diff --git a/roles/rke2/tasks/install_rke2.yml b/roles/rke2/tasks/install_rke2.yml
index 10bef158925452d502712ede9946497a8576f5af..c2683ca0c3d3b3c031e5356ead36c66dcb4e2461 100644
--- a/roles/rke2/tasks/install_rke2.yml
+++ b/roles/rke2/tasks/install_rke2.yml
@@ -3,11 +3,8 @@
     url: https://get.rke2.io
     dest: /tmp/rke2.sh
     mode: '0755'
-  #when: not rke2_installed.stat.exists or upgrade
+  when: not rke2_installed.stat.exists or upgrade
 
-- name: Kill RKE2
-  command: "rke2-killall.sh"
-  
 - name: Install RKE2
   command: "/tmp/rke2.sh"
   args:
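Review bot: The installer fetched from `https://get.rke2.io` is written to the world-writable `/tmp` and then executed by `Install RKE2`, with no integrity check on what was downloaded. Pin it on the download task with `checksum: "sha256:<PINNED_SHA256>"` (a placeholder; take the value from a reviewed copy of the installer) and move `dest` from `/tmp/rke2.sh` to a root-owned directory. The download task starts above the hunk and `Install RKE2` continues below it, so whether the install step has its own condition is not visible here. If it has none, a skipped download would leave it running whatever file already sits at that path.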
diff --git a/roles/rke2/tasks/main.yml b/roles/rke2/tasks/main.yml
index 9ce1dcabe8a3606801b590554d07166ef61fdfe4..873af86dd88ae5fca24fee5ab50043036e67402a 100644
--- a/roles/rke2/tasks/main.yml
+++ b/roles/rke2/tasks/main.yml
@@ -6,7 +6,7 @@
 - block:
   - include_tasks: setup_host.yml
   - include_tasks: install_rke2.yml
- # when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
+  when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
 
 - include_tasks: templates.yml
   when: "state != 'absent' and 'master' in group_names  "
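Review bot: `upgrade` is a bare name inside a compound condition, so a value that arrives as a string (for example `-e upgrade=false`) is truthy and would send the host down the setup and reinstall path. Cast it and factor out the repeated test: `when: state != 'absent' and (not rke2_installed.stat.exists or (upgrade | bool))`. The same cast applies to the `when` re-enabled in install_rke2.yml, which, as far as this diff shows, repeats a test the block already applies. The condition also assumes `rke2_installed` is registered earlier in main.yml, which is outside the hunk.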
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index a353ee9f085d6fa96216bd448331f9738e00b78a..c88deb47e725daa2ca5ec0ee287798ad482dd1f6 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -13,85 +13,10 @@
     /usr/sbin/pvresize -y -q /dev/vda2 
     /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root 
 
-#- name: Upgrade to latest kernel
-#  shell: |
-#    dnf upgrade -y 
-#    dnf updateinfo list --security --available
-#    dnf install https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm --assumeyes
-#    dnf --enablerepo=elrepo-kernel install kernel-ml --assumeyes
-#    touch /.autorelabel
-    
-#- name: install RHEL packages
-#  dnf:
-#    name:
-#      - container-selinux
-#      - iptables 
-#      - libnetfilter_conntrack 
-#      - libnfnetlink 
-#      - libnftnl 
-#      - policycoreutils-python-utils  
-#      - ca-certificates
-#      - openssl
-#      - setools-console
-#     # - libseccomp-devel #this didnt help
-#      
-#    state: latest
-
-- name: add kernel params
-  template:
-    src: kernel_params.conf.j2
-    dest: /etc/sysctl.d/rke2_kernel_params.conf
-  register: kernel_params
-
-- name: load kernel params
-  shell: sysctl --system
-  when: kernel_params.changed
-
-- name: disable firewalld
-  ansible.builtin.systemd:
-    name: "firewalld"
-    enabled: no
-    masked: no
-    state: stopped
-  ignore_errors: True #this command is not idempotent it seems
-
-- name: enable nftables
-  ansible.builtin.systemd:
-    name: "nftables"
-    enabled: yes
-    state: started
-    masked: no
-
-- name: add group - etcd 
-  group:
-    name: etcd
-    state: present
-
-- name: add user - etcd
-  user:
-    name: etcd
-    group: etcd
-
-#- name: Reboot but not on upgrades, so kernel updates only install at initial runs 
-#  ansible.builtin.reboot:
-#    reboot_timeout: 3600
-#  when: ( not upgrade ) 
-
-
 - name: Disable SELinux
   selinux:
     policy: targeted
     state: permissive
-  when: ( 'control-plane' in group_names )
-
-- name: Download root CA
-  get_url:
-    url: https://curl.se/ca/cacert.pem
-    dest: /etc/ssl/certs
-
-- name: Update CA trust
-  shell: update-ca-trust
-  
 
 - name: Copy SELinux Policies
   template:
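Review bot: Removing `when: ( 'control-plane' in group_names )` from `Disable SELinux` puts every host that runs this file into permissive mode, not only control-plane nodes, while the policy module installed further down is still limited to control-plane hosts. If the widening is not intended, restore the condition; if other nodes hit denials, a targeted policy module is a narrower fix than permissive mode. The task name is also misleading, since `state: permissive` does not disable SELinux; `- name: Set SELinux to permissive` would match what it does. The hunk also drops the sysctl template, the nftables enablement and the etcd user/group, so confirm that no RKE2 hardening profile in use (not visible here) depends on them.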
@@ -106,18 +31,7 @@
     semodule -i /etc/selinux/targeted/policy/my-openstack.pp
   when: ( 'control-plane' in group_names )
 
-- name: Copy SELinux Policies for new Kernel ()
-  template:
-    src: ../selinux/my-iptables.te
-    dest: /etc/selinux/targeted/policy/my-iptables.te
-  #when: ( 'control-plane' in group_names )
 
-- name: Build SELinux exception module & allow xtables-nft-multi ioctl access on the cgroup directory
-  shell: |
-    checkmodule -M -m -o /etc/selinux/targeted/policy/my-iptables.mod /etc/selinux/targeted/policy/my-iptables.te
-    semodule_package -o /etc/selinux/targeted/policy/my-iptables.pp -m /etc/selinux/targeted/policy/my-iptables.mod
-    semodule -i /etc/selinux/targeted/policy/my-iptables.pp
-  #when: ( 'control-plane' in group_names )
 
 - name: Ensure /var/lib/rancher/rke2/server/manifests
   file: