Router

Quick question Is it possible to expose different routers for different routes on same project? One approach is create different projects but we have a use case where we want to expose different routers for different routers. We knew there is a namespace label on every project and all the

controller -> api talk

Is controller talk to API server using hostname: port or LB VIP? We have 3 node master setup and API servers LB with VIP. Trying to understand whether controller use direct path to talk to API servers or go via VIP like how other clients access -- Srinivas Kotaru

Time zone in deployment/POD

Hi How to set rightway timezone info in containers/POD? Hypervisors and VM’s using GMT time zone. However it was observed image build node time zone is taking into account, rather where the container has been running. Is it true image build host timezone always embedded as TZ inside container?

Re: quota question

018 at 8:14 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Want to validate a statement. Just assume, we have a only one node with 60 GB memory. Pod A scheduled with request of 10 GB and no limit. After some time, it start using 55 GB ( ignore s

quota question

Want to validate a statement. Just assume, we have a only one node with 60 GB memory. Pod A scheduled with request of 10 GB and no limit. After some time, it start using 55 GB ( ignore systems reserves for now). system now has only left with 5 GB free. If new podB scheduled with request of

CAP_LINUX_IMMUTABLE

Is it possible to use CAP_LINUX_IMMUTABLE security context with restricted SCC? One of our client want to use chattr +a /tmp/logs/*.log command in pod. We don’t want to relax or give privileged SCC for any clients. Wondering whether any way they can use this command inside pod directly or

Re: Configuring Private DNS Zones and Upstream Nameservers in Openshift

til 3.9. We also want to move to coredns, but that could take longer. On Feb 15, 2018, at 6:26 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Is it possible like described in kubernetes? http://blog.kubernetes.io/2017/04/configuring-pr

Re: Leader election in Kubernetes control plane

article. Regards, Takayoshi On Wed, 21 Feb 2018 14:37:32 +0900, "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com> wrote: > > It has just client-ca-file. We have 3 masters in each cluster. not sure how to identify which control manager is act

Re: Leader election in Kubernetes control plane

r that. On Feb 15, 2018, at 2:48 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: while I was reading below article, I tried to do the same to find out which one is active control plane in Openshift. I could see zero end points in kube-system name

Configuring Private DNS Zones and Upstream Nameservers in Openshift

Is it possible like described in kubernetes? http://blog.kubernetes.io/2017/04/configuring-private-dns-zones-upstream-nameservers-kubernetes.html We have few clients where they configured their own consul based DNS server and not suing service discovery provided by Openshift. We build a custom

Leader election in Kubernetes control plane

while I was reading below article, I tried to do the same to find out which one is active control plane in Openshift. I could see zero end points in kube-system name space. Am I missing something or not implemented in Openshift?

PTR record for POD

HI Is it possible to get POD name given POD IP address by querying master DNS server? Service lookup working: dig +short @master kubernetes.default.svc.cluster.local 172.24.0.1 PTR lookup not working: $ dig -x @master 172.24.0.1 +short 172.24.0.1 -- Srinivas Kotaru

jolokia REST API

Hi Is there any way we can collect metrics using Jolokia REST API end point? I knew Openshift using jolokia for Java apps. I’m not sure this is only for Redhat supplied images or in genera. Am trying to collect metrics using InfluxDB/telegraf agent from Jolokia REST API. -- Srinivas Kotaru

Prometheus Vs raw metrics

Hi What is the difference of running a dedicated Prometheus server Vs using metrics exposed by oc get –raw metrics? If both are same in terms of accuracy, available information, does it make sense to run again another Prometheus server and pull cluster metrics? Am trying to setup some metrics

Re: Usage is more then Limits

Can someone comment on this? -- Srinivas Kotaru From: Srinivas Naga Kotaru Date: Wednesday, May 10, 2017 at 12:25 PM To: dev Subject: Usage is more then Limits Hi Is it possible Usage is more than Limits? Observed some nodes has more Usage

Usage is more then Limits

Hi Is it possible Usage is more than Limits? Observed some nodes has more Usage then allowed Limits in our cluster. We have a Quota’s implemented, LimitRagen enabled per project (Defaults Limits and Requests) and Cluster overcommit % specified (10 % CPU Limits and 25 % Memory Limits as

arp table increase

Hi We had an issue where one client joining consul agents from different projects to central project where they kept all servers. All agents using local service account but using end points approach to connect to remote consul server. Remote consul service has ingress IP attached. Flow:

