7f7960a536
Previously we required the operator to run two separate commands for
the "prepare" and "run" phases of operating system upgrade. This
commit refactors the upgrade_tasks with these tags so that running the
whole system upgrade is possible via a single command with `--tags
system_upgrade`.
Allowing to run in a single command requires being more careful about
what can happen in which step number in the upgrade tasks. The upgrade
steps for system upgrade are now explicitly documented in composable
services readme.
The existing system_upgrade_run and system_upgrade_prepare tasks were
checked and moved into the appropriate steps. In the case of
pacemaker, it required moving the cluster stop/destroy action into a
single file with removing all containers, to guarantee that the
cluster is stopped before the container removal, otherwise pacemaker
would try to spawn new containers.
Change-Id: I3cd78de8d07be46ee01006dd7e039c285991d14a
Partial-Bug: #1831690
(cherry picked from commit 206625d4f5
)
# Heat template header: template version plus the service description.
heat_template_version: rocky

description: >
  Configures podman on the host
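parameters:
  # Registries listed here are written to the [registries.insecure] section
  # of /etc/containers/registries.conf by host_prep_tasks, so podman reaches
  # them without verified TLS. Keep the default empty unless the registry
  # sits on a trusted network.
  DockerInsecureRegistryAddress:
    description: Optional. The IP Address and Port of an insecure docker
                 namespace that will be configured in
                 /etc/containers/registries.conf.
                 The value can be multiple addresses separated by commas.
    type: comma_delimited_list
    default: []
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Gates every task that touches ContainerImageRegistryCredentials.
  ContainerImageRegistryLogin:
    type: boolean
    default: false
    description: Flag to enable container registry login actions during the deployment.
                 Setting this to true will cause login calls to be performed during the
                 deployment.
  # hidden: true asks Heat to mask the value in API output. The example in
  # the description uses placeholder credentials only.
  ContainerImageRegistryCredentials:
    type: json
    hidden: true
    default: {}
    description: |
      Mapping of image registry hosts to login credentials. Must be in the following example format

        docker.io:
          username: pa55word
        '192.0.2.1:8787':
          registry_username: password
  SystemdDropInDependencies:
    default: true
    description: tell the container manager (e.g. paunch) to inject
                 additional ordering dependencies for the systemd
                 scopes associated to podman containers.
    type: boolean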
# Heat conditions referenced by the `if` functions in outputs.
conditions:
  # True when no insecure registry address was supplied.
  insecure_registry_is_empty:
    equals:
      - {get_param: DockerInsecureRegistryAddress}
      - []
  # Mirrors the SystemdDropInDependencies boolean parameter.
  systemd_drop_in_dependencies_enabled:
    get_param: SystemdDropInDependencies
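outputs:
  role_data:
    description: Role data for the podman service
    value:
      service_name: podman
      config_settings: {}
      step_config: ''
      host_prep_tasks:
        - name: Install and configure Podman
          # Anchored so upgrade_tasks can replay the same task list at step 1.
          block: &install_and_configure_podman
            - name: Set login facts
              set_fact:
                container_registry_insecure_registries:
                  if:
                    - insecure_registry_is_empty
                    - []
                    - {get_param: DockerInsecureRegistryAddress}
                container_registry_login: {get_param: ContainerImageRegistryLogin}
                # default that is overwritten by the heat -> dict conversion
                container_registry_logins: {}
                container_registry_logins_json: {get_param: ContainerImageRegistryCredentials}
              # The facts carry registry credentials; keep them out of task output.
              no_log: true
            - name: Convert logins json to dict
              set_fact:
                container_registry_logins: "{{ container_registry_logins_json | from_json }}"
              no_log: true
              when:
                - container_registry_login | bool
                # Parenthesised so the length, not the filter chain, is compared.
                - (container_registry_logins_json | length) > 0
            - name: ensure podman and deps are installed
              # `latest` upgrades podman to whatever the enabled repositories
              # currently provide, so the installed version depends on repo
              # content at run time.
              package:
                name: podman
                state: latest
            - name: Remove default cni config for cni0 if exists
              # Overwrites the default bridge config with an empty file.
              copy:
                dest: /etc/cni/net.d/87-podman-bridge.conflist
                content: ''
                force: true
              ignore_errors: true
            - name: Delete cni0 interface if exists
              # Best effort: the command fails when cni0 does not exist.
              command: ip link delete cni0
              ignore_errors: true
            - name: configure insecure registries /etc/containers/registries.conf
              # Registries in this section are contacted without verified TLS;
              # the task is skipped when the list is empty.
              ini_file:
                path: /etc/containers/registries.conf
                section: 'registries.insecure'
                option: registries
                value: "{{ container_registry_insecure_registries }}"
              when: container_registry_insecure_registries | length > 0
            - name: Perform container registry login(s)
              # Credentials reach the shell through the environment rather than
              # being templated into the command string. The expansions are
              # quoted so a value containing spaces or glob characters stays a
              # single argument.
              # NOTE(review): --password still exposes the secret in the process
              # list while podman runs; podman login also accepts
              # --password-stdin, confirm the deployed version supports it.
              shell: podman login --username="$REGISTRY_USERNAME" --password="$REGISTRY_PASSWORD" "$REGISTRY"
              environment:
                REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
                REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
                REGISTRY: "{{ item.key }}"
              loop: "{{ query('dict', container_registry_logins | default({})) }}"
              # Each loop item is a registry -> credentials mapping that would
              # otherwise be echoed with the task result.
              no_log: true
              when:
                - container_registry_login | bool
                - container_registry_logins
        # NOTE(review): the source listing lost its indentation, so the nesting
        # of this Heat `if` is reconstructed. As written it resolves to a list
        # of tasks sitting as one item of host_prep_tasks; confirm against the
        # original file.
        - if:
            - systemd_drop_in_dependencies_enabled
            - - name: Configure paunch to generate systemd drop-in dependencies
                copy:
                  dest: /etc/sysconfig/podman_drop_in
                  content: |
                    This file makes paunch generate additional systemd
                    dependencies for containers that have special
                    start/stop ordering constraints. It ensures that
                    those constraints are enforced on reboot/shutdown.
            - - name: Configure paunch to not generate drop-in dependencies
                file:
                  path: /etc/sysconfig/podman_drop_in
                  state: absent
      service_config_settings: {}
      upgrade_tasks:
        - name: system_upgrade_prepare step 2
          # `never` keeps this block out of normal runs; it only executes when
          # one of the system_upgrade tags is requested explicitly.
          tags:
            - never
            - system_upgrade
            - system_upgrade_prepare
          when:
            - (step | int) == 2
          block:
            - name: Check if pcs is present
              stat:
                path: /usr/sbin/pcs
              register: pcs_stat
            - name: Stop pacemaker cluster before stopping all docker containers
              pacemaker_cluster:
                state: offline
              when: pcs_stat.stat.exists
            - name: Destroy pacemaker cluster
              command: /usr/sbin/pcs cluster destroy
              when: pcs_stat.stat.exists
            - name: Stop all services by stopping all Docker containers
              shell: docker ps -q | xargs --no-run-if-empty -n1 docker stop
        # Upgrade tasks for Pacemaker-managed services tasks pull
        # container images in step 2, we need insecure registries
        # configured in step 1.
        - name: Install and configure Podman
          when: step|int == 1
          block: *install_and_configure_podman
      post_upgrade_tasks:
        - name: Purge everything about Docker on the host
          when: step|int == 3
          block:
            - name: Check if docker has some data
              stat:
                path: /var/lib/docker
              register: docker_path_stat
            - name: Purge Docker
              when: docker_path_stat.stat.exists
              block:
                - name: Ensure docker service is running
                  # Despite the name, no state is requested: the task only
                  # queries the unit, and the registered status gates the
                  # prune and stop tasks below.
                  systemd:
                    name: docker
                  register: docker_service_state
                - name: Run docker system prune
                  shell: docker system prune -a -f
                  when: docker_service_state.status['SubState'] == 'running'
                - name: Stop and disable Docker service
                  when: docker_service_state.status['SubState'] == 'running'
                  systemd:
                    name: docker
                    state: stopped
                    enabled: false
                - name: Uninstall Docker rpm
                  package:
                    name: docker
                    state: absent
                - name: Get the list of directory mounted under /var/lib/docker/ orderer.
                  # Nested mount points are listed first, then direct children
                  # of /var/lib/docker, so they are unmounted in that order.
                  shell: |
                    mount | awk '/\/var\/lib\/docker\/[^/]+\// {print $3}';
                    mount | awk '/\/var\/lib\/docker\/[^/]+$/ {print $3}';
                  register: unmounted_dirs
                - name: Unmount those directories
                  mount:
                    path: "{{ item }}"
                    state: unmounted
                  loop: "{{ unmounted_dirs.stdout_lines }}"
                - name: Purge /var/lib/docker
                  file:
                    path: /var/lib/docker
                    state: absent
        - name: Clean podman
          when:
            - step|int == 3
            - container_cli == 'podman'
          block:
            - name: Purge Podman
              block:
                - name: Clean podman images
                  shell: podman image prune -a
                - name: Clean podman volumes
                  shell: podman volume prune -f
      post_update_tasks:
        - name: Clean podman
          when:
            - step|int == 3
            - container_cli == 'podman'
          block:
            - name: Purge Podman
              block:
                - name: Clean podman images
                  shell: podman image prune -a
                - name: Clean podman volumes
                  shell: podman volume prune -f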