[cloud_infra_center] none-root user for bastion, haproxy,DNS reboot i…

…ssue

z_infra_provisioning/cloud_infra_center/ocp_upi/README.md

@@ -34,7 +34,7 @@ The playbook contains the following topics:
 
   3. Requirements pre-check before the installation
 
-**Note**: This playbook supports IBM® Cloud Infrastructure Center version 1.1.4, 1.1.5 and RH OpenShift Container Platform version 4.6 and, 4.7, 4.8, 4.9, 4.10 for z/VM and version 4.7, 4.8, 4.9, 4.10 for KVM.
+**Note**: This playbook supports IBM® Cloud Infrastructure Center version 1.1.4, 1.1.5 and RH OpenShift Container Platform version 4.6 and, 4.7, 4.8, 4.9, 4.10, 4.11for z/VM and version 4.7, 4.8, 4.9, 4.10, 4.11for KVM.
 
 # Installing Red Hat OpenShift on the IBM Cloud Infrastructure Center via user-provisioned infrastructure (UPI)
 
@@ -76,7 +76,7 @@ After you performed the previous steps successfully, you get one ready OpenShift
 
 - **(Required)** A Linux server, the machine that runs Ansible.
     - RHEL8 is the operation system version we tested
-    - Ansible == 2.8
+    - Ansible == 2.8 or 2.9
     - This server **must not** be any of the IBM Cloud Infrastructure Center nodes
     - You can use a single LPAR server or virtual machine
       - Disk with at least 20 GiB
@@ -121,7 +121,7 @@ sudo subscription-manager repos --enable=ansible-2.8-for-rhel-8-s390x-rpms
 
 Install the packages from the repository in the Linux server:
 ```sh
-sudo dnf install python3 ansible jq wget git firewalld tar gzip -y
+sudo dnf install python3 ansible jq wget git firewalld tar gzip redhat-rpm-config gcc libffi-devel python3-devel openssl-devel cargo -y
 ```
 Make sure that `python` points to Python3
 ```sh
@@ -131,10 +131,7 @@ Upgrade the pip package and dnf:
 ```sh
 sudo -H pip3 install --upgrade pip
 ```
-Install the required package through dnf:
-```sh
-sudo dnf install redhat-rpm-config gcc libffi-devel python3-devel openssl-devel cargo -y
-```
+
 Then create the requirements file and use pip3 to install the python modules:
 
 **Note**: The requirements.txt are tested for python-openstackclient=5.5.0.
@@ -316,6 +313,13 @@ ansible-playbook -i inventory.yaml configure-haproxy.yaml
 ```sh
 ansible-playbook -i inventory.yaml bastion.yaml
 ```
+> If you don't have any existing DNS server or Load Balancer and use the non-root user,run the command as below and enter the password for your user.
+```sh
+ansible-playbook -i inventory.yaml bastion.yaml -K
+BECOME:
+```
+
+
 
 3. **Step3**:
 ```sh

