tripleo-heat-templates/deployment/podman/podman-baremetal-ansible.yaml
Jiri Stransky 7f7960a536 Allow combining system_upgrade_prepare and system_upgrade_run into system_upgrade
Previously we required the operator to run two separate commands for
the "prepare" and "run" phases of operating system upgrade. This
commit refactors the upgrade_tasks with these tags so that running the
whole system upgrade is possible via a single command with `--tags
system_upgrade`.

Allowing the whole upgrade to run in a single command requires being more
careful about which action happens at which step number in the upgrade tasks.
steps for system upgrade are now explicitly documented in composable
services readme.

The existing system_upgrade_run and system_upgrade_prepare tasks were
checked and moved into the appropriate steps. In the case of
pacemaker, it required moving the cluster stop/destroy action into a
single file with removing all containers, to guarantee that the
cluster is stopped before the container removal, otherwise pacemaker
would try to spawn new containers.

Change-Id: I3cd78de8d07be46ee01006dd7e039c285991d14a
Partial-Bug: #1831690
(cherry picked from commit 206625d4f5)
2019-08-19 10:19:45 +02:00


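heat_template_version: rocky

description: >
  Configures podman on the host

parameters:
  DockerInsecureRegistryAddress:
    # Written to [registries.insecure] in /etc/containers/registries.conf by
    # the host_prep_tasks below (the old /etc/sysconfig/docker wording was
    # stale: this template configures podman, not docker).
    description: >-
      Optional. The IP Address and Port of an insecure container registry
      (plain HTTP or an unverified TLS certificate) that will be listed under
      [registries.insecure] in /etc/containers/registries.conf. The value can
      be multiple addresses separated by commas. Pulls from these hosts are
      not protected by TLS verification, so only list registries the operator
      trusts.
    type: comma_delimited_list
    default: []
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry. This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  ContainerImageRegistryLogin:
    type: boolean
    default: false
    description: >-
      Flag to enable container registry login actions during the deployment.
      Setting this to true will cause login calls to be performed during the
      deployment.
  ContainerImageRegistryCredentials:
    type: json
    # hidden: true makes Heat redact the value in stack/parameter listings;
    # the Ansible tasks that consume it must keep it out of the play log too.
    hidden: true
    default: {}
    description: |
      Mapping of image registry hosts to login credentials. Must be in the following example format

        docker.io:
          username: pa55word
        '192.0.2.1:8787':
          registry_username: password
  SystemdDropInDependencies:
    default: true
    description: >-
      tell the container manager (e.g. paunch) to inject
      additional ordering dependencies for the systemd
      scopes associated to podman containers.
    type: boolean

conditions:
  insecure_registry_is_empty: {equals: [{get_param: DockerInsecureRegistryAddress}, []]}
  systemd_drop_in_dependencies_enabled: {get_param: SystemdDropInDependencies}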
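outputs:
  role_data:
    description: Role data for the podman service
    value:
      service_name: podman
      config_settings: {}
      step_config: ''
      host_prep_tasks:
        # Anchored so the same task list is replayed from upgrade_tasks step 1.
        - name: Install and configure Podman
          block: &install_and_configure_podman
            - name: Set login facts
              set_fact:
                container_registry_insecure_registries:
                  if:
                    - insecure_registry_is_empty
                    - []
                    - {get_param: DockerInsecureRegistryAddress}
                container_registry_login: {get_param: ContainerImageRegistryLogin}
                # default that is overwritten by the heat -> dict conversion
                container_registry_logins: {}
                container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
              # The facts hold registry credentials; keep them out of verbose output.
              no_log: true
            - name: Convert logins json to dict
              set_fact:
                container_registry_logins: "{{ container_registry_logins_json | from_json }}"
              no_log: true
              when:
                - container_registry_login | bool
                # Parenthesised: the filter must apply before the comparison.
                - (container_registry_logins_json | length) > 0
            - name: ensure podman and deps are installed
              # state: latest installs whatever the enabled repos currently
              # ship; the podman version is not pinned by this template.
              package:
                name: podman
                state: latest
            # Best-effort cleanup of the default CNI bridge; the file and the
            # interface may simply not exist yet, hence ignore_errors.
            - name: Remove default cni config for cni0 if exists
              copy:
                dest: /etc/cni/net.d/87-podman-bridge.conflist
                content: ''
                force: true
              ignore_errors: true
            - name: Delete cni0 interface if exists
              command: ip link delete cni0
              ignore_errors: true
            - name: configure insecure registries /etc/containers/registries.conf
              # Registries listed here are pulled from without TLS verification;
              # only the operator-supplied DockerInsecureRegistryAddress ends up here.
              ini_file:
                path: /etc/containers/registries.conf
                section: 'registries.insecure'
                option: registries
                value: "{{ container_registry_insecure_registries }}"
              when: container_registry_insecure_registries | length > 0
            - name: Perform container registry login(s)
              # The password is fed on stdin instead of --password=...: a
              # command-line argument is readable by every local user via
              # ps / /proc/<pid>/cmdline for as long as podman runs.
              # NOTE(review): assumes a podman that supports --password-stdin
              # (podman 1.0+); confirm for the target image.
              # podman login persists the credential in its auth file on the
              # host; this template never removes it.
              shell: >-
                printf '%s' "$REGISTRY_PASSWORD" |
                podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY"
              environment:
                REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
                REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
                REGISTRY: "{{ item.key }}"
              loop: "{{ query('dict', container_registry_logins | default({})) }}"
              # Each loop item carries a username/password pair and would be
              # printed in the task result without no_log.
              no_log: true
              when:
                - container_registry_login | bool
                - container_registry_logins
        - if:
            - systemd_drop_in_dependencies_enabled
            - - name: Configure paunch to generate systemd drop-in dependencies
                copy:
                  dest: /etc/sysconfig/podman_drop_in
                  content: |
                    This file makes paunch generate additional systemd
                    dependencies for containers that have special
                    start/stop ordering constraints. It ensures that
                    those constraints are enforced on reboot/shutdown.
            - - name: Configure paunch to not generate drop-in dependencies
                file:
                  path: /etc/sysconfig/podman_drop_in
                  state: absent
      service_config_settings: {}
      upgrade_tasks:
        - name: system_upgrade_prepare step 2
          tags:
            - never
            - system_upgrade
            - system_upgrade_prepare
          when:
            - (step | int) == 2
          block:
            - name: Check if pcs is present
              stat:
                path: /usr/sbin/pcs
              register: pcs_stat
            - name: Check if docker is present
              stat:
                path: /usr/bin/docker
              register: docker_stat
            # The cluster must be down before the containers are stopped;
            # otherwise pacemaker respawns the containers it manages.
            - name: Stop pacemaker cluster before stopping all docker containers
              pacemaker_cluster:
                state: offline
              when: pcs_stat.stat.exists
            - name: Destroy pacemaker cluster
              command: /usr/sbin/pcs cluster destroy
              when: pcs_stat.stat.exists
            - name: Stop all services by stopping all Docker containers
              # Guarded like the pcs tasks above so a host that has no docker
              # binary (e.g. a re-run after the switch) does not fail here.
              shell: docker ps -q | xargs --no-run-if-empty -n1 docker stop
              when: docker_stat.stat.exists
        # Upgrade tasks for Pacemaker-managed services pull container images
        # in step 2, so podman plus its insecure-registry and login config
        # must already be in place in step 1.
        - name: Install and configure Podman
          when: (step | int) == 1
          block: *install_and_configure_podman
      post_upgrade_tasks:
        - name: Purge everything about Docker on the host
          when: (step | int) == 3
          block:
            - name: Check if docker has some data
              stat:
                path: /var/lib/docker
              register: docker_path_stat
            - name: Purge Docker
              when: docker_path_stat.stat.exists
              block:
                - name: Get docker service state
                  # No state/enabled argument: this only reports the unit's
                  # status. NOTE(review): newer Ansible releases reject a
                  # systemd call with only name=; confirm for the target version.
                  systemd:
                    name: docker
                  register: docker_service_state
                - name: Run docker system prune
                  # Destructive: removes every stopped container, unused image,
                  # network and build cache the daemon knows about.
                  shell: docker system prune -a -f
                  when: docker_service_state.status['SubState'] == 'running'
                - name: Stop and disable Docker service
                  when: docker_service_state.status['SubState'] == 'running'
                  systemd:
                    name: docker
                    state: stopped
                    enabled: false
                - name: Uninstall Docker rpm
                  package:
                    name: docker
                    state: absent
                - name: Get the list of directories mounted under /var/lib/docker/, nested first
                  # Nested mount points are listed before their parents so the
                  # unmount below does not hit a busy parent.
                  shell: |
                    mount | awk '/\/var\/lib\/docker\/[^/]+\// {print $3}';
                    mount | awk '/\/var\/lib\/docker\/[^/]+$/ {print $3}';
                  register: docker_mounts
                - name: Unmount those directories
                  mount:
                    path: "{{ item }}"
                    state: unmounted
                  loop: "{{ docker_mounts.stdout_lines }}"
                - name: Purge /var/lib/docker
                  file:
                    path: /var/lib/docker
                    state: absent
        - name: Clean podman
          when:
            - (step | int) == 3
            # container_cli is supplied by the deployment playbook, not by
            # this template -- TODO confirm against the caller.
            - container_cli == 'podman'
          block:
            - name: Purge Podman
              block:
                - name: Clean podman images
                  # -f keeps this non-interactive, consistent with the volume
                  # prune below; newer podman releases ask for confirmation on
                  # `image prune -a` without it.
                  shell: podman image prune -a -f
                - name: Clean podman volumes
                  shell: podman volume prune -f
      post_update_tasks:
        - name: Clean podman
          when:
            - (step | int) == 3
            # container_cli is supplied by the deployment playbook, not by
            # this template -- TODO confirm against the caller.
            - container_cli == 'podman'
          block:
            - name: Purge Podman
              block:
                - name: Clean podman images
                  # -f keeps this non-interactive, consistent with the volume
                  # prune below; newer podman releases ask for confirmation on
                  # `image prune -a` without it.
                  shell: podman image prune -a -f
                - name: Clean podman volumes
                  shell: podman volume prune -f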