Bug 1308411

Summary: Fail to install OSE 3.0 for no add-scc-to-user command
Product: OpenShift Container Platform
Component: Installer
Version: 3.0.0
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Gaoyun Pei <gpei>
Assignee: Brenton Leanhardt <bleanhar>
QA Contact: Ma xiaoqiang <xiama>
CC: aos-bugs, bleanhar, jokerman, mmccomas, xtian
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openshift-ansible-3.0.41-1.git.0.2446a82.el7aos
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-02-29 12:57:57 UTC

Description Gaoyun Pei 2016-02-15 06:38:07 UTC
Description of problem:
When installing OSE 3.0, Ansible breaks because there is no "add-scc-to-user" option for the "oadm policy" command in openshift version v3.0.2.0-45-g423f434.


Version-Release number of selected component (if applicable):
openshift-ansible-3.0.40-1.git.22.da21865.el7aos.noarch
openshift-ansible-roles-3.0.40-1.git.22.da21865.el7aos.noarch
openshift-3.0.2.0-0.git.45.423f434.el7ose.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Run 'atomic-openshift-installer install', choose "OpenShift Enterprise 3.0"


Actual results:
TASK: [openshift_serviceaccounts | Grant the user access to the privileged scc] *** 
failed: [10.66.x.x] => (item=['router', {u'cmd': [u'oc', u'get', u'scc', u'privileged', u'-o', u'yaml'], u'end': u'2016-02-15 10:39:47.004648', u'stderr': u'', u'stdout': u'allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n  creationTimestamp: 2016-02-15T02:39:04Z\n  name: privileged\n  resourceVersion: "57"\n  selfLink: /api/v1/securitycontextconstraints/privileged\n  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n  type: RunAsAny\nseLinuxContext:\n  type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller', 'item': 'privileged', u'changed': False, u'rc': 0, 'failed': False, u'warnings': [], u'delta': u'0:00:00.285601', 'invocation': {'module_name': u'command', 'module_complex_args': {}, 'module_args': u'oc get scc privileged -o yaml'}, 'stdout_lines': [u'allowHostDirVolumePlugin: true', u'allowHostNetwork: true', u'allowHostPorts: true', u'allowPrivilegedContainer: true', u'allowedCapabilities: null', u'apiVersion: v1', u'groups:', u'- system:cluster-admins', u'- system:nodes', u'kind: SecurityContextConstraints', u'metadata:', u'  creationTimestamp: 2016-02-15T02:39:04Z', u'  name: privileged', u'  resourceVersion: "57"', u'  selfLink: /api/v1/securitycontextconstraints/privileged', u'  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813', u'runAsUser:', u'  type: RunAsAny', u'seLinuxContext:', u'  type: RunAsAny', u'users:', u'- system:serviceaccount:openshift-infra:build-controller'], 'failed_when_result': False, u'start': u'2016-02-15 10:39:46.719047'}]) => {"changed": true, "cmd": ["oadm", "policy", "add-scc-to-user", "privileged", "system:serviceaccount:default:router"], "delta": "0:00:00.062577", "end": "2016-02-15 10:39:47.277234", "item": ["router", {"changed": false, "cmd": ["oc", "get", "scc", "privileged", "-o", "yaml"], "delta": 
"0:00:00.285601", "end": "2016-02-15 10:39:47.004648", "failed": false, "failed_when_result": false, "invocation": {"module_args": "oc get scc privileged -o yaml", "module_complex_args": {}, "module_name": "command"}, "item": "privileged", "rc": 0, "start": "2016-02-15 10:39:46.719047", "stderr": "", "stdout": "allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n  creationTimestamp: 2016-02-15T02:39:04Z\n  name: privileged\n  resourceVersion: \"57\"\n  selfLink: /api/v1/securitycontextconstraints/privileged\n  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n  type: RunAsAny\nseLinuxContext:\n  type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller", "stdout_lines": ["allowHostDirVolumePlugin: true", "allowHostNetwork: true", "allowHostPorts: true", "allowPrivilegedContainer: true", "allowedCapabilities: null", "apiVersion: v1", "groups:", "- system:cluster-admins", "- system:nodes", "kind: SecurityContextConstraints", "metadata:", "  creationTimestamp: 2016-02-15T02:39:04Z", "  name: privileged", "  resourceVersion: \"57\"", "  selfLink: /api/v1/securitycontextconstraints/privileged", "  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813", "runAsUser:", "  type: RunAsAny", "seLinuxContext:", "  type: RunAsAny", "users:", "- system:serviceaccount:openshift-infra:build-controller"], "warnings": []}], "rc": 1, "start": "2016-02-15 10:39:47.214657", "warnings": []}
stderr: error: unknown command "add-scc-to-user privileged system:serviceaccount:default:router"
see 'oadm policy -h' for help.


Expected results:
Install without error

Additional info:

Comment 3 Gaoyun Pei 2016-02-16 02:52:55 UTC
Tested with openshift-ansible-3.0.41-1.git.0.2446a82.el7aos.noarch

Ansible now uses the old commands for this step when installing ose-3.0, and the ose-3.0 env can be installed successfully.

Comment 4 Brenton Leanhardt 2016-02-16 21:01:48 UTC
I made a slight modification to the fix for this bug today and it's now available in the latest puddle. The idea is that with the previous version if you re-ran the byo/config.yml against a 3.0 install it probably would have failed. This will avoid re-adding the scc policy to the user for 3.0 installs.
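
The idempotency idea in Comment 4, as an added example that is not part of the original bug report or of the openshift-ansible fix: parse the "oc get scc privileged -o yaml" output captured in the failed task and request a grant only for service accounts not already listed under "users". The function names are hypothetical, and the parser assumes the flat block-list YAML layout seen in this report.

```python
# Added example (not openshift-ansible code); SCC_YAML is the stdout from the
# failed task in this report, abridged (selfLink and uid lines omitted).
SCC_YAML = """\
allowHostDirVolumePlugin: true
allowHostNetwork: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: null
apiVersion: v1
groups:
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
  creationTimestamp: 2016-02-15T02:39:04Z
  name: privileged
  resourceVersion: "57"
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
users:
- system:serviceaccount:openshift-infra:build-controller
"""


def scc_subjects(scc_yaml):
    """Return {'users': [...], 'groups': [...]} from SCC YAML text.
    Stdlib only: handles the top-level block lists shown above, nothing more."""
    subjects = {"users": [], "groups": []}
    current = None
    for line in scc_yaml.splitlines():
        if line.startswith("- ") and current:
            subjects[current].append(line[2:].strip())
        elif not line.startswith((" ", "-")):
            # A new top-level key ends whatever list we were collecting.
            key = line.split(":", 1)[0]
            current = key if key in subjects else None
    return subjects


def pending_grants(scc_yaml, namespace, names):
    """Subjects that still need the SCC grant; empty on a re-run after success."""
    granted = set(scc_subjects(scc_yaml)["users"])
    wanted = ["system:serviceaccount:%s:%s" % (namespace, n) for n in names]
    return [s for s in wanted if s not in granted]
```

The same parsed lists double as an audit of who holds the privileged SCC: any entry under "users" or "groups" that the installer was not expected to add deserves a look.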

Comment 5 Gaoyun Pei 2016-02-17 07:44:55 UTC
Verified this bug with openshift-ansible-3.0.43-1.git.0.8ffeaf4.el7aos.noarch

With the new openshift-ansible rpm, reran playbooks/byo/config.yml to install an ose-3.0 env twice; the installations were all successful.

Comment 7 errata-xmlrpc 2016-02-29 12:57:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0311