Nope, no time to debug yet :(

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-09-28 7:52 GMT-03:00 Andrew Lau <and...@andrewklau.com>:

> Did you find any solution for this?
>
> On Fri, 15 Sep 2017 at 01:34 Mateus Caruccio <mateus.caruccio@getupcloud.com> wrote:
>
>> Yep, there it is:
>>
>> [OSEv3:children]
>> masters
>> etcd
>> nodes
>>
>> [OSEv3:vars]
>> deployment_type=origin
>> openshift_release=v3.6
>> debug_level=1
>> openshift_debug_level=1
>> openshift_node_debug_level=1
>> openshift_master_debug_level=1
>> openshift_master_access_token_max_seconds=2419200
>> osm_cluster_network_cidr=172.16.0.0/16
>> openshift_registry_selector="docker-registry=true"
>> openshift_hosted_registry_replicas=1
>>
>> openshift_master_cluster_hostname=api-cluster.example.com.br
>> openshift_master_cluster_public_hostname=api-cluster.example.com.br
>> osm_default_subdomain=example.com.br
>> openshift_master_default_subdomain=example.com.br
>> osm_default_node_selector="role=app"
>> os_sdn_network_plugin_name=redhat/openshift-ovs-multitenant
>> openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
>> osm_use_cockpit=false
>> containerized=False
>>
>> openshift_master_cluster_method=native
>> openshift_master_console_port=443
>> openshift_master_api_port=443
>>
>> openshift_master_overwrite_named_certificates=true
>> openshift_master_named_certificates=[{"certfile":"{{ lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key", "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.int.crt"}]
>> openshift_master_session_auth_secrets=['F71uoyI/Tkv/LiDH2PiFKK1o76bLoH10+uE2a']
>> openshift_master_session_encryption_secrets=['bjDwQfiy4ksB/3qph87BGulYb/GUho6K']
>> openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/openshift-audit/openshift-audit.log", "maximumFileRetentionDays": 30, "maximumFileSizeMegabytes": 500, "maximumRetainedFiles": 10}
>>
>> openshift_ca_cert_expire_days=1825
>> openshift_node_cert_expire_days=730
>> openshift_master_cert_expire_days=730
>> etcd_ca_default_days=1825
>>
>> openshift_hosted_router_create_certificate=false
>> openshift_hosted_manage_router=true
>> openshift_router_selector="role=infra"
>> openshift_hosted_router_replicas=2
>> openshift_hosted_router_certificate={"certfile":"{{ lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key", "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.int.crt"}
>>
>> openshift_hosted_metrics_deploy=true
>> openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com.br/hawkular/metrics
>>
>> openshift_hosted_logging_deploy=true
>> openshift_hosted_logging_hostname=kibana.example.com.br
>>
>> openshift_install_examples=true
>>
>> openshift_node_kubelet_args={'pods-per-core': ['20'], 'max-pods': ['100'], 'image-gc-high-threshold': ['80'], 'image-gc-low-threshold': ['50'],'minimum-container-ttl-duration': ['60s'], 'maximum-dead-containers-per-container': ['1'], 'maximum-dead-containers': ['15']}
>>
>> logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
>>
>> openshift_builddefaults_image_labels=[{'name':'builder','value':'true'}]
>> openshift_builddefaults_nodeselectors={'builder':'true'}
>> openshift_builddefaults_annotations={'builder':'true'}
>> openshift_builddefaults_resources_requests_cpu=10m
>> openshift_builddefaults_resources_requests_memory=128Mi
>> openshift_builddefaults_resources_limits_cpu=500m
>> openshift_builddefaults_resources_limits_memory=2Gi
>>
>> openshift_upgrade_nodes_serial=1
>> openshift_upgrade_nodes_max_fail_percentage=0
>> openshift_upgrade_control_plane_nodes_serial=1
>> openshift_upgrade_control_plane_nodes_max_fail_percentage=0
>>
>> openshift_disable_check=disk_availability,memory_availability
>>
>> [masters]
>> e001vmov40p42
>> e001vmov40p51
>> e001vmov40p52
>>
>> [etcd]
>> e001vmov40p42
>> e001vmov40p51
>> e001vmov40p52
>>
>> [nodes]
>> e001vmov40p42 openshift_node_labels="{'role': 'master'}"
>> e001vmov40p51 openshift_node_labels="{'role': 'master'}"
>> e001vmov40p52 openshift_node_labels="{'role': 'master'}"
>>
>> e001vmov40p45 openshift_node_labels="{'role': 'infra', 'docker-registry':'true', 'logging':'true'}"
>> e001vmov40p46 openshift_node_labels="{'role': 'infra', 'metrics': 'true'}"
>>
>> e001vmov40p47 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>> e001vmov40p48 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>> e001vmov40p49 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>>
>>
>> 2017-09-14 10:13 GMT-03:00 Matthew Wringe <mwri...@redhat.com>:
>>
>>> We had an issue where it was not possible for normal users to view their
>>> metrics (but cluster-admin users could). But I didn't think this made it
>>> into any releases.
>>>
>>> Would it be possible to attach the inventory file used?
>>>
>>> On Thu, Sep 14, 2017 at 8:34 AM, Paul Weil <pw...@redhat.com> wrote:
>>>
>>>> Including some metrics folks.  Matt/Jeff?
>>>>
>>>> On Wed, Sep 13, 2017 at 9:44 PM, Mateus Caruccio <
>>>> mateus.caruc...@getupcloud.com> wrote:
>>>>
>>>>> Answering my own question, that "namespace" field on audit log refers
>>>>> to the unnamespaced resource "/oapi/v1/subjectaccessreviews", not the
>>>>> subject access review object of the request.
>>>>>
>>>>> Still, the problem persists...
>>>>>
>>>>>
>>>>> 2017-09-13 22:39 GMT-03:00 Mateus Caruccio <
>>>>> mateus.caruc...@getupcloud.com>:
>>>>>
>>>>>> Audit logs show this:
>>>>>>
>>>>>> 2017-09-13T22:18:43.907186125-03:00 AUDIT:
>>>>>> id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35"
>>>>>> method="POST" user="mateus" 
>>>>>> groups="\"system:authenticated:oauth\",\"system:authenticated\""
>>>>>> as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/subjectaccessreviews"
>>>>>> 2017-09-13T22:18:43.941696064-03:00 AUDIT:
>>>>>> id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
>>>>>>
>>>>>> Am I wrong, or should that "namespace" field not be <none>?
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2017-09-13 20:31 GMT-03:00 Mateus Caruccio <
>>>>>> mateus.caruc...@getupcloud.com>:
>>>>>>
>>>>>>> After a fresh Origin 3.6.0, hawkular returns only 403 Forbidden.
>>>>>>> What is the auth path used by hawkular and how can I check if it's
>>>>>>> correct (secrets, serviceaccounts, token, etc)?
>>>>>>>
>>>>>>> $ oc version
>>>>>>> oc v3.6.0+c4dd4cf
>>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>>>>>>
>>>>>>> Server <redacted>
>>>>>>> openshift v3.6.0+c4dd4cf
>>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>>>
>>>>>>>
>>>>>>> $ oc -n openshift-infra get rc -o yaml | grep image:
>>>>>>>           image: docker.io/openshift/origin-metrics-cassandra:v3.6.0
>>>>>>>           image: docker.io/openshift/origin-metrics-hawkular-metrics:v3.6.0
>>>>>>>           image: docker.io/openshift/origin-metrics-heapster:v3.6.0
>>>>>>>
>>>>>>>
>>>>>>> $ oc -n openshift-infra get pods
>>>>>>> NAME                         READY     STATUS    RESTARTS   AGE
>>>>>>> hawkular-cassandra-1-vg250   1/1       Running   0          42m
>>>>>>> hawkular-metrics-4rkn4       1/1       Running   0          38m
>>>>>>> heapster-fjg8t               1/1       Running   1          50m
>>>>>>>
>>>>>>>
>>>>>>> $ oadm diagnostics MetricsApiProxy
>>>>>>> [Note] Determining if client configuration exists for client/cluster
>>>>>>> diagnostics
>>>>>>> Info:  Successfully read a client config file at
>>>>>>> '/home/getup/.kube/config'
>>>>>>> Info:  Using context for cluster-admin access:
>>>>>>> 'default/<redacted>:443/system:admin'
>>>>>>>
>>>>>>> [Note] Running diagnostic: MetricsApiProxy
>>>>>>>        Description: Check the integrated heapster metrics can be
>>>>>>> reached via the API proxy
>>>>>>>
>>>>>>> [Note] Summary of diagnostics execution (version v3.6.0+c4dd4cf):
>>>>>>> [Note] Completed with no errors or warnings seen.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> dev mailing list
>>>>> dev@lists.openshift.redhat.com
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
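
The audit excerpt quoted in this thread logs each request as two lines that share an `id`, and its `namespace` field follows the request path rather than the body of the SubjectAccessReview. The following is an added example, not code from the thread or from OpenShift: it pairs request and response lines by `id` and derives the namespace from the URI. The third sample line (its id and the project name `myproject`) is constructed, and the function names are hypothetical.

```python
import re

# First two lines are the audit excerpt quoted in this thread; the third is a
# constructed namespaced request (id and project "myproject" are made up).
SAMPLE = r'''
2017-09-13T22:18:43.907186125-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35" method="POST" user="mateus" groups="\"system:authenticated:oauth\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/subjectaccessreviews"
2017-09-13T22:18:43.941696064-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
2017-09-13T22:19:01.000000000-03:00 AUDIT: id="00000000-0000-0000-0000-000000000001" ip="10.150.10.35" method="GET" user="mateus" groups="\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="myproject" uri="/api/v1/namespaces/myproject/pods"
'''

# key="value" pairs; values may contain backslash-escaped quotes (see groups=).
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Namespaced REST paths carry a /namespaces/<name>/ segment; cluster-scoped ones do not.
NS_IN_URI = re.compile(r'/namespaces/([^/?]+)')

def uri_namespace(uri):
    """Namespace implied by the request path, or None for cluster-scoped paths."""
    m = NS_IN_URI.search(uri)
    return m.group(1) if m else None

def correlate(text):
    """Merge the request line and the response line that share an audit id."""
    events = {}
    for line in text.splitlines():
        if " AUDIT: " not in line:
            continue
        ts, rest = line.split(" AUDIT: ", 1)
        fields = dict(PAIR.findall(rest))
        ev = events.setdefault(fields["id"], {})
        if "response" in fields:
            ev["response"] = int(fields["response"])
        else:
            ev.update(fields, time=ts)
    return events

def summarize(text):
    """(user, method, uri, namespace from uri, response code or None) per request."""
    return [(ev.get("user"), ev.get("method"), ev.get("uri"),
             uri_namespace(ev.get("uri", "")), ev.get("response"))
            for ev in correlate(text).values()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A request with no matching response line shows `None` as its code, which is worth flagging when reading a rotated or truncated audit file.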
