Bug 1708552

Summary: Cisco ACI support in 3.11
Product: OpenShift Container Platform Reporter: Juan Luis de Sousa-Valadas <jdesousa>
Component: InstallerAssignee: Russell Teague <rteague>
Installer sub component: openshift-ansible QA Contact: Marc Curry <mcurry>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: adakopou, andreas.kurz, gpei, irathore, mcohen2, piqin, trankin, zzhao
Version: 3.11.0Flags: jdesousa: needinfo-
Target Milestone: ---   
Target Release: 3.11.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: Install Cisco ACI CNI plugin Result: Allows the user to use the Cisco ACI CNI plugin Ref: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_Cisco_ACI_and_OpenShift_Integration.html
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-26 09:08:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Requested deployment file none

Description Juan Luis de Sousa-Valadas 2019-05-10 08:13:53 UTC 
Description of problem:
My customer needs cisco ACI integrated in the installer.

This is merged in upstream:
* 19f401159 (tag: openshift-ansible-3.11.112-1) Automatic commit of package [openshift-ansible] release [3.11.112-1].
[...]
* |   f444e84f0 Merge pull request #11568 from noironetworks/aci-release-3.11
|\ \  
| * | 4340af6a3 Fix typo in Cisco ACI roles
[...]
* |   c8656b0f4 Merge pull request #11507 from noironetworks/release-3.11

So the request is:
1- Create an RHBA for openshift-ansible 3.11.112-1 or newer so that we can track this from support
2- If possible, an ETA

Version-Release number of the following components:
openshift-ansible-3.11.112-1

How reproducible:
N/A

Steps to Reproduce:
N/A

Actual results:
N/A

Expected results:

Additional info:
The customer also requested the same for 3.10: https://bugzilla.redhat.com/show_bug.cgi?id=1708197
Curently their upgrade is blocked.
Comment 1 Russell Teague 2019-05-10 14:58:37 UTC 
This feature is already merged but needs testing.
openshift-ansible-3.11.112-1 and newer
Comment 3 zhaozhanqi 2019-06-14 10:00:01 UTC 
this bug need the 'aci_deployment_yaml_file' when installing the cisco network cni. which need to use the 'acc-provision' tool to generate that.When I was trying to download the tool from cisco.com. it need 'Contract Number' or 'Product Serial Number'. So I do not have a way to download it.

Assign this bug to reporter

Juan Luis de Sousa-Valadas  could you help verified this bug?
Comment 4 Juan Luis de Sousa-Valadas 2019-06-14 10:16:01 UTC 
No, I can't because I don't have access either.
I just got the requirement from a customer throguh the customer portal saying they need this.

I'll assign it to Marc Curry to see if he can help. My understanding the partner, cisco, should do this.

Copying the same messae for the 3.11 branch
Comment 6 Mike Cohen 2019-06-18 16:16:11 UTC 
No problem, I can send you the aci deployment file. Do you have ACI or are you using it without ACI. I was also told you need acc_provision utility, you can use pip to install it. We can get on a call if you need more clarification.
Comment 7 Mike Cohen 2019-06-18 19:36:41 UTC 
I dont thin you guys have access to an ACI cluster. The acc_provision will not help, acc_provision utility is the one that generates the deployment file it is not available on CCO. I am attaching the generated deployment file, but without ACI the CNI will not come up which means you will not be able to verify the deployment completely.

We can also get on a webex where I can let you test it on our ACI cluster, we have everything ready to go in that case.
Comment 8 Mike Cohen 2019-06-18 19:37:16 UTC 
Created attachment 1581871 [details]
Requested deployment file

I dont thin you guys have access to an ACI cluster. The acc_provision will not help, acc_provision utility is the one that generates the deployment file it is not available on CCO. I am attaching the generated deployment file, but without ACI the CNI will not come up which means you will not be able to verify the deployment completely.

We can also get on a webex where I can let you test it on our ACI cluster, we have everything ready to go in that case.
Comment 10 zhaozhanqi 2019-06-19 10:04:23 UTC 
hi Mike:

I'm not sure what's make above happen since I'm not familiar the Cisco CNI. but seems it's not related this bug according to the fixed PR #https://github.com/openshift/openshift-ansible/pull/11507. 