Re: List routes from Routershards

n guarantee something stable anytime soon. On Apr 4, 2017, at 9:04 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Is anyway we can list all the routes created from a specific router shard? We have multiple router shards configured and want to che

List routes from Routershards

Is anyway we can list all the routes created from a specific router shard? We have multiple router shards configured and want to check or list routes from a specific shard? -- Srinivas Kotaru ___ dev mailing list dev@lists.openshift.redhat.com

Re: PV/PVC storage use tracking

We using 3.4, that is latest stable. -- Srinivas Kotaru On 3/31/17, 10:39 AM, "Matt Wringe" <mwri...@redhat.com> wrote: - Original Message ----- > From: "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com> > To: "Patrick Tescher"

Re: PV/PVC storage use tracking

node. Lastly if you want to be able to display the stats generated by Heapster or Hawkular Openshift Agent you can set up https://github.com/hawkular/hawkular-grafana-datasource. -- Patrick Tescher On Mar 29, 2017, at 10:05 AM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:sk

Re: PV/PVC storage use tracking

he stats generated by Heapster or Hawkular Openshift Agent you can set up https://github.com/hawkular/hawkular-grafana-datasource. -- Patrick Tescher On Mar 29, 2017, at 10:05 AM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Does Openshift has any mecha

Re: projects join

ot...@cisco.com> Cc: dev <dev@lists.openshift.redhat.com> Subject: Re: projects join Not at my laptop but should be an annotation on the project/namespace On Mar 29, 2017, at 12:28 AM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Is th

PV/PVC storage use tracking

Does Openshift has any mechanism to track PV/PVC usage? PV/PVC are getting filled but there is no mechanism for us or our clients to track what is current utilization? One way to check is , platform teams or clients has to check usage by mounting the PV somewhere and check by using OS commands

projects join

Is there anyway or how to find out 2 projects are joined together? I joined few projects for inter project communication but didn’t find any way to check the status. # oadm pod-network join-projects --to= -- Srinivas Kotaru ___ dev mailing list

Re: metrics

hu, Feb 23, 2017 at 5:31 PM, Clayton Coleman <ccole...@redhat.com<mailto:ccole...@redhat.com>> wrote: Yes, the apiserver, the controllers, and the nodes all expose metrics on their serving port. The controllers listen on localhost only today. You can view the api server metric

Re: metrics

their serving port. The controllers listen on localhost only today. You can view the api server metrics as a suitably privileged user with "oc get --raw /metrics", or use the appropriate credentials (treat it as an API call for the purpose of auth

Re: metrics

dentials (treat it as an API call for the purpose of authentication). On Thu, Feb 23, 2017 at 4:53 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Does API server expose any metrics like https://apiserver/metrics or any other form? -- Srinivas Kotaru __

metrics

Does API server expose any metrics like https://apiserver/metrics or any other form? -- Srinivas Kotaru ___ dev mailing list dev@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/dev

Docker Errors

We are seeing below 3 symptoms very frequently in our platform. Any idea or thoughts why they occurring? Issue 1: Feb 14 03:38:55 cae-ga2-004 systemd[1]: Starting Docker Application Container Engine... Feb 14 03:38:55 cae-ga2-004 docker-current[115776]: time="2017-02-14T03:38:55.028792370Z"

Re: API health or status page

hen create the custom role: oc create -f myrole.yaml And grant it to anonymous users: oadm policy add-cluster-role-to-group my-role-name system:unauthenticated On Thu, Feb 9, 2017 at 5:18 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: That is inte

Re: API health or status page

Gravidade On Thu, Feb 9, 2017 at 8:30 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Perfect. Thank you very much Jordan. Appreciated for quick help -- Srinivas Kotaru From: Jordan Liggitt <jligg...@redhat.com<mailto:jligg...@redhat.com&

Re: API health or status page

anonymous users: oadm policy add-cluster-role-to-group my-role-name system:unauthenticated On Thu, Feb 9, 2017 at 5:18 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: That is interesting, indeed what I want. Can you share step by st

API health or status page

Can I use any API call without authentication? I need an API URL to put into my monitoring agent to periodically check health. All most all API calls need token or authentication. Although I can use a service account and use secret as a token since it doesn’t expire, am looking for a simple

