Re: Ansible-openshift - Libvirt cluster create fails

2016-06-01 Thread Jason DeTiberus 
I created a PR with a fix that worked in my environment, could you see if
it fixes your issue as well?

https://github.com/openshift/openshift-ansible/pull/1969

Thanks,
--
Jason DeTiberus

On Wed, Jun 1, 2016 at 9:50 AM, Jason DeTiberus  wrote:

>
>
> On Wed, Jun 1, 2016 at 1:21 AM, Daniel Dumitriu  wrote:
>
>> Sorry, but it's not fixed...
>>
>> (I can come up with more details)
>>
>> In particular: this seems to happen because some tasks are skipped:
>> ...
>> TASK [openshift_facts : set_fact]
>> **
>> task path: /home/daniel/ansible-ws/openshift
>> -ansible/roles/openshift_facts/tasks/main.yml:15
>> skipping: [danield-master-e2398] => {"changed": false, "skip_reason":
>> "Conditional check failed", "skipped": true}
>> ...
>>
>> And the final (fatal) error:
>>
>> ..
>> TASK [openshift_repos : assert]
>> 
>> task path: /home/daniel/ansible-ws/openshift
>> -ansible/roles/openshift_repos/tasks/main.yaml:10
>> fatal: [danield-master-e2398]: FAILED! => {"failed": true, "msg": "The
>> conditional check 'not openshift.common.is_containerized | bool'
>> failed. The error was: error while evaluating conditional (not
>> openshift.common.is_containerized | bool): 'openshift' is
>> undefined\n\nThe error appears to have been in '/home/daniel/ansible
>> -ws/openshift-ansible/roles/openshift_repos/tasks/main.yaml': line 10,
>> column 3, but may\nbe elsewhere in the file depending on the exact
>> syntax problem.\n\nThe offending line appears to be:\n\n\n- assert:\n
>>  ^ here\n"}
>>
>
> Thanks for the additional info. I'll attempt to replicate it today to see
> if I can track down the issue.
>
>
>
>> __
>>
>> Daniel Dumitriu
>>
>>
>> On Tue, 2016-05-31 at 23:04 -0400, Jason DeTiberus wrote:
>> >
>> >
>> > On Tue, May 31, 2016 at 10:35 PM, Daniel Dumitriu 
>> > wrote:
>> > > Not sure this is the right forum for my question, but I could not
>> > > find
>> > > a more appropriate one...
>> > > I an trying to work with "openshift-ansible".
>> > >
>> > > Most examples I found are busy talking about the "established"
>> > > cloud
>> > > providers - so, not much help, there...
>> > > However, I find the most convenient "provider", by far, to be
>> > > "libvirt". Especially for testing and development - since it comes
>> > > as a
>> > > default package group in most distributions.
>> > >
>> > > So, I have been trying - for a few days, now - to create a libvirt
>> > > cluster but all my attempts have been unsuccessful !
>> > >
>> > > In the debugging process, I found some hard-coded variables in the
>> > > playbooks (would those qualify as errors?), but I cannot find a way
>> > > to
>> > > go past one annoying error:
>> > >
>> > > In the "task-book" "roles/openshift_repos/tasks/main.yaml":
>> > > -
>> > > fatal: [danield-master-4206c]: FAILED! => {"failed": true, "msg":
>> > > "The
>> > > conditional check 'not openshift.common.is_containerized | bool'
>> > > failed
>> > >
>> > > The error was: error while evaluating conditional (not
>> > > openshift.common.is_containerized | bool):
>> > > 'openshift' is undefined
>> > >
>> > > The error appears to have been in '/home/daniel/ansible
>> > > -ws/openshift
>> > > -ansible/roles/openshift_repos/tasks/main.yaml' at line 10
>> > > (assert)
>> > > -
>> > >
>> > > I understand that the variable "openshift" is set by the
>> > > "openshift_facts" module, defined in
>> > > "roles/openshift_facts/library".
>> > > But I, also, see the task that sets the "openshift" variables being
>> > > SKIPPED, and do not understand why !
>> > >
>> > > (By the way, the VMs are being built and started just fine)
>> > >
>> > > Could anyone help me? I would, really, appreciate it !
>> > This should be fixed in the current master branch. We reverted a
>> > change yesterday that was causing issues similar to this.
>> >
>> > --
>> > Jason DeTiberus
>> >
>>
>
>
>
> --
> Jason DeTiberus
>



-- 
Jason DeTiberus
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: role bindings incorrect after ose 3.2.0 upgrade

2016-06-01 Thread Jordan Liggitt 
It's fine to reconcile rolebindings like you did, as long as you are aware
that can result in new default roles being granted to all users. That's
what the --exclude-... bits are for - they let you choose to avoid
automatically granting new roles to all users in case you want to inspect
those more closely and decide if that something you want.

