Bug 1808068
| Summary: | openshift-ca.crt replaced during 3.11.104 to 3.11.157 upgrade | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | dtarabor |
| Component: | Installer | Assignee: | Russell Teague <rteague> |
| Installer sub component: | openshift-ansible | QA Contact: | Gaoyun Pei <gpei> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | low | ||
| Priority: | low | CC: | cscribne, dominik.mierzejewski, rteague |
| Version: | 3.11.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 3.11.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
Cause: Missing mounts on the sync pod to the pki directory
Consequence: The openshift-ca.crt found was not accessible and was recreated.
Fix: Add the missing mounts and volumes to the sync pod.
Result: The openshift-ca.crt file is accessible in the sync pod.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-05-28 05:44:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1826448 | ||
| Bug Blocks: | |||
|
Description
dtarabor
2020-02-27 18:13:24 UTC
This is the patch that was applied to rectify the issue.
--- /usr/share/ansible/openshift-ansible/roles/openshift_node_group/files/sync.yaml 2019-12-02 09:21:20.000000000 +0100
+++ /usr/share/ansible/openshift-ansible/roles/openshift_node_group/files/sync.yaml.fix 2020-02-21 17:03:00.000000000 +0100
@@ -226,6 +226,8 @@
readOnly: true
- mountPath: /etc/pki
name: host-pki
+ - mountPath: /usr/share/pki
+ name: host-pki-usr
volumes:
# In bootstrap mode, the host config contains information not easily available
@@ -246,6 +248,10 @@
path: /etc/pki
type: ""
name: host-pki
+ - hostPath:
+ path: /usr/share/pki
+ type: ""
+ name: host-pki-usr
# Sync daemonset should tolerate all taints to make sure it runs on all nodes
tolerations:
- operator: "Exists"
We've had some issues with 3.11 CI that have been resolved and the PR merged. The change will be picked up by QE and tested before shipping in the next release. Thanks for the info.
With using openshift-ansible-3.11.218-1.git.0.6f55149.el7.noarch, either for fresh install or upgrade from previous 3.11, the /usr/share/pki is also mounted to node sync pod.
[root@gpei-311bmaster-etcd-nfs-1 ~]# ls /usr/share/pki/ca-trust-source/anchors
test.crt
[root@gpei-311bmaster-etcd-nfs-1 ~]# oc describe -n openshift-node pod sync-ngmpq
...
Volumes:
...
host-pki:
Type: HostPath (bare host directory volume)
Path: /etc/pki
HostPathType:
host-pki-usr:
Type: HostPath (bare host directory volume)
Path: /usr/share/pki
HostPathType:
[root@gpei-311bmaster-etcd-nfs-1 ~]# oc -n openshift-node rsh sync-ngmpq
sh-4.2# ls /usr/share/pki/ca-trust-source/anchors
test.crt
So it should be OK to move this bug to verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:2215 |