z_infra_provisioning/cloud_infra_center/ocp_upi/docs/add-dns-haproxy.md

@@ -68,6 +68,17 @@ _etcd-server-ssl._tcp IN SRV 0 10 2380 etcd-0.openshift.second.com.
                       IN SRV 0 10 2380 etcd-2.openshift.second.com.
 ```
 
+equired DNS records
+
+|Record |Description|
+|------ |------------------------------------|
+api.<cluster_name>.<base_domain>. | A DNS A/AAAA or CNAME record, and a DNS PTR record, to identify the API load balancer. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster.|
+|api-int.<cluster_name>.<base_domain>. | A DNS A/AAAA or CNAME record, and a DNS PTR record, to internally identify the API load balancer. These records must be resolvable from all the nodes within the cluster.|
+|*.apps.<cluster_name>.<base_domain>.  |A wildcard DNS A/AAAA or CNAME record that refers to the application ingress load balancer. The application ingress load balancer targets the machines that run the Ingress Controller pods. The Ingress Controller pods run on the compute machines by default. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster.|
+|bootstrap.<cluster_name>.<base_domain>. |A DNS A/AAAA or CNAME record, and a DNS PTR record, to identify the bootstrap machine. These records must be resolvable by the nodes within the cluster.|
+|<master><n>.<cluster_name>.<base_domain>. |DNS A/AAAA or CNAME records and DNS PTR records to identify each machine for the control plane nodes. These records must be resolvable by the nodes within the cluster.|
+|<worker><n>.<cluster_name>.<base_domain>. |DNS A/AAAA or CNAME records and DNS PTR records to identify each machine for the worker nodes. These records must be resolvable by the nodes within the cluster.|
+
 You need to change the `openshift.second.com` to the second cluster domain name, and change servers' IPs and worker nodes' names.
 
 2. Correct the zone file's owner

z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/handlers/main.yml

@@ -17,12 +17,19 @@
 ---
 # handlers file for configure-dns
 - name: Restart named-chroot.service
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: named-chroot.service
     state: restarted
+    enabled: yes
   listen: "restart dns"
 
 - name: Restart firewalld.service
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: firewalld.service
     state: restarted

z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-dns/tasks/main.yml

@@ -18,12 +18,18 @@
 # tasks file for configure-dns
 - include_vars: cluster-template.yaml
 
-- name: Install bind-chroot for dns 
+- name: Install bind-chroot for dns
+  become: yes
+  become_user: root
+  become_method: sudo
   yum:
     name: bind-chroot
     state: latest
 
 - name: Create /var/named directory
+  become: yes
+  become_user: root
+  become_method: sudo
   file:
     path: /var/named
     state: directory
@@ -37,6 +43,9 @@
     subnet_range: "{{ lookup('file', '.subnet_range.yml') }}"
 
 - name: Create dns subnet definition
+  become: yes
+  become_user: root
+  become_method: sudo
   template:
     src: var/named/cluster_domain_name.zone.j2
     dest: /var/named/{{ cluster_domain_name }}.zone
@@ -46,17 +55,26 @@
    - restart dns
 
 - name: Unmanage resolve.conf in NetworkManager
+  become: yes
+  become_user: root
+  become_method: sudo
   lineinfile:
     line: dns=none
     dest: /etc/NetworkManager/NetworkManager.conf
     insertafter: "\\[main\\].*"
     regexp: "^dns=.*"
 
 - name: Check if DNS is already defined
+  become: yes
+  become_user: root
+  become_method: sudo
   shell: grep -c "^{{ cluster_domain_name }}" /etc/resolv.conf || true
   register: check
 
 - name: Use local dns in resolv.conf
+  become: yes
+  become_user: root
+  become_method: sudo
   blockinfile:
     dest: /etc/resolv.conf
     insertbefore: BOF
@@ -70,6 +88,9 @@
     bastion_reverse: "{{ os_dns_domain.split('.')[:-1][::-1]|join('.') }}"
 
 - name: Create dns subnet zone for bastion
+  become: yes
+  become_user: root
+  become_method: sudo
   template:
     src: var/named/bastion.in-addr.arpa.zone.j2
     dest: /var/named/{{ bastion_reverse }}.in-addr.arpa.zone
@@ -79,25 +100,37 @@
    - restart dns
 
 - name: Create /etc/named.conf
+  become: yes
+  become_user: root
+  become_method: sudo
   template:
     src: etc/named.conf.j2
     dest: /etc/named.conf
   notify:
    - restart dns
 
 - name: Update cluster_subnet_range
+  become: yes
+  become_user: root
+  become_method: sudo
   shell: 
