Bug 1447019 - Include Audit configuration in the installation process (Ansible OCP inventory)
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.5.0
Hardware / OS: Unspecified / Unspecified
Priority: high
Severity: high
Target Release: 3.5.z
Assigned To: Russell Teague
QA Contact: Gaoyun Pei
Keywords: Reopened
Blocks: 1454370 1454377
Reported: 2017-05-01 04:29 EDT by Jaspreet Kaur
Modified: 2017-06-15 14:38 EDT
CC: 8 users
Doc Type: Bug Fix
Doc Text: Adjusted conditionals to allow audit configuration for non-ha environments.
Clones: 1454370 1454377
Last Closed: 2017-06-15 14:38:10 EDT
Type: Bug

External Trackers:
Red Hat Product Errata RHBA-2017:1425 (priority normal, status SHIPPED_LIVE): OpenShift Container Platform 3.5, 3.4, 3.3, and 3.2 bug fix update. Last updated 2017-06-15 18:35:53 EDT.
Description Jaspreet Kaur 2017-05-01 04:29:33 EDT
1. Proposed title of this feature request

Include Audit configuration in the installation process (Ansible OCP inventory)

2. What is the nature and description of the request?

The OCP Audit configuration [1] can only be configured manually.
We would like to be able to configure it at installation time, setting Ansible variables in the inventory for the different options, the same way it is done for other configuration types [2].

These are the options that the audit config allows:
* enabled
* auditFilePath
* MaximumFileRetentionDays
* MaximumRetainedFiles
* MaximumFileSizeMegabytes

5. How would the customer like to achieve this? (List the functional requirements here)

The above parameters should be configured at installation time in inventory.
Comment 2 Brenton Leanhardt 2017-05-01 10:36:18 EDT
This is already possible today. The value mentioned in https://github.com/openshift/openshift-ansible/pull/2149/files shows that the raw JSON is passed to Ansible, which will be stored in the Master configuration. All documented audit configuration parameters will work.
Comment 3 Jaspreet Kaur 2017-05-09 08:53:14 EDT
Tried to use the below parameter in the inventory for installation, but I do not see this configuration added in master-config after successful deployment:

openshift_master_audit_config={"enabled": true}


oc version
oc v3.4.1.18
kubernetes v1.4.0+776c994
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://ham1.example.com:8443
openshift v3.4.1.18
kubernetes v1.4.0+776c994
Comment 4 Brenton Leanhardt 2017-05-09 10:19:05 EDT
Jaspreet, can you attach the generated master configuration?
Comment 7 Brenton Leanhardt 2017-05-17 08:34:02 EDT
What version of openshift-ansible are you using?
Comment 8 Jaspreet Kaur 2017-05-17 08:45:30 EDT
Here are the details :

rpm -qa  | grep openshift
atomic-openshift-3.4.1.18-1.git.0.0f9d380.el7.x86_64
atomic-openshift-node-3.4.1.18-1.git.0.0f9d380.el7.x86_64
openshift-ansible-docs-3.4.74-1.git.0.6542413.el7.noarch
openshift-ansible-callback-plugins-3.4.74-1.git.0.6542413.el7.noarch
atomic-openshift-clients-3.4.1.18-1.git.0.0f9d380.el7.x86_64
atomic-openshift-master-3.4.1.18-1.git.0.0f9d380.el7.x86_64
tuned-profiles-atomic-openshift-node-3.4.1.18-1.git.0.0f9d380.el7.x86_64
openshift-ansible-3.4.74-1.git.0.6542413.el7.noarch
openshift-ansible-filter-plugins-3.4.74-1.git.0.6542413.el7.noarch
openshift-ansible-roles-3.4.74-1.git.0.6542413.el7.noarch
atomic-openshift-utils-3.4.74-1.git.0.6542413.el7.noarch
atomic-openshift-sdn-ovs-3.4.1.18-1.git.0.0f9d380.el7.x86_64
openshift-ansible-lookup-plugins-3.4.74-1.git.0.6542413.el7.noarch
openshift-ansible-playbooks-3.4.74-1.git.0.6542413.el7.noarch
Comment 9 Brenton Leanhardt 2017-05-17 09:13:14 EDT
Jianlin, would you mind confirming if we have a bug with our openshift_master_audit_config setting or not?

It could be that the logic we have to optionally set that code is no longer working. Given that we branch openshift-ansible now, I think the "and openshift.common.version_gte_3_2_or_1_2" logic could be completely removed.

roles/openshift_master/templates/master.yaml.v1.j2:{% if openshift.master.audit_config | default(none) is not none and openshift.common.version_gte_3_2_or_1_2 | bool %}
Comment 10 Johnny Liu 2017-05-17 22:16:51 EDT
@gepi, could you help answer comment 9? This is kind of similar to BZ#1439619.
Comment 11 Gaoyun Pei 2017-05-18 04:24:02 EDT
Brenton, not sure if Jaspreet was trying a non-ha master installation. In our master.yaml jinja2 template, there's another condition for auditConfig options to be added in master-config[1]

With openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/audit-ocp.log", "maximumFileRetentionDays": 10,"maximumRetainedFiles": 10,"maximumFileSizeMegabytes": 100}
setting in ansible inventory, for ha master cluster installation, the Audit options could be configured correctly in master-config.yaml.
[root@ip-172-18-11-189 ~]# grep -A 4 audit /etc/origin/master/master-config.yaml
auditConfig:
  auditFilePath: /var/log/audit-ocp.log
  enabled: true
  maximumFileRetentionDays: 10
  maximumFileSizeMegabytes: 100
  maximumRetainedFiles: 10

Test with openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm

If the audit configurations were only expected to be used for ha-master cluster, I think we could add some additional description in the doc, or we could remove the openshift_master_ha condition check if not.

[1] https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L47
Comment 12 Jaspreet Kaur 2017-05-18 04:46:08 EDT
Yes, I had a non-ha env.

Shouldn't this feature be applicable for both ?
Comment 13 Brenton Leanhardt 2017-05-18 09:11:57 EDT
That's a great catch Gaoyun.  I think this is just a bug for non-ha environments.  It should be easy to move the audit logging configuration outside the {% if openshift_master_ha | bool %} block.
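The failure mode in comments 3, 11 and 13 is silent: the inventory variable is accepted, the install succeeds, and the non-HA master simply has no auditConfig block, so API audit logging is off while the operator believes it is on. The check below is an added example for this discussion, not code from the bug or from openshift-ansible: it parses the `openshift_master_audit_config` inventory line as raw JSON (the pass-through comment 2 describes), pulls the top-level `auditConfig:` block out of a rendered master-config.yaml without needing PyYAML, and reports any key the installer dropped or changed. The key spellings are taken from the verified grep output in comments 11 and 18; the sample master-config fragments are constructed, and the keys surrounding the block (`apiVersion`, `kind`) are illustrative only.

```python
"""Post-install check: did the audit settings in the Ansible inventory reach
/etc/origin/master/master-config.yaml? Added example for bug 1447019; not code
from the bug or from openshift-ansible. Standard library only."""
import json
from typing import Dict, List, Optional

# Key spellings as shown in the verified master-config.yaml on this bug
# (comments 11 and 18). Anything else is flagged rather than passed through.
AUDIT_KEYS = {
    "enabled",
    "auditFilePath",
    "maximumFileRetentionDays",
    "maximumRetainedFiles",
    "maximumFileSizeMegabytes",
}


def parse_inventory_audit_var(line: str) -> Dict[str, object]:
    """Parse an 'openshift_master_audit_config={...}' inventory line.
    The installer passes the value through as raw JSON (comment 2), so it must
    be valid JSON: double quotes, lowercase true/false. Raises ValueError."""
    name, sep, value = line.partition("=")
    if not sep or name.strip() != "openshift_master_audit_config":
        raise ValueError("not an openshift_master_audit_config line")
    cfg = json.loads(value)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(cfg, dict):
        raise ValueError("audit config must be a JSON object")
    unknown = set(cfg) - AUDIT_KEYS
    if unknown:
        raise ValueError(f"unexpected audit keys: {sorted(unknown)}")
    return cfg


def inventory_line_is_valid(line: str) -> bool:
    """True when parse_inventory_audit_var would accept the line."""
    try:
        parse_inventory_audit_var(line)
    except ValueError:
        return False
    return True


def extract_audit_config(master_config_text: str) -> Optional[Dict[str, str]]:
    """Return the top-level auditConfig: block of a rendered master-config.yaml
    as {key: raw scalar text}, or None when the block is absent (the non-HA
    symptom from comment 3)."""
    found = False
    block: Dict[str, str] = {}
    for raw in master_config_text.splitlines():
        if not found:
            if raw.rstrip() == "auditConfig:":  # unindented, so top-level
                found = True
            continue
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # next top-level key ends the block
            break
        key, _, value = raw.strip().partition(":")
        block[key.strip()] = value.strip()
    return block if found else None


def audit_config_problems(inventory_line: str, master_config_text: str) -> List[str]:
    """Compare what the inventory asked for with what the installer rendered.
    Empty list means every requested audit setting landed."""
    wanted = parse_inventory_audit_var(inventory_line)
    got = extract_audit_config(master_config_text)
    if got is None:
        return ["auditConfig block missing from master-config.yaml: API audit logging is off"]
    problems = []
    for key, value in wanted.items():
        # YAML renders JSON booleans as lowercase true/false and numbers and
        # paths as plain scalars, as in the grep output of comment 18.
        expected = json.dumps(value) if isinstance(value, bool) else str(value)
        if got.get(key) != expected:
            problems.append(f"{key}: inventory asked for {expected!r}, master-config has {got.get(key)!r}")
    return problems


# The inventory line from comment 11, verbatim.
INVENTORY_LINE = (
    'openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/audit-ocp.log", '
    '"maximumFileRetentionDays": 10,"maximumRetainedFiles": 10,"maximumFileSizeMegabytes": 100}'
)

# Constructed sample modelled on the verified grep output in comment 18.
GOOD_MASTER_CONFIG = """\
apiVersion: v1
auditConfig:
  auditFilePath: /var/log/audit-ocp.log
  enabled: true
  maximumFileRetentionDays: 10
  maximumFileSizeMegabytes: 100
  maximumRetainedFiles: 10
kind: MasterConfig
"""

# Constructed sample of the pre-fix non-HA result: the template's
# {% if openshift_master_ha | bool %} block swallowed the audit settings.
BAD_MASTER_CONFIG = """\
apiVersion: v1
kind: MasterConfig
"""

if __name__ == "__main__":
    for label, text in (("HA or fixed install", GOOD_MASTER_CONFIG), ("pre-fix non-HA install", BAD_MASTER_CONFIG)):
        issues = audit_config_problems(INVENTORY_LINE, text)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

On a real master, read `/etc/origin/master/master-config.yaml` into `master_config_text` and the inventory's own `openshift_master_audit_config=` line into `inventory_line`; a non-empty result from `audit_config_problems` is the signal that the installer silently dropped or altered the audit settings, which is exactly what the `openshift_master_ha` conditional did before PR 4226.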
Comment 14 Russell Teague 2017-05-18 09:25:18 EDT
Proposed: https://github.com/openshift/openshift-ansible/pull/4226
Comment 15 openshift-github-bot 2017-05-19 23:50:05 EDT
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/ebb1b751b9623eb2f9b265737e6d032ba5c5da3c
Fix auditConfig for non-HA environments

Bug 1447019
Comment 16 Russell Teague 2017-05-22 11:14:38 EDT
Proposed (3.5 backport): https://github.com/openshift/openshift-ansible/pull/4258
Comment 17 Russell Teague 2017-05-23 09:32:24 EDT
Merged: https://github.com/openshift/openshift-ansible/pull/4258
Comment 18 Gaoyun Pei 2017-05-24 04:47:50 EDT
Verify this bug with openshift-ansible-3.5.5.19-1.git.0.ded7c89.el7.noarch

With audit options added in ansible inventory for non-ha master environment, the related configurations could be found in master config file after installation.
openshift_master_audit_config={"enabled": true, "auditFilePath": "/var/log/audit-ocp.log", "maximumFileRetentionDays": 10,"maximumRetainedFiles": 10,"maximumFileSizeMegabytes": 100}

[root@ip-172-18-11-206 ~]# grep -A 4 audit /etc/origin/master/master-config.yaml
auditConfig:
  auditFilePath: /var/log/audit-ocp.log
  enabled: true
  maximumFileRetentionDays: 10
  maximumFileSizeMegabytes: 100
  maximumRetainedFiles: 10

Will move this bug to verified after the openshift-ansible rpm package is attached to advisory 28675.
Comment 19 Gaoyun Pei 2017-06-01 03:19:01 EDT
Verify this bug with openshift-ansible-3.5.74-1.git.0.4e9bb21.el7.noarch.rpm.

openshift_master_audit_config works as expected in non-ha master env.
Comment 21 errata-xmlrpc 2017-06-15 14:38:10 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1425
