Re: Best way to use oc client

2016-12-13 Thread Skarbek, John
Den, I’m a fan of limiting interactions with the cluster using specific roles and users to help with auditing purposes. A strategy I would recommend in your case would be to create users that have the specific permissions they need, and with a password they control. This will prevent your need to

Re: Master/ETCD Migration

2016-12-13 Thread Skarbek, John
Diego, We’ve done a similar thing in our environment. I’m not sure if the openshift-ansible guys have a better way, but this is what we did at that time. We created a custom playbook to run through all the steps as necessary. And due to the version of openshift-ansible we were running, we had t

Re: Creating new-app from image in openshift repository

2016-12-02 Thread Skarbek, John
-- John Skarbek On December 2, 2016 at 07:02:18, Thomas Diesler (tdies...@redhat.com) wrote: On 02 Dec 2016, at 12:57, Skarbek, John <john.skar...@ca.com> wrote: On December 2, 2016 at 05:01:52, Thomas Diesler (tdies...@redhat.com&

Re: Creating new-app from image in openshift repository

2016-12-02 Thread Skarbek, John
On December 2, 2016 at 05:01:52, Thomas Diesler (tdies...@redhat.com) wrote: Folks, I have a scenario where a maven build creates an image and pushes this to the local openshift docker repository. I’m then trying to use `oc new-app …` to create an application from th

Re: Error: error communicating with registry: Get https://registry.example.com/healthz: x509: certificate signed by unknown authority

2016-11-28 Thread Skarbek, John
On November 28, 2016 at 08:19:21, Stéphane Klein (cont...@stephane-klein.info) wrote: Hi, I can execute with success this command on my desktop host: oc adm --token=`oc -n default sa get-token pruner` prune images --confirm --registry-url=registry.example.c

Re: Why I don't have debug information in DockerRegistry logs?

2016-10-23 Thread Skarbek, John
In my opinion, I don’t believe this is an auth issue. If it were an auth issue, you would’ve seen something from the builder indicating a failure to push with incorrect credentials. Instead you are looking at what appears as his inability to talk to the registry entirely. Your log output you pr

Re: Pod does not have Scale up/down buttons

2016-09-20 Thread Skarbek, John
The reason this is occurring is due to you utilizing a Pod definition. The purpose of the pod is to spin up one pod and do nothing else. Check out the documentation on creating a replication controller

Openshift/Kubernetes Nodes Ready State

2016-09-14 Thread Skarbek, John
Good Morning, Is there any documentation anywhere within openshift or kubernetes that discusses what kubernetes does to determine that a node is Ready? I certainly haven’t found any. The reason why I ask is every once in a while, I’ll run into an issue where kubernetes is trying to schedule som

Re: Using OpenShift registry.access.redhat.com/jboss-webserver-3/webserver30-tomcat7-openshift:1.2-12 image

2016-09-13 Thread Skarbek, John
Den, -- John Skarbek On September 13, 2016 at 07:03:18, Den Cowboy (dencow...@hotmail.com) wrote: Hi We are using the image: registry.access.redhat.com/jboss-webserver-3/webserver30-tomcat7-openshift:1.2-12 inside our OpenShift environment to deploy some .WAR

Re: s2i build set hostname

2016-09-09 Thread Skarbek, John
Robson, What is it that you are trying to accomplish? In your prior thread you mention the use of setting up an ftp docker image. I think there’s a misunderstanding for the purpose of s2i here. s2i build is not going to build the Dockerfile that you posted. s2i is meant to take an existing doc

Openshift, vip-manager, and DHCP

2016-09-08 Thread Skarbek, John
Good Morning, I’m curious if anyone is successfully running openshift in an environment where they manage their own dhcp clients and scopes. Our infrastructure recently had an issue and we are struggling to find a root cause. In our environment we run two vip-manager POD’s which manages 2 ip ad

