Bug 1599529

Summary: Add security content for hawkular-cassandra before openshift was updated to v3.10
Product: OpenShift Container Platform
Component: Documentation
Version: 3.10.0
Status: CLOSED WONTFIX
Severity: medium
Priority: unspecified
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Reporter: Anping Li <anli>
Assignee: Sara Thomas <sarthoma>
QA Contact: Anping Li <anli>
Docs Contact: Vikram Goyal <vigoyal>
CC: aos-bugs, jokerman, juzhao, kalexand, mmccomas
Doc Type: If docs needed, set a value
Clone Of: 1599241
Last Closed: 2021-07-12 19:04:12 UTC
Type: Bug
Bug Depends On: 1599241

Description Anping Li 2018-07-10 02:58:10 UTC
+++ This bug was initially created as a clone of Bug #1599241 +++

Description of problem:
The metrics Cassandra 3.9 has no permission to create the directory /cassandra_data/data once OpenShift is updated to v3.10. Redeploying metrics via openshift-ansible:v3.10 can solve this issue, but there is some downtime between the OpenShift upgrade and the metrics update.

To avoid the metrics downtime, we can add the securityContext to make v3.9 Cassandra work in v3.10 with the following steps. If the customer doesn't care about the downtime, they can skip these steps.

Steps:
1. oc get namespaces openshift-infra -o json

$ oc get namespaces openshift-infra -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.initialized-roles: "true"
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  name: openshift-infra
  uid: 2d73f159-8331-11e8-9c8f-42010af00028
spec:
  finalizers:
  - kubernetes
  - openshift.io/origin

2. Update the securityContext in the replication controller hawkular-cassandra-1 using the values from the namespace openshift-infra

  $ oc edit rc hawkular-cassandra-1
   # Add the fsGroup and seLinuxOptions using the same values from the namespace openshift-infra

                "securityContext": {
                    "fsGroup": 1000040000,
                    "seLinuxOptions": {
                        "level": "s0:c6,c5"
                    },
                    "supplementalGroups": [
                        65534
                    ]
                },
                "serviceAccount": "cassandra",
                "serviceAccountName": "cassandra"

For more detail, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1590748 and the PR https://github.com/openshift/openshift-ansible/pull/8831


Version-Release number of selected component (if applicable):
openshift-ansible:v3.9

How reproducible:
always

Steps to Reproduce:
1. Deploy metrics v3.9 on v3.9
  openshift_metrics_install_metrics=True
  oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}

2. Upgrade OCP to v3.10

3. Check the cassandra logs in v3.10


Expected results:
The /cassandra_data/data directory can be accessed after the upgrade

Additional info:
Once v3.10 is redeployed via openshift-ansible:v3.10, Cassandra can access the directory /cassandra_data/data.

--- Additional comment from Anping Li on 2018-07-09 05:46:14 EDT ---

Shall we add this issue to the v3.10 release notes, and backport PR 8831 to v3.9?
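
Added example (not part of the bug report and not openshift-ansible code): a Python sketch of steps 1 and 2 that reads the namespace JSON and renders the matching securityContext as an `oc patch` command. It assumes fsGroup is the first ID of the supplemental-groups annotation, as in the values above; `SAMPLE_NAMESPACE`, the function names and the merge-patch approach are illustrative choices.

```python
import json

# Namespace object as returned by `oc get namespaces openshift-infra -o json`,
# reduced to the annotations shown in the bug report (constructed sample).
SAMPLE_NAMESPACE = json.loads("""
{"kind": "Namespace", "metadata": {"name": "openshift-infra", "annotations": {
  "openshift.io/sa.scc.mcs": "s0:c6,c5",
  "openshift.io/sa.scc.supplemental-groups": "1000040000/10000",
  "openshift.io/sa.scc.uid-range": "1000040000/10000"}}}
""")

MCS = "openshift.io/sa.scc.mcs"
GROUPS = "openshift.io/sa.scc.supplemental-groups"


def first_block_start(value):
    """Return the first ID of an annotation such as '1000040000/10000'.

    Also accepts the '<start>-<end>' form and a comma-separated list of blocks.
    """
    block = value.split(",")[0].strip()
    start = block.replace("-", "/").split("/")[0]
    if not start.isdigit():
        raise ValueError(f"unparseable ID block: {value!r}")
    return int(start)


def security_context_patch(namespace):
    """Build a merge patch for the RC pod template from namespace annotations."""
    ann = namespace.get("metadata", {}).get("annotations", {})
    missing = [k for k in (MCS, GROUPS) if not ann.get(k)]
    if missing:
        raise KeyError(f"namespace lacks annotations: {missing}")
    ctx = {
        "fsGroup": first_block_start(ann[GROUPS]),
        "seLinuxOptions": {"level": ann[MCS]},
    }
    # supplementalGroups is omitted on purpose so the RC's existing list is kept.
    return {"spec": {"template": {"spec": {"securityContext": ctx}}}}


def patch_command(namespace, rc="hawkular-cassandra-1"):
    """Render the oc invocation; the patch is only printed, never applied."""
    ns = namespace["metadata"]["name"]
    body = json.dumps(security_context_patch(namespace), separators=(",", ":"))
    return f"oc patch rc {rc} -n {ns} --type=merge -p '{body}'"


if __name__ == "__main__":
    print(patch_command(SAMPLE_NAMESPACE))
```

A replication controller does not restart running pods when its template changes, so the new securityContext applies only to pods created afterwards.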

Comment 1 Anping Li 2018-07-10 03:01:29 UTC
I think 1599241 should be in v3.9, so I cloned a bug to the documentation team for v3.10 to warn about this issue in the release notes. If the customer wants to decrease the downtime, they can follow the steps I provided.

Comment 2 Sara Thomas 2021-07-12 19:04:12 UTC
As of 4.1, Cassandra is deprecated: https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html#ocp-41-deprecated-features. Marking closed, won't fix.