Bug 1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt
Summary: [3.4] Containerized advanced installation fails due to missing CA certificate...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.1
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ---
: ---
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks: 1267746
TreeView+ depends on / blocked
 
Reported: 2017-02-06 16:28 UTC by Javier Ramirez
Modified: 2017-03-14 09:44 UTC (History)
8 users (show)

Fixed In Version: openshift-ansible-3.4.61-1.git.0.67ea55a.el7
Doc Type: Bug Fix
Doc Text:
Previously, containerized installations would fail if the path /etc/openshift existed prior to installation. This problem happened in the code that migrated configuration directories from 3.0 to 3.1 names and has been removed ensuring proper installation if /etc/openshift exists prior to installation.
Clone Of:
Environment:
Last Closed: 2017-03-06 16:38:27 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0448 0 normal SHIPPED_LIVE Important: ansible and openshift-ansible security and bug fix update 2017-03-06 21:36:25 UTC

Description Javier Ramirez 2017-02-06 16:28:03 UTC
Description of problem:
when going through the advanced installer we get the following :


TASK [openshift_node_certificates : fail] **************************************
fatal: [master.example.com]: FAILED! => {
    "changed": false,
    "failed": true
}

MSG:

CA certificate /etc/origin/master/ca.crt doesn't exist on CA host master.example.com. Apply 'openshift_ca' role to master.example.com.

Version-Release number of selected component (if applicable):
3.4.1.2

How reproducible:
Always

Steps to Reproduce:
1. Run the ansible playbook

Actual results:
Fails with:
TASK [openshift_node_certificates : fail] **************************************
fatal: [master.example.com]: FAILED! => {
    "changed": false, 
    "failed": true
}

MSG:

CA certificate /etc/origin/master/ca.crt doesn't exist on CA host master.example.com. Apply 'openshift_ca' role to master.example.com.


Expected results:
Successful installation.

Additional info:

Comment 9 Scott Dodson 2017-02-13 19:00:53 UTC
https://github.com/openshift/openshift-ansible/pull/3343 proposed fix

Comment 10 openshift-github-bot 2017-02-13 20:57:19 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/cba1d9e8bcc087c550ce3a4221cd08dc6eac1240
Fix Bug 1419654 Remove legacy config_base fallback to /etc/openshift

If a host had /etc/openshift but not /etc/origin we were setting the
config_base to /etc/openshift in some places but not all. This code was
transitional in order to migrate between 3.0 and 3.1. Given that current
playbooks are only supported when moving from the previous version to
current version this should no longer be necessary.

Comment 11 Scott Dodson 2017-02-13 21:00:19 UTC
release-1.4 backport https://github.com/openshift/openshift-ansible/pull/3344

Comment 13 Johnny Liu 2017-02-14 12:24:28 UTC
Try to reproduce this bug with openshift-ansible-3.4.56-1.git.0.7ba9968.el7.noarch, and create "/etc/openshift" dir in advance before installation, though the failed step is not the same one as initial report, still could be see CA path is pointing to "/etc/openshift/master/ca.crt", finally the installation failed at "Copy the admin client config" step.

<--snip-->
TASK [openshift_node_certificates : Ensure CA certificate exists on openshift_ca_host] ***
Tuesday 14 February 2017  08:59:05 +0000 (0:00:00.140)       0:20:27.254 ****** 
ok: [ec2-54-89-125-34.compute-1.amazonaws.com -> ec2-204-236-250-35.compute-1.amazonaws.com] => {"changed": false, "stat": {"atime": 1487062120.258258, "checksum": "092119d34ae47f1281580d24d11278948260041e", "ctime": 1487062096.388439, "dev": 51714, "executable": false, "exists": true, "gid": 0, "gr_name": "root", "inode": 33642408, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "md5": "88448b19d1721e9f7064afae23d8b06b", "mode": "0644", "mtime": 1487062075.053601, "nlink": 3, "path": "/etc/openshift/master/ca.crt", "pw_name": "root", "readable": true, "rgrp": true, "roth": true, "rusr": true, "size": 1070, "uid": 0, "wgrp": false, "woth": false, "writeable": true, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}

TASK [openshift_node_certificates : fail] **************************************
Tuesday 14 February 2017  08:59:05 +0000 (0:00:00.633)       0:20:27.888 ****** 
skipping: [ec2-54-89-125-34.compute-1.amazonaws.com] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
<--snip-->

TASK [openshift_projects : Copy the admin client config(s)] ********************
Tuesday 14 February 2017  09:10:41 +0000 (0:00:00.540)       0:32:03.318 ****** 
fatal: [ec2-204-236-250-35.compute-1.amazonaws.com]: FAILED! => {"changed": false, "cmd": ["cp", "/etc/origin/master/admin.kubeconfig", "/tmp/openshift-ansible-7B5yYa/admin.kubeconfig"], "delta": "0:00:00.002807", "end": "2017-02-14 04:10:40.483319", "failed": true, "rc": 1, "start": "2017-02-14 04:10:40.480512", "stderr": "cp: cannot stat ‘/etc/origin/master/admin.kubeconfig’: No such file or directory", "stdout": "", "stdout_lines": [], "warnings": []}

I think this the root cause.

Because the fix package - openshift-ansible-3.4.61-1.git.0.67ea55a.el7 is not attached to advisory, I move this bug's status to "MODIFIED"

Comment 14 Johnny Liu 2017-02-16 05:43:27 UTC
Now openshift-ansible-3.4.61-1.git.0.67ea55a.el7 is attached to advisory. So move this bug to ON_QA.

Comment 15 Johnny Liu 2017-02-16 05:43:47 UTC
Verified this bug with openshift-ansible-3.4.61-1.git.0.67ea55a.el7, and PASS.

1. Before installation, create /etc/openshift dir in advance.
2. Trigger a containerized installation.
3. Installation is finished successfully.
<--snip-->
TASK [openshift_node_certificates : Ensure CA certificate exists on openshift_ca_host] ***
Thursday 16 February 2017  03:03:56 +0000 (0:00:00.267)       0:19:16.328 ***** 
ok: [ec2-54-86-13-123.compute-1.amazonaws.com -> ec2-54-86-13-123.compute-1.amazonaws.com] => {"changed": false, "stat": {"atime": 1487213726.7270463, "checksum": "a189a7b405e4514b0963d2459847196c8f1c74bb", "ctime": 1487213699.4620621, "dev": 51714, "executable": false, "exists": true, "gid": 0, "gr_name": "root", "inode": 67177395, "isblk": false, "ischr": false, "isdir": false, "isfifo": false, "isgid": false, "islnk": false, "isreg": true, "issock": false, "isuid": false, "md5": "fd91f172651104ee5ea9f89f35ffe233", "mode": "0644", "mtime": 1487213675.738946, "nlink": 3, "path": "/etc/origin/master/ca.crt", "pw_name": "root", "readable": true, "rgrp": true, "roth": true, "rusr": true, "size": 1070, "uid": 0, "wgrp": false, "woth": false, "writeable": true, "wusr": true, "xgrp": false, "xoth": false, "xusr": false}}

TASK [openshift_node_certificates : fail] **************************************
Thursday 16 February 2017  03:03:56 +0000 (0:00:00.678)       0:19:17.007 ***** 
skipping: [ec2-54-86-13-123.compute-1.amazonaws.com] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
<--snip-->

Seen from the about output, CA path is pointing to "/etc/origin/master/ca.crt"

Comment 17 errata-xmlrpc 2017-03-06 16:38:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:0448


Note You need to log in before you can comment on or make changes to this bug.