Re: setgid in nginx failing with permission error in container

2016-03-03 Thread Aleksandar Lazic
Hi. Or you just remove the user line in the nginx config ;-). Due to the fact that you will change much more in the nginx config you can take a look into this repo. https://github.com/git001/nginx-osev3 I have changed the logging to a dedicated syslog container and set up the real_ip module

How to deploy a cassandra cluster ?

2016-03-03 Thread Mohamed Lrhazi
Hello, One way, maybe only way, to start a cassandra cluster is like this: - start one node. - start more nodes and give them the IP@ of the first one as seed address, via ENV variable. How can I do this on OpenShift? would I use a Service ? What would I set in the deployment config of such a po

Re: setgid in nginx failing with permission error in container

2016-03-03 Thread Dean Peterson
Thanks! I will grant the user anyuid. On Thu, Mar 3, 2016 at 11:48 PM, Clayton Coleman wrote: > Restricted now drops the SETGID capability. The "anyuid" SCC does not. > You can edit restricted to give that or grant the user anyuid (which is > more correct). > > On Mar 4, 2016, at 12:31 AM, Dean

Re: setgid in nginx failing with permission error in container

2016-03-03 Thread Clayton Coleman
Restricted now drops the SETGID capability. The "anyuid" SCC does not. You can edit restricted to give that or grant the user anyuid (which is more correct). On Mar 4, 2016, at 12:31 AM, Dean Peterson wrote: In previous versions of openshift origin I was able to run an nginx server with some st

setgid in nginx failing with permission error in container

2016-03-03 Thread Dean Peterson
In previous versions of openshift origin I was able to run an nginx server with some static content inside a container. Now I install with the ansible installer and I get the following error in the nginx errors.log inside the running container. 2016/03/03 23:51:22 [emerg] 6#0: setgid(996) failed

Private registry : unable to pull

2016-03-03 Thread Srinivas Naga Kotaru (skotaru)
Am trying to create an app using an image from corporate private registry. >> # oc new-app --docker-image=myrepo/skotaru/ruby-22-rhel7 --name quayapp1 I0303 19:55:15.769901 88132 componentresolvers.go:126] Errors occurred during resolution: []error{(*errors.errorString)(0xc208546d00)}

Re: modify the redhat docker images

2016-03-03 Thread Ben Parees
On Thu, Mar 3, 2016 at 2:49 PM, Candide Kemmler wrote: > Thank you for the help. I have tried to build a new docker image. After > much trials and errors, I'm hitting a road bump: > > Here's my template: > > https://gist.github.com/ckemmler/7397b12a5dd67635cd0a > > When I run it I get: > > Error

Re: example docker build

2016-03-03 Thread Clayton Coleman
That appears to have been fixed in 1.1.3 (the panic you hit). On Thu, Mar 3, 2016 at 3:29 PM, Candide Kemmler wrote: > oc v1.1.0.1-1-g2c6ff4b > kubernetes v1.1.0-origin-1107-g4c8e6f4 > > will do tomorrow > >> On 03 Mar 2016, at 22:28, Clayton Coleman wrote: >> >> What does "oc version" report?

Re: example docker build

2016-03-03 Thread Candide Kemmler
oc v1.1.0.1-1-g2c6ff4b kubernetes v1.1.0-origin-1107-g4c8e6f4 will do tomorrow > On 03 Mar 2016, at 22:28, Clayton Coleman wrote: > > What does "oc version" report? Can you file an issue for this? > > On Thu, Mar 3, 2016 at 3:28 PM, Clayton Coleman wrote: >> In order to do a build you have t

Re: example docker build

2016-03-03 Thread Clayton Coleman
What does "oc version" report? Can you file an issue for this? On Thu, Mar 3, 2016 at 3:28 PM, Clayton Coleman wrote: > In order to do a build you have to provide input. The input for a > build comes from Git, other images, but that's all we support today. > > On Thu, Mar 3, 2016 at 3:18 PM, Ca

Re: example docker build

2016-03-03 Thread Clayton Coleman
In order to do a build you have to provide input. The input for a build comes from Git, other images, but that's all we support today. On Thu, Mar 3, 2016 at 3:18 PM, Candide Kemmler wrote: > Hi Clayton, > > I tried: > > oc new-build openshift/jboss-webserver30-tomcat7-openshift > https://github

Re: example docker build

2016-03-03 Thread Candide Kemmler
Hi Clayton, I tried: oc new-build openshift/jboss-webserver30-tomcat7-openshift https://github.com/fluxtream/fluxtream-admin-tools.git --strategy=docker -o yaml and got the following stack trace: https://gist.github.com/ckemmler/8ad03537eb39865c9fc3 Also, I'm confused as to the gitrepo parame

