Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-29 Thread Vyacheslav Semushin
2018-05-17 15:15 GMT+02:00 Sam Padgett :

> The file mode is 400, and I think anyuid breaks reading it since the user
> changes.
>
> https://github.com/openshift/openshift-ansible/blob/master/
> roles/openshift_web_console/files/console-template.yaml#L90
>
> The console doesn't need anyuid... I'm not sure what's adding it.
>

Thinking a bit more about this, I can say that the webconsole can be improved.
While it doesn't need root privileges, it still needs a "stable" UID, and it
doesn't expect that this UID can be changed.

Would it be possible to follow our own recommendations and use 040 mode
instead? Using the group will give us more predictable results, because all
pods always have the root group.

-- 
Slava Semushin | OpenShift
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
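A model of the read check behind the 400-versus-040 point in the message above, added here as an example (it is not code from the thread or from OpenShift). The UIDs are constructed sample values, and the owner and group of the mounted cert file are assumptions.

```python
"""Model of the read check behind the 400-vs-040 point made above.

Added example, not code from the thread or from OpenShift. POSIX picks one
permission class per access: the owner bits when the UID matches the owner,
otherwise the group bits when any process GID matches the file's group, and
only otherwise the "other" bits. The UIDs are constructed sample values and
the file's owner/group are assumptions.
"""
import stat

ROOT_GID = 0  # the primary group every pod carries, as noted above


def can_read(mode, owner_uid, owner_gid, uid, gids):
    """True if a process running as (uid, gids) may read the file."""
    if uid == 0:                     # root bypasses discretionary checks
        return True
    if uid == owner_uid:             # owner class only, group bits ignored
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


OWNER_UID = 1001          # assumed owner of /var/serving-cert/tls.crt
SAME_UID = 1001           # pod still running as the owner UID
OTHER_UID = 1000430000    # pod re-created under a different UID, root group


def compare_modes():
    """Readability of the cert for each candidate mode and each UID."""
    result = {}
    for label, mode in (("400", 0o400), ("040", 0o040), ("440", 0o440)):
        result[label] = {
            "same_uid": can_read(mode, OWNER_UID, ROOT_GID, SAME_UID, {ROOT_GID}),
            "other_uid": can_read(mode, OWNER_UID, ROOT_GID, OTHER_UID, {ROOT_GID}),
        }
    return result


if __name__ == "__main__":
    for label, readable in compare_modes().items():
        print(label, readable)
```

The table also shows that 040 on its own locks out the owner UID, because the owner class is consulted exclusively; 440 covers both the original UID and a re-assigned one.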


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-28 Thread Vyacheslav Semushin
I'd like to continue this discussion because this broken configuration
could be easily reproduced by following our own documentation:

https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile
How can we fix this?

Do we have a virtual group (like system:authenticated) that doesn't include
any system-related users? In this case, we will be able to use such a group
in the example above.


2018-05-17 15:15 GMT+02:00 Sam Padgett :

> The file mode is 400, and I think anyuid breaks reading it since the user
> changes.
>
> https://github.com/openshift/openshift-ansible/blob/master/
> roles/openshift_web_console/files/console-template.yaml#L90
>
> The console doesn't need anyuid... I'm not sure what's adding it.
>
> Sam
>
> On Thu, May 17, 2018 at 9:03 AM, Clayton Coleman 
> wrote:
>
>> anyuid is less restrictive than restricted, unless you customized
>> restricted.  Did you customize restricted?
>>
>> On May 17, 2018, at 8:56 AM, Charles Moulliard 
>> wrote:
>>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open
>> /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, then the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>> openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it? Otherwise we can't access the Web Console anymore.
>>
>>
-- 
Slava Semushin | OpenShift


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-24 Thread Daniel Comnea
Fair point Slava, hats off.

Thanks for the info.

On Thu, May 24, 2018 at 11:16 AM, Vyacheslav Semushin 
wrote:

> 2018-05-24 10:10 GMT+02:00 Charles Moulliard :
>
>> +1 to documenting somewhere how SCC works, how priority is defined, and
>> what should be done to resolve such issues
>>
>
> Perhaps this info is hard to find but it's there:
> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-prioritization
>
>
> --
> Slava Semushin | OpenShift
>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-24 Thread Vyacheslav Semushin
2018-05-24 10:10 GMT+02:00 Charles Moulliard :

> +1 to documenting somewhere how SCC works, how priority is defined, and
> what should be done to resolve such issues
>

Perhaps this info is hard to find but it's there:
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#scc-prioritization


-- 
Slava Semushin | OpenShift


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-24 Thread Vyacheslav Semushin
2018-05-23 23:06 GMT+02:00 Daniel Comnea :

>
>
> On Wed, May 23, 2018 at 5:20 PM, Vyacheslav Semushin 
> wrote:
>
>> 2018-05-17 17:18 GMT+02:00 Charles Moulliard :
>>
>>> The trick / solution described there doesn't work. I tried also using
>>> the ansible playbook of OpenShift to remove the project and recreate it, and
>>> the pod is always recreated with OpenShift annotation = anyuid
>>>
>>
>> The reason why the "anyuid" SCC is being applied is that it was granted
>> to all authenticated users. And because anyuid has priority 10, it gets
>> applied instead of the "restricted" SCC.
>>
> [DC]: how do you know about anyuid and priority 10?
>

In the gist that you provided, you posted the output of the oc get
scc/anyuid -o yaml command that shows me that SCC has been granted to
system:authenticated group and
system:serviceaccount:openshift-web-console:webconsole user. Also it shows
the priority field.


> In other words, how can I find out what priority each SCC has?
>

The output of both of the following commands contains a PRIORITY field:
oc get scc
oc get scc 


-- 
Slava Semushin | OpenShift
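The prioritisation Slava describes above (anyuid granted to system:authenticated, priority 10, beating restricted), as an added example that is not code from the thread or from OpenShift. It models the documented ordering of granted SCCs; the restrictiveness score and the default grant of anyuid to system:cluster-admins are assumptions for the example.

```python
"""Model of the SCC ordering that makes anyuid win over restricted.

Added example, not code from the thread or from OpenShift. The ordering
follows the documented prioritisation: highest priority first, equal
priorities from most to least restrictive, then by name. The
restrictiveness score is a simplification assumed for this example, and
real admission also validates the pod against each candidate in turn and
keeps the first one that admits it.
"""


class SCC:
    def __init__(self, name, priority=None, users=(), groups=(),
                 run_as_user="MustRunAsRange", allow_privileged=False):
        self.name = name
        self.priority = priority      # unset (None) sorts like 0
        self.users = set(users)
        self.groups = set(groups)
        self.run_as_user = run_as_user
        self.allow_privileged = allow_privileged

    def score(self):
        """Lower is more restrictive (assumed scoring, not OpenShift's)."""
        return ((2 if self.run_as_user == "RunAsAny" else 0)
                + (1 if self.allow_privileged else 0))


def ordered_candidates(sccs, user, groups):
    """SCCs granted to user or groups, in the order admission tries them."""
    granted = [s for s in sccs if user in s.users or s.groups & set(groups)]
    return sorted(granted, key=lambda s: (-(s.priority or 0), s.score(), s.name))


# The webconsole service account and the groups every service account carries.
WEBCONSOLE_SA = "system:serviceaccount:openshift-web-console:webconsole"
WEBCONSOLE_GROUPS = ("system:authenticated", "system:serviceaccounts",
                     "system:serviceaccounts:openshift-web-console")


def selected_scc(anyuid_groups):
    """Name of the SCC picked for the webconsole SA given anyuid's groups."""
    sccs = [
        SCC("restricted", groups=["system:authenticated"]),
        SCC("anyuid", priority=10, groups=anyuid_groups, run_as_user="RunAsAny"),
    ]
    order = ordered_candidates(sccs, WEBCONSOLE_SA, WEBCONSOLE_GROUPS)
    return order[0].name if order else None


if __name__ == "__main__":
    print(selected_scc(["system:cluster-admins"]), selected_scc(["system:authenticated"]))
```

With anyuid left on its assumed default group the webconsole lands on restricted; granting anyuid to system:authenticated, as the linked documentation example does, makes priority 10 win for every authenticated account, the console's included.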


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-24 Thread Charles Moulliard
+1 to documenting somewhere how SCC works, how priority is defined, and
what should be done to resolve such issues

On Wed, May 23, 2018 at 11:06 PM, Daniel Comnea 
wrote:

>
>
> On Wed, May 23, 2018 at 5:20 PM, Vyacheslav Semushin 
> wrote:
>
>> 2018-05-17 17:18 GMT+02:00 Charles Moulliard :
>>
>>> The trick / solution described there doesn't work. I tried also using
>>> the ansible playbook of OpenShift to remove the project and recreate it, and
>>> the pod is always recreated with OpenShift annotation = anyuid
>>>
>>
>> The reason why the "anyuid" SCC is being applied is that it was granted
>> to all authenticated users. And because anyuid has priority 10, it gets
>> applied instead of the "restricted" SCC.
>>
> [DC]: how do you know about anyuid and priority 10? In other words, how can
> I find out what priority each SCC has?
>
>>
>>
>> --
>> Slava Semushin | OpenShift
>>
>>
>>
>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-23 Thread Vyacheslav Semushin
2018-05-17 17:18 GMT+02:00 Charles Moulliard :

> The trick / solution described there doesn't work. I tried also using the
> ansible playbook of OpenShift to remove the project and recreate it, and the
> pod is always recreated with OpenShift annotation = anyuid
>

The reason why the "anyuid" SCC is being applied is that it was granted
to all authenticated users. And because anyuid has priority 10, it gets
applied instead of the "restricted" SCC.


-- 
Slava Semushin | OpenShift


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Even if I add the webconsole ServiceAccount to the anyuid SCC, the pod fails to
start

https://gist.github.com/cmoulliard/f05b9bc762cbab9993087b1a44aa1331



On Thu, May 17, 2018 at 7:42 PM, Charles Moulliard 
wrote:

> Do you want me to create a ticket to report the error, which is really
> blocking/critical?
>
> On Thu, May 17, 2018 at 5:20 PM, Charles Moulliard 
> wrote:
>
>> Personally no. FYI the web console was installed using the OpenShift ansible
>> playbook
>>
>> On Thu, May 17, 2018, 15:03 Clayton Coleman  wrote:
>>
>>> anyuid is less restrictive than restricted, unless you customized
>>> restricted.  Did you customize restricted?
>>>
>>> On May 17, 2018, at 8:56 AM, Charles Moulliard 
>>> wrote:
>>>
>>> Hi,
>>>
>>> If we scale down/up the Replication Set of the OpenShift Web Console,
>>> then the new pod created will crash and report
>>>
>>> "Error: unable to load server certificate: open
>>> /var/serving-cert/tls.crt: permission denied"
>>>
>>> This problem comes from the fact that when the pod is recreated, then
>>> the scc annotation is set to anyuid instead of restricted and then the pod
>>> can't access the cert
>>>
>>> apiVersion: v1
>>> kind: Pod
>>> metadata:
>>>   annotations:
>>> openshift.io/scc: anyuid
>>>
>>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>>> resolve it? Otherwise we can't access the Web Console anymore.
>>>
>>> Regards
>>>
>>> CHARLES MOULLIARD
>>>
>>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>>
>>> Red Hat 
>>>
>>> cmoulli...@redhat.com
>>> M: +32-473-604014
>>> 
>>> @cmoulliard 
>>>
>>>
>>>
>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Do you want me to create a ticket to report the error, which is really
blocking/critical?

On Thu, May 17, 2018 at 5:20 PM, Charles Moulliard 
wrote:

> Personally no. FYI the web console was installed using the OpenShift ansible
> playbook
>
> On Thu, May 17, 2018, 15:03 Clayton Coleman  wrote:
>
>> anyuid is less restrictive than restricted, unless you customized
>> restricted.  Did you customize restricted?
>>
>> On May 17, 2018, at 8:56 AM, Charles Moulliard 
>> wrote:
>>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open
>> /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, then the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>> openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it? Otherwise we can't access the Web Console anymore.
>>
>> Regards
>>
>> CHARLES MOULLIARD
>>
>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>
>> Red Hat 
>>
>> cmoulli...@redhat.com
>> M: +32-473-604014
>> 
>> @cmoulliard 
>>
>>
>>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
The trick / solution described there doesn't work. I tried also using the
ansible playbook of OpenShift to remove the project and recreate it, and the
pod is always recreated with OpenShift annotation = anyuid

On Thu, May 17, 2018, 15:01 Sam Padgett  wrote:

> Charles, I'd try the steps in
>
> https://access.redhat.com/solutions/3428351
>
> Sam
>
> On Thu, May 17, 2018 at 8:56 AM, Charles Moulliard 
> wrote:
>
>> Hi,
>>
>> If we scale down/up the Replication Set of the OpenShift Web Console,
>> then the new pod created will crash and report
>>
>> "Error: unable to load server certificate: open
>> /var/serving-cert/tls.crt: permission denied"
>>
>> This problem comes from the fact that when the pod is recreated, then the
>> scc annotation is set to anyuid instead of restricted and then the pod
>> can't access the cert
>>
>> apiVersion: v1
>> kind: Pod
>> metadata:
>>   annotations:
>> openshift.io/scc: anyuid
>>
>> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
>> resolve it? Otherwise we can't access the Web Console anymore.
>>
>> Regards
>>
>> CHARLES MOULLIARD
>>
>> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>>
>> Red Hat 
>>
>> cmoulli...@redhat.com
>> M: +32-473-604014
>> 
>> @cmoulliard 
>>
>>
>>
>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Sam Padgett
The file mode is 400, and I think anyuid breaks reading it since the user
changes.

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_web_console/files/console-template.yaml#L90

The console doesn't need anyuid... I'm not sure what's adding it.

Sam

On Thu, May 17, 2018 at 9:03 AM, Clayton Coleman 
wrote:

> anyuid is less restrictive than restricted, unless you customized
> restricted.  Did you customize restricted?
>
> On May 17, 2018, at 8:56 AM, Charles Moulliard 
> wrote:
>
> Hi,
>
> If we scale down/up the Replication Set of the OpenShift Web Console, then
> the new pod created will crash and report
>
> "Error: unable to load server certificate: open /var/serving-cert/tls.crt:
> permission denied"
>
> This problem comes from the fact that when the pod is recreated, then the
> scc annotation is set to anyuid instead of restricted and then the pod
> can't access the cert
>
> apiVersion: v1
> kind: Pod
> metadata:
>   annotations:
> openshift.io/scc: anyuid
>
> Has this bug been fixed for OpenShift 3.9? Is there a workaround to
> resolve it? Otherwise we can't access the Web Console anymore.
>
> Regards
>
> CHARLES MOULLIARD
>
> SOFTWARE ENGINEER MANAGER SPRING(BOOT)
>
> Red Hat 
>
> cmoulli...@redhat.com
> M: +32-473-604014
> 
> @cmoulliard 
>


Re: OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Clayton Coleman
anyuid is less restrictive than restricted, unless you customized
restricted.  Did you customize restricted?

On May 17, 2018, at 8:56 AM, Charles Moulliard  wrote:

Hi,

If we scale down/up the Replication Set of the OpenShift Web Console, then
the new pod created will crash and report

"Error: unable to load server certificate: open /var/serving-cert/tls.crt:
permission denied"

This problem comes from the fact that when the pod is recreated, then the
scc annotation is set to anyuid instead of restricted and then the pod
can't access the cert

apiVersion: v1
kind: Pod
metadata:
  annotations:
openshift.io/scc: anyuid

Has this bug been fixed for OpenShift 3.9? Is there a workaround to resolve
it? Otherwise we can't access the Web Console anymore.

Regards

CHARLES MOULLIARD

SOFTWARE ENGINEER MANAGER SPRING(BOOT)

Red Hat 

cmoulli...@redhat.com
M: +32-473-604014

@cmoulliard 



OpenShift Web Console - 3.9 - Pod / CrashLoopBackOff

2018-05-17 Thread Charles Moulliard
Hi,

If we scale down/up the Replication Set of the OpenShift Web Console, then
the new pod created will crash and report

"Error: unable to load server certificate: open /var/serving-cert/tls.crt:
permission denied"

This problem comes from the fact that when the pod is recreated, then the
scc annotation is set to anyuid instead of restricted and then the pod
can't access the cert

apiVersion: v1
kind: Pod
metadata:
  annotations:
openshift.io/scc: anyuid

Has this bug been fixed for OpenShift 3.9? Is there a workaround to resolve
it? Otherwise we can't access the Web Console anymore.

Regards

CHARLES MOULLIARD

SOFTWARE ENGINEER MANAGER SPRING(BOOT)

Red Hat 

cmoulli...@redhat.com
M: +32-473-604014

@cmoulliard 