On Wed, Apr 13, 2016 at 3:16 AM, Lorenz Vanthillo <
lorenz.vanthi...@outlook.com> wrote:
> I saw on https://github.com/openshift/origin/issues/8358:
>
>
> $ oc debug pod/logging-fluentd-80xzt -- cat /proc/self/attr/current
> Debugging with pod/debug-logging-fluentd-80xzt, original command: <image entrypoint>
> Waiting for pod to start ...
> system_u:system_r:svirt_lxc_net_t:s0:c216,c576
>
> Removing debug pod ...
>
>
> Yup. The problem was what I thought: it's being run under the
> svirt_lxc_net_t SELinux type, which doesn't have access to var_log_t. If
> you don't want to disable SELinux, you'll need to follow the instructions
> for creating a new SELinux type that I posted above.
>
> So I understand what's wrong but I don't see why the workaround (changing
> the service account permissions from anyuid to privileged) isn't working
> for me + I don't want to create a new selinuxtype.
>
Sorry about that, we had missed a step. You'll need to delete your
daemonset, edit your logging-fluentd-template to add a property to your
container spec and recreate your daemonset to let it properly run as
privileged to escape the SELinux enforcing.

$ oc delete daemonset logging-fluentd
$ oc edit template/logging-fluentd-template

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving
# this file will be reopened with the relevant failures.
#
apiVersion: v1
kind: Template
labels:
  component: fluentd
. . .
objects:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  . . .
  spec:
    selector:
      matchLabels:
        component: fluentd
        provider: openshift
    template:
      metadata:
        labels:
          component: fluentd
          provider: openshift
        name: fluentd-elasticsearch
      spec:
        containers:
        . . .
          name: fluentd-elasticsearch
          # insert below here
          securityContext:
            privileged: true
          # insert above here
          resources:
            limits:
              cpu: 100m
. . .

$ oc process logging-fluentd-template | oc create -f -

> --
> From: lorenz.vanthi...@outlook.com
> To: ewoli...@redhat.com
> CC: users@lists.openshift.redhat.com
> Subject: RE: Aggregating container logs using Kibana
> Date: Wed, 13 Apr 2016 09:30:48 +0200
>
>
> Fixed the issue with nodeselectormismatching:
> So now I have 3 fluentd pods on my 2 normal nodes and my infranode:
> But still the same permission issue:
> NAME                          READY   STATUS      RESTARTS   AGE
> logging-curator-1-j7mz0       1/1     Running     0          17m
> logging-deployer-39qcz        0/1     Completed   0          47m
> logging-es-605u5g7g-1-36owl   1/1     Running     0          17m
> logging-fluentd-4uqx1         1/1     Running     0          46m
> logging-fluentd-dez5r         1/1     Running     0          2m
> logging-fluentd-m50nj         1/1     Running     0          46m
> logging-kibana-1-wfog2        2/2     Running     0          16m
>
> --
> From: lorenz.vanthi...@outlook.com
> To: ewoli...@redhat.com
> CC: users@lists.openshift.redhat.com
> Subject: RE: Aggregating container logs using Kibana
> Date: Wed, 13 Apr 2016 09:21:47 +0200
>
> Hi Eric,
>
> Thanks for your reply and the follow up of this issue.
> I've created a new origin 1.1.6 cluster (2 days ago) but still have the
> same issue:
> My environment is one master (with node) non schedulable, 2 'normal' nodes
> and one infra node.
> I still got the permission denied (The documentation is up to date so I
> didn't even have to perform the workaround manually).
> - system:serviceaccount:logging:aggregated-logging-fluentd is in scc
> privileged by default.
>
> The logging-deployer-template creates services and 2 pods of fluentd (on
> the normal nodes).
> The pods appear after performing this command:
>
> oc label nodes --all logging-infra-fluentd=true
>
> So my nodes got that label. also the unschedulable node on my master. So
> that's normal that it failed but why it fails on my infra-node I don't
> know. (I defined in my master-config that projects are by default on the
> other 2 nodes, maybe that's why but I don't know it's relevant for my
> issue).
> I also don't really understand why 'oc process logging-support-template |
> oc create -f -' is only cited in the troubleshooting part.
> Still the error: [error]: unexpected error error_class=Errno::EACCES
> error=#
>
> oc get is
> NAME                    DOCKER REPO                                        TAGS            UPDATED
> logging-auth-proxy      docker.io/openshift/origin-logging-auth-proxy      latest,v0.0.1   4 minutes ago
> logging-curator         docker.io/openshift/origin-logging-curator         latest          4 minutes ago
> logging-elasticsearch   docker.io/openshift/origin-logging-elasticsearch   latest          4 minutes ago
> logging-fluentd         docker.io/openshift/origin-logging-fluentd         latest          4 minutes ago
>
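
An added example (not from the thread or the OpenShift project) for checking the result of the template edit above: it lists every container that a processed template would run as privileged, and tests whether a context line read from /proc/self/attr/current is still the svirt_lxc_net_t type. The List-shaped JSON input, the second object and the image placeholders are assumptions made for the example.

```python
import json

# Constructed sample shaped like the List emitted by `oc process`; the second
# object and both image values are placeholders invented for this example.
PROCESSED = json.loads("""
{"kind": "List", "items": [
  {"kind": "DaemonSet", "metadata": {"name": "logging-fluentd"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "fluentd-elasticsearch", "image": "IMAGE_PLACEHOLDER",
      "securityContext": {"privileged": true}}]}}}},
  {"kind": "DaemonSet", "metadata": {"name": "example-unprivileged"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "example", "image": "IMAGE_PLACEHOLDER"}]}}}}
]}
""")


def privileged_containers(obj_list):
    """List (kind, object name, container name) for every privileged container."""
    found = []
    for obj in obj_list.get("items", []):
        pod_spec = obj.get("spec", {}).get("template", {}).get("spec", {})
        for c in pod_spec.get("containers", []):
            # A missing or null securityContext means not privileged.
            if (c.get("securityContext") or {}).get("privileged") is True:
                found.append((obj.get("kind"), obj["metadata"]["name"], c["name"]))
    return found


def parse_selinux_context(line):
    """Split user:role:type:level; the level itself contains ':' (s0:c216,c576)."""
    fields = line.strip().split(":", 3)
    if len(fields) != 4:
        raise ValueError("not an SELinux context: %r" % line)
    return dict(zip(("user", "role", "type", "level"), fields))


def still_confined(line, confined_type="svirt_lxc_net_t"):
    """True if the process still runs under the type that lacks var_log_t access."""
    return parse_selinux_context(line)["type"] == confined_type


if __name__ == "__main__":
    for kind, name, container in privileged_containers(PROCESSED):
        print("privileged: %s/%s container %s" % (kind, name, container))
    # Context line copied from the `oc debug` output quoted in the thread.
    print(still_confined("system_u:system_r:svirt_lxc_net_t:s0:c216,c576"))
```

Running the first check over every template in a project shows how many workloads were given `privileged: true`, so the exception stays limited to the fluentd container.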