Bug 1496271 - Preserve Security Context in logging container
Summary: Preserve Security Context in logging container
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 3.5.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 3.6.z
Assignee: Jan Wozniak
QA Contact: Anping Li
Reported: 2017-09-26 20:57 UTC by Jeff Cantrill
Modified: 2023-09-14 04:09 UTC (History)
Doc Type: No Doc Update
Last Closed: 2017-10-25 13:08:02 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift openshift-ansible pull 5670 | 0 | None | None | None | 2017-10-05 20:14:05 UTC
Red Hat Product Errata | RHBA-2017:3049 | 0 | normal | SHIPPED_LIVE | OpenShift Container Platform 3.6, 3.5, and 3.4 bug fix and enhancement update | 2017-10-25 15:57:15 UTC

Description Jeff Cantrill 2017-09-26 20:57:29 UTC
As commented in https://bugzilla.redhat.com/show_bug.cgi?id=1478771

I miss one securityContext in comment 10. There are two securityContext in DC.
The first is created by ansible.
The second is created by 'oc patch' command following the document [1]
The second one is still overwritten when using the openshift-ansible-3.5.125 with the fix PR.

@Jeff, could you confirm if we need to persist the second securityContext?


[1]
https://docs.openshift.com/container-platform/3.5/install_config/aggregate_logging.html -> Persistent Elasticsearch Storage -> 2. Each Elasticsearch replica definition must be patched to claim that privilege, for example:
$ for dc in $(oc get deploymentconfig --selector logging-infra=elasticsearch -o name); do
    oc scale $dc --replicas=0
    oc patch $dc \
       -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}'
  done

Comment 1 Jeff Cantrill 2017-09-26 20:58:00 UTC
Opened https://bugzilla.redhat.com/show_bug.cgi?id=1478771 to address

Comment 3 Jan Wozniak 2017-10-03 15:44:00 UTC
PR with a fix created - https://github.com/openshift/openshift-ansible/pull/5637.

I will create a backport to 3.6 once this merges

Comment 4 openshift-github-bot 2017-10-05 10:45:19 UTC
Commits pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/f4c7d5e064fad263f618fb633d5c0d37c0a2a553
Bug 1496271 - Preserve SCC for ES local persistent storage

ES can be modified to use node local persistent storage. This requires
changing SCC and is described in docs:

https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html

During an upgrade, SCC defined by the user is ignored. This fix fetches
SCC user defined as a fact and adds it to the ES DC which is later used.

https://github.com/openshift/openshift-ansible/commit/cdbc995e65921210981e9fb3710a36c7d93a35dc
Merge pull request #5637 from wozniakjan/1496271_fix

Automatic merge from submit-queue.

Bug 1496271 - Preserve SCC for ES local persistent storage

ES can be modified to use node local persistent storage. This requires changing SCC and is described in docs:

https://docs.openshift.com/container-platform/3.6/install_config/aggregate_logging.html

During an upgrade, SCC defined by the user is ignored. This fix fetches SCC user defined as a fact and adds it to the ES DC which is later used.

Also includes cherrypicked fix for - Bug 1482661 - Preserve ES dc nodeSelector and supplementalGroups

cc @jcantrill

Comment 6 Anping Li 2017-10-12 07:29:04 UTC
The nodeSelector securityContext when using openshift-ansible:v3.5.132. So move to verified.
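
One way to check for the regression discussed in this bug, as an added example that is not part of the bug report or of openshift-ansible: compare the Elasticsearch DC exported before and after a playbook run and report any change to nodeSelector, the pod-level securityContext, or a container-level securityContext. The two JSON documents, the label name and the group id are constructed sample values, and the function names are hypothetical.

```python
import json

# Constructed sample: an Elasticsearch DC as exported before the playbook run
# (for example with `oc get dc <name> -o json`), trimmed to the relevant fields.
BEFORE = json.loads("""
{"spec": {"template": {"spec": {
  "nodeSelector": {"logging-es-node": "1"},
  "securityContext": {"supplementalGroups": [65534]},
  "containers": [{"name": "elasticsearch",
                  "securityContext": {"privileged": true}}]}}}}
""")

# Constructed sample: the same DC after a run that regenerated it and lost the
# container-level securityContext that had been added with 'oc patch'.
AFTER = json.loads("""
{"spec": {"template": {"spec": {
  "nodeSelector": {"logging-es-node": "1"},
  "securityContext": {"supplementalGroups": [65534]},
  "containers": [{"name": "elasticsearch"}]}}}}
""")


def tracked_fields(dc):
    """Flatten the fields this bug is about into {path: value}."""
    pod = dc["spec"]["template"]["spec"]
    fields = {
        "nodeSelector": pod.get("nodeSelector"),
        "securityContext": pod.get("securityContext"),
    }
    for c in pod.get("containers", []):
        key = "containers[%s].securityContext" % c["name"]
        fields[key] = c.get("securityContext")
    # Treat an absent field and an empty one as the same thing.
    return {k: v for k, v in fields.items() if v}


def drift(before, after):
    """Return (path, old, new) for each tracked field that changed or vanished."""
    old, new = tracked_fields(before), tracked_fields(after)
    return [(p, old.get(p), new.get(p))
            for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)]


if __name__ == "__main__":
    for path, was, now in drift(BEFORE, AFTER):
        print("%s: %r -> %r" % (path, was, now))
```

The comparison works in both directions, so it also reports a run that adds a securityContext setting that was not there before.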

Comment 8 errata-xmlrpc 2017-10-25 13:08:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:3049

Comment 9 Red Hat Bugzilla 2023-09-14 04:09:01 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

