update

2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
--- a/kubespray/roles/reset/defaults/main.yml
+++ b/kubespray/roles/reset/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+flush_iptables: true
+reset_restart_network: true
--- a/kubespray/roles/reset/tasks/main.yml
+++ b/kubespray/roles/reset/tasks/main.yml
@@ -0,0 +1,431 @@
+---
+- name: reset | stop services
+  service:
+    name: "{{ item }}"
+    state: stopped
+  with_items:
+    - kubelet.service
+    - cri-dockerd.service
+    - cri-dockerd.socket
+  failed_when: false
+  tags:
+    - services
+
+- name: reset | remove services
+  file:
+    path: "/etc/systemd/system/{{ item }}"
+    state: absent
+  with_items:
+    - kubelet.service
+    - cri-dockerd.service
+    - cri-dockerd.socket
+    - calico-node.service
+    - containerd.service.d/http-proxy.conf
+    - crio.service.d/http-proxy.conf
+    - k8s-certs-renew.service
+    - k8s-certs-renew.timer
+  register: services_removed
+  tags:
+    - services
+    - containerd
+    - crio
+
+- name: reset | Remove Docker
+  include_role:
+    name: container-engine/docker
+    tasks_from: reset
+  when: container_manager == 'docker'
+  tags:
+    - docker
+
+- name: reset | systemctl daemon-reload  # noqa 503
+  systemd:
+    daemon_reload: true
+  when: services_removed.changed
+
+- name: reset | check if crictl is present
+  stat:
+    path: "{{ bin_dir }}/crictl"
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: crictl
+
+- name: reset | stop all cri containers
+  shell: "set -o pipefail && {{ bin_dir }}/crictl ps -q | xargs -r {{ bin_dir }}/crictl -t 60s stop"
+  args:
+    executable: /bin/bash
+  register: remove_all_cri_containers
+  retries: 5
+  until: remove_all_cri_containers.rc == 0
+  delay: 5
+  tags:
+    - crio
+    - containerd
+  when:
+    - crictl.stat.exists
+    - container_manager in ["crio", "containerd"]
+  ignore_errors: true  # noqa ignore-errors
+
+- name: reset | force remove all cri containers
+  command: "{{ bin_dir }}/crictl rm -a -f"
+  register: remove_all_cri_containers
+  retries: 5
+  until: remove_all_cri_containers.rc == 0
+  delay: 5
+  tags:
+    - crio
+    - containerd
+  when:
+    - crictl.stat.exists
+    - container_manager in ["crio", "containerd"]
+    - deploy_container_engine
+  ignore_errors: true  # noqa ignore-errors
+
+- name: reset | stop and disable crio service
+  service:
+    name: crio
+    state: stopped
+    enabled: false
+  failed_when: false
+  tags: [ crio ]
+  when: container_manager == "crio"
+
+- name: reset | forcefully wipe CRI-O's container and image storage
+  command: "crio wipe -f"
+  failed_when: false
+  tags: [ crio ]
+  when: container_manager == "crio"
+
+- name: reset | stop all cri pods
+  shell: "set -o pipefail && {{ bin_dir }}/crictl pods -q | xargs -r {{ bin_dir }}/crictl -t 60s stopp"
+  args:
+    executable: /bin/bash
+  register: remove_all_cri_containers
+  retries: 5
+  until: remove_all_cri_containers.rc == 0
+  delay: 5
+  tags: [ containerd ]
+  when:
+    - crictl.stat.exists
+    - container_manager == "containerd"
+  ignore_errors: true  # noqa ignore-errors
+
+- block:
+    - name: reset | force remove all cri pods
+      command: "{{ bin_dir }}/crictl rmp -a -f"
+      register: remove_all_cri_containers
+      retries: 5
+      until: remove_all_cri_containers.rc == 0
+      delay: 5
+      tags: [ containerd ]
+      when:
+        - crictl.stat.exists
+        - container_manager == "containerd"
+
+  rescue:
+    - name: reset | force remove all cri pods (rescue)
+      shell: "ip netns list | cut -d' ' -f 1 | xargs -n1 ip netns delete && {{ bin_dir }}/crictl rmp -a -f"
+      ignore_errors: true  # noqa ignore-errors
+      changed_when: true
+
+- name: reset | stop etcd services
+  service:
+    name: "{{ item }}"
+    state: stopped
+  with_items:
+    - etcd
+    - etcd-events
+  failed_when: false