Re: example docker build

2016-03-03 Thread Clayton Coleman
oc new-build BASEIMAGE GITREPO --strategy=docker -o yaml will give you an example of the YAML / JSON used. On Thu, Mar 3, 2016 at 2:47 PM, Candide Kemmler wrote: > I'm hitting a wall with a simple docker build. Are there example of such > builds online? > > I'm looking for some simple Build

example docker build

2016-03-03 Thread Candide Kemmler
I'm hitting a wall with a simple docker build. Are there examples of such builds online? I'm looking for some simple BuildConfig that would take e.g. one of the provided xPaas images and modify it to push it on the local registry.

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
I cleaned up the noise by removing the other routes: curl -k -vvv https://openshift.abecorn.com:8443/oapi/v1/routes/ -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" * About to connect() to openshift.abecorn.com port 8443 (#0) * Trying 23.25.149.227... * Con

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Ok, I just saw Jordan mentioned it needed to be oapi: The output is at this gist: https://gist.github.com/deanpeterson/5de8251b03cfd3bf00da On Thu, Mar 3, 2016 at 1:13 PM, Ram Ranganathan wrote: > Ok - looks like from your messages and Jordan's reply - the router service > account didn't have p

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Hello Ram, actually router was always in the policy who-can get endpoints --all-namespaces (I just missed it). For some reason I am getting a 504 Gateway Time-out error instead of the 503 now. I ran the curl command inside the container and see this: curl -k -vvv https://openshift.abecorn.com:8

Re: modify the redhat docker images

2016-03-03 Thread Candide Kemmler
Thank you for the help. I have tried to build a new docker image. After much trials and errors, I'm hitting a road bump: Here's my template: https://gist.github.com/ckemmler/7397b12a5dd67635cd0a When I run it I get: Error from server: resource: required value I can't figure out what this mean

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
One second, I have to get the pod running again and a manager stopped by so I was sidetracked. I hate to lose focus when I get your guys' attention. On Thu, Mar 3, 2016 at 1:14 PM, Jordan Liggitt wrote: > Routes are an OpenShift object, so `/oapi/v1/routes` > > On Thu, Mar 3, 2016 at 2:13 PM, R

Re: 503 service unavailable

2016-03-03 Thread Jordan Liggitt
Routes are an OpenShift object, so `/oapi/v1/routes` On Thu, Mar 3, 2016 at 2:13 PM, Ram Ranganathan wrote: > Ok - looks like from your messages and Jordan's reply - the router service > account didn't have permissions to all the namespaces. > For all namespaces, this was missing in the oadm pol

Re: 503 service unavailable

2016-03-03 Thread Ram Ranganathan
Ok - looks like from your messages and Jordan's reply - the router service account didn't have permissions to all the namespaces. For all namespaces, this was missing in the oadm policy who-can get endpoints --all-namespaces Users: system:serviceaccount:default:router + the account name passe

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
I did just recreate router with --service-account=router I still get: curl -k -vvv https://openshift.abecorn.com:8443/api/v1/routes/ -H "Authorization: Bearer $(cat var/run/secrets/kubernetes.io/serviceaccount/token)" cat: var/run/secrets/kubernetes.io/serviceaccount/token: No such file or dire

Re: 503 service unavailable

2016-03-03 Thread Jordan Liggitt
--service-account expects a service account name, e.g. --service-account=router commands that expect a username use the calculated username for the service account, e.g. `oadm policy add-cluster-role-to-user system:router system:serviceaccount:default:router` Also, do you need to `cat` the servic

Re: 503 service unavailable

2016-03-03 Thread Andy Goldstein
You're missing a "cat" before /var/run/secrets/kubernetes.io/serviceaccount/token, i.e. -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" On Thu, Mar 3, 2016 at 1:26 PM, Dean Peterson wrote: > I have followed some of Ram's steps last night after recreating

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
I have followed some of Ram's steps last night after recreating the router a few times. 1. oadm router aberouter --replicas=1 \ --credentials=/etc/origin/master/openshift-router.kubeconfig \ --service-account=system:serviceaccount:default:router 2. docker ps | grep haproxy 3. I grab the

Re: Persistent Volume usage

2016-03-03 Thread Mohamed Lrhazi
Not sure I will have useful feedback, just because am doing very basic POC type stuff for now...Not even sure if I will keep using glusterfs, I used it simply because it looked easy to get started with.. But if I do test something bigger I will share here. Thanks, Mohamed. On Thu, Mar 3, 2016 at