On Wed, Jun 1, 2016 at 4:19 PM, Dale Bewley  wrote:

> - On Jun 1, 2016, at 10:01 AM, Jordan Liggitt 
> wrote:
>
> No, the source build strategy permissions moved from the admin/edit roles
> into their own specific roles.
>
> Automatic role reconciliation on upgrade should be additive only, which
> would have left the source build permissions previously defined in the
> admin/edit roles:
>
> $ oadm policy reconcile-cluster-roles --additive-only=true --confirm
>
> Thanks for the response. Actually, I had already reconciled the cluster
> ROLES as above, but I still did not have permissions to do source builds.
>
> I then (contrary to current docs) reconciled the cluster role BINDINGS
> like this:
>
> $ oadm policy reconcile-cluster-role-bindings \
> > --exclude-groups=system:unauthenticated \
> > --exclude-users=system:anonymous \
> > --additive-only=true \
> > --confirm
> clusterrolebinding/self-provisioners
> clusterrolebinding/system:build-strategy-docker-binding
> clusterrolebinding/system:build-strategy-custom-binding
> clusterrolebinding/system:build-strategy-source-binding
>
> After that I can once again perform source builds.
>
> My scratchpad
>
> http://guifreelife.com/blog/2016/05/17/OpenShift-Enterprise-Upgrade-3.1-to-3.2#update-cluster-policies-and-roles
>
>
>
>
>
>
>
> On Wed, Jun 1, 2016 at 12:16 PM, Dale Bewley  wrote:
>
>>
>> After upgrading to OSE 3.2.0 developers can no longer use the source
>> build strategy.
>>
>> I used the playbook to upgrade and now I'm trying to reconcile the policy
>> role bindings per:
>>
>>
>> https://docs.openshift.com/enterprise/3.2/install_config/upgrading/manual_upgrades.html#updating-policy-definitions
>>
>> Is it because the docs:
>>
>>  $ oadm policy reconcile-cluster-role-bindings \
>> --exclude-groups=system:authenticated \
>> --exclude-groups=system:authenticated:oauth \
>> --exclude-groups=system:unauthenticated \
>> --exclude-users=system:anonymous \
>> --additive-only=true \
>> --confirm
>>
>> Should actually be:
>>
>>  $ oadm policy reconcile-cluster-role-bindings \
>> --exclude-groups=system:unauthenticated \
>> --exclude-users=system:anonymous \
>> --additive-only=true \
>> --confirm
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: role bindings incorrect after ose 3.2.0 upgrade

2016-06-01 Thread Dale Bewley 
- On Jun 1, 2016, at 10:01 AM, Jordan Liggitt  wrote: 

> No, the source build strategy permissions moved from the admin/edit roles into
> their own specific roles.

> Automatic role reconciliation on upgrade should be additive only, which would
> have left the source build permissions previously defined in the admin/edit
> roles:
> $ oadm policy reconcile-cluster-roles --additive-only=true --confirm

Thanks for the response. Actually, I had already reconciled the cluster ROLES 
as above, but I still did not have permissions to do source builds. 

I then (contrary to current docs) reconciled the cluster role BINDINGS like 
this: 

$ oadm policy reconcile-cluster-role-bindings \ 
> --exclude-groups=system:unauthenticated \ 
> --exclude-users=system:anonymous \ 
> --additive-only=true \ 
> --confirm 
clusterrolebinding/self-provisioners 
clusterrolebinding/system:build-strategy-docker-binding 
clusterrolebinding/system:build-strategy-custom-binding 
clusterrolebinding/system:build-strategy-source-binding 

After that I can once again perform source builds. 

My scratchpad 
http://guifreelife.com/blog/2016/05/17/OpenShift-Enterprise-Upgrade-3.1-to-3.2#update-cluster-policies-and-roles
 

> On Wed, Jun 1, 2016 at 12:16 PM, Dale Bewley < d...@bewley.net > wrote:

>> After upgrading to OSE 3.2.0 developers can no longer use the source build
>> strategy.

>> I used the playbook to upgrade and now I'm trying to reconcile the policy 
>> role
>> bindings per:

>> https://docs.openshift.com/enterprise/3.2/install_config/upgrading/manual_upgrades.html#updating-policy-definitions

>> Is it because the docs:

>> $ oadm policy reconcile-cluster-role-bindings \
>> --exclude-groups=system:authenticated \
>> --exclude-groups=system:authenticated:oauth \
>> --exclude-groups=system:unauthenticated \
>> --exclude-users=system:anonymous \
>> --additive-only=true \
>> --confirm

>> Should actually be:

>> $ oadm policy reconcile-cluster-role-bindings \
>> --exclude-groups=system:unauthenticated \
>> --exclude-users=system:anonymous \
>> --additive-only=true \
>> --confirm

>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users