+  tags:
+    - services
+
+- name: reset | remove etcd services
+  file:
+    path: "/etc/systemd/system/{{ item }}.service"
+    state: absent
+  with_items:
+    - etcd
+    - etcd-events
+  register: services_removed
+  tags:
+    - services
+
+- name: reset | remove containerd
+  when: container_manager == 'containerd'
+  block:
+    - name: reset | stop containerd service
+      service:
+        name: containerd
+        state: stopped
+      failed_when: false
+      tags:
+        - services
+
+    - name: reset | remove containerd service
+      file:
+        path: /etc/systemd/system/containerd.service
+        state: absent
+      register: services_removed
+      tags:
+        - services
+
+- name: reset | gather mounted kubelet dirs  # noqa 301
+  shell: set -o pipefail && mount | grep /var/lib/kubelet/ | awk '{print $3}' | tac
+  args:
+    executable: /bin/bash
+    warn: false
+  check_mode: no
+  register: mounted_dirs
+  failed_when: false
+  tags:
+    - mounts
+
+- name: reset | unmount kubelet dirs  # noqa 301
+  command: umount -f {{ item }}
+  with_items: "{{ mounted_dirs.stdout_lines }}"
+  register: umount_dir
+  when: mounted_dirs
+  retries: 4
+  until: umount_dir.rc == 0
+  delay: 5
+  tags:
+    - mounts
+
+- name: flush iptables
+  iptables:
+    table: "{{ item }}"
+    flush: yes
+  with_items:
+    - filter
+    - nat
+    - mangle
+    - raw
+  when: flush_iptables|bool
+  tags:
+    - iptables
+
+- name: flush ip6tables
+  iptables:
+    table: "{{ item }}"
+    flush: yes
+    ip_version: ipv6
+  with_items:
+    - filter
+    - nat
+    - mangle
+    - raw
+  when: flush_iptables|bool and enable_dual_stack_networks
+  tags:
+    - ip6tables
+
+- name: Clear IPVS virtual server table
+  command: "ipvsadm -C"
+  ignore_errors: true  # noqa ignore-errors
+  when:
+    - kube_proxy_mode == 'ipvs' and inventory_hostname in groups['k8s_cluster']
+
+- name: reset | check kube-ipvs0 network device
+  stat:
+    path: /sys/class/net/kube-ipvs0
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: kube_ipvs0
+
+- name: reset | Remove kube-ipvs0
+  command: "ip link del kube-ipvs0"
+  when:
+    - kube_proxy_mode == 'ipvs'
+    - kube_ipvs0.stat.exists
+
+- name: reset | check nodelocaldns network device
+  stat:
+    path: /sys/class/net/nodelocaldns
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: nodelocaldns_device
+
+- name: reset | Remove nodelocaldns
+  command: "ip link del nodelocaldns"
+  when:
+    - enable_nodelocaldns|default(false)|bool
+    - nodelocaldns_device.stat.exists
+
+- name: reset | find files/dirs with immutable flag in /var/lib/kubelet
+  command: lsattr -laR /var/lib/kubelet
+  become: true
+  register: var_lib_kubelet_files_dirs_w_attrs
+  changed_when: false
+  no_log: true
+
+- name: reset | remove immutable flag from files/dirs in /var/lib/kubelet
+  file:
+    path: "{{ filedir_path }}"
+    state: touch
+    attributes: "-i"
+  loop: "{{ var_lib_kubelet_files_dirs_w_attrs.stdout_lines|select('search', 'Immutable')|list }}"
+  loop_control:
+    loop_var: file_dir_line
+    label: "{{ filedir_path }}"
+  vars:
+    filedir_path: "{{ file_dir_line.split(' ')[0] }}"
+
+- name: reset | delete some files and directories
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "{{ kube_config_dir }}"
+    - /var/lib/kubelet
+    - "{{ containerd_storage_dir }}"
+    - "{{ ansible_env.HOME | default('/root') }}/.kube"
+    - "{{ ansible_env.HOME | default('/root') }}/.helm"
+    - "{{ ansible_env.HOME | default('/root') }}/.config/helm"
+    - "{{ ansible_env.HOME | default('/root') }}/.cache/helm"
+    - "{{ ansible_env.HOME | default('/root') }}/.local/share/helm"
+    - "{{ etcd_data_dir }}"
+    - "{{ etcd_events_data_dir }}"
+    - "{{ etcd_config_dir }}"
+    - /var/log/calico
+    - /etc/cni
+    - /etc/nerdctl
+    - "{{ nginx_config_dir }}"
+    - /etc/dnsmasq.d
