Bug 1558900

Summary: Example cert-check jobs using container image not work well
Product: OpenShift Container Platform Reporter: Gaoyun Pei <gpei>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.9.0CC: aos-bugs, gpei, jokerman, mmccomas, sdodson, vrutkovs
Target Milestone: ---   
Target Release: 3.9.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-17 06:43:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Ansible output none

Description Gaoyun Pei 2018-03-21 09:21:56 UTC 
Description of problem:
In https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#openshift-ansible-usage-examples, it introduce four example jobs of cert-check/scheduled cert-check, list the issues here found during testing on OCP-3.9.


1. Secret creation command is deprecated

[root@ip-172-18-13-8 ~]# oc secrets new-sshauth sshkey --ssh-privatekey=$HOME/.ssh/id_rsa
Command "new-sshauth" is deprecated, use oc create secret
secret/sshkey


2. Path to the playbooks used in template files is invalid

[root@ip-172-18-13-8 ~]# oc logs certificate-check-tkplg
Using /usr/share/ansible/openshift-ansible/ansible.cfg as config file
ERROR! the playbook: playbooks/certificate_expiry/easy-mode-upload.yaml could not be found

The same as html_and_json_timestamp.yaml playbook


3. Image used in the template is not correct for OCP

[root@ip-172-18-13-8 ~]# oc get job certificate-check -o yaml |grep image:
        image: openshift/origin-ansible


4. ScheduledJob Kind is deprecated in OCP-3.9 
[root@ip-172-18-13-8 ~]# oc create -f openshift-ansible/examples/scheduled-certcheck-upload.yaml
error: unable to recognize "openshift-ansible/examples/scheduled-certcheck-upload.yaml": no matches for batch/, Kind=ScheduledJob

After changed to "CronJob", it could work.


5. Write reports to `/var/lib/certcheck` failed when using volumes

TASK [openshift_certificate_expiry : Generate expiration report HTML] **********
Wednesday 21 March 2018  08:55:36 +0000 (0:00:04.180)       0:00:04.933 ******* 
fatal: [ec2-54-164-122-51.compute-1.amazonaws.com]: FAILED! => {"msg": "Failed to get information on remote file (/var/lib/certcheck/20180321-cert-expiry-report.html): /bin/sh: sudo: command not found\n"}



Version-Release number of the following components:
[root@ip-172-18-13-8 openshift-ansible]# git describe
openshift-ansible-3.9.12-1-4-gfabeed5


How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 1 Vadim Rutkovsky 2018-03-27 09:46:41 UTC 
Created https://github.com/openshift/openshift-ansible/pull/7666 to address this.

(In reply to Gaoyun Pei from comment #0)
> 1. Secret creation command is deprecated

Fixed in PR

> 2. Path to the playbooks used in template files is invalid

Fixed

> 3. Image used in the template is not correct for OCP
> 
> [root@ip-172-18-13-8 ~]# oc get job certificate-check -o yaml |grep image:
>         image: openshift/origin-ansible

Not sure of this is an issue. The image is available on dockerhub, I don't think we want pre-processing to use separate images for Origin and OCP. In any case, this is just a sample job

> 4. ScheduledJob Kind is deprecated in OCP-3.9 

Fixed

> 5. Write reports to `/var/lib/certcheck` failed when using volumes
> 
> TASK [openshift_certificate_expiry : Generate expiration report HTML]
> **********
> Wednesday 21 March 2018  08:55:36 +0000 (0:00:04.180)       0:00:04.933
> ******* 
> fatal: [ec2-54-164-122-51.compute-1.amazonaws.com]: FAILED! => {"msg":
> "Failed to get information on remote file
> (/var/lib/certcheck/20180321-cert-expiry-report.html): /bin/sh: sudo:
> command not found\n"}

Can't seem to find where it attempts to run 'sudo'.

Are you running this manually or in scheduled mode? Could you attach the ansible log?
Comment 2 Gaoyun Pei 2018-03-27 10:20:47 UTC 
Met with this error when running Job certificate-check-volume.yaml, following the guide in https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#job-and-scheduledjob-to-check-certificates-using-volumes

Seems like it's a same issue with https://bugzilla.redhat.com/show_bug.cgi?id=1551464

Attached the ansible logs.
Comment 3 Gaoyun Pei 2018-03-27 10:21:52 UTC 
Created attachment 1413659 [details]
Ansible output
Comment 4 Vadim Rutkovsky 2018-03-27 10:26:54 UTC 
(In reply to Gaoyun Pei from comment #2)
> Met with this error when running Job certificate-check-volume.yaml,
> following the guide in
> https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#job-
> and-scheduledjob-to-check-certificates-using-volumes
> 
> Seems like it's a same issue with
> https://bugzilla.redhat.com/show_bug.cgi?id=1551464
> 
> Attached the ansible logs.

Do you have 'become' in your inventory? Ansible would attempt to use sudo if its set - but the container image may not have it.

Not sure how to proceed here - should we add a warning about sudo to the README.md? Should 'sudo' be added to 'openshift/origin-ansible' image?
Comment 5 Gaoyun Pei 2018-03-28 07:20:00 UTC 
(In reply to Vadim Rutkovsky from comment #4)
> (In reply to Gaoyun Pei from comment #2)
> > Met with this error when running Job certificate-check-volume.yaml,
> > following the guide in
> > https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#job-
> > and-scheduledjob-to-check-certificates-using-volumes
> > 
> > Seems like it's a same issue with
> > https://bugzilla.redhat.com/show_bug.cgi?id=1551464
> > 
> > Attached the ansible logs.
> 
> Do you have 'become' in your inventory? Ansible would attempt to use sudo if
> its set - but the container image may not have it.

No, I didn't use "become=yes" or "ansible_become" related options, just set ansible_user=root directly in [OSEv3] group var.
Comment 6 Vadim Rutkovsky 2018-03-28 13:04:13 UTC 
(In reply to Gaoyun Pei from comment #5)
> (In reply to Vadim Rutkovsky from comment #4)
> > (In reply to Gaoyun Pei from comment #2)
> > > Met with this error when running Job certificate-check-volume.yaml,
> > > following the guide in
> > > https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#job-
> > > and-scheduledjob-to-check-certificates-using-volumes
> > > 
> > > Seems like it's a same issue with
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1551464
> > > 
> > > Attached the ansible logs.
> > 
> > Do you have 'become' in your inventory? Ansible would attempt to use sudo if
> > its set - but the container image may not have it.
> 
> No, I didn't use "become=yes" or "ansible_become" related options, just set
> ansible_user=root directly in [OSEv3] group var.

Right, got a fix for that. Lets track it in https://bugzilla.redhat.com/show_bug.cgi?id=1551464
Comment 7 Vadim Rutkovsky 2018-04-03 09:24:14 UTC 
Fix is available in openshift-ansible-3.9.16-1
Comment 8 Gaoyun Pei 2018-04-08 07:49:55 UTC 
Verify this bug with openshift-ansible-3.9.19-1.

The four examples in https://github.com/openshift/openshift-ansible/tree/release-3.9/examples#openshift-ansible-usage-examples all work well now.
Comment 10 Gaoyun Pei 2018-04-23 05:52:46 UTC 
Move it to verified according to Comment 8
Comment 13 errata-xmlrpc 2018-05-17 06:43:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1566