Bug 1314260 - Not able to login fluentd pod by "oc rsh" command
Not able to login fluentd pod by "oc rsh" command
Product: OpenShift Origin
Classification: Red Hat
Component: Logging (Show other bugs)
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Luke Meyer
: Regression
Depends On:
  Show dependency treegraph
Reported: 2016-03-03 05:02 EST by Xia Zhao
Modified: 2016-09-29 22:16 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-05-12 13:11:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 1 Xia Zhao 2016-03-03 05:12:31 EST
More info:
1. I meant to log in the same fluentd container with "docker exec" command from docker backend in #1 of "Additional info:"
2. The other logging pods are all accessible by "oc rsh"
3. I already added this line in scc/privileged:
- system:serviceaccount:logging:aggregated-logging-fluentd
4. This test is done with cluster-admin role user
Comment 4 Luke Meyer 2016-03-03 10:37:16 EST
Eric created https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter/issues/16

@xia can you test with fluentd K8S_HOST_URL=https://kubernetes.default.svc.cluster.local/ ?
Comment 5 Xia Zhao 2016-03-04 02:13:22 EST
Adding K8S_HOST_URL=https://kubernetes.default.svc.cluster.local/ did not enable me to shell into fluentd pod. I added the project admin user name into scc/privileged and then I was able to oc rsh into fluentd pod. 

I'm not quiet sure about how the ability to shell into a pod related with these rules in privileged scc:

oc edit scc/privileged
allowEmptyDirVolumePlugin: true
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: null 

Seems we can add these info into the logging deployment doc to inform end user how should they do to enable themselves to shell into fluentd pod.
Comment 7 Xia Zhao 2016-03-07 01:34:06 EST
@ewolinet @lmeyer Sorry that I misunderstand you in my previous comment. Tested with K8S_HOST_URL=https://kubernetes.default.svc.cluster.local in fluentd deamonset and the error message "Connection refused" and error stacks in fluentd pod log disappeared.
Comment 8 Xia Zhao 2016-03-07 21:15:09 EST
Verified with latest images built from logging upstream. Closing as fixed.

Note You need to log in before you can comment on or make changes to this bug.