Re: multiple master multiple etcd

2016-09-07 Thread Skarbek, John
On September 7, 2016 at 11:42:05, Julio Saura (jsa...@hiberus.com) wrote: Hello I am about building a new cluster with 2 masters and 3 etcd servers for HA .. my doubt is that I think I read somewhere in doc it is not recommended to have the external etcd servers in th

Re: Openshift SDN considerations

2016-08-31 Thread Skarbek, John
Boris, Regarding question one, this would be solved by using a route that is exposed by said authentication service. This prevents the need for having to join the various projects together. Only services between namespaces are locked down. The exposed route will still be available to any and al

Re: Canary release via Openshift

2016-08-18 Thread Skarbek, John
I don’t believe Openshift themselves have documentation covering this deployment method, however, kubernetes certainly does. http://kubernetes.io/docs/user-guide/managing-deployments/#canary-deployments Selectors are a key component to enabling this functionality. -- John Skarbek On August 1

Re: Node startup Failure on SDN

2016-08-15 Thread Skarbek, John
sort of ntp check and maybe even go the extra mile and compare the time on the server to …life. I have no idea why my master node decided to go back to Valentine’s Day in 2001. I think I was single way back when. -- John Skarbek On August 15, 2016 at 13:32:13, Skarbek, John (john.skar...@ca.com

Re: Node startup Failure on SDN

2016-08-15 Thread Skarbek, John
com>) wrote: The node's client certificate may have expired - that's a common failure mode. On Aug 15, 2016, at 1:23 PM, Skarbek, John <john.skar...@ca.com> wrote: Good Morning, We recently had a node go down, upon trying to get it back online, the origin-node service fails t

Node startup Failure on SDN

2016-08-15 Thread Skarbek, John
Good Morning, We recently had a node go down, upon trying to get it back online, the origin-node service fails to start. The rest of the cluster appears to be just fine, so with the desire to troubleshoot, what can I look at to determine the root cause of the following error: Aug 15 17:12:59 n

Re: Custom Builder Pull Error

2016-08-01 Thread Skarbek, John
On Sun, Jul 31, 2016 at 9:29 PM, Skarbek, John <john.skar...@ca.com> wrote: Good Morning, I'm playing around with the openshift dev preview, in doing so I'm toying around with creating a custom s2i builder specific

Custom Builder Pull Error

2016-07-31 Thread Skarbek, John
Good Morning, I'm playing around with the openshift dev preview, in doing so I'm toying around with creating a custom s2i builder specifically for the phoenix web framework. While it's not feature complete, I've had a working example up until today. After updating the builder image, I'm stru

Re: Preview Openshift 3 Pod Failure, System error

2016-07-13 Thread Skarbek, John
On Wed, Jul 13, 2016 at 7:06 AM, Skarbek, John <john.skar...@ca.com> wrote: Good Morning, I was messing around with a random quick application on the preview of openshift 3 online. I ran into this in the log of a container that won’t start: Timestamp: 2016-07-13 11:49:38.1603982

Preview Openshift 3 Pod Failure, System error

2016-07-13 Thread Skarbek, John
Good Morning, I was messing around with a random quick application on the preview of openshift 3 online. I ran into this in the log of a container that won’t start: Timestamp: 2016-07-13 11:49:38.160398231 + UTC Code: System error Message: lstat /var/lib/docker/devicemapper/mnt/704986103e7

Re: Evacuation of pods and scheduling

2016-06-09 Thread Skarbek, John
re than willing to accept these pods. I ponder if the replication controller doesn’t have updated information regarding the availability of nodes until after the pods are finally killed off. I’m still researching how I can prevent all three pods from ending up on a single node. -- John Skarbe

Evacuation of pods and scheduling

2016-06-07 Thread Skarbek, John
Good Morning, I’d like to ask a question regarding the use of evacuating pods and how openshift/kubernetes schedules the replacement. We have 3 nodes configured to run applications, and we went through a cycle of applying patches. So we’ve created an ansible playbook that goes through, evacuat