From the ansible logs:

TASK [aci : Annotate namespace created] ****************************************
task path: /home/slave3/workspace/Run-Ansible-Playbooks-Nextge/private-openshift-ansible/roles/aci/tasks/main.yml:25
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> ESTABLISH SSH CONNECTION FOR USER: root
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/home/slave3/workspace/Run-Ansible-Playbooks-Nextge/private/config/keys/libra.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/slave3/.ansible/cp/%C vm-10-0-76-240.hosted.upshift.rdu2.redhat.com '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> ESTABLISH SSH CONNECTION FOR USER: root
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/home/slave3/workspace/Run-Ansible-Playbooks-Nextge/private/config/keys/libra.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/slave3/.ansible/cp/%C vm-10-0-76-240.hosted.upshift.rdu2.redhat.com '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> ESTABLISH SSH CONNECTION FOR USER: root
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/home/slave3/workspace/Run-Ansible-Playbooks-Nextge/private/config/keys/libra.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/slave3/.ansible/cp/%C vm-10-0-76-240.hosted.upshift.rdu2.redhat.com '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
<vm-10-0-76-240.hosted.upshift.rdu2.redhat.com> (0, '\n{"changed": true, "end": "2019-06-19 05:10:43.302137", "stdout": "namespace \\"openshift-console\\" annotated", "cmd": ["oc", "annotate", "namespace", "openshift-console", "opflex.cisco.com/endpoint-group={\\"policy-space\\":\\"nested_oshift_domain\\", \\"name\\": \\"kubernetes|kube-system\\"}", "--overwrite=True"], "rc": 0, "start": "2019-06-19 05:10:43.097130", "stderr": "", "delta": "0:00:00.205007", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": false, "_raw_params": "oc annotate namespace openshift-console opflex.cisco.com/endpoint-group=\'{\\"policy-space\\":\\"nested_oshift_domain\\", \\"name\\": \\"kubernetes|kube-system\\"}\' --overwrite=True", "removes": null, "creates": null, "chdir": null, "stdin": null}}}\n', '')
changed: [vm-10-0-77-6.hosted.upshift.rdu2.redhat.com -> vm-10-0-76-240.hosted.upshift.rdu2.redhat.com] => (item=openshift-console) => {
    "changed": true, 
    "cmd": [
        "oc", 
        "annotate", 
        "namespace", 
        "openshift-console", 
        "opflex.cisco.com/endpoint-group={\"policy-space\":\"nested_oshift_domain\", \"name\": \"kubernetes|kube-system\"}", 
        "--overwrite=True"
    ], 
    "delta": "0:00:00.205007", 
    "end": "2019-06-19 05:10:43.302137", 
    "failed": false, 
    "invocation": {
        "module_args": {
            "_raw_params": "oc annotate namespace openshift-console opflex.cisco.com/endpoint-group='{\"policy-space\":\"nested_oshift_domain\", \"name\": \"kubernetes|kube-system\"}' --overwrite=True", 
            "_uses_shell": false, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "warn": true
        }
    }, 
    "item": "openshift-console", 
    "rc": 0, 
    "start": "2019-06-19 05:10:43.097130", 
    "stderr": "", 
    "stderr_lines": [], 
    "stdout": "namespace \"openshift-console\" annotated", 
    "stdout_lines": [
        "namespace \"openshift-console\" annotated"
    ]
}

the fixed PR is working well. So this bug should be fixed.  if so, I will verify this bug. Please correct me if I'm wrong.
Comment 11 Mike Cohen 2019-06-20 00:24:20 UTC 
You are correct. You can mark it as verified.
Comment 12 zhaozhanqi 2019-06-20 02:34:34 UTC 
Verified this bug according to above comment.
Comment 13 Antonios Dakopoulos 2019-06-25 17:58:34 UTC 
Hello Juan Luis,
Per the RH Case,  it was mentioned that both 3.10 and 3.11 fixes will be available today, June 25th

Can we confirm if this will be available today and what is the delivery model to share with Cisco ACI?

Any feedback would be appreciated..

-Antonios
Comment 15 errata-xmlrpc 2019-06-26 09:08:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:1605