Bug 1420538
| Summary: | Unable to set Supplemental Groups or fsGroup for Cassandra, via metrics deployer. | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
| Component: | Installer | Assignee: | Jeff Cantrill <jcantril> |
| Status: | CLOSED ERRATA | QA Contact: | Peng Li <penli> |
| Severity: | low | Priority: | medium |
| Version: | 3.4.0 | CC: | aos-bugs, jokerman, mcurry, mmccomas, mwringe, penli, pruan |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | No Doc Update | Type: | Bug |
| Last Closed: | 2017-04-12 19:01:11 UTC | | |
Description
Ryan Howe
2017-02-08 22:27:35 UTC
@Matt, if he is using the deployer then the 'easy' way would be to edit the deployer template to include the supplemental group before executing the 'oc new-app' step. Is that correct?

@jeff: no, that is not how it works. This doesn't need to be applied to the deployer template, but to the Cassandra template. The Cassandra template is not added until the deployment starts, which in this case will fail because there isn't a PV for it to use. So they need to deploy metrics, then scale everything to 0, then modify the cassandra template, then scale everything back up. And when they go to update or reinstall, then they need to do these steps all over again.

Trying to handle everything as parameters passed to the deployer or ansible is probably not a good idea. There are too many options people will want, we can't just continue to add in more and more options. Eventually we are going to run into hundreds of parameters. It's also extremely confusing for users. They will know they want to have option X that OpenShift provides, then they need to read the docs to see what that corresponding option is for ansible/deployer and then figure out how to add it as a parameter (or most likely complain that we don't expose that option).

All the templates that directly deploy the pods for each metric component come from within the deployer image. The template used to deploy the metrics does not allow the user to make direct changes to any of the components unless we have added a parameter that can be passed to the deploy, where the deployer will then pass it to the components.

The parameters that can be set can be seen here:
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml#L100-L168

The templates for each component are here and these can only be customized if you build a new deployer image, which is not supported.

    # docker run --entrypoint /bin/bash -it openshift3/metrics-deployer -c "/bin/cat templates/*"

We could make a change to the deployer similar to what logging is doing:
https://github.com/openshift/origin-aggregated-logging/blob/v1.4.1/deployer/templates/es.yaml#L48

@jeff: do we also need a change in the deployer? I guess not since I don't think we need this for the 'oc up' command.

I don't anticipate this being back ported to the deployer unless we are directed from PM

Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/d226d9b51e6eb1fe897d08e221dd28a34b35339c
bug 1420538. Allow users to set supplementalGroup for Cassandra

https://github.com/openshift/openshift-ansible/commit/398b72dc31788ed8fd22497761ba16e1f013a108
Merge pull request #3320 from jcantrill/bz_1420538_metrics_supplemental_groups
bug 1420538. Allow users to set supplementalGroup for Cassandra

verified

Steps:

1. specify 'openshift_metrics_cassandra_storage_group' in the inventory

    # cat ~/my_inventory
    (...)
    openshift_metrics_cassandra_storage_group=65531
    (...)

2. run the playbook on ansible node

    # ansible-playbook -v -i ~/my_inventory playbooks/common/openshift-cluster/openshift_metrics.yml

3. check deploy succeed

    # oc get pod -n openshift-infra
    NAME                         READY     STATUS    RESTARTS   AGE
    hawkular-cassandra-1-9j37p   1/1       Running   0          7m
    hawkular-metrics-ztkd6       1/1       Running   0          7m
    heapster-fqcx7               1/1       Running   0          7m

3. check the rc

    # oc get rc/hawkular-cassandra-1 -o yaml
    (...)
          securityContext:
            supplementalGroups:
            - 65531
    (...)

4. check the pod

    # oc get pod hawkular-cassandra-1-9j37p -o yaml
    (...)
      securityContext:
        fsGroup: 1000000000
        seLinuxOptions:
          level: s0:c1,c0
        supplementalGroups:
        - 65531
    (...)

Version info:

    # rpm -qa openshift-ansible*
    openshift-ansible-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-roles-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-docs-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-filter-plugins-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-callback-plugins-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-playbooks-3.5.45-1.git.1.4ebc840.el7.noarch
    openshift-ansible-lookup-plugins-3.5.45-1.git.1.4ebc840.el7.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0903
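
The manual workaround described in the thread (scale everything to 0, modify the Cassandra pod template, scale back up), followed by the same check the verification steps make on the rc, written out as an added example that is not part of the bug report or the openshift-ansible code. Assumptions: the `openshift-infra` namespace, the `hawkular-metrics` and `heapster` RC names (inferred from the pod names in the thread), one replica per RC, and the `OC`, `NS`, `CASSANDRA_RC` and `ALL_RCS` variables, which are names chosen for this sketch.

```shell
#!/bin/sh
# Added example (not from the bug report): the manual workaround as functions.
# Assumed: namespace, RC names inferred from the pod names, one replica each.
OC="${OC:-oc}"
NS="${NS:-openshift-infra}"
CASSANDRA_RC="${CASSANDRA_RC:-hawkular-cassandra-1}"
ALL_RCS="${ALL_RCS:-hawkular-cassandra-1 hawkular-metrics heapster}"

# Build the patch that sets supplementalGroups on the RC's pod template.
build_patch() {
  case "$1" in
    ''|*[!0-9]*) echo "group id must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf '{"spec":{"template":{"spec":{"securityContext":{"supplementalGroups":[%s]}}}}}' "$1"
}

# $1 = replica count applied to every metrics RC.
scale_all() {
  for rc in $ALL_RCS; do
    $OC scale rc "$rc" -n "$NS" --replicas="$1" || return 1
  done
}

# Scale everything down, patch the Cassandra RC, scale everything back up.
apply_group() {
  patch=$(build_patch "$1") || return 1
  scale_all 0 &&
    $OC patch rc "$CASSANDRA_RC" -n "$NS" -p "$patch" &&
    scale_all 1
}

# Succeeds only if the RC's pod template lists exactly this group id.
verify_group() {
  got=$($OC get rc "$CASSANDRA_RC" -n "$NS" \
    -o jsonpath='{.spec.template.spec.securityContext.supplementalGroups}') || return 1
  # Output looks like "[65531]"; several values may be space or comma separated.
  for g in $(printf '%s' "$got" | tr -d '[]' | tr ',' ' '); do
    [ "$g" = "$1" ] && return 0
  done
  return 1
}
# Usage: apply_group 65531 && verify_group 65531
```

As the thread notes, a change made this way has to be repeated after an update or reinstall; the `openshift_metrics_cassandra_storage_group` inventory variable from the fix avoids that.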