Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Lionel Orellana
Thanks Ben, that makes sense.  How do I add remote CAs to the registry
though?

On 17 November 2017 at 15:08, Ben Parees  wrote:

> The registry CAs are distinct from the image import controller CA. They
> are two different processes running in two different environments.
>
>
> Ben Parees | OpenShift
>
> On Nov 16, 2017 10:58 PM, "Lionel Orellana"  wrote:
>
>> Looking at the registry logs, it's not happy with the remote registry
>> cert.
>>
>> time="2017-11-17T03:53:46.591715267Z" level=error msg="response
>> completed with error" err.code="manifest unknown" err.detail=" x509:
>> certificate signed by unknown authority"
>>
>> Given that oc import-image works I was expecting the registry to trust
>> the same CAs.
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
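
Added example (not from the original thread or from OpenShift): the registry log line quoted in this thread reports err.code="manifest unknown" while err.detail carries the actual cause, an x509 trust failure during pullthrough. The Python sketch below parses such logfmt lines and separates the two cases; the first sample line is the one from the thread, the other two are constructed.

```python
import re
from collections import Counter

# key=value pairs where the value is either "double quoted" or a bare token.
_PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_logfmt(line):
    """Parse one logfmt line into a dict of field name -> value."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def triage(line):
    """Return (cause, detail) for a 'manifest unknown' error, else None."""
    fields = parse_logfmt(line)
    if fields.get("level") != "error":
        return None
    if fields.get("err.code") != "manifest unknown":
        return None
    detail = fields.get("err.detail", "").strip()
    # The error code alone hides TLS trust problems; the detail field
    # is what distinguishes them from a genuinely missing manifest.
    if "x509:" in detail:
        return ("tls-trust", detail)
    return ("manifest-missing", detail)


def summarize(lines):
    """Count causes across many log lines."""
    return Counter(r[0] for r in map(triage, lines) if r)


SAMPLE_LINES = [
    # From the thread (re-joined onto one line).
    'time="2017-11-17T03:53:46.591715267Z" level=error '
    'msg="response completed with error" err.code="manifest unknown" '
    'err.detail=" x509: certificate signed by unknown authority"',
    # Constructed: same error code, no TLS problem in the detail.
    'time="2017-11-17T03:54:01.000000000Z" level=error '
    'msg="response completed with error" err.code="manifest unknown" '
    'err.detail="constructed detail: tag=latest not found"',
    # Constructed: a successful request.
    'time="2017-11-17T03:54:02.000000000Z" level=info '
    'msg="response completed"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
    print(dict(summarize(SAMPLE_LINES)))
```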


Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Ben Parees
The registry CAs are distinct from the image import controller CA. They are
two different processes running in two different environments.


Ben Parees | OpenShift

On Nov 16, 2017 10:58 PM, "Lionel Orellana"  wrote:

> Looking at the registry logs, it's not happy with the remote registry cert.
>
> time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed
> with error" err.code="manifest unknown" err.detail=" x509: certificate
> signed by unknown authority"
>
> Given that oc import-image works I was expecting the registry to trust the
> same CAs.


Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Lionel Orellana
Looking at the registry logs, it's not happy with the remote registry cert.

time="2017-11-17T03:53:46.591715267Z" level=error msg="response completed
with error" err.code="manifest unknown" err.detail=" x509: certificate
signed by unknown authority"

Given that oc import-image works I was expecting the registry to trust the
same CAs.



Re: OpenShift Docker build strategy using Dockerfiles & MongoDB Database creation

2017-11-16 Thread Ben Parees
On Wed, Nov 15, 2017 at 6:34 PM, Tien Hung Nguyen 
wrote:

> Hi Ben,
>
> sorry, of course I meant the BuildConfig and yes, I have read your
> documentation but it didn't help me to solve my problem since I'm still
> getting errors.
>
> I have specified the following in my template file:
>
> source:
>   contextDir: api
>   git:
>     ref: ${GIT_REF}
>     uri: ${GIT_URI}
>   type: Git
> strategy:
>   type: Docker
>   dockerStrategy:
>     dockerfilePath: docker/Dockerfile
>
>
> & this as the dockerfile (api):
>
> FROM docker.io/openjdk:8-jre
>
> MAINTAINER hygi...@capitalone.com
>
>
> ENV SPRING_DATA_MONGODB_DATABASE=dashboard
> ENV SPRING_DATA_MONGODB_HOST=hygieia-mongodb
> ENV SPRING_DATA_MONGODB_PORT=27017
> ENV SPRING_DATA_MONGODB_USERNAME=dashboarduser
> ENV SPRING_DATA_MONGODB_PASSWORD=dbpassword
> ENV AUTH_EXPIRATION_TIME=720
> ENV jasypt.encryptor.password=hygieiasecret
> ENV AUTH_SECRET=hygieiasecret
>
> RUN \
> mkdir /hygieia
>
> COPY *.jar /hygieia
> COPY properties-builder.sh /hygieia/
>
> WORKDIR /hygieia
>
> VOLUME ["/hygieia/logs"]
>
> EXPOSE 8080
> CMD ./properties-builder.sh &&\
>   java -Djava.security.egd=file:/dev/./urandom -jar api.jar --spring.config.location=/hygieia/dashboard.properties
>
>
> But it says that it can't find my source file in the copy step, which
> leads to an error in the build step.
>
> Note: My api.jar file and the properties-builder.sh file are located in
> the api/docker directory (same directory as the Dockerfile specified in the
> .yaml template file).
>

Then you need to specify "api/docker/*.jar" in your dockerfile, or use a
contextdir.

And reread the build docs.  Specifically the section on how build inputs
are handled and the working directory constructed:
https://docs.openshift.org/latest/dev_guide/builds/build_inputs.html#how-build-inputs-work



>
> Then, I have tried Type: Binary as source for the build config and used
> the build strategy Docker:
> source:
>   from-repo: ${GIT_URI}
>   contextDir: api
>   type: Binary
> strategy:
>   type: Docker
>   dockerStrategy:
>     dockerfilePath: docker/Dockerfile
>
> But this didn't work either. Please, could you tell me which source and
> build strategy is correct in order to execute the build with my existing
> dockerfile?
>
> Furthermore, regarding the aforementioned MongoDB question, I have found
> the Coolstore Microservice example from Red Hat:
>
> strategy:
>   recreateParams:
>     post:
>       execNewPod:
>         command:
>         - /bin/sh
>         - -i
>         - -c
>         - env && while ! mongo ${RATING_MONGODB_SERVICE_HOST}:27017/$MONGODB_DATABASE -u $MONGODB_USER -p $MONGODB_PASSWORD --eval="$MONGODB_INIT" > /dev/null 2>&1; do echo "waiting for mongo ..."; sleep 5; done
>         containerName: rating-mongodb
>         env:
>         - name: MONGODB_INIT
>           value: db.ratings.insert({"_id":"329299","itemId":"329299","rating":5.0,"count":1});
>             db.ratings.insert({"_id":"329199","itemId":"329199","rating":1.0,"count":12});
>             db.ratings.insert({"_id":"165613","itemId":"165613","rating":2.3,"count":31});
>             db.ratings.insert({"_id":"165614","itemId":"165614","rating":3.0,"count":51});
>             db.ratings.insert({"_id":"165954","itemId":"165954","rating":4.0,"count":66});
>             db.ratings.insert({"_id":"34","itemId":"34","rating":5.0,"count":76});
>             db.ratings.insert({"_id":"35","itemId":"35","rating":4.0,"count":83});
>             db.ratings.insert({"_id":"36","itemId":"36","rating":3.0,"count":123});
>
> I tried to adapt this example for my own project, however, it doesn't
> work. It seems that I'm providing a wrong SERVICE_HOST, which might be the
> reason why I can't connect to the mongodb host. It stays in the while loop
> with the message "waiting for mongo...".  Could you tell me, what is the
> ${RATING_MONGODB_SERVICE_HOST} and where can I find the appropriate
> name/variable of my own project? And what are the meanings of the options
> "-i -c" in this case? I can't find the documentation regarding this to
> better understand the Coolstore Microservice example.
>


RATING_MONGODB_SERVICE_HOST will be automatically injected into your pods
when your project contains a service named "rating-mongodb".  The cool
store sample creates such a service; presumably you have deleted it in your
modifications:
https://github.com/jbossdemocentral/coolstore-microservice/blob/1.1.x/openshift/coolstore-template.yaml#L889-L894



>
>
> 2017-11-14 21:46 GMT+01:00 Ben Parees :
>
>>
>>
>> On Tue, Nov 14, 2017 at 3:11 PM, Tien Hung Nguyen <
>> tienhng.ngu...@gmail.com> wrote:
>>
>>> Hello everybody,
>>>
>>> I'm new to OpenShift Origin and I have a few questions:
>>>
>>> My goal is to run an existing DevOps Dashboard Project on OpenShift
>>> Origin. The project already works on Docker (with Docker-compose.yaml
>>> and Dockerfile), consisting of the following 3 containers:
>>> 1. MongoDB
>>> 2. API
>>> 3. UI
>>>
>>> In the Dockerfile of the API project I have the following commands:
>>>
>>> FROM docker.io/openjdk:8-jre
>>>
>>> MAINTAINER 

Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Ben Parees
On Thu, Nov 16, 2017 at 7:57 PM, Lionel Orellana  wrote:

> Is pullthrough enabled on your registry?
>
>
> Yes.
>
> "When performing pullthrough, the registry will use pull credentials found
>> in the project associated with the image stream tag that is being
>> referenced"
>>
>
>
> I'm deploying in the same project where the image stream is. I have
> a dockercfg secret in the project with credentials for the remote registry.
> I linked that secret to the deployment as pull secret. It works when
> remotePolicy is Source so I know the credentials are Ok. But how does the
> registry find the pull credentials to use? I assume it looks for the server
> name in the dockercfg secret?
>

yes.



-- 
Ben Parees | OpenShift
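
Added example, not part of the original message and not OpenShift's own code: a Python sketch of matching an image reference against the server names in a dockercfg-style secret, the lookup confirmed in the reply above. The normalization rules, host names and secret contents are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import urlparse


def registry_host(image_ref):
    """Return the registry host[:port] of an image reference."""
    first, slash, _ = image_ref.partition("/")
    # Docker convention: the first path component names a registry only
    # if it looks like a host (contains a dot or a port) or is localhost.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def normalize_server(key):
    """Reduce a secret key (bare host or full URL) to host[:port]."""
    parsed = urlparse(key if "://" in key else "//" + key)
    return parsed.netloc.lower()


def load_auths(secret_json):
    """Accept both the flat .dockercfg layout and {"auths": {...}}."""
    doc = json.loads(secret_json)
    auths = doc.get("auths")
    return auths if isinstance(auths, dict) else doc


def find_credentials(secret_json, image_ref):
    """Return (matching server key, username) or None if nothing matches."""
    wanted = registry_host(image_ref)
    for server, entry in load_auths(secret_json).items():
        if normalize_server(server) != wanted:
            continue
        user = entry.get("username")
        if user is None and "auth" in entry:
            # "auth" is base64("username:password").
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return server, user
    return None


# Constructed secret: hosts, user names and passwords are placeholders.
SAMPLE_SECRET = json.dumps({
    "auths": {
        "https://registry.example.com:5000": {
            "auth": base64.b64encode(b"puller:constructed-password").decode()
        },
        "other.example.org": {"username": "ci", "password": "constructed"},
    }
})

if __name__ == "__main__":
    for ref in (
        "registry.example.com:5000/team/app:1.0",  # matches the first entry
        "registry.example.com/team/app:1.0",       # port differs: no match
        "openjdk:8-jre",                           # implicit docker.io
    ):
        print(ref, "->", find_credentials(SAMPLE_SECRET, ref))
```

A secret keyed by a server name that differs from the one in the image reference (here, a missing port) yields no credentials, so the pull is attempted unauthenticated.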


Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Lionel Orellana
>
> Is pullthrough enabled on your registry?


Yes.

"When performing pullthrough, the registry will use pull credentials found
> in the project associated with the image stream tag that is being
> referenced"
>


I'm deploying in the same project where the image stream is. I have
a dockercfg secret in the project with credentials for the remote registry.
I linked that secret to the deployment as pull secret. It works when
remotePolicy is Source so I know the credentials are Ok. But how does the
registry find the pull credentials to use? I assume it looks for the server
name in the dockercfg secret?




Re: Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Ben Parees
On Thu, Nov 16, 2017 at 5:36 PM, Lionel Orellana  wrote:

> Hi,
>
> I imported a remote image and set referencePolicy.type to Local in the
> resulting tag. When I try to deploy a pod using this image stream tag I
> get "rpc error: code = 2 desc = manifest unknown: manifest unknown".
>
> If I change the referencePolicy type to Source then the pod pulls the
> image fine from the remote registry. But this requires linking a pull
> secret to the deployment which is an extra step I could do without. I
> thought I would get around that by referencing the Local image.
>
> How do I pull the remote image when referencePolicy is Local?
>


Is pullthrough enabled on your registry?
https://docs.openshift.org/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough

also:
"When performing pullthrough, the registry will use pull credentials found
in the project associated with the image stream tag that is being
referenced. "

So if your imagestream is in a different project, you need to make sure the
credentials are in the right place.


> Thanks


-- 
Ben Parees | OpenShift


Remote image with referencePolicy.type=Local -> manifest unknown

2017-11-16 Thread Lionel Orellana
Hi,

I imported a remote image and set referencePolicy.type to Local in the
resulting tag. When I try to deploy a pod using this image stream tag I
get "rpc error: code = 2 desc = manifest unknown: manifest unknown".

If I change the referencePolicy type to Source then the pod pulls the image
fine from the remote registry. But this requires linking a pull secret to
the deployment which is an extra step I could do without. I thought I would
get around that by referencing the Local image.

How do I pull the remote image when referencePolicy is Local?

Thanks


Re: Old JBoss AS 7.1.1 Java 7 container hangs

2017-11-16 Thread zemiak
Hello,

we are running Payara (a GlassFish derivative) and we had to make some changes.
It is related to the fact that Payara is not running under a normal user,
but under some artificial user.
Of course, there are probably differences between Payara/GlassFish and
JBoss, but it will give you at least an idea where to start.
We have this in our Dockerfile:

ENV HOME=/home/glassfish \
    _JAVA_OPTIONS=-Duser.home=/home/glassfish

RUN set -x \
  && mkdir -p ${HOME} \
  && cp -ax /root/.gfclient ${HOME}/ \
  && chgrp -R 0 /opt/glassfish /etc/glassfish ${HOME} /opt/payara41/glassfish \
  && chmod -R g+rw /opt/glassfish /etc/glassfish ${HOME} /opt/payara41/glassfish/

Miro


Old JBoss AS 7.1.1 Java 7 container hangs

2017-11-16 Thread Joel Pearson
Hi,

I’m trying to get an existing docker container that has Oracle Java 7 and
JBoss AS 7.1.1 running in OpenShift 3.6.

However, when JBoss tries to start the JVM it hangs with no output. In a
terminal we’ve tried running the same Java command that standalone.sh runs,
and it hangs the same way. However, outside the OpenShift context, in raw
Docker, it’s fine. Normally I’d expect an error message or something, but
just hanging is strange.

Any ideas? I’m starting to wonder if I need to use strace or something like
that.

Thanks,

Joel


Force external image sync

2017-11-16 Thread Lionel Orellana
Hi,

I imported an image from an external private registry and set
importPolicy.scheduled on the resulting image stream tag to true. It
works nicely but it can take quite a few minutes for changes on the
external tag to be sync'ed back.

Is there an oc command to force the sync?

Thanks

Lionel.


Re: Dynamic storage - openshift origin 3.6 with AWS as cloudprovider

2017-11-16 Thread Md Faizan Ali
No, I did not hardcode credentials. I should have probably used IAM role
for it when I was setting the cluster up. I will look into this by looking
at the plays and try and understand why credentials were missing from the
file. However, I hardcoded credentials in the controller file and restarted
controller, worked absolutely fine. Thank you!

On Wed, Nov 15, 2017 at 9:01 PM, Hemant Kumar  wrote:

> Have you tried hardcoding key and secret in inventory file rather than
> having it look up from environment variable?
>
> On Wed, Nov 15, 2017 at 10:20 AM, Md Faizan Ali 
> wrote:
>
>> Thanks for pointing it out.
>>
>> So in the file:
>>
>> $> cat origin-master-controllers
>> OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8444
>> CONFIG_FILE=/etc/origin/master/master-config.yaml
>> OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
>>
>> AWS_ACCESS_KEY_ID=
>> AWS_SECRET_ACCESS_KEY=
>>
>> # Proxy configuration
>> # See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy
>>
>> Is my understanding incorrect that during install, if I provided
>> key/secret key as environment variables, those values will not be captured
>> here? Do I need to hardcode the key/secretkey here and restart master
>> service?
>>
>>
>>
>> On Wed, Nov 15, 2017 at 8:11 PM, Hemant Kumar  wrote:
>>
>>> The AWS access key and secret key should be accessible to openshift
>>> controller manager [usually] via environment variables. Can you double
>>> check if - /etc/sysconfig/atomic-openshift-* has those keys and secrets
>>> listed?
>>>
>>> If inventory and openshift-ansible had access to those keys during
>>> cluster creation then those keys should be correctly placed in
>>> /etc/sysconfig/atomic-openshift-* files.
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Nov 15, 2017 at 9:17 AM, Md Faizan Ali 
>>> wrote:
>>>
>>>> I am running openshift origin 3.6 (kube v1.6.1+5115d708d7) in AWS.
>>>> Ansible inventory contains cloud provider configuration and I can see the
>>>> config files on the master nodes.
>>>>
>>>> # From inventory
>>>>    # AWS
>>>>    openshift_cloudprovider_kind=aws
>>>>    openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
>>>>    openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
>>>>
>>>> I have also provisioned a storageclass
>>>>
>>>>    # oc get storageclass
>>>>    NAME             TYPE
>>>>    fast (default)   kubernetes.io/aws-ebs
>>>>
>>>> However, when I try to create a pvc:
>>>>
>>>> kind: "PersistentVolumeClaim"
>>>> apiVersion: "v1"
>>>> metadata:
>>>>   name: "testclaim"
>>>>   namespace: testns
>>>> spec:
>>>>   accessModes:
>>>>     - "ReadWriteOnce"
>>>>   resources:
>>>>     requests:
>>>>       storage: "3Gi"
>>>>   storageClassName: fast
>>>>
>>>> It just goes in infinite loop trying to get the pvc created. Events
>>>> show me this error:
>>>>
>>>>    (combined from similar events): Failed to provision volume
>>>>    with StorageClass "fast": UnauthorizedOperation: You are not authorized to
>>>>    perform this operation. Encoded authorization failure message:
>>>>    $(encoded-message) status code: 403, request id:
>>>>    d0742e84-a2e1-4bfd-b642-c6f1a61ddc1b
>>>>
>>>> Unfortunately I cannot decode the encoded message using aws cli as it
>>>> gives error.
>>>>
>>>>    aws sts decode-authorization-message -–encoded-message $(encoded-message)
>>>>    Error: UnicodeWarning: Unicode equal comparison failed to
>>>>    convert both arguments to Unicode - interpreting them as being unequal
>>>>
>>>> I have now also tried pv+pvc and using that in a pod. Everything gets
>>>> created and I can see the claim. However when I try to mount it, I see
>>>> similar errors with permission denied. Any pointers please.
>>>>
>>>> So far I have been able to deploy pods, services etc and they seem to
>>>> be working fine.



>>>
>>
>
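
Added example, not from the thread or from openshift-ansible: a Python check for the controller sysconfig file discussed above (origin-master-controllers, or the /etc/sysconfig/atomic-openshift-* files), reporting empty AWS keys and, once keys are hardcoded there, a file mode that lets group or other users read them. The key values in the second sample are constructed placeholders, and treating any group/other permission bit as a finding is a policy assumption.

```python
import os
import stat

SECRET_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def parse_sysconfig(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, eq, value = line.partition("=")
        if eq:
            values[key.strip()] = value.strip().strip("\"'")
    return values


def audit(text, mode):
    """Return a list of findings for file content and permission bits."""
    values = parse_sysconfig(text)
    findings = [
        f"{key} is missing or empty"
        for key in SECRET_KEYS
        if not values.get(key)
    ]
    has_secret = any(values.get(key) for key in SECRET_KEYS)
    if has_secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes credentials to group/other")
    return findings


def audit_file(path):
    """Audit a file on disk using its real permission bits."""
    with open(path) as fh:
        text = fh.read()
    return audit(text, stat.S_IMODE(os.stat(path).st_mode))


# File content as posted in the thread: both AWS values are empty.
AS_POSTED = """\
OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=

# Proxy configuration
"""

# Constructed: the same file after hardcoding placeholder credentials.
WITH_KEYS = AS_POSTED.replace(
    "AWS_ACCESS_KEY_ID=", "AWS_ACCESS_KEY_ID=EXAMPLE-KEY-ID"
).replace(
    "AWS_SECRET_ACCESS_KEY=", "AWS_SECRET_ACCESS_KEY=EXAMPLE-SECRET"
)

if __name__ == "__main__":
    print(audit(AS_POSTED, 0o644))
    print(audit(WITH_KEYS, 0o644))
    print(audit(WITH_KEYS, 0o600))
```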