Bug 1496271

Summary: Preserve Security Context in logging container
Product: OpenShift Container Platform
Component: Logging
Version: 3.5.1
Reporter: Jeff Cantrill <jcantril>
Assignee: Jan Wozniak <jwozniak>
QA Contact: Anping Li <anli>
CC: aivaras.laimikis, aos-bugs, pdwyer, rmeggins, tkatarki
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Target Milestone: ---
Target Release: 3.6.z
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2017-10-25 13:08:02 UTC

Description Jeff Cantrill 2017-09-26 20:57:29 UTC
As commented in https://bugzilla.redhat.com/show_bug.cgi?id=1478771

I missed one securityContext in comment 10. There are two securityContext entries in the DC.
The first is created by ansible.
The second is created by the 'oc patch' command following the document [1].
The second one is still overwritten when using openshift-ansible-3.5.125 with the fix PR.

@Jeff, could you confirm if we need to persist the second securityContext?


[1] https://docs.openshift.com/container-platform/3.5/install_config/aggregate_logging.html -> Persistent Elasticsearch Storage -> 2. Each Elasticsearch replica definition must be patched to claim that privilege, for example:
$ for dc in $(oc get deploymentconfig --selector logging-infra=elasticsearch -o name); do
    oc scale $dc --replicas=0
    oc patch $dc \
       -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}'
  done

Comment 1 Jeff Cantrill 2017-09-26 20:58:00 UTC
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1478771 to address

Comment 3 Jan Wozniak 2017-10-03 15:44:00 UTC
PR with a fix created - https://github.com/openshift/openshift-ansible/pull/5637.

I will create a backport to 3.6 once this merges

Comment 4 openshift-github-bot 2017-10-05 10:45:19 UTC
Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/f4c7d5e064fad263f618fb633d5c0d37c0a2a553
Bug 1496271 - Preserve SCC for ES local persistent storage

ES can be modified to use node local persistent storage. This requires
changing SCC and is described in docs:

https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html

During an upgrade, SCC defined by the user is ignored. This fix fetches
SCC user defined as a fact and adds it to the ES DC which is later used.

https://github.com/openshift/openshift-ansible/commit/cdbc995e65921210981e9fb3710a36c7d93a35dc
Merge pull request #5637 from wozniakjan/1496271_fix

Automatic merge from submit-queue.

 Bug 1496271 - Preserve SCC for ES local persistent storage

ES can be modified to use node local persistent storage. This requires changing SCC and is described in docs:

https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html

During an upgrade, SCC defined by the user is ignored. This fix fetches SCC user defined as a fact and adds it to the ES DC which is later used.

Also includes cherry-picked fix for - Bug 1482661 - Preserve ES dc nodeSelector and supplementalGroups

cc @jcantrill
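The problem in the description (the `oc patch`-added securityContext being overwritten) and the fix outlined in the commit message (collect the user's settings as a fact, then re-apply them to the regenerated DC) as an added Python example; this is not code from openshift-ansible or the bug, and the two DeploymentConfig objects are constructed to mirror the shape `oc get dc -o json` returns. It also covers the nodeSelector and supplementalGroups fields named in Bug 1482661, and adds a drift check a QA step could run to confirm nothing was dropped.

```python
import copy

def find_container(dc, name):
    """Return the named container from the DC's pod template, or None."""
    for c in dc["spec"]["template"]["spec"].get("containers", []):
        if c.get("name") == name:
            return c
    return None

def fetch_user_settings(dc, container="elasticsearch"):
    """Fact step of the fix: collect the user-set values from the deployed DC."""
    pod = dc["spec"]["template"]["spec"]
    c = find_container(dc, container) or {}
    return {"nodeSelector": dict(pod.get("nodeSelector", {})),
            "supplementalGroups": list(pod.get("securityContext", {}).get("supplementalGroups", [])),
            "securityContext": copy.deepcopy(c.get("securityContext", {}))}

def apply_user_settings(new_dc, facts, container="elasticsearch"):
    """Re-apply the collected facts to the regenerated DC; returns a new DC."""
    dc = copy.deepcopy(new_dc)
    pod = dc["spec"]["template"]["spec"]
    if facts["nodeSelector"]:
        pod["nodeSelector"] = dict(facts["nodeSelector"])
    if facts["supplementalGroups"]:
        pod.setdefault("securityContext", {})["supplementalGroups"] = list(facts["supplementalGroups"])
    c = find_container(dc, container)
    if c is not None and facts["securityContext"]:
        c.setdefault("securityContext", {}).update(facts["securityContext"])
    return dc

def dropped_settings(existing_dc, new_dc, container="elasticsearch"):
    """Drift check: user settings in existing_dc that new_dc lacks ([] = all kept)."""
    before = fetch_user_settings(existing_dc, container)
    after = fetch_user_settings(new_dc, container)
    lost = []
    for key, want in before.items():
        have = after[key]
        kept = (all(have.get(k) == v for k, v in want.items())
                if isinstance(want, dict) else set(want) <= set(have))
        if want and not kept:
            lost.append(key)
    return lost

# Constructed DC as left by the documented `oc patch` (privileged ES container).
DEPLOYED_DC = {"spec": {"template": {"spec": {
    "nodeSelector": {"logging-es": "true"},
    "securityContext": {"supplementalGroups": [65534]},
    "containers": [{"name": "elasticsearch", "securityContext": {"privileged": True}}]}}}}
# Constructed DC as an upgrade regenerates it from the role's template.
REGENERATED_DC = {"spec": {"template": {"spec": {"containers": [{"name": "elasticsearch"}]}}}}
```

Running `dropped_settings(DEPLOYED_DC, REGENERATED_DC)` reproduces the bug (all three settings reported lost); applying `fetch_user_settings(DEPLOYED_DC)` to the regenerated DC first makes the same check return an empty list.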

Comment 6 Anping Li 2017-10-12 07:29:04 UTC
The nodeSelector and securityContext are preserved when using openshift-ansible:v3.5.132. So moving to verified.

Comment 8 errata-xmlrpc 2017-10-25 13:08:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3049

Comment 9 Red Hat Bugzilla 2023-09-14 04:09:01 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days