Re: The Router is so hard to get right

2016-05-29 Thread Skarbek, John
mplate=abecorn-landing-page-template On Sun, May 29, 2016 at 10:22 PM, Skarbek, John <john.skar...@ca.com> wrote: That’s weird, that should’ve worked… What about simply oc get routes -- John Skarbek On May 29, 2016 at 23:19:40, Dean Peterson (peterson.d...@gmail.com<ma

Re: The Router is so hard to get right

2016-05-29 Thread Skarbek, John
" not found" On Sun, May 29, 2016 at 10:15 PM, Skarbek, John <john.skar...@ca.com> wrote: What do we see when we do a: oc get routes --all-namespaces -- John Skarbek On May 29, 2016 at 23:01:16, Dean Peterson (peterson.d...@gmail.com<mailto:peterson.d...@gmail.com&

Re: The Router is so hard to get right

2016-05-29 Thread Skarbek, John
;; WHEN: Sun May 29 21:03:52 EDT 2016 ;; MSG SIZE rcvd: 77 I have tried pointing a cname record at the public dns name of the openshift master running the router as well with no luck. On Sun, May 29, 2016 at 7:34 PM, Skarbek, John <john.skar...@ca.com> wrote: Dean, You should

Re: integrated docker registry

2016-05-28 Thread Skarbek, John
On May 28, 2016 at 13:07:23, Alan Jones (ajo...@diamanti.com) wrote: Friends, I'm trying to deploy an integrated docker registry for OpenShift 3.2. The instructions I'm trying to follow are: https://docs.openshift.com/enterprise/3.2/install_config/install/docker_registr

Order of Deploy/Template Configuration

2016-05-25 Thread Skarbek, John
Good Morning, Is there some concept of parenting, or timing, or simply ordering of items when building a template configuration? Specifically around first time deploys. I’ve got a multi service application, where the head honcho service requires prior services to be up and running. Thus far, I’

Deploy Failure

2016-05-20 Thread Skarbek, John
Anyone got any tips on troubleshooting this: In the events log: Deployment Config Warning Failed update Error updating deployment default/router-14 status to Pending And in the log from the deployer pod: oc logs router-14-deploy I0520 20:55:31.651525 1 deployer.go:201] Deploying fro

Haproxy Routing Balance Implementation Question

2016-05-20 Thread Skarbek, John
Good Morning, We have an application which terminates their own SSL, therefore we utilize TLS passthrough in the route configuration. This is our preferred method of communicating with this particular application. This enforces haproxy to operate using tcp mode, which the balance method is hard

Re: Grant access for a user authenticated with an identity provider to the namespace/project default

2016-05-20 Thread Skarbek, John
Charles, You’ve created a new user in the system, and by default he’s not going to inherit any permissions. You’ll need to add a role to the user to access any projects. A command such as this should provide you admin access to the default project: oc policy add-role-to-user admin admin -n def

Re: Error updating deployment [deploy] status to Pending

2016-05-19 Thread Skarbek, John
Philippe, Is the node in a Ready state? The log output you posted makes it seem like something isn’t working properly if it keeps reading a config file over and over. Are you able to start pods that do not utilize a PV? -- John Skarbek On May 19, 2016 at 16:43:16, Philippe Lafoucrière (phi

RE: Jenkins setup for OpenShift

2016-05-13 Thread Skarbek, John
penshift.redhat.com<mailto:users@lists.openshift.redhat.com> You can also just supply a dockercfg file that already has the right credentials in it, just make that file available to your Jenkins job. Ben Parees | OpenShift On May 11, 2016 9:30 AM, "Skarbek, John" mailto:john.skar...@ca.