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
The logs only say: "Router is including routes in all namespaces" On Thu, Mar 3, 2016 at 10:22 AM, Jordan Liggitt wrote: > What is in your router logs? > > On Thu, Mar 3, 2016 at 11:21 AM, Dean Peterson > wrote: > >> *The service account does exist:* >> >> oc describe serviceaccount router >

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Ram actually went through quite a lot with me last night. Here is a gist of the irc chat: https://gist.github.com/deanpeterson/568f07b032933e9d219b On Thu, Mar 3, 2016 at 10:36 AM, Dean Peterson wrote: > The logs only say: "Router is including routes in all namespaces" > > > On Thu, Mar 3, 20

Re: modify the redhat docker images

2016-03-03 Thread Candide Kemmler
> The xPaaS images are distributed through the Red Hat registry, not > specifically with origin, and while this is currently open it will soon > require credentials for accessing the images. There are other community > images that you could use instead such as the wildfly one, this would provid

Re: Problem in Replication controller

2016-03-03 Thread Julio Saura
ahh i see thank you very much, now i see the difference thanks! > On 3 Mar 2016, at 17:27, Clayton Coleman wrote: > > When you create a pod directly as a cluster admin, you have permission > to run as any user. So the check allows you to create that process. > When you run under a repli

Re: Problem in Replication controller

2016-03-03 Thread Clayton Coleman
When you create a pod directly as a cluster admin, you have permission to run as any user. So the check allows you to create that process. When you run under a replication controller, permission has to be delegated to ensure that the controller (which is acting on your behalf) can create a pod tha

Re: 503 service unavailable

2016-03-03 Thread Jordan Liggitt
What is in your router logs? On Thu, Mar 3, 2016 at 11:21 AM, Dean Peterson wrote: > *The service account does exist:* > > oc describe serviceaccount router > Name: router > Namespace: default > Labels: > > Image pull secrets: router-dockercfg-2d4wd > > Mountable sec

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
*The service account does exist:* oc describe serviceaccount router Name: router Namespace: default Labels: Image pull secrets: router-dockercfg-2d4wd Mountable secrets: router-token-9p8at router-dockercfg-2d4wd Tokens: r

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Now when it displays: oadm policy who-can get endpoints --all-namespaces Namespace: Verb: get Resource: endpoints Users: system:serviceaccount:default:router system:serviceaccount:management-infra:management-admin Groups: system:cluster-admins system:cluster-read

Re: Persistent Volume usage

2016-03-03 Thread Philippe Lafoucrière
Mohamed, I'm curious of your results with glusterfs, we experienced some issues (especially with MySQL) on these volumes. We added "option mandatory-locks on" on the volume, and no crash since. It would be nice if you could share some feedback. Thanks, Philippe

Re: 503 service unavailable

2016-03-03 Thread Jordan Liggitt
oadm policy add-cluster-role-to-user system:router system:serviceaccount:default:router On Thu, Mar 3, 2016 at 10:16 AM, Dean Peterson wrote: > Yes, it only shows this: > > oadm policy who-can get endpoints --all-namespaces > Namespace: > Verb: get > Resource: endpoints > > Users: route

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Actually, I just noticed; router is in there. On Thu, Mar 3, 2016 at 9:16 AM, Dean Peterson wrote: > Yes, it only shows this: > > oadm policy who-can get endpoints --all-namespaces > Namespace: > Verb: get > Resource: endpoints > > Users: router > system:serviceaccount:managemen

Re: 503 service unavailable

2016-03-03 Thread Dean Peterson
Yes, it only shows this: oadm policy who-can get endpoints --all-namespaces Namespace: Verb: get Resource: endpoints Users: router system:serviceaccount:management-infra:management-admin Groups: system:cluster-admins system:cluster-readers system:masters

Re: How to debug build issue with build git ssh

2016-03-03 Thread Mohamed Lrhazi
Oh! I did it the first time around... now forgot that extra step... Thanks a lot. On Thu, Mar 3, 2016 at 10:07 AM, Ben Parees wrote: > > > On Thu, Mar 3, 2016 at 10:00 AM, Mohamed Lrhazi < > mohamed.lrh...@georgetown.edu> wrote: > >> Hello, >> >> This new project keeps failing with apparently an

Re: How to debug build issue with build git ssh

2016-03-03 Thread Ben Parees
On Thu, Mar 3, 2016 at 10:00 AM, Mohamed Lrhazi < mohamed.lrh...@georgetown.edu> wrote: > Hello, > > This new project keeps failing with apparently an ssh error, how do I > debug further? > I used the same key for another repo on the same git server, in another > project, and it worked fine there.

