Bug 1447019 - Include Audit configuration in the installation process (Ansible OCP inventory)

| Field | Value |
|---|---|
| Product | OpenShift Container Platform |
| Component | Installer |
| Version | 3.5.0 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Reporter | Jaspreet Kaur <jkaur> |
| Assignee | Russell Teague <rteague> |
| QA Contact | Gaoyun Pei <gpei> |
| CC | aos-bugs, bleanhar, gpei, jialiu, jkaur, jokerman, mmccomas, rteague |
| Target Milestone | --- |
| Target Release | 3.5.z |
| Keywords | Reopened |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Doc Text | Adjusted conditionals to allow audit configuration for non-ha environments. |
| Story Points | --- |
| Clones | 1454370, 1454377 |
| Bug Blocks | 1454370, 1454377 |
| Type | Bug |
| Last Closed | 2017-06-15 18:38:10 UTC |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Jaspreet Kaur
2017-05-01 08:29:33 UTC
This is already possible today. The value mentioned in https://github.com/openshift/openshift-ansible/pull/2149/files shows that the raw json is passed to Ansible which will be stored in the Master configuration. All documented audit configuration parameters will work.

Tried to use below parameter in inventory for installation but I do not see this configuration added in master-config after successful deployment:

    openshift_master_audit_config={"enabled": true}

    oc version
    oc v3.4.1.18
    kubernetes v1.4.0+776c994
    features: Basic-Auth GSSAPI Kerberos SPNEGO

    Server https://ham1.example.com:8443
    openshift v3.4.1.18
    kubernetes v1.4.0+776c994

Jaspreet, can you attach the generated master configuration? What version of openshift-ansible are you using?

Here are the details:

    rpm -qa | grep openshift
    atomic-openshift-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    atomic-openshift-node-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    openshift-ansible-docs-3.4.74-1.git.0.6542413.el7.noarch
    openshift-ansible-callback-plugins-3.4.74-1.git.0.6542413.el7.noarch
    atomic-openshift-clients-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    atomic-openshift-master-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    tuned-profiles-atomic-openshift-node-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    openshift-ansible-3.4.74-1.git.0.6542413.el7.noarch
    openshift-ansible-filter-plugins-3.4.74-1.git.0.6542413.el7.noarch
    openshift-ansible-roles-3.4.74-1.git.0.6542413.el7.noarch
    atomic-openshift-utils-3.4.74-1.git.0.6542413.el7.noarch
    atomic-openshift-sdn-ovs-3.4.1.18-1.git.0.0f9d380.el7.x86_64
    openshift-ansible-lookup-plugins-3.4.74-1.git.0.6542413.el7.noarch
    openshift-ansible-playbooks-3.4.74-1.git.0.6542413.el7.noarch

Jianlin, would you mind confirming if we have a bug with our openshift_master_audit_config setting or not? It could be that the logic we have to optionally set that code is no longer working. Given that we branch for openshift-ansible now I think the "and openshift.common.version_gte_3_2_or_1_2" logic could be completely removed now.

    roles/openshift_master/templates/master.yaml.v1.j2:{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %}

@gpei, could you help answer comment 9, this is kind of similar to BZ#1439619.

Brenton, not sure if Jaspreet was trying a non-ha master installation. In our master.yaml jinja2 template, there's another condition for auditConfig options to be added in master-config[1]

With the setting

    openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/audit-ocp.log", "maximumFileRetentionDays": 10,"maximumRetainedFiles": 10,"maximumFileSizeMegabytes": 100}

in ansible inventory, for ha master cluster installation, the Audit options could be configured correctly in master-config.yaml.

    [root@ip-172-18-11-189 ~]# grep -A 4 audit /etc/origin/master/master-config.yaml
    auditConfig:
      auditFilePath: /var/log/audit-ocp.log
      enabled: true
      maximumFileRetentionDays: 10
      maximumFileSizeMegabytes: 100
      maximumRetainedFiles: 10

Test with openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm

If the audit configurations were only expected to be used for ha-master cluster, I think we could add some additional description in the doc, or we could remove the openshift_master_ha condition check if not.

[1] https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L47

Yes I was having a non-ha env. Shouldn't this feature be applicable for both?

That's a great catch Gaoyun. I think this is just a bug for non-ha environments. It should be easy to move the audit logging configuration outside the {% if openshift_master_ha | bool %} block.

Commit pushed to master at https://github.com/openshift/openshift-ansible
https://github.com/openshift/openshift-ansible/commit/ebb1b751b9623eb2f9b265737e6d032ba5c5da3c
Fix auditConfig for non-HA environments
Bug 1447019

Proposed (3.5 backport): https://github.com/openshift/openshift-ansible/pull/4258

Verify this bug with openshift-ansible-3.5.5.19-1.git.0.ded7c89.el7.noarch

With audit options added in ansible inventory for non-ha master environment, the related configurations could be found in master config file after installation.

    openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/audit-ocp.log", "maximumFileRetentionDays": 10,"maximumRetainedFiles": 10,"maximumFileSizeMegabytes": 100}

    [root@ip-172-18-11-206 ~]# grep -A 4 audit /etc/origin/master/master-config.yaml
    auditConfig:
      auditFilePath: /var/log/audit-ocp.log
      enabled: true
      maximumFileRetentionDays: 10
      maximumFileSizeMegabytes: 100
      maximumRetainedFiles: 10

Will move this bug to verified after the openshift-ansible rpm package was attached to advisory 28675

Verify this bug with openshift-ansible-3.5.74-1.git.0.4e9bb21.el7.noarch.rpm. openshift_master_audit_config works as expected in non-ha master env.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425
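The failure mode in this bug is silent: the inventory asks for API audit logging, the installer reports success, and the master simply runs without an `auditConfig` stanza. The verification the QA contact did by hand (grep the rendered master-config.yaml and compare it with the inventory value) is worth scripting as a post-install check. The following is an added example, not code from the bug report or from openshift-ansible; the inventory line and the two master-config excerpts are constructed here from the values quoted above (one as the fixed template renders it, one as the buggy template rendered it for a non-HA master), it uses only the Python standard library, and its YAML handling covers only the flat `auditConfig:` mapping the template writes, not arbitrary YAML.

```python
"""Post-install check: did the audit settings from the Ansible inventory
actually land in master-config.yaml?

Added example, not part of bug 1447019 or of openshift-ansible. Sample
inputs below are constructed from the values quoted in the bug.
"""
import json
import re

# Constructed: the inventory line as quoted in the bug report.
INVENTORY_LINE = ('openshift_master_audit_config={"enabled": true, '
                  '"auditFilePath": "/var/log/audit-ocp.log", '
                  '"maximumFileRetentionDays": 10, "maximumRetainedFiles": 10, '
                  '"maximumFileSizeMegabytes": 100}')

# Constructed: excerpt of a master-config.yaml rendered by the fixed template.
MASTER_CONFIG_FIXED = """\
apiVersion: v1
auditConfig:
  auditFilePath: /var/log/audit-ocp.log
  enabled: true
  maximumFileRetentionDays: 10
  maximumFileSizeMegabytes: 100
  maximumRetainedFiles: 10
kind: MasterConfig
"""

# Constructed: excerpt as the buggy template rendered it for a non-HA master,
# where the auditConfig stanza was dropped without any error.
MASTER_CONFIG_BUGGY = """\
apiVersion: v1
kind: MasterConfig
"""


def parse_inventory_audit(line):
    """Return the dict encoded in an openshift_master_audit_config=<json> line."""
    key, _, raw = line.partition("=")
    if key.strip() != "openshift_master_audit_config":
        raise ValueError("not an openshift_master_audit_config line")
    return json.loads(raw)


def _scalar(text):
    """Convert a YAML scalar as written by the template into a Python value."""
    text = text.strip()
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text.strip('"').strip("'")


def parse_audit_config(master_config):
    """Extract the auditConfig mapping from master-config.yaml text.

    Returns None when no auditConfig stanza is present. Only flat
    'key: value' children indented by two spaces are understood.
    """
    lines = master_config.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == "auditConfig:":
            found = {}
            for child in lines[i + 1:]:
                m = re.match(r"^  (\w+):\s*(.*)$", child)
                if m is None:
                    break  # back at top level: stanza is over
                found[m.group(1)] = _scalar(m.group(2))
            return found
    return None


def check_audit_config(inventory_line, master_config):
    """Compare the inventory's audit settings with what was rendered.

    Returns a list of findings; an empty list means every inventory
    setting is present in master-config.yaml with the same value.
    """
    wanted = parse_inventory_audit(inventory_line)
    rendered = parse_audit_config(master_config)
    if rendered is None:
        return ["auditConfig stanza missing from master-config.yaml"]
    findings = []
    for key, value in wanted.items():
        if key not in rendered:
            findings.append("auditConfig.%s missing" % key)
        elif rendered[key] != value:
            findings.append("auditConfig.%s is %r, inventory says %r"
                            % (key, rendered[key], value))
    return findings


if __name__ == "__main__":
    for name, cfg in (("fixed", MASTER_CONFIG_FIXED),
                      ("buggy", MASTER_CONFIG_BUGGY)):
        print(name, check_audit_config(INVENTORY_LINE, cfg) or "OK")
```

On a real host the two constants would be replaced by the inventory line read from the Ansible inventory and the contents of /etc/origin/master/master-config.yaml; a non-empty result is the signal that audit logging was requested but is not in effect, which is exactly what the non-HA installation in this bug produced.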