DNS issue install OpenShift on OpenStack

2017-10-09 Thread Joel Pearson
Hi,


I'm trying to install openshift on openstack and I've been following
https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack
I got past the openstack bit and now I'm installing openshift with
“ansible-playbook openshift-ansible/playbooks/byo/config.yml” it got pretty
far.


Except I got this error:

TASK [openshift_examples : Import Centos Image streams]
***

Monday 09 October 2017  12:30:17 + (0:00:00.058)   0:05:10.675


fatal: [master-0.openshift.staging.agiledigital.co]: FAILED! => {"changed":
false, "cmd": ["oc", "create",
"--config=/etc/origin/master/admin.kubeconfig", "-n", "openshift", "-f",
"/usr/share/openshift/examples/image-streams/image-streams-centos7.json"],
"delta": "0:00:00.309497", "end": "2017-10-09 12:30:18.114400", "failed":
true, "failed_when_result": true, "rc": 1, "start": "2017-10-09
12:30:17.804903", "stderr": "Unable to connect to the server: dial tcp:
lookup master-0.openshift.staging.agiledigital.co on 8.8.8.8:53: no such
host", "stderr_lines": ["Unable to connect to the server: dial tcp: lookup
master-0.openshift.staging.agiledigital.co on 8.8.8.8:53: no such host"],
"stdout": "", "stdout_lines": []}

———-


I used the option of letting it install a DNS server in the openstack
section, and I used this setting “public_dns_nameservers:
[8.8.8.8,8.8.4.4]”, however it seems that it isn't using the dns server it
installed, and hence internal DNS doesn't resolve.


Is there a way to get the openstack-ansible playbooks to use the internal
dns (which was created by “ansible-playbook
openshift-ansible-contrib/playbooks/provisioning/openstack/provision.yaml”),
which in my case is “10.2.100.5”?


I figure I must have messed something up in the OpenStack provision
section. But I don’t know what.


Thanks,


Joel
-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Unable to dynamically provision cinder volumes

2017-10-13 Thread Joel Pearson
Hi,

I'm having no luck getting dynamic provisioning of cinder volumes working.

I followed
https://docs.openshift.org/latest/install_config/persistent_storage/dynamically_provisioning_pvs.html#openstack-cinder-spec

And used:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: gold
provisioner: kubernetes.io/cinder
parameters:
  type: fast
  availability: nova
  fsType: ext4

But whenever I try it, it fails with:

Failed to provision volume with StorageClass "gold": invalid option
"fsType" for volume plugin kubernetes.io/cinder

I tried removing the fsType in the storage class but it hasn't helped.

My /etc/origin/cloudprovider/openstack.conf looks correct, but I cannot
figure out what is going on.

There is nothing useful in journalctl -xe on the master

How else can I diagnose?

Thanks,

Joel


Re: Unable to dynamically provision cinder volumes

2017-10-16 Thread Joel Pearson
Got some help on the #sig-openstack channel in kubernetes from @fengyunpan

Turns out I needed to add

[BlockStorage]
bs-version=v2

to /etc/origin/cloudprovider/openstack.conf

It looks like better autodetection exists in Kubernetes 1.7

https://github.com/kubernetes/kubernetes/blob/release-1.7/pkg/cloudprovider/providers/openstack/openstack.go

vs
https://github.com/kubernetes/kubernetes/blob/release-1.6/pkg/cloudprovider/providers/openstack/openstack.go

You'll notice there is only 1 reference to "auto" in the 1.6 version.

I'm not sure how it works for other people running Openshift 3.6 on
OpenStack without that setting.

Thanks,

Joel



Re: DNS issue install OpenShift on OpenStack

2017-10-09 Thread Joel Pearson
Hi,

Sorry, I think I didn’t explain it very well.

I’m trying to use the in-stack DNS servers, but it seems to just be using
the google ones.

Yes the base domain is hosted by AWS but I haven’t created any records for
“master-0.openshift.staging.agiledigital.co” as I don’t need that resolvable
outside the cluster. I thought the in-stack DNS server would automatically
create DNS records that work inside the cluster and that it would configure
all the instances it created to use the in-stack DNS.

The “10.2.100.5” ip is created by the stack, so I can’t use that in the
public_dns_nameservers variable, as it doesn’t exist at that point.

How is the in-stack DNS supposed to work? Maybe I’m misunderstanding its
purpose?

Thanks,

Joel
On Tue, 10 Oct 2017 at 12:54 am, François VILLAIN <f.vill...@linkbynet.com>
wrote:

> Hello,
>
> I see that your domain name is hosted by AWS. Maybe try to see if the
> domain is “public” or “private”, it seems private from what I can see (your
> entries do not resolve).
> If it is private you should directly reference your DNS server in the
> “public_dns_nameservers” variable.
>
> Good luck ☺


Re: DNS issue install OpenShift on OpenStack

2017-10-09 Thread Joel Pearson
Ok, my bad, it looks like the
https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/post-provision-openstack.yml
playbook does what I’m after. I’ll run that and see what happens.


Re: DNS issue install OpenShift on OpenStack

2017-10-09 Thread Joel Pearson
Looks like the post-provision-openstack.yml did run by itself, but I needed
to restart all the nodes to pick up the new DNS entries via DHCP.  Maybe I
should submit a PR to include that tip, unless of course, a restart wasn't
supposed to be necessary.


Re: Origin router and X-Forwarded-For

2017-10-11 Thread Joel Pearson
Hi Marcello,

If you use Passthrough termination then that means that OpenShift cannot
add the X-Forwarded-For header, because as the name suggests it is just
passing the packets through and because it’s encrypted it can modify the
http request in any way.

If you want X-Forwarded-For you will need to switch to Edge termination.

Thanks,

Joel
On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cell...@gmail.com> wrote:

> Hi All,
> we tried to configure a route on Origin 3.6 with a Passthrough
> termination to an Apache webserver present into a single POD but we can't
> notice the X-Forwarded-Header to Apache logs. We tried to capture it
> without success.
>
> Could you confirm if there are some method to extract it from the POD side?
>
> Thanks,
> Marcello
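Once the route uses edge termination the header does reach the pod, but it is only meaningful when the request arrived from the router, since any client can put its own X-Forwarded-For on the wire. An added example, not from this thread or from OpenShift, of deriving the client address that way; the trusted router range 10.128.0.0/14 and the sample requests are constructed.

```python
"""Derive the client address from X-Forwarded-For, trusting only the router.

With edge termination the OpenShift router terminates TLS and prepends the
client address to X-Forwarded-For; with passthrough termination the TLS
stream reaches the pod untouched and no header can be added. In both cases
the application must not believe a header that an untrusted peer sent.
"""
import ipaddress
from typing import Optional

# Constructed assumption: the addresses the router pods connect from.
# Replace with the real router/node addresses of the cluster.
TRUSTED_PROXIES = [ipaddress.ip_network("10.128.0.0/14")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is an IP inside one of the trusted router ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address to log or rate-limit on for one request.

    remote_addr is the TCP peer of the pod: the router under edge
    termination, or the client itself under passthrough. xff is the raw
    X-Forwarded-For header value, or None when the header is absent.
    """
    if not is_trusted_proxy(remote_addr) or not xff:
        # Passthrough (no header) or a direct connection: the peer address
        # is the only value that cannot be forged by the client.
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk the chain right-to-left. Hops that are trusted proxies were
    # appended by infrastructure we control; the first untrusted hop is the
    # client. Everything further left was supplied by the client itself.
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Garbage in the header: fall back to the peer address.
            return remote_addr
    return remote_addr


# Constructed sample requests: (peer address, X-Forwarded-For value).
SAMPLE_REQUESTS = [
    ("10.128.2.15", "203.0.113.7"),            # edge: router added the header
    ("10.128.2.15", "1.2.3.4, 203.0.113.7"),   # client sent its own XFF first
    ("203.0.113.7", None),                     # passthrough: header cannot exist
    ("203.0.113.7", "198.51.100.9"),           # header from an untrusted peer
]


def resolve_samples():
    """Resolve every constructed request to its trustworthy client address."""
    return [client_ip(peer, xff) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), ip in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<14} xff={xff!r:<28} client={ip}")
```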


Re: Origin router and X-Forwarded-For

2017-10-11 Thread Joel Pearson
Sorry, I meant to say: it *cannot* modify the http request in any way.


Re: authentication required even for pulling images from private registry

2017-10-18 Thread Joel Pearson
Is the image in a different project than the one you’re trying to run it in?

I.e. the image lives in project a and you’re trying to run the pod in project
b.

In that scenario you need to grant some sort of permissions (image-pull or
something).
On Thu, 19 Oct 2017 at 4:32 am, Yu Wei <yu20...@hotmail.com> wrote:

> Hi,
>
> I setup openshift origin cluster 3.6 and found a problem with private
> registry.
>
> Image was failed to be pulled by work node with error as below,
>
> rpc error: code = 2 desc = unauthorized: authentication required
>
>
> However, the registry works well and I also could find the image via
> docker-console.
>
> I installed the cluster via "Advanced installation". It seemed insecure
> registry is not enabled.
>
>
> How could I check what's wrong in my env?
>
>
>
> Thanks,
>
> Jared, (韦煜)
> Software developer
> Interested in open source software, big data, Linux


Re: LDAP bindPassword in Ansible inventory

2017-10-24 Thread Joel Pearson
Maybe if you use a vars yaml file, it might work? I was going to try it
today, but I didn't get around to it, was hoping you'd get it working first?

By a vars file I mean

ansible-playbook -e "@varsfile.yml"

With something like this in there, but obviously the encrypted bit

openshift_master_identity_providers:
- name: active_directory
  challenge: 'true'
  login: 'true'
  kind: LDAPPasswordIdentityProvider
  attributes:
    email:
    - mail
    id:
    - sAMAccountName
    name:
    - displayName
    preferredUsername:
    - sAMAccountName
  insecure: 'true'
  bindDN: 'CN=,OU=Azure Users,OU=DEH-Staff,DC=internal,DC=govt'
  bindPassword: ''
  url: ldap://ad-lb.envris-os-dev.agiledigital.com.au:389/ou=deh-staff,dc=internal,dc=govt?samAccountName


On Tue, Oct 24, 2017 at 4:59 PM Lionel Orellana <lione...@gmail.com> wrote:

> Well adding this to the inventory file doesn't work (even if the files are
> copied to masters before hand).
>
> 'bindPassword': {'file': '/root/bindPassword.encrypted', 'keyFile':
> '/root/bindPassword.key'},
>
> Is there any way to encrypt the bindPassword in the inventory file?
>
> On 21 October 2017 at 11:43, Lionel Orellana <lione...@gmail.com> wrote:
>
>> Looking at the master role it just copies the configuration from the
>> inventory to the config file so I do have to copy the encryption files
>> beforehand. Will have to try if the format in the inventory file is right.
>> On Sat, 21 Oct 2017 at 9:15 am, Lionel Orellana <lione...@gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I see there's a way to encrypt
>>> <https://docs.openshift.org/latest/install_config/master_node_configuration.html#master-node-configuration-passwords-and-other-data>an
>>> ldap bind password for use in the master configs.
>>>
>>> But I'm not sure how this would work in the Ansible inventory
>>> configuration for the identity provider.
>>>
>>> If I use an Encrypted External File do I need to copy the file to all
>>> the masters first? Or is the playbook going to copy it from the ansible
>>> host?
>>>
>>> What should the openshift_master_identity_providers look like?
>>>
> >>> openshift_master_identity_providers=[{'name': 'my_ldap_provider', ...,
> >>> 'kind': 'LDAPPasswordIdentityProvider', ..., 'bindPassword': {'file':
> >>> 'bindPassword.encrypted', 'keyFile': 'bindPassword.key'}, ...}]
>>>
>>> Thanks
>>>
>>


Re: ansible with openstack cloud provider

2017-11-24 Thread Joel Pearson
So this is your own OpenStack installation?
How did you install it? OpenStack ansible? Packstack?

Are your keystone endpoints https?
On Sat, 25 Nov 2017 at 1:57 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> Wondered if anyone has any ideas on this.
>
> I'm still stuck with it.
>
> On 07/11/2017 11:29, Tim Dudgeon wrote:
>
> I'm still struggling with this. Now that I specify a value for
> openshift_cloudprovider_openstack_tenant_id the openstack.conf file gets
> created, but the master service fails to start because of:
>
> Nov 07 11:17:20 test.openstacklocal origin-master[15001]: F1107
> 11:17:20.431262   15001 start_master.go:118] could not init cloud provider
> "openstack": Authentication failed
>
> So something is still not right.
>
> My openstack.conf that gets generated looks like this:
>
> [Global]
> auth-url = 
> username = 
> password = 
> domain-name = 
> tenant-id = 
> region = 
>
> The one thing I'm uncertain about is what to specify as the tenant-id as
> that is not defined in the v3 keystonerc.
> I've used the value of the username but that may not be correct.
>
> The value of password is the API password and works with the python
> openstack client.
>
> Can anyone spot what is wrong?
> What is Openshift trying to do when it tries to init the cloud provider and
> fails?
>
>
>
>
> On 04/11/2017 11:51, Joel Pearson wrote:
>
> I found it worked better if it uses the v3 keystone api. I tried the v2
> keystone api, and it didn't work out of the box, I had to manually modify
> openstack.conf file.  It seems like something is not right, but I lost
> interest in the problem and just made the variables available that it
> wanted.
>
> If you have issues with cinder, you might need to try my pull request too.
>
> https://github.com/openshift/openshift-ansible/pull/5776
>
> On Sat, Nov 4, 2017 at 9:21 PM Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
>> Yes mine too, but if you want it to work you need to add it back. I
>> grabbed those values from the v2 RC file.
>> On Sat, 4 Nov 2017 at 9:20 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>>
>>> Yes, I removed those because my setup file (Newton release) included
>>> this:
>>>
>>> # unset v2.0 items in case set
>>> unset OS_TENANT_ID
>>> unset OS_TENANT_NAME
>>>
>>> Is openshift expecting an earlier release?
>>>
>>> On 04/11/2017 09:51, Joel Pearson wrote:
>>>
>>> I added this to mine:
>>>
>>> openshift_cloudprovider_openstack_tenant_name: "{{
>>> lookup('env','OS_TENANT_NAME') }}"
>>>
>>> On Sat, Nov 4, 2017 at 8:50 PM Joel Pearson <
>>> japear...@agiledigital.com.au> wrote:
>>>
>>>> You're missing "(openshift_cloudprovider_openstack_tenant_id or
>>>> openshift_cloudprovider_openstack_tenant_name )"
>>>>
>>>> See: (openshift_cloudprovider_openstack_tenant_id is defined or
>>>> openshift_cloudprovider_openstack_tenant_name is defined) in the file below
>>>>
>>>>
>>>> https://github.com/openshift/openshift-ansible/blob/81cf5123366814d098b7ca169a6e4deb2759507d/roles/openshift_cloud_provider/tasks/openstack.yml#L10
>>>>
>>>> On Sat, Nov 4, 2017 at 8:41 PM Tim Dudgeon <tdudgeon...@gmail.com>
>>>> wrote:
>>>>
>>>>> On 03/11/2017 22:24, Joel Pearson wrote:
>>>>>
>>>>> Are you actually filling in those values with anything?
>>>>>
>>>>> Yes, all have values, I just didn't want to divulge them.
>>>>>
> >>>>> I setup OpenShift on OpenStack Kilo and I needed to make sure I was
> >>>>> using the v3 rc file and I also had an issue with block storage in the
> >>>>> OpenStack file which I submitted a patch for.
>>>>>
>>>>> Are you using this OpenShift on OpenStack repo?
>>>>>
>>>>>
>>>>> https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/README.md
>>>>>
>>>>> No, the infrastructure is already provisioned. I'm, just using the
>>>>> openshift-ansible/playbooks/byo/config.yml playbook to provision 
>>>>> openshift.
>>>>>
>>>>>
>>>>>
>>>>> The error message suggests that potentially none of the variables have
>>>>> a value so the file isn’t being generated.
>>>>>
>>>>> Well, they do 

Re: Permissions problem mounting file from ConfigMap

2017-12-13 Thread Joel Pearson
Oh, I didn't realise configmaps got updated without a Pod restart.  How
long does it take to update?  I see in (
https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#mounted-configmaps-are-updated-automatically)
it says the kubelet sync period + ttl.  What are the OpenShift defaults for
that?

On Wed, Dec 13, 2017 at 8:41 PM Graham Dumpleton wrote:

> If you copy it rather than symlink, you will lose the ability that an
> update to the configmap will be reflected automatically inside of the
> container after a short period. If the file was something that was
> rescanned by the application, this allows changes to be pushed into a
> container without needing to do a restart. If you only read the file once
> on start up, then copying would be fine.
>
> Graham
>
>
>
> On 13 Dec 2017, at 8:26 pm, Tim Dudgeon wrote:
>
> Graham,
>
> Thanks for your help on this.
> I had managed to work around the problem in a way similar to how you
> described (but copying not symlinking). Not nice, but it works!
>
> On 12/12/17 21:10, Graham Dumpleton wrote:
>
> A belated update on this.
>
> The problem with using subPath is due to a SELinux issue in the kernel.
>
> There is an issue about it at:
>
> https://github.com/openshift/origin/issues/16951
>
> Whether you see it will depend on how SELinux is setup I guess.
>
> The only work around would be to mount it as a directory '..data' in the
> target directory, and then you create a symlink from startup run script in
> your source code to symlink the file in the '..data' directory into the
> parent. Know of no other solution at this point.
>
> Graham
>
> On 9 Dec 2017, at 8:36 pm, Tim Dudgeon wrote:
>
> If you mount onto a new directory you get the same problem.
> It only seems to happen when specifying a subPath as follows:
>
> - mountPath: /usr/local/tomcat/webapps/portal/META-INF/context.xml
>   name: squonk-sso-config
>   subPath: context.xml
>   readOnly: true
>
> If the whole configMap is mounted to a directory the contents are readable.
>
> And as mentioned already, if you do this in Minishift it works fine.
>
>
> On 09/12/17 02:16, Graham Dumpleton wrote:
>
> The permissions is correct. It is shown as decimal, not the octal you are
> setting it with.
>
> '%o' % 420
>
> '644'
>
> What happens when you mount the configmap onto a directory separate from
> anything else?
>
> Graham
>
> On 9 Dec 2017, at 4:02 am, Tim Dudgeon wrote:
>
> More on this.
>
> I find when I look a the deployment yaml that the volume ends up looking
> like this:
>
>   volumes:
>   - configMap:
>       defaultMode: 420
>       name: squonk-sso-config
>     name: squonk-sso-config
>
> This is despite `oc explain pod.spec.volumes.configMap` stating that the
> default for defaultMode is 0644.
>
> Even when I specify defaultMode: 0644 in the template it ends up being 420.
>
> Any idea what's going on?
>
>
> On 08/12/17 16:44, Tim Dudgeon wrote:
>
> Hi All,
>
> I'm having a problem mounting a file from a ConfigMap when running on an
> Openshift origin environment, but when doing the same on Minishift it works
> fine.
>
> I'm mounting the context.xml file from the ConfigMap into the container
> like this:
>
>   spec:
>     containers:
>     - image: ...
>       ...
>       volumeMounts:
>       - mountPath: /usr/local/tomcat/webapps/portal/META-INF/context.xml
>         name: my-configmap-vol
>         subPath: context.xml
>         readOnly: true
>     volumes:
>     - name: my-configmap-vol
>       configMap:
>         name: squonk-sso-config
>
> Within the container the file is there but has permissions problems:
>
> # ls -l
> ls: cannot access 'context.xml': Permission denied
> total 4
> -rw-r--r--. 1 root root 104 Dec  5 12:48 MANIFEST.MF
> -?? ? ??  ?? context.xml
>
> Any idea what's the problem?
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
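As an added example, not code from the thread, here is the startup-script half of the workaround Graham describes: mount the whole ConfigMap on a directory beside the target (no subPath) and have the container entrypoint link the single file into place. The mount point and the Tomcat META-INF path are assumed. The helper fails early if the mounted file cannot be read (the symptom a permission or SELinux problem produces, better caught before Tomcat starts than as a silent misconfiguration) and refuses to overwrite a real file that was baked into the image.

```sh
# Added example (not from the thread): link a file out of a
# directory-mounted ConfigMap to where the application expects it,
# instead of mounting it with subPath.
# Assumed layout: the ConfigMap is mounted on $META_INF/config and
# Tomcat wants $META_INF/context.xml.

# link_mounted_file MOUNT_DIR FILE TARGET_PATH
# Creates TARGET_PATH as a symlink to MOUNT_DIR/FILE.
# Returns 1 if the source is missing or unreadable, 2 if TARGET_PATH is a
# real file (never clobber something shipped in the image).
link_mounted_file() {
    mount_dir=$1; file=$2; target=$3
    src="$mount_dir/$file"
    if [ ! -r "$src" ]; then
        echo "link_mounted_file: cannot read $src" >&2
        return 1
    fi
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        echo "link_mounted_file: $target exists and is not a symlink" >&2
        return 2
    fi
    # Absolute link target: the ConfigMap's own ..data indirection lives
    # inside MOUNT_DIR, so pointing at MOUNT_DIR/FILE follows it correctly.
    ln -sfn "$src" "$target"
}

# Usage in a container entrypoint (assumed paths):
#   META_INF=/usr/local/tomcat/webapps/portal/META-INF
#   link_mounted_file "$META_INF/config" context.xml "$META_INF/context.xml" || exit 1
#   exec catalina.sh run
```

Because the link points into the mount directory, a ConfigMap update that swaps the `..data` symlink is visible through it, which is the property Graham notes above that a plain copy loses.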


Old JBoss AS 7.1.1 Java 7 container hangs

2017-11-16 Thread Joel Pearson
Hi,

I’m trying to get an existing docker container that has Oracle Java 7 and
JBoss AS 7.1.1 running in OpenShift 3.6.

However, when JBoss tries to start the JVM it hangs with no output. In a
terminal we've tried running the same Java command that standalone.sh runs,
and it hangs the same way. Outside the OpenShift context, in raw Docker,
it's fine. Normally I'd expect an error message or something, but just
hanging is strange.

Any ideas? I’m starting to wonder if I need to use strace or something like
that.

Thanks,

Joel


Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Thanks Lionel. I guess one way to make it secure would be to have a
certificate that’s valid on the internet. But I guess it’s not really
important if it’s all internal traffic.

I’ll try out that local option I think that’s what I want. Because I don’t
want to have to rely on the remote registry always being there, because
we’re thinking of shutting down our dev and test clusters at night time.

So it sounds like the local option means after it’s pulled once it will
exist in the local registry?
On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com> wrote:

> Hi Joel,
>
> By default the imported image stream tag will have a reference policy of
> Source. That means the pod will end up pulling the image from the remote
> registry directly. For that to work you have to link a secret containing
> the docker credentials with the deployment's sa. For the default sa this
> looks like this
>
>  oc secrets link default my-dockercfg --for=pull
>
> The other option is to set the istag's reference policy to Local.
>
> tags:
> - annotations: null
>   ...
>   name: latest
>   referencePolicy:
>     type: Local
>
> Now the pod will try to get the image from the local registry which in
> turn will pull from the remote. The registry will look for a dockercfg
> secret with the remote server name. By default communication with the
> remote registry will not use ssl. This is controlled by the istag import
> policy:
>
> importPolicy:
>   insecure: true
>
> I have not been able to get it to work with insecure: false. I can't find
> the right place to put the remote's ca for the registry to use it. But it
> all works well when insecure is true.
>
>
> Cheers
>
> Lionel
>
>
> On 18 November 2017 at 13:59, Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
>> Hi,
>>
>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to
>> pull an image from one openshift cluster to another.  I setup the docker
>> secrets, and it appeared to be working as there was a bunch of metadata
>> visible in the image stream.
>>
>> However, when I actually started a pod, it seemed that at that point it tried
>> to get the actual layers from the remote registry of the other openshift
>> cluster, and at this point it got some authentication error, which is super
>> bizarre since it happily imported all the metadata fine.
>>
>> Is there some way to actually do the equivalent of docker pull?  So that
>> the image data is transferred in that moment, as opposed to a on-demand
>> "lazy" transfer?
>>
>> Can "oc tag" actually copy the data?
>>
>> Thanks,
>>
>> Joel
>>


Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
So there is no way with the oc command to import an image and not have it
need the remote to exist after that? I’d just have to use docker push
instead?
On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:

> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com>
> wrote:
>
>> So it sounds like the local option means after it’s pulled once it will
>>> exist in the local registry?
>>
>>
>> Hmm It always seems to do the pull-through
>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>> Not sure what will happen if the remote is down.
>>
>
> the blobs will be mirrored in the local registry, but the manifest is not
> (currently) so the remote still needs to be accessible, but the pull should
> be faster once the blobs have been cached in the local registry.  (assuming
> mirroring pullthrough is turned on, which by default i believe it is).
>
>
>
>
>>
>> On 18 November 2017 at 16:53, Joel Pearson <japear...@agiledigital.com.au
>> > wrote:
>>
>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>> certificate that’s valid on the internet. But I guess it’s not really
>>> important if it’s all internal traffic.
>>>
>>> I’ll try out that local option I think that’s what I want. Because I
>>> don’t want to have to rely on the remote registry always being there,
>>> because we’re thinking of shutting down our dev and test clusters at night
>>> time.
>>>
>>> So it sounds like the local option means after it’s pulled once it will
>>> exist in the local registry?
>>>
>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com>
>>> wrote:
>>>
>>>> Hi Joel,
>>>>
>>>> By default the imported image stream tag will have a reference policy
>>>> of Source. That means the pod will end up pulling the image from the remote
>>>> registry directly. For that to work you have to link a secret containing
>>>> the docker credentials with the deployment's sa. For the default sa this
>>>> looks like this
>>>>
>>>>  oc secrets link default my-dockercfg --for=pull
>>>>
>>>> The other option is to set the istag's reference policy to Local.
>>>>
>>>> tags:
>>>> - annotations: null
>>>>   ...
>>>>   name: latest
>>>>   referencePolicy:
>>>>     type: Local
>>>>
>>>> Now the pod will try to get the image from the local registry which in
>>>> turn will pull from the remote. The registry will look for a dockercfg
>>>> secret with the remote server name. By default communication with the
>>>> remote registry will not use ssl. This is controlled by the istag import
>>>> policy:
>>>>
>>>> importPolicy:
>>>>   insecure: true
>>>>
>>>> I have not been able to get it to work with insecure: false. I can't
>>>> find the right place to put the remote's ca for the registry to use it. But
>>>> it all works well when insecure is true.
>>>>
>>>>
>>>> Cheers
>>>>
>>>> Lionel
>>>>
>>>>
>>>> On 18 November 2017 at 13:59, Joel Pearson <
>>>> japear...@agiledigital.com.au> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image"
>>>>> to pull an image from one openshift cluster to another.  I setup the 
>>>>> docker
>>>>> secrets, and it appeared to be working as there was a bunch of metadata
>>>>> visible in the image stream.
>>>>>
>>>>> However, when I actually started a pod, it seemed that at that point it
>>>>> tried to get the actual layers from the remote registry of the other
>>>>> openshift cluster, and at this point it got some authentication error,
>>>>> which is super bizarre since it happily imported all the metadata fine.
>>>>>
>>>>> Is there some way to actually do the equivalent of docker pull?  So
>>>>> that the image data is transferred in that moment, as opposed to a
>>>>> on-demand "lazy" transfer?
>>>>>
>>>>> Can "oc tag" actually copy the data?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Joel
>>>>>
>
> --
> Ben Parees | OpenShift
>
>


Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Ahh ok. Is there some way to abuse build configs to push existing images
to remote OpenShift registries?
On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:

> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> So there is no way with the oc command to import an image and not have it
>> need the remote to exist after that? I’d just have to use docker push
>> instead?
>
>
> currently that is correct.
>
>
>>
>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>>
>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com>
>>> wrote:
>>>
>>>> So it sounds like the local option means after it’s pulled once it will
>>>>> exist in the local registry?
>>>>
>>>>
>>>> Hmm It always seems to do the pull-through
>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>> Not sure what will happen if the remote is down.
>>>>
>>>
>>> the blobs will be mirrored in the local registry, but the manifest is
>>> not (currently) so the remote still needs to be accessible, but the pull
>>> should be faster once the blobs have been cached in the local registry.
>>> (assuming mirroring pullthrough is turned on, which by default i believe it
>>> is).
>>>
>>>
>>>
>>>
>>>>
>>>> On 18 November 2017 at 16:53, Joel Pearson <
>>>> japear...@agiledigital.com.au> wrote:
>>>>
>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>> important if it’s all internal traffic.
>>>>>
>>>>> I’ll try out that local option I think that’s what I want. Because I
>>>>> don’t want to have to rely on the remote registry always being there,
>>>>> because we’re thinking of shutting down our dev and test clusters at night
>>>>> time.
>>>>>
>>>>> So it sounds like the local option means after it’s pulled once it
>>>>> will exist in the local registry?
>>>>>
>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Joel,
>>>>>>
>>>>>> By default the imported image stream tag will have a reference policy
>>>>>> of Source. That means the pod will end up pulling the image from the 
>>>>>> remote
>>>>>> registry directly. For that to work you have to link a secret containing
>>>>>> the docker credentials with the deployment's sa. For the default sa this
>>>>>> looks like this
>>>>>>
>>>>>>  oc secrets link default my-dockercfg --for=pull
>>>>>>
>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>
>>>>>> tags:
>>>>>> - annotations: null
>>>>>>   ...
>>>>>>   name: latest
>>>>>>   referencePolicy:
>>>>>>     type: Local
>>>>>>
>>>>>> Now the pod will try to get the image from the local registry which
>>>>>> in turn will pull from the remote. The registry will look for a dockercfg
>>>>>> secret with the remote server name. By default communication with the
>>>>>> remote registry will not use ssl. This is controlled by the istag import
>>>>>> policy:
>>>>>>
>>>>>> importPolicy:
>>>>>>   insecure: true
>>>>>>
>>>>>> I have not been able to get it to work with insecure: false. I can't
>>>>>> find the right place to put the remote's ca for the registry to use it. 
>>>>>> But
>>>>>> it all works well when insecure is true.
>>>>>>
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Lionel
>>>>>>
>>>>>>
>>>>>> On 18 November 2017 at 13:59, Joel Pearson <
>>>>>> japear...@agiledigital.com.au> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>&

Re: SSO with OAUTH/OIDC between OpenShift and Jenkins not working

2017-11-17 Thread Joel Pearson
I’ve had this problem too. You need to use the original route name (you can
change the host name) as the Jenkins service account refers to the route
name for oauth purposes.
On Sat, 18 Nov 2017 at 4:13 pm, Marc Boorshtein 
wrote:

> I have a fresh install of Origin 3.6.1 on CentOS 7.  In my project I
> created a new persistent jenkins from the template included in origin with
> oauth enabled.  It creates a route to 127.0.0.1.nip.io.  When I create a
> new route with a routable domain name, and I try to login I get the
> following error:
>
> {
>   "error": "invalid_request",
>   "error_description": "The request is missing a required parameter, includes 
> an invalid parameter value, includes a parameter more than once, or is 
> otherwise malformed.",
>   "state": "NGEyNWJlOTgtZTZlZC00"
> }
>
> The redirect looks like:
>
> https://oslocal.tremolo.lan:8443/oauth/authorize?client_id=system:serviceaccount:jjacksontest:jenkins&redirect_uri=https://jenkins-jjacksontest.192.168.2.140.nip.io/securityRealm/finishLogin&response_type=code&scope=user:info
>  user:check-access&state=NGEyNWJlOTgtZTZlZC00
>
> I suspect the issue is that the redirect_uri is different then what is 
> expected, but I can't find a secret or environment variable to set so it 
> knows the correct redirect_uri.  Is there some place I can set that?
>
> Thanks
>
> Marc
>
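As an added example, not code from the thread, the check behind the error above, written in shell. A service-account OAuth client gets its permitted redirect URIs from a `serviceaccounts.openshift.io/oauth-redirectreference.<key>` annotation on the service account that names a Route (the Jenkins template sets one up for the Route it creates); the `redirect_uri` in the request must land on one of that Route's hosts, which is why a new Route with a different name is rejected unless the annotation is changed to point at it. The first function builds the annotation value for a Route name, the second applies the host comparison to a redirect URI; service-account and route names and the host list are assumed, and this example additionally insists on `https`, which is a choice of the example rather than something the page states.

```sh
# Added example (not from the thread). Models the redirect_uri check an
# OpenShift service-account OAuth client is subject to, and builds the
# annotation that lets a Route's hosts through that check.
# Assumed names: service account "jenkins", Route "jenkins", the hosts below.

# redirect_reference_json ROUTE_NAME
# Value for serviceaccounts.openshift.io/oauth-redirectreference.<key>.
redirect_reference_json() {
    printf '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"%s"}}' "$1"
}

# uri_host URI -> host part of a URI, lower-cased, port stripped
uri_host() {
    h=${1#*://}; h=${h%%/*}; h=${h%%:*}
    printf '%s' "$h" | tr 'A-Z' 'a-z'
}

# redirect_uri_allowed REDIRECT_URI "host1 host2 ..."
# Succeeds only when the redirect host is exactly one of the given Route
# hosts. Suffix and wildcard matches are deliberately not accepted: an
# attacker-controlled subdomain must not receive the authorization code.
redirect_uri_allowed() {
    want=$(uri_host "$1")
    case "$1" in https://*) ;; *) return 1 ;; esac   # this example requires TLS
    for h in $2; do
        [ "$want" = "$(printf '%s' "$h" | tr 'A-Z' 'a-z')" ] && return 0
    done
    return 1
}

# Typical use on a cluster (needs oc; shown for context, assumed names):
#   oc annotate sa jenkins --overwrite \
#     serviceaccounts.openshift.io/oauth-redirectreference.jenkins="$(redirect_reference_json jenkins)"
#   oc get route jenkins -o jsonpath='{.spec.host}'   # host the check is made against
```

Keeping the annotation and the Route in step is the whole fix: either keep the original Route name and only change its host, as the reply suggests, or re-point the annotation at the new Route.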


Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-18 Thread Joel Pearson
Wow! Thanks Lars, I’ll try out your ideas on Monday.
On Sat, 18 Nov 2017 at 10:34 pm, Lars Milland <l...@mailme.dk> wrote:

> Hi
>
> This limitation (or "design") of oc import-image, and also the limitation
> of docker push, where one needs to have the image locally to be able to push
> it, is the reason why we have shifted to using Skopeo for all such Docker
> image importing.
>
> We have two OpenShift environments with their own OpenShift Docker
> Registries inside, one for test and one for production, and move images up
> from test through the use of Skopeo, using OpenShift service account
> credentials in Jenkins pipelines running from the production OpenShift
> environment. That way we ensure that images are always available in the
> embedded OpenShift Docker registry, and the OpenShift environment is not
> dependent on other resources, in this case an external Docker registry.
>
> We are then also using Skopeo to copy in Docker images that are not our
> own, from DockerHub or other Docker registries outside our OpenShift
> environments.
>
> We have added the Skopeo command to the Jenkins slave images we use for
> all deployment pipeline activities, so imports of images across environments
> can be run inside our Jenkins pipelines.
>
> So a Jenkins based pipeline that imports a Java application based image
> and activates the matching Fabric8 based DeploymentConfig, running from the
> OpenShift production environment as a Maven/Fabric8/Skopeo Jenkins slave
> connecting to the OpenShift Test environment, would look like this:
>
> // Read the artifact version out of pom.xml; it becomes part of the image tag.
> def version() {
>   def matcher = readFile('pom.xml') =~ '<version>(.+)</version>'
>   matcher ? matcher[0][1] : null
> }
>
> def destNamespace = 'myproject'
> def srcRegistry = 'registry-test.mydomain.com:443'
> def destRegistry = 'docker-registry.default.svc:5000'
> def srcNamespace = 'myproject-preproduction'
> def application = 'myapp'
> def version = version()
> def tag = application + '-' + version
> def kubernetesserver = 'https://kubernetes.default:443'
> def srckubernetesserver = 'https://openshift-test.mydomain.com:8443'
> def replicaCount = '2'
>
> node('java8-maven') {
>     withEnv(["KUBERNETES_TRUST_CERTIFICATES=true",
>              "KUBERNETES_NAMESPACE=${destNamespace}"]) {
>
>         checkout scm
>
>         stage('Import Image') {
>             // Tokens for the test (source) and production (destination) service accounts.
>             withCredentials([
>                 usernamePassword(
>                     credentialsId: 'test-myproject-builder',
>                     passwordVariable: 'SRC_TOKEN',
>                     usernameVariable: 'SRC_USERNAME'),
>                 usernamePassword(
>                     credentialsId: 'prod-myproject-builder',
>                     passwordVariable: 'DEST_TOKEN',
>                     usernameVariable: 'DEST_USERNAME')
>             ]) {
>                 // The registry names are Groovy variables, so they are interpolated here, not by the shell.
>                 sh """
>                 echo "Importing image with Skopeo ${srcRegistry}/${srcNamespace}/${application}:${tag} -> ${destRegistry}/${destNamespace}/${application}:${tag}"
>
>                 oc login ${kubernetesserver} --token=${DEST_TOKEN} --insecure-skip-tls-verify
>                 oc login ${srckubernetesserver} --token=${SRC_TOKEN} --insecure-skip-tls-verify
>
>                 skopeo --debug copy --src-tls-verify=false --dest-tls-verify=false --src-creds openshift:${SRC_TOKEN} --dest-creds openshift:${DEST_TOKEN} atomic:${srcRegistry}/${srcNamespace}/${application}:${tag} atomic:${destRegistry}/${destNamespace}/${application}:${tag}
>
>                 echo 'Executing deploy of latest DeploymentController'
>                 oc login ${kubernetesserver} --token=\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) --insecure-skip-tls-verify
>
>                 mvn -B -e -Dappargs='--spring.profiles.active=production --spring.cloud.kubernetes.secrets.paths=/tmp/applicationproperties' -Dmaven.test.skip=true -Djava.net.preferIPv4Stack=true -Dfabric8.mode=openshift -Dfabric8.skipResourceValidation=true -Dopenshiftnamespace=${destNamespace} -Dreplicas=${replicaCount} clean fabric8:resource-apply -s devops/maven/settings.xml
>
>                 oc rollout latest dc/${application} -n ${destNamespace}
>                 """
>
>                 openshiftVerifyDeployment depCfg: "${application}", namespace: "${destNamespace}", verifyReplicaCount: "${replicaCount}"
>             }
>         }
>     }
> }
>
> Best regards
>
> Lars Milland
>
>
>
> *From:* users-boun...@lists.openshift.
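As an added example, not Lars's code, the same image copy with TLS verification left on and the tokens kept out of the process list. The pipeline above disables certificate checking on both registries (`--src-tls-verify=false`, `--dest-tls-verify=false`) and on both `oc login` calls, and passes the tokens as `--src-creds`/`--dest-creds`, where anyone who can run `ps` on the Jenkins slave can read them. Here the registry CA bundles are handed to skopeo with `--src-cert-dir`/`--dest-cert-dir`, and both tokens go into a 0600 docker-style auth file passed with `--authfile`. Registry hostnames, CA directory paths and the token variables are assumed; `docker://` is skopeo's generic registry transport and works against the OpenShift registry when the token is supplied this way.

```sh
# Added example (not the pipeline's code). Copies an image between two
# OpenShift registries with TLS verification on and tokens kept off argv.
# Assumed: the registry hosts, the CA bundle directories, and that the
# tokens arrive in SRC_TOKEN / DEST_TOKEN (e.g. from Jenkins withCredentials).

# write_authfile OUT_PATH REGISTRY1 TOKEN1 REGISTRY2 TOKEN2
# Writes a docker config.json usable with `skopeo copy --authfile`, mode 0600.
# The OpenShift registry accepts basic auth as "openshift:<token>".
write_authfile() {
    out=$1
    a1=$(printf '%s' "openshift:$3" | base64 | tr -d '\n')
    a2=$(printf '%s' "openshift:$5" | base64 | tr -d '\n')
    # umask in a subshell so the file is created 0600 without changing the caller's umask
    ( umask 077; printf '{"auths":{"%s":{"auth":"%s"},"%s":{"auth":"%s"}}}\n' \
        "$2" "$a1" "$4" "$a2" > "$out" )
}

# skopeo_copy SRC_REF DEST_REF AUTHFILE SRC_CA_DIR DEST_CA_DIR
# Verification stays enabled; the CA for each side is given explicitly.
# SKOPEO can be overridden (e.g. to "echo") to inspect the command line.
skopeo_copy() {
    "${SKOPEO:-skopeo}" copy \
        --src-tls-verify=true --dest-tls-verify=true \
        --src-cert-dir="$4" --dest-cert-dir="$5" \
        --authfile="$3" \
        "docker://$1" "docker://$2"
}

# Example run (assumed values):
#   AUTH=$(mktemp)
#   write_authfile "$AUTH" registry-test.mydomain.com:443 "$SRC_TOKEN" \
#                  docker-registry.default.svc:5000 "$DEST_TOKEN"
#   skopeo_copy registry-test.mydomain.com:443/myproject-preproduction/myapp:myapp-1.0 \
#               docker-registry.default.svc:5000/myproject/myapp:myapp-1.0 \
#               "$AUTH" /etc/pki/skopeo/test /etc/pki/skopeo/prod
#   rm -f "$AUTH"
```

The same applies to the `oc login` calls: give them the cluster CA with `--certificate-authority=<file>` instead of `--insecure-skip-tls-verify`, otherwise the pipeline will happily hand its tokens to anything answering on the API port.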

OpenShift registry behind registry auth issues

2017-11-20 Thread Joel Pearson
Hi,

I spent most of the day debugging why my OpenShift registry wasn't working,
because the cluster lives behind an HTTP proxy. I can see OpenShift ansible
configured the registry with proxy settings including no_proxy, but in the
error logs I could see that during authentication it was trying to talk to the
master api server at 172.30.0.1, which wasn't in the no_proxy env
setting, so the proxy was trying to resolve it and failing.

So that can be fixed by adding 172.30.0.1 to no_proxy, but it felt a bit
hacky. A dns name would be better as they’re easier to wildcard in
no_proxy.

I want to know how the registry knows to use the IP address of the master
api server instead of a dns name? I couldn't see a reference to the api
server in /etc/registry. Where does it get that from? Is it part of a
docker secret?

Thanks,

Joel
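As an added example, not from the post, the matching rule that Go's net/http applies to NO_PROXY (the registry and the OpenShift components are Go programs), so an entry can be checked before a redeploy rather than by reading the proxy's error log. An entry matches a host exactly, or as a domain suffix at a dot boundary (`.svc` and `svc` both cover `docker-registry.default.svc`); `*` matches everything. There is no prefix or wildcard matching, so `172.30.0.1` covers the service IP but `172.30` covers nothing, and `.svc` cannot cover a bare IP. CIDR entries are not handled here, since whether they work depends on the Go version the program was built with. A pod's in-cluster client takes the API server address from the `KUBERNETES_SERVICE_HOST`/`KUBERNETES_SERVICE_PORT` environment variables every pod receives, which is why the registry dials the service IP rather than a name. The NO_PROXY lists in the usage note are constructed.

```sh
# Added example (not from the post): NO_PROXY matching as Go's net/http does it.

# no_proxy_matches HOST NO_PROXY_LIST
# Exit 0 when HOST bypasses the proxy under NO_PROXY_LIST (comma separated):
# "*" matches all; an entry matches exactly, or as a domain suffix at a dot
# boundary (".svc" and "svc" both match "a.b.svc"). Ports are ignored on both
# sides. No prefix, wildcard or CIDR matching is done.
no_proxy_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); host=${host%%:*}
    [ "$2" = "*" ] && return 0
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        p=$(printf '%s' "$p" | tr 'A-Z' 'a-z'); p=${p%%:*}
        [ -z "$p" ] && continue
        [ "$host" = "$p" ] && return 0
        case "$p" in
            .*) case "$host" in *"$p") return 0 ;; esac
                [ "$host" = "${p#.}" ] && return 0 ;;
            *)  case "$host" in *."$p") return 0 ;; esac ;;
        esac
    done
    return 1
}

# missing_no_proxy "host1 host2 ..." NO_PROXY_LIST
# Prints each host that would still be sent through the proxy.
missing_no_proxy() {
    for h in $1; do
        no_proxy_matches "$h" "$2" || printf '%s\n' "$h"
    done
}

# Usage on a registry node (constructed list; the service IP is the one from the post):
#   missing_no_proxy "172.30.0.1 docker-registry.default.svc kubernetes.default.svc" \
#       ".cluster.local,.svc,localhost,127.0.0.1"
#   # prints 172.30.0.1 -> add it (or the full service CIDR, if the client supports CIDR)
```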


Re: How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-18 Thread Joel Pearson
It would introduce a new final layer right? Because after every build,
OpenShift automatically adds a bunch of labels?
On Sun, 19 Nov 2017 at 7:13 am, Ben Parees <bpar...@redhat.com> wrote:

> On Sat, Nov 18, 2017 at 2:54 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> Ahh ok. Is there some way to abuse build configs to push existing images
>> to remote OpenShift registries?
>
>
> technically you could probably have a dockerfile that just says "FROM
> imagex" and nothing else, and put that in a buildconfig.
>
> I'm not sure if that would introduce any new layers during the docker
> build or not.
>
> But it's probably not the right solution for moving images around
> regardless.
>
>
>>
>> On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:
>>
>>> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <
>>> japear...@agiledigital.com.au> wrote:
>>>
>>>> So there is no way with the oc command to import an image and not have
>>>> it need the remote to exist after that? I’d just have to use docker push
>>>> instead?
>>>
>>>
>>> currently that is correct.
>>>
>>>
>>>>
>>>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>>>>
>>>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>>> will exist in the local registry?
>>>>>>
>>>>>>
>>>>>> Hmm It always seems to do the pull-through
>>>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>>>> Not sure what will happen if the remote is down.
>>>>>>
>>>>>
>>>>> the blobs will be mirrored in the local registry, but the manifest is
>>>>> not (currently) so the remote still needs to be accessible, but the pull
>>>>> should be faster once the blobs have been cached in the local registry.
>>>>> (assuming mirroring pullthrough is turned on, which by default i believe 
>>>>> it
>>>>> is).
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On 18 November 2017 at 16:53, Joel Pearson <
>>>>>> japear...@agiledigital.com.au> wrote:
>>>>>>
>>>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>>>> important if it’s all internal traffic.
>>>>>>>
>>>>>>> I’ll try out that local option I think that’s what I want. Because I
>>>>>>> don’t want to have to rely on the remote registry always being there,
>>>>>>> because we’re thinking of shutting down our dev and test clusters at 
>>>>>>> night
>>>>>>> time.
>>>>>>>
>>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>>> will exist in the local registry?
>>>>>>>
>>>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Joel,
>>>>>>>>
>>>>>>>> By default the imported image stream tag will have a reference
>>>>>>>> policy of Source. That means the pod will end up pulling the image 
>>>>>>>> from the
>>>>>>>> remote registry directly. For that to work you have to link a secret
>>>>>>>> containing the docker credentials with the deployment's sa. For the 
>>>>>>>> default
>>>>>>>> sa this looks like this
>>>>>>>>
>>>>>>>>  oc secrets link default my-dockercfg --for=pull
>>>>>>>>
>>>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>>>
>>>>>>>> tags:
>>>>>>>> - annotations: null
>>>>>>>>   ...
>>>>>>>>   name: la

Re: Re-configure openshift cluster using ansible

2017-11-21 Thread Joel Pearson
For reference what you're after is:

openshift_disable_check=disk_availability

On Wed, Nov 22, 2017 at 5:05 AM Scott Dodson  wrote:

> It really depends on the configuration changes you want to make whether or
> not you can simply re-run config.yml and get what you're looking for.
> Things like hostnames that get placed in certs and certain network
> configuration such as services and cluster CIDR ranges are immutable and
> cannot be changed via the installer.
>
> As far as the health check goes, you should be able to disable any health
> check by setting the variable that's emitted in the error message.
>
> On Tue, Nov 21, 2017 at 11:25 AM, Alon Zusman 
> wrote:
>
>> Hello,
>> I could not figure out how I can change the inventory file for new
>> configurations and then Re-configure my current cluster.
>>
>> Whenever I re run the configure.yml in the byo folder, it checks again
>> the minimal requirements and my /var is already less than 40G after the
>> installation.
>>
>> Thanks.
>>


How to pull images from a remote registry with the actual layers instead of just metadata?

2017-11-17 Thread Joel Pearson
Hi,

I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to
pull an image from one openshift cluster to another.  I setup the docker
secrets, and it appeared to be working as there was a bunch of metadata
visible in the image stream.

However, when I actually started a pod, it seemed that at that point it tried to
get the actual layers from the remote registry of the other openshift
cluster, and at this point it got some authentication error, which is super
bizarre since it happily imported all the metadata fine.

Is there some way to actually do the equivalent of docker pull?  So that
the image data is transferred in that moment, as opposed to a on-demand
"lazy" transfer?

Can "oc tag" actually copy the data?

Thanks,

Joel


Re: ansible with openstack cloud provider

2017-11-04 Thread Joel Pearson
I found it worked better if it uses the v3 keystone api. I tried the v2
keystone api, and it didn't work out of the box, I had to manually modify
openstack.conf file.  It seems like something is not right, but I lost
interest in the problem and just made the variables available that it
wanted.

If you have issues with cinder, you might need to try my pull request too.

https://github.com/openshift/openshift-ansible/pull/5776

On Sat, Nov 4, 2017 at 9:21 PM Joel Pearson <japear...@agiledigital.com.au>
wrote:

> Yes mine too, but if you want it to work you need to add it back. I
> grabbed those values from the v2 RC file.
> On Sat, 4 Nov 2017 at 9:20 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>
>> Yes, I removed those because my setup file (Newton release) included this:
>>
>> # unset v2.0 items in case set
>> unset OS_TENANT_ID
>> unset OS_TENANT_NAME
>>
>> Is openshift expecting an earlier release?
>>
>> On 04/11/2017 09:51, Joel Pearson wrote:
>>
>> I added this to mine:
>>
>> openshift_cloudprovider_openstack_tenant_name: "{{
>> lookup('env','OS_TENANT_NAME') }}"
>>
>> On Sat, Nov 4, 2017 at 8:50 PM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>> You're missing "(openshift_cloudprovider_openstack_tenant_id or
>>> openshift_cloudprovider_openstack_tenant_name )"
>>>
>>> See: (openshift_cloudprovider_openstack_tenant_id is defined or
>>> openshift_cloudprovider_openstack_tenant_name is defined) in the file below
>>>
>>>
>>> https://github.com/openshift/openshift-ansible/blob/81cf5123366814d098b7ca169a6e4deb2759507d/roles/openshift_cloud_provider/tasks/openstack.yml#L10
>>>
>>> On Sat, Nov 4, 2017 at 8:41 PM Tim Dudgeon <tdudgeon...@gmail.com>
>>> wrote:
>>>
>>>> On 03/11/2017 22:24, Joel Pearson wrote:
>>>>
>>>> Are you actually filling in those values with anything?
>>>>
>>>> Yes, all have values, I just didn't want to divulge them.
>>>>
>>>> I setup OpenShift on OpenStack Kilo and I needed to make sure I was
>>>> using the v3 rc file and I also had an issue with block storage in the
>>>> OpenStack file which I submitted a patch for.
>>>>
>>>> Are you using this OpenShift on OpenStack repo?
>>>>
>>>>
>>>> https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/README.md
>>>>
>>>> No, the infrastructure is already provisioned. I'm, just using the
>>>> openshift-ansible/playbooks/byo/config.yml playbook to provision openshift.
>>>>
>>>>
>>>>
>>>> The error message suggests that potentially none of the variables have
>>>> a value so the file isn’t being generated.
>>>>
>>>> Well, they do have values and the file is not being generated. That's
>>>> what I'm wanting to resolve.
>>>>
>>>>
>>>> On Sat, 4 Nov 2017 at 5:50 am, Tim Dudgeon <tdudgeon...@gmail.com>
>>>> wrote:
>>>>
>>>>> I'm trying to use the openstack provisioning stuff (cinder volumes
>>>>> etc.)
>>>>> using the Ansible installer.
>>>>>  From the origin docs key to this is to enable the openstack cloud
>>>>> provider, which I try to do this this:
>>>>>
>>>>> openshift_cloudprovider_kind=openstack
>>>>> openshift_cloudprovider_openstack_auth_url=
>>>>> openshift_cloudprovider_openstack_username=
>>>>> openshift_cloudprovider_openstack_password=
>>>>> openshift_cloudprovider_openstack_domain_name=
>>>>> openshift_cloudprovider_openstack_region=
>>>>> openshift_cloudprovider_openstack_lb_subnet_id=
>>>>>
>>>>>
>>>>> But the Ansible installer fails (those being the only changes to the
>>>>> inventory file that otherwise works fine).
>>>>> Looking into the journal I find:
>>>>>
>>>>> 28188 plugins.go:115] Couldn't open cloud provider configuration
>>>>> /etc/origin/cloudprovider/openstack.conf: {Op:"open",
>>>>> Path:"/etc/origin/cloudprovider/openstack.conf", Err:0x2}
>>>>>
>>>>> And indeed the /etc/origin/cloudprovider/ dir is empty.
>>>>>
>>>>> So am I missing something important here?
>>>>>
>>>>> __

Failing to install containerized version of origin

2017-11-06 Thread Joel Pearson
Hi,

I'm trying to install Origin 3.6.1 in AWS, and the containerized version
isn't working because the redhat registry isn't setup correctly via the
ansible scripts.

I'm using the release-3.6 branch:
https://github.com/openshift/openshift-ansible/tree/release-3.6

And latest master of
https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture/aws-ansible

And latest Centos 7 (1708_01), which is 7.4.

I've noticed it's partially configured the redhat registry, but that
certificate is missing, so the etcd image doesn't pull down correctly.

What did you have to do to enable the redhat registry?

I thought openshift-ansible scripts would add the registry automatically,
but it's not quite working, there is a bad symlink it seems:

[ec2-user@ip-10-2-8-9 ~]$ sudo docker pull registry.access.redhat.com/rhel7/etcd
Using default tag: latest
Trying to pull repository registry.access.redhat.com/rhel7/etcd ...
open /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt: no such file or directory
[ec2-user@ip-10-2-8-9 ~]$ ls -la /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt
lrwxrwxrwx. 1 root root 27 Nov  3 04:43 /etc/docker/certs.d/registry.access.redhat.com/redhat-ca.crt -> /etc/rhsm/ca/redhat-uep.pem
[ec2-user@ip-10-2-8-9 ~]$

Ideas?

Strangely the rpm version is failing now when it was working last week too,
it fails starting the master apis, I'm thinking maybe Centos 7.4 is not
supported or the release-3.6 branch is no longer stable.  But I want the
containerized version now, so that I can get 3.6.1, as it looks like there
are no rpms for 3.6.1 yet.

Thanks,

-Joel
-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Failing to install containerized version of origin

2017-11-06 Thread Joel Pearson
It looks like the docker package was the one to install redhat registry, so
I guess the problem lies in there.  I guess I'll just make that certificate
exist.

[root@ip-10-2-7-120 ~]# rpm -qf /etc/docker/certs.d/
registry.access.redhat.com/redhat-ca.crt
docker-1.12.6-61.git85d7426.el7.centos.x86_64


-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Failing to install containerized version of origin

2017-11-06 Thread Joel Pearson
Hi Scott,

The problem is the CA file didn't exist, so it would refuse to pull; it
seems to be a gap in the docker rpm.  It blindly creates symlinks to the
redhat ca, but doesn't make sure that file actually exists:

See here:
https://git.centos.org/blob/rpms!docker.git/0ed995e7fde2a28653cee391a37233e0323e8b61/SPECS!docker.spec#L449

To get around this problem I just created an empty file, because I figured
the redhat registry would use a valid certificate, which was a correct
assumption it seems.

This was my solution in ansible:

  - name: create redhat rhsm directory
    file:
      path: /etc/rhsm/ca
      mode: '0755'
      state: directory
      recurse: yes

  - name: Create an empty redhat ca file
    # the docker rpm's symlink under /etc/docker/certs.d points at this
    # path; an empty file satisfies it, and the registry's certificate is
    # then validated against the system CA bundle
    command: touch /etc/rhsm/ca/redhat-uep.pem
    args:
      creates: /etc/rhsm/ca/redhat-uep.pem

So, do you think it is better to pull from the fedora registry? Or it
doesn't matter.  I can pull from the redhat registry fine now.

Thanks,

Joel

On Tue, Nov 7, 2017 at 1:25 PM Scott Dodson <sdod...@redhat.com> wrote:

> Joel,
>
> Can you clarify, you're saying even with the CA you referenced you cannot
> pull the etcd image? I think we've got a gap in that our containerized CI
> tests happen on a RHEL host which may have additional certificates deployed
> which allows for pulling that image whereas centos hosts may not be able
> to. For now you can set osm_etcd_image=registry.fedoraproject.org/f26/etcd
> to pull from fedora rather than rhel repos. We're going to work on making
> that the default for origin installs.
>
> Also, the origin 3.6.1 RPMs were tagged into the release repos today so
> those should soon be available if you prefer RPM based installs.
>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
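A check for the failure mode discussed in this thread (a docker certs.d entry that is a symlink to a CA file that does not exist), as an added example that is not from the thread or from openshift-ansible. It rebuilds the layout from the ls -la output above under a temporary directory instead of touching /etc, so the reported paths are constructed; the audit function itself can be pointed at a real /etc/docker/certs.d. It also flags the empty-file workaround, because an empty .crt adds no trust anchor: docker still appends the directory's certificates to the system CA pool, so the pull works only because the registry presents a publicly trusted certificate.

```python
import os
import tempfile

REGISTRY = "registry.access.redhat.com"          # registry from the thread
CA_LINK = "redhat-ca.crt"                         # symlink name the docker rpm creates
DANGLING = "dangling symlink -> "
EMPTY = "empty CA file (adds no trust anchor)"
NOT_PEM = "no PEM certificate block"


def audit_certs_dir(certs_dir):
    """Walk a docker certs.d tree and return (registry, file, problem) tuples.

    Docker reads every *.crt under certs.d/<registry>/ as an extra CA; a
    symlink whose target is missing makes every pull from that registry
    fail with 'no such file or directory', exactly as in the thread.
    """
    findings = []
    if not os.path.isdir(certs_dir):
        return findings
    for registry in sorted(os.listdir(certs_dir)):
        reg_dir = os.path.join(certs_dir, registry)
        if not os.path.isdir(reg_dir):
            continue
        for name in sorted(os.listdir(reg_dir)):
            path = os.path.join(reg_dir, name)
            if os.path.islink(path) and not os.path.exists(path):
                findings.append((registry, name, DANGLING + os.readlink(path)))
            elif name.endswith(".crt") and os.path.isfile(path):
                with open(path, "rb") as fh:
                    data = fh.read()
                if not data:
                    findings.append((registry, name, EMPTY))
                elif b"-----BEGIN CERTIFICATE-----" not in data:
                    findings.append((registry, name, NOT_PEM))
    return findings


def build_sample_tree():
    """Constructed sample: the layout from the 'ls -la' above, in a temp dir.

    Returns (certs_dir, ca_target). The symlink is created but its target
    is not, reproducing the state the docker rpm leaves on a CentOS host.
    """
    root = tempfile.mkdtemp(prefix="certsd-audit-")
    certs_dir = os.path.join(root, "etc", "docker", "certs.d")
    ca_target = os.path.join(root, "etc", "rhsm", "ca", "redhat-uep.pem")
    os.makedirs(os.path.join(certs_dir, REGISTRY))
    os.symlink(ca_target, os.path.join(certs_dir, REGISTRY, CA_LINK))
    return certs_dir, ca_target


def apply_workaround(ca_target):
    """The workaround from the thread: create the missing file, empty."""
    os.makedirs(os.path.dirname(ca_target), exist_ok=True)
    open(ca_target, "ab").close()   # equivalent of 'touch'
    return ca_target


if __name__ == "__main__":
    certs_dir, ca_target = build_sample_tree()
    for finding in audit_certs_dir(certs_dir):
        print("before workaround:", finding)
    apply_workaround(ca_target)
    for finding in audit_certs_dir(certs_dir):
        print("after workaround: ", finding)
```

Run it as-is to see the two states; on a real host call audit_certs_dir("/etc/docker/certs.d") and treat any dangling or empty entry as a pull that will either fail outright or silently fall back to the system trust store.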


Re: ansible with openstack cloud provider

2017-11-03 Thread Joel Pearson
Are you actually filling in those values with anything? I setup OpenShift
on OpenStack Kilo and I needed to make sure I was using the v3 rc file and
I also had an issue with block storage in the OpenStack file which I
submitted a patch for.

Are you using this OpenShift on OpenStack repo?

https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/README.md

The error message suggests that potentially none of the variables have a
value so the file isn’t being generated.
On Sat, 4 Nov 2017 at 5:50 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> I'm trying to use the openstack provisioning stuff (cinder volumes etc.)
> using the Ansible installer.
> From the origin docs, key to this is to enable the openstack cloud
> provider, which I try to do like this:
>
> openshift_cloudprovider_kind=openstack
> openshift_cloudprovider_openstack_auth_url=
> openshift_cloudprovider_openstack_username=
> openshift_cloudprovider_openstack_password=
> openshift_cloudprovider_openstack_domain_name=
> openshift_cloudprovider_openstack_region=
> openshift_cloudprovider_openstack_lb_subnet_id=
>
>
> But the Ansible installer fails (those being the only changes to the
> inventory file that otherwise works fine).
> Looking into the journal I find:
>
> 28188 plugins.go:115] Couldn't open cloud provider configuration
> /etc/origin/cloudprovider/openstack.conf: {Op:"open",
> Path:"/etc/origin/cloudprovider/openstack.conf", Err:0x2}
>
> And indeed the /etc/origin/cloudprovider/ dir is empty.
>
> So am I missing something important here?
>
>
-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: ansible with openstack cloud provider

2017-11-04 Thread Joel Pearson
I added this to mine:

openshift_cloudprovider_openstack_tenant_name: "{{
lookup('env','OS_TENANT_NAME') }}"

-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: ansible with openstack cloud provider

2017-11-04 Thread Joel Pearson
You're missing "(openshift_cloudprovider_openstack_tenant_id or
openshift_cloudprovider_openstack_tenant_name )"

See: (openshift_cloudprovider_openstack_tenant_id is defined or
openshift_cloudprovider_openstack_tenant_name is defined) in the file below

https://github.com/openshift/openshift-ansible/blob/81cf5123366814d098b7ca169a6e4deb2759507d/roles/openshift_cloud_provider/tasks/openstack.yml#L10

On Sat, Nov 4, 2017 at 8:41 PM Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> On 03/11/2017 22:24, Joel Pearson wrote:
>
> Are you actually filling in those values with anything?
>
> Yes, all have values, I just didn't want to divulge them.
>
> I setup OpenShift on OpenStack Kilo and I needed to make sure I was using
> the v3 rc file and I also had an issue with block storage in the OpenStack
> file which I submitted a patch for.
>
> Are you using this OpenShift on OpenStack repo?
>
>
> https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/README.md
>
> No, the infrastructure is already provisioned. I'm just using the
> openshift-ansible/playbooks/byo/config.yml playbook to provision openshift.
>
>
>
> The error message suggests that potentially none of the variables have a
> value so the file isn’t being generated.
>
> Well, they do have values and the file is not being generated. That's what
> I'm wanting to resolve.
>
>
> --
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: ansible with openstack cloud provider

2017-11-04 Thread Joel Pearson
Yes mine too, but if you want it to work you need to add it back. I grabbed
those values from the v2 RC file.
On Sat, 4 Nov 2017 at 9:20 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> Yes, I removed those because my setup file (Newton release) included this:
>
> # unset v2.0 items in case set
> unset OS_TENANT_ID
> unset OS_TENANT_NAME
>
> Is openshift expecting an earlier release?
>
> --
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: OpenShift master keeps consuming lots of memory and swapping

2017-10-20 Thread Joel Pearson
Hi Clayton,

We’re running 3.6.1 I believe. It was installed a few weeks ago using
OpenShift ansible on the release-3.6 branch.

We’re running 11 namespaces, 2 nodes, 7 pods, so it’s pretty minimal.

I’ve never run this prune.
https://docs.openshift.com/container-platform/3.6/admin_guide/pruning_resources.html

Is there some log that would help highlight exactly what the issue is?


Thanks,

Joel

On Sat, 21 Oct 2017 at 2:23 pm, Clayton Coleman <ccole...@redhat.com> wrote:

> What version are you running?  How many nodes, pods, and namespaces?
> Excessive memory use can be caused by not running prune or having an
> automated process that creates lots of an object.  Excessive CPU use can be
> caused by an errant client or component stuck in a hot loop repeatedly
> taking the same action.
>
>
>
> On Oct 21, 2017, at 1:55 AM, Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
> Hi,
>
> I've got a brand new OpenShift cluster running on OpenStack and I'm
> finding that the single master that I have is struggling big time, it seems
> to consume tons of virtual memory and then start swapping and slows right
> down.
>
> It is running with 16GB of memory, 40GB disk and 2 CPUs.
>
> The cluster is fairly idle, so I don't know why the master gets this way.
> Restarting the master solves the problem for a while, for example, I
> restarted it at 10pm last night, and when I checked again this morning it
> was in the same situation.
>
> Would having multiple masters alleviate this problem?
>
> Here is a snapshot of top:
>
> 
>
>
> Any advice?  I'm happy to build the cluster with multiple masters if it
> will help.
>
>
>
> --
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 <0405417843> | w: agiledigital.com.au
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Using RMI Protocol to connect to OpenShift from external application

2018-05-04 Thread Joel Pearson
Hi Tien,

You just need to create a passthrough route like this:

https://docs.openshift.com/container-platform/3.9/architecture/networking/routes.html#passthrough-termination

For it to work, your swing client needs to use SNI (server name
identification), so that the OpenShift router knows what you're trying to
connect to.  A bit of quick googling suggests that Java 7 supports that,
but it depends if the RMI SSL Client uses SNI or not.

Then you'd need to tell your swing clients to connect to RMI on port 443,
ie :443. This is because that is what port the
router listens on.

Then the router will do the normal things like redirecting the traffic to
your service on whatever port your RMI server is actually running on.

In this passthrough mode, you're essentially using the router as a TCP load
balancer.

I think it has a fair chance of working.

Good luck.

Thanks,

Joel

On Thu, May 3, 2018 at 1:40 AM Tien Hung Nguyen <tienhng.ngu...@gmail.com>
wrote:

> Currently, our application is already running on Docker through RMI over
> SSL. Therefore, we are able to connect our client to the server via SSL and
> RMI using Docker.
>
> What do we have to do in order to make it work with OpenShift, now?
>
> 2018-05-02 16:34 GMT+02:00 Joel Pearson <japear...@agiledigital.com.au>:
>
>> Selectors refer to labels, so it’d be
>> deploymentconfig.metadata.labels.name
>>
>> SSL/TLS means the client has to support it too. So if there is some
>> option to run RMI over SSL/TLS then it could work pretty easily. But if
>> it’s not possible to run server and client that way then yes, nodeports
>> will be easier. Otherwise I think there might be other Ingress options. But
>> I’ve never used them.
>> On Thu, 3 May 2018 at 12:14 am, Tien Hung Nguyen <
>> tienhng.ngu...@gmail.com> wrote:
>>
>>> Thank you for the response.
>>>
>>> How can I set up SSL/TLS as a connection method on OpenShift that my
>>> Client connects through SSL/TLS to the server? Is that done on the
>>> OpenShift router or where can I do the settings?
>>>
>>> Otherwise, I think NodePorts are the easier solution to establish a
>>> connection between Client-Server using RMI. In this case, do I just have to
>>> specify the service with the proper NodePort as the property like this
>>> example, where the selector.name is the name of the
>>> deploymentConfig.metadata.name? :
>>>
>>> apiVersion: v1
>>> kind: Service
>>> metadata:
>>>   name: mysql
>>>   labels:
>>> name: mysql
>>> spec:
>>>   type: NodePort
>>>   ports:
>>> - port: 3036
>>>   nodePort: 30036
>>>   name: http
>>>   selector:
>>> name: mysql
>>>
>>>
>>>
>>>
>>>
>>> 2018-05-02 15:53 GMT+02:00 Joel Pearson <japear...@agiledigital.com.au>:
>>>
>>>> If you're using SSL/TLS you could traverse the Router by use
>>>> Passthrough.  Otherwise, you have to use NodePorts on a Service or
>>>> something like that.  The Router is generally only really for HTTP, but
>>>> with passthrough SSL/TLS just about anything could be running in the pod.
>>>>
>>>> On Wed, May 2, 2018 at 10:52 PM Tien Hung Nguyen <
>>>> tienhng.ngu...@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> we have an application, which is actually running on
>>>>> Wildfly 12.0.0.Final via Docker.
>>>>> Now, we would like to put our application on OpenShift with the
>>>>> existing Dockerfile.
>>>>>
>>>>> However, our client is using RMI to connect to the server. Is
>>>>> it still possible to run our application on OpenShift while using RMI for
>>>>> the client-server connection? If yes, how should we configure the client
>>>>> and the router of OpenShift to connect to the server?
>>>>>
>>>>> At the moment our java client is using the hostname:port in order to
>>>>> connect to the server running on Docker.
>>>>>
>>>>> Regards,
>>>>> Tien
>>>>>
>>>>> Note: Our application is not a web application, but it is java swing
>>>>> application (desktop application) which uses RMI to connect to the server.
>>>>>
>>>>>
>>>>>
>>>>
>>>
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
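What the router actually needs from a passthrough client, as an added example that is not from the thread or from OpenShift: on a passthrough route the router cannot decrypt the stream, so it chooses the backend from the Server Name Indication (SNI) extension in the unencrypted ClientHello. The code builds a constructed ClientHello (the builder is test scaffolding, not a real client), extracts the SNI the way a router would, and maps it to a backend; the host rmi.apps.example.com and the backend name are assumptions. A client that sends no SNI, the case Joel flags for the RMI SSL client, yields no host name, so the router has nothing to route on.

```python
import struct

SNI_EXTENSION = 0x0000      # extension_type server_name (RFC 6066)
HOST_NAME = 0               # NameType host_name

# Assumed route table: SNI host -> service endpoint (both are placeholders).
ROUTES = {"rmi.apps.example.com": "rmi-server.myproject.svc:1099"}


def build_client_hello(server_name=None):
    """Constructed TLS 1.2 ClientHello record for exercising the parser.

    A real client fills in random, session id and its cipher list; only
    the layout matters here. server_name=None omits the SNI extension.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + bytes(32)                 # random (zeroed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\xc0\x2f"       # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"               # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None.

    This is the only plaintext a passthrough router sees, so it is the
    only thing it can use to pick a backend.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                              # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    (ext_total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type == SNI_EXTENSION:
            return _host_name(data)
    return None


def _host_name(data):
    """Parse a ServerNameList and return its first host_name entry."""
    (list_len,) = struct.unpack("!H", data[0:2])
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME:
            return name.decode("ascii")
    return None


def route_passthrough(record, routes=ROUTES):
    """Pick the backend for a ClientHello the way a passthrough router does."""
    sni = extract_sni(record)
    return routes.get(sni) if sni else None


if __name__ == "__main__":
    hello = build_client_hello("rmi.apps.example.com")
    print(extract_sni(hello), "->", route_passthrough(hello))
    no_sni = build_client_hello()
    print(extract_sni(no_sni), "->", route_passthrough(no_sni))
```

The same parse is what decides whether a Java client will reach the pod: if its SSL socket factory does not set the SNI host name, the second case above is what the router sees, and the connection is refused or sent to the default backend rather than to the RMI server.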


Re: RPMs for 3.9 on Centos

2018-05-21 Thread Joel Pearson
You shouldn’t need testing. It looks like they’ve been in the repo for
about a month.

Not sure about the ansible side I haven’t actually tried to install 3.9
yet. And when I do I plan on using system containers.

But you could grep through the ansible scripts looking for what installs the
repo so you can figure out why it isn’t using it.
On Mon, 21 May 2018 at 8:38 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> Seems like Ansible isn't doing so for me.
> Are there any special params needed for this?
>
> I did try setting these two, but to no effect:
>
> openshift_enable_origin_repo=true
> openshift_repos_enable_testing=true
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: RPMs for 3.9 on Centos

2018-05-21 Thread Joel Pearson
They’re in the paas repo. You don’t have that repo installed for some
reason.

Ansible is supposed to lay that down

http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/

Why don’t you use the system container version instead? Or you prefer rpms?
On Mon, 21 May 2018 at 8:30 pm, Tim Dudgeon  wrote:

> It looks like RPMs for Origin 3.9 are still not available from the Centos
> repos:
>
> > $ yum search origin
> > Loaded plugins: fastestmirror
> > Loading mirror speeds from cached hostfile
> >  * base: ftp.lysator.liu.se
> >  * extras: ftp.lysator.liu.se
> >  * updates: ftp.lysator.liu.se
> >
> 
>
> > N/S matched: origin
> >
> =
> > centos-release-openshift-origin13.noarch : Yum configuration for
> > OpenShift Origin 1.3 packages
> > centos-release-openshift-origin14.noarch : Yum configuration for
> > OpenShift Origin 1.4 packages
> > centos-release-openshift-origin15.noarch : Yum configuration for
> > OpenShift Origin 1.5 packages
> > centos-release-openshift-origin36.noarch : Yum configuration for
> > OpenShift Origin 3.6 packages
> > centos-release-openshift-origin37.noarch : Yum configuration for
> > OpenShift Origin 3.7 packages
> > google-noto-sans-canadian-aboriginal-fonts.noarch : Sans Canadian
> > Aboriginal font
> > centos-release-openshift-origin.noarch : Common release file to
> > establish shared metadata for CentOS PaaS SIG
> > ksh.x86_64 : The Original ATT Korn Shell
> > texlive-tetex.noarch : scripts and files originally written for or
> > included in teTeX
> >
> >   Name and summary matches only, use "search all" for everything.
> Any idea when these will be available, or instructions for finding them
> somewhere else?
>
>
>
>
>
>


Re: question about external load balancer

2018-05-18 Thread Joel Pearson
OpenShift already has some support for F5 load balancers as a router. So
maybe given the choice between F5 or netscalers, then F5s might make
sense.

But either will work fine, it’s probably more a question of which device
you have more skills in.

On Wed, 16 May 2018 at 3:17 am, Yu Wei  wrote:

> Hi guys,
> I tried to set up an openshift origin cluster with multiple masters for HA.
> I read the doc in
> https://github.com/redhat-cop/openshift-playbooks/blob/master/playbooks/installation/load_balancing.adoc
> .
>
> Any other advice for external load balancer?
> Which solution should I select for external load balancer?  F5 or
> netscaler? Which is better?
> My cluster is about more than 200 physical machines.
>
> Thanks,
>
> Jared, (韦煜)
> Software developer
> Interested in open source software, big data, Linux
>


Re: load balancing for infra node in HA setup

2018-06-08 Thread Joel Pearson
Hi Tim,

Answers inline.

On 8 June 2018 at 23:00, Tim Dudgeon  wrote:

> The docs for installing a high availability openshift cluster e.g. [1] are
> fairly clear when it comes to the master node. If you set up 3 masters
> then you need a load balancer that sits in front of these. OpenShift can
> provide this or you can provide your own external one.
>
> What is not so clear is how to handle the nodes where the infrastructure
> components (registry and router) get deployed. In a typical example you
> would have 2 of these nodes, but what would happen in this case?
>
I presume you are still on OpenStack? Here is the OpenStack reference
architecture for OpenShift:
https://access.redhat.com/documentation/en-us/reference_architectures/2018/html/deploying_and_managing_openshift_3.9_on_red_hat_openstack_platform_10/reference_architecture_summary

Normally you have 3 infra nodes with 3 router replicas with 1 load balancer
in front.


> Does a single registry and router get deployed to one of those nodes (in
> which case it would be difficult to set up DNS for the router to point to
> the right one).
>
You simply point the DNS at the load balancer in front of the infra
nodes.  In the AWS reference architecture I run 3 registries, but they're
backed by S3, so it depends on the backing store for the registry I guess.
But it doesn't matter if you run 1 registry or 3, as long as the traffic
comes in via the load balancer, the OpenShift Routers will figure out where
the registries are running.

> Or does the router get deployed to both so a load balancer is needed in
> front of these?
>
Yes, routers should be deployed on all infra nodes with a load balancer in
front.

>
> And similarly for the registry. Is there one or two of these deployed? How
> does this work?
>
As mentioned above, it doesn't matter how many registries, but for HA you
could have as many as the number of infra nodes, provided the backend for
your registry allows multiple replicas.

>
> I hope someone can clarify this.
> Tim
>
> [1] https://docs.openshift.org/latest/install_config/install/advanced_install.html#multiple-masters
>
>



-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 |  w: agiledigital.com.au


What is the most reliable deployment method for 3.9 origin

2018-06-13 Thread Joel Pearson
Hi,

I’m wondering what the most reliable method for installing Origin on Centos
7 is?

* RPMs
* Containerized
* System containers

Just recently we discovered that upgrading from 3.6 to 3.7 doesn’t seem to
be tested using the containerized method, as the etcd upgrade fails as it
tries to find specific versions of etcd on the fedora registry but the
fedora registry only has a latest tag for etcd and then a few other random
tags. So we had to switch to etcd from the redhat registry. This to me
suggested that RPMs are probably the best method, as etcd at least has a
version number, so the upgrade should succeed.

How do system containers work? Are they still pulling containers from
docker hub or are they something else entirely? Are they preferred over
RPMs? Are they tested in origin? Or are RPMs the only real tested path for
Origin?

Thanks,

Joel


Re: What is the most reliable deployment method for 3.9 origin

2018-06-15 Thread Joel Pearson
Hi Wolf,

Given the silence, we've decided to go with the RPM method, as it's the
default for Centos/non-Atomic.

Thanks,

Joel

On Thu, Jun 14, 2018 at 3:21 PM Wolf Noble  wrote:

> I’ve been in the process of trying to assess this myself.
>
> Interested to hear what you settle on regardless
>
>
>
> > On Jun 13, 2018, at 23:26, Joel Pearson 
> wrote:
> >
> > Hi,
> >
> > I’m wondering what the most reliable method for installing Origin on
> Centos 7 is?
> >
> > * RPMs
> > * Containerized
> > * System containers
> >
> > Just recently we discovered that upgrading from 3.6 to 3.7 doesn’t seem
> to be tested using the containerized method, as the etcd upgrade fails as
> it tries to find specific versions of etcd on the fedora registry but the
> fedora registry only has a latest tag for etcd and then a few other random
> tags. So we had to switch to etcd from the redhat registry. This to me
> suggested that RPMs are probably the best method, as etcd at least has a
> version number, so the upgrade should succeed.
> >
> > How do system containers work? Are they still pulling containers from
> docker hub or are they something else entirely? Are they preferred over
> RPMs? Are they tested in origin? Or are RPMs the only real tested path for
> Origin?
> >
> > Thanks,
> >
> > Joel
>


Re: errors accessing egressnetworkpolicies.network.openshift.io when attempting to export project

2018-06-01 Thread Joel Pearson
I guess that means your admin user doesn’t have the cluster-admin role
On Sat, 2 Jun 2018 at 4:02 am, Brian Keyes  wrote:

> I am attempting to follow these instructions
>
>
> https://docs.openshift.com/container-platform/3.7/day_two_guide/project_level_tasks.html
>
> I want to back up THE sample python app and I created a script like this (
> from the documentation)
>
>
>
>
> $ for object in rolebindings serviceaccounts secrets imagestreamtags 
> podpreset cms egressnetworkpolicies rolebindingrestrictions limitranges 
> resourcequotas pvcs templates cronjobs statefulsets hpas deployments 
> replicasets poddisruptionbudget endpoints
> do
>   oc export $object -o yaml > $object.yaml
> done
>
>
> --
> but when I run this I get some access denied errors like this. Is this
> saying that the objects I am attempting to back up do not exist?
>
>
> $ ./exportotherprojects.sh
> error: no resources found - nothing to export
> the server doesn't have a resource type "cms"
> Error from server (Forbidden): User "admin" cannot list
> egressnetworkpolicies.network.openshift.io in the namespace "sample-py":
> User "admin" cannot list egressnetworkpolicies.network.openshift.io in
> project "sample-py" (get egressnetworkpolicies.network.openshift.io)
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> the server doesn't have a resource type "pvcs"
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> the server doesn't have a resource type "hpas"
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> Error from server (Forbidden): User "admin" cannot list
> poddisruptionbudgets.policy in the namespace "sample-py": User "admin"
> cannot list poddisruptionbudgets.policy in project "sample-py" (get
> poddisruptionbudgets.policy)
>
>
> thanks
>
>
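To tell the three kinds of error in that output apart, here is an added example (not code from the thread or from OpenShift) that classifies the stderr lines and turns the Forbidden ones into the RBAC rule a project Role would need, which is a narrower fix than granting cluster-admin. The sample input is constructed from the quoted output, unwrapped onto one line per error; the function names are my own.

```python
"""Sort the export loop's stderr into its three causes.

Added example; not code from the thread or from OpenShift. The loop above
produced three messages that look alike on a terminal: a resource short
name the server does not know (cms, pvcs, hpas), a Forbidden from RBAC
(the user lacks the verb on that resource in that project), and a type
with nothing to export. The sample is constructed from the quoted output.
"""
import re
from typing import List

# Constructed sample: a subset of the quoted output, one error per line.
SAMPLE_STDERR = """\
error: no resources found - nothing to export
the server doesn't have a resource type "cms"
Error from server (Forbidden): User "admin" cannot list egressnetworkpolicies.network.openshift.io in the namespace "sample-py": User "admin" cannot list egressnetworkpolicies.network.openshift.io in project "sample-py" (get egressnetworkpolicies.network.openshift.io)
error: no resources found - nothing to export
the server doesn't have a resource type "pvcs"
the server doesn't have a resource type "hpas"
Error from server (Forbidden): User "admin" cannot list poddisruptionbudgets.policy in the namespace "sample-py": User "admin" cannot list poddisruptionbudgets.policy in project "sample-py" (get poddisruptionbudgets.policy)
"""

UNKNOWN_TYPE = re.compile(r'the server doesn\'t have a resource type "([^"]+)"')
FORBIDDEN = re.compile(
    r'Error from server \(Forbidden\): User "([^"]+)" cannot (\w+) (\S+) in the namespace "([^"]+)"'
)
EMPTY = re.compile(r"^error: no resources found")


def classify_export_errors(stderr: str) -> dict:
    """Bucket each stderr line: unknown_type, forbidden, empty (a count) or other."""
    report = {"unknown_type": [], "forbidden": [], "empty": 0, "other": []}
    for line in stderr.splitlines():
        if not line.strip():
            continue
        unknown = UNKNOWN_TYPE.search(line)
        forbidden = FORBIDDEN.search(line)
        if unknown:
            # The short name is not in the server's discovery list; this is a
            # typo in the script, not a permission problem.
            report["unknown_type"].append(unknown.group(1))
        elif forbidden:
            user, verb, fq_resource, namespace = forbidden.groups()
            # The server names a non-core resource as `resource.group`; split it
            # back into the two fields an RBAC PolicyRule uses.
            resource, _, api_group = fq_resource.partition(".")
            report["forbidden"].append({
                "user": user, "verb": verb, "resource": resource,
                "apiGroup": api_group, "namespace": namespace,
            })
        elif EMPTY.search(line):
            report["empty"] += 1
        else:
            report["other"].append(line)
    return report


def missing_role_rules(report: dict) -> List[dict]:
    """PolicyRule entries a project Role would need for the Forbidden lines."""
    rules: List[dict] = []
    for entry in report["forbidden"]:
        rule = {"apiGroups": [entry["apiGroup"]],
                "resources": [entry["resource"]],
                "verbs": [entry["verb"]]}
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    import json
    import sys
    # Usage: ./exportotherprojects.sh 2>&1 >/dev/null | python classify_export.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STDERR
    result = classify_export_errors(text)
    print(json.dumps({"report": result, "role_rules": missing_role_rules(result)}, indent=2))
```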


Re: OC debug command does not show command prompt

2018-06-06 Thread Joel Pearson
What operating system is your local machine? On Windows I’ve noticed the oc
binary doesn’t do terminal emulation properly. So it looks like it’s
hanging but it’s actually working. Try typing “ls” and see if the command
has actually worked, but you’re just not seeing the command prompt.
On Thu, 7 Jun 2018 at 6:52 am, Brian Keyes  wrote:

> No, I don't think so, but I am running the CLI on my local machine. I will
> ssh into one of the nodes and try
>
> thanks
>
>
> On Wed, Jun 6, 2018 at 4:49 PM, Aleksandar Lazic 
> wrote:
>
>> On 06/06/2018 13:04, Brian Keyes wrote:
>>
>>> If I do a "debug in terminal" in the console I always get a command
>>> prompt
>>>
>>> if I go to the command line and do a "oc debug   I get this
>>> message
>>>
>>> Debugging with pod/lster-1-2rqg9-debug, original command:
>>> container-entrypoint /tmp/scripts/run
>>> Waiting for pod to start ...
>>> Pod IP: 10.252.4.18
>>> If you don't see a command prompt, try pressing enter.
>>>
>>> i hit enter many many times and do not ever get a command prompt
>>>
>>
>> Are you behind a proxy?
>>
>> --
>>> thanks
>>>
>>
>>>
>>
>>
>
>
> --
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
>
> FOR OFFICIAL USE ONLY: This email and any attachments may contain
> information that is privacy and business sensitive.  Inappropriate or
> unauthorized disclosure of business and privacy sensitive information may
> result in civil and/or criminal penalties as detailed in as amended Privacy
> Act of 1974 and DoD 5400.11-R.
>
>


How to make 172.30.0.1 (kubernetes service) health checked?

2018-06-27 Thread Joel Pearson
Hi,

I'm running OpenShift 3.9 on AWS with masters in HA mode using Classic
ELB's doing TCP load balancing.  If I restart masters, from outside the
cluster the ELB does the right thing and takes a master out of service.
However, if something tries to talk to the kubernetes API inside the
cluster, it seems that kubernetes is unaware the master is missing, and I
get failures when I'm serially restarting masters.

Is there some way that I can point the kubernetes service to use the load
balancer?  Maybe I should update the kubernetes endpoint object to use the
ELB IP address instead of the actual master addresses?  Is this a valid
approach?  Is there some way with openshift-ansible I can tell the
kubernetes service to use the load balancer when it creates the kubernetes
service?

 Thanks,

Joel


apiVersion: v1
kind: Service
metadata:
  creationTimestamp: '2018-06-27T06:30:50Z'
  labels:
    component: apiserver
    provider: kubernetes
  name: kubernetes
  namespace: default
  resourceVersion: '45'
  selfLink: /api/v1/namespaces/default/services/kubernetes
  uid: a224fd75-79d3-11e8-bd57-0a929ba50438
spec:
  clusterIP: 172.30.0.1
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: dns
      port: 53
      protocol: UDP
      targetPort: 8053
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 8053
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  type: ClusterIP
status:
  loadBalancer: {}


apiVersion: v1
kind: Endpoints
metadata:
  creationTimestamp: '2018-06-27T06:30:50Z'
  name: kubernetes
  namespace: default
  resourceVersion: '83743'
  selfLink: /api/v1/namespaces/default/endpoints/kubernetes
  uid: a22a0283-79d3-11e8-bd57-0a929ba50438
subsets:
  - addresses:
      - ip: 10.2.12.53
      - ip: 10.2.12.72
      - ip: 10.2.12.91
    ports:
      - name: dns
        port: 8053
        protocol: UDP
      - name: dns-tcp
        port: 8053
        protocol: TCP
      - name: https
        port: 443
        protocol: TCP
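An added example (not the poster's or OpenShift's code) of what an in-cluster client has to do itself while the Endpoints above are not health-checked: read the kubernetes Endpoints object and probe each master's /healthz, treating refused, timed-out and TLS-failed probes as down. The Endpoints document in the block is a constructed copy of the one quoted above; the pick_master helper and the command-line arguments are my own assumptions.

```python
"""Probe every master behind the `kubernetes` service for health.

Added example; not code from the thread or from OpenShift. The Endpoints
object behind 172.30.0.1 is a plain list of master IPs that nothing
health-checks, so a client that wants to avoid a restarting master has to
probe the masters itself. probe_healthz() makes a real HTTPS request, so
run it from inside the cluster with the cluster CA.
"""
import json
import ssl
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Constructed sample: the shape `oc get endpoints kubernetes -n default -o json`
# returns for the cluster described in the message (same IPs and ports).
SAMPLE_ENDPOINTS = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Endpoints",
  "metadata": {"name": "kubernetes", "namespace": "default"},
  "subsets": [{
    "addresses": [{"ip": "10.2.12.53"}, {"ip": "10.2.12.72"}, {"ip": "10.2.12.91"}],
    "ports": [
      {"name": "dns", "port": 8053, "protocol": "UDP"},
      {"name": "dns-tcp", "port": 8053, "protocol": "TCP"},
      {"name": "https", "port": 443, "protocol": "TCP"}
    ]
  }]
}
""")


def master_api_urls(endpoints: dict, port_name: str = "https") -> List[str]:
    """One https://<ip>:<port>/healthz URL per master address in the Endpoints."""
    urls: List[str] = []
    for subset in endpoints.get("subsets", []):
        # Only the TCP port named `https` is the API server; the DNS ports are skipped.
        ports = [p["port"] for p in subset.get("ports", [])
                 if p.get("name") == port_name and p.get("protocol") == "TCP"]
        for addr in subset.get("addresses", []):
            for port in ports:
                urls.append(f"https://{addr['ip']}:{port}/healthz")
    return urls


def probe_healthz(url: str, cafile: Optional[str] = None, timeout: float = 2.0) -> bool:
    """True only when the API server answers /healthz with HTTP 200 and body 'ok'.

    cafile should be the cluster CA (for example /etc/origin/master/ca.crt).
    With None the system trust store is used, which normally rejects the
    self-signed master certificate, so the master is reported down rather
    than trusted blindly. Connection refused, timeouts and TLS failures all
    count as down, which is what a client wants while masters restart.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and resp.read(16).strip() == b"ok"
    except (urllib.error.URLError, ssl.SSLError, OSError):
        return False


def healthy_masters(endpoints: dict, cafile: Optional[str] = None) -> Dict[str, bool]:
    """Map each master's /healthz URL to its probe result."""
    return {url: probe_healthz(url, cafile=cafile) for url in master_api_urls(endpoints)}


def pick_master(endpoints: dict, cafile: Optional[str] = None) -> Optional[str]:
    """Base URL of the first master that answers /healthz, or None if all are down."""
    for url, ok in healthy_masters(endpoints, cafile).items():
        if ok:
            return url.rsplit("/healthz", 1)[0]
    return None


if __name__ == "__main__":
    import sys
    # Usage: python probe_masters.py [endpoints.json] [ca.crt]  (names assumed)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENDPOINTS
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for url, ok in healthy_masters(doc, ca).items():
        print(f"{'OK  ' if ok else 'DOWN'} {url}")
```

The API servers reconcile the kubernetes Endpoints object themselves (that is how the three master IPs got there), so a hand edit pointing it at the ELB is overwritten on the next reconcile; a client-side check like this one works regardless of who maintains the list.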


Re: Using RMI Protocol to connect to OpenShift from external application

2018-05-02 Thread Joel Pearson
If you're using SSL/TLS you could traverse the Router by using Passthrough.
Otherwise, you have to use NodePorts on a Service or something like that.
The Router is generally only really for HTTP, but with passthrough SSL/TLS
just about anything could be running in the pod.

On Wed, May 2, 2018 at 10:52 PM Tien Hung Nguyen 
wrote:

> Hi,
>
> we have an application, which is actually running on Wildfly 12.0.0.Final
> via Docker.
> Now, we would like to put our application on OpenShift with the existing
> Dockerfile.
>
> However, our client is using RMI to connect to the server. Is it
> still possible to run our application on OpenShift while using RMI for the
> client-server connection? If yes, how should we configure the client and
> the router of OpenShift to connect to the server?
>
> At the moment our java client is using the hostname:port in order to
> connect to the server running on Docker.
>
> Regards,
> Tien
>
> Note: Our application is not a web application, but a Java Swing
> application (desktop application) which uses RMI to connect to the server.
>
>
>


Re: Using RMI Protocol to connect to OpenShift from external application

2018-05-02 Thread Joel Pearson
Selectors refer to labels, so it’d be deploymentconfig.metadata.labels.name

SSL/TLS means the client has to support it too. So if there is some option
to run RMI over SSL/TLS then it could work pretty easily. But if it’s not
possible to run server and client that way then yes, nodeports will be
easier. Otherwise I think there might be other Ingress options. But I’ve
never used them.
On Thu, 3 May 2018 at 12:14 am, Tien Hung Nguyen <tienhng.ngu...@gmail.com>
wrote:

> Thank you for the response.
>
> How can I set up SSL/TLS as a connection method on OpenShift that my
> Client connects through SSL/TLS to the server? Is that done on the
> OpenShift router or where can I do the settings?
>
> Otherwise, I think NodePorts are the easier solution to establish a
> connection between Client-Server using RMI. In this case, do I just have to
> specify the service with the proper NodePort as the property like this
> example, where the selector.name is the name of the
> deploymentConfig.metadata.name? :
>
> apiVersion: v1
> kind: Service
> metadata:
>   name: mysql
>   labels:
>     name: mysql
> spec:
>   type: NodePort
>   ports:
>     - port: 3036
>       nodePort: 30036
>       name: http
>   selector:
>     name: mysql
>
>
>
>
>
> 2018-05-02 15:53 GMT+02:00 Joel Pearson <japear...@agiledigital.com.au>:
>
>> If you're using SSL/TLS you could traverse the Router by use
>> Passthrough.  Otherwise, you have to use NodePorts on a Service or
>> something like that.  The Router is generally only really for HTTP, but
>> with passthrough SSL/TLS just about anything could be running in the pod.
>>
>> On Wed, May 2, 2018 at 10:52 PM Tien Hung Nguyen <
>> tienhng.ngu...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> we have an application, which is actually running on Wildfly 12.0.0.Final
>>> via Docker.
>>> Now, we would like to put our application on OpenShift with the existing
>>> Dockerfile.
>>>
>>> However, our client is using RMI to connect to the server. Is it
>>> still possible to run our application on OpenShift while using RMI for the
>>> client-server connection? If yes, how should we configure the client and
>>> the router of OpenShift to connect to the server?
>>>
>>> At the moment our java client is using the hostname:port in order to
>>> connect to the server running on Docker.
>>>
>>> Regards,
>>> Tien
>>>
>>> Note: Our application is not a web application, but a Java Swing
>>> application (desktop application) which uses RMI to connect to the server.
>>>
>>>
>>>
>>
>


Re: Prometheus node exporter on v3.7

2018-05-03 Thread Joel Pearson
Upgrade your cluster to 3.9 just to be safe? You know you want to ... ;)
On Fri, 4 May 2018 at 6:00 am, Tim Dudgeon  wrote:

> Any Prometheus experts out there that can comment on this?
>
>
> On 30/04/18 15:19, Tim Dudgeon wrote:
> > I'm running Prometheus on an Origin cluster using v3.7.2 installed from
> > the playbooks on the release-3.7 branch of openshift/openshift-ansible.
> >
> > It looks like the node exporter was not included in this version [1]
> > but was added for the 3.9 version [2].
> > As it's metrics on the nodes that I'm wanting most I wonder what the
> > best approach is here.
> >
> > Is it safe to run the `playbooks/openshift-prometheus/config.yml`
> > playbook from the release-3.9 branch on a cluster running v3.7.2, or
> > is there a better approach?
> >
> > [1] (v3.7)
> >
> https://github.com/openshift/openshift-ansible/tree/release-3.7/roles/openshift_prometheus/tasks
> > [2] (v3.9)
> >
> https://github.com/openshift/openshift-ansible/tree/release-3.9/roles/openshift_prometheus/tasks
> >
>
>


Re: OpenShift on AWS using Terraform

2017-12-30 Thread Joel Pearson
If you’re ok with CloudFormation then these ansible scripts can do that
https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture/aws-ansible
On Sun, 31 Dec 2017 at 4:46 am, Krzysztof Sobkowiak <
krzys.sobkow...@gmail.com> wrote:

> Hi
>
> I'd like to provision an OpenShift HA cluster on AWS. I'm wondering if I
> can find somewhere Terraform scripts which can be used to initially
> provision the infrastructure on AWS (bastion, masters, nodes,
> infranodes,...)
> Do you know of such a solution?
>
> Kind regards
> Krzysztof
>
>
> --
> Krzysztof Sobkowiak (@ksobkowiak)
>
> JEE & OSS Architect, Integration Architect
> Apache Software Foundation Member (http://apache.org/)
> Apache ServiceMix Committer & PMC Member (http://servicemix.apache.org/)
> Senior Delivery Architect @ Capgemini SSC (
> http://www.capgeminisoftware.pl/)
>


Re: Limiting which LDAP users can login

2018-01-04 Thread Joel Pearson
Ahh Thanks, I wondered if there would be a side effect.

I discovered that the directory we're using, OpenDJ, has virtual
attributes, and one of those attributes is "isMemberOf", so I was able to
use:

url: ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)

And that worked like a charm, as manually provisioning users sounds like
way too much effort.

On Fri, Jan 5, 2018 at 1:50 AM Jordan Liggitt <jligg...@redhat.com> wrote:

> On Thu, Jan 4, 2018 at 5:35 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> Hi,
>>
>> I just wanted to check what the proper way is to limit which users are
>> allowed to login to OpenShift via an LDAP group.
>>
>> There doesn't seem to be a way during authentication, but on the
>> authorisation side of things I found that if I removed
>> "system:authenticated" from the basic-user cluster role binding then that
>> seemed to have the desired effect.  Is this the right way?
>>
>
>
> No, removing that role breaks things like `oc whoami`, `oc auth can-i`,
> and web console login.
>
> You have two options for gating logins during authentication:
>
> 1. Specify a filter on the user query to limit to a particular set of
> users. See the filter documentation at
> https://docs.openshift.org/latest/install_config/configuring_authentication.html#LDAPPasswordIdentityProvider
> for more information. For example, to limit to users with an
> openshiftUser=true attribute:
>
> url: "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"
>
>
> 2. Instead of automatically provisioning User and Identity objects in
> openshift at login time, require them to be pre-created out of band using
> `mappingMethod: lookup`. Any attempt to log in as an LDAP user that does
> not have a configured Identity and User object will fail. See
> https://docs.openshift.org/latest/install_config/configuring_authentication.html#mapping-identities-to-users
> for more details.
>
>
>
>> So I ran these 2 commands:
>>
>> oc adm policy add-cluster-role-to-group basic-user staff
>> oc adm policy remove-cluster-role-from-group basic-user
>> system:authenticated
>>
>> After which only users in the staff group can login if they don't already
>> have other permissions.
>>
>> The effect on the console is a little odd.  You can login ok and it shows
>> an error screen, then you click continue and then you are redirected back
>> to the login screen.
>>
>> Thanks,
>>
>> Joel
>>
>>
>>
>
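As an added example for the two gating options above (not code from the thread or from OpenShift): a parser for the RFC 2255 URL the LDAP provider takes, a builder for the isMemberOf filter with RFC 4515 escaping, and a check that flags a URL whose fourth component is empty. The two URLs are the ones quoted above; the function names are my own.

```python
"""Parse and check the LDAP identity-provider URL discussed above.

Added example; not code from the thread or from OpenShift. The URL is an
RFC 2255 LDAP URL, ldap://host:port/basedn?attribute?scope?filter, and the
login gating the thread arrives at lives entirely in the fourth part: with
no filter, every account that can bind to the directory can log in.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote, urlsplit

# The two URLs quoted in the thread.
JOEL_URL = ("ldap://ldap.company.com.au:1389/ou=people,dc=company,dc=com,dc=au"
            "?uid?sub?(isMemberOf=cn=staff,ou=groups,dc=company,dc=com,dc=au)")
JORDAN_URL = "ldap://ldap.example.com/ou=users,dc=acme,dc=com?uid?sub?(openshiftUser=true)"


@dataclass
class LdapUrl:
    scheme: str      # ldap or ldaps
    host: str
    port: int
    base_dn: str     # where the user search starts
    attribute: str   # attribute matched against the login name (uid here)
    scope: str       # base, one or sub
    filter: str      # RFC 4515 filter; empty when the URL has none


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 2255 URL into its parts; missing parts come back as ''."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    # The three '?'-separated fields live in what urlsplit calls the query.
    # urlsplit stops at '#', so a filter containing '#' must be percent-encoded.
    fields = (parts.query.split("?", 2) + ["", "", ""])[:3]
    return LdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=unquote(fields[0]),
        scope=unquote(fields[1]),
        filter=unquote(fields[2]),
    )


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def group_member_filter(group_dn: str, member_attr: str = "isMemberOf") -> str:
    """Filter admitting only members of group_dn, as in the OpenDJ setup above."""
    return f"({member_attr}={escape_filter_value(group_dn)})"


def login_gating_findings(url: str) -> List[str]:
    """Problems a reviewer would flag; an empty list means the URL gates logins."""
    parsed = parse_ldap_url(url)
    findings: List[str] = []
    if not parsed.filter:
        findings.append("no filter: every account that can bind to the directory may log in")
    elif not (parsed.filter.startswith("(") and parsed.filter.endswith(")")):
        findings.append("filter is not parenthesised; the server will reject it")
    if parsed.scheme == "ldap":
        # The provider upgrades ldap:// to StartTLS only with `insecure: false`;
        # otherwise bind passwords cross the network in clear.
        findings.append("plain ldap://: confirm insecure: false so the bind uses StartTLS")
    return findings


if __name__ == "__main__":
    for url in (JOEL_URL, JORDAN_URL):
        print(parse_ldap_url(url))
        print("  findings:", login_gating_findings(url) or "none")
```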


Re: Deployment to OpenStack

2018-01-04 Thread Joel Pearson
Hi Tim,

Yes, I only discovered what the bastion setting did by looking at the heat
template, as I was going to try and remove the need for the bastion by
myself.

I found this line in the heat template:
https://github.com/openshift/openshift-ansible-contrib/blob/master/roles/openstack-stack/templates/heat_stack.yaml.j2#L75

I don't know what provider_network does. But you might want to grep around
the repo chasing down those settings to see if it suits your purposes. It
seems a bit undocumented.

In regards to creating private floating ip's, this is what we did for our
on-premise openstack, because we wanted to have floating ip's that allowed
other computers outside the openstack network to be able to connect to
individual servers.

I don't know what sort of privileges you need to run this command, so it
might not work for you.

openstack network create --external --provider-physical-network flat --provider-network-type flat public
openstack subnet create --network public --allocation-pool start=10.2.100.1,end=10.2.100.254 --dns-nameserver 10.2.0.1 --gateway 10.2.0.1 --subnet-range 10.2.0.0/16 public

Instead of public, you could call it something else.

So the end result of that command was that when openshift ansible asked for
a floating ip, we'd get an IP address in the range of 10.2.100.1-254.

Hope it helps.

Thanks,

Joel

On Fri, Jan 5, 2018 at 8:18 AM Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> Joel,
> Thanks for that.
> I had seen this but didn't really understand what it meant.
> Having read through it again I still don't!
> I'll give it a try tomorrow and see what happens.
>
> As for the warning about scaling up/down then yes, that is a big concern.
> That's the whole point of getting automation in place.
> So if anyone can shed any light on this then please do so!
>
> Could you explain more about 'an alternative is to create a floating ip
> range that uses private non-routable ip addressees'?
>
>
> On 04/01/18 20:17, Joel Pearson wrote:
>
> I had exactly the same concern and I discovered that inside the heat
> template there is a bastion mode, which once enabled it doesn’t use
> floating ip’s any more.
>
> Have a look at
> https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/advanced-configuration.md
>
> I think you want openstack_use_bastion: True but I am yet to test it out
> so I’d recommend checking the heat template to see if it does what I think
> it does.
>
> At the bottom of that advanced page it mentions that in bastion mode scale
> up doesn’t work for some reason, so I don’t know if that matters for you.
>
> Otherwise an alternative is to create a floating ip range that uses
> private non-routable ip addresses. That’s what we’re using in our
> on-premise OpenStack. But only because we hadn’t discovered the bastion
> mode at the time.
>
> Hope that helps.
> On Fri, 5 Jan 2018 at 4:10 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>
>> I hope this is the right place to ask questions about the
>> openshift/openshift-ansible-contrib GitHub repo, and specifically the
>> playbooks for installing OpenShift on OpenStack:
>>
>> https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack
>> If not then please redirect me.
>>
>> By following the instructions in that link I successfully ran a basic
>> deployment that involved provisioning the OpenStack servers and the
>> deploying OpenShift using the byo config.yaml playbook. But in doing so
>> it's immediately obvious that this approach is not really viable as
>> public IP addresses are assigned to every node. It should only be
>> necessary to have public IP addresses for the master and the
>> infrastructure node hosting the router.
>>
>> My expectation is that the best way to handle this would be to:
>>
>> 1. provision the basic openstack networking environment plus a bastion
>> node from outside the openstack environment
>> 2. from that bastion node provision the nodes that will form the
>> OpenShift cluster and deploy OpenShift to those.
>>
>> Are there any examples along those lines?
>>
>>
>>
>
>


Re: ansible service catalog continuous failures OpenShift 3.7.0

2018-01-04 Thread Joel Pearson
I tried using: ansibleplaybookbundle/origin-ansible-service-broker:latest
but it crashed trying to retrieve cluster roles. So I'm not sure what the
correct option is.


!!filter mode is none[2018-01-05T00:45:57.44Z] [INFO] - Validating
specs...
[2018-01-05T00:45:57.44Z] [NOTICE] - All specs passed validation!
[2018-01-05T00:45:57.44Z] [NOTICE] - Broker successfully bootstrapped on
startup
[2018-01-05T00:45:57.834Z] [ERROR] - Unable to retrieve cluster roles rules
from cluster
 You must be using OpenShift 3.7 to use the User rules check.
the server could not find the requested resource

On Thu, Jan 4, 2018 at 9:31 PM Joel Pearson <japear...@agiledigital.com.au>
wrote:

> Hi,
>
> I've installed OpenShift 3.7.0 containerized on OpenStack, and I'm getting
> some issues with the service catalog.  It's spewing heaps of errors into
> the journal. Lots of very large errors.
>
> In the end it looks like it isn't deploying properly because it can't find
> the tag it is after, as I found this in the events:
>
> Failed to pull image
> "ansibleplaybookbundle/ansible-service-broker:latest": rpc error: code = 2
> desc = Tag latest not found in repository
> docker.io/ansibleplaybookbundle/ansible-service-broker
>
> I had a look at
> https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/
>  and
> It looks like it's supposed to be origin-ansible-service-broker instead of
> ansible-service-broker?
>
> As there is no latest tag here:
>
> https://hub.docker.com/r/ansibleplaybookbundle/ansible-service-broker/tags/
>
> The errors look like:
>
> -- Logs begin at Thu 2018-01-04 01:07:33 UTC. --
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.106869   1 round_trippers.go:442] Response Headers:
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.106902   1 round_trippers.go:445] Cache-Control:
> no-store
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.106912   1 round_trippers.go:445] Content-Type:
> application/json
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.106921   1 round_trippers.go:445] Content-Length: 547
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.106929   1 round_trippers.go:445] Date: Thu, 04 Jan
> 2018 09:55:55 GMT
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.107083   1 request.go:836] Response Body:
> {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1
> ","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"verb":"update","group":"
> servicecatalog.k8s.io","version":"v1beta1","resource":"clusterservicebrokers","subresource":"status","name":"ansible-service-broker"},"user":"system:serviceaccount:kube-service-catalog:service-catalog-controller","group":["system:serviceaccounts","system:serviceaccounts:kube-service-catalog","system:authenticated"]},"status":{"allowed":true,"reason":"allowed
> by cluster rule"}}
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.107293   1 handler.go:150] service-catalog-apiserver:
> PUT "/apis/
> servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker/status"
> satisfied by gorestful with webservice /apis/servicecatalog.k8s.io/v1beta1
> Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
> I0104 09:55:55.116503   1 admission.go:81] Retrieved
> clusterClusterServiceBroker &{{ } {ansible-service-broker   /apis/
> servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker
> dd9acb9a-f0ef-11e7-bc63-0a580a82 3141 1 2018-01-04 01:37:46 + UTC
>   map[] map[] [] nil [kubernetes-incubator/service-catalog] } {
> https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker

Re: Deployment to OpenStack

2018-01-04 Thread Joel Pearson
I had exactly the same concern and I discovered that inside the heat
template there is a bastion mode, which, once enabled, doesn't use
floating IPs any more.

Have a look at
https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/advanced-configuration.md

I think you want openstack_use_bastion: True but I am yet to test it out so
I’d recommend checking the heat template to see if it does what I think it
does.

At the bottom of that advanced page it mentions that in bastion mode scale
up doesn’t work for some reason, so I don’t know if that matters for you.

Otherwise an alternative is to create a floating IP range that uses private
non-routable IP addresses. That's what we're using in our on-premise
OpenStack. But only because we hadn't discovered the bastion mode at the
time.

Hope that helps.
On Fri, 5 Jan 2018 at 4:10 am, Tim Dudgeon  wrote:

> I hope this is the right place to ask questions about the
> openshift/openshift-ansible-contrib GitHub repo, and specifically the
> playbooks for installing OpenShift on OpenStack:
>
> https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack
> If not then please redirect me.
>
> By following the instructions in that link I successfully ran a basic
> deployment that involved provisioning the OpenStack servers and then
> deploying OpenShift using the byo config.yaml playbook. But in doing so
> it's immediately obvious that this approach is not really viable as
> public IP addresses are assigned to every node. It should only be
> necessary to have public IP addresses for the master and the
> infrastructure node hosting the router.
>
> My expectation is that the best way to handle this would be to:
>
> 1. provision the basic openstack networking environment plus a bastion
> node from outside the openstack environment
> 2. from that bastion node provision the nodes that will form the
> OpenShift cluster and deploy OpenShift to those.
>
> Are there any examples along those lines?
>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Deployment to OpenStack

2018-01-05 Thread Joel Pearson
Hi Tim,

The DNS needs to still be there because the master server uses those host
names to communicate with the nodes in the cluster. For example I
discovered that in the UI when you look at the logs or the terminal, the
master api server opens up a connection to the node in question via the DNS
name. In my current setup I’m using a non internet resolvable DNS name,
openshift.local or something like that. Then I maintain a real DNS domain
to point to the master api server and the infra node.

So, if you can still view logs in the UI, then I’d say the DNS is working
ok.

I’ll have to try this non-floating ip mode in the future, but it might be a
month or so away.
On Fri, 5 Jan 2018 at 9:30 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> OK, so I tried setting `openstack_use_bastion: True`. Servers were
> provisioned OK. Public IP addresses were only applied to the infra and dns
> nodes (not master).
>
> But the inventory/hosts file that gets auto-generated by this process
> still contains the "public" hostnames that can't be reached, even if put
> into DNS. Also, I expected to see a bastion node, but none was created.
>
> I find the docs for this a bit baffling. Is there anyone on this list who
> was involved with creating this who can help get this straight?
> On 04/01/18 23:13, Joel Pearson wrote:
>
> Hi Tim,
>
> Yes, I only discovered what the bastion setting did by looking at the heat
> template, as I was going to try and remove the need for the bastion by
> myself.
>
> I found this line in the heat template:
>
> https://github.com/openshift/openshift-ansible-contrib/blob/master/roles/openstack-stack/templates/heat_stack.yaml.j2#L75
>
> I don't know what provider_network does. But you might want to grep around
> the repo chasing down those settings to see if it suits your purposes. It
> seems a bit undocumented.
>
> In regards to creating private floating IPs, this is what we did for our
> on-premise openstack, because we wanted to have floating IPs that allowed
> other computers outside the openstack network to be able to connect to
> individual servers.
>
> I don't know what sort of privileges you need to run this command, so it
> might not work for you.
>
> openstack network create  --external  --provider-physical-network flat
> --provider-network-type flat public
> openstack subnet create --network public --allocation-pool
> start=10.2.100.1,end=10.2.100.254  --dns-nameserver 10.2.0.1  --gateway
> 10.2.0.1 --subnet-range  10.2.0.0/16 public
>
> Instead of public, you could call it something else.
>
> So the end result of that command was that when openshift ansible asked
> for a floating ip, we'd get an IP address in the range of 10.2.100.1-254.
>
> Hope it helps.
>
> Thanks,
>
> Joel
>
> On Fri, Jan 5, 2018 at 8:18 AM Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>
>> Joel,
>> Thanks for that.
>> I had seen this but didn't really understand what it meant.
>> Having read through it again I still don't!
>> I'll give it a try tomorrow and see what happens.
>>
>> As for the warning about scaling up/down then yes, that is a big concern.
>> That's the whole point of getting automation in place.
>> So if anyone can shed any light on this then please do so!
>>
>> Could you explain more about 'an alternative is to create a floating ip
>> range that uses private non-routable ip addresses'?
>>
>>
>> On 04/01/18 20:17, Joel Pearson wrote:
>>
>> I had exactly the same concern and I discovered that inside the heat
>> template there is a bastion mode, which, once enabled, doesn't use
>> floating IPs any more.
>>
>> Have a look at
>> https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/advanced-configuration.md
>>
>> I think you want openstack_use_bastion: True but I am yet to test it out
>> so I’d recommend checking the heat template to see if it does what I think
>> it does.
>>
>> At the bottom of that advanced page it mentions that in bastion mode
>> scale up doesn’t work for some reason, so I don’t know if that matters for
>> you.
>>
>> Otherwise an alternative is to create a floating IP range that uses
>> private non-routable IP addresses. That's what we're using in our
>> on-premise OpenStack. But only because we hadn't discovered the bastion
>> mode at the time.
>>
>> Hope that helps.
>> On Fri, 5 Jan 2018 at 4:10 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>>
>>> I hope this is the right place to ask questions about the
>>> openshift/openshift-ansible-contrib GitHub repo, and specifically the
>>> playbooks for inst

Re: Pod persistence without replication controller

2018-01-09 Thread Joel Pearson
You could use a StatefulSet if you want a consistent hostname; it would
also ensure that there is always one running.
On Wed, 10 Jan 2018 at 3:49 am, Feld, Michael (IMS) 
wrote:

> Does anyone know why a standalone pod (without a replication controller)
> sometimes persists through a host/node reboot, but not all times (not
> evacuating first)? We have a database pod that we cannot risk scaling, and
> want to ensure that it’s always running.
>
>


Re: OpenShift Origin 3.7 Template Broker seems super flaky

2018-01-07 Thread Joel Pearson
Ahh, I looked into all the objects that were getting deleted and they all
have an ownerReference, eg:

"ownerReferences": [
    {
        "apiVersion": "template.openshift.io/v1",
        "kind": "TemplateInstance",
        "name": "75c0ccd3-642e-4035-a5cf-3c27e54cae40",
        "uid": "a7301596-f41a-11e7-88e5-fa163eb8ca3a",
        "blockOwnerDeletion": true
    }
]

That looks like what patch is about. I also found that if I tried to edit
an object and remove the ownerReference then it also triggered a garbage
collect on the spot and all the resources evaporated.

So I guess my workaround can be, run the template, wait for everything to
deploy, export all templated resources to json, strip out ownerReferences,
and create all the resources again.

On Mon, Jan 8, 2018 at 12:30 PM Joel Pearson <japear...@agiledigital.com.au>
wrote:

> Hmm, in my case I don't need to restart to cause the problem to
> happen. Is there some way to run nightlies of openshift:release-3.7 using
> the openshift-ansible? So that I can verify it's fixed for me?
>
> On Mon, Jan 8, 2018 at 12:23 PM Jordan Liggitt <jligg...@redhat.com>
> wrote:
>
>> Garbage collection in particular could be related to
>> https://bugzilla.redhat.com/show_bug.cgi?id=1525699 (fixed in
>> https://github.com/openshift/origin/pull/17818 but not included in a
>> point release yet)
>>
>>
>> On Jan 7, 2018, at 8:17 PM, Joel Pearson <japear...@agiledigital.com.au>
>> wrote:
>>
>> Hi,
>>
>> Has anyone else noticed that the new OpenShift Origin 3.7 Template Broker
>> seems super flaky?
>>
>> For example, if I deploy a Jenkins (Persistent or Ephemeral), and then I
>> modify the route, by adding an annotation for example:
>>
>> kubernetes.io/tls-acme: 'true'
>>
>> I have https://github.com/tnozicka/openshift-acme Installed in the
>> cluster which then grabs an SSL cert for me, adds it to the route, then
>> moments later all resources from the template are garbage collected for no
>> apparent reason.
>>
>> I also got the same behaviour when I modified the service account the
>> Jenkins template uses, I added an additional route so I added a new "
>> serviceaccounts.openshift.io/oauth-redirectreference.jenkins:" entry. It
>> took a bit longer (like 12 hours), but it all disappeared again.  I have a
>> suspicion that if you modify any object that a template created, then
>> eventually the template broker will remove all objects it created.
>>
>> Is there any way to disable the new template broker and use the old
>> template system?
>>
>> In Origin 3.6 it was flawless and worked with openshift-acme without any
>> problems at all.
>>
>> I should mention that if I create things manually then it works fine, I
>> can use openshift-acme, and all my resources don't vanish at whim.
>>
>> Here is a snippet of the logs, you can see the acme points are removed
>> after successfully getting a cert, and then moments later, the deleting
>> starts:
>>
>> Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
>> I0108 00:26:47.648255   1 leaderelection.go:199] successfully renewed
>> lease kube-service-catalog/service-catalog-controller-manager
>> Jan 08 00:26:47 master-0.openshift.staging.local origin-node[26684]:
>> I0108 00:26:47.744777   26749 roundrobin.go:338] LoadBalancerRR: Removing
>> endpoints for jenkins-test/acme-9cv97q5dn8:
>> Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
>> I0108 00:26:47.744777   26749 roundrobin.go:338] LoadBalancerRR: Removing
>> endpoints for jenkins-test/acme-9cv97q5dn8:
>> Jan 08 00:26:47 master-0.openshift.staging.local origin-node[26684]:
>> I0108 00:26:47.762005   26749 ovs.go:143] Error executing ovs-ofctl:
>> ovs-ofctl: None: invalid IP address
>> Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
>> I0108 00:26:47.762005   26749 ovs.go:143] Error executing ovs-ofctl:
>> ovs-ofctl: None: invalid IP address
>> Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
>> E0108 00:26:47.765091   26749 sdn_controller.go:284] Error deleting OVS
>> flows for service &{{ } {acme-9cv97q5dn8  jenkins-test
>> /api/v1/namespaces/jenkins-test/services/acme-9cv97q5dn8
>> 94c6b3b3-f40a-11e7-88e5-fa163eb8ca3a 622382 0 2018-01-08 00:26:34 + UTC
>>   map[] map[] [] nil [] } {ClusterIP [{http TCP 80 {0 80

OpenShift Origin 3.7 Template Broker seems super flaky

2018-01-07 Thread Joel Pearson
Hi,

Has anyone else noticed that the new OpenShift Origin 3.7 Template Broker
seems super flaky?

For example, if I deploy a Jenkins (Persistent or Ephemeral), and then I
modify the route, by adding an annotation for example:

kubernetes.io/tls-acme: 'true'

I have https://github.com/tnozicka/openshift-acme Installed in the cluster
which then grabs an SSL cert for me, adds it to the route, then moments
later all resources from the template are garbage collected for no apparent
reason.

I also got the same behaviour when I modified the service account the
Jenkins template uses, I added an additional route so I added a new "
serviceaccounts.openshift.io/oauth-redirectreference.jenkins:" entry. It
took a bit longer (like 12 hours), but it all disappeared again.  I have a
suspicion that if you modify any object that a template created, then
eventually the template broker will remove all objects it created.

Is there any way to disable the new template broker and use the old
template system?

In Origin 3.6 it was flawless and worked with openshift-acme without any
problems at all.

I should mention that if I create things manually then it works fine, I can
use openshift-acme, and all my resources don't vanish at whim.

Here is a snippet of the logs, you can see the acme points are removed
after successfully getting a cert, and then moments later, the deleting
starts:

Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:47.648255   1 leaderelection.go:199] successfully renewed
lease kube-service-catalog/service-catalog-controller-manager
Jan 08 00:26:47 master-0.openshift.staging.local origin-node[26684]: I0108
00:26:47.744777   26749 roundrobin.go:338] LoadBalancerRR: Removing
endpoints for jenkins-test/acme-9cv97q5dn8:
Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:47.744777   26749 roundrobin.go:338] LoadBalancerRR: Removing
endpoints for jenkins-test/acme-9cv97q5dn8:
Jan 08 00:26:47 master-0.openshift.staging.local origin-node[26684]: I0108
00:26:47.762005   26749 ovs.go:143] Error executing ovs-ofctl: ovs-ofctl:
None: invalid IP address
Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:47.762005   26749 ovs.go:143] Error executing ovs-ofctl:
ovs-ofctl: None: invalid IP address
Jan 08 00:26:47 master-0.openshift.staging.local dockerd-current[23329]:
E0108 00:26:47.765091   26749 sdn_controller.go:284] Error deleting OVS
flows for service &{{ } {acme-9cv97q5dn8  jenkins-test
/api/v1/namespaces/jenkins-test/services/acme-9cv97q5dn8
94c6b3b3-f40a-11e7-88e5-fa163eb8ca3a 622382 0 2018-01-08 00:26:34 + UTC
  map[] map[] [] nil [] } {ClusterIP [{http TCP 80 {0 80 } 0}]
map[] None  []  None []  0} {{[]}}}: exit status 1
Jan 08 00:26:47 master-0.openshift.staging.local origin-node[26684]: E0108
00:26:47.765091   26749 sdn_controller.go:284] Error deleting OVS flows for
service &{{ } {acme-9cv97q5dn8  jenkins-test
/api/v1/namespaces/jenkins-test/services/acme-9cv97q5dn8
94c6b3b3-f40a-11e7-88e5-fa163eb8ca3a 622382 0 2018-01-08 00:26:34 + UTC
  map[] map[] [] nil [] } {ClusterIP [{http TCP 80 {0 80 } 0}]
map[] None  []  None []  0} {{[]}}}: exit status 1
Jan 08 00:26:48 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:48.139090   1 rest.go:362] Starting watch for
/api/v1/namespaces, rv=622418 labels= fields= timeout=8m38s
Jan 08 00:26:48 master-0.openshift.staging.local origin-master-api[23448]:
I0108 00:26:48.139090   1 rest.go:362] Starting watch for
/api/v1/namespaces, rv=622418 labels= fields= timeout=8m38s
Jan 08 00:26:49 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:49.668205   1 leaderelection.go:199] successfully renewed
lease kube-service-catalog/service-catalog-controller-manager
Jan 08 00:26:49 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:49.885207   1 garbagecollector.go:291] processing item [
template.openshift.io/v1/TemplateInstance, namespace: jenkins-test, name:
e3639aec-bbbc-4170-b0e4-3b63735af348, uid:
915d585d-f408-11e7-88e5-fa163eb8ca3a]
Jan 08 00:26:49 master-0.openshift.staging.local
origin-master-controllers[73353]: I0108 00:26:49.885207   1
garbagecollector.go:291] processing item [
template.openshift.io/v1/TemplateInstance, namespace: jenkins-test, name:
e3639aec-bbbc-4170-b0e4-3b63735af348, uid:
915d585d-f408-11e7-88e5-fa163eb8ca3a]
Jan 08 00:26:49 master-0.openshift.staging.local dockerd-current[23329]:
I0108 00:26:49.904249   1 garbagecollector.go:394] delete object [
template.openshift.io/v1/TemplateInstance, namespace: jenkins-test, name:
e3639aec-bbbc-4170-b0e4-3b63735af348, uid:
915d585d-f408-11e7-88e5-fa163eb8ca3a] with propagation policy Background
Jan 08 00:26:49 master-0.openshift.staging.local
origin-master-controllers[73353]: I0108 00:26:49.904249   1
garbagecollector.go:394] delete object [
template.openshift.io/v1/TemplateInstance, namespace: jenkins-test, name:

Re: OpenShift Origin 3.7 Template Broker seems super flaky

2018-01-07 Thread Joel Pearson
> The TemplateInstance object should have an ownerReference to a
BrokerTemplateInstance and that reference not being handled properly is the
bug.  If you remove that ownerRef from the TemplateInstance, you should be
safe from undesired of the TemplateInstance (and the cascading delete of
everything else) (at least w/ respect to the bug we are aware of).

Nice, that did the trick.

I did an oc patch, and that fixed it:

$ oc get templateinstance
NAME   TEMPLATE
b180d814-2917-4c7e-875f-b91e5d4743e8   jenkins-ephemeral

$ oc patch templateinstance b180d814-2917-4c7e-875f-b91e5d4743e8 --type
json -p='[{"op": "remove", "path": "/metadata/ownerReferences"}]'
templateinstance "b180d814-2917-4c7e-875f-b91e5d4743e8" patched


Also, I've got another stale serviceinstance after a few rounds of testing,
I cannot for the life of me make it die, meaning I can't delete the project
that it is a part of, I've tried a force delete, but it doesn't work.

$ oc delete serviceinstance jenkins-ephemeral-8dmk9 --force --grace-period=0
warning: Immediate deletion does not wait for confirmation that the running
resource has been terminated. The resource may continue to run on the
cluster indefinitely.
serviceinstance "jenkins-ephemeral-8dmk9" deleted

$ oc get serviceinstance
NAME  AGE
jenkins-ephemeral-8dmk9   7m

What's the magic sauce to make it so that I can delete the serviceinstance?

On 8 January 2018 at 15:29, Ben Parees <bpar...@redhat.com> wrote:

>
>
> On Sun, Jan 7, 2018 at 9:35 PM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> Ahh, I looked into all the objects that were getting deleted and they all
>> have an ownerReference, eg:
>>
>> "ownerReferences": [
>>     {
>>         "apiVersion": "template.openshift.io/v1",
>>         "kind": "TemplateInstance",
>>         "name": "75c0ccd3-642e-4035-a5cf-3c27e54cae40",
>>         "uid": "a7301596-f41a-11e7-88e5-fa163eb8ca3a",
>>         "blockOwnerDeletion": true
>>     }
>> ]
>>
>> That looks like what patch is about. I also found that if I tried to edit
>> an object and remove the ownerReference then it also triggered a garbage
>> collect on the spot and all the resources evaporated.
>>
>>
> Sounds worse than the behavior we were aware of, but fundamentally what's
> causing the cascade deletion is this:
>
> Jan 08 00:26:49 master-0.openshift.staging.local dockerd-current[23329]:
> I0108 00:26:49.904249   1 garbagecollector.go:394] delete object [
> template.openshift.io/v1/TemplateInstance, namespace: jenkins-test, name:
> e3639aec-bbbc-4170-b0e4-3b63735af348, uid: 
> 915d585d-f408-11e7-88e5-fa163eb8ca3a]
> with propagation policy Background
>
> The TemplateInstance object should have an ownerReference to a
> BrokerTemplateInstance and that reference not being handled properly is the
> bug.  If you remove that ownerRef from the TemplateInstance, you should be
> safe from undesired of the TemplateInstance (and the cascading delete of
> everything else) (at least w/ respect to the bug we are aware of).
>
> That should be the only ownerRef you need to delete unless there are other
> (to date unknown) bugs in the GC behavior, or in how the TSB is creating the
> ownerRef chain.
>
>
>
>> So I guess my workaround can be, run the template, wait for everything to
>> deploy, export all templated resources to json, strip out ownerReferences,
>> and create all the resources again.
>>
>> On Mon, Jan 8, 2018 at 12:30 PM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>> Hmm, in my case I don't need to restart to cause the problem to
>>> happen. Is there some way to run nightlies of openshift:release-3.7 using
>>> the openshift-ansible? So that I can verify it's fixed for me?
>>>
>>> On Mon, Jan 8, 2018 at 12:23 PM Jordan Liggitt <jligg...@redhat.com>
>>> wrote:
>>>
>>>> Garbage collection in particular could be related to
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1525699 (fixed in
>>>> https://github.com/openshift/origin/pull/17818 but not included in a
>>>> point release yet)
>>>>
>>>>
>>>> On Jan 7, 2018, at 8:17 PM, Joel Pearson <japear...@agiledigital.com.au>
>>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> Has anyone else noticed that the new OpenShift 
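The two workarounds in this thread (export the templated resources, strip the TemplateInstance ownerReferences and re-create them; or, as Ben Parees suggests, patch the single ownerReference off the TemplateInstance) both come down to removing references that put objects on the garbage collector's cascade-delete chain. The following is an added example, not code from the thread or from OpenShift: it takes a resource List in the shape `oc get ... -o json` returns, reports which objects would be garbage collected along with their TemplateInstance, and produces a cleaned copy safe to feed to `oc create -f`. `SAMPLE` is constructed; every name and uid in it is a placeholder, and the ReplicationController entry is there only to show that unrelated owner references are preserved.

```python
"""Find and strip TemplateInstance ownerReferences from exported objects.

Added example for the export/strip/re-create workaround discussed in this
thread; not code from the thread or from OpenShift. SAMPLE is constructed:
names and uids are placeholders in the shape `oc get ... -o json` returns.
"""
import copy
import json

# Owner kinds that put an object on the TemplateInstance cascade-delete chain.
TEMPLATE_OWNER_KINDS = {"TemplateInstance", "BrokerTemplateInstance"}
# Server-assigned metadata that must not be sent back with `oc create -f`.
SERVER_ASSIGNED = ("uid", "resourceVersion", "selfLink", "creationTimestamp")


def _kind_name(item):
    return f"{item.get('kind')}/{item.get('metadata', {}).get('name')}"


def gc_targets(resource_list):
    """Names of objects that vanish when their owning TemplateInstance is GC'd."""
    targets = []
    for item in resource_list.get("items", []):
        refs = item.get("metadata", {}).get("ownerReferences") or []
        if any(r.get("kind") in TEMPLATE_OWNER_KINDS for r in refs):
            targets.append(_kind_name(item))
    return targets


def strip_template_owner_refs(resource_list):
    """Return (cleaned deep copy, number of template owner references removed).

    Only references to TemplateInstance owners are dropped; other owner
    references (e.g. a ReplicationController pointing at its DeploymentConfig)
    are kept, because they are unrelated to the bug in this thread.
    """
    cleaned = copy.deepcopy(resource_list)
    removed = 0
    for item in cleaned.get("items", []):
        meta = item.setdefault("metadata", {})
        refs = meta.get("ownerReferences") or []
        kept = [r for r in refs if r.get("kind") not in TEMPLATE_OWNER_KINDS]
        removed += len(refs) - len(kept)
        if kept:
            meta["ownerReferences"] = kept
        else:
            meta.pop("ownerReferences", None)
        for key in SERVER_ASSIGNED:       # let the API server reassign these
            meta.pop(key, None)
    return cleaned, removed


# Constructed sample: one templated Route (will be cascade-deleted), one
# DeploymentConfig without owners, one RC owned by the DC (must be preserved).
SAMPLE = {
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "Route", "apiVersion": "route.openshift.io/v1",
         "metadata": {"name": "jenkins", "namespace": "jenkins-test",
                      "uid": "placeholder-uid-route",
                      "ownerReferences": [{
                          "apiVersion": "template.openshift.io/v1",
                          "kind": "TemplateInstance",
                          "name": "placeholder-templateinstance-name",
                          "uid": "placeholder-uid-templateinstance",
                          "blockOwnerDeletion": True}]}},
        {"kind": "DeploymentConfig", "apiVersion": "apps.openshift.io/v1",
         "metadata": {"name": "jenkins", "namespace": "jenkins-test",
                      "uid": "placeholder-uid-dc"}},
        {"kind": "ReplicationController", "apiVersion": "v1",
         "metadata": {"name": "jenkins-1", "namespace": "jenkins-test",
                      "uid": "placeholder-uid-rc",
                      "ownerReferences": [{
                          "apiVersion": "apps.openshift.io/v1",
                          "kind": "DeploymentConfig", "name": "jenkins",
                          "uid": "placeholder-uid-dc"}]}},
    ],
}

if __name__ == "__main__":
    print("would be garbage collected:", gc_targets(SAMPLE))
    cleaned, n = strip_template_owner_refs(SAMPLE)
    print(f"removed {n} template owner reference(s)")
    print(json.dumps(cleaned, indent=2))
```

Run `gc_targets` first over the real export to see what is at stake; the cleaned output is what you would write to a file and pass to `oc create -f`. Removing the reference on the dependents is the belt-and-braces variant; per Ben's reply the one reference that matters is the TemplateInstance's own, which the `oc patch` shown above removes directly.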

Limiting which LDAP users can login

2018-01-04 Thread Joel Pearson
Hi,

I just wanted to check what the proper way is to limit which users are
allowed to login to OpenShift via an LDAP group.

There doesn't seem to be a way during authentication, but on the
authorisation side of things I found that if I removed
"system:authenticated" from the basic-user cluster role binding then that
seemed to have the desired effect.  Is this the right way?

So I ran these 2 commands:

oc adm policy add-cluster-role-to-group basic-user staff
oc adm policy remove-cluster-role-from-group basic-user system:authenticated

After which only users in the staff group can login if they don't already
have other permissions.

The effect on the console is a little odd.  You can login ok and it shows
an error screen, then you click continue and then you are redirected back
to the login screen.

Thanks,

Joel
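A way to verify that the two `oc adm policy` commands above had the intended effect is to audit the ClusterRoleBindings rather than trust the console's behaviour. The following is an added example, not code from the post or from OpenShift: it reads bindings in the `rbac.authorization.k8s.io/v1` shape (assumption: that is what `oc get clusterrolebindings -o json` returns on the cluster in question) and reports whether `basic-user` is still granted to `system:authenticated`, i.e. to every user LDAP will authenticate, or to any group outside an allow-list. `BEFORE` and `AFTER` are constructed to mirror the state before and after the commands in the post.

```python
"""Audit which groups hold the basic-user ClusterRole.

Added example; not from the mailing-list post or from OpenShift. Bindings
are constructed in the rbac.authorization.k8s.io/v1 shape (assumed to match
`oc get clusterrolebindings -o json`).
"""

ANY_AUTHENTICATED = "system:authenticated"


def groups_bound_to(bindings, role_name):
    """Set of Group subjects bound to ClusterRole role_name across all bindings."""
    groups = set()
    for binding in bindings.get("items", []):
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        for subject in binding.get("subjects") or []:
            if subject.get("kind") == "Group":
                groups.add(subject["name"])
    return groups


def audit_login_restriction(bindings, allowed_groups, role_name="basic-user"):
    """Findings as strings; an empty list means only allowed_groups hold the role.

    basic-user is what lets a logged-in user use the cluster at all, so the
    role bound to system:authenticated means any user the identity provider
    authenticates gets in, regardless of LDAP group membership.
    """
    allowed = set(allowed_groups)
    bound = groups_bound_to(bindings, role_name)
    findings = []
    for group in sorted(bound):
        if group == ANY_AUTHENTICATED:
            findings.append(f"{role_name} is granted to {group}: every "
                            "authenticated user can log in")
        elif group not in allowed:
            findings.append(f"{role_name} is granted to unexpected group {group}")
    if not bound & allowed:
        findings.append(f"{role_name} is not granted to any of {sorted(allowed)}")
    return findings


def _binding(name, role, *groups):
    """Constructed ClusterRoleBinding helper for the samples below."""
    return {"kind": "ClusterRoleBinding",
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "metadata": {"name": name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": role},
            "subjects": [{"kind": "Group", "name": g} for g in groups]}


# Constructed: default state, basic-user open to everyone who authenticates.
BEFORE = {"kind": "List", "items": [
    _binding("basic-users", "basic-user", ANY_AUTHENTICATED),
    _binding("cluster-admins", "cluster-admin", "system:cluster-admins"),
]}
# Constructed: state after the two oc adm policy commands in the post.
AFTER = {"kind": "List", "items": [
    _binding("basic-users", "basic-user", "staff"),
    _binding("cluster-admins", "cluster-admin", "system:cluster-admins"),
]}

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_login_restriction(state, {"staff"}) or ["ok"])
```

Feed the real `oc get clusterrolebindings -o json` output to `audit_login_restriction` with the LDAP group you expect. As the post notes, users that hold other roles through other bindings still get in; extend the allow-list check to those roles if that matters for your cluster.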


ansible service catalog continuous failures OpenShift 3.7.0

2018-01-04 Thread Joel Pearson
Hi,

I've installed OpenShift 3.7.0 containerized on OpenStack, and I'm getting
some issues with the service catalog.  It's spewing heaps of errors into
the journal. Lots of very large errors.

In the end it looks like it isn't deploying properly because it can't find
the tag it is after, as I found this in the events:

Failed to pull image "ansibleplaybookbundle/ansible-service-broker:latest":
rpc error: code = 2 desc = Tag latest not found in repository
docker.io/ansibleplaybookbundle/ansible-service-broker

I had a look at
https://hub.docker.com/r/ansibleplaybookbundle/origin-ansible-service-broker/tags/
and
It looks like it's supposed to be origin-ansible-service-broker instead of
ansible-service-broker?

As there is no latest tag here:

https://hub.docker.com/r/ansibleplaybookbundle/ansible-service-broker/tags/

The errors look like:

-- Logs begin at Thu 2018-01-04 01:07:33 UTC. --
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.106869   1 round_trippers.go:442] Response Headers:
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.106902   1 round_trippers.go:445] Cache-Control:
no-store
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.106912   1 round_trippers.go:445] Content-Type:
application/json
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.106921   1 round_trippers.go:445] Content-Length: 547
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.106929   1 round_trippers.go:445] Date: Thu, 04 Jan
2018 09:55:55 GMT
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.107083   1 request.go:836] Response Body:
{"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1
","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"verb":"update","group":"
servicecatalog.k8s.io","version":"v1beta1","resource":"clusterservicebrokers","subresource":"status","name":"ansible-service-broker"},"user":"system:serviceaccount:kube-service-catalog:service-catalog-controller","group":["system:serviceaccounts","system:serviceaccounts:kube-service-catalog","system:authenticated"]},"status":{"allowed":true,"reason":"allowed
by cluster rule"}}
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.107293   1 handler.go:150] service-catalog-apiserver:
PUT "/apis/
servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker/status"
satisfied by gorestful with webservice /apis/servicecatalog.k8s.io/v1beta1
Jan 04 09:55:55 master-0.openshift.staging.local dockerd-current[24069]:
I0104 09:55:55.116503   1 admission.go:81] Retrieved
clusterClusterServiceBroker &{{ } {ansible-service-broker   /apis/
servicecatalog.k8s.io/v1beta1/clusterservicebrokers/ansible-service-broker
dd9acb9a-f0ef-11e7-bc63-0a580a82 3141 1 2018-01-04 01:37:46 + UTC
  map[] map[] [] nil [kubernetes-incubator/service-catalog] } {
https://asb.openshift-ansible-service-broker.svc:1338/ansible-service-broker
0xc421154380 false [45 45 45 45 45 66 69 71 73 78 32 67 69 82 84 73 70 73
67 65 84 69 45 45 45 45 45 10 77 73 73 67 54 106 67 67 65 100 75 103 65 119
73 66 65 103 73 66 65 84 65 78 66 103 107 113 104 107 105 71 57 119 48 66
65 81 115 70 65 68 65 109 77 83 81 119 73 103 89 68 86 81 81 68 68 66 116
118 99 71 86 117 10 99 50 104 112 90 110 81 116 99 50 108 110 98 109 86 121
81 68 69 49 77 84 85 119 77 106 103 51 77 84 81 119 72 104 99 78 77 84 103
119 77 84 65 48 77 68 69 120 79 68 77 122 87 104 99 78 77 106 77 119 77 84
65 122 10 77 68 69 120 79 68 77 48 87 106 65 109 77 83 81 119 73 103 89 68
86 81 81 68 68 66 116 118 99 71 86 117 99 50 104 112 90 110 81 116 99 50
108 110 98 109 86 121 81 68 69 49 77 84 85 119 77 106 103 51 77 84 81 119
10 103 103 69 105 77 65 48 71 67 83 113 71 83 73 98 51 68 81 69 66 65 81 85
65 65 52 73 66 68 119 65 119 103 103 69 75 65 111 73 66 65 81 67 104 97 75
51 66 80 74 109 84 121 109 65 100 52 79 73 100 78 54 114 43 10 104 76 69 72
114 84 66 54 121 89 109 121 117 97 103 104 97 113 77 81 122 86 56 115 90 89
78 52 122 112 112 68 56 43 48 47 109 107 85 115 66 89 109 67 83 121 85 121
102 49 119 97 76 83 48 88 105 98 102 119 109 106 78 120 10 87 83 107 73 113
50 110 49 103 78 98 122 68 52 51 79 98 57 121 120 55 88 86 84 108 99 107
110 83 83 83 71 76 98 54 118 87 74 87 53 48 108 70 97 103 108 79 47 101 84
55 112 57 102 101 56 105 108 118 97 107 102 113 86 10 99 121 115 43 55 119
56 78 77 114 43 119 110 73 97 83 74 106 101 115 107 102 57 97 110 53 75 108
68 73 69 107 75 50 71 104 90 89 115 49 103 84 69 88 115 118 49 105 51 84 83
55 88 107 99 53 75 81 56 75 74 102 78 49 10 100 98 78 81 69 79 88 72 72 108
122 56 97 87 53 70 77 56 85 68 90 110 66 55 108 90 71 77 84 83 73 122 102
85 85 88 86 54 67 50 51 84 66 79 120 49 90 56 53 47 101 97 82 67 109 116 77
48 112 50 119 89 57 112 10 114 54 

Re: Passthrough TLS route not working

2018-01-19 Thread Joel Pearson
What mode are you running the AWS load balancers in? You probably want to
run them as TCP load balancers and not HTTP. That way as you say the SNI
will not get messed with.
On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein 
wrote:

> So if I bypass the AWS load balancer, everything works great.  Why doesn't
> HAProxy like the incoming requests?  I'm trying to debug the issue by
> enabling logging with
>
> oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug
>
> But the logging doesn't seem to get there (I also tried a remote server as 
> well).  I'm guessing this is probably an SNI configuration issue?
>
>
>
> On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein 
> wrote:
>
>> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of
>> my infrastructure node.  I have a pod listening on TLS on port 9090.  The
>> service links to the pod and then I have a route that is setup with
>> passthrough tls to the pod, but every time i try to access it I get the
>> "Application is not available" screen even though looking in the console the
>> service references both the router and the pod.  I have deployments that do
>> the same thing but will only work with re-encrypt.  Am I missing
>> something?  Is there an issue using the AWS load balancer with passthrough?
>>
>> Thanks
>>
>


Re: Passthrough TLS route not working

2018-01-19 Thread Joel Pearson
In the reference implementation they use Classic ELB load balancers in TCP
mode:

See this cloud formation template:
https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/playbooks/roles/cloudformation-infra/files/greenfield.json.j2#L763

On Sat, Jan 20, 2018 at 8:55 AM Joel Pearson <japear...@agiledigital.com.au>
wrote:

> What mode are you running the AWS load balancers in? You probably want to
> run them as TCP load balancers and not HTTP. That way as you say the SNI
> will not get messed with.
> On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein <mboorsht...@gmail.com>
> wrote:
>
>> So if I bypass the AWS load balancer, everything works great.  Why
>> doesn't HAProxy like the incoming requests?  I'm trying to debug the issue
>> by enabling logging with
>>
>> oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug
>>
>> But the logging doesn't seem to get there (I also tried a remote server as 
>> well).  I'm guessing this is probably an SNI configuration issue?
>>
>>
>>
>> On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein <mboorsht...@gmail.com>
>> wrote:
>>
>>> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of
>>> my infrastructure node.  I have a pod listening on TLS on port 9090.  The
>>> service links to the pod and then I have a route that is setup with
>>> passthrough tls to the pod, but every time i try to access it I get the
>>> "Application is not available" screen even though looking in the console the
>>> service references both the router and the pod.  I have deployments that do
>>> the same thing but will only work with re-encrypt.  Am I missing
>>> something?  Is there an issue using the AWS load balancer with passthrough?
>>>
>>> Thanks
>>>
>>
>


Re: Deployment getting deleted when running configure.yml again

2018-01-30 Thread Joel Pearson
I presume you’re running OpenShift 3.7?

If you’re running the new template broker (openshift-ansible installs it)
it has a nasty bug that does what you describe. But you can work around it
by removing an owner reference see:

https://lists.openshift.redhat.com/openshift-archives/users/2018-January/msg00045.html
On Tue, 30 Jan 2018 at 9:53 pm, Alon Zusman  wrote:

> Hello,
> I have an OpenShift cluster with 3 masters, 3 infra, 3 nodes.
>
> I change the cluster configuration from time to time, and whenever I run
> config.yml (after the first time) all the deployments that were created
> using a provisioned service get deleted.
>
> That is a huge problem for me.
> Am I missing something? Should I be running a different playbook?
> Thank you.
>


Re: Deployment getting deleted when running configure.yml again

2018-02-13 Thread Joel Pearson
The information about where the bug is fixed is:

https://lists.openshift.redhat.com/openshift-archives/users/2018-January/msg00042.html
On Mon, 5 Feb 2018 at 8:19 pm, Alon Zusman  wrote:

> Yes I do. This fix worked a few times but then it started to make the
> router and other things get deleted. Anyway this is not something that I
> can do for every user that wants to use the services I provide.
> I could not find the bug opened for this or anything on it actually on
> Google. (Could not even find the post you linked.)
> When will a true fix be available?
> Thanks.


How to use DNS hostname of OpenShift on AWS

2018-02-21 Thread Joel Pearson
Hi,

I'm trying to figure out how to use the DNS hostname when deploying
OpenShift on AWS using
https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture/aws-ansible
Currently
it uses private dns name, eg, ip-10-2-7-121.ap-southeast-2.compute.internal
but that isn't too useful a name for me.  I've managed to set the hostname
on the ec2 instance properly by disabling the relevant cloud-init setting,
but it still grabs the private dns name somehow.

I tried adding "openshift_hostname" to be the same as "name" on this line:
https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/playbooks/roles/instance-groups/tasks/main.yaml#L11

Which did set the hostname in the node-config.yaml, but then when running
"oc get nodes" it still returned the private dns name somehow, and
installation failed waiting for the nodes to start properly, I guess a
mismatch between node names somewhere.

I found an old github issue, but it's all referring to files in ansible
that no longer exist:
https://github.com/openshift/openshift-ansible/issues/1170

Even on OpenShift Online Starter, they're using the default ec2 names,
eg: ip-172-31-28-11.ca-central-1.compute.internal, which isn't a good sign
I guess.

Has anyone successfully used a DNS name for OpenShift on AWS?

Thanks,

Joel


Re: How to use DNS hostname of OpenShift on AWS

2018-02-21 Thread Joel Pearson
Michael are you running OpenShift on AWS?

https://github.com/openshift/openshift-ansible-contrib/tree/master/reference-architecture/aws-ansible
is the AWS reference architecture and it does use openshift-ansible once
the infrastructure is built, but it uses a dynamic inventory.

It’s not an option for us to skip the aws reference architecture when
installing OpenShift, as that would be rather painful since we’re relying
heavily on cloud formation and the dynamic inventory.

While ansible is running the hostnames are correct, so I’m suspecting that
maybe OpenShift itself is detecting the cloud provider and overriding the
hostname or maybe the ansible playbook is doing something similar. Inside
the ansible openshift_facts python library I saw some custom hostname
handling for Google Cloud, but not for AWS, but it made me suspicious
thinking it might be hiding somewhere else.
On Wed, 21 Feb 2018 at 11:38 pm, Feld, Michael (IMS) <fe...@imsweb.com>
wrote:

> Deploying with https://github.com/openshift/openshift-ansible you can
> define the hostnames in your inventory file. There is a sample inventory
> file at
> https://docs.openshift.org/latest/install_config/install/advanced_install.html
> that shows how to define the master/etcd/nodes, and those names should be
> used as the hostnames in the cluster.


Re: openvswitch?

2017-12-20 Thread Joel Pearson
It’s in the paas repo
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/
On Thu, 21 Dec 2017 at 1:09 am, Tim Dudgeon  wrote:

> I just started hitting this error when using the ansible installer
> (installing v3.70 from openshift-ansible on branch release-3.7).
>
> 1. Hosts:host-10-0-0-10, host-10-0-0-13, host-10-0-0-7,
> host-10-0-0-8, host-10-0-0-9
>   Play: OpenShift Health Checks
>   Task: Run health checks (install) - EL
>   Message:  One or more checks failed
>   Details:  check "package_availability":
> Could not perform a yum update.
> Errors from dependency resolution:
>   origin-sdn-ovs-3.7.0-1.0.7ed6862.x86_64 requires
> openvswitch >= 2.6.1
> You should resolve these issues before proceeding with
> an install.
> You may need to remove or downgrade packages or
> enable/disable yum repositories.
>
> check "package_version":
> Not all of the required packages are available at their
> requested version
> openvswitch:['2.6', '2.7', '2.8']
> Please check your subscriptions and enabled repositories.
>
> This was not happening before. Where does openvswitch come from? Can't
> find it in the standard rpm repos.
>
> Tim
>


Re: nginx in front of haproxy ?

2018-01-03 Thread Joel Pearson
It’s also worth mentioning that the console is not haproxy. That is the
router, which runs on the infrastructure nodes. The console/api server runs
something else.
On Wed, 3 Jan 2018 at 1:46 am, Fabio Martinelli <
fabio.martinelli.1...@gmail.com> wrote:

> It was actually necessary to rewrite the master-config.yaml in this other
> way, basically removing all the :8443 strings in the 'public' fields, i.e.
> to make it implicitly appear as :443
>
> admissionConfig:
>   pluginConfig:
> BuildDefaults:
>   configuration:
> apiVersion: v1
> env: []
> kind: BuildDefaultsConfig
> resources:
>   limits: {}
>   requests: {}
> BuildOverrides:
>   configuration:
> apiVersion: v1
> kind: BuildOverridesConfig
> PodPreset:
>   configuration:
> apiVersion: v1
> disable: false
> kind: DefaultAdmissionConfig
> openshift.io/ImagePolicy:
>   configuration:
> apiVersion: v1
> executionRules:
> - matchImageAnnotations:
>   - key: images.openshift.io/deny-execution
> value: 'true'
>   name: execution-denied
>   onResources:
>   - resource: pods
>   - resource: builds
>   reject: true
>   skipOnResolutionFailure: true
> kind: ImagePolicyConfig
> aggregatorConfig:
>   proxyClientInfo:
> certFile: aggregator-front-proxy.crt
> keyFile: aggregator-front-proxy.key
> apiLevels:
> - v1
> apiVersion: v1
> assetConfig:
>   extensionScripts:
>   - /etc/origin/master/openshift-ansible-catalog-console.js
>   logoutURL: ""
>   masterPublicURL: https://hosting.wfp.org
>   metricsPublicURL: https://metrics.hosting.wfp.org/hawkular/metrics
>   publicURL: https://hosting.wfp.org/console/
>   servingInfo:
> bindAddress: 0.0.0.0:8443
> bindNetwork: tcp4
> certFile: master.server.crt
> clientCA: ""
> keyFile: master.server.key
> maxRequestsInFlight: 0
> requestTimeoutSeconds: 0
> authConfig:
>   requestHeader:
> clientCA: front-proxy-ca.crt
> clientCommonNames:
> - aggregator-front-proxy
> extraHeaderPrefixes:
> - X-Remote-Extra-
> groupHeaders:
> - X-Remote-Group
> usernameHeaders:
> - X-Remote-User
> controllerConfig:
>   election:
> lockName: openshift-master-controllers
>   serviceServingCert:
> signer:
>   certFile: service-signer.crt
>   keyFile: service-signer.key
> controllers: '*'
> corsAllowedOrigins:
> - (?i)//127\.0\.0\.1(:|\z)
> - (?i)//localhost(:|\z)
> - (?i)//10\.11\.41\.85(:|\z)
> - (?i)//kubernetes\.default(:|\z)
> - (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes(:|\z)
> - (?i)//openshift\.default(:|\z)
> - (?i)//hosting\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc(:|\z)
> - (?i)//172\.30\.0\.1(:|\z)
> - (?i)//wfpromshap21\.global\.wfp\.org(:|\z)
> - (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
> - (?i)//kubernetes\.default\.svc(:|\z)
> - (?i)//openshift(:|\z)
> dnsConfig:
>   bindAddress: 0.0.0.0:8053
>   bindNetwork: tcp4
> etcdClientInfo:
>   ca: master.etcd-ca.crt
>   certFile: master.etcd-client.crt
>   keyFile: master.etcd-client.key
>   urls:
>   - https://wfpromshap21.global.wfp.org:2379
>   - https://wfpromshap22.global.wfp.org:2379
>   - https://wfpromshap23.global.wfp.org:2379
> etcdStorageConfig:
>   kubernetesStoragePrefix: kubernetes.io
>   kubernetesStorageVersion: v1
>   openShiftStoragePrefix: openshift.io
>   openShiftStorageVersion: v1
> imageConfig:
>   format: openshift/origin-${component}:${version}
>   latest: false
> kind: MasterConfig
> kubeletClientInfo:
>   ca: ca-bundle.crt
>   certFile: master.kubelet-client.crt
>   keyFile: master.kubelet-client.key
>   port: 10250
> kubernetesMasterConfig:
>   apiServerArguments:
> runtime-config:
> - apis/settings.k8s.io/v1alpha1=true
> storage-backend:
> - etcd3
> storage-media-type:
> - application/vnd.kubernetes.protobuf
>   controllerArguments:
>   masterCount: 3
>   masterIP: 10.11.41.85
>   podEvictionTimeout:
>   proxyClientInfo:
> certFile: master.proxy-client.crt
> keyFile: master.proxy-client.key
>   schedulerArguments:
>   schedulerConfigFile: /etc/origin/master/scheduler.json
>   servicesNodePortRange: ""
>   servicesSubnet: 172.30.0.0/16
>   staticNodeNames: []
> masterClients:
>   externalKubernetesClientConnectionOverrides:
> acceptContentTypes:
> application/vnd.kubernetes.protobuf,application/json
> burst: 400
> contentType: application/vnd.kubernetes.protobuf
> qps: 200
>   externalKubernetesKubeConfig: ""
>   openshiftLoopbackClientConnectionOverrides:
> acceptContentTypes:
> application/vnd.kubernetes.protobuf,application/json
> burst: 600
> contentType: application/vnd.kubernetes.protobuf
> qps: 300
>   openshiftLoopbackKubeConfig: openshift-master.kubeconfig
> masterPublicURL: https://hosting.wfp.org
> networkConfig:
> 

What is the most current OpenShift on OpenStack playbooks?

2018-08-29 Thread Joel Pearson
Hi,

I just wanted to find out if
https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack
is
still the most current for deploying OpenShift on OpenStack?

I had a read of
https://access.redhat.com/documentation/en-us/reference_architectures/2018/html-single/deploying_and_managing_openshift_3.9_on_red_hat_openstack_platform_10/
but
it doesn't appear to use Ansible for the OpenStack infrastructure
configuration, but rather it is done by hand.

Is there an equivalent of the AMI approach for OpenShift nodes, ie:
https://github.com/openshift/openshift-ansible/tree/master/playbooks/aws ?

Or is that something I'd need to do myself if I wanted such a thing?

Thanks,

Joel


Re: How to make 172.30.0.1 (kubernetes service) health checked?

2018-09-10 Thread Joel Pearson
Hi Clayton,

Sorry for the extensive delay, but I’ve been thinking about this more and
I’m wondering if it’s safe to remove a master from the endpoint just before
restarting it (say in Ansible), so that failures aren’t seen inside the
cluster?

Or would something in Kubernetes just go and add the master back to the
endpoint?

Alternatively, would it be possible to tell Kubernetes not to add the
individual masters to that endpoint and use a load balancer instead? Say a
private ELB for example?

Or are there future features in kubernetes that will make master failover
more reliable internally?

Thanks,

Joel
On Thu, 28 Jun 2018 at 12:48 pm, Clayton Coleman 
wrote:

> In OpenShift 3.9, when a master goes down the endpoints object should be
> updated within 15s (the TTL on the record for the master).  You can check
> the value of "oc get endpoints -n default kubernetes" - if you still see
> the master IP in that list after 15s then something else is wrong.
>
> On Wed, Jun 27, 2018 at 9:33 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> Hi,
>>
>> I'm running OpenShift 3.9 on AWS with masters in HA mode using Classic
>> ELBs doing TCP load balancing.  If I restart masters, from outside the
>> cluster the ELB does the right thing and takes a master out of service.
>> However, if something tries to talk to the kubernetes API inside the
>> cluster, it seems that kubernetes is unaware the master is missing, and I
>> get failures when I'm serially restarting masters.
>>
>> Is there some way that I can point the kubernetes service to use the load
>> balancer?  Maybe I should update the kubernetes endpoint object to use the
>> ELB IP address instead of the actual master addresses?  Is this a valid
>> approach?  Is there some way with openshift-ansible I can tell the
>> kubernetes service to use the load balancer when it creates the kubernetes
>> service?
>>
>>  Thanks,
>>
>> Joel
>>
>>
>> apiVersion: v1
>> kind: Service
>> metadata:
>>   creationTimestamp: '2018-06-27T06:30:50Z'
>>   labels:
>> component: apiserver
>> provider: kubernetes
>>   name: kubernetes
>>   namespace: default
>>   resourceVersion: '45'
>>   selfLink: /api/v1/namespaces/default/services/kubernetes
>>   uid: a224fd75-79d3-11e8-bd57-0a929ba50438
>> spec:
>>   clusterIP: 172.30.0.1
>>   ports:
>> - name: https
>>   port: 443
>>   protocol: TCP
>>   targetPort: 443
>> - name: dns
>>   port: 53
>>   protocol: UDP
>>   targetPort: 8053
>> - name: dns-tcp
>>   port: 53
>>   protocol: TCP
>>   targetPort: 8053
>>   sessionAffinity: ClientIP
>>   sessionAffinityConfig:
>> clientIP:
>>   timeoutSeconds: 10800
>>   type: ClusterIP
>> status:
>>   loadBalancer: {}
>>
>>
>> apiVersion: v1
>> kind: Endpoints
>> metadata:
>>   creationTimestamp: '2018-06-27T06:30:50Z'
>>   name: kubernetes
>>   namespace: default
>>   resourceVersion: '83743'
>>   selfLink: /api/v1/namespaces/default/endpoints/kubernetes
>>   uid: a22a0283-79d3-11e8-bd57-0a929ba50438
>> subsets:
>>   - addresses:
>>   - ip: 10.2.12.53
>>   - ip: 10.2.12.72
>>   - ip: 10.2.12.91
>> ports:
>>   - name: dns
>> port: 8053
>> protocol: UDP
>>   - name: dns-tcp
>> port: 8053
>> protocol: TCP
>>   - name: https
>> port: 443
>> protocol: TCP
>>


Re: scheduler policy to spread pods

2018-07-04 Thread Joel Pearson
You’re probably after pod anti-affinity?
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

That lets you tell the scheduler that the pods aren’t allowed to be on the
same node for example.
On Wed, 4 Jul 2018 at 8:51 pm, Tim Dudgeon  wrote:

> I've got a process that fires up a number of pods (bare pods, not backed
> by replication controller) to execute a computationally demanding job in
> parallel.
> What I find is that the pods do not spread effectively across the
> available nodes. In my case I have a node selector that restricts
> execution to 3 nodes, and the pods run mostly on the first node, a few
> run on the second node, and none run on the third node.
>
> I know that I could specify cpu resource requests and limits to help
> with this, but for other reasons I'm currently unable to do this.
>
> It looks like this is controllable through the scheduler, but the
> options for controlling this look pretty complex.
> Could someone advise on how best to allow pods to spread evenly across
> nodes rather than execute preferentially on one node?
>
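An added example, not from the thread, of what the anti-affinity rule Joel points to looks like for Tim's case: one of the bare compute pods, labelled so the scheduler can tell the batch's pods apart and asked to avoid nodes that already run one. The pod name, the job-group label, the node-selector label and the image are hypothetical.

```yaml
# Added example (not from the thread): one bare pod of the batch job.
apiVersion: v1
kind: Pod
metadata:
  name: compute-job-0            # hypothetical; one such pod per job instance
  labels:
    job-group: compute-batch     # hypothetical label shared by every pod of the batch
spec:
  # Tim's existing restriction to the 3 compute nodes (hypothetical label).
  nodeSelector:
    node-role: compute
  affinity:
    podAntiAffinity:
      # "preferred" is a soft rule: nodes that already host a compute-batch pod
      # score lower rather than being refused, so a batch larger than 3 pods
      # still schedules once every node has one, and the spread stays even.
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: job-group
              operator: In
              values:
              - compute-batch
          # spread is measured per node; a zone label here would spread across zones instead
          topologyKey: kubernetes.io/hostname
  containers:
  - name: worker
    image: example.com/compute-worker:latest   # hypothetical image
```

Switching the rule to requiredDuringSchedulingIgnoredDuringExecution makes it hard: at most one batch pod per node, and any pod beyond the three nodes stays Pending until a node frees up.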


Re: scheduler policy to spread pods

2018-07-04 Thread Joel Pearson
Here’s an OpenShift reference for the same thing.

https://docs.openshift.com/container-platform/3.6/admin_guide/scheduling/pod_affinity.html


Re: OpenStack cloud provider problems

2018-01-17 Thread Joel Pearson
Complete stab in the dark, but maybe your OpenStack account doesn’t have
enough privileges to be able to complete an install?
On Wed, 17 Jan 2018 at 9:46 pm, Tim Dudgeon  wrote:

> I'm still having problems getting the OpenStack cloud provider running.
>
> I have a minimal OpenShift Origin 3.7 Ansible install that runs OK. But
> when I add the definition for the OpenStack cloud provider (just the
> cloud provider definition, nothing yet that uses it) the installation
> fails like this:
>
> TASK [nickhammond.logrotate : nickhammond.logrotate | Setup logrotate.d
> scripts]
>
> ***
>
> RUNNING HANDLER [openshift_node : restart node]
>
> 
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> fatal: [orndev-node-000]: FAILED! => {"attempts": 3, "changed": false,
> "msg": "Unable to restart service origin-node: Job for
> origin-node.service failed because the control process exited with error
> code. See \"systemctl status origin-node.service\" and \"journalctl
> -xe\" for details.\n"}
> fatal: [orndev-node-001]: FAILED! => {"attempts": 3, "changed": false,
> "msg": "Unable to restart service origin-node: Job for
> origin-node.service failed because the control process exited with error
> code. See \"systemctl status origin-node.service\" and \"journalctl
> -xe\" for details.\n"}
> fatal: [orndev-master-000]: FAILED! => {"attempts": 3, "changed": false,
> "msg": "Unable to restart service origin-node: Job for
> origin-node.service failed because the control process exited with error
> code. See \"systemctl status origin-node.service\" and \"journalctl
> -xe\" for details.\n"}
> fatal: [orndev-node-002]: FAILED! => {"attempts": 3, "changed": false,
> "msg": "Unable to restart service origin-node: Job for
> origin-node.service failed because the control process exited with error
> code. See \"systemctl status origin-node.service\" and \"journalctl
> -xe\" for details.\n"}
> fatal: [orndev-infra-000]: FAILED! => {"attempts": 3, "changed": false,
> "msg": "Unable to restart service origin-node: Job for
> origin-node.service failed because the control process exited with error
> code. See \"systemctl status origin-node.service\" and \"journalctl
> -xe\" for details.\n"}
>
> RUNNING HANDLER [openshift_node : reload systemd units]
>
> 
>  to retry, use: --limit
> @/home/centos/openshift-ansible/playbooks/byo/config.retry
>
>
> Looking on one of the nodes I see this error in the origin-node.service
> logs:
>
> Jan 17 09:40:49 orndev-master-000 origin-node[2419]: E0117
> 09:40:49.7468062419 kubelet_node_status.go:106] Unable to register
> node "orndev-master-000" with API server: nodes "orndev-master-000" is
> forbidden: node 10.0.0.6 cannot modify node orndev-master-000
>
> The /etc/origin/cloudprovider/openstack.conf file has been created OK,
> and looks to be what is expected.
> But I can't be sure its specified correctly and will work. In fact if I
> deliberately change the configuration to use an invalid openstack
> username the install fails at the same place, but the error message on
> the node is different:
>
> Jan 17 10:08:58 orndev-master-000 origin-node[24066]: F0117
> 10:08:58.474152   24066 start_node.go:159] could not init cloud provider
> "openstack": Authentication failed
>
> When set back to the right username the node service again fails because
> of:
> Unable to register node "orndev-master-000" with API server: nodes
> "orndev-master-000" is forbidden: node 10.0.0.6 cannot modify node
> orndev-master-000
>
> How can this be tested on a node to ensure that the cloud provider is
> configured correctly?
> Any idea what the "node 10.0.0.6 cannot modify node orndev-master-000"
> error is about?
>
>
>
>

Re: OpenStack cloud provider problems

2018-01-17 Thread Joel Pearson
Have you tried an OpenStack users list? It sounds like you need someone
with in-depth OpenStack knowledge
On Wed, 17 Jan 2018 at 9:55 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> So what does "complete an install" entail?
> Presumably  OpenShift/Kubernetes is trying to do something in OpenStack
> but this is failing.
>
> But what is it trying to do?

Re: Can the Origin Ansible Playbook stop on "Restart node" **fatal** errors?

2018-03-14 Thread Joel Pearson
You could edit the
openshift-ansible\playbooks\common\openshift-node\restart.yml and add:

max_fail_percentage: 0

under

serial: "{{ openshift_restart_nodes_serial | default(1) }}"

That, in theory, should make it fail straight away.

On Wed, Mar 14, 2018 at 9:46 PM Alan Christie <
achris...@informaticsmatters.com> wrote:

> Hi,
>
> I’ve been running the Ansible release-3.7 branch playbook and occasionally
> I get errors restarting nodes. I’m not looking for help on why my nodes are
> not restarting, but I am curious as to why the playbook continues when there
> are fatal errors that eventually lead to a failure some 30 minutes or so
> later. Especially annoying if you happen a) not to be looking at the screen
> at the time of the original failure or b) to be running the installation
> inside another IaC framework.
>
> Is there an option to “stop on fatal” I’m missing by chance?
>
> Here’s a typical failure at (in my case) 21 minutes in…
>
>
> RUNNING HANDLER [openshift_node : restart node]
> ***
> Wednesday 14 March 2018  10:12:44 + (0:00:00.081)   0:21:47.968 ***
> skipping: [os-master-1]
> skipping: [os-node-001]
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (3 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (2 retries left).
> FAILED - RETRYING: restart node (1 retries left).
> FAILED - RETRYING: restart node (1 retries left).
>
>
> fatal: [os-infra-1]: FAILED! => {"attempts": 3, "changed": false, "msg":
> "Unable to restart service origin-node: Job for origin-node.service failed
> because the control process exited with error code. See \"systemctl status
> origin-node.service\" and \"journalctl -xe\" for details.\n"}
> fatal: [os-node-002]: FAILED! => {"attempts": 3, "changed": false, "msg": "Unable
> to restart service origin-node: Job for origin-node.service failed because
> the control process exited with error code. See \"systemctl status
> origin-node.service\" and \"journalctl -xe\" for details.\n"}
> And the roll-out finally "gives up the ghost" (in my case) after a further
> 30 minutes...
>
> TASK [debug]
> *
> Wednesday 14 March 2018  10:42:20 + (0:00:00.117)   0:51:23.829
> ***
> skipping: [os-master-1]
> to retry, use: --limit
> @/home/centos/abc/orchestrator/openshift/openshift-ansible/playbooks/byo/config.retry
>
> PLAY RECAP
> ***
> localhost  : ok=13   changed=0unreachable=0
>   failed=0
> os-infra-1 : ok=182  changed=70   unreachable=0
>   failed=1
> os-master-1: ok=539  changed=210  unreachable=0
>   failed=0
> os-node-001: ok=188  changed=65   unreachable=0
>   failed=0
> os-node-002: ok=165  changed=61   unreachable=0
>   failed=1
>
> Alan Christie
>
>
>
>
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
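Alan's complaint above is that the fatal shows up at 21 minutes but the run only dies at 51. Joel's `max_fail_percentage: 0` fixes that on the playbook side; what follows is an added example, not code from this thread or from openshift-ansible, that watches the playbook output for the same signal from the outside, so a wrapper script (or another IaC tool driving the install) can alert the moment a non-ignored `fatal:` line appears and can read the PLAY RECAP afterwards. The sample output is constructed from the lines quoted above; the extra task with `...ignoring` is made up to show how failures tolerated by `ignore_errors` are skipped.

```python
import re
import sys

# Constructed sample of ansible-playbook output, modelled on the lines quoted
# in this thread (host and task names from the thread; messages shortened,
# the "some later task" with "...ignoring" is made up).
SAMPLE_OUTPUT = """\
RUNNING HANDLER [openshift_node : restart node] ******
Wednesday 14 March 2018  10:12:44 +0000 (0:00:00.081)       0:21:47.968 ******
skipping: [os-master-1]
FAILED - RETRYING: restart node (3 retries left).
FAILED - RETRYING: restart node (1 retries left).
fatal: [os-infra-1]: FAILED! => {"attempts": 3, "changed": false, "msg": "Unable to restart service origin-node"}
fatal: [os-node-002]: FAILED! => {"attempts": 3, "changed": false, "msg": "Unable to restart service origin-node"}
TASK [openshift_node : some later task] ******
fatal: [os-node-001]: FAILED! => {"msg": "tolerated failure"}
...ignoring
TASK [debug] ******
Wednesday 14 March 2018  10:42:20 +0000 (0:00:00.117)       0:51:23.829 ******
PLAY RECAP ******
localhost                  : ok=13   changed=0    unreachable=0    failed=0
os-infra-1                 : ok=182  changed=70   unreachable=0    failed=1
os-master-1                : ok=539  changed=210  unreachable=0    failed=0
os-node-001                : ok=188  changed=65   unreachable=0    failed=0
os-node-002                : ok=165  changed=61   unreachable=0    failed=1
"""

TASK_RE = re.compile(r"^(?:TASK|RUNNING HANDLER) \[(?P<name>[^\]]+)\]")
FATAL_RE = re.compile(r"^fatal: \[(?P<host>[^\]]+)\]: (?P<status>FAILED|UNREACHABLE)!")
RECAP_RE = re.compile(
    r"^(?P<host>\S+)\s*: ok=(?P<ok>\d+)\s+changed=(?P<changed>\d+)"
    r"\s+unreachable=(?P<unreachable>\d+)\s+failed=(?P<failed>\d+)")


def fatal_events(lines):
    """Yield (task, host, status) for every fatal line, skipping those that
    ansible marks with a following '...ignoring' line (ignore_errors)."""
    task = None
    pending = None  # a fatal whose next line we have not seen yet
    for line in lines:
        line = line.rstrip("\n")
        if pending is not None:
            if line.strip() == "...ignoring":
                pending = None
                continue
            yield pending
            pending = None
        m = TASK_RE.match(line)
        if m:
            task = m.group("name")
            continue
        m = FATAL_RE.match(line)
        if m:
            pending = (task, m.group("host"), m.group("status"))
    if pending is not None:
        yield pending


def first_fatal(output):
    """Return the first real fatal event in a captured output string, or None."""
    return next(fatal_events(output.splitlines()), None)


def failed_hosts(output):
    """Parse PLAY RECAP into {host: (failed, unreachable)} for hosts with problems."""
    result = {}
    in_recap = False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
            continue
        if not in_recap:
            continue
        m = RECAP_RE.match(line)
        if m and (int(m.group("failed")) or int(m.group("unreachable"))):
            result[m.group("host")] = (int(m.group("failed")), int(m.group("unreachable")))
    return result


if __name__ == "__main__":
    # Usage: ansible-playbook ... | tee install.log | python3 fatal_watch.py
    # Alerts as soon as a non-ignored fatal is printed; the play itself keeps
    # running, which is exactly what max_fail_percentage: 0 would stop.
    for task, host, status in fatal_events(sys.stdin):
        print(f"ALERT: {status} on {host} during task '{task}'", flush=True)
```

The watcher only sees what the default callback prints, so run it against the live stream (pipe, not a file opened afterwards) if the point is to notice the failure at minute 21 rather than at minute 51.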


Re: glusterfs setup

2018-03-28 Thread Joel Pearson
“Distributed-Three-way replication is the only supported volume type.”

https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/container-native_storage_for_openshift_container_platform/ch03s02


On Thu, 29 Mar 2018 at 12:00 am, Tim Dudgeon  wrote:

> When using native glusterfs it's not clear to me how to configure the
> types of storage.
>
> As described in the glusterfs docs [1] there are multiple types of
> volume that can be created (Distributed, Replicated, Distributed
> Replicated, Striped, Distributed Striped).
>
> In the example ansible inventory file [2] you are suggested to set up
> the glusterfs_devices variable like this:
>
> [glusterfs]
> node0  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
> node1  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
> node2  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
>
> But how are those block devices utilised to create a
> particular type of volume?
>
> How would you specify that you wanted multiple types of volume
> (presumably each with its own storage class)?
>
> Thanks
> Tim
>
> [1]
>
> https://docs.gluster.org/en/latest/Quick-Start-Guide/Architecture/#types-of-volumes
> [2]
>
> https://github.com/openshift/openshift-ansible/blob/master/inventory/hosts.glusterfs.native.example
>
>


Re: glusterfs setup

2018-03-28 Thread Joel Pearson
You’d have to run your Gluster cluster separate from OpenShift if you want
a different volume type I’m guessing.
On Thu, 29 Mar 2018 at 12:15 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:

> Ah! That's a shame.
>
> Tim
>
> On 28/03/18 14:11, Joel Pearson wrote:
>
> “Distributed-Three-way replication is the only supported volume type.”
>
>
> https://access.redhat.com/documentation/en-us/red_hat_gluster_storage/3.2/html/container-native_storage_for_openshift_container_platform/ch03s02
>
>
> On Thu, 29 Mar 2018 at 12:00 am, Tim Dudgeon <tdudgeon...@gmail.com>
> wrote:
>
>> When using native glusterfs it's not clear to me how to configure the
>> types of storage.
>>
>> As described in the glusterfs docs [1] there are multiple types of
>> volume that can be created (Distributed, Replicated, Distributed
>> Replicated, Striped, Distributed Striped).
>>
>> In the example ansible inventory file [2] you are suggested to set up
>> the glusterfs_devices variable like this:
>>
>> [glusterfs]
>> node0  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
>> node1  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
>> node2  glusterfs_devices='[ "/dev/vdb", "/dev/vdc", "/dev/vdd" ]'
>>
>> But how are those block devices utilised to create a
>> particular type of volume?
>>
>> How would you specify that you wanted multiple types of volume
>> (presumably each with its own storage class)?
>>
>> Thanks
>> Tim
>>
>> [1]
>>
>> https://docs.gluster.org/en/latest/Quick-Start-Guide/Architecture/#types-of-volumes
>> [2]
>>
>> https://github.com/openshift/openshift-ansible/blob/master/inventory/hosts.glusterfs.native.example
>>
>>
>
>


Re: Accessing Remote Files via SSHFS

2018-03-28 Thread Joel Pearson
A quick google found this:

https://karlstoney.com/2017/03/01/fuse-mount-in-kubernetes/

It looks like the approach would work for you too. But it’s worth
mentioning that he’s doing the mount from within the container, so he needs
the pod to start as a privileged pod. You can do that in OpenShift, but
running privileged pods does have security implications, so it depends whether
you trust your legacy app enough to run it this way.
On Thu, 29 Mar 2018 at 1:59 am, Jamie Jackson  wrote:

> Hi Folks,
>
> I'm in the process of containerizing my stack. One of the pieces of the
> legacy stack accesses a remote file system over SSHFS (autofs manages the
> access). What would be the best way to handle this kind of requirement on
> OpenShift?
>
> FYI, I'm currently using straight docker for the stack (docker-compose,
> but no orchestration), but the end goal is probably to run on OpenShift, so
> I'm trying to approach things in a way that will be most transferable to
> OpenShift.
>
> (Note, this conversation started on Google Groups:
> https://groups.google.com/d/msg/openshift/9hjDE2INe5o/vqPoQq-6AwAJ )
>
> Thanks,
> Jamie
>
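To go with Joel's caveat about privileged pods: an added example, not from this thread or from the linked article, that audits the output of `oc get pods --all-namespaces -o json` for containers that run privileged or add CAP_SYS_ADMIN (the capability a FUSE mount performed inside the container needs), and reports which SCC admitted each pod from the `openshift.io/scc` annotation. The pod JSON is constructed; the namespace and pod names are made up.

```python
import json
import sys

# Constructed sample in the shape of `oc get pods --all-namespaces -o json`,
# trimmed to the fields the audit reads. Namespaces and pod names are made up.
SAMPLE_PODS_JSON = json.dumps({
    "kind": "List",
    "items": [
        {
            "metadata": {"namespace": "legacy", "name": "sshfs-app-1-abcde",
                         "annotations": {"openshift.io/scc": "privileged"}},
            "spec": {"containers": [
                {"name": "app", "securityContext": {"privileged": True}}]},
        },
        {
            "metadata": {"namespace": "legacy", "name": "fuse-sidecar-1-fghij",
                         "annotations": {"openshift.io/scc": "privileged"}},
            "spec": {"containers": [
                {"name": "mounter",
                 "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}},
                {"name": "web"}]},
        },
        {
            "metadata": {"namespace": "demo", "name": "hello-1-klmno",
                         "annotations": {"openshift.io/scc": "restricted"}},
            "spec": {"containers": [{"name": "hello"}]},
        },
    ],
})


def privilege_findings(pods_json):
    """Return (namespace, pod, container, reason, scc) for every container that is
    fully privileged or adds CAP_SYS_ADMIN. Init containers are checked too."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((meta["namespace"], meta["name"], c["name"],
                                 "privileged", scc))
            added = (sc.get("capabilities") or {}).get("add") or []
            if "SYS_ADMIN" in added:
                findings.append((meta["namespace"], meta["name"], c["name"],
                                 "cap:SYS_ADMIN", scc))
    return findings


if __name__ == "__main__":
    # Usage: oc get pods --all-namespaces -o json | python3 privileged_audit.py
    for ns, pod, container, reason, scc in privilege_findings(sys.stdin.read()):
        print(f"{ns}/{pod} container={container} {reason} scc={scc}")
```

Running this periodically against the cluster gives you the list of workloads that actually hold the privilege Joel mentions, which is the list to review when deciding whether a legacy app should keep it.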


Re: FW: installing newest OCP 3.9 on RHEL 7.4 failed (MODULE ERROR)

2018-04-02 Thread Joel Pearson
Do you have a Red Hat subscription? If not, you shouldn’t be trying to
install OCP but rather Origin. If you don’t have a subscription configured,
then that’d probably explain why it can’t find the RPMs.
On Mon, 2 Apr 2018 at 8:35 pm, Lukas Budiman  wrote:

> I am really stuck; I have tried installing OCP 3.9 4 times and all attempts
> returned the same error as below. I'm a complete newbie in OpenShift and
> Ansible, but understand some basic Linux commands.
> I run 2 hosts (a master called OSMaster and 1 node called OSNodeA).
>
>
>
> Any help is greatly appreciated!
>
>
>
> 2018-04-02 10:41:13,571 p=12188 u=root |  PLAY [Set openshift_version for
> etcd, node, and master hosts] ***
> 2018-04-02 10:41:13,585 p=12188 u=root |  TASK [Gathering Facts]
> **
> 2018-04-02 10:41:14,437 p=12188 u=root |  ok: [osnodea.172.16.0.15.nip.io]
> 2018-04-02 10:41:14,496 p=12188 u=root |  TASK [set_fact]
> *
> 2018-04-02 10:41:14,660 p=12188 u=root |  ok: [osnodea.172.16.0.15.nip.io]
> 2018-04-02 10:41:14,674 p=12188 u=root |  PLAY [Ensure the requested
> version packages are available.] *
> 2018-04-02 10:41:14,685 p=12188 u=root |  TASK [Gathering Facts]
> **
> 2018-04-02 10:41:15,500 p=12188 u=root |  ok: [osnodea.172.16.0.15.nip.io]
> 2018-04-02 10:41:15,555 p=12188 u=root |  TASK [include_role]
> *
> 2018-04-02 10:41:15,641 p=12188 u=root |  TASK [openshift_version : Check
> openshift_version for rpm installation] *
> 2018-04-02 10:41:15,682 p=12188 u=root |  included:
> /usr/share/ansible/openshift-ansible/roles/openshift_version/tasks/check_available_rpms.yml
> for osnodea.172.16.0.15.nip.io
> 2018-04-02 10:41:15,699 p=12188 u=root |  TASK [openshift_version : Get
> available atomic-openshift version] ***
> 2018-04-02 10:41:16,134 p=12188 u=root |  fatal: [
> osnodea.172.16.0.15.nip.io]: FAILED! => {"changed": false,
> "module_stderr": "Shared connection to osnodea.172.16.0.15.nip.io
> closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n
> File \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line 642, in
> \r\nmain()\r\n  File
> \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line 632, in
> main\r\nrval = Repoquery.run_ansible(module.params,
> module.check_mode)\r\n  File
> \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line 588, in
> run_ansible\r\nresults = repoquery.repoquery()\r\n  File
> \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line 547, in
> repoquery\r\nrval = self._repoquery_cmd(repoquery_cmd, True,
> 'raw')\r\n  File \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line
> 385, in _repoquery_cmd\r\nreturncode, stdout, stderr = _run(cmds)\r\n
> File \"/tmp/ansible_d2lUs_/ansible_module_repoquery.py\", line 356, in
> _run\r\nstderr=subprocess.PIPE)\r\n  File
> \"/usr/lib64/python2.7/subprocess.py\", line 711, in __init__\r\n
> errread, errwrite)\r\n  File \"/usr/lib64/python2.7/subprocess.py\", line
> 1327, in _execute_child\r\nraise child_exception\r\nOSError: [Errno 2]
> No such file or directory\r\n", "msg": "MODULE FAILURE", "rc": 0}
> 2018-04-02 10:41:16,136 p=12188 u=root |  PLAY RECAP
> **
> 2018-04-02 10:41:16,137 p=12188 u=root |  localhost  :
> ok=12   changed=0unreachable=0failed=0
> 2018-04-02 10:41:16,137 p=12188 u=root |  osmaster.172.16.0.14.nip.io :
> ok=35   changed=2unreachable=0failed=0
> 2018-04-02 10:41:16,137 p=12188 u=root |  osnodea.172.16.0.15.nip.io :
> ok=20   changed=2unreachable=0failed=1
> 2018-04-02 10:41:16,137 p=12188 u=root |  INSTALLER STATUS
> 
> 2018-04-02 10:41:16,142 p=12188 u=root |  Initialization : In
> Progress (0:00:26)
>


Re: TSB fails to start

2018-03-20 Thread Joel Pearson
Are you using calico or something like that? If so why not consider a
regular overlay network just to get it working?
On Thu, 15 Mar 2018 at 5:26 am, Tim Dudgeon  wrote:

> A little more on this.
> On the nodes that are not working the file
> /etc/cni/net.d/80-openshift-network.conf is not present.
> This seems to cause errors like this in the origin-node service:
>
> Mar 14 18:21:45 zzz-infra.openstacklocal origin-node[17833]: W0314
> 18:21:45.711715   17833 cni.go:189] Unable to update cni config: No
> networks found in /etc/cni/net.d
>
> Where in the installation process does the 80-openshift-network.conf file
> get created?
> I don't see anything in the ansible installer logs suggesting anything has
> gone wrong.
>
>
>
> On 13/03/18 17:02, Tim Dudgeon wrote:
>
> This is still troubling me. I would welcome any input on this.
>
> When I run an ansible install (using Origin 3.7.1 on Centos7 nodes) the
> DNS setup on some nodes seems to randomly get messed up. For instance I've
> just run a setup with 1 master, 1 infra and 2 identical worker nodes.
>
> During the installation one of the worker nodes starts responding very
> slowly. The other is fine.
> Looking deeper, on the slow responding one I see a DNS setup like this:
>
> [centos@xxx-node-001 ~]$ sudo netstat -tunlp | grep tcp | grep :53 | grep -v tcp6
> tcp        0      0 10.0.0.20:53        0.0.0.0:*    LISTEN      14727/dnsmasq
> tcp        0      0 172.17.0.1:53       0.0.0.0:*    LISTEN      14727/dnsmasq
> [centos@xxx-node-001 ~]$ host orndev-bastion-002
> ;; connection timed out; trying next origin
> orndev-bastion-002.openstacklocal has address 10.0.0.9
>
> Whilst on the good one it looks like this:
>
> [centos@xxx-node-002 ~]$ sudo netstat -tunlp | grep tcp | grep :53 | grep -v tcp6
> tcp        0      0 127.0.0.1:53        0.0.0.0:*    LISTEN      17231/openshift
> tcp        0      0 10.129.0.1:53       0.0.0.0:*    LISTEN      14563/dnsmasq
> tcp        0      0 10.0.0.22:53        0.0.0.0:*    LISTEN      14563/dnsmasq
> tcp        0      0 172.17.0.1:53       0.0.0.0:*    LISTEN      14563/dnsmasq
> [centos@xxx-node-002 ~]$ host orndev-bastion-002
> orndev-bastion-002.openstacklocal has address 10.0.0.9
>
> Notice how 2 DNS listeners are not present, and how this causes the DNS
> lookup to timeout locally before falling back to an upstream server.
>
> Getting into this state seems to be a random event.
>
> Any thoughts?
>
>
>
> On 01/03/18 14:30, Tim Dudgeon wrote:
>
> Yes, I think it is related to DNS.
>
> On a similar, but working, OpenStack environment ` netstat -tunlp | grep
> ...` shows this:
>
> tcp        0      0 127.0.0.1:53        0.0.0.0:*    LISTEN      16957/openshift
> tcp        0      0 10.128.0.1:53       0.0.0.0:*    LISTEN      16248/dnsmasq
> tcp        0      0 10.0.0.5:53         0.0.0.0:*    LISTEN      16248/dnsmasq
> tcp        0      0 172.17.0.1:53       0.0.0.0:*    LISTEN      16248/dnsmasq
> tcp        0      0 0.0.0.0:8053        0.0.0.0:*    LISTEN      12270/openshift
>
> On the environment where the TSB is failing to start I'm seeing:
>
> tcp        0      0 127.0.0.1:53        0.0.0.0:*    LISTEN      19067/openshift
> tcp        0      0 10.129.0.1:53       0.0.0.0:*    LISTEN      16062/dnsmasq
> tcp        0      0 172.17.0.1:53       0.0.0.0:*    LISTEN      16062/dnsmasq
> tcp        0      0 0.0.0.0:8053        0.0.0.0:*    LISTEN      11628/openshift
>
> Notice that in the first case dnsmasq is listening on the machine's IP
> address (line 3) but in the second case this is missing.
>
> Both environments have been created with the openshift-ansible playbooks
> using an approach that is as equivalent as is possible.
> The contents of /etc/dnsmasq.d/ on the two systems also seem to be
> equivalent.
>
> Any thoughts?
>
>
>
> On 28/02/18 18:50, Nobuhiro Sue wrote:
>
> Tim,
>
> It seems to be a DNS issue. I guess your environment is on OpenStack, so
> please check resolver (lookup / reverse lookup).
> You can see how DNS works on OpenShift 3.6 or above:
>
> https://blog.openshift.com/dns-changes-red-hat-openshift-container-platform-3-6/
>
> 2018-03-01 0:06 GMT+09:00 Tim Dudgeon :
>
>> Hi
>>
>> I'm having problems getting an Origin cluster running, using the ansible
>> playbooks.
>> It fails at this point:
>>
>> TASK [template_service_broker : Verify that TSB is running]
>> **
>> FAILED - RETRYING: Verify that TSB is running (120 retries left).
>> FAILED - RETRYING: Verify that TSB is running (119 retries left).
>> 
>> FAILED - RETRYING: Verify that TSB is running (1 retries left).
>> fatal: [master-01.novalocal]: FAILED! => {"attempts": 120, "changed":
>> false, "cmd": ["curl", "-k", "
>> https://apiserver.openshift-template-service-broker.svc/healthz;],
>> "delta": 
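
The netstat listings Tim pasted are the signal in this thread: a healthy node has the openshift node process on 127.0.0.1:53 and dnsmasq on the node's own address, and the broken ones are missing one or the other. The following is an added example, not from the thread, that parses `netstat -tunlp` output and reports which of those listeners is absent. The three samples are constructed from the listings above (the node address used for the third sample is made up).

```python
import re

# Constructed `netstat -tunlp` excerpts modelled on the listings in this thread.
# GOOD_NODE mirrors the working worker, BROKEN_NODE_A the slow worker (no
# openshift listener on 127.0.0.1), BROKEN_NODE_B the environment where dnsmasq
# is missing on the node address (10.0.0.7 below is a made-up node address).
GOOD_NODE = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      17231/openshift
tcp        0      0 10.129.0.1:53           0.0.0.0:*               LISTEN      14563/dnsmasq
tcp        0      0 10.0.0.22:53            0.0.0.0:*               LISTEN      14563/dnsmasq
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      14563/dnsmasq
udp        0      0 10.0.0.22:53            0.0.0.0:*                           14563/dnsmasq
"""
BROKEN_NODE_A = """\
tcp        0      0 10.0.0.20:53            0.0.0.0:*               LISTEN      14727/dnsmasq
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      14727/dnsmasq
"""
BROKEN_NODE_B = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      19067/openshift
tcp        0      0 10.129.0.1:53           0.0.0.0:*               LISTEN      16062/dnsmasq
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      16062/dnsmasq
tcp        0      0 0.0.0.0:8053            0.0.0.0:*               LISTEN      11628/openshift
"""

# One netstat row: proto, recv-q, send-q, local addr:port, foreign addr,
# optional state (udp rows have none), pid/program.
ROW_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+LISTEN)?\s+(?P<pid>\d+|-)/(?P<prog>\S+)")


def dns_listeners(netstat_output, proto="tcp"):
    """Map local address -> program name for every port-53 socket of `proto`."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("proto") == proto and m.group("port") == "53":
            listeners[m.group("addr")] = m.group("prog")
    return listeners


def check_node_dns(netstat_output, node_ip):
    """Return the problems found; an empty list means the expected layout is
    present: the openshift node process answering on 127.0.0.1:53 and dnsmasq
    answering on the node's own address (the address the node's resolv.conf
    is pointed at in the 3.6+ DNS layout described in the linked blog post)."""
    listeners = dns_listeners(netstat_output)
    problems = []
    if listeners.get("127.0.0.1") != "openshift":
        problems.append("no openshift listener on 127.0.0.1:53")
    if listeners.get(node_ip) != "dnsmasq":
        problems.append(f"dnsmasq is not listening on {node_ip}:53")
    return problems
```

Run it on each node with the node's primary address; a non-empty result is the case Tim describes, where lookups time out locally before falling through to the upstream resolver.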

OpenShift Origin 3.9.0 release imminent?

2018-03-20 Thread Joel Pearson
Is the OpenShift Origin 3.9.0 release imminent? I noticed the tag appeared
4 days ago, but without any detail yet:

https://github.com/openshift/origin/releases


Re: Reverse Proxy using Nginx

2018-03-20 Thread Joel Pearson
What do you want Nginx for? OpenShift has a component called the Router
which routes traffic. It is based on HAProxy. You could run an nginx
container that the router will send traffic to, but if you’re just trying
to expose other apps, then just use the built-in Router.

Unless you’re talking about the kubernetes reference nginx ingress
controller?
On Sat, 17 Mar 2018 at 5:05 am, Gaurav Ojha  wrote:

> Hello,
>
> I have a single host OpenShift cluster. Is it possible to install Nginx
> (run it as a docker image) and route traffic using Nginx?
>
> If so, can someone point out the configurations for NO_PROXY and
> HTTP_PROXY in this case?
>
> I don't want any OpenShift instance IP managed by OpenShift. What I am
> confused about is this part of the document
>
> HTTP_PROXY=http://:@:/
> HTTPS_PROXY=https://:@:/
> NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
>
>
> It mentions that NO_PROXY has the hostname of the master included in
> NO_PROXY. But since my cluster only has 1 host, so all my routes are
> managed through that hostname. In this case, do I just assign some random
> routes, and route through Nginx?
>
> Regards
>
>


Re: route resolution happens intermittently

2018-03-20 Thread Joel Pearson
Sounds like your DNS configuration is a bit weird. Do you control the DNS
server where you put that myapps domain? How did you configure the nodes to
use DNS?


On Fri, 16 Mar 2018 at 3:47 pm, abdul nizam  wrote:

> Hi All,
>
> I have 2 nodes and one master.
> I have installed OSE 3.6 in my setup.
> I have created 2 projects, say Project-A and Project-B.
> Under Project-A I have deployed a Redmine application and under
> Project-B I have deployed a Jenkins application.
> Both pods are in running state and both pods are running on
> separate nodes (ex: Redmine pod on node1 and Jenkins pod on node 2).
>
> And I have a DNS wildcard entry which resolves to the nodes.
>
> Now when I try to curl the route of Redmine from the Jenkins pod it shows
> an error as below:
> "Could not resolve host: redmine-project-a.apps67.myapps.com; Name or
> service not known"
>
> I am getting this error most of the time, but there is a catch: sometimes
> it does work, meaning when I curl the Redmine route it works fine.
>
> And when I am getting the error, if I make the node IP and route entry in
> /etc/hosts of the Jenkins pod it works fine.
>
> I wanted to know why this kind of behaviour happens?
>
> Regards
> Abdul
>


Re: Pods stuck on Terminating status

2018-03-20 Thread Joel Pearson
I had this at one point, but it was before I cared about the data in that
cluster so I just rebuilt it, so you could just rebuild your cluster ;)

But in all seriousness sounds like you need to do some etcd surgery, but I
have no idea how that works.
On Tue, 20 Mar 2018 at 4:00 am, bahhooo  wrote:

> Hi Rodrigo,
>
>
> Restarting master services did not help either..
> I tried afterwards again with grace period and force delete. Still no luck.
>
>
>
>
> Bahho
>
> On 16 March 2018 at 21:29, Rodrigo Bersa  wrote:
>
>> Bahhoo,
>>
>> I believe that the namespace will get stuck also. 'Cause it will only be
>> deleted after all of its objects got deleted.
>>
>> I would try to restart the Masters services before.
>>
>>
>> Regards,
>>
>>
>> Rodrigo Bersa
>>
>> Cloud Consultant, RHCVA, RHCE
>>
>> Red Hat Brasil 
>>
>> rbe...@redhat.com | M: +55-11-99557-5841
>> 
>> TRIED. TESTED. TRUSTED. 
>> Red Hat is recognised among the best companies to work for in Brazil
>> by *Great Place to Work*.
>>
>> On Fri, Mar 16, 2018 at 5:25 PM, Bahhoo  wrote:
>>
>>> Hi  Rodrigo,
>>>
>>> No PVs are used. One of the pods is a build pod, the other one's a
>>> normal pod without storage.
>>> I'll try deleting the namespace. I didn't want to do that, since I had
>>> running pods in the namespace.
>>>
>>> Best,
>>> Bahho
>>> --
>>> From: Rodrigo Bersa 
>>> Sent: 16.3.2018 16:12
>>> To: Bahhoo 
>>> Cc: rahul334...@gmail.com; users 
>>>
>>> Subject: Re: Pods stuck on Terminating status
>>>
>>> Hi Bahhoo,
>>>
>>> Are you using PVs on the "Terminating" POD? I heard about some issues
>>> with PODs bound to PV/PVCs provided by dynamic storage, where you have to
>>> first remove the volume from the POD, then the PV/PVC. Just after that remove
>>> the POD or the DeploymentConfig.
>>>
>>> If it's not the case, maybe restarting the atomic-openshift-master-*
>>> services can work removing the inconsistent POD.
>>>
>>>
>>> Regards,
>>>
>>>
>>> Rodrigo Bersa
>>>
>>> Cloud Consultant, RHCVA, RHCE
>>>
>>> Red Hat Brasil 
>>>
>>> rbe...@redhat.com | M: +55-11-99557-5841
>>> 
>>> TRIED. TESTED. TRUSTED. 
>>> Red Hat is recognised among the best companies to work for in
>>> Brazil by *Great Place to Work*.
>>>
>>> On Thu, Mar 15, 2018 at 7:28 PM, Bahhoo  wrote:
>>>
 Hi Rahul,

 That won't do it either.

 Thanks
 Bahho
 --
 From: Rahul Agarwal 
 Sent: 15.3.2018 22:26
 To: bahhooo 
 Cc: users 
 Subject: Re: Pods stuck on Terminating status

 Hi Bahho

 Try: oc delete all -l app=

 Thanks,
 Rahul

 On Thu, Mar 15, 2018 at 5:19 PM, bahhooo  wrote:

> Hi all,
>
> I have some zombie pods stuck on Terminating status on an OCP 3.7
> HA-cluster.
>
> oc delete with --grace-period=0 --force etc. won't work.
> Docker restart and server reboot won't help either.
>
> I also tried to find the pod key in etcd in order to delete it
> manually. I couldn't find it.
>
> Is there a way to delete these pods?
>
>
>
>
> Bahho
>
>
>



>>>
>>
>


Re: Reverse Proxy using Nginx

2018-03-20 Thread Joel Pearson
So your problem is solved then?
On Wed, 21 Mar 2018 at 4:47 am, Gaurav Ojha <gauravo...@gmail.com> wrote:

> Hi,
>
> Thanks for the reply. I have router, but have a bunch of APIs behind
> gunicorn which I wanted to route through nginx.
>
> I deployed a nginx image and am using it.
>
> On Tue, Mar 20, 2018, 9:43 AM Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
>> What do you want Nginx for? OpenShift has a component called the Router
>> which routes traffic. It is based on HAProxy. You could run an nginx
>> container that the router will send traffic to, but if you’re just trying
>> to expose other apps, then just use the built-in Router.
>>
>> Unless you’re talking about the kubernetes reference nginx ingress
>> controller?
>> On Sat, 17 Mar 2018 at 5:05 am, Gaurav Ojha <gauravo...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I have a single host OpenShift cluster. Is it possible to install Nginx
>>> (run it as a docker image) and route traffic using Nginx?
>>>
>>> If so, can someone point out the configurations for NO_PROXY and
>>> HTTP_PROXY in this case?
>>>
>>> I don't want any OpenShift instance IP managed by OpenShift. What I am
>>> confused about is this part of the document
>>>
>>> HTTP_PROXY=http://:@:/
>>> HTTPS_PROXY=https://:@:/
>>> NO_PROXY=master.hostname.example.com,10.1.0.0/16,172.30.0.0/16
>>>
>>>
>>> It mentions that NO_PROXY has the hostname of the master included in
>>> NO_PROXY. But since my cluster only has 1 host, so all my routes are
>>> managed through that hostname. In this case, do I just assign some random
>>> routes, and route through Nginx?
>>>
>>> Regards
>>>
>>>
>>


Re: OC client slowness Windows

2018-10-08 Thread Joel Pearson
My guess is that you’ve probably got some antivirus software interfering.
I’d recommend disabling all antivirus software and seeing if the
performance improves. It’s very slow for me at one of my client sites, but
I’ve discovered so is Cygwin in general, so I think it’s related to the
Symantec Endpoint Protection that is installed.
On Mon, 8 Oct 2018 at 8:14 pm, Marcello Lorenzi  wrote:

> Hi All,
> we installed the newer version of oc-client on a Windows 7 machine and we
> tested the oc client commands via the git bash shell. We noticed some seconds
> of waiting during the oc command execution and, with --loglevel=8, the
> commands reported their output after some seconds of hang. Do you notice
> this behavior in your experience?
>
> We're trying to identify the cause of this issue.
>
> Thanks,
> Marcello
>


Re: https route stopped working

2018-10-08 Thread Joel Pearson
Oh right. Now that you mention it. I think I have encountered that before
too. I don’t remember the circumstances though.
On Mon, 8 Oct 2018 at 7:44 pm, Tim Dudgeon  wrote:

> Yes, I had tried re-creating the route and that didn't work.
>
> Eventually I did manage to solve it. The 'Destination CA Cert' property
> for the route was (automatically) filled with some place holder 'backwards
> compatibility' text. When I replaced this with the CA cert used by the
> service (found in the secrets) things started working again.
>
> I have no idea why this stopped working and why this fix became necessary.
>
> On 07/10/18 21:14, Joel Pearson wrote:
>
> Have you tried looking at the generated haproxy file inside the router? It
> might give some hints as to what went wrong. I presume you’ve already tried
> recreating the route?
> On Wed, 3 Oct 2018 at 2:30 am, Tim Dudgeon  wrote:
>
>> We've hit a problem: a HTTPS route that used to work fine has now
>> stopped working.
>> Instead of the application we are seeing the 'Application is not
>> available' page from the router.
>>
>> The route is using 'reencrypt' termination type to hit the service on
>> port 8443.
>> The service itself and its pod is running OK as indicated by being able
>> to curl it from inside the router pod using:
>>
>> curl -kL https://secure-sso.openrisknet-infra.svc:8443/auth
>>
>> (the -k is needed).
>>
>> An equivalent HTTP route that hits the HTTP service on port 8080 is
>> working fine.
>>
>> The only thing I can think of that might have caused this is redeploying
>> the master certificates using the 'redeploy-certificates.yml' playbook,
>> but I can't see how that would cause this.
>> This is all with Origin 3.7.
>>
>> Any thoughts on what might be wrong here?
>>
>>
>
>
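Tim's fix above was replacing the non-certificate text in the route's destination CA field with the CA the service actually uses. The following is an added check, not from this thread, that scans the output of `oc get routes --all-namespaces -o json` for reencrypt routes whose `spec.tls.destinationCACertificate` is empty or is not a PEM certificate, and optionally compares it with the CA you expect (for instance the one pulled from the service's secret). The route JSON and the PEM body are constructed samples; the route names are made up apart from `secure-sso`, which comes from the thread.

```python
import json
import re
import sys

# The router can only verify the backend with a PEM certificate in this field;
# placeholder text or an empty value cannot be used for verification.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")

# Constructed body, not a real certificate.
FAKE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedbody==\n-----END CERTIFICATE-----\n"

# Constructed sample in the shape of `oc get routes --all-namespaces -o json`,
# trimmed to the fields the check reads.
SAMPLE_ROUTES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "openrisknet-infra", "name": "secure-sso"},
     "spec": {"to": {"name": "secure-sso"}, "port": {"targetPort": 8443},
              "tls": {"termination": "reencrypt",
                      "destinationCACertificate": "placeholder text, not a certificate"}}},
    {"metadata": {"namespace": "openrisknet-infra", "name": "secure-sso-ok"},
     "spec": {"to": {"name": "secure-sso"},
              "tls": {"termination": "reencrypt",
                      "destinationCACertificate": FAKE_CA_PEM}}},
    {"metadata": {"namespace": "openrisknet-infra", "name": "sso"},
     "spec": {"to": {"name": "sso"}, "tls": {"termination": "edge"}}},
    {"metadata": {"namespace": "openrisknet-infra", "name": "secure-sso-empty"},
     "spec": {"to": {"name": "secure-sso"}, "tls": {"termination": "reencrypt"}}},
]})


def _norm(pem):
    """Compare PEM blobs ignoring line wrapping and trailing newlines."""
    return "".join(pem.split())


def reencrypt_findings(routes_json, expected_ca=None):
    """Return (namespace, route, problem) for each reencrypt route whose
    destination CA is missing, not a certificate, or (if expected_ca is given)
    not the CA you expect the backend to present."""
    findings = []
    for route in json.loads(routes_json).get("items", []):
        ns, name = route["metadata"]["namespace"], route["metadata"]["name"]
        tls = route.get("spec", {}).get("tls") or {}
        if tls.get("termination") != "reencrypt":
            continue  # edge/passthrough routes do not verify a backend CA
        dest_ca = tls.get("destinationCACertificate") or ""
        if not dest_ca.strip():
            findings.append((ns, name, "destinationCACertificate is empty"))
        elif not PEM_CERT_RE.search(dest_ca):
            findings.append((ns, name, "destinationCACertificate is not a PEM certificate"))
        elif expected_ca is not None and _norm(dest_ca) != _norm(expected_ca):
            findings.append((ns, name, "destinationCACertificate differs from the expected CA"))
    return findings


if __name__ == "__main__":
    # Usage: oc get routes --all-namespaces -o json | python3 route_ca_check.py [expected-ca.pem]
    expected = open(sys.argv[1]).read() if len(sys.argv) > 1 else None
    for ns, name, problem in reencrypt_findings(sys.stdin.read(), expected):
        print(f"{ns}/{name}: {problem}")
```

An empty field is reported rather than failed outright, because whether the router can still verify the backend without it depends on how that backend's certificate was issued; the "not a PEM certificate" case is the one that matches what Tim found in the route.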


Re: OpenShift Origin on AWS

2018-10-09 Thread Joel Pearson
There are CloudFormation templates as part of the 3.6 reference
architecture, but that is now deprecated. I’m using that template at a
client site and it worked fine (I’ve adapted it to work with 3.9 by using a
static inventory as we didn’t want to revisit our architecture from
scratch). We did customise it a fair bit though.

https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/README.md

Here is an example of a Jinja template that outputs a CloudFormation
template.

However, you can’t use the playbook as is for 3.9/3.10 because
openshift-ansible has breaking changes to the playbooks.

For some reason the new playbooks for 3.9/3.10 don’t use CloudFormation,
but rather use the Amazon Ansible plugins instead and directly interact
with AWS resources:

https://github.com/openshift/openshift-ansible/blob/master/playbooks/aws/README.md

That new approach is pretty interesting though as it uses prebuilt AMIs and
auto-scaling groups, which make it very quick to add nodes.

Hopefully some of that is useful to you.

On Tue, 9 Oct 2018 at 9:42 pm, Peter Heitman  wrote:

> Thank you for the reminder and the pointer. I know of that document but
> was too focused on searching for a CloudFormation template. I'll go back to
> the reference architecture which I'm sure will answer at least some of my
> questions.
>
> On Sun, Oct 7, 2018 at 4:24 PM Joel Pearson 
> wrote:
>
>> Have you seen the AWS reference architecture?
>> https://access.redhat.com/documentation/en-us/reference_architectures/2018/html/deploying_and_managing_openshift_3.9_on_amazon_web_services/index#
>> On Tue, 2 Oct 2018 at 3:11 am, Peter Heitman  wrote:
>>
>>> I've created a CloudFormation Stack for simple lab-test deployments of
>>> OpenShift Origin on AWS. Now I'd like to understand what would be best for
>>> production deployments of OpenShift Origin on AWS. In particular I'd like
>>> to create the corresponding CloudFormation Stack.
>>>
>>> I've seen the Install Guide page on Configuring for AWS and I've looked
>>> through the RedHat QuickStart Guide for OpenShift Enterprise but am still
>>> missing information. For example, the RedHat QuickStart Guide creates 3
>>> masters, 3 etcd servers and some number of compute nodes. Where are the
>>> routers (infra nodes) located? On the masters or on the etcd servers? How
>>> are the ELBs configured to work with those deployed routers? What if some
>>> of the traffic you are routing is not http/https? What is required to
>>> support that?
>>>
>>> I've seen the simple CloudFormation stack (
>>> https://sysdig.com/blog/deploy-openshift-aws/) but haven't found
>>> anything comparable for something that is closer to production ready (and
>>> likely takes advantage of using the AWS VPC QuickStart (
>>> https://aws.amazon.com/quickstart/architecture/vpc/).
>>>
>>> Does anyone have any prior work that they could share or point me to?
>>>
>>> Thanks in advance,
>>>
>>> Peter Heitman
>>>
>>>
>>


Re: https route stopped working

2018-10-07 Thread Joel Pearson
Have you tried looking at the generated haproxy file inside the router? It
might give some hints as to what went wrong. I presume you’ve already tried
recreating the route?
On Wed, 3 Oct 2018 at 2:30 am, Tim Dudgeon  wrote:

> We've hit a problem: a HTTPS route that used to work fine has now
> stopped working.
> Instead of the application we are seeing the 'Application is not
> available' page from the router.
>
> The route is using 'reencrypt' termination type to hit the service on
> port 8443.
> The service itself and its pod is running OK as indicated by being able
> to curl it from inside the router pod using:
>
> curl -kL https://secure-sso.openrisknet-infra.svc:8443/auth
>
> (the -k is needed).
>
> An equivalent HTTP route that hits the HTTP service on port 8080 is
> working fine.
>
> The only thing I can think of that might have caused this is redeploying
> the master certificates using the 'redeploy-certificates.yml' playbook,
> but I can't see how that would cause this.
> This is all with Origin 3.7.
>
> Any thoughts on what might be wrong here?
>
>


Re: OpenShift Origin on AWS

2018-10-07 Thread Joel Pearson
Have you seen the AWS reference architecture?
https://access.redhat.com/documentation/en-us/reference_architectures/2018/html/deploying_and_managing_openshift_3.9_on_amazon_web_services/index#
On Tue, 2 Oct 2018 at 3:11 am, Peter Heitman  wrote:

> I've created a CloudFormation Stack for simple lab-test deployments of
> OpenShift Origin on AWS. Now I'd like to understand what would be best for
> production deployments of OpenShift Origin on AWS. In particular I'd like
> to create the corresponding CloudFormation Stack.
>
> I've seen the Install Guide page on Configuring for AWS and I've looked
> through the RedHat QuickStart Guide for OpenShift Enterprise but am still
> missing information. For example, the RedHat QuickStart Guide creates 3
> masters, 3 etcd servers and some number of compute nodes. Where are the
> routers (infra nodes) located? On the masters or on the etcd servers? How
> are the ELBs configured to work with those deployed routers? What if some
> of the traffic you are routing is not http/https? What is required to
> support that?
>
> I've seen the simple CloudFormation stack (
> https://sysdig.com/blog/deploy-openshift-aws/) but haven't found anything
> comparable for something that is closer to production ready (and likely
> takes advantage of using the AWS VPC QuickStart (
> https://aws.amazon.com/quickstart/architecture/vpc/).
>
> Does anyone have any prior work that they could share or point me to?
>
> Thanks in advance,
>
> Peter Heitman
>


Re: IPv6

2018-09-25 Thread Joel Pearson
It looks like not, I found some references saying that Kubernetes has alpha
support in 1.9 and some improvements in 1.10

https://github.com/kubernetes/kubernetes/issues/1443
https://github.com/kubernetes/kubernetes/issues/62822

I did find this article suggesting that you might be able to use project
calico for IPv6 support, I don't know if that applies to 3.7 or not, but
calico is quite a different network deployment though.

https://www.projectcalico.org/enable-ipv6-on-kubernetes-with-project-calico/

On Tue, Sep 25, 2018 at 11:46 AM Diego Armando Ramirez Avelino <
dramir...@ipn.mx> wrote:

> Is IPv6 support available for OpenShift 3.7?
>
> Greetings
> --
>
> --
>
> The information in this e-mail, as well as that contained in the attached
> documents, may be subject to requests for access to information.
> Visit us: http://www.ipn.mx


Re: Atomic Host support on OpenShift 3.11 and up

2018-09-25 Thread Joel Pearson
Clayton, does this mean that in OpenShift 4.0 you'd be able to take a
vanilla kubernetes installation and then install a bunch of OpenShift
operators and basically have an OpenShift cluster? Or is that not really
the goal of migration to operators? Is it just to make future OpenShift
releases easier to package?

On Fri, Sep 7, 2018 at 9:18 AM Clayton Coleman  wrote:

> Master right now will be labeled 4.0 when 3.11 branches (happening right
> now).  It’s possible we might later cut a 3.12 but no plans at the current
> time.
>
> Changes to master will include significant changes as the core is rewired
> with operators - you’ll also see much more focus on preparing
> openshift/installer and refactors in openshift-ansible that reduce its
> scope as the hand-off to operators happens.  Expect churn for the next
> months.
>
> On Sep 6, 2018, at 6:23 PM, Daniel Comnea  wrote:
>
> Clayton,
>
> 4.0 is that going to be 3.12 rebranded (if we follow the current release
> cycle) or 3.13 ?
>
>
>
> On Thu, Sep 6, 2018 at 2:34 PM Clayton Coleman 
> wrote:
>
>> The successor to atomic host will be RH CoreOS and the community
>> variants.  That is slated for 4.0.
>>
>> > On Sep 6, 2018, at 9:25 AM, Marc Ledent  wrote:
>> >
>> > Hi all,
>> >
>> > I have read in the 3.10 release notes that Atomic Host is deprecated
>> and will not be supported starting release 3.11.
>> >
>> > What does this mean? Is it advisable to migrate all Atomic host vms to
>> "standard" RHEL server?
>> >
>> > Kind regards,
>> > Marc
>> >
>> >


Re: How do edit Grafana dashboards in OpenShift 3.11

2019-01-03 Thread Joel Pearson
Oh, it looks like it's read-only in 3.11:
https://bugzilla.redhat.com/show_bug.cgi?id=1652536

On Thu, 3 Jan 2019 at 22:49, Joel Pearson 
wrote:

> Hi,
>
> I found the grafana instance in OpenShift 3.11 in the openshift-monitoring
> project.
>
> I'm wondering how do I modify the dashboards? It seems to be in read-only
> mode.
>
> I'm a cluster-admin so I thought that it would give me write access.
>
> I'm guessing there is another role that gives that access?
>
> Thanks,
>
> Joel
>




How do edit Grafana dashboards in OpenShift 3.11

2019-01-03 Thread Joel Pearson
Hi,

I found the grafana instance in OpenShift 3.11 in the openshift-monitoring
project.

I'm wondering how do I modify the dashboards? It seems to be in read-only
mode.

I'm a cluster-admin so I thought that it would give me write access.

I'm guessing there is another role that gives that access?

Thanks,

Joel


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Joel Pearson
I think it's worth mentioning here that the RPMs at
http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
critical security vulnerability, I think it's unsafe to use the RPMs if
you're planning on having your cluster available on the internet.

https://access.redhat.com/security/cve/cve-2018-1002105

Unless you're going to be using the RedHat supported version of OpenShift,
ie OCP, then I think the only safe option is to install OKD with Centos
Atomic Host and the containerised version of OpenShift, ie not use the RPMs
at all.

The problem with the RPMs, is that you get no patches, only the version of
OpenShift 3.11.0 as it was when it was released, however, the containerized
version of OKD (only supported on Atomic Host) has a rolling tag (see
https://lists.openshift.redhat.com/openshift-archives/users/2018-October/msg00049.html)
and you'll notice that the containers were just rebuilt a few minutes ago:
https://hub.docker.com/r/openshift/origin-node/tags

It looks like the OKD images are rebuilt from the release-3.11 branch:
https://github.com/openshift/origin/commits/release-3.11

You can see the CVE critical vulnerability was fixed in commits on December
4, however, the RPMs were built on the 5th of November so they certainly do
not contain the critical vulnerability fixes.

I am running OKD 3.11 on Centos Atomic Host on an OpenStack cluster and it
works fine, and I can confirm from the OKD About page that I'm running a
version of OpenShift that is patched: OpenShift Master: v3.11.0+d0a16e1-79
(which lines up with commits on December 31)

However, the bad news for you is that an upgrade from RPMs to containerised
would not be simple, and you couldn't reuse your nodes because you'd need
to switch from Centos regular to Centos Atomic Host.  It would probably be
technically possible but not simple.  I guess you'd upgrade your 3.10
cluster to the vulnerable version of 3.11 via RPMs, and then migrate your
cluster to another cluster running on Atomic Host, I'm guessing there is
probably some way to replicate the etcd data from one cluster to another.
But it sounds like it'd be a lot of work, and you'd need some pretty deep
skills in etcd and openshift.

On Sun, 6 Jan 2019 at 07:03, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea 
> wrote:
>
> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
> from CentOS yum repo: using the generic repo [1] which will always have the
> latest origin release OR [2] where i've mentioned that you can install
> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>
>
> Thank you for your precisions and yes I am confused because first of all
> the upgrading documentation on the okd.io website does not mention
> anything about having to manually change the yum repo.repos.d file to match
> a new directory for a new version of openshift.
>
> Then second, this mail (
> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
> has the following sentence, I quote:
>
> "Please note that due to ongoing work on releasing CentOS 7.6, the
> mirror.centos.org repo is in freeze mode - see [4] and as such we have
> not published the rpms to [5]. Once the freeze mode will end, we'll publish
> the rpms."
>
> So when is the freeze mode over for this repo? I read this should have
> happened after the CentOS 7.6 release but that was already one month ago
> and still no version 3.11 RPMs in the
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>
> Finally, all I want to do is to upgrade my current okd version 3.10 to
> version 3.11 but I can't find any complete instructions documented
> correctly. The best I can find is
> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
> mentions running the following upgrade playbook:
>
> ansible-playbook \
> -i  \
> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>
> Again here there is no mention of having to modify a yum.repos.d file
> beforehand or having to install the centos-release-openshift-origin
> package...
>
> I would be glad if someone can clarify the full upgrade process and/or
> have the official documentation enhanced.


Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-06 Thread Joel Pearson
On Mon, 7 Jan 2019 at 8:01 am, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Sunday, January 6, 2019 12:28 PM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> I think it's worth mentioning here that the RPMs at
> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/ have a
> critical security vulnerability, I think it's unsafe to use the RPMs if
> you're planning on having your cluster available on the internet.
>
> https://access.redhat.com/security/cve/cve-2018-1002105
>
>
> Thank you Joel for pointing this important security issue out. I was not
> aware that the OpenShift RPMs on this official CentOS repository are not
> being updated for security vulnerabilities. This is a total nogo for me as
> my cluster is facing the internet.
>

It looks like the RPMs will eventually get the security fix according to
the other reply from Daniel Comnea. But with containers you could have a
fix within a day as opposed to waiting for new tag which still hasn’t
happened yet and it’s been more than 1 month.


> Unless you're going to be using the RedHat supported version of OpenShift,
> ie OCP, then I think the only safe option is to install OKD with Centos
> Atomic Host and the containerised version of OpenShift, ie not use the RPMs
> at all.
>
>
> I will stick with OKD and try out CentOS Atomic Host instead of plain
> CentOS.
>
> However, the bad news for you is that an upgrade from RPMs to
> containerised would not be simple, and you couldn't reuse your nodes
> because you'd need to switch from Centos regular to Centos Atomic Host.  It
> would probably be technically possible but not simple.  I guess you'd
> upgrade your 3.10 cluster to the vulnerable version of 3.11 via RPMs, and
> then migrate your cluster to another cluster running on Atomic Host, I'm
> guessing there is probably some way to replicate the etcd data from one
> cluster to another. But it sounds like it'd be a lot of work, and you'd
> need some pretty deep skills in etcd and openshift.
>
>
> As I am still trying out OKD I will simply trash my existing CentOS nodes
> and re-install them all with CentOS Atomic Host. That shouldn't be a
> problem. I just hope that installing OKD on Atomic Host is better
> documented than the installation on plain CentOS, especially in regard of
> the upgrading procedure. But If I understand correctly the upgrade
> procedure here should be simplified as everything runs inside Docker
> containers.
>

The upgrade procedure is the same as RPMs, however you wouldn’t need to
change the rpm repo.

https://docs.okd.io/3.11/upgrading/automated_upgrades.html

A word of warning about the next major version upgrade, v4.0, Atomic Host
support is deprecated in favour of CoreOS (which RedHat recently acquired)
however CoreOS is not supported for 3.11 so it looks like you’ll need to do
a cluster rebuild for v4.0.  But at least you’ll be able to get 3.11
patches in the meantime.

>
>
> Now I first have to figure out how to install my CentOS Atomic
> Host virtual machines automatically with PXE and kickstart. It looks like I
> just need to adapt my kickstart file for Atomic Host (rpm ostree) and I get
> Atomic Host instead of plain CentOS...
>
>
> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>
>> ‐‐‐ Original Message ‐‐‐
>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>> comnea.d...@gmail.com> wrote:
>>
>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>> from CentOS yum repo: using the generic repo [1] which will always have the
>> latest origin release OR [2] where i've mentioned that you can install
>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>
>>
>> Thank you for your precisions and yes I am confused because first of all
>> the upgrading documentation on the okd.io website does not mention
>> anything about having to manually change the yum repo.repos.d file to match
>> a new directory for a new version of openshift.
>>
>> Then second, this mail (
>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>> has the following sentence, I quote:
>>
>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>> the rpms."
>>
>> So when is the freeze mode over for this repo? I read this should have
>> happened after the CentOS 7.6 release but that was already one month ago
>> and still no version 3.11 RPMs in the
>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin

Re: RPMs for 3.11 still missing from the official OpenShift Origin CentOS repo

2019-01-07 Thread Joel Pearson
It just detects. It checks the operating system type. You don’t even need
to change the inventory at all, as RPMs are only supported on CentOS and
containerised only on Atomic.

On Mon, 7 Jan 2019 at 7:47 pm, mabi  wrote:

> ‐‐‐ Original Message ‐‐‐
> On Sunday, January 6, 2019 11:13 PM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> It looks like the RPMs will eventually get the security fix according to
> the other reply from Daniel Comnea. But with containers you could have a
> fix within a day as opposed to waiting for new tag which still hasn’t
> happened yet and it’s been more than 1 month.
>
>
> That's good to know that it will eventually get fixed but with security
> vulnerabilities 1 month is already too long.
>
> The upgrade procedure is the same as RPMs, however you wouldn’t need to
> change the rpm repo.
>
>
> That's great! So this means that the OpenShift Ansible upgrade.yml
> playbook detects if the node is using CentOS+RPMs or Atomic Host+Docker and
> then upgrades using the correct way? or is there any special parameter I
> need for example in my Ansible inventory file to let the playbook know that
> I would be using Atomic Host?
>
>
> On Sun, 6 Jan 2019 at 07:03, mabi  wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>> On Saturday, January 5, 2019 3:57 PM, Daniel Comnea <
>>> comnea.d...@gmail.com> wrote:
>>>
>>> [DC]: i think you are a bit confused: there are 2 ways to get the rpms
>>> from CentOS yum repo: using the generic repo [1] which will always have the
>>> latest origin release OR [2] where i've mentioned that you can install
>>> *centos-release-openshift-origin3** rpm which will give you [3] yum repo
>>>
>>>
>>> Thank you for your precisions and yes I am confused because first of all
>>> the upgrading documentation on the okd.io website does not mention
>>> anything about having to manually change the yum repo.repos.d file to match
>>> a new directory for a new version of openshift.
>>>
>>> Then second, this mail (
>>> https://lists.openshift.redhat.com/openshift-archives/users/2018-November/msg7.html)
>>> has the following sentence, I quote:
>>>
>>> "Please note that due to ongoing work on releasing CentOS 7.6, the
>>> mirror.centos.org repo is in freeze mode - see [4] and as such we have
>>> not published the rpms to [5]. Once the freeze mode will end, we'll publish
>>> the rpms."
>>>
>>> So when is the freeze mode over for this repo? I read this should have
>>> happened after the CentOS 7.6 release but that was already one month ago
>>> and still no version 3.11 RPMs in the
>>> http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin/ repo...
>>>
>>> Finally, all I want to do is to upgrade my current okd version 3.10 to
>>> version 3.11 but I can't find any complete instructions documented
>>> correctly. The best I can find is
>>> https://docs.okd.io/3.11/upgrading/automated_upgrades.html which simply
>>> mentions running the following upgrade playbook:
>>>
>>> ansible-playbook \
>>> -i  \
>>> playbooks/byo/openshift-cluster/upgrades//upgrade.yml
>>>
>>> Again here there is no mention of having to modify a yum.repos.d file
>>> beforehand or having to install the centos-release-openshift-origin
>>> package...
>>>
>>> I would be glad if someone can clarify the full upgrade process and/or
>>> have the official documentation enhanced.


Re: [ssl] oc cluster up

2019-02-27 Thread Joel Pearson
Why not use an ansible installation for a single node instead? Then you can let 
ansible configure everything properly for you. 

Sent from my iPhone

> On 28 Feb 2019, at 9:02 am, Pavel Maslov  wrote:
> 
> With my original question, I meant how can I secure the Web Console (I was 
> able to install a custom SSL certificate for the Router, so now it's the Web 
> Console's turn). I am following the instructions from the documentation [1], 
> but to no avail - Web Console is still picking up the default self-singed 
> certificate by Openshift.
> 
> Since I am starting my Openshift cluster using oc cluster up, a new directory 
> gets created, namely openshift.local.clusterup/.
> So what I did I edited the file 
> openshift.local.clusterup/kub-apiserver/master-config.yaml as described in 
> [1]:
> 
> servingInfo:
>   masterPublicURL: https://dev3.maslick.com:8443
>   publicURL: https://dev3.maslick.com:8443/console/
>   bindAddress: 0.0.0.0:8443
>   bindNetwork: tcp4
>   certFile: master.server.crt
>   clientCA: ca.crt
>   keyFile: master.server.key
>   maxRequestsInFlight: 1200
>   namedCertificates:
>   - certFile: dev3-maslick-com.crt
>     clientCA: ca-maslick-com.pem
>     keyFile: key-dev3-maslick-com.pem
>     names:
>     - "dev3.maslick.com"
>   requestTimeoutSeconds: 3600
> volumeConfig:
>   dynamicProvisioningEnabled: true
> 
> It doesn't work though. It doesn't even pick up my certificate. I put the 
> crt, ca and key files into the same folder as master-config.yaml: 
> $HOME/openshift.local.clusterup/kub-apiserver/.
> Any thoughts? Thanks!
> 
> [1] 
> https://docs.okd.io/latest/install_config/certificate_customization.html#configuring-custom-certificates
> 
> Regards,
> Pavel Maslov, MS
> 
> 
>> On Mon, Feb 25, 2019 at 4:31 PM Pavel Maslov  wrote:
>> Hi, all
>> 
>> I'm new to the list. Perhaps, smb already asked this question:
>> 
>> When I start a cluster using oc cluster up command, Openshift generates a 
>> self-signed certificate. Is it possible to give it a real certificate? 
>> 
>> Thanks in advance.
>> 
>> Regards,
>> Pavel Maslov, MS


Re: [OKD/OCP v4]: deployment on a single node using CodeReady Container

2019-09-18 Thread Joel Pearson
With CodeReady Container, it's not possible to use it without
virtualisation right?  Because it needs CoreOS, and can't startup on an
existing docker installation like you can with "oc cluster up"?

I'm only asking because I almost got OKD 3.11 running on Windows 10 WSL
(windows subsystem for linux) v2.  But if it's a full VM, then running
inside WSL 2 doesn't really make sense (and probably doesn't work anyway).

On Sat, 14 Sep 2019 at 02:35, Daniel Comnea  wrote:

> Recently folks were asking what is the minishift's alternative for v4 and
> in case you've missed the news see [1]
>
> Hopefully that will also work for OKD v4 once  the MVP is out.
>
>
> Dani
>
> [1]
> https://developers.redhat.com/blog/2019/09/05/red-hat-openshift-4-on-your-laptop-introducing-red-hat-codeready-containers/


Re: [OKD/OCP v4]: deployment on a single node using CodeReady Container

2019-09-19 Thread Joel Pearson
Marvin, you could try enabling nested virtualisation in GCP?

https://cloud.google.com/compute/docs/instances/enable-nested-virtualization-vm-instances


On Fri, 20 Sep 2019 at 09:50, Just Marvin <
marvin.the.cynical.ro...@gmail.com> wrote:

> Fernando,
>
> Is CRC only expected to run on bare-metal? I tried running it on a VM
> in GCP and it didn't work, complaining about virtualization problems (sorry
> - forget the exact error). It runs fine on my laptop, but I'd really like
> to not muddy up my laptop with all kinds of experimental things.
>
> Regards,
> Marvin
>
> On Wed, Sep 18, 2019 at 12:35 PM Fernando Lozano 
> wrote:
>
>> Hi Joel,
>>
>> Yes, CRC requires virtualization. It creates and manages a VM, using the
>> hypervisor provided by your laptop OS, and runs OpenShift inside that VM.
>> AFAIK there is no more all-in-one containerized support for OpenShift, so
>> no more 'oc cluster up' for OpenShift 4.x.
>>
>> []s, Fernando Lozano
>>
>>
>> On Wed, Sep 18, 2019 at 9:44 AM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>> With CodeReady Container, it's not possible to use it without
>>> virtualisation right?  Because it needs CoreOS, and can't startup on an
>>> existing docker installation like you can with "oc cluster up"?
>>>
>>> I'm only asking because I almost got OKD 3.11 running on Windows 10 WSL
>>> (windows subsystem for linux) v2.  But if it's a full VM, then running
>>> inside WSL 2 doesn't really make sense (and probably doesn't work anyway).
>>>
>>> On Sat, 14 Sep 2019 at 02:35, Daniel Comnea 
>>> wrote:
>>>
>>>> Recently folks were asking what is the minishift's alternative for v4
>>>> and in case you've missed the news see [1]
>>>>
>>>> Hopefully that will also work for OKD v4 once  the MVP is out.
>>>>
>>>>
>>>> Dani
>>>>
>>>> [1]
>>>> https://developers.redhat.com/blog/2019/09/05/red-hat-openshift-4-on-your-laptop-introducing-red-hat-codeready-containers/


How to use extra trusted CA certs when pulling images for a builder

2019-11-10 Thread Joel Pearson
Hi,

I’m trying to build an image in Openshift 4.2 where my internet has an MITM
proxy.

So trying to pull docker images fails during the build with x509 errors.

Is there a way to provide extra trusted CA certificates to the builder?

Pulling image registry.redhat.io/ubi7-minimal:7.7 ...

Warning: Pull failed, retrying in 5s ...

Warning: Pull failed, retrying in 5s ...

Warning: Pull failed, retrying in 5s ...

error: build error: failed to pull image: After retrying 2 times, Pull
image still failed due to error: while pulling
"docker://registry.redhat.io/ubi7-minimal:7.7" as "registry.redhat.io/ubi7-minimal:7.7":
Error initializing source docker://registry.redhat.io/ubi7-minimal:7.7:
pinging docker registry returned: Get https://registry.redhat.io/v2/: x509:
certificate signed by unknown authority

Thanks,

Joel



Re: How to use extra trusted CA certs when pulling images for a builder

2019-11-11 Thread Joel Pearson
On Tue, 12 Nov 2019 at 12:26 am, Ben Parees  wrote:

>
>
> On Mon, Nov 11, 2019 at 1:17 AM Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> Hi,
>>
>> I’m trying to build an image in Openshift 4.2 where my internet has an
>> MITM proxy.
>>
>> So trying to pull docker images fails during the build with x509 errors.
>>
>> Is there a way to provide extra trusted CA certificates to the builder?
>>
>
> Did you supply additional CAs via the proxy configuration?  Those should
> be picked up by the builder automatically when it is pulling images and I
> think it'd be a bug if you configured that and it's not working:
>
> https://docs.openshift.com/container-platform/4.2/networking/enable-cluster-wide-proxy.html#nw-proxy-configure-object_config-cluster-wide-proxy
>

>
I forgot to mention that it’s a transparent proxy, in install-config.yaml I
added the proxy CA to “additionalTrustBundle” which helped it install the
cluster. But it just didn’t seem to apply to the builder.

Can I use the “trustedCA” part of the proxy configuration without actually
specifying an explicit proxy?


Re: How to use extra trusted CA certs when pulling images for a builder

2019-11-17 Thread Joel Pearson
On Mon, 18 Nov 2019 at 13:05, Clayton Coleman  wrote:

> Raise a bug to the installer component, yes
>

Ok thanks, I raised a bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=1773419


> On Nov 17, 2019, at 6:03 PM, Joel Pearson 
> wrote:
>
> On Mon, 18 Nov 2019 at 12:37, Ben Parees  wrote:
>
>>
>>
>> On Sun, Nov 17, 2019 at 7:24 PM Joel Pearson <
>> japear...@agiledigital.com.au> wrote:
>>
>>>
>>>
>>> On Wed, 13 Nov 2019 at 02:43, Ben Parees  wrote:
>>>
>>>>
>>>>
>>>> On Mon, Nov 11, 2019 at 11:27 PM Ben Parees  wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Nov 11, 2019 at 10:47 PM Joel Pearson <
>>>>> japear...@agiledigital.com.au> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, 12 Nov 2019 at 06:56, Ben Parees  wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Can I use the “trustedCA” part of the proxy configuration without
>>>>>>>> actually specifying an explicit proxy?
>>>>>>>>
>>>>>>>
>>>>>>> you should be able to.  Daneyon can you confirm?  (if you can't i'd
>>>>>>> consider it a bug).
>>>>>>>
>>>>>>> It does work! Thanks for that. user-ca-bundle already existed and
>>>>>> had my certificate in there, I just needed to reference user-ca-bundle in
>>>>>> the proxy config.
>>>>>>
>>>>>
>>>>> cool, given that you supplied the CAs during install, and the
>>>>> user-ca-bundle CM was created, i'm a little surprised the install didn't
>>>>> automatically setup the reference in the proxyconfig resource for you.  
>>>>> I'm
>>>>> guessing it did not because there was no actual proxy hostname configured.
>>>>> I think that's a gap we should close..would you mind filing a bug?  (
>>>>> bugzilla.redhat.com).  You can submit it against the install
>>>>> component.
>>>>>
>>>>
>>>> fyi I've filed a bug for this aspect of the issues you ran into:
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1771564
>>>>
>>>>
>>> Thanks for raising this, reading through the related github tickets it
>>> looks like I've opened a can of worms to some degree.
>>>
>>
>> Yes there's some difference of opinion on what the out of box desired
>> behavior is, but at a minimum you've exposed a gap in our documentation
>> that we will get fixed.
>>
>>
>> I also just discovered that the openshift cluster version operator (CVO),
> isn't quite configured correctly out of the box to use the correct trusted
> CA certs (which means it can't download cluster updates).
>
> It correctly mounts /etc/ssl/certs from the host (the masters), but it
> fails to also mount /etc/pki, because the certs are a symlink
> /etc/ssl/certs/ca-bundle.crt ->
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>
> I couldn't find where the installer sets up the CVO but an example of what
> is missing is here.
>
> https://github.com/openshift/cluster-version-operator/blob/01a7825179246fa708ac64de96e6675c0bf9a930/bootstrap/bootstrap-pod.yaml#L44-L46
>
>
> Is there an existing bug for this? Or should I raise a bugzilla for this?
> Would it be part of the installer?
>
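
Added example, not code from this thread or from OpenShift: a POSIX shell check for the failure described in the quoted message above, where a pod bind-mounts /etc/ssl/certs from the host but not /etc/pki, so the host's ca-bundle.crt symlink points at a path that does not exist inside the container. The block builds a constructed fake host root with the layout quoted in the thread (/etc/ssl/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) and walks the symlink against the list of host directories a pod mounts; the placeholder PEM content is made up and is not a certificate. Anything other than `ok` means TLS verification inside that pod falls back to whatever bundle the image ships, which is exactly the case where a private or MITM CA added through additionalTrustBundle is not seen. For the builder problem itself the thread confirms the fix is pointing the cluster Proxy object's spec.trustedCA at the user-ca-bundle ConfigMap even with no proxy URL set; one way to do that (my command, not from the thread) is `oc patch proxy/cluster --type=merge -p '{"spec":{"trustedCA":{"name":"user-ca-bundle"}}}'`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from OpenShift): detect a
# host CA bundle whose symlink target lies outside the directories a pod
# bind-mounts from the host. The fake host root is CONSTRUCTED to mimic the
# RHEL/RHCOS layout quoted in the thread; the PEM body is a placeholder.

HOSTROOT="$(mktemp -d)"
mkdir -p "$HOSTROOT/etc/ssl/certs" "$HOSTROOT/etc/pki/ca-trust/extracted/pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
  'constructed placeholder, not a real certificate' \
  '-----END CERTIFICATE-----' \
  > "$HOSTROOT/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
  "$HOSTROOT/etc/ssl/certs/ca-bundle.crt"

# link_target <host path>: resolve one symlink hop, interpreting the link
# relative to the fake host root. Prints the target's host path, or the
# path itself when it is not a symlink.
link_target() {
  p="$1"
  if [ -L "$HOSTROOT$p" ]; then
    t="$(readlink "$HOSTROOT$p")"
    case "$t" in
      /*) printf '%s\n' "$t" ;;
      *)  printf '%s\n' "$(dirname "$p")/$t" ;;
    esac
  else
    printf '%s\n' "$p"
  fi
}

# under_mounts <path> "<mount> <mount> ...": true when <path> is inside one
# of the host directories the pod mounts.
under_mounts() {
  path="$1"; mounts="$2"
  for m in $mounts; do
    case "$path" in "$m"|"$m"/*) return 0 ;; esac
  done
  return 1
}

# ca_bundle_reachable "<mount> <mount> ...": follow /etc/ssl/certs/ca-bundle.crt
# hop by hop; print "ok" when the file and every hop are mounted into the pod,
# "dangling:<path>" for the first hop that points outside the mounted set.
ca_bundle_reachable() {
  mounts="$1"; p="/etc/ssl/certs/ca-bundle.crt"; hops=0
  while [ "$hops" -lt 8 ]; do
    if ! under_mounts "$p" "$mounts"; then
      printf 'dangling:%s\n' "$p"; return 0
    fi
    t="$(link_target "$p")"
    if [ "$t" = "$p" ]; then
      printf 'ok\n'; return 0
    fi
    p="$t"; hops=$((hops + 1))
  done
  printf 'loop\n'
}

ca_bundle_reachable "/etc/ssl/certs"           # dangling:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ca_bundle_reachable "/etc/ssl/certs /etc/pki"  # ok
```

To run it against a real pod spec, pass the hostPath volumes it declares as the mount list; the thread's observation that mounting /etc/pki alongside /etc/ssl/certs makes the bundle usable is what the second call demonstrates.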


How to recover from failed update in OpenShift 4.2.x?

2019-11-17 Thread Joel Pearson
So, I'm running OpenShift 4.2 on Azure UPI following this blog article:
https://blog.openshift.com/openshift-4-1-upi-environment-deployment-on-microsoft-azure-cloud/
with a few customisations on the terraform side.

One of the main differences it seems, is how the router/ingress is handled.
Normal Azure uses load balancers, but UPI Azure uses a regular router (which
I'm used to seeing in the 3.x version) which is configured by setting
"HostNetwork" for the endpoint publishing strategy.

It was all working fine in OpenShift 4.2.0 and 4.2.2, but when I upgraded
to OpenShift 4.2.4, the router stopped listening on ports 80 and 443, I
could see the pod running with "crictl ps", but a "netstat -tpln" didn't
show anything listening.

I tried updating the version back from 4.2.4 to 4.2.2, but I
accidentally used 4.1.22 image digest value, so I quickly reverted back to
4.2.4 once I saw the apiservers coming up as 4.1.22.  I then noticed that
there was a 4.2.7 release on the candidate-4.2 channel, so I switched to
that, and ingress started working properly again.

So my question is, what is the strategy for recovering from a failed
update? Do I need to have etcd backups and then restore the cluster by
restoring etcd? Ie.
https://docs.openshift.com/container-platform/4.2/backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.html

The upgrade page specifically says "Reverting your cluster to a previous
version, or a rollback, is not supported. Only upgrading to a newer version
is supported." So is it an expectation for a production cluster that you
would restore from backup if the cluster isn't usable?

Maybe the upgrade page should mention taking backups? Especially if there
is no rollback option.


  1   2   >