Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Even if I add the webconsole ServiceAccount to scc anyuid, pod fails to
start

https://gist.github.com/cmoulliard/f05b9bc762cbab9993087b1a44aa1331



On Thu, May 17, 2018 at 7:42 PM, Charles Moulliard 
wrote:

> Do you want me to create a ticket to report the error, which is really
> blocking/critical?
>
> On Thu, May 17, 2018 at 5:20 PM, Charles Moulliard 
> wrote:
>
>> Personally no. FYI, web console was installed using OpenShift ansible
>> playbook
>>
>> On Thu, May 17, 2018, 15:03 Clayton Coleman  wrote:
>>
>>> anyuid is less restrictive than restricted, unless you customized
>>> restricted.  Did you customize restricted?
>>>
>>> On May 17, 2018, at 8:56 AM, Charles Moulliard 
>>> wrote:
>>>
>>> Hi,
>>>
>>> If we scale down/up the Replication Set of the OpenShift Web Console,
>>> then the new pod created will crash and report
>>>
>>> "Error: unable to load server certificate: open
>>> /var/serving-cert/tls.crt: permission denied"
>>>
>>> This problem comes from the fact that when the pod is recreated, then
>>> the scc annotation is set to anyuid instead of restricted and then the pod
>>> can't access the cert
>>>
>>> apiVersion: v1
>>> kind: Pod
>>> metadata:
>>>   annotations:
>>>     openshift.io/scc: anyuid
>>>
>>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>>> resolve it? Otherwise we can't access the Web Console anymore.
>>>
>>> Regards
>>>
>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Do you want me to create a ticket to report the error, which is really
blocking/critical?

On Thu, May 17, 2018 at 5:20 PM, Charles Moulliard 
wrote:

> Personally no. FYI, web console was installed using OpenShift ansible
> playbook
>
> On Thu, May 17, 2018, 15:03 Clayton Coleman  wrote:
>
>> anyuid is less restrictive than restricted, unless you customized
>> restricted.  Did you customize restricted?
>>
>> On May 17, 2018, at 8:56 AM, Charles Moulliard 
>> wrote:
>>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open
>> /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, then the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>>     openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it? Otherwise we can't access the Web Console anymore.
>>
>> Regards
>>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
The trick / solution described there doesn't work. I tried also using the
ansible playbook of OpenShift to remove the project and recreate it and the
pod is always recreated with OpenShift annotation = anyuid

On Thu, May 17, 2018, 15:01 Sam Padgett  wrote:

> Charles, I'd try the steps in
>
> https://access.redhat.com/solutions/3428351
>
> Sam
>
> On Thu, May 17, 2018 at 8:56 AM, Charles Moulliard 
> wrote:
>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open
>> /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, then the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>>     openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it? Otherwise we can't access the Web Console anymore.
>>
>> Regards
>>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Sam Padgett
The file mode is 400, and I think anyuid breaks reading it since the user
changes.

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_web_console/files/console-template.yaml#L90

The console doesn't need anyuid... I'm not sure what's adding it.

Sam

On Thu, May 17, 2018 at 9:03 AM, Clayton Coleman 
wrote:

> anyuid is less restrictive than restricted, unless you customized
> restricted.  Did you customize restricted?
>
> On May 17, 2018, at 8:56 AM, Charles Moulliard 
> wrote:
>
> Hi,
>
> If we scale down/up the Replication Set of the OpenShift Web Console, then
> the new pod created will crash and report
>
> "Error: unable to load server certificate: open /var/serving-cert/tls.crt:
> permission denied"
>
> This problem comes from the fact that when the pod is recreated, then the
> scc annotation is set to anyuid instead of restricted and then the pod
> can't access the cert
>
> apiVersion: v1
> kind: Pod
> metadata:
>   annotations:
>     openshift.io/scc: anyuid
>
> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
> resolve it? Otherwise we can't access the Web Console anymore.
>
> Regards
>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
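
Added example (not part of the thread, and not OpenShift's own code): a small Python check over pod JSON showing why the same pod can read its mode-400 serving cert when admitted under restricted but not under anyuid. It assumes secret files are projected as root-owned and that a pod-level fsGroup adds group read; the pod, volume and secret names and the UID are constructed.

```python
import copy

# Constructed pod, trimmed to the fields the check reads. Only the annotation
# key/value and the 0400 mode come from the thread; names are assumptions.
POD_ANYUID = {
    "metadata": {"name": "webconsole-example",
                 "annotations": {"openshift.io/scc": "anyuid"}},
    "spec": {
        "securityContext": {},  # admitted under anyuid: no fsGroup injected
        "containers": [{"name": "webconsole", "securityContext": {}}],
        "volumes": [{"name": "serving-cert",
                     "secret": {"secretName": "example-serving-cert",
                                "defaultMode": 0o400}}],
    },
}


def as_restricted(pod, uid=1000080000):
    """Same pod as 'restricted' would admit it; the uid/fsGroup value is made up."""
    p = copy.deepcopy(pod)
    p["metadata"]["annotations"]["openshift.io/scc"] = "restricted"
    p["spec"]["securityContext"] = {"fsGroup": uid}
    for c in p["spec"]["containers"]:
        c["securityContext"] = {"runAsUser": uid}
    return p


def unreadable_secret_volumes(pod):
    """Return (volume, container) pairs where the secret files are likely unreadable."""
    pod_sc = pod["spec"].get("securityContext") or {}
    fs_group = pod_sc.get("fsGroup")
    findings = []
    for vol in pod["spec"].get("volumes", []):
        if "secret" not in vol:
            continue
        mode = vol["secret"].get("defaultMode", 0o644)
        if fs_group is not None:
            mode |= 0o040  # assumption: fsGroup ownership adds group read
        for c in pod["spec"]["containers"]:
            c_sc = c.get("securityContext") or {}
            uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
            # uid None means the image's USER decides, so root cannot be assumed.
            owner = uid == 0 and bool(mode & 0o400)
            group = fs_group is not None and bool(mode & 0o040)
            other = bool(mode & 0o004)
            if not (owner or group or other):
                findings.append((vol["name"], c["name"]))
    return findings


if __name__ == "__main__":
    for pod in (POD_ANYUID, as_restricted(POD_ANYUID)):
        scc = pod["metadata"]["annotations"]["openshift.io/scc"]
        print(scc, unreadable_secret_volumes(pod))
```

On a live cluster the input would be the pod's JSON; note that defaultMode appears there in decimal, so mode 0400 shows up as 256.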


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Clayton Coleman
anyuid is less restrictive than restricted, unless you customized
restricted.  Did you customize restricted?

On May 17, 2018, at 8:56 AM, Charles Moulliard  wrote:

Hi,

If we scale down/up the Replication Set of the OpenShift Web Console, then
the new pod created will crash and report

"Error: unable to load server certificate: open /var/serving-cert/tls.crt:
permission denied"

This problem comes from the fact that when the pod is recreated, then the
scc annotation is set to anyuid instead of restricted and then the pod
can't access the cert

apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: anyuid

Has this bug been fixed for OpenShift 3.9? Is there a workaround to resolve
it? Otherwise we can't access the Web Console anymore.

Regards



OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Hi,

If we scale down/up the Replication Set of the OpenShift Web Console, then
the new pod created will crash and report

"Error: unable to load server certificate: open /var/serving-cert/tls.crt:
permission denied"

This problem comes from the fact that when the pod is recreated, then the
scc annotation is set to anyuid instead of restricted and then the pod
can't access the cert

apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: anyuid

Has this bug been fixed for OpenShift 3.9? Is there a workaround to resolve
it? Otherwise we can't access the Web Console anymore.

Regards

CHARLES MOULLIARD

SOFTWARE ENGINEER MANAGER SPRING(BOOT)

Red Hat 

cmoulli...@redhat.comM: +32-473-604014

@cmoulliard 


Re: Origin EOL policy and what does trigger a new minor release

2018-05-17 Thread Daniel Comnea
*PSB*

On Wed, May 16, 2018 at 5:11 PM, Clayton Coleman 
wrote:

> Currently the process is:
>
> 1. critical security vulnerabilities are back ported
> 2. anyone is free to backport a change that is justifiable if you can get
> review and meet the bar for review
>
> 3. anyone who helps backport a change is expected to help keep CI jobs
> working if you see something is broken - right now only a small pool of
> people are doing that so I've been asking folks to chip in and keep the
> jobs up to date if you're going to submit PRs
> 4. all changes should be in master first (we won't backport an issue that
> hasn't merged to upstream kube or to origin master)
>
*[DC]:  Can you please be more specific around "merged to upstream kube" ?
Reason i'm asking is because K8 is always ahead by 1 cycle with Origin and
as such are you saying that upstream kube branch should match with what
origin master code base cycle is - i.e. say currently origin master is
being worked on 1.10 K8 code base and as such upstream kube to "watch" is
1.10 branch ? *

>
> I cut releases on critical issues and otherwise the tag is just rolling
> (if you merge to release-3.7 the change will show up).
>
>
> On Wed, May 16, 2018 at 11:07 AM, Daniel Comnea 
> wrote:
>
>> Hi,
>>
>> I'm sending out this email to understand what is the Origin EOL policy
>> and also understand / start a conversation around what is considered
>> critical bug which does trigger a new Origin minor release.
>>
>>
>> The rationale started from [1] where after i migrated all my internal prod
>> environments from 1.5.1 to 3.7.0 but due to bug [2] was fixed in [3] i had
>> to move to 3.7.2 (picked latest minor due to CVEs too).
>>
>> Now after going to all that long/ painful (due to extensive maintenance
>> window and few disruptions at apps level) upgrade process, i then got hit
>> by [1] and as it stands today don't have many options on the table except
>> forking and trying to back port the patch myself.
>>
>>
>> It will be naive to think that Origin will get all/ majority of the OCP
>> bug fixes however i do expect to have a gate or a transparent/known
>> (public) process which defines what critical bug is (same in how you might
>> have for OCP) such that a new Origin can be triggered.
>>
>>
>> Cheers,
>> Dani
>>
>> [1] https://github.com/openshift/origin/issues/19138
>> [2] https://github.com/openshift/origin/pull/17620
>> [3] https://github.com/openshift/origin/releases/tag/v3.7.1
>>
>>


Re: CentOS PaaS SIG meeting (2018-05-16)

2018-05-17 Thread Daniel Comnea
No biggie Ricardo, thank you !

On Wed, May 16, 2018 at 7:19 PM, Ricardo Martinelli de Oliveira <
rmart...@redhat.com> wrote:

> You are right, Daniel. My apologies for that.
>
> The subject is correct, but the body is not. I will pay more attention for
> the next meetings.
>
> On Wed, May 16, 2018 at 12:38 PM, Daniel Comnea 
> wrote:
>
>> Ricardo,
>>
>> The email's subject is wrong ;) the meeting for today hasn't started yet.
>> I suspect the email's subject should have been dated for May 2nd but that
>> was sent out so maybe it was sent too early ;)
>>
>>
>> Dani
>>
>> On Wed, May 16, 2018 at 4:16 PM, Ricardo Martinelli de Oliveira <
>> rmart...@redhat.com> wrote:
>>
>>> Hello,
>>> It's time for our weekly PaaS SIG sync-up meeting
>>>
>>> Time: 1700 UTC - Wednesdays (date -d "1700 UTC")
>>> Date: Today Wednesday, 02 May 2018
>>> Where: IRC- Freenode - #centos-devel
>>>
>>> Agenda:
>>> - OpenShift Current Status
>>> -- rpms
>>> -- automation
>>> - Open Floor
>>>
>>> Minutes from last meeting:
>>> https://www.centos.org/minutes/2018/May/centos-devel.2018-05-02-17.01.log.html
>>>
>>> --
>>> Ricardo Martinelli de Oliveira
>>> Senior Software Engineer
>>> T: +55 11 3524-6125 | M: +55 11 9 7069-6531
>>> Av. Brigadeiro Faria Lima 3900, 8° Andar. São Paulo, Brasil
>>>
>>> Red Hat is recognized among the best companies to work for in Brazil by
>>> *Great Place to Work*.
>>>
>>
>