Description of problem: When installing ose 3.0, ansible breaks for no "add-scc-to-user" option of command "oadm policy" in openshift v3.0.2.0-45-g423f434 version. Version-Release number of selected component (if applicable): openshift-ansible-3.0.40-1.git.22.da21865.el7aos.noarch openshift-ansible-roles-3.0.40-1.git.22.da21865.el7aos.noarch openshift-3.0.2.0-0.git.45.423f434.el7ose.x86_64 How reproducible: Always Steps to Reproduce: 1.Run 'atomic-openshift-installer install', choose "OpenShift Enterprise 3.0" Actual results: TASK: [openshift_serviceaccounts | Grant the user access to the privileged scc] *** failed: [10.66.x.x] => (item=['router', {u'cmd': [u'oc', u'get', u'scc', u'privileged', u'-o', u'yaml'], u'end': u'2016-02-15 10:39:47.004648', u'stderr': u'', u'stdout': u'allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n creationTimestamp: 2016-02-15T02:39:04Z\n name: privileged\n resourceVersion: "57"\n selfLink: /api/v1/securitycontextconstraints/privileged\n uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n type: RunAsAny\nseLinuxContext:\n type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller', 'item': 'privileged', u'changed': False, u'rc': 0, 'failed': False, u'warnings': [], u'delta': u'0:00:00.285601', 'invocation': {'module_name': u'command', 'module_complex_args': {}, 'module_args': u'oc get scc privileged -o yaml'}, 'stdout_lines': [u'allowHostDirVolumePlugin: true', u'allowHostNetwork: true', u'allowHostPorts: true', u'allowPrivilegedContainer: true', u'allowedCapabilities: null', u'apiVersion: v1', u'groups:', u'- system:cluster-admins', u'- system:nodes', u'kind: SecurityContextConstraints', u'metadata:', u' creationTimestamp: 2016-02-15T02:39:04Z', u' name: privileged', u' resourceVersion: "57"', u' selfLink: /api/v1/securitycontextconstraints/privileged', u' uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813', u'runAsUser:', u' type: RunAsAny', u'seLinuxContext:', u' type: RunAsAny', u'users:', u'- system:serviceaccount:openshift-infra:build-controller'], 'failed_when_result': False, u'start': u'2016-02-15 10:39:46.719047'}]) => {"changed": true, "cmd": ["oadm", "policy", "add-scc-to-user", "privileged", "system:serviceaccount:default:router"], "delta": "0:00:00.062577", "end": "2016-02-15 10:39:47.277234", "item": ["router", {"changed": false, "cmd": ["oc", "get", "scc", "privileged", "-o", "yaml"], "delta": "0:00:00.285601", "end": "2016-02-15 10:39:47.004648", "failed": false, "failed_when_result": false, "invocation": {"module_args": "oc get scc privileged -o yaml", "module_complex_args": {}, "module_name": "command"}, "item": "privileged", "rc": 0, "start": "2016-02-15 10:39:46.719047", "stderr": "", "stdout": "allowHostDirVolumePlugin: true\nallowHostNetwork: true\nallowHostPorts: true\nallowPrivilegedContainer: true\nallowedCapabilities: null\napiVersion: v1\ngroups:\n- system:cluster-admins\n- system:nodes\nkind: SecurityContextConstraints\nmetadata:\n creationTimestamp: 2016-02-15T02:39:04Z\n name: privileged\n resourceVersion: \"57\"\n selfLink: /api/v1/securitycontextconstraints/privileged\n uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813\nrunAsUser:\n type: RunAsAny\nseLinuxContext:\n type: RunAsAny\nusers:\n- system:serviceaccount:openshift-infra:build-controller", "stdout_lines": ["allowHostDirVolumePlugin: true", "allowHostNetwork: true", "allowHostPorts: true", "allowPrivilegedContainer: true", "allowedCapabilities: null", "apiVersion: v1", "groups:", "- system:cluster-admins", "- system:nodes", "kind: SecurityContextConstraints", "metadata:", " creationTimestamp: 2016-02-15T02:39:04Z", " name: privileged", " resourceVersion: \"57\"", " selfLink: /api/v1/securitycontextconstraints/privileged", " uid: 4711ed03-d38d-11e5-ac02-fa163ebf2813", "runAsUser:", " type: RunAsAny", "seLinuxContext:", " type: RunAsAny", "users:", "- system:serviceaccount:openshift-infra:build-controller"], "warnings": []}], "rc": 1, "start": "2016-02-15 10:39:47.214657", "warnings": []} stderr: error: unknown command "add-scc-to-user privileged system:serviceaccount:default:router" see 'oadm policy -h' for help. Expected results: Install without error Additional info:
Test with openshift-ansible-3.0.41-1.git.0.2446a82.el7aos.noarch Ansible will use old commands to do this step when installing ose-3.0 now, and ose-3.0 env could be installed successfully.
I made a slight modification to the fix for this bug today and it's now available in the lates puddle. The idea is that with the previous version if you re-ran the byo/config.yml against a 3.0 install it probably would have failed. This will avoid re-adding the scc policy to the user for 3.0 installs.
verify this bug with openshift-ansible-3.0.43-1.git.0.8ffeaf4.el7aos.noarch With the new openshift-ansible rpm, rerun playbooks/byo/config.yml to install an ose-3.0 env twice, installation are all successful.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:0311