     cmd: sed -i "s|cluster_subnet_range|{{ subnet_range }}|g" /etc/named.conf
   notify:
    - restart dns
 
 - name: Update bastion_subnet_prefix_reverse
+  become: yes
+  become_user: root
+  become_method: sudo
   shell: 
     cmd: sed -i "s/bastion_subnet_prefix_reverse/{{ bastion_reverse }}/g" /etc/named.conf
   notify:
    - restart dns
 
 - name: Add dns to firewall
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     permanent: true
     service: dns

z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-haproxy/handlers/main.yml

@@ -17,19 +17,29 @@
 ---
 # handlers file for configure-haproxy
 - name: Turn on haproxy_connect_any
+  become: yes
+  become_user: root
+  become_method: sudo
   seboolean: 
     name: haproxy_connect_any
     state: yes
     persistent: yes
   listen: "restart haproxy"
 
 - name: Restart haproxy
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: haproxy.service
     state: restarted
+    enabled: yes
   listen: "restart haproxy"
 
 - name: Restart firewalld.service
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: firewalld.service
     state: restarted

z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-haproxy/tasks/main.yml

@@ -20,6 +20,9 @@
 - include_vars: cluster-template.yaml
 
 - name: Install haproxy
+  become: yes
+  become_user: root
+  become_method: sudo
   yum:
     name:
       - haproxy
@@ -31,18 +34,27 @@
   - restart firewalld
 
 - name: Create /etc/haproxy
+  become: yes
+  become_user: root
+  become_method: sudo
   file: 
     path: /etc/haproxy
     state: directory
 
 - name: Create /etc/haproxy/haproxy.cfg
+  become: yes
+  become_user: root
+  become_method: sudo
   template:
     src: etc/haproxy/haproxy.cfg.j2
     dest: /etc/haproxy/haproxy.cfg
   notify: 
   - restart haproxy
 
 - name: Allow http traffic
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     service: http
     permanent: yes
@@ -52,6 +64,9 @@
   - restart firewalld
 
 - name: Allow http traffic
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     service: http
     permanent: yes
@@ -61,6 +76,9 @@
   - restart firewalld
 
 - name: Allow https traffic
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     service: https
     permanent: yes
@@ -70,6 +88,9 @@
   - restart firewalld
 
 - name: Allow https traffic
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     service: https
     permanent: yes
@@ -79,6 +100,9 @@
   - restart firewalld
 
 - name: Allow traffic at port 443
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     port: 443/tcp
     permanent: yes
@@ -91,6 +115,9 @@
   - restart firewalld
 
 - name: Allow traffic at port 6443
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     port: 6443/tcp
     permanent: yes
@@ -103,6 +130,9 @@
   - restart firewalld
 
 - name: Allow traffic at port 22623
+  become: yes
+  become_user: root
+  become_method: sudo
   firewalld:
     port: 22623/tcp
     permanent: yes
@@ -114,21 +144,39 @@
   notify:
   - restart firewalld
 
-- name: Set setenforce 0
-  shell: setenforce 0
-
-- name: Restart haproxy
-  service: name=haproxy state=restarted
+- name: Allow selinux for haproxy
+  become: yes
+  become_user: root
+  become_method: sudo
+  shell: setsebool -P haproxy_connect_any=1
+
+- name: start haproxy
+  become: yes
+  become_user: root
+  become_method: sudo
+  service:
+    name: haproxy
+    state: started
+    enabled: yes
 
 - name: Restart firewalld
+  become: yes
+  become_user: root
+  become_method: sudo
   service: name=firewalld state=restarted
 
 - name: Check if haproxy is running
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: haproxy
     state: started
 
 - name: Check if firewalld is running
+  become: yes
+  become_user: root
+  become_method: sudo
   service:
     name: firewalld
     state: started

z_infra_provisioning/cloud_infra_center/ocp_upi/roles/configure-installer-client-local/tasks/main.yaml

@@ -11,24 +11,17 @@
 # tasks file for configure-installer-and-image
 
 - name: Download openshift installer
-  #  become: yes
   get_url:
     url: '{{ local_openshift_install }}'
     dest: ./openshift-install-linux.tar.gz
     dest: .
-    mode: 0755
-    #group: root
-    #owner: root
+
 
 - name: Download openshift client
-  #become: yes
   get_url:
     url: '{{ local_openshift_client }}'
     dest: ./openshift-client-linux.tar.gz
     dest: .
-    mode: 0644
-    #group: root
-    #owner: root
 
 - name: Unzip openshift client archive
   command: