Bug 1328822
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | build strategy Source is not allowed after upgrade | | |
| Product | OpenShift Container Platform | Reporter | Anping Li <anli> |
| Component | Cluster Version Operator | Assignee | Scott Dodson <sdodson> |
| Status | CLOSED ERRATA | QA Contact | Anping Li <anli> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 3.2.0 | CC | aos-bugs, bleanhar, jliggitt, jokerman, mmccomas, tdawson |
| Target Milestone | --- | Keywords | TestBlocker |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-05-12 16:36:16 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
We had two of the developers familiar with policy review the commands that were being run and we made one update: https://github.com/openshift/openshift-ansible/pull/1784

Aside from that it seems one potential problem is that the commands run as part of the test don't match exactly what we're running. We're setting a lot of --exclude flags on the reconcile-cluster-role-bindings call, for example. It makes me wonder if we should update the test case.

Now, as to why you could run the build after upgrade, we should continue to debug that if it's reproducible. I wasn't able to reproduce it but I'll try again when I get a chance.

Jordan, could this be related to https://github.com/openshift/origin/pull/8528 in any way? The timing of the 3.2.0.18 and that PR are pretty close.

https://github.com/openshift/origin/pull/8528 did the following:

1. removed source build permission from the admin role
2. added a new role containing only source build permission
3. changed the default policy to give the new role to all authenticated users

When ansible automatically reconciles policy on upgrade, it should do the following:

1. update roles with any new permissions
2. update any default role grants (EXCLUDING new grants to all authenticated users)

When ansible does step 1, it runs reconcile-cluster-roles, and doesn't specify --additive-only=true mode: https://github.com/openshift/openshift-ansible/blob/master/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml#L151

That means the source build permission was removed from the existing admin role, and the new role wasn't given to all users (since we don't automatically grant new roles to all users on upgrade).

We should update ansible to run the role reconcile in --additive-only=true mode as well. I also think we should change the command's default to `true`, to avoid removing permissions from existing working policies. If cluster admins want to tighten roles to their default permissions, they can always run the command in --additive-only=false themselves.

Ansible fix in https://github.com/openshift/openshift-ansible/pull/1791
Origin fix in https://github.com/openshift/origin/pull/8603
Either is sufficient to resolve this bz.

Should be fixed in openshift-ansible-3.0.84-1.git.0.04b5245.el7

We can do a build after upgrade with the fix, so move bug to verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2016:1064
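The role-reconcile behaviour described in the comments above, as an added constructed model (not Origin's or openshift-ansible's code; role, rule and subject names are simplified placeholders): it shows why reconciling roles without `--additive-only=true` strips the moved source-build permission from an existing `admin` role while the binding reconcile, which skips new grants to all authenticated users, never hands the replacement role out.

```python
# Constructed model of the upgrade described above: not Origin's policy code.
# Role names, rule names and subjects are simplified placeholders.
from copy import deepcopy

# Cluster policy as it existed before the upgrade (constructed).
EXISTING_ROLES = {"admin": {"builds/source", "pods", "services"}}
EXISTING_BINDINGS = {"admin": {"user:developer"}}

# New default policy after origin PR 8528: the source build permission is moved
# out of admin into its own role, which the defaults grant to all authenticated users.
NEW_DEFAULT_ROLES = {
    "admin": {"pods", "services"},
    "system:build-strategy-source": {"builds/source"},
}
NEW_DEFAULT_BINDINGS = {
    "admin": {"user:developer"},
    "system:build-strategy-source": {"system:authenticated"},
}

def reconcile_roles(existing, defaults, additive_only):
    """Non-additive mode overwrites each existing role with the default rules;
    additive-only mode merges default rules in and never drops a rule."""
    result = deepcopy(existing)
    for name, rules in defaults.items():
        result[name] = (result.get(name, set()) | rules) if additive_only else set(rules)
    return result

def reconcile_bindings(existing, defaults):
    """Binding reconcile on upgrade adds default grants but skips new grants
    to system:authenticated, as the comments describe."""
    result = deepcopy(existing)
    for role, subjects in defaults.items():
        current = result.setdefault(role, set())
        current |= {s for s in subjects if s != "system:authenticated" or s in current}
    return result

def allowed(roles, bindings, user, rule):
    """True if the user, or the implicit system:authenticated group, holds a role granting rule."""
    subjects = {user, "system:authenticated"}
    return any(rule in roles.get(role, set()) and bool(subjects & bound)
               for role, bound in bindings.items())

def source_build_allowed_after_upgrade(additive_only):
    roles = reconcile_roles(EXISTING_ROLES, NEW_DEFAULT_ROLES, additive_only)
    bindings = reconcile_bindings(EXISTING_BINDINGS, NEW_DEFAULT_BINDINGS)
    return allowed(roles, bindings, "user:developer", "builds/source")

if __name__ == "__main__":
    print("reconcile without --additive-only:", source_build_allowed_after_upgrade(False))
    print("reconcile with --additive-only=true:", source_build_allowed_after_upgrade(True))
```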
Created attachment 1149038 [details] upgrade logs for this issue

Description of problem: Install OSE 3.1 using v3.2 playbooks, and then upgrade it to OSE 3.2. After upgrade, the build failed because the cluster-role-bindings and sccs reconciliation didn't take effect.

Version-Release number of selected component (if applicable): openshift-ansible-filter-plugins-3.0.80

How reproducible: always

Steps to Reproduce:

1. install OSE 3.1 using openshift-ansible-filter-plugins-3.0.80
2. As a normal user, create a new project and create the cakephp-mysql-example application
3. upgrade to OSE 3.2
4. build applications: `oc start-build cakephp-mysql-example`
5. check role reconcile: `oadm policy reconcile-cluster-roles`, `oadm policy reconcile-cluster-role-bindings`, `oadm policy reconcile-sccs --confirm`

Actual results:

4. build failed

```
# oc start-build cakephp-mysql-example
Error from server: buildconfigs "cakephp-mysql-example" is forbidden: build strategy Source is not allowed
```

5. policy reconcile for cluster-role-bindings and sccs didn't take effect.

```
# oadm policy reconcile-cluster-roles
[root@osecontain-master1 ~]# #oadm policy reconcile-cluster-role-bindings
# oadm policy reconcile-cluster-role-bindings
apiVersion: v1
items:
- apiVersion: v1
  groupNames:
  - system:authenticated:oauth
  - system:authenticated
<--skip--->
<--skip--->
  subjects:
  - kind: SystemGroup
    name: system:authenticated
  userNames: null
kind: List
metadata: {}
# oadm policy reconcile-sccs
apiVersion: v1
items:
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegedContainer: false
  allowedCapabilities: null
  apiVersion: v1
  defaultAddCapabilities: null
  fsGroup:
    type: RunAsAny
  kind: SecurityContextConstraints
<--skip--->
<--skip--->
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - secret
kind: List
metadata: {}
```

Expected results:

Additional info: