Nope, no time to debug yet :(

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-09-28 7:52 GMT-03:00 Andrew Lau <and...@andrewklau.com>:

> Did you find any solution for this?
>
> On Fri, 15 Sep 2017 at 01:34 Mateus Caruccio <mateus.caruccio@getupcloud.
> com> wrote:
>
>> Yep, there it is:
>>
>> [OSEv3:children]
>> masters
>> etcd
>> nodes
>>
>> [OSEv3:vars]
>> deployment_type=origin
>> openshift_release=v3.6
>> debug_level=1
>> openshift_debug_level=1
>> openshift_node_debug_level=1
>> openshift_master_debug_level=1
>> openshift_master_access_token_max_seconds=2419200
>> osm_cluster_network_cidr=172.16.0.0/16
>> openshift_registry_selector="docker-registry=true"
>> openshift_hosted_registry_replicas=1
>>
>> openshift_master_cluster_hostname=api-cluster.example.com.br
>> openshift_master_cluster_public_hostname=api-cluster.example.com.br
>> osm_default_subdomain=example.com.br
>> openshift_master_default_subdomain=example.com.br
>> osm_default_node_selector="role=app"
>> os_sdn_network_plugin_name=redhat/openshift-ovs-multitenant
>> openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login':
>> 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider',
>> 'filename': '/etc/origin/master/htpasswd'}]
>> osm_use_cockpit=false
>> containerized=False
>>
>> openshift_master_cluster_method=native
>> openshift_master_console_port=443
>> openshift_master_api_port=443
>>
>> openshift_master_overwrite_named_certificates=true
>> openshift_master_named_certificates=[{"certfile":"{{
>> lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","
>> keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key",
>> "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.
>> com.br.int.crt"}]
>> openshift_master_session_auth_secrets=['F71uoyI/Tkv/
>> LiDH2PiFKK1o76bLoH10+uE2a']
>> openshift_master_session_encryption_secrets=['bjDwQfiy4ksB/3qph87BGulYb/
>> GUho6K']
>> openshift_master_audit_config={"enabled": true, "auditFilePath":
>> "/var/log/openshift-audit/openshift-audit.log",
>> "maximumFileRetentionDays": 30, "maximumFileSizeMegabytes": 500,
>> "maximumRetainedFiles": 10}
>>
>> openshift_ca_cert_expire_days=1825
>> openshift_node_cert_expire_days=730
>> openshift_master_cert_expire_days=730
>> etcd_ca_default_days=1825
>>
>> openshift_hosted_router_create_certificate=false
>> openshift_hosted_manage_router=true
>> openshift_router_selector="role=infra"
>> openshift_hosted_router_replicas=2
>> openshift_hosted_router_certificate={"certfile":"{{
>> lookup('env','PWD')}}/certs/wildcard.example.com.br.crt","
>> keyfile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.key",
>> "cafile":"{{lookup('env','PWD')}}/certs/wildcard.example.com.br.int.crt"}
>>
>> openshift_hosted_metrics_deploy=true
>> openshift_hosted_metrics_public_url=https://hawkular-
>> metrics.example.com.br/hawkular/metrics
>>
>> openshift_hosted_logging_deploy=true
>> openshift_hosted_logging_hostname=kibana.example.com.br
>>
>> openshift_install_examples=true
>>
>> openshift_node_kubelet_args={'pods-per-core': ['20'], 'max-pods':
>> ['100'], 'image-gc-high-threshold': ['80'], 'image-gc-low-threshold':
>> ['50'],'minimum-container-ttl-duration': ['60s'],
>> 'maximum-dead-containers-per-container': ['1'],
>> 'maximum-dead-containers': ['15']}
>>
>> logrotate_scripts=[{"name": "syslog", "path": "/var/log/cron\n/var/log/
>> maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n",
>> "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"],
>> "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2>
>> /dev/null` 2> /dev/null || true"}}]
>>
>> openshift_builddefaults_image_labels=[{'name':'builder','value':'true'}]
>> openshift_builddefaults_nodeselectors={'builder':'true'}
>> openshift_builddefaults_annotations={'builder':'true'}
>> openshift_builddefaults_resources_requests_cpu=10m
>> openshift_builddefaults_resources_requests_memory=128Mi
>> openshift_builddefaults_resources_limits_cpu=500m
>> openshift_builddefaults_resources_limits_memory=2Gi
>>
>> openshift_upgrade_nodes_serial=1
>> openshift_upgrade_nodes_max_fail_percentage=0
>> openshift_upgrade_control_plane_nodes_serial=1
>> openshift_upgrade_control_plane_nodes_max_fail_percentage=0
>>
>> openshift_disable_check=disk_availability,memory_availability
>>
>> [masters]
>> e001vmov40p42
>> e001vmov40p51
>> e001vmov40p52
>>
>> [etcd]
>> e001vmov40p42
>> e001vmov40p51
>> e001vmov40p52
>>
>> [nodes]
>> e001vmov40p42 openshift_node_labels="{'role': 'master'}"
>> e001vmov40p51 openshift_node_labels="{'role': 'master'}"
>> e001vmov40p52 openshift_node_labels="{'role': 'master'}"
>>
>> e001vmov40p45 openshift_node_labels="{'role': 'infra',
>> 'docker-registry':'true', 'logging':'true'}"
>> e001vmov40p46 openshift_node_labels="{'role': 'infra', 'metrics':
>> 'true'}"
>>
>> e001vmov40p47 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>> e001vmov40p48 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>> e001vmov40p49 openshift_node_labels="{'role': 'app', 'builder': 'true'}"
>>
>> --
>> Mateus Caruccio / Master of Puppets
>> GetupCloud.com
>> We make the infrastructure invisible
>> Gartner Cool Vendor 2017
>>
>> 2017-09-14 10:13 GMT-03:00 Matthew Wringe <mwri...@redhat.com>:
>>
>>> We had an issue where it was not possible for normal users to view their
>>> metrics (but cluster-admin users could). But I didn't think this made it
>>> into any releases.
>>>
>>> Would it be possible to attach the inventory file used?
>>>
>>> On Thu, Sep 14, 2017 at 8:34 AM, Paul Weil <pw...@redhat.com> wrote:
>>>
>>>> Including some metrics folks. Matt/Jeff?
>>>>
>>>> On Wed, Sep 13, 2017 at 9:44 PM, Mateus Caruccio <
>>>> mateus.caruc...@getupcloud.com> wrote:
>>>>
>>>>> Answering my own question, that "namespace" field on audit log refers
>>>>> to the unnamespaced resource "/oapi/v1/subjectaccessreviews", not the
>>>>> subject access review object of the request.
>>>>>
>>>>> Still, the problem persists...
>>>>>
>>>>> --
>>>>> Mateus Caruccio / Master of Puppets
>>>>> GetupCloud.com
>>>>> We make the infrastructure invisible
>>>>> Gartner Cool Vendor 2017
>>>>>
>>>>> 2017-09-13 22:39 GMT-03:00 Mateus Caruccio <
>>>>> mateus.caruc...@getupcloud.com>:
>>>>>
>>>>>> Audit logs show this:
>>>>>>
>>>>>> 2017-09-13T22:18:43.907186125-03:00 AUDIT:
>>>>>> id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35"
>>>>>> method="POST" user="mateus"
>>>>>> groups="\"system:authenticated:oauth\",\"system:authenticated\""
>>>>>> as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/
>>>>>> subjectaccessreviews"
>>>>>> 2017-09-13T22:18:43.941696064-03:00 AUDIT:
>>>>>> id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
>>>>>>
>>>>>> Am I wrong, or should that "namespace" field not be <none>?
>>>>>>
>>>>>> --
>>>>>> Mateus Caruccio / Master of Puppets
>>>>>> GetupCloud.com
>>>>>> We make the infrastructure invisible
>>>>>> Gartner Cool Vendor 2017
>>>>>>
>>>>>> 2017-09-13 20:31 GMT-03:00 Mateus Caruccio <
>>>>>> mateus.caruc...@getupcloud.com>:
>>>>>>
>>>>>>> After a fresh Origin 3.6.0, hawkular returns only 403 Forbidden.
>>>>>>> What is the auth path used by hawkular and how can I check if it's
>>>>>>> correct (secrets, serviceaccounts, token, etc)?
>>>>>>>
>>>>>>> $ oc version
>>>>>>> oc v3.6.0+c4dd4cf
>>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>>>>>>
>>>>>>> Server <redacted>
>>>>>>> openshift v3.6.0+c4dd4cf
>>>>>>> kubernetes v1.6.1+5115d708d7
>>>>>>>
>>>>>>>
>>>>>>> $ oc -n openshift-infra get rc -o yaml | grep image:
>>>>>>> image: docker.io/openshift/origin-metrics-cassandra:v3.6.0
>>>>>>> image: docker.io/openshift/origin-
>>>>>>> metrics-hawkular-metrics:v3.6.0
>>>>>>> image: docker.io/openshift/origin-metrics-heapster:v3.6.0
>>>>>>>
>>>>>>>
>>>>>>> $ oc -n openshift-infra get pods
>>>>>>> NAME                         READY     STATUS    RESTARTS   AGE
>>>>>>> hawkular-cassandra-1-vg250   1/1       Running   0          42m
>>>>>>> hawkular-metrics-4rkn4       1/1       Running   0          38m
>>>>>>> heapster-fjg8t               1/1       Running   1          50m
>>>>>>>
>>>>>>>
>>>>>>> $ oadm diagnostics MetricsApiProxy
>>>>>>> [Note] Determining if client configuration exists for client/cluster
>>>>>>> diagnostics
>>>>>>> Info: Successfully read a client config file at
>>>>>>> '/home/getup/.kube/config'
>>>>>>> Info: Using context for cluster-admin access:
>>>>>>> 'default/<redacted>:443/system:admin'
>>>>>>>
>>>>>>> [Note] Running diagnostic: MetricsApiProxy
>>>>>>> Description: Check the integrated heapster metrics can be
>>>>>>> reached via the API proxy
>>>>>>>
>>>>>>> [Note] Summary of diagnostics execution (version v3.6.0+c4dd4cf):
>>>>>>> [Note] Completed with no errors or warnings seen.
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>> --
>>>>>>> Mateus Caruccio / Master of Puppets
>>>>>>> GetupCloud.com
>>>>>>> We make the infrastructure invisible
>>>>>>> Gartner Cool Vendor 2017
>>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> dev mailing list
>>>>> dev@lists.openshift.redhat.com
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>>>>
>>
>> _______________________________________________
>> dev mailing list
>> dev@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>
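
Added example (not part of the thread and not OpenShift code): a small Python parser for the audit line format quoted above that joins the request and response lines sharing an `id`, and compares the logged `namespace` field with the namespace named in the request URI, which is what the thread concludes the field reflects. The first two sample lines are the thread's own entries with mail wrapping removed; the last two lines and all function names are constructed for illustration.

```python
import re

# key="value" pairs; a value may hold backslash-escaped quotes (see groups=).
PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
NS_IN_URI = re.compile(r"/namespaces/([^/]+)")

# Lines 1-2: the audit entries quoted in the thread, mail wrapping removed.
# Lines 3-4: constructed for illustration (user, id and IP are made up).
SAMPLE = r'''
2017-09-13T22:18:43.907186125-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" ip="10.150.10.35" method="POST" user="mateus" groups="\"system:authenticated:oauth\",\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="<none>" uri="/oapi/v1/subjectaccessreviews"
2017-09-13T22:18:43.941696064-03:00 AUDIT: id="cf075af6-c8a7-4b3c-8727-4ad2aefa0a49" response="201"
2017-09-13T22:19:00.000000000-03:00 AUDIT: id="00000000-0000-0000-0000-000000000001" ip="192.0.2.10" method="GET" user="constructed-user" groups="\"system:authenticated\"" as="<self>" asgroups="<lookup>" namespace="demo" uri="/api/v1/namespaces/demo/pods"
2017-09-13T22:19:00.100000000-03:00 AUDIT: id="00000000-0000-0000-0000-000000000001" response="403"
'''


def parse_line(line):
    """Return (timestamp, fields) for an AUDIT line, else None."""
    ts, sep, rest = line.partition(" AUDIT: ")
    if not sep:
        return None
    return ts.strip(), {k: v.replace('\\"', '"') for k, v in PAIR.findall(rest)}


def correlate(text):
    """Merge the request line and the response line that share an id."""
    events = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "id" not in parsed[1]:
            continue
        ts, fields = parsed
        event = events.setdefault(fields["id"], {})
        if "response" in fields:
            event["response"] = int(fields["response"])
        else:
            event.update(fields, ts=ts)
    return list(events.values())


def uri_namespace(uri):
    """Namespace named in the request path, or "<none>" if cluster-scoped."""
    match = NS_IN_URI.search(uri)
    return match.group(1) if match else "<none>"


def denied(events):
    """Events whose response code is 403 Forbidden."""
    return [e for e in events if e.get("response") == 403]
```

Running `denied(correlate(...))` over the master's audit file while reproducing the Hawkular 403 shows whether the refusal passes through the API server at all; in the thread's capture the SubjectAccessReview request itself returned 201.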