From 8ff4ad2d8ed8f322f6104cc09aa02cc77c5bbf42 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Mon, 4 Nov 2024 16:56:17 +0100 Subject: [PATCH 1/2] preinstall: simplify OS packages selection Since a2019c1c2 (Add a JSON schema describing the packages install structure, 2024-04-25), we use a custom structure to select which packages should be installed on a particular host OS. This has proven too rigid in practice, and the query is pretty complicated. Replace this by simply using an array of jinja conditions for the packages, which should be easier to understand for everyone and more flexible. Also remove the associated schema and validation which are no longer needed. --- .../preinstall/files/pkgs-schema.json | 80 ---------- .../preinstall/tasks/0040-verify-settings.yml | 5 - .../preinstall/tasks/0070-system-packages.yml | 17 +- roles/kubernetes/preinstall/vars/main.yml | 151 +++++++----------- 4 files changed, 60 insertions(+), 193 deletions(-) delete mode 100644 roles/kubernetes/preinstall/files/pkgs-schema.json diff --git a/roles/kubernetes/preinstall/files/pkgs-schema.json b/roles/kubernetes/preinstall/files/pkgs-schema.json deleted file mode 100644 index 1fb9e28de..000000000 --- a/roles/kubernetes/preinstall/files/pkgs-schema.json +++ /dev/null 
@@ -1,80 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "https://kubespray.io/internal/os_packages.schema.json", - "title": "Os packages", - "description": "Criteria for selecting packages to install on Kubernetes nodes during installation by Kubespray", - "type": "object", - "patternProperties": { - ".*": { - "type": "object", - "additionalProperties": false, - "properties": { - "enabled": { - "description": "Escape hatch to filter packages. The value is expected to be pre-resolved to a boolean by Jinja", - "type": "boolean", - "default": true - }, - "groups": { - "description": "Match if the host is in one of these groups. If not specified match any host.", - "type": "array", - "minItems": 1, - "items":{ - "type": "string", - "pattern": "^[0-9A-Za-z_]*$" - } - }, - "os": { - "type": "object", - "description": "If not specified match any OS. Otherwise, must match by 'families' or 'distributions' to be included.", - "additionalProperties": false, - "minProperties": 1, - "properties": { - "families": { - "description": "Match if ansible_os_family is part of the list.", - "type": "array", - "minItems": 1, - "items": { - "type": "string" - } - }, - "distributions": { - "type": "object", - "description": "Match if ansible_distribution match one of defined keys.", - "minProperties": 1, - "patternProperties": { - ".*": { - "description": "Match if either the value is the empty hash, or one major_versions/versions/releases contains the corresponding variable ('ansible_distrbution_*')", - "type": "object", - "additionalProperties": false, - "properties": { - "major_versions": { - "type": "array", - "minItems": 1, - "items": { - "type": "string" - } - }, - "versions": { - "type": "array", - "minItems": 1, - "items": { - "type": "string" - } - }, - "releases": { - "type": "array", - "minItems": 1, - "items": { - "type": "string" - } - } - } - } - } - } - } - } - } - } - } -} 
diff --git a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml index 867cfb2ed..344ed7336 100644 --- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml @@ -321,11 +321,6 @@ - kube_apiserver_enable_admission_plugins is defined - kube_apiserver_enable_admission_plugins | length > 0 -- name: Verify that the packages list structure is valid - ansible.utils.validate: - criteria: "{{ lookup('file', 'pkgs-schema.json') }}" - data: "{{ pkgs }}" - - name: Verify that the packages list is sorted vars: pkgs_lists: "{{ pkgs.keys() | list }}" diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index c8b480c84..77f4c8686 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml 
@@ -60,23 +60,8 @@ - bootstrap-os - name: Install packages requirements - vars: - # The json_query for selecting packages name is split for readability - # see files/pkgs-schema.json for the structure of `pkgs` - # and the matching semantics - full_query: "[? value | (enabled == null || enabled) && ( {{ filters_os }} ) && ( {{ filters_groups }} ) ].key" - filters_groups: "groups | @ == null || [? contains(`{{ group_names }}`, @)]" - filters_os: "os == null || (os | ( {{ filters_family }} ) || ( {{ filters_distro }} ))" - dquote: !unsafe '"' - # necessary to workaround Ansible escaping - filters_distro: "distributions.{{ dquote }}{{ ansible_distribution }}{{ dquote }} | - @ == `{}` || - contains(not_null(major_versions, `[]`), '{{ ansible_distribution_major_version }}') || - contains(not_null(versions, `[]`), '{{ ansible_distribution_version }}') || - contains(not_null(releases, `[]`), '{{ ansible_distribution_release }}')" - filters_family: "families && contains(families, '{{ ansible_os_family }}')" package: - name: "{{ pkgs | dict2items | to_json|from_json | community.general.json_query(full_query) }}" + name: "{{ pkgs | dict2items | selectattr('value', 'ansible.builtin.all') | map(attribute='key') }}" state: present register: pkgs_task_result until: pkgs_task_result is succeeded diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml index e788b5db7..00285b8a7 100644 --- a/roles/kubernetes/preinstall/vars/main.yml +++ b/roles/kubernetes/preinstall/vars/main.yml 
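Review bot: The new `name:` expression assumes every value in `pkgs` is a list of real booleans, and with the schema task removed from 0040-verify-settings.yml in this same patch nothing checks that any more. `ansible.builtin.all` only tests truthiness, so as far as I can tell a condition that renders to a non-empty string such as `'false'`, or a value that is a mapping or a bare string instead of a list, still selects the package and it gets installed. I would keep a cheap guard next to the remaining "packages list is sorted" check, for example an assert with `that: pkgs.values() | flatten | reject('boolean') | list | length == 0`. A comment above `package:` saying that an empty list means "install on every host" would also help. The task continues past the end of the hunk.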
@@ -1,103 +1,70 @@ --- pkgs: - apparmor: &debian_family_base - os: - families: - - Debian - apt-transport-https: *debian_family_base - aufs-tools: &deb_10 - groups: - - k8s_cluster - os: - distributions: - Debian: - major_versions: - - "10" - bash-completion: {} - conntrack: &deb_redhat - groups: - - k8s_cluster - os: - families: - - Debian - - RedHat + apparmor: + - "{{ ansible_os_family == 'Debian' }}" + apt-transport-https: + - "{{ ansible_os_family == 'Debian' }}" + aufs-tools: + - "{{ ansible_os_family == 'Debian' }}" + - "{{ ansible_distribution_major_version == '10' }}" + - "{{ 'k8s_cluster' in group_names }}" + bash-completion: [] + conntrack: + - "{{ ansible_os_family in ['Debian', 'RedHat'] }}" + - "{{ 'k8s_cluster' in group_names }}" conntrack-tools: - groups: - - k8s_cluster - os: - families: - - Suse - distributions: - Amazon: {} - container-selinux: &redhat_family - groups: - - k8s_cluster - os: - families: - - RedHat - curl: {} + - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'Amazon' }}" + - "{{ 'k8s_cluster' in group_names }}" + container-selinux: + - "{{ ansible_os_family == 'RedHat' }}" + - "{{ 'k8s_cluster' in group_names }}" + curl: [] device-mapper: - groups: - - k8s_cluster - os: - families: - - Suse - device-mapper-libs: *redhat_family - e2fsprogs: {} - ebtables: {} - gnupg: &debian - groups: - - k8s_cluster - os: - distributions: - Debian: - major_versions: - - "11" - - "12" + - "{{ ansible_os_family == 'Suse' }}" + - "{{ 'k8s_cluster' in group_names }}" + device-mapper-libs: + - "{{ ansible_os_family == 'RedHat' }}" + e2fsprogs: [] + ebtables: [] + gnupg: + - "{{ ansible_distribution == 'Debian' }}" + - "{{ ansible_distribution_major_version in ['11', '12'] }}" + - "{{ 'k8s_cluster' in group_names }}" ipset: - enabled: "{{ kube_proxy_mode != 'ipvs' }}" - groups: - - k8s_cluster - iptables: *deb_redhat + - "{{ kube_proxy_mode != 'ipvs' }}" + - "{{ 'k8s_cluster' in group_names }}" + iptables: + - "{{ ansible_os_family in 
['Debian', 'RedHat'] }}" ipvsadm: - enabled: "{{ kube_proxy_mode == 'ipvs' }}" - groups: - - k8s_cluster - libseccomp: *redhat_family + - "{{ kube_proxy_mode == 'ipvs' }}" + - "{{ 'k8s_cluster' in group_names }}" + libseccomp: + - "{{ ansible_os_family == 'RedHat' }}" libseccomp2: - groups: - - k8s_cluster - os: - families: - - Suse - - Debian + - "{{ ansible_os_family in ['Debian', 'Suse'] }}" + - "{{ 'k8s_cluster' in group_names }}" libselinux-python: # TODO: Handle rehat_family + major < 8 - os: - distributions: - Amazon: {} + - "{{ ansible_distribution == 'Amazon' }}" libselinux-python3: - os: - distributions: - Fedora: {} + - "{{ ansible_distribution == 'Fedora' }}" mergerfs: - os: - distributions: - Debian: - major_versions: - - "12" - nss: *redhat_family - openssl: {} - python-apt: *deb_10 - # TODO: not for debian 10 - python3-apt: *debian_family_base + - "{{ ansible_distribution == 'Debian' }}" + - "{{ ansible_distribution_major_version == '12' }}" + nss: + - "{{ ansible_os_family == 'RedHat' }}" + openssl: [] + python-apt: + - "{{ ansible_os_family == 'Debian' }}" + - "{{ ansible_distribution_major_version == '10' }}" + python3-apt: + - "{{ ansible_os_family == 'Debian' }}" + - "{{ ansible_distribution_major_version != '10' }}" python3-libselinux: - os: - distributions: - RedHat: {} - CentOS: {} - rsync: {} - socat: {} - software-properties-common: *debian_family_base - tar: {} - unzip: {} - xfsprogs: {} + - "{{ ansible_distribution in ['RedHat', 'CentOS'] }}" + rsync: [] + socat: [] + software-properties-common: + - "{{ ansible_os_family == 'Debian' }}" + tar: [] + unzip: [] + xfsprogs: [] From e1392c65b417ffd087dd93fe06f8ca6786c372a2 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Tue, 5 Nov 2024 09:27:20 +0100 Subject: [PATCH 2/2] Fix openEuler packages conntrack -> conntrack-tools device-mapper-libs -> device-mapper --- roles/kubernetes/preinstall/vars/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
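Review bot: Several entries that used to inherit a `groups: k8s_cluster` restriction through an alias lose it here: `iptables` (was `*deb_redhat`), `device-mapper-libs`, `libseccomp` and `nss` (were `*redhat_family`) and `python-apt` (was `*deb_10`) no longer carry `- "{{ 'k8s_cluster' in group_names }}"`, so they would now be selected on hosts outside that group as well. `aufs-tools` and `python-apt` also move from matching the Debian distribution to `ansible_os_family == 'Debian'`, which is wider than the old `distributions: Debian` key. The commit message describes a simplification only, so if the wider selection is not intended I would add the group line back to those five entries and use `"{{ ansible_distribution == 'Debian' }}"` for the two Debian 10 ones, as `gnupg` and `mergerfs` already do. `device-mapper-libs` is touched again in patch 2/2 and still has no group condition there.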
diff --git a/roles/kubernetes/preinstall/vars/main.yml b/roles/kubernetes/preinstall/vars/main.yml index 00285b8a7..699a87de5 100644 --- a/roles/kubernetes/preinstall/vars/main.yml +++ b/roles/kubernetes/preinstall/vars/main.yml @@ -11,19 +11,21 @@ pkgs: bash-completion: [] conntrack: - "{{ ansible_os_family in ['Debian', 'RedHat'] }}" + - "{{ ansible_distribution != 'openEuler' }}" - "{{ 'k8s_cluster' in group_names }}" conntrack-tools: - - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'Amazon' }}" + - "{{ ansible_os_family == 'Suse' or ansible_distribution in ['Amazon', 'openEuler'] }}" - "{{ 'k8s_cluster' in group_names }}" container-selinux: - "{{ ansible_os_family == 'RedHat' }}" - "{{ 'k8s_cluster' in group_names }}" curl: [] device-mapper: - - "{{ ansible_os_family == 'Suse' }}" + - "{{ ansible_os_family == 'Suse' or ansible_distribution == 'openEuler' }}" - "{{ 'k8s_cluster' in group_names }}" device-mapper-libs: - "{{ ansible_os_family == 'RedHat' }}" + - "{{ ansible_distribution != 'openEuler' }}" e2fsprogs: [] ebtables: [] gnupg:
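Review bot: The openEuler special case is now spread over four conditions that have to stay in step, and nothing in the file says why. A short comment above `conntrack:` would help, for example `# openEuler matches the RedHat family but packages these as conntrack-tools and device-mapper`. That it reports the RedHat family is my reading of the `!= 'openEuler'` exclusions, so please confirm the wording. The `pkgs` mapping starts above the hunk and continues below it.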