Re: docker registry image for openshift 3.2?
Restarting docker cleared it up. I think there is something about my install of OS, perhaps it reinstalls docker. Thank you! On Fri, Jun 17, 2016 at 11:19 AM, Clayton Coleman <ccole...@redhat.com> wrote: > Are you trying to pull that from the DockerHub, or do you have an > --add-registry flag on your daemon? Because that image only exists on > the red hat registry. > > On Fri, Jun 17, 2016 at 2:12 PM, Alan Jones <ajo...@diamanti.com> wrote: > > Error syncing pod, skipping: failed to "StartContainer" for "deployment" > > with ErrImagePull: "Error: image openshift3/ose-deployer:v3.2.0.44 not > > found" > > > > ___ > > users mailing list > > users@lists.openshift.redhat.com > > http://lists.openshift.redhat.com/openshiftmm/listinfo/users > > > ___ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
docker registry image for openshift 3.2?
Error syncing pod, skipping: failed to "StartContainer" for "deployment" with ErrImagePull: "Error: image openshift3/ose-deployer:v3.2.0.44 not found" ___ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: anyone seen this error from ansible install?
See below. I also have two issues that might be related: 1) This is a "reinstall", I've successfully installed using the "simple" interactive, remove and added rpms, and run ansible install 2) There is some issue on this cluster that makes ansible run slow, total 18m to fail vs. <8m for success on a VM cluster with identical config Thanks for any insights you can give me! Alan [root@pocsj41 ~]# rpm -qa | grep ansible openshift-*ansible*-docs-3.0.94-1.git.0.67a822a.el7.noarch openshift-*ansible*-lookup-plugins-3.0.94-1.git.0.67a822a.el7.noarch openshift-*ansible*-filter-plugins-3.0.94-1.git.0.67a822a.el7.noarch openshift-*ansible*-3.0.94-1.git.0.67a822a.el7.noarch openshift-*ansible*-playbooks-3.0.94-1.git.0.67a822a.el7.noarch openshift-*ansible*-roles-3.0.94-1.git.0.67a822a.el7.noarch *ansible*-1.9.4-1.el7aos.noarch [root@pocsj41 ~]# rpm -qa | grep openshift *openshift*-ansible-docs-3.0.94-1.git.0.67a822a.el7.noarch *openshift*-ansible-lookup-plugins-3.0.94-1.git.0.67a822a.el7.noarch atomic-*openshift*-node-3.2.0.44-1.git.0.a4463d9.el7.x86_64 *openshift*-ansible-filter-plugins-3.0.94-1.git.0.67a822a.el7.noarch atomic-*openshift*-sdn-ovs-3.2.0.44-1.git.0.a4463d9.el7.x86_64 *openshift*-ansible-3.0.94-1.git.0.67a822a.el7.noarch *openshift*-ansible-playbooks-3.0.94-1.git.0.67a822a.el7.noarch atomic-*openshift*-clients-3.2.0.44-1.git.0.a4463d9.el7.x86_64 *openshift*-ansible-roles-3.0.94-1.git.0.67a822a.el7.noarch atomic-*openshift*-3.2.0.44-1.git.0.a4463d9.el7.x86_64 tuned-profiles-atomic-*openshift*-node-3.2.0.44-1.git.0.a4463d9.el7.x86_64 atomic-*openshift*-master-3.2.0.44-1.git.0.a4463d9.el7.x86_64 atomic-*openshift*-utils-3.0.94-1.git.0.67a822a.el7.noarch [root@pocsj41 ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) On Wed, Jun 8, 2016 at 5:29 AM, Brenton Leanhardt <blean...@redhat.com> wrote: > Can you provide the version of ansible you are using as well as the > RPM or git checkout ref of the playbooks you're using? > > Thanks, > Brenton > > On Tue, Jun 7, 2016 at 9:01 PM, Alan Jones <ajo...@diamanti.com> wrote: > > Error followed by /etc/ansible/hosts below. > > Alan > > --- > > TASK: [openshift_facts | Verify Ansible version is greater than or equal > to > > 1.9.4] *** > > fatal: [pocsj41] => Traceback (most recent call last): > > File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", > line > > 586, in _executor > > exec_rc = self._executor_internal(host, new_stdin) > > File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", > line > > 789, in _executor_internal > > return self._executor_internal_inner(host, self.module_name, > > self.module_args, inject, port, complex_args=complex_args) > > File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", > line > > 869, in _executor_internal_inner > > if not utils.check_conditional(cond, self.basedir, inject, > > fail_on_undefined=self.error_on_undefined_vars): > > File "/usr/lib/python2.7/site-packages/ansible/utils/__init__.py", line > > 269, in check_conditional > > conditional = template.template(basedir, presented, inject) > > File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line > > 124, in template > > varname = template_from_string(basedir, varname, templatevars, > > fail_on_undefined) > > File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line > > 382, in template_from_string > > res = jinja2.utils.concat(rf) > > File "", line 6, in root > > File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 153, in > > resolve > > return self.parent[key] > > File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line > > 205, in __getitem__ > > return template(self.basedir, var, self.vars, > > fail_on_undefined=self.fail_on_undefined) > > File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line > > 124, in template > > varname = template_from_string(basedir, varname, templatevars, > > fail_on_undefined) > > File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line > > 382, in template_from_string > > res = jinja2.utils.concat(rf) > > File "", line 10, in root > > File "/usr/share/ansible_plugins/filter_plugins/oo_filters.py", line > 742, > > in oo_persistent_volumes > > if len(groups['oo_nfs_to_config']) > 0: > > KeyError: 'oo_nfs_to_config' > > > > > > FATAL: all hosts have already failed -- aborti
anyone seen this error from ansible install?
Error followed by /etc/ansible/hosts below. Alan --- TASK: [openshift_facts | Verify Ansible version is greater than or equal to 1.9.4] *** fatal: [pocsj41] => Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 586, in _executor exec_rc = self._executor_internal(host, new_stdin) File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 789, in _executor_internal return self._executor_internal_inner(host, self.module_name, self.module_args, inject, port, complex_args=complex_args) File "/usr/lib/python2.7/site-packages/ansible/runner/__init__.py", line 869, in _executor_internal_inner if not utils.check_conditional(cond, self.basedir, inject, fail_on_undefined=self.error_on_undefined_vars): File "/usr/lib/python2.7/site-packages/ansible/utils/__init__.py", line 269, in check_conditional conditional = template.template(basedir, presented, inject) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 124, in template varname = template_from_string(basedir, varname, templatevars, fail_on_undefined) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 382, in template_from_string res = jinja2.utils.concat(rf) File "", line 6, in root File "/usr/lib/python2.7/site-packages/jinja2/runtime.py", line 153, in resolve return self.parent[key] File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 205, in __getitem__ return template(self.basedir, var, self.vars, fail_on_undefined=self.fail_on_undefined) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 124, in template varname = template_from_string(basedir, varname, templatevars, fail_on_undefined) File "/usr/lib/python2.7/site-packages/ansible/utils/template.py", line 382, in template_from_string res = jinja2.utils.concat(rf) File "", line 10, in root File "/usr/share/ansible_plugins/filter_plugins/oo_filters.py", line 742, in oo_persistent_volumes if len(groups['oo_nfs_to_config']) > 0: KeyError: 'oo_nfs_to_config' FATAL: all hosts have already failed -- aborting --- /etc/ansible/hosts [OSEv3:children] masters nodes [OSEv3:vars] ansible_ssh_user=root deployment_type=openshift-enterprise openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] [masters] pocsj41 [nodes] pocsj41 openshift_node_labels="{'region': 'primary', 'zone': 'default'}" openshift_hostname=pocsj41 openshift_public_hostname=pocsj41 openshift_ip=172.16.51.2 openshift_public_ip=172.16.51.2 pocsj42 openshift_node_labels="{'region': 'primary', 'zone': 'default'}" openshift_hostname=pocsj42 openshift_public_hostname=pocsj42 openshift_ip=172.16.51.4 openshift_public_ip=172.16.51.4 pocsj43 openshift_node_labels="{'region': 'primary', 'zone': 'default'}" openshift_hostname=pocsj43 openshift_public_hostname=pocsj43 openshift_ip=172.16.51.7 openshift_public_ip=172.16.51.7 ___ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: containters with host volumes from controllers
