Bug 1308411 - Fail to install OSE 3.0 for no add-scc-to-user command
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
3.0.0
Unspecified Unspecified
medium Severity medium
Assigned To: Brenton Leanhardt
Ma xiaoqiang
Reported: 2016-02-15 01:38 EST by Gaoyun Pei
Modified: 2016-07-03 20:46 EDT
Fixed In Version: openshift-ansible-3.0.41-1.git.0.2446a82.el7aos
Doc Type: Bug Fix
Last Closed: 2016-02-29 07:57:57 EST
Type: Bug
Description Gaoyun Pei 2016-02-15 01:38:07 EST
Description of problem:
When installing OSE 3.0, Ansible breaks because there is no "add-scc-to-user" option for the "oadm policy" command in OpenShift version v3.0.2.0-45-g423f434.


Version-Release number of selected component (if applicable):
openshift-ansible-3.0.40-1.git.22.da21865.el7aos.noarch
openshift-ansible-roles-3.0.40-1.git.22.da21865.el7aos.noarch
openshift-3.0.2.0-0.git.45.423f434.el7ose.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Run 'atomic-openshift-installer install', choose "OpenShift Enterprise 3.0"


Actual results:
TASK: [openshift_serviceaccounts | Grant the user access to the privileged scc] *** 
failed: [10.66.x.x] => (item=['router', {u'cmd': [u'oc', u'get', u'scc', u'privileged', u'-o', u'yaml'], u'end': u'2016-02-15 10:39:47.004648', u'stderr': u'', u'stdout': u'allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n  creationTimestamp: 2016-02-15T02:39:04Z\n  name: privileged\n  resourceVersion: "57"\n  selfLink: /api/v1/securitycontextconstraints/privileged\n  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n  type: RunAsAny\nseLinuxContext:\n  type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller', 'item': 'privileged', u'changed': False, u'rc': 0, 'failed': False, u'warnings': [], u'delta': u'0:00:00.285601', 'invocation': {'module_name': u'command', 'module_complex_args': {}, 'module_args': u'oc get scc privileged -o yaml'}, 'stdout_lines': [u'allowHostDirVolumePlugin: true', u'allowHostNetwork: true', u'allowHostPorts: true', u'allowPrivilegedContainer: true', u'allowedCapabilities: null', u'apiVersion: v1', u'groups:', u'- system:cluster-admins', u'- system:nodes', u'kind: SecurityContextConstraints', u'metadata:', u'  creationTimestamp: 2016-02-15T02:39:04Z', u'  name: privileged', u'  resourceVersion: "57"', u'  selfLink: /api/v1/securitycontextconstraints/privileged', u'  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813', u'runAsUser:', u'  type: RunAsAny', u'seLinuxContext:', u'  type: RunAsAny', u'users:', u'- system:serviceaccount:openshift-infra:build-controller'], 'failed_when_result': False, u'start': u'2016-02-15 10:39:46.719047'}]) => {"changed": true, "cmd": ["oadm", "policy", "add-scc-to-user", "privileged", "system:serviceaccount:default:router"], "delta": "0:00:00.062577", "end": "2016-02-15 10:39:47.277234", "item": ["router", {"changed": false, "cmd": ["oc", "get", "scc", "privileged", "-o", "yaml"], "delta": 
"0:00:00.285601", "end": "2016-02-15 10:39:47.004648", "failed": false, "failed_when_result": false, "invocation": {"module_args": "oc get scc privileged -o yaml", "module_complex_args": {}, "module_name": "command"}, "item": "privileged", "rc": 0, "start": "2016-02-15 10:39:46.719047", "stderr": "", "stdout": "allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n  creationTimestamp: 2016-02-15T02:39:04Z\n  name: privileged\n  resourceVersion: \"57\"\n  selfLink: /api/v1/securitycontextconstraints/privileged\n  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n  type: RunAsAny\nseLinuxContext:\n  type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller", "stdout_lines": ["allowHostDirVolumePlugin: true", "allowHostNetwork: true", "allowHostPorts: true", "allowPrivilegedContainer: true", "allowedCapabilities: null", "apiVersion: v1", "groups:", "- system:cluster-admins", "- system:nodes", "kind: SecurityContextConstraints", "metadata:", "  creationTimestamp: 2016-02-15T02:39:04Z", "  name: privileged", "  resourceVersion: \"57\"", "  selfLink: /api/v1/securitycontextconstraints/privileged", "  uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813", "runAsUser:", "  type: RunAsAny", "seLinuxContext:", "  type: RunAsAny", "users:", "- system:serviceaccount:openshift-infra:build-controller"], "warnings": []}], "rc": 1, "start": "2016-02-15 10:39:47.214657", "warnings": []}
stderr: error: unknown command "add-scc-to-user privileged system:serviceaccount:default:router"
see 'oadm policy -h' for help.


Expected results:
Install without error

Additional info:
Comment 3 Gaoyun Pei 2016-02-15 21:52:55 EST
Test with openshift-ansible-3.0.41-1.git.0.2446a82.el7aos.noarch

Ansible will use old commands to do this step when installing ose-3.0 now, and ose-3.0 env could be installed successfully.
Comment 4 Brenton Leanhardt 2016-02-16 16:01:48 EST
I made a slight modification to the fix for this bug today and it's now available in the latest puddle.  The idea is that with the previous version if you re-ran the byo/config.yml against a 3.0 install it probably would have failed.  This will avoid re-adding the scc policy to the user for 3.0 installs.
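
The idea described in Comment 4, skipping the grant when the account is already listed in the SCC, sketched as an added example; it is not the openshift-ansible fix and not code from this report. It parses the `oc get scc privileged -o yaml` output shown in the task log (abridged here); `scc_list` and `pending_grants` are hypothetical names.

```python
# Added example: make the SCC grant idempotent by checking membership first.
# SAMPLE_SCC is abridged from the `oc get scc privileged -o yaml` stdout in
# the task log of this report (metadata shortened).
SAMPLE_SCC = """\
allowPrivilegedContainer: true
apiVersion: v1
groups:
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
  name: privileged
runAsUser:
  type: RunAsAny
users:
- system:serviceaccount:openshift-infra:build-controller
"""


def scc_list(yaml_text, key):
    """Return the items of a top-level YAML list such as users or groups."""
    items, inside = [], False
    for line in yaml_text.splitlines():
        if not inside:
            inside = line.rstrip() == key + ":"
        elif line.lstrip().startswith("- "):
            items.append(line.lstrip()[2:].strip().strip("\"'"))
        elif line.strip():
            break  # the next key ends the list
    return items


def pending_grants(yaml_text, namespace, accounts):
    """Service accounts (hypothetical helper) not yet in the SCC's users."""
    current = set(scc_list(yaml_text, "users"))
    wanted = ["system:serviceaccount:%s:%s" % (namespace, a) for a in accounts]
    return [user for user in wanted if user not in current]


if __name__ == "__main__":
    # First run: router is missing, so exactly one grant is needed.
    print(pending_grants(SAMPLE_SCC, "default", ["router"]))
    # Re-run after the grant (constructed): nothing left to add.
    granted = SAMPLE_SCC + "- system:serviceaccount:default:router\n"
    print(pending_grants(granted, "default", ["router"]))
    # Review view: every subject that currently holds the privileged SCC.
    print(scc_list(granted, "users") + scc_list(granted, "groups"))
```

The same `scc_list` output doubles as a review of which users and groups currently hold the privileged SCC.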
Comment 5 Gaoyun Pei 2016-02-17 02:44:55 EST
verify this bug with openshift-ansible-3.0.43-1.git.0.8ffeaf4.el7aos.noarch

With the new openshift-ansible rpm, rerun playbooks/byo/config.yml to install an ose-3.0 env twice; the installations are all successful.
Comment 7 errata-xmlrpc 2016-02-29 07:57:57 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0311
