Thanks for digging into the source.  I’m going with the ansible-based install
instead. It looks like it’s configuring a ton of stuff as I’m watching it now,
so I’ll let it do its thing.

From: Maciej Szulik [mailto:maszu...@redhat.com]
Sent: Wednesday, November 30, 2016 6:02 AM
To: Ashby, Jason (IMS) <ash...@imsweb.com>
Cc: users@lists.openshift.redhat.com
Subject: Re: Deployment error on node: Relabeling content in /usr is not allowed

Ashby,
Going through sources, the only place that this message can appear is related to
SELinux:
https://github.com/openshift/origin/blob/2fefe090ca5c5e603d0c731d2613d3cddd431ec6/vendor/github.com/opencontainers/runc/libcontainer/selinux/selinux.go#L449
Docker has its own --selinux-enabled flag, can you remove it (in my case it
sits in /etc/sysconfig/docker) and retry?
I'll try to get from our ansible folks information about selinux policies we
set up. But generally,
using ansible for setting the environment is always the best option :)
Maciej



On Tue, Nov 29, 2016 at 1:55 PM, Ashby, Jason (IMS) <ash...@imsweb.com> wrote:
Thanks Maciej.  I’m trying hello-openshift now, and it’s also telling me it is
privileged:
Image openshift/hello-openshift runs as the root user which might not be 
permitted by your cluster administrator.

I’m surprised a hello world image for openshift would run as root. Is that 
expected?

I hit the same issue when trying out guestbook, so I relaxed the uid constraint 
with:

oadm policy add-scc-to-user anyuid myusername

(I don’t plan on using this in production, just trying to get an example 
working.)

It looks like the hello-openshift image also causes the “relabeling content in
/usr is not allowed” message.  Is it because it’s also trying to run privileged,
or could it be something else I should look into?


From: Maciej Szulik [mailto:maszu...@redhat.com]
Sent: Tuesday, November 29, 2016 3:51 AM
To: Ashby, Jason (IMS) <ash...@imsweb.com>
Cc: users@lists.openshift.redhat.com
Subject: Re: Deployment error on node: Relabeling content in /usr is not allowed

OpenShift, by default, does not allow running privileged containers, and iirc
guestbook does that:

Handler for POST /containers/create returned error: Relabeling content in /usr
is not allowed.

I'd suggest starting off with hello-openshift [1] which, although it creates just a
pod, can be easily turned into a deployment either manually or preferably using
oc run, like this:

oc run hello --image=openshift/hello-openshift

You can read about the security constraints in [2].
Maciej

[1] https://github.com/openshift/origin/tree/master/examples/hello-openshift
[2] 
https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

On Mon, Nov 28, 2016 at 9:38 PM, Ashby, Jason (IMS) <ash...@imsweb.com> wrote:
Sorry all, for over-posting, I just need a little help getting my first 
OpenShift origin cluster running.  I’ve got a cluster consisting of two hosts: 
a master (CentOS 7) and a node (CentOS 7 Atomic) set up and communicating, but 
every time I fire off a deployment (I used the kubernetes/guestbook app to 
test), I get the following on the node:


Nov 28 15:22:53 oshift-node-01 kernel: docker0: port 1(veth86f9a99) entered 
forwarding state
Nov 28 15:22:54 oshift-node-01 openshift: I1128 15:22:54.195173   13633 
reconciler.go:254] MountVolume operation started for volume 
"kubernetes.io/secret/670f607d-b5a8-11a4-b673-005056b7468b-deployer-token-p37u0"
 (spec.Name: "deployer-token-p37u0") to pod 
"670f607d-b5a8-11a4-b673-005056b7468b" (UID: 
"670f607d-b5a8-11a4-b673-005056b7468b"). Volume is already mounted to pod, but 
remount was requested.
Nov 28 15:22:54 oshift-node-01 openshift: I1128 15:22:54.206060   13633 
operation_executor.go:740] MountVolume.SetUp succeeded for volume 
"kubernetes.io/secret/670f607d-b5a8-11a4-b673-005056b7468b-deployer-token-p37u0"
 (spec.Name: "deployer-token-p37u0") pod "670f607d-b5a8-11a4-b673-005056b7468b" 
(UID: "670f607d-b5a8-11a4-b673-005056b7468b").
Nov 28 15:22:54 oshift-node-01 docker-current: 
time="2016-11-28T15:22:54.598594417-05:00" level=info msg="{Action=create, 
LoginUID=4294967295, PID=13633}"
Nov 28 15:22:54 oshift-node-01 systemd: Device 
dev-disk-by\x2duuid-ac161f25\x2d0ff5\x2d4ef0\x2d97dd\x2dc7f9f86647c0.device 
appeared twice with different sysfs paths /sys/devices/virtual/block/dm-5 and 
/sys/devices/virtual/block/dm-6
Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Mounting V4 Filesystem
Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Ending clean mount
Nov 28 15:22:54 oshift-node-01 kernel: XFS (dm-6): Unmounting Filesystem
Nov 28 15:22:54 oshift-node-01 docker-current: 
time="2016-11-28T15:22:54.952177189-05:00" level=error msg="Handler for POST 
/containers/create returned error: Relabeling content in /usr is not allowed."
Nov 28 15:22:54 oshift-node-01 openshift: E1128 15:22:54.953748   13633 
docker_manager.go:2094] container start failed: RunContainerError: 
runContainer: Error response from daemon: Relabeling content in /usr is not 
allowed.
Nov 28 15:22:54 oshift-node-01 openshift: E1128 15:22:54.953845   13633 
pod_workers.go:183] Error syncing pod 670f607d-b5a8-11a4-b673-005056b7468b, 
skipping: failed to "StartContainer" for "deployment" with RunContainerError: 
"runContainer: Error response from daemon: Relabeling content in /usr is not 
allowed."

It appears the node is having trouble running pods. I temporarily disabled 
SELinux on the node and restarted OpenShift, but the error still happens.  So 
it doesn’t appear to be an SELinux thing.

Google just points me to a Bugzilla
(https://bugzilla.redhat.com/show_bug.cgi?id=1216151) that says it was
an issue with an older Docker (1.6) that’s now resolved.  I’m running the
following which I believe is the default in Atomic:

$ docker -v
Docker version 1.10.3, build cb079f6-unsupported

I’m running OpenShift Origin v1.3.1 on both nodes.

Any ideas?

________________________________

Information in this e-mail may be confidential. It is intended only for the 
addressee(s) identified above. If you are not the addressee(s), or an employee 
or agent of the addressee(s), please note that any dissemination, distribution, 
or copying of this communication is strictly prohibited. If you have received 
this e-mail in error, please notify the sender of the error.

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
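
A triage sketch for the situation discussed in this thread, added here as an example and not code from any participant or from OpenShift: it reads the `--selinux-enabled` flag from a Docker sysconfig file and pulls the refused path out of the daemon log. The function names, output labels and sample file contents are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. All sample inputs are constructed.

# Print on/off/absent for --selinux-enabled in a Docker sysconfig file
# (the thread mentions /etc/sysconfig/docker). Comment lines are ignored.
docker_selinux_flag() {
    flag=$(grep -v '^[[:space:]]*#' "$1" |
           grep -oE -e '--selinux-enabled(=[A-Za-z0-9]+)?' | tail -n 1)
    case "$flag" in
        '') echo absent ;;
        *=false|*=False|*=FALSE|*=f|*=F|*=0) echo off ;;
        *) echo on ;;
    esac
}

# Read log text on stdin; print each distinct path the daemon refused to relabel.
relabel_denied_paths() {
    sed -n 's/.*Relabeling content in \([^ ]*\) is not allowed.*/\1/p' | sort -u
}

# Args: SELinux mode as printed by getenforce, sysconfig file, log file.
# Permissive mode still leaves labeling active; only Disabled turns it off.
triage() {
    flag=$(docker_selinux_flag "$2")
    paths=$(relabel_denied_paths < "$3" | tr '\n' ' ')
    paths=${paths% }
    if [ -z "$paths" ]; then
        echo "no-relabel-denials"
    elif [ "$flag" = on ] && [ "$1" != Disabled ]; then
        echo "docker-labeling-active denied=$paths"
    else
        echo "docker-labeling-inactive denied=$paths"
    fi
}

# Constructed sample files modelled on the thread, then one run.
demo_dir=$(mktemp -d)
cat > "$demo_dir/docker" <<'EOF'
# OPTIONS='--selinux-enabled=false'
OPTIONS='--selinux-enabled --log-driver=journald'
EOF
cat > "$demo_dir/messages" <<'EOF'
Nov 28 15:22:54 node docker-current: level=error msg="Handler for POST /containers/create returned error: Relabeling content in /usr is not allowed."
Nov 28 15:22:54 node openshift: E1128 container start failed: RunContainerError: runContainer: Error response from daemon: Relabeling content in /usr is not allowed.
EOF
triage Permissive "$demo_dir/docker" "$demo_dir/messages"
rm -rf "$demo_dir"
```

A `docker-labeling-inactive` result alongside logged denials suggests the log lines predate the last daemon restart or configuration change.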

