Bug 1599241

Summary: Add security content for hawkular-cassandra before openshift was updated to v3.10
Product: OpenShift Container Platform
Reporter: Anping Li <anli>
Component: Hawkular
Assignee: Ruben Vargas Palma <rvargasp>
Status: CLOSED ERRATA
QA Contact: Junqi Zhao <juzhao>
Severity: medium
Priority: unspecified
Version: 3.9.0
CC: aos-bugs, jsanda, rvargasp
Target Release: 3.9.z
Hardware: Unspecified
OS: Unspecified
Clone Of:
: 1599529
Last Closed: 2018-08-29 14:42:31 UTC
Type: Bug
Bug Depends On: 1613095
Bug Blocks: 1599529

Description Anping Li 2018-07-09 09:44:30 UTC
Description of problem:
The metrics cassandra 3.9 has no permission to create directory /cassandra_data/data once OpenShift is updated to v3.10. Redeploying metrics via openshift-ansible:v3.10 can solve this issue, but there is some downtime between the OpenShift upgrade and the metrics update.

To avoid the metrics downtime, we can add the securityContext to make v3.9 cassandra work in v3.10 with the following steps. If the customer doesn't care about the downtime, they can skip these steps.

Steps:
1. oc get namespaces openshift-infra -o json

$oc get namespaces openshift-infra -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.initialized-roles: "true"
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  name: openshift-infra
  uid: 2d73f159-8331-11e8-9c8f-42010af00028
spec:
  finalizers:
  - kubernetes
  - openshift.io/origin

2. Update the securityContext in replicacontrollers hawkular-cassandra-1 using the values from the namespaces openshift-infra

  $oc edit rc hawkular-cassandra-1
   #Add the fsGroup and seLinuxOptions using the same value from the namespaces openshift-infra

                "securityContext": {
                    "fsGroup": 1000040000,
                    "seLinuxOptions": {
                        "level": "s0:c6,c5"
                    },
                    "supplementalGroups": [
                        65534
                    ]
                },
                "serviceAccount": "cassandra",
                "serviceAccountName": "cassandra"

For more detail, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1590748, the PR https://github.com/openshift/openshift-ansible/pull/8831


Version-Release number of selected component (if applicable):
openshift-ansible:v3.9

How reproducible:
always

Steps to Reproduce:
1. Deploy metrics v3.9 on v3.9
  openshift_metrics_install_metrics=True
  oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}

2. Upgrade OCP to v3.10

3. Check the cassandra logs in v3.10


Expected results:
The /cassandra_data/data can be accessed after upgrade

Additional info:
Once v3.10 is redeployed via openshift-ansible:v3.10, cassandra can access the directory /cassandra_data/data.
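
The two workaround steps in the description, derived programmatically instead of copied by hand (an added example, not part of the original report or of openshift-ansible). The function name, the validation patterns and the choice of the first supplemental-groups block as fsGroup are assumptions; the sample input is constructed from the annotation values shown in the description.

```python
import json
import re

# Constructed sample: the annotations from the description, in the shape
# `oc get namespace openshift-infra -o json` returns them.
SAMPLE_NAMESPACE_JSON = """
{
  "kind": "Namespace",
  "metadata": {
    "name": "openshift-infra",
    "annotations": {
      "openshift.io/sa.scc.mcs": "s0:c6,c5",
      "openshift.io/sa.scc.supplemental-groups": "1000040000/10000",
      "openshift.io/sa.scc.uid-range": "1000040000/10000"
    }
  }
}
"""

# Assumed formats: an MCS level such as "s0:c6,c5" and a group block
# written as "<start>/<length>" or "<start>-<end>".
MCS_RE = re.compile(r"^s\d+(-s\d+)?(:c\d+([.,]c\d+)*)?$")
BLOCK_RE = re.compile(r"^(\d+)[/-]\d+$")


def security_context_patch(namespace_json):
    """Return a pod-template patch carrying fsGroup and the SELinux level."""
    annotations = json.loads(namespace_json)["metadata"].get("annotations", {})
    try:
        mcs = annotations["openshift.io/sa.scc.mcs"]
        groups = annotations["openshift.io/sa.scc.supplemental-groups"]
    except KeyError as missing:
        raise ValueError(f"namespace lacks annotation {missing}") from None
    if not MCS_RE.match(mcs):
        raise ValueError(f"unexpected MCS level: {mcs!r}")
    # Blocks may be comma-separated; the start of the first block is used.
    first = BLOCK_RE.match(groups.split(",")[0].strip())
    if first is None:
        raise ValueError(f"unexpected supplemental-groups value: {groups!r}")
    return {"spec": {"template": {"spec": {"securityContext": {
        "fsGroup": int(first.group(1)),
        "seLinuxOptions": {"level": mcs},
    }}}}}


if __name__ == "__main__":
    print(json.dumps(security_context_patch(SAMPLE_NAMESPACE_JSON)))
```

The printed JSON can be passed to `oc patch rc hawkular-cassandra-1 -n openshift-infra -p '<json>'` in place of the manual `oc edit`. A replication controller applies template changes only to pods it creates afterwards.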

Comment 1 Anping Li 2018-07-09 09:46:14 UTC
Shall we add this issue in v3.10 release note? and back port the PR 8831 in v3.9?

Comment 2 John Sanda 2018-07-16 21:50:46 UTC
(In reply to Anping Li from comment #1)
> Shall we add this issue in v3.10 release note? and back port the PR 8831 in
> v3.9?

I talked with Ruben and we agree that it should be back ported. I think it makes sense to include in the release notes as well.

For step 2 in the description, you are upgrading OCP and not metrics, right?

Comment 3 Ruben Vargas Palma 2018-07-30 18:22:02 UTC
The solution was already backported to 3.9 and the PR was merged, https://github.com/openshift/openshift-ansible/pull/9278.

I'm moving this BZ to MODIFIED.

Comment 5 Junqi Zhao 2018-08-22 08:23:44 UTC
Blocked by Bug 1613095

Comment 6 Junqi Zhao 2018-08-25 13:38:57 UTC
securityContext is added to metrics 3.9
*****************************************************
      securityContext:
        fsGroup: 1000040000
        seLinuxOptions:
          level: s0:c6,c5
        supplementalGroups:
        - 65534
      serviceAccount: cassandra
      serviceAccountName: cassandra
*****************************************************

openshift-ansible-3.9.41-1.git.0.4c55974.el7
# oc version
oc v3.9.41
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Images
metrics-cassandra-v3.9.40-11
metrics-hawkular-metrics-v3.9.40-11
metrics-heapster-v3.9.40-11

Comment 8 errata-xmlrpc 2018-08-29 14:42:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2549