Re: Network manager

/etcc/dnsmasq/*.conf file. -- Srinivas Kotaru On 2/3/17, 9:02 AM, "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com> wrote: That is exactly my next question. If we have an automated process to update /etc/resolve.conf file, can’t we also update dnsmasq file and eliminat

Re: Network manager

-- Srinivas Kotaru On 2/3/17, 9:02 AM, "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com> wrote: That is exactly my next question. If we have an automated process to update /etc/resolve.conf file, can’t we also update dnsmasq file and eliminate networkm

Network manager

NetworkManager is mandatory requirement for OCP install and functionality?? Can we use traditional network service rather network manager?? Srinivas Kotaru Sent from my iPhone ___ dev mailing list dev@lists.openshift.redhat.com

Re: service discover - always confuse

cole...@redhat.com<mailto:ccole...@redhat.com>> wrote: On Jan 30, 2017, at 1:51 AM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Hi Observed 2 different behaviors in my platform. not sure this is expected behavior or not. Can you cla

service discover - always confuse

Hi Observed 2 different behaviors in my platform. not sure this is expected behavior or not. Can you clarify for below behaviors? 1. Name resolution not working for external domains although ping and curl commands working as expected Examples: # oc rsh kong-app3-792309857-1i4xk #

cluster health metrics or API end points

We want to measure the health of OpenShift cluster from all possible ways and report status back to clients in a single simple page. I have few things in mind Health of: · API servers · etcd servers · nodes (kubectl??) · SDN · PV’s · Routers

Re: storage labels

Friday, January 13, 2017 at 12:17 PM To: Srinivas Naga Kotaru <skot...@cisco.com> Cc: Nakayama Kenjiro <nakayamakenj...@gmail.com>, dev <dev@lists.openshift.redhat.com> Subject: Re: storage labels On Fri, Jan 13, 2017 at 2:05 PM, Srinivas Naga Kotaru (skotaru) <sk

Re: storage labels

:59 AM To: Srinivas Naga Kotaru <skot...@cisco.com> Cc: Nakayama Kenjiro <nakayamakenj...@gmail.com>, dev <dev@lists.openshift.redhat.com> Subject: Re: storage labels On Fri, Jan 13, 2017 at 12:59 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com

Re: storage labels

X: Y PVC: matchLabels: A: B X: Y OK === PV: labels: A: B X: Y PVC: matchLabels: A: B NG === PV: labels: A: B PVC: matchLabels: A: B X: Y Regards, Kenjiro On Fri, Jan 13, 2017 at 6:47 AM, Srinivas Naga Kota

Re: storage labels

How to represent TB storage in PV? Is it Ti , similar to Gi? -- Srinivas Kotaru From: on behalf of Srinivas Naga Kotaru Date: Wednesday, January 11, 2017 at 11:33 AM To: dev Subject: storage labels Hi

Re: Binding Persistent Volumes by Labels

by a quota. The corresponding PR with a sample configuration is here (its work-in-progress): https://github.com/kubernetes/kubernetes/pull/36765 Thanks, Derek On Wed, Jan 4, 2017 at 2:03 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Clayton I saw the

Re: Binding Persistent Volumes by Labels

lasses up front in the quota. A whitelist approach is coming later (where adding new storage classes would not require you to change everyone's quota for that new type to be zero) On Wed, Jan 4, 2017 at 1:35 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>>

Binding Persistent Volumes by Labels

Can we control storage at project level, similar to node selector for POD’s scheduling? Use case I have is, want to control different type of storage (NFS, SSD etc) at project creation time? like project A can have only NFS type storage, Project B can have SSD only, project C can have access

Re: ingress firewall

freedom/choices/possibilities of IaaS layer in container platrorm without having any limitations. To achive this, network is very foundational and critical. -- Srinivas Kotaru On 12/14/16, 10:48 AM, "Dan Winship" <d...@redhat.com> wrote: On 12/14/2016 01:03 PM, Srin

ingress firewall

Hi Does ingress support firewall? We have a use case where tenant have multiple projects for services segmentation purpose and need ports other 80/433. We are planning to use ingress and egress features to allocated pool of IP address to use. Client has strict requirements of controlling

