Bug 1599241 - Add security content for hawkular-cassandra before openshift was updated to v3.10
Summary: Add security content for hawkular-cassandra before openshift was updated to v3.10
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Hawkular
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.9.z
Assignee: Ruben Vargas Palma
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On: 1613095
Blocks: 1599529
 
Reported: 2018-07-09 09:44 UTC by Anping Li
Modified: 2018-08-29 14:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1599529 (view as bug list)
Environment:
Last Closed: 2018-08-29 14:42:31 UTC
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2549 None None None 2018-08-29 14:43:15 UTC

Description Anping Li 2018-07-09 09:44:30 UTC
Description of problem:
The metrics cassandra 3.9 has no permission to create the directory /cassandra_data/data once OpenShift is updated to v3.10. Redeploying metrics via openshift-ansible:v3.10 can solve this issue, but there is some downtime between the OpenShift upgrade and the metrics update.

To avoid the metrics downtime, we can add the securityContext to make v3.9 cassandra work in v3.10 with the following steps. If the customer doesn't care about the downtime, they can skip these steps.

Steps:
1. oc get namespaces openshift-infra -o json

$oc get namespaces openshift-infra -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.initialized-roles: "true"
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  name: openshift-infra
  uid: 2d73f159-8331-11e8-9c8f-42010af00028
spec:
  finalizers:
  - kubernetes
  - openshift.io/origin

2. Update the securityContext in the replication controller hawkular-cassandra-1 using the values from the namespace openshift-infra

  $ oc edit rc hawkular-cassandra-1
   # Add the fsGroup and seLinuxOptions using the same values as in the namespace openshift-infra

                "securityContext": {
                    "fsGroup": 1000040000,
                    "seLinuxOptions": {
                        "level": "s0:c6,c5"
                    },
                    "supplementalGroups": [
                        65534
                    ]
                },
                "serviceAccount": "cassandra",
                "serviceAccountName": "cassandra"

For more detail, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1590748, the PR https://github.com/openshift/openshift-ansible/pull/8831


Version-Release number of selected component (if applicable):
openshift-ansible:v3.9

How reproducible:
always

Steps to Reproduce:
1. Deploy metrics v3.9 on v3.9
  openshift_metrics_install_metrics=True
  oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}

2. Upgrade OCP to v3.10

3. Check the cassandra logs in v3.10


Expected results:
The /cassandra_data/data directory can be accessed after the upgrade

Additional info:
Once redeployed to v3.10 via openshift-ansible:v3.10, cassandra can access the directory /cassandra_data/data.
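
The derivation in steps 1 and 2 of the description, as an added example that is not part of the original report or of openshift-ansible: it reads the namespace annotations, builds the pod-level securityContext, and lists the fields an RC template still lacks. The namespace and RC JSON are constructed samples, the helper names are hypothetical, and taking fsGroup from the start of the first supplemental-groups block is an assumption that matches the values shown above.

```python
import json

# Constructed sample: trimmed `oc get namespaces openshift-infra -o json` output
# carrying the annotation values shown in the description.
NAMESPACE_JSON = """
{"kind": "Namespace", "metadata": {"name": "openshift-infra", "annotations": {
  "openshift.io/sa.scc.mcs": "s0:c6,c5",
  "openshift.io/sa.scc.supplemental-groups": "1000040000/10000",
  "openshift.io/sa.scc.uid-range": "1000040000/10000"}}}
"""
# Constructed RC fragment that has no pod-level securityContext yet.
RC_JSON = '{"spec": {"template": {"spec": {"serviceAccountName": "cassandra"}}}}'

MCS = "openshift.io/sa.scc.mcs"
GROUPS = "openshift.io/sa.scc.supplemental-groups"

def first_group_id(blocks):
    """First ID of the first block; blocks are 'start/length' or 'start-end'."""
    first = blocks.split(",")[0].strip()
    for sep in ("/", "-"):
        if sep in first:
            return int(first.split(sep, 1)[0])
    return int(first)

def expected_security_context(namespace):
    """Build the securityContext from step 2 out of the namespace annotations."""
    ann = namespace["metadata"].get("annotations") or {}
    missing = [key for key in (MCS, GROUPS) if key not in ann]
    if missing:
        raise ValueError("namespace lacks annotations: " + ", ".join(missing))
    return {
        "fsGroup": first_group_id(ann[GROUPS]),  # assumption: start of first block
        "seLinuxOptions": {"level": ann[MCS]},
        "supplementalGroups": [65534],  # value used in the bug report
    }

def drift(rc, expected):
    """Names of securityContext fields in the RC pod template that differ."""
    actual = rc["spec"]["template"]["spec"].get("securityContext") or {}
    return sorted(key for key, value in expected.items() if actual.get(key) != value)

def patch_for(expected):
    """Patch body that sets the pod-level securityContext on the RC template."""
    return json.dumps({"spec": {"template": {"spec": {"securityContext": expected}}}})

if __name__ == "__main__":
    want = expected_security_context(json.loads(NAMESPACE_JSON))
    print("fields to fix:", drift(json.loads(RC_JSON), want))
    print(patch_for(want))
```

Because the values come from the namespace's own annotations, the same check works on a cluster where openshift-infra was allocated a different UID range or MCS level than the one shown here.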

Comment 1 Anping Li 2018-07-09 09:46:14 UTC
Shall we add this issue in v3.10 release note? and back port the PR 8831 in v3.9?

Comment 2 John Sanda 2018-07-16 21:50:46 UTC
(In reply to Anping Li from comment #1)
> Shall we add this issue in v3.10 release note? and back port the PR 8831 in
> v3.9?

I talked with Ruben and we agree that it should be back ported. I think it makes sense to include in the release notes as well.

For step 2 in the description, you are upgrading OCP and not metrics, right?

Comment 3 Ruben Vargas Palma 2018-07-30 18:22:02 UTC
The solution was already backported to 3.9 and the PR was merged, https://github.com/openshift/openshift-ansible/pull/9278.

I'm moving this BZ to MODIFIED.

Comment 5 Junqi Zhao 2018-08-22 08:23:44 UTC
Blocked by Bug 1613095

Comment 6 Junqi Zhao 2018-08-25 13:38:57 UTC
securityContext is added to metrics 3.9
*****************************************************
      securityContext:
        fsGroup: 1000040000
        seLinuxOptions:
          level: s0:c6,c5
        supplementalGroups:
        - 65534
      serviceAccount: cassandra
      serviceAccountName: cassandra
*****************************************************

openshift-ansible-3.9.41-1.git.0.4c55974.el7
# oc version
oc v3.9.41
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Images
metrics-cassandra-v3.9.40-11
metrics-hawkular-metrics-v3.9.40-11
metrics-heapster-v3.9.40-11

Comment 8 errata-xmlrpc 2018-08-29 14:42:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2549

