /usr/lib/python2.7/site-packages/passlib/handlers/digests.py + regexp: 'hex_md5 = create_hex_hash\(hashlib.md5, "md5"\)' + line: '#hex_md5 = create_hex_hash(hashlib.md5, "md5")' + state: present + backup: yes + + - name: "Address invalid encryption algorithm value (Add new hex_md5 line in digests.py file)" + delegate_to: localhost + lineinfile: + path: /usr/lib/python2.7/site-packages/passlib/handlers/digests.py + insertafter: '#hex_md5 = create_hex_hash\(hashlib.md5, "md5"\)' + line: 'hex_md5 = create_hex_hash(hashlib.sha256, "sha256")' + state: present + + - name: "Address invalid encryption algorithm value (Update hashlib.md5 line in digests.py file)" + delegate_to: localhost + lineinfile: + path: /usr/lib/python2.7/site-packages/passlib/handlers/digests.py + regexp: '^(.*)return hashlib.md5\(data\).hexdigest\(\)$' + line: '\1return hashlib.sha256(data).hexdigest()' + backrefs: yes + + - name: "Address invalid encryption algorithm value (Update crypt_scheme line in htpasswd.py file)" + delegate_to: localhost + lineinfile: + path: /usr/lib/python2.7/site-packages/ansible/modules/web_infrastructure/htpasswd.py + regexp: '^(.*)crypt_scheme=dict\(required=False, default="apr_md5_crypt"\),$' + line: '\1crypt_scheme=dict(required=False, default="des_crypt"),' + backrefs: yes + backup: yes + + - name: "Address invalid encryption algorithm value (Update openshift_client_binary line in stream_secrets.yml file)" + delegate_to: localhost + lineinfile: + path: 
/usr/share/ansible/openshift-ansible/roles/openshift_examples/tasks/stream_secrets.yml + regexp: '^(.*)item.host \| hash\(''md5''\)(.*)$' + line: '\1item.host | hash(''sha256'')\2' + backrefs: yes + backup: yes + + # Disable CHAPS authentication as a workaround for OCS/Gluster storage issue + - name: "Disable CHAPS authentication - Workaround for OCS/Gluster storage issue (update gluster-block-storageclass.yml.j2 file)" + delegate_to: localhost + lineinfile: + path: /usr/share/ansible/openshift-ansible/roles/openshift_storage_glusterfs/templates/gluster-block-storageclass.yml.j2 + regexp: '^(.*)chapauthenabled: "true"$' + line: '\1chapauthenabled: "false"' + backrefs: yes + + become: true diff --git a/ocp-prep/roles/FIPS_env_preparation/templates/main.yml b/ocp-prep/roles/FIPS_env_preparation/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_docker_storage/defaults/main.yml b/ocp-prep/roles/configure_docker_storage/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_docker_storage/files/main.yml b/ocp-prep/roles/configure_docker_storage/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_docker_storage/handlers/main.yml b/ocp-prep/roles/configure_docker_storage/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_docker_storage/tasks/docker_install.yml b/ocp-prep/roles/configure_docker_storage/tasks/docker_install.yml new file mode 100644 index 0000000..fa452d5 --- /dev/null +++ b/ocp-prep/roles/configure_docker_storage/tasks/docker_install.yml @@ -0,0 +1,10 @@ +--- + +# Installs Docker on all OCP machines +- name: Install Docker + become: True + yum: + name: "docker{{ '-' + docker_version if docker_version is defined else '' }}" + state: latest + register: result + until: result is succeeded 
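Review bot: in roles/FIPS_env_preparation/tasks/update_local_install_files.yml the htpasswd.py edit changes the Ansible module's default `crypt_scheme` from `apr_md5_crypt` to `des_crypt`, which is a step down rather than up: DES crypt truncates passwords to 8 characters and is no more FIPS-approved than MD5, and it contradicts the task file's own comment ("from MD5 to SHA256"). Pin `crypt_scheme` explicitly wherever the module is called, pick a scheme both the generator and the OpenShift htpasswd identity provider accept, and document the choice. More broadly, rewriting packaged files under /usr/lib/python2.7/site-packages and /usr/share/ansible/openshift-ansible with `lineinfile` is silently undone by the next package update (roles/package_install/tasks/yum_update.yml in this same patch runs `yum name='*' state=latest`), and redefining `hex_md5` as `create_hex_hash(hashlib.sha256, "sha256")` changes the output for every passlib caller on the bastion, not just openshift-ansible; a check that the edits are still present, or at least a README note, would spare the next operator a confusing failure. Minor: the per-task `delegate_to: localhost` is redundant because tasks/main.yml already applies it through `import_tasks`.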
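Review bot: in roles/configure_docker_storage/tasks/docker_install.yml the `docker_version is defined` branch is effectively dead: roles/configure_docker_storage/vars/main.yml in this same patch sets `docker_version: "1.13.1"`, and role `vars/` take precedence over inventory and group_vars, so an inventory can neither unset nor override the pin. Move the value to `defaults/main.yml` or drop the conditional. Also `state: latest` with a versioned name such as `docker-1.13.1` reads oddly; `state: present` says "pinned" more honestly.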
diff --git a/ocp-prep/roles/configure_docker_storage/tasks/main.yml b/ocp-prep/roles/configure_docker_storage/tasks/main.yml new file mode 100644 index 0000000..41d119c --- /dev/null +++ b/ocp-prep/roles/configure_docker_storage/tasks/main.yml @@ -0,0 +1,41 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # all of these tasks require elevated privileges +- block: + + # Install Docker on all nodes in the OpenShift cluster + - import_tasks: docker_install.yml + + # Initial setup of docker storage config files + - name: Prepare docker-storage-setup config file + lineinfile: + path: /etc/sysconfig/docker-storage-setup + regexp: 'STORAGE_DRIVER=overlay2' + state: absent + backup: yes + + # Initial setup of docker storage config files + - name: Setup docker-storage-setup config file + blockinfile: + dest: /etc/sysconfig/docker-storage-setup + marker: "## {mark} added by ansible" + block: | + DEVS={{ docker_storage_disk }} + VG=docker-vg + state: present + create: yes + + # Continuing docker storage setup + - name: Setup docker storage with docker-storage-setup + shell: "docker-storage-setup" + ignore_errors: yes + + # Enables docker services + - name: Enable docker service + service: + name: docker + enabled: yes + state: restarted + + become: True diff --git a/ocp-prep/roles/configure_docker_storage/templates/main.yml b/ocp-prep/roles/configure_docker_storage/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_docker_storage/vars/main.yml b/ocp-prep/roles/configure_docker_storage/vars/main.yml new file mode 100644 index 0000000..2681d54 --- /dev/null +++ b/ocp-prep/roles/configure_docker_storage/vars/main.yml @@ -0,0 +1 @@ +docker_version: "1.13.1" diff --git a/ocp-prep/roles/configure_htpasswd/defaults/main.yml b/ocp-prep/roles/configure_htpasswd/defaults/main.yml new file mode 100644 index 0000000..e69de29 
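Review bot: in roles/configure_docker_storage/tasks/main.yml, `ignore_errors: yes` on the `docker-storage-setup` shell task followed by an unconditional `state: restarted` means a failed storage setup (wrong `docker_storage_disk`, busy device, leftover signatures) is swallowed and docker is restarted anyway, coming up with whatever storage configuration it finds, often the loopback devicemapper default, with no hint in the play output. Drop `ignore_errors` (or use `failed_when` for specific, known-benign outcomes) and let the play fail. Restarting docker on every run is also not idempotent; use `state: started` here and `notify` a restart handler from the `lineinfile`/`blockinfile` tasks that actually change the config. Both of those tasks carry the identical comment "Initial setup of docker storage config files"; the first one removes `STORAGE_DRIVER=overlay2` and deserves its own comment saying why.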
diff --git a/ocp-prep/roles/configure_htpasswd/files/main.yml b/ocp-prep/roles/configure_htpasswd/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_htpasswd/handlers/main.yml b/ocp-prep/roles/configure_htpasswd/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_htpasswd/tasks/main.yml b/ocp-prep/roles/configure_htpasswd/tasks/main.yml new file mode 100644 index 0000000..7a03030 --- /dev/null +++ b/ocp-prep/roles/configure_htpasswd/tasks/main.yml @@ -0,0 +1,27 @@ +--- + +- name: Create local htpasswd file + file: + path: '{{ htpasswd_file }}' + mode: 0664 + state: touch + +- name: Generate username/password hash + no_log: true + shell: htpasswd -b '{{ htpasswd_file }}' '{{ item.item }}' '{{ item.user_input }}' + loop: "{{ passwords.results }}" + +- name: Comment out the openshift_master_htpasswd_users variable in the inventory file (if it exists) + lineinfile: + path: '{{ ocp_inventory_file }}' + regexp: '^openshift_master_htpasswd_users(.*)$' + line: '#openshift_master_htpasswd_users\1' + backrefs: yes + state: present + +- name: Add htpasswd variable to inventory file (if it doesn't exist) + lineinfile: + path: '{{ ocp_inventory_file }}' + regexp: '^openshift_master_htpasswd_file' + insertafter: '^openshift_master_identity_providers' + line: 'openshift_master_htpasswd_file={{ htpasswd_file }}' diff --git a/ocp-prep/roles/configure_htpasswd/templates/main.yml b/ocp-prep/roles/configure_htpasswd/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_htpasswd/vars/main.yml b/ocp-prep/roles/configure_htpasswd/vars/main.yml new file mode 100644 index 0000000..3b29084 --- /dev/null +++ b/ocp-prep/roles/configure_htpasswd/vars/main.yml @@ -0,0 +1,2 @@ +--- +htpasswd_file: '/tmp/htpasswd' 
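Review bot: in roles/configure_htpasswd/tasks/main.yml the hash file is created with `mode: 0664` at the default path `/tmp/htpasswd` (from vars/main.yml): a group-writable credential file in a world-writable, shared directory on the bastion. Use `mode: 0600`, put it next to the inventory, and make `htpasswd_file` a default rather than a role var so it can be overridden. `state: touch` reports changed on every run; create the file only when a preceding `stat` shows it missing. The `htpasswd -b` call passes no algorithm flag, so it uses the tool's default (the MD5-based apr1 scheme on httpd 2.4's htpasswd); given that the FIPS role in this same patch exists to get rid of MD5, pin the algorithm explicitly so the hashes written here are ones the masters will accept. Finally, `passwords.results` is registered outside this role; document the expected shape (`item.item`, `item.user_input`) in defaults/main.yml or the README.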
diff --git a/ocp-prep/roles/configure_ocp_storage/defaults/main.yml b/ocp-prep/roles/configure_ocp_storage/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ocp_storage/files/main.yml b/ocp-prep/roles/configure_ocp_storage/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ocp_storage/handlers/main.yml b/ocp-prep/roles/configure_ocp_storage/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ocp_storage/tasks/main.yml b/ocp-prep/roles/configure_ocp_storage/tasks/main.yml new file mode 100644 index 0000000..509ae13 --- /dev/null +++ b/ocp-prep/roles/configure_ocp_storage/tasks/main.yml 
@@ -0,0 +1,94 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # all of these tasks require elevated privileges +- block: + + # Create sysvg volume group (if it doesn't exist) + #### !!!! MAKE SURE TO CUSTOMIZE all.yml FILE TO REFLECT DESIRED VG CONFIGURATION !!!! #### + - name: Create sysvg volume group (if it doesn't exist) + lvg: + vg: sysvg + pvs: "{{ sysvg_pv }}" + when: inventory_hostname in groups['nodes'] + ignore_errors: true + # Create etcd logical volume on etcd nodes + - name: Create "{{ etcd_lv_size }}" etcd logical volume on etcd nodes + lvol: + vg: sysvg + lv: ocp-etcd-lv + size: "{{ etcd_lv_size }}" + when: inventory_hostname in groups['etcd'] + # Create origin logical volume on all nodes except etcd + - name: Create "{{ node_origin_lv_size }}" origin logical volume on all nodes except etcd + lvol: + vg: sysvg + lv: ocp-origin-lv + size: "{{ node_origin_lv_size }}" + when: inventory_hostname in groups['nodes'] and inventory_hostname not in groups['etcd'] + # Create origin logical volume on etcd nodes + - name: Create "{{ etcd_origin_lv_size }}" origin logical volume on etcd nodes + lvol: + vg: sysvg + lv: ocp-origin-lv + size: "{{ etcd_origin_lv_size }}" + when: inventory_hostname in groups['etcd'] + # Create etcd filesystem on etcd nodes + - name: Create etcd filesystem on etcd nodes + filesystem: + fstype: xfs + dev: /dev/mapper/sysvg-ocp--etcd--lv + when: inventory_hostname in groups['etcd'] + # Create origin filesystem on all nodes + - name: Create origin filesystem on all nodes + filesystem: + fstype: xfs + dev: /dev/mapper/sysvg-ocp--origin--lv + when: inventory_hostname in groups['nodes'] + # Create etcd mountpoint on etcd nodes + - name: Create etcd mountpoint on etcd nodes + file: + path: /var/lib/etcd + state: directory + when: inventory_hostname in groups['etcd'] + # Create origin mountpoint on all nodes + - name: Create origin mountpoint on all nodes + file: + path: /var/lib/origin + state: directory + when: 
inventory_hostname in groups['nodes'] + # Mount etcd filesystem on etcd nodes + - name: Mount etcd filesystem on etcd nodes + mount: + path: /var/lib/etcd + src: /dev/mapper/sysvg-ocp--etcd--lv + fstype: xfs + opts: defaults + state: mounted + when: inventory_hostname in groups['etcd'] + # Mount origin filesystem on all nodes + - name: Mount origin filesystem on all nodes + mount: + path: /var/lib/origin + src: /dev/mapper/sysvg-ocp--origin--lv + fstype: xfs + opts: defaults + state: mounted + when: inventory_hostname in groups['nodes'] + # Update SELinux policy on all nodes + - name: Update SELinux policy on all nodes + shell: + cmd: | + semanage fcontext -a -t container_file_t '/var/lib/origin' + restorecon -R /var/lib/origin + when: inventory_hostname in groups['nodes'] + # Update SELinux policy on etcd nodes + - name: Update SELinux policy on etcd nodes + shell: + cmd: | + semanage fcontext -a -t container_file_t '/var/lib/etcd' + chcon -R -t container_file_t /var/lib/etcd + restorecon -R /var/lib/etcd + when: inventory_hostname in groups['etcd'] + + become: True diff --git a/ocp-prep/roles/configure_ocp_storage/tasks/wipe_storage.yml b/ocp-prep/roles/configure_ocp_storage/tasks/wipe_storage.yml new file mode 100644 index 0000000..6bc9915 --- /dev/null +++ b/ocp-prep/roles/configure_ocp_storage/tasks/wipe_storage.yml 
@@ -0,0 +1,19 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # all of these tasks require elevated privileges + +- block: + + # Prepare disk for docker storage on all OCP hosts + - name: Prepare disk for docker storage on all OCP hosts + shell: "dd if=/dev/zero of={{ docker_storage_disk }} bs=512 count=2000" + when: inventory_hostname in groups['nodes'] + + # Prepare disk for gluster storage on all storage/OCS hosts + - name: Prepare disks for gluster storage on all storage hosts + shell: "dd if=/dev/zero of={{ item }} bs=512 count=2000" + with_items: "{{ gluster_storage_disks }}" + when: inventory_hostname in groups['storage'] + + become: True diff --git a/ocp-prep/roles/configure_ocp_storage/templates/main.yml b/ocp-prep/roles/configure_ocp_storage/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ocp_storage/vars/main.yml b/ocp-prep/roles/configure_ocp_storage/vars/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_rsyslog/defaults/main.yml b/ocp-prep/roles/configure_rsyslog/defaults/main.yml new file mode 100644 index 0000000..e61fdfb --- /dev/null +++ b/ocp-prep/roles/configure_rsyslog/defaults/main.yml @@ -0,0 +1,7 @@ +--- +# defaults file for rsyslog + +rsyslog_ocp_audit_log_input_file_name: "/var/log/origin/audit-ocp.log" +rsyslog_ocp_audit_log_input_file_tag: "audit_ocp" +rsyslog_ocp_audit_log_input_file_state_file: "audit-log:" +rsyslog_ocp_audit_log_input_file_facility: "local6" diff --git a/ocp-prep/roles/configure_rsyslog/handlers/main.yml b/ocp-prep/roles/configure_rsyslog/handlers/main.yml new file mode 100644 index 0000000..27a8a60 --- /dev/null +++ b/ocp-prep/roles/configure_rsyslog/handlers/main.yml @@ -0,0 +1,10 @@ +--- +# handler file for rsyslog + +- name: restart rsyslog + become: yes + service: + name: "rsyslog" + state: restarted + tags: + - rsyslog 
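Review bot: in roles/configure_rsyslog/defaults/main.yml the value `rsyslog_ocp_audit_log_input_file_state_file: "audit-log:"` ends in a colon, which looks like a leftover from copying a `key: value` line; rsyslog writes the state file under its work directory with that literal name, so use a plain name such as `audit-ocp-state`.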
diff --git a/ocp-prep/roles/configure_rsyslog/tasks/main.yml b/ocp-prep/roles/configure_rsyslog/tasks/main.yml new file mode 100644 index 0000000..ae1e2f8 --- /dev/null +++ b/ocp-prep/roles/configure_rsyslog/tasks/main.yml @@ -0,0 +1,31 @@ +--- +# tasks file to configure rsyslog for OCP Auditing + +- name: Ensure config files in rsyslog.d/ are accounted for in the rsyslog.conf configuration file + become: yes + lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$IncludeConfig \/etc\/rsyslog\.d/\*\.conf' + line: '$IncludeConfig /etc/rsyslog.d/*.conf' + notify: + - restart rsyslog + +- name: Create rsyslog.d configuration directory + become: yes + file: + path: /etc/rsyslog.d + owner: root + group: root + mode: 0755 + state: directory + +- name: Create rsyslog ocp audit configuration file + become: yes + template: + src: 50-ocp-audit.conf.j2 + dest: /etc/rsyslog.d/50-ocp-audit.conf + owner: root + group: root + mode: 0644 + notify: + - restart rsyslog diff --git a/ocp-prep/roles/configure_rsyslog/templates/50-ocp-audit.conf.j2 b/ocp-prep/roles/configure_rsyslog/templates/50-ocp-audit.conf.j2 new file mode 100644 index 0000000..338df51 --- /dev/null +++ b/ocp-prep/roles/configure_rsyslog/templates/50-ocp-audit.conf.j2 @@ -0,0 +1,11 @@ +# {{ ansible_managed }} + +# Module for flat file for openshift audit logging +$ModLoad imfile + +#New settings for OpenShift audit logging +$InputFileName {{ rsyslog_ocp_audit_log_input_file_name }} +$InputFileTag {{ rsyslog_ocp_audit_log_input_file_tag }} +$InputFileStateFile {{ rsyslog_ocp_audit_log_input_file_state_file }} +$InputFileFacility {{ rsyslog_ocp_audit_log_input_file_facility }} +$InputRunFileMonitor diff --git a/ocp-prep/roles/configure_rsyslog/vars/main.yml b/ocp-prep/roles/configure_rsyslog/vars/main.yml new file mode 100644 index 0000000..cd21505 --- /dev/null +++ b/ocp-prep/roles/configure_rsyslog/vars/main.yml @@ -0,0 +1,2 @@ +--- + 
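Review bot: roles/configure_rsyslog/templates/50-ocp-audit.conf.j2 loads imfile and tags the API audit log with facility local6, but defines no action for it, so the records fall through to the catch-all rules already in /etc/rsyslog.conf (on RHEL, `*.info;mail.none;authpriv.none;cron.none /var/log/messages`) and nowhere else. If the role is meant to deliver "advanced auditing", add a rule in the same template that routes `local6.*` to a dedicated file and/or the remote collector and ends with `& stop`, with the collector address as a new default. `$InputFilePollInterval` is also unset; the legacy imfile directives poll every 10 seconds by default, which bounds detection latency and is worth a comment.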
diff --git a/ocp-prep/roles/configure_satellite/defaults/main.yml b/ocp-prep/roles/configure_satellite/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_satellite/files/main.yml b/ocp-prep/roles/configure_satellite/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_satellite/handlers/main.yml b/ocp-prep/roles/configure_satellite/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_satellite/tasks/main.yml b/ocp-prep/roles/configure_satellite/tasks/main.yml new file mode 100644 index 0000000..d89e7aa --- /dev/null +++ b/ocp-prep/roles/configure_satellite/tasks/main.yml 
@@ -0,0 +1,76 @@ +--- + +# Use a 'block' to ensure "become: True" for all tasks since +# # all of these tasks require elevated privileges +- block: + + # Obtains the necessary satellite packages + - name: Grab Satellite Info + get_url: + url: "http://{{ rhsm_server_hostname }}/pub/katello-ca-consumer-latest.noarch.rpm" + dest: "{{ satellite_server_rpm_tmp_dir }}" + when: + - rhsm_server_hostname is defined + - rhsm_server_hostname|trim != '' + + # Unregisters from default satellite + - name: Unregister satellite + redhat_subscription: + state: absent + when: + - rhsm_server_hostname is defined + - rhsm_server_hostname|trim != '' + + # Removes default/non-applicable repo(s) + - name: Purge repos + command: rm -rf /etc/yum.repos.d/* + args: + warn: False + when: + - rhsm_server_hostname is defined + - rhsm_server_hostname|trim != '' + + # Installs the satellite package(s) obtained in an earlier step + - name: Install Katello package + yum: + name: "{{ satellite_server_rpm_tmp_dir }}/katello-ca-consumer-latest.noarch.rpm" + state: present + disable_gpg_check: "{{ disable_pkg_authenticity_verification | default(no) }}" + when: + - rhsm_server_hostname is defined + - rhsm_server_hostname|trim != '' + + # Registers to the new satellite + - name: Register satellite + redhat_subscription: + state: present + username: "{{ rhsm_username | default(omit) }}" + password: "{{ rhsm_password | default(omit) }}" + pool_ids: "{{ rhsm_pool_ids | default(omit) }}" + pool: "{{ rhsm_pool | default(omit) }}" + autosubscribe: "{{ ((rhsm_pool is defined or rhsm_pool_ids is defined or rhsm_activation_key is defined) | ternary(omit, true)) }}" + server_hostname: "{{ rhsm_server_hostname | default(omit) }}" + activationkey: "{{ rhsm_activation_key | default(omit) }}" + org_id: "{{ rhsm_org_id | default(omit) }}" + force_register: "{{ rhsm_force_register | default(omit) }}" + force_register: "true" + delegate_to: "{{ item }}" + with_items: "{{ groups['nodes'] }}" + run_once: true + when: + - 
rhsm_server_hostname is defined + - rhsm_server_hostname|trim != '' + + # Perform a yum clean/update + - name: Update repos + command: yum clean all + args: + warn: no + + # Remove temp file + - name: Cleanup + file: + path: "{{ satellite_server_rpm_tmp_dir }}katello-ca-consumer-latest.noarch.rpm" + state: absent + + become: True diff --git a/ocp-prep/roles/configure_satellite/templates/main.yml b/ocp-prep/roles/configure_satellite/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_satellite/vars/main.yml b/ocp-prep/roles/configure_satellite/vars/main.yml new file mode 100644 index 0000000..facd115 --- /dev/null +++ b/ocp-prep/roles/configure_satellite/vars/main.yml @@ -0,0 +1 @@ +satellite_server_rpm_tmp_dir: "/tmp/" diff --git a/ocp-prep/roles/configure_ssh/defaults/main.yml b/ocp-prep/roles/configure_ssh/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ssh/files/main.yml b/ocp-prep/roles/configure_ssh/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ssh/handlers/main.yml b/ocp-prep/roles/configure_ssh/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ssh/tasks/distribute_ssh_pubkey.yml b/ocp-prep/roles/configure_ssh/tasks/distribute_ssh_pubkey.yml new file mode 100644 index 0000000..8dcdba3 --- /dev/null +++ b/ocp-prep/roles/configure_ssh/tasks/distribute_ssh_pubkey.yml @@ -0,0 +1,10 @@ +--- +#Copy newly created ssh pubkey to .ssh dir on remote hosts + +- name: Copy newly created ssh pubkey to .ssh dir on remote hosts + authorized_key: + user: "{{ ansible_ssh_user }}" + state: present + key: "{{ lookup('file', '{{ user_ssh }}/id_rsa.pub') }}" + manage_dir: yes + become: False diff --git a/ocp-prep/roles/configure_ssh/tasks/main.yml b/ocp-prep/roles/configure_ssh/tasks/main.yml new file mode 100644 index 0000000..f3f917a --- /dev/null 
+++ b/ocp-prep/roles/configure_ssh/tasks/main.yml @@ -0,0 +1,14 @@ +--- + +# Create .ssh directory for user on localhost +- import_tasks: ssh_dir_create.yml + delegate_to: localhost + run_once: true + +# Generate ssh key for user on localhost +- import_tasks: ssh_keygen.yml + delegate_to: localhost + run_once: true + +# Distribute ssh key to all nodes in the OpenShift cluster +- import_tasks: distribute_ssh_pubkey.yml diff --git a/ocp-prep/roles/configure_ssh/tasks/ssh_dir_create.yml b/ocp-prep/roles/configure_ssh/tasks/ssh_dir_create.yml new file mode 100644 index 0000000..e66177c --- /dev/null +++ b/ocp-prep/roles/configure_ssh/tasks/ssh_dir_create.yml @@ -0,0 +1,8 @@ +--- +# Create .ssh directory on localhost + +- name: Create ssh dir + file: + state: directory + path: "{{ user_ssh }}" + become: False diff --git a/ocp-prep/roles/configure_ssh/tasks/ssh_keygen.yml b/ocp-prep/roles/configure_ssh/tasks/ssh_keygen.yml new file mode 100644 index 0000000..a96f373 --- /dev/null +++ b/ocp-prep/roles/configure_ssh/tasks/ssh_keygen.yml @@ -0,0 +1,12 @@ +--- +# Generate ssh keypair + +- name: Verify if ssh keypair exists + stat: + path: "{{ user_ssh }}/id_rsa.pub" + register: stat_result + +- name: Generate ssh keypair + command: ssh-keygen -t rsa -b {{ ssh_key_size }} -P {{ ssh_passphrase | default('""') }} -f {{ user_ssh }}/id_rsa + when: stat_result.stat.exists == False + become: False diff --git a/ocp-prep/roles/configure_ssh/templates/main.yml b/ocp-prep/roles/configure_ssh/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/configure_ssh/vars/main.yml b/ocp-prep/roles/configure_ssh/vars/main.yml new file mode 100644 index 0000000..72eeea9 --- /dev/null +++ b/ocp-prep/roles/configure_ssh/vars/main.yml @@ -0,0 +1,2 @@ +user_home: /home/{{ ansible_ssh_user }} +user_ssh: "{{ user_home }}/.ssh" 
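Review bot: in roles/configure_ssh/tasks/ssh_keygen.yml the passphrase is interpolated directly into the `ssh-keygen ... -P {{ ssh_passphrase | default('""') }}` command line with no `no_log: true`, so a non-empty passphrase ends up in the Ansible output, in any logging callback, and in the process list on the bastion while the command runs; add `no_log: true` (for the empty-passphrase default, the `openssh_keypair` module on Ansible 2.8+ does the same job idempotently). `when: stat_result.stat.exists == False` should read `when: not stat_result.stat.exists`. In ssh_dir_create.yml the `.ssh` directory is created without `mode: 0700`; in distribute_ssh_pubkey.yml the nested `'{{ user_ssh }}/id_rsa.pub'` inside `lookup()` works but is the deprecated template-in-template form, `lookup('file', user_ssh + '/id_rsa.pub')` is the idiomatic spelling; and vars/main.yml hard-codes `/home/{{ ansible_ssh_user }}`, which breaks for root or any user whose home is elsewhere, where `lookup('env', 'HOME')` on the controller would not.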
diff --git a/ocp-prep/roles/package_install/defaults/main.yml b/ocp-prep/roles/package_install/defaults/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/package_install/files/main.yml b/ocp-prep/roles/package_install/files/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/package_install/handlers/main.yml b/ocp-prep/roles/package_install/handlers/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/package_install/tasks/main.yml b/ocp-prep/roles/package_install/tasks/main.yml new file mode 100644 index 0000000..0343794 --- /dev/null +++ b/ocp-prep/roles/package_install/tasks/main.yml @@ -0,0 +1,25 @@ +--- + +# Ensure required packages are installed on localhost +- import_tasks: package_install.yml + delegate_to: localhost + vars: + host_grp: localhost + run_once: true + +# Ensure required packages are installed on all nodes in the OpenShift cluster +- import_tasks: package_install.yml + vars: + host_grp: nodes + +# Update packages on localhost +- import_tasks: yum_update.yml + delegate_to: localhost + vars: + host_grp: localhost + run_once: true + +# Update packages on all nodes in the OpenShift cluster +- import_tasks: yum_update.yml + vars: + host_grp: nodes diff --git a/ocp-prep/roles/package_install/tasks/package_install.yml b/ocp-prep/roles/package_install/tasks/package_install.yml new file mode 100644 index 0000000..910b9f0 --- /dev/null +++ b/ocp-prep/roles/package_install/tasks/package_install.yml @@ -0,0 +1,8 @@ +--- +- name: Install needed rpm(s) for "{{ host_grp }}" + become: True + yum: + name: "{{ pkg_list }}" + state: present + register: result + until: result is succeeded diff --git a/ocp-prep/roles/package_install/tasks/yum_update.yml b/ocp-prep/roles/package_install/tasks/yum_update.yml new file mode 100644 index 0000000..628677b --- /dev/null +++ b/ocp-prep/roles/package_install/tasks/yum_update.yml 
@@ -0,0 +1,9 @@ +--- +# Upgrade all packages +- name: Upgrade all packages + become: True + yum: + name: '*' + state: latest + register: result + until: result is succeeded diff --git a/ocp-prep/roles/package_install/templates/main.yml b/ocp-prep/roles/package_install/templates/main.yml new file mode 100644 index 0000000..e69de29 diff --git a/ocp-prep/roles/package_install/vars/main.yml b/ocp-prep/roles/package_install/vars/main.yml new file mode 100644 index 0000000..46816f7 --- /dev/null +++ b/ocp-prep/roles/package_install/vars/main.yml @@ -0,0 +1,49 @@ +--- +localhost_prep_pkg_list: +- openshift-ansible +- atomic-openshift-clients +- vim +- mlocate +- tmux +- skopeo +- sysstat +- bash-completion + +nodes_prep_pkg_list: +- wget +- git +- net-tools +- bind-utils +- yum-utils +- iptables-services +- bridge-utils +- bash-completion +- kexec-tools +- sos +- psacct +- vim +- glusterfs-fuse +- device-mapper-multipath +- nfs-utils +- iscsi-initiator-utils +- ceph-common +- atomic +- ansible +- bash-completion +- dnsmasq +- ntp +- logrotate +- httpd-tools +- firewalld +- libselinux-python +- conntrack-tools +- openssl +- iproute +- python-dbus +- PyYAML +- mlocate +- tmux +- skopeo +- sysstat + +pkg_list: "{{ vars[host_grp + '_prep_pkg_list'] }}"
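Review bot: in roles/configure_ocp_storage/tasks/main.yml the two "Update SELinux policy" shell tasks call `semanage fcontext -a`, which exits non-zero once the mapping already exists, so the role fails on its second run, exactly when someone re-runs prep after a partial failure. Use the `sefcontext` module (`target: '/var/lib/origin(/.*)?'`, `setype: container_file_t`) followed by `restorecon -R`, and drop the `chcon -R` on /var/lib/etcd, since the `restorecon` right after it overrides whatever `chcon` set. `ignore_errors: true` on the `lvg` task hides the real cause when `sysvg_pv` is wrong; the following `lvol` tasks then fail with a less informative "volume group not found". `lvg` is already idempotent for an existing VG, so the flag can go.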
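Review bot: in roles/configure_ocp_storage/tasks/wipe_storage.yml nothing checks that `docker_storage_disk` and each `gluster_storage_disks` entry is an existing block device before `dd if=/dev/zero of=...` runs as root; a typo in all.yml makes dd create a regular file with that name under /dev and report success, while the real disk is left untouched and the later storage setup fails for a non-obvious reason. Add a `stat` on each path and `assert` on `stat.isblk` first, and set `changed_when` so the zeroing is not reported as a change on every run. The first task is named "Prepare disk for docker storage on all OCP hosts" but its `when` restricts it to `groups['nodes']`; align the name with the condition.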
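Review bot: in roles/configure_satellite/tasks/main.yml the "Purge repos" task `command: rm -rf /etc/yum.repos.d/*` does nothing: `command` runs without a shell, so the `*` is passed literally and `rm -rf` on that non-existent literal path exits 0, leaving the old repo files in place. Use `find` plus `file: state=absent`, or `shell` if the glob is wanted. In the same hunk, `force_register` appears twice in the "Register satellite" task (once as `{{ rhsm_force_register | default(omit) }}`, once hard-coded `"true"`), a duplicate YAML key; keep one. The katello CA consumer RPM is fetched over plain `http://` with no `checksum:` and then installed with GPG checking optionally disabled; that package carries the CA certificate every later subscription-manager connection will trust, so serve it over https or give `get_url` a `checksum: sha256:...` value. Minor: the `delegate_to: "{{ item }}"` + `with_items: groups['nodes']` + `run_once: true` loop re-implements what the play already does by targeting `hosts: nodes`, and runs registrations serially; and the cleanup path concatenates `{{ satellite_server_rpm_tmp_dir }}katello-...` with no separator while the install path uses `{{ satellite_server_rpm_tmp_dir }}/katello-...`, so the var only works with its trailing slash.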