I now reproduced the issue with OpenShift 3.2 on RHEL 7, as apposed to my few week old origin on CentOS. Unfortunately, my magic command isn't working. Here is my procedure: 1) Create node certs with `oadm create-node-config` 2) Use these certs from said node to create a replication set for a container that requires a host mount. 3) See event with 'hostPath volumes are not allowed to be used' Note, this process works with standard Kubernetes; so navigating the OpenShift authentication & permissions is what I'm trying to accomplish. Also note that there is not *project* specified in this procedure; the node being certified belongs to system:node, should I use that? I feel like I'm flying blind because there is no feedback: 1) The command to add privileges doesn't verify that the project or user exists. 2) The failure doesn't tell me which project/user was attempting to do the unpermitted task. Alan [root@alan-lnx ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) [root@alan-lnx ~]# openshift version openshift v3.2.0.20 kubernetes v1.2.0-36-g4a3f9c5 etcd 2.2.5 On Wed, May 18, 2016 at 3:08 PM, Alan Jones <ajo...@diamanti.com> wrote: > I think I'm making progress: > oadm policy add-scc-to-user hostmount-anyuid > system:serviceaccount:openshift-infra:default > Now when I submit the replica set I get a different mount error that I > think I understand. > Note, the context I'm submitting the request in is using the node host > certs under /openshift.local/config/ to the API server. > There is no specified project. > Thank you! > Alan > > On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <ccole...@redhat.com> > wrote: > >> >> >> On May 18, 2016, at 5:26 PM, Alan Jones <ajo...@diamanti.com> wrote: >> >> > oadm policy ... -z default >> In the version of openshift origin I'm using the oadm command doesn't >> take '-z'. >> Can you fill in the dot, dot, dot for me? >> I'm trying to grant permission for host volume access for a pod created >> by the replication controller which was submitted with node credentials to >> the API server. >> Here is my latest failed attempt to try to follow your advice: >> oadm policy add-scc-to-group hostmount-anyuid >> system:serviceaccount:default >> Again, this would be much easier if I could get logs for what group and >> user it is evaluating when it fails. >> Alan >> >> >> system:serviceaccount:NAMESPACE:default >> >> Since policy is global, you have to identify which namespace/project >> contains the "default" service account (service accounts are scoped to a >> project). >> >> >> On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <ccole...@redhat.com> >> wrote: >> >>> You need to grant the permission to a service account for the pod (which >>> is "default" if you don't fill in the field). The replication controller's >>> SA is not checked. >>> >>> oadm policy ... -z default >>> >>> On May 17, 2016, at 8:39 PM, Alan Jones <ajo...@diamanti.com> wrote: >>> >>> I tried that: >>> oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount: >>> openshift-infra:replication-controller >>> ... and I still get the error. >>> Is there any way to get the user name/group that fails authentication? >>> Alan >>> >>> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com> >>> wrote: >>> >>>> anyuid doesn't grant hostPath, since that's a much more dangerous >>>> permission. You want grant hostmount-anyuid >>>> >>>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com> >>>> wrote: >>>> > I have several containers that we run using K8 that require host >>>> volume >>>> > access. >>>> > For example, I have a container called "evdispatch-v1" that I'm >>>> trying to >>>> > launch in a replication controller and get the below error. >>>> > Following an example from "Enable Dockerhub Images that Require Root" >>>> in >>>> > ( >>>> https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile >>>> ) >>>> > I tried: >>>> > oadm policy add-scc-to-user anyuid >>>> > system:serviceaccount:openshift-infra:replication-controller >>>> > But still get the error. >>>> > Do you know what I need to do? >>>> > Who knows more about this stuff? >
Re: containters with host volumes from controllers
I think I'm making progress: oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:openshift-infra:default Now when I submit the replica set I get a different mount error that I think I understand. Note, the context I'm submitting the request in is using the node host certs under /openshift.local/config/ to the API server. There is no specified project. Thank you! Alan On Wed, May 18, 2016 at 2:48 PM, Clayton Coleman <ccole...@redhat.com> wrote: > > > On May 18, 2016, at 5:26 PM, Alan Jones <ajo...@diamanti.com> wrote: > > > oadm policy ... -z default > In the version of openshift origin I'm using the oadm command doesn't take > '-z'. > Can you fill in the dot, dot, dot for me? > I'm trying to grant permission for host volume access for a pod created by > the replication controller which was submitted with node credentials to the > API server. > Here is my latest failed attempt to try to follow your advice: > oadm policy add-scc-to-group hostmount-anyuid system:serviceaccount:default > Again, this would be much easier if I could get logs for what group and > user it is evaluating when it fails. > Alan > > > system:serviceaccount:NAMESPACE:default > > Since policy is global, you have to identify which namespace/project > contains the "default" service account (service accounts are scoped to a > project). > > > On Tue, May 17, 2016 at 5:46 PM, Clayton Coleman <ccole...