Re: Jenkins setup for OpenShift

2016-05-11 Thread Skarbek, John
On May 11, 2016 at 08:46:18, Den Cowboy (dencow...@hotmail.com) wrote: We are using a Jenkins server which isn't running on openshift. The main goal at the moment is: - Get dockerfile out of our git - Build image - Push image to OpenShift Docker Registry We have the

Re: overwrite parameteres (env) of template

2016-04-27 Thread Skarbek, John
Den, You are passing the incorrect flags. The templates don’t use the -e flag, but rather the --param flag. Something like this should work:

```
oc new-app mysql-ephemeral \
  --param=MYSQL_USER=activiti \
  --param=MYSQL_PASSWORD=activiti \
  --param=MYSQL_DATABASE=activiti_production
```

Re: pod deployment error: couldn't get deployment: dial tcp 172.30.0.1:443: getsockopt: no route to host

2016-04-19 Thread Skarbek, John
Isn’t flushing iptable rules a dangerous option? I thought iptables was heavily utilized for destination NAT’ing for the kube service… -- John Skarbek On April 19, 2016 at 00:23:39, v (vekt...@gmx.net) wrote: Hey, I'd try to disable all firewall rules and then see if

Re: OpenShift version 1.1.6

2016-04-12 Thread Skarbek, John
Den, This repo is indeed separate from all things origin. If you run this 3 months from now on a brand new cluster, it’ll pull the latest version of openshift available. In order to pin the version of openshift that is installed you could throw this in your inventory file: openshift_pkg_versi

Re: Router Pod stuck at pending

2016-04-08 Thread Skarbek, John
-- --- 4m4m 1 {deploymentconfig-controller } Normal DeploymentCreated Created new deployment "router-1" for version 1 4m 4m 1 {deployer }

Re: Router Pod stuck at pending

2016-04-07 Thread Skarbek, John
Hello, I ponder if there’s an issue with the labels being utilized by the nodes and the pods. Can you run the following command: oc get nodes --show-labels And then an: oc describe dc router -- John Skarbek On April 7, 2016 at 04:26:37, Mfawa Alfred Onen (muffycomp...@gmail.com

Re: policy for openshift user who can only push to openshift registry.

2016-03-22 Thread Skarbek, John
t your policy is up to date: `oadm policy reconcile-cluster-roles`. By default that makes no changes. If you approve of the changes it wants to make, you can use `--confirm`. On Fri, Mar 18, 2016 at 7:17 AM, Skarbek, John <john.skar...@ca.com> wrote: I would love to know a go

Re: DockerBuild Vs STI

2016-03-19 Thread Skarbek, John
Srinivas, I’d like to throw another option your way. Eclipse —> Git —> Jenkins to build and create artifacts —> Jenkins Docker Plug-in to create image -> push image to the built-in openshift docker registry Something you’ll need before the above pipeline, is a configuration already in place on

Re: policy for openshift user who can only push to openshift registry.

2016-03-19 Thread Skarbek, John
I would love to know a good answer to this as well. Currently we create a service account called application_robot, similar to their documentation, this robot is dedicated to the appropriate namespace and is applied via the example: system:serviceaccount:default:application_robot. Our automati

Openshift Routing Haproxy Logging

2016-03-19 Thread Skarbek, John
Good Morning, Anyone have any advice of plucking the access logs out of the haproxy router? I’m pushing a TLS feature and while I love the fact that I get a 502 responses, at this moment, I have zero method to debug this. My guess is that I need to create a custom haproxy image to add some abil

openshift-ansible release cycle

2016-03-14 Thread Skarbek, John
Hi So quick question. What determines when you guys do a release on the openshift-ansible repo? There are fixes in master that haven’t been released yet. Looking at the history, there’s no pattern. Thank you. -- John Skarbek

Kubernetes Update Cadence

2016-03-14 Thread Skarbek, John
Hello! Is there a particular cadence from which you guys choose to update kubernetes for openshift? I’m pondering hopping onboard with the spread thing and there’s a bug that exists in the current utilized v