Re: web socket support

allows Connection: Upgrade headers seamlessly. Connection timeouts on the router matter, of course. The router documentation briefly describes it, mostly because it just works. On Dec 6, 2016, at 6:51 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>&g

web socket support

What is OpenShift strategy or plans to support web socket support at router layer? Our clients asking web socket support since Openshift 2 days onwards. I knew Openshift 2 has limited apache based node proxy but that is not a full web socket support. Would like to hear from your for OpenShift

feedback

we are continuously hearing 2 complaints from our users not much verbose info to troubleshott/narrow down 2 commonf failures . 1. Pod unable to come up. Why it failed, what caused? 2. Deployment failure. Why it failed ? what is the reason? Most clints using console,

Re: cluster wide service acount

ovide a way to log in with a service account token. On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Jordan That helps. Thanks for quick help. Can we use this sa account to login into console and OC clinet? If yes how? I knew S

Re: cluster wide service acount

uster-role-to-user cluster-reader system:serviceaccount:openshift-infra:monitor-service-account On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: I knew we can create a service account per project and can be use

cluster wide service acount

I knew we can create a service account per project and can be used as a password less API work and automations activities. Can we create a service account at cluster level and can be used for platform operations (monitoring, automation, shared account for operation teams)? Intention is to have

Re: master public http --> https redirection

hift.redhat.com> Subject: Re: master public http --> https redirection There is an existing RFE for this to happen OOTB https://trello.com/c/qxRMizmK Is the load balancer you are using in front of the masters able to do this redirect? On Thu, Dec 1, 2016 at 1:08 PM, Srinivas Naga Kotaru (skotaru

master public http --> https redirection

How to configure master public URl to redirect from http --> https? we want to redirect to https when our clients hit http://public_url in thr browser. Also OC and other clients shouldn’t face any issues with this change. Is it possible? -- Srinivas Kotaru

Re: cockpit auth issue

with openshift auth mechanism. "Srinivas Naga Kotaru (skotaru)" ---12/01/2016 12:29:43 AM---Am testing cockpit and cloudforms for OpenShift monitoring and see which one is better for our requi From: "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com<mailto:skot...@cisco.

Re: cockpit auth issue

cockpit auth is linked with openshift auth mechanism. "Srinivas Naga Kotaru (skotaru)" ---12/01/2016 12:29:43 AM---Am testing cockpit and cloudforms for OpenShift monitoring and see which one is better for our requi From: "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com

Re: namedCertificates not working

A bundle? When configured to use a non-system-roots ca bundle, oc remembers it in the local user's kubeconfig file ($KUBECONFIG or ~/.kube/config). Try moving (or removing) the kubeconfig file and see if that allows oc to use the system roots to recognize the new certificates On Nov 15, 2016

Re: Quota Policies

ator is taking that responsibility). Thanks, Derek On Thu, Oct 27, 2016 at 5:13 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Derek We have separate project for non-prod & prod. I fully understood the example you quoted. It Is very clear

Re: Quota Policies

ration on in a project. Thanks, Derek On Thu, Oct 27, 2016 at 2:32 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Derek Thanks for helping so far. It is not clear how quota & QOS works. We are planning ot use BestEffort for non-prod ap

Re: Quota Policies

rek On Wed, Oct 26, 2016 at 2:54 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Can u answer this question? Trying to understand how do we call BestEffort pods in terms of quota/limtrange/pod definitions perceptive? My understand is, a pod is ca

Re: Quota Policies

to ensure is available 3. are able to burst up to 10 cpu cores, and 20Gi memory based on node-local conditions Thanks, Derek On Tue, Oct 25, 2016 at 5:14 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Derek/Clayton I saw this link yesterday.

Re: How would I know my project members & roles ?

We only giving edit role to project members, not admin for specific reason. With edit role, they won’t be able to view members of their project? Does it need admin privileges? OSE 2.x Below issue reproted by one of our client. -- Srinivas Kotaru OSE3.x has no option to display the roles &

Re: Quota Policies

based on node-local conditions Thanks, Derek On Tue, Oct 25, 2016 at 5:14 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Derek/Clayton I saw this link yesterday. It was really good and helpful; I didn’t understand the last advanced se

Audit logging in Openshift Enterprise 3

https://access.redhat.com/solutions/1748893 had seen KB article recently. What is the path to log file? Can we specific a log path? Can we forward to other logging systems (Splunk or ELK) etc.? any good documentation link would be useful -- Srinivas Kotaru