@redhat.com> > wrote: > >> You need to grant the permission to a service account for the pod (which >> is "default" if you don't fill in the field). The replication controller's >> SA is not checked. >> >> oadm policy ... -z default >> >> On May 17, 2016, at 8:39 PM, Alan Jones <ajo...@diamanti.com> wrote: >> >> I tried that: >> oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount: >> openshift-infra:replication-controller >> ... and I still get the error. >> Is there any way to get the user name/group that fails authentication? >> Alan >> >> On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com> >> wrote: >> >>> anyuid doesn't grant hostPath, since that's a much more dangerous >>> permission. You want grant hostmount-anyuid >>> >>> On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com> >>> wrote: >>> > I have several containers that we run using K8 that require host volume >>> > access. >>> > For example, I have a container called "evdispatch-v1" that I'm trying >>> to >>> > launch in a replication controller and get the below error. >>> > Following an example from "Enable Dockerhub Images that Require Root" >>> in >>> > ( >>> https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile >>> ) >>> > I tried: >>> > oadm policy add-scc-to-user anyuid >>> > system:serviceaccount:openshift-infra:replication-controller >>> > But still get the error. >>> > Do you know what I need to do? >>> > Who knows more about this stuff? >>> > Alan >>> > --- >>> > WARNINGevdispatch-v1 >>> 49e7ac4e-1bae-11e6-88c0-080027767789 >>> > ReplicationController replication-controller FailedCreate >>> > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate >>> > against any security context constraint: >>> > [spec.containers[0].securityContext.volumes[0]: Invalid value: >>> "hostPath": >>> > hostPath volumes are not allowed to be used >>> > spec.containers[0].securityContext.volumes[0]: Invalid value: >>> "hostPath": >>> > hostPath volumes are not allowed to be used] >>> > >>> > ___ >>> > users mailing list >>> > users@lists.openshift.redhat.com >>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>> > >>> >> >> > ___ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: containters with host volumes from controllers
I tried that: oadm policy add-acc-to-user hostmount-anyuid system:serviceaccount: openshift-infra:replication-controller ... and I still get the error. Is there any way to get the user name/group that fails authentication? Alan On Tue, May 17, 2016 at 9:33 AM, Clayton Coleman <ccole...@redhat.com> wrote: > anyuid doesn't grant hostPath, since that's a much more dangerous > permission. You want grant hostmount-anyuid > > On Tue, May 17, 2016 at 11:44 AM, Alan Jones <ajo...@diamanti.com> wrote: > > I have several containers that we run using K8 that require host volume > > access. > > For example, I have a container called "evdispatch-v1" that I'm trying to > > launch in a replication controller and get the below error. > > Following an example from "Enable Dockerhub Images that Require Root" in > > ( > https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile > ) > > I tried: > > oadm policy add-scc-to-user anyuid > > system:serviceaccount:openshift-infra:replication-controller > > But still get the error. > > Do you know what I need to do? > > Who knows more about this stuff? > > Alan > > --- > > WARNINGevdispatch-v149e7ac4e-1bae-11e6-88c0-080027767789 > > ReplicationController replication-controller FailedCreate > > Error creating: pods "evdispatch-v1-" is forbidden: unable to validate > > against any security context constraint: > > [spec.containers[0].securityContext.volumes[0]: Invalid value: > "hostPath": > > hostPath volumes are not allowed to be used > > spec.containers[0].securityContext.volumes[0]: Invalid value: "hostPath": > > hostPath volumes are not allowed to be used] > > > > ___ > > users mailing list > > users@lists.openshift.redhat.com > > http://lists.openshift.redhat.com/openshiftmm/listinfo/users > > > ___ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users