Re: Serious docker upgrade problem -> 1.8 -> 1.9 update breaks system

2016-03-09 Thread Skarbek, John
t 7:44 AM, Skarbek, John <john.skar...@ca.com> wrote: Andy, David had already filed an issue<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openshift_openshift-2Dansible_issues_1573&d=CwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=8IlWeJZqFt

Re: Serious docker upgrade problem -> 1.8 -> 1.9 update breaks system

2016-03-09 Thread Skarbek, John
Andy, David had already filed an issue Mar 09 12:40:07 js-router-001.ose.bld.f4tech.com systemd[1]: Starting Docker Application Container Engine... Mar 09 12:40:07 js-router-001.ose.bld.f4tech.com forward-journal[18500]: Forwarding std

Re: Serious docker upgrade problem -> 1.8 -> 1.9 update breaks system

2016-03-09 Thread Skarbek, John
I’m seeing the same. I don’t believe this is specific to Openshift. But perhaps a problem with docker’s systemd configuration. Something was added in the docker.service config file. Looks as if they added a shell wrapper around starting docker for some reason (1.9.x): ExecStart=/bin/sh -c '/us

RE: Errors: container "x" in pod/x-1-8vhpi is crash-looping

2016-02-25 Thread Skarbek, John
Lorenz, The reason for using an arbitrary UID is to prevent the user inside of the container from having access to resources outside of the container if somehow breached. This includes resources on the host as well as resources accessed by other containers. Since you don’t know what that user

Re: Errors: container "x" in pod/x-1-8vhpi is crash-looping

2016-02-25 Thread Skarbek, John
Lorenz, The issue is not that the image is coming from a specific repo, but rather the image itself is not fine tuned for use within openshift. CrashLoop indicates the container was able to start, but then crashed, and subsequent restarts are resulting in the same. In general your permissions

Re: Running applications that dont use LB

2016-02-20 Thread Skarbek, John
Kevin, Tis true haproxy is used for the web traffic. But you can run other arbitrary services inside of openshift. I believe the documentation that may help lead you the direction you should go is here: https://docs.openshift.org/latest/architecture/core_concepts/pods_and_services.html#services

Re: Hairpin?

2016-02-17 Thread Skarbek, John
Ugh, Found it after sending an email… https://github.com/openshift/origin/issues/6362 -- John Skarbek On February 17, 2016 at 07:46:46, Skarbek, John (john.skar...@ca.com) wrote: Anyone know what the following log output means? 7659 manager.go:1841] H

Hairpin?

2016-02-17 Thread Skarbek, John
Anyone know what the following log output means? 7659 manager.go:1841] Hairpin setup failed for pod "sample-jvm-app-1-deploy_sample-project(93a68aeb-d50a-11e5-bd72-005056b41fcd)": open /sys/devices/virtual/net/veth5b1a753/brport/hairpin_mode: no such file or directory I’ve got some pods that

Re: Start container which needs env's

2016-02-17 Thread Skarbek, John
Den, There’s quite a few ways to set ENV vars. Have a look at this documentation. It is also possible to include environmental variables as part of the deployment configuration as well as templates. -- John Skarbek On F

Re: OpenShift with Docker method installation on CentOS, error : deployer.go:65] couldn't get deployment default/docker-registry-1: Get https://10.0.2.15:8443/api/v1/namespaces/default/replicationcont

2016-02-10 Thread Skarbek, John
You don’t have any rules for port 8443. We would need to find out which chain the rule should go inside. But something similar to this should fix the problem: iptables -I INPUT -p tcp --dport 8443 -j ACCEPT Though I’d be more concerned as to why the rule wasn’t put in place from the get go. -

Re: install everything with ansible

2016-01-27 Thread Skarbek, John
works very well. On Jan 27, 2016, at 08:10, Skarbek, John <skaj...@ca.com> wrote: Den, Indeed the openshift-ansible<https://github.com/openshift/openshift-ansible> repo contains the capability to stand up entire environments. Check out the various readme’s located at the roo