Bug 1289603
Summary: | oc login fails with Unauthorized error sometimes on HA etcd environment | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Evgheni Dereveanchin <ederevea> |
Component: | apiserver-auth | Assignee: | Jordan Liggitt <jliggitt> |
Status: | CLOSED ERRATA | QA Contact: | weiwei jiang <wjiang> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 3.1.0 | CC: | akokshar, aos-bugs, bleanhar, ccoleman, dma, erich, jliggitt, jokerman, mmccomas, pep, pruan, tstclair, wjiang, wsun |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | 1282718 | Environment: | |
Last Closed: | 2016-01-26 19:19:35 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1282718 | | |
Bug Blocks: | 1267746 | | |

Description
Evgheni Dereveanchin
2015-12-08 14:30:19 UTC
Recreated locally with single master and 3-node etcd cluster.

A quorum read is needed. The current (deprecated) etcd client does not expose the quorum read option. Work upstream to switch to the current etcd client is tracked in https://github.com/kubernetes/kubernetes/issues/11962

For reference, I spun up an etcd cluster in three docker containers like this:

```
IP=1.2.3.4

docker run -d -p 4001:4001 -p 7001:7001 --name etcd0 quay.io/coreos/etcd:v2.0.3 \
  -name etcd0 \
  -advertise-client-urls http://$IP:4001 \
  -listen-client-urls http://0.0.0.0:4001 \
  -initial-advertise-peer-urls http://$IP:7001 \
  -listen-peer-urls http://0.0.0.0:7001 \
  -initial-cluster-token my-etcd-cluster \
  -initial-cluster etcd0=http://$IP:7001,etcd1=http://$IP:7002,etcd2=http://$IP:7003 \
  -initial-cluster-state new

docker run -d -p 4002:4002 -p 7002:7002 --name etcd1 quay.io/coreos/etcd:v2.0.3 \
  -name etcd1 \
  -advertise-client-urls http://$IP:4002 \
  -listen-client-urls http://0.0.0.0:4002 \
  -initial-advertise-peer-urls http://$IP:7002 \
  -listen-peer-urls http://0.0.0.0:7002 \
  -initial-cluster-token my-etcd-cluster \
  -initial-cluster etcd0=http://$IP:7001,etcd1=http://$IP:7002,etcd2=http://$IP:7003 \
  -initial-cluster-state existing

docker run -d -p 4003:4003 -p 7003:7003 --name etcd2 quay.io/coreos/etcd:v2.0.3 \
  -name etcd2 \
  -advertise-client-urls http://$IP:4003 \
  -listen-client-urls http://0.0.0.0:4003 \
  -initial-advertise-peer-urls http://$IP:7003 \
  -listen-peer-urls http://0.0.0.0:7003 \
  -initial-cluster-token my-etcd-cluster \
  -initial-cluster etcd0=http://$IP:7001,etcd1=http://$IP:7002,etcd2=http://$IP:7003 \
  -initial-cluster-state existing
```

Then started my master server from a config referencing an external etcd like this:

```
...
etcdClientInfo:
  ca: ""
  certFile: ""
  keyFile: ""
  urls:
  - http://1.2.3.4:4001
  - http://1.2.3.4:4002
  - http://1.2.3.4:4003
...
```

Fixed in puddle AtomicOpenShift/3.1/2016-01-13.1

Verify on puddle AtomicOpenShift/3.1/2016-01-13.1, this bug is fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:0070
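
The stale read behind the "A quorum read is needed" comment, as an added Go model that is not code from this bug report, OpenShift or the etcd client. It assumes the intermittent failure is a token committed on a majority of members and then looked up through a member that has not applied it yet; the `cluster` type, its methods and the `/tokens/` key layout are hypothetical.

```go
package main

import "fmt"

var errUnauthorized = fmt.Errorf("Unauthorized")

// cluster is a toy 3-member etcd: members[0] is the leader, members[2] lags.
type cluster struct {
	members [3]map[string]string
	pending [][2]string // committed writes members[2] has not applied yet
}

func newCluster() *cluster {
	c := &cluster{}
	for i := range c.members {
		c.members[i] = map[string]string{}
	}
	return c
}

// put commits on a majority (leader plus one follower); members[2] applies later.
func (c *cluster) put(k, v string) {
	c.members[0][k], c.members[1][k] = v, v
	c.pending = append(c.pending, [2]string{k, v})
}

// catchUp lets the lagging member apply everything it missed.
func (c *cluster) catchUp() {
	for _, kv := range c.pending {
		c.members[2][kv[0]] = kv[1]
	}
	c.pending = nil
}

// validate reads a token via one member; a quorum read is modelled as answered by the leader.
func (c *cluster) validate(member int, token string, quorum bool) error {
	if quorum {
		member = 0
	}
	if _, ok := c.members[member]["/tokens/"+token]; !ok { // hypothetical key layout
		return errUnauthorized
	}
	return nil
}

func main() {
	c := newCluster()
	c.put("/tokens/tok1", "alice") // constructed sample token
	fmt.Println("plain:", c.validate(2, "tok1", false), "quorum:", c.validate(2, "tok1", true))
}
```

With three client URLs configured, only lookups that land on the lagging member fail, which matches the "sometimes" in the bug summary.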