+    - /etc/dnsmasq.conf
+    - /etc/dnsmasq.d-available
+    - /etc/etcd.env
+    - /etc/calico
+    - /etc/NetworkManager/conf.d/calico.conf
+    - /etc/NetworkManager/conf.d/k8s.conf
+    - /etc/weave.env
+    - /opt/cni
+    - /etc/dhcp/dhclient.d/zdnsupdate.sh
+    - /etc/dhcp/dhclient-exit-hooks.d/zdnsupdate
+    - /run/flannel
+    - /etc/flannel
+    - /run/kubernetes
+    - /usr/local/share/ca-certificates/etcd-ca.crt
+    - /usr/local/share/ca-certificates/kube-ca.crt
+    - /etc/ssl/certs/etcd-ca.pem
+    - /etc/ssl/certs/kube-ca.pem
+    - /etc/pki/ca-trust/source/anchors/etcd-ca.crt
+    - /etc/pki/ca-trust/source/anchors/kube-ca.crt
+    - /var/log/pods/
+    - "{{ bin_dir }}/kubelet"
+    - "{{ bin_dir }}/cri-dockerd"
+    - "{{ bin_dir }}/etcd-scripts"
+    - "{{ bin_dir }}/etcd"
+    - "{{ bin_dir }}/etcd-events"
+    - "{{ bin_dir }}/etcdctl"
+    - "{{ bin_dir }}/etcdctl.sh"
+    - "{{ bin_dir }}/kubernetes-scripts"
+    - "{{ bin_dir }}/kubectl"
+    - "{{ bin_dir }}/kubeadm"
+    - "{{ bin_dir }}/helm"
+    - "{{ bin_dir }}/calicoctl"
+    - "{{ bin_dir }}/calicoctl.sh"
+    - "{{ bin_dir }}/calico-upgrade"
+    - "{{ bin_dir }}/weave"
+    - "{{ bin_dir }}/crictl"
+    - "{{ bin_dir }}/nerdctl"
+    - "{{ bin_dir }}/netctl"
+    - "{{ bin_dir }}/k8s-certs-renew.sh"
+    - /var/lib/cni
+    - /etc/openvswitch
+    - /run/openvswitch
+    - /var/lib/kube-router
+    - /var/lib/calico
+    - /etc/cilium
+    - /run/calico
+    - /etc/bash_completion.d/kubectl.sh
+    - /etc/bash_completion.d/crictl
+    - /etc/bash_completion.d/nerdctl
+    - /etc/bash_completion.d/krew
+    - /etc/bash_completion.d/krew.sh
+    - "{{ krew_root_dir }}"
+    - /etc/modules-load.d/kube_proxy-ipvs.conf
+    - /etc/modules-load.d/kubespray-br_netfilter.conf
+    - /etc/modules-load.d/kubespray-kata-containers.conf
+    - /usr/libexec/kubernetes
+    - /etc/origin/openvswitch
+    - /etc/origin/ovn
+    - "{{ sysctl_file_path }}"
+    - /etc/crictl.yaml
+  ignore_errors: true  # noqa ignore-errors
+  tags:
+    - files
+
+- name: reset | remove containerd binary files
+  file:
+    path: "{{ containerd_bin_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - containerd
+    - containerd-shim
+    - containerd-shim-runc-v1
+    - containerd-shim-runc-v2
+    - containerd-stress
+    - crictl
+    - critest
+    - ctd-decoder
+    - ctr
+    - runc
+  ignore_errors: true  # noqa ignore-errors
+  when: container_manager == 'containerd'
+  tags:
+    - files
+
+- name: reset | remove dns settings from dhclient.conf
+  blockinfile:
+    path: "{{ item }}"
+    state: absent
+    marker: "# Ansible entries {mark}"
+  failed_when: false
+  with_items:
+    - /etc/dhclient.conf
+    - /etc/dhcp/dhclient.conf
+  tags:
+    - files
+    - dns
+
+- name: reset | remove host entries from /etc/hosts
+  blockinfile:
+    path: "/etc/hosts"
+    state: absent
+    marker: "# Ansible inventory hosts {mark}"
+  tags:
+    - files
+    - dns
+
+- name: reset | include file with reset tasks specific to the network_plugin if exists
+  include_role:
+    name: "network_plugin/{{ kube_network_plugin }}"
+    tasks_from: reset
+  when:
+    - kube_network_plugin in ['flannel', 'cilium', 'kube-router', 'calico']
+  tags:
+    - network
+
+- name: reset | Restart network
+  service:
+    name: >-
+      {% if ansible_os_family == "RedHat" -%}
+      {%- if ansible_distribution_major_version|int >= 8 or is_fedora_coreos or ansible_distribution == "Fedora" -%}
+      NetworkManager
+      {%- else -%}
+      network
+      {%- endif -%}
+      {%- elif ansible_distribution == "Ubuntu" -%}
+      systemd-networkd
+      {%- elif ansible_os_family == "Debian" -%}
+      networking
+      {%- endif %}
+    state: restarted
+  when:
+    - ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+    - reset_restart_network
+  tags:
+    - services
+    - network