Bug 1482661 - We do not preserve the security context and node selector for the elasticsearch dc after running ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/openshift-logging.yml after upgade
Summary: We do not preserve the security context and node selector for the elasticsear...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.6.z
Assignee: Jeff Cantrill
QA Contact: Anping Li
URL:
Whiteboard:
Depends On: 1478771
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-08-17 20:20 UTC by Jeff Cantrill
Modified: 2021-09-09 12:31 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The nodeSelector and supplementalGroups from existing deployments were being ignored because it was believed these parameters should be defined in the inventory file. There was no way to define values for each DC which hinders the usecase where a deployment is using hostmount volumes Consequence: The nodeSelector and supplementalGroups were being replaces with those defined in the inventory file. Fix: Use nodeSelector and supplementalGroups from logging facts if they exist for a given DC Result: nodeSelector and supplementalGroups are retained when applied changes.
Clone Of: 1478771
Environment:
Last Closed: 2017-10-17 11:45:24 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
The deployment config before and after upgrade (50.00 KB, application/x-tar)
2017-09-26 07:57 UTC, Anping Li
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github openshift-ansible/pull/5124 0 None None None 2020-07-14 21:26:34 UTC
Red Hat Product Errata RHBA-2017:2900 0 normal SHIPPED_LIVE OpenShift Container Platform atomic-openshift-utils bug fix and enhancement 2017-10-17 15:44:50 UTC

Comment 1 Jeff Cantrill 2017-08-17 21:01:25 UTC
Fixed in PR: openshift-ansible/pull/5124

Comment 2 Rich Megginson 2017-09-08 16:13:56 UTC
Has this been fixed in 3.6 or 3.7 atomic-openshift-ansible?  Can we move this to ON_QA?

Comment 4 Anping Li 2017-09-14 09:01:55 UTC
Using openshift-ansible-3.6.173.0.33, the securityContext and nodeSelector are as before.
#oc get dc logging-es-gcpg63hx -o yaml | grep security -A 1
      securityContext:
        supplementalGroups:
#oc get dc logging-es-gcpg63hx -o yaml | grep nodeSelector -A 2
      nodeSelector:
        logging-es-node: "1"
      restartPolicy: Always
#oc get dc logging-es-mbtd8lz3 -o yaml | grep security -A 1
      securityContext:
        supplementalGroups:
#oc get dc logging-es-mbtd8lz3 -o yaml | grep nodeSelector -A 2
      nodeSelector:
        logging-es-node: "2"
      restartPolicy: Always
#oc get dc logging-es-tybl6f11 -o yaml | grep security -A 1
      securityContext:
        supplementalGroups:
#oc get dc logging-es-tybl6f11 -o yaml | grep nodeSelector -A 2
      nodeSelector:
        logging-es-node: "3"
      restartPolicy: Always

Comment 5 Anping Li 2017-09-14 09:03:49 UTC
The  openshift-ansible-3.6.173.0.33 aren't in the errata 30362, can you confirm if we need an installer error.

Comment 6 Anping Li 2017-09-21 11:29:51 UTC
@scott, The fix is in openshift-ansible. could you move this bug to the proper installer errata?

Comment 9 Anping Li 2017-09-26 03:37:09 UTC
I miss one securityContext in comment 10. There are two securityContext in DC. 
The first is created by ansible. 
The second  is created by 'oc patch' command following the document [1] 
The second one is still overwrote when using the openshift-ansible-3.5.125 with the fix PR.

@Jeff, could you confirm if we need to persist the second securityContext.?


[1]
https://docs.openshift.com/container-platform/3.5/install_config/aggregate_logging.html-> Persistent Elasticsearch Storage -> 2. Each Elasticsearch replica definition must be patched to claim that privilege, for example:
$ for dc in $(oc get deploymentconfig --selector logging-infra=elasticsearch -o name); do
    oc scale $dc --replicas=0
    oc patch $dc \
       -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}'
  done

Comment 10 Anping Li 2017-09-26 07:57:56 UTC
Created attachment 1330898 [details]
The deployment config before and after upgrade

[1] and [2] are removed during upgrade.  the nodeSelector[2] was preserved. From upgrade perspective, we should preserve all changes expect for there are change request from inventory.


[1]
securityContext:
  privileged: true
[2]
- hostPath:
    path: /usr/local/es-storage 
  name: elasticsearch-storage
[3]
  nodeSelector:
    logging-node: "1"

Comment 11 Jeff Cantrill 2017-09-27 18:44:26 UTC
The fix addresses the original issues.  Moved items from #c10 to https://bugzilla.redhat.com/show_bug.cgi?id=1496271

Comment 12 Anping Li 2017-09-28 01:47:40 UTC
The nodeSelector are persisten, so move to verified.  Note that securityContext issue will be fixed in Bug 1496271.

Comment 13 openshift-github-bot 2017-10-05 10:45:10 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/ec7d1b04ef91a3d10675efe1c53a88ef100437b8
bug 1482661. Preserve ES dc nodeSelector and supplementalGroups

(cherry picked from commit 601e35cbf4410972c7fa0a1d3d5c6327b82353ac)

Comment 15 errata-xmlrpc 2017-10-17 11:45:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2900


Note You need to log in before you can comment on or make changes to this bug.