Re: Container UUID

name: UNIQUE_UUID value: '${UNIQUE_UUID}' Hope it helps. -- Mateus Caruccio / Master of Puppets GetupCloud.com - Eliminamos a Gravidade On Tue, Oct 11, 2016 at 2:11 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Hi Is there any way to put

Container UUID

Hi Is there any way to put an environment variable which hold a unique UUID value per pod basis? If we put an environment variable at dc or rc level, same value propagating for all pods. That is expected behavior since all pods are creating using same template definition If we add environment

NetworkCIDR for big cluster

Hi We ‘re building 3 big clusters, 1 specific to each data center. growth expected to 1000 nodes each cluster over the time. Questions: 1. # egrep 'clusterNetworkCIDR|serviceNetworkCIDR' /etc/origin/master/master-config.yaml clusterNetworkCIDR: 10.1.0.0/16 serviceNetworkCIDR:

ovs-multitenant

Hi We are switching our SDN plugin from ovs-subnet --> ovs-multitenant. Few qq 1. ovs-multitenant is ready for prod grade workloads? 2. Do we need to delete and re-create router and registry components or not required? ( I knew we need to restart master and node services after

Re: Clarification

On 9/8/16, 12:44 PM, "Dan Winship" <d...@redhat.com> wrote: On 09/08/2016 03:32 PM, Srinivas Naga Kotaru (skotaru) wrote: > Containers that use UDP (Layer 4) and do not go through the Openshift > networking layer can find other containers running in a Pod with a

Clarification

Can you confirm below 2 statements? Potential Bug: Openshift does not always clean up all containers within a Pod when the Pod is removed. There were a few instances where one of the containers from the Pod were left running even though the Pod was successfully removed and the other containers

Re: Accessing Metrics Using Hawkular Metrics

Any comments? -- Srinivas Kotaru From: > on behalf of skotaru > Date: Wednesday, July 13, 2016 at 7:01 PM To: dev

Re: OSE 3.2 - Registry - Unable to write

Kotaru On 6/7/16, 10:58 AM, "Srinivas Naga Kotaru (skotaru)" <skot...@cisco.com> wrote: >Am using NFS volume for registry > > > >-- >Srinivas Kotaru > >On 6/7/16, 10:42 AM, "Seth Jennings" <sjenn...@redhat.com> wrote: > >>Ye

Re: OSE 3.2 - Registry - Unable to write

> >On Tue, Jun 7, 2016 at 12:29 PM, Srinivas Naga Kotaru (skotaru) ><skot...@cisco.com> wrote: >> Can someone help here? Struck and unable to proceed next step >> >> >> >> -- >> >> Srinivas Kotaru >> >> >> >> From: skot

OSE 3.2 - Registry - Unable to write

Hi Just finished installing OSE 3.2. Registry throwing below error while doing a sample deployment. I0606 18:40:55.315293 1 sti.go:334] Successfully built alln-int-build-testing/cakephp-example-1:e6008a5f I0606 18:40:55.335600 1 cleanup.go:23] Removing temporary directory

Re: Clarification on container security in OpenShift

Clayton and Team Is it possible to run all containers from a specific application to use a dedicated OS user name ( UUID in OSE 2.X). Am not referring UID which is typically a numeric number and control local access. We have a requirement for database access control perceptive where every

Re: Clarification on container security in OpenShift

e label on each pod in a namespace should be possible, although that's only visible via the API. On Jan 19, 2016, at 1:31 PM, Srinivas Naga Kotaru (skotaru) <skot...@cisco.com<mailto:skot...@cisco.com>> wrote: Clayton and Team Is it possible to run all containers from a specific applicati

routing/vhost alias

Hi In OSE 2.X we have a alias concept for routes. User or admin can create an alias ( apache vhost definition) for an application and create a DNS recored to point to upstream load balancer. This was so flexible if user FQDN is different than openshift created http url ( example

Router Sharding

Brenton said you guys are working on router sharding https://trello.com/c/DtPlixdb/49-8-router-sharding-traffic-ingress I didn’t get quite well description. What is this feature, how it is useful, what are the use cases and when it will be released? Can we create separate routers for internal

Re: Router Sharding

Thanks Brenton sharing overview page to see what are upcoming features or changes. Very handy .. -- Srinivas Kotaru On 1/15/16, 1:49 PM, "Brenton Leanhardt" <blean...@redhat.com> wrote: >On Fri, Jan 15, 2016 at 3:53 PM, Srinivas Naga Kotaru (skotaru) ><