How to debug build issue with build git ssh

2016-03-03 Thread Mohamed Lrhazi
Hello, This new project keeps failing with apparently an ssh error, how do I debug further? I used the same key for another repo on the same git server, in another project, and it worked fine there now in new project it won't work! » oc logs build/avesterra-api-2-1 oc secrets new-sshauth ssh

Re: modify the redhat docker images

2016-03-03 Thread Ben Parees
(sorry I said EAP a few times in there, I realize you're using the JWS image at the moment. doesn't change the response though) On Thu, Mar 3, 2016 at 9:34 AM, Ben Parees wrote: > > > On Thu, Mar 3, 2016 at 9:20 AM, Candide Kemmler > wrote: > >> Mainly I have a multi-gb file that needs to be

Re: modify the redhat docker images

2016-03-03 Thread Ben Parees
On Thu, Mar 3, 2016 at 9:20 AM, Candide Kemmler wrote: > Mainly I have a multi-gb file that needs to be available to my webapp. > Copying it over with each build is a lot of unnecessary bandwidth use and > considerably slows down the process. Other binaries include a custom > datastore

Re: modify the redhat docker images

2016-03-03 Thread Candide Kemmler
Mainly I have a multi-gb file that needs to be available to my webapp. Copying it over with each build is a lot of unnecessary bandwidth use and considerably slows down the process. Other binaries include a custom datastore . I'm suddenly nervous that dep

Re: Persistent Volume usage

2016-03-03 Thread Philippe Lafoucrière
On Wed, Mar 2, 2016 at 10:53 PM, Mohamed Lrhazi < mohamed.lrh...@georgetown.edu> wrote: > He reads my other emails to this list :) We're not hundreds to post here :)

RE: use service from other project (namespace)

2016-03-03 Thread Den Cowboy
Thanks! > From: t...@butter.sh > To: dencow...@hotmail.com; users@lists.openshift.redhat.com > Subject: Re: use service from other project (namespace) > Date: Thu, 3 Mar 2016 14:53:45 +0100 > > Hi. > > > Is it possible to connect with a service which is in another project > > (namespace)? > >

RE: use service from other project (namespace)

2016-03-03 Thread Den Cowboy
No concern on technical level. But we're working with "jobs" which all have their own task to perform on the db. 11 jobs are about xxx and 7 jobs about yyy. So it was pure about the structure. It's not an issue if it isn't possible or too hard to perform. Date: Thu, 3 Mar 2016 08:48:56 -0500 Subj

Re: use service from other project (namespace)

2016-03-03 Thread Andy Goldstein
I'm curious - what is your concern about 40 pods in the same project? On Thu, Mar 3, 2016 at 8:24 AM, Den Cowboy wrote: > Is it possible to connect with a service which is in another project > (namespace)? > We have a project with 2 pods and 2 services. one pod (container) is > filling the other

use service from other project (namespace)

2016-03-03 Thread Den Cowboy
Is it possible to connect with a service which is in another project (namespace)? We have a project with 2 pods and 2 services. one pod (container) is filling the other pod (container) of our database. Now we want to start other pods which can use data from that database. It's possible when we'r

Re: 503 service unavailable

2016-03-03 Thread Jordan Liggitt
Was that service account given permission only within that namespace or cluster wide? What does this show: $ oadm policy who-can get endpoints --all-namespaces If it doesn't include the router service account, then you need to grant a cluster role to that user (oadm policy add-cluster-role-to-us

Re: 503 service unavailable

2016-03-03 Thread Julio Saura
i know that should not matter, but it works on the same namespace as pods it is clear that it was a permission problem :) > On 3 Mar 2016, at 9:47, Ram Ranganathan wrote: > > Yeah, that should not matter. The routes + namespaces you would see are based > on the permissions of the servic

Re: 503 service unavailable

2016-03-03 Thread Ram Ranganathan
Yeah, that should not matter. The routes + namespaces you would see are based on the permissions of the service account. I was able to get Dean on irc and ssh into his instance seeing something wonky with the permissions. CCing Jordan and Paul for some help. Inside the router container, I tried

Re: 503 service unavailable

2016-03-03 Thread Julio Saura
umm could you please move the router or create a new one on the same namespace as pods and try again .. just for check best regards > On 3 Mar 2016, at 8:56, Dean Peterson wrote: > > The router is on default namespace but the service pods are running on a > different namespace. > > O