Description of problem:
Installation failed for ocp-3.10 with ha etcd as follows:

TASK [etcd : Validate permissions on certificate files] ************************
Friday 30 March 2018 01:52:02 -0400 (0:00:00.168) 0:01:47.615 **********
failed: [ec2-52-71-255-110.compute-1.amazonaws.com] (item=/etc/etcd/ca.crt) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/ca.crt", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/ca.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1895, "state": "file", "uid": 0}
changed: [ec2-54-152-193-176.compute-1.amazonaws.com] => (item=/etc/etcd/ca.crt) => {"changed": true, "failed": false, "gid": 993, "group": "etcd", "item": "/etc/etcd/ca.crt", "mode": "0600", "owner": "etcd", "path": "/etc/etcd/ca.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1895, "state": "file", "uid": 996}
failed: [ec2-184-73-51-181.compute-1.amazonaws.com] (item=/etc/etcd/ca.crt) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/ca.crt", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/ca.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1895, "state": "file", "uid": 0}
failed: [ec2-52-71-255-110.compute-1.amazonaws.com] (item=/etc/etcd/server.crt) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/server.crt", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/server.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 5933, "state": "file", "uid": 0}
changed: [ec2-54-152-193-176.compute-1.amazonaws.com] => (item=/etc/etcd/server.crt) => {"changed": true, "failed": false, "gid": 993, "group": "etcd", "item": "/etc/etcd/server.crt", "mode": "0600", "owner": "etcd", "path": "/etc/etcd/server.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 5933, "state": "file", "uid": 996}
failed: [ec2-184-73-51-181.compute-1.amazonaws.com] (item=/etc/etcd/server.crt) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/server.crt", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/server.crt", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 5936, "state": "file", "uid": 0}
failed: [ec2-52-71-255-110.compute-1.amazonaws.com] (item=/etc/etcd/server.key) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/server.key", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/server.key", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1704, "state": "file", "uid": 0}
changed: [ec2-54-152-193-176.compute-1.amazonaws.com] => (item=/etc/etcd/server.key) => {"changed": true, "failed": false, "gid": 993, "group": "etcd", "item": "/etc/etcd/server.key", "mode": "0600", "owner": "etcd", "path": "/etc/etcd/server.key", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1704, "state": "file", "uid": 996}
failed: [ec2-184-73-51-181.compute-1.amazonaws.com] (item=/etc/etcd/server.key) => {"changed": false, "failed": true, "gid": 0, "group": "root", "item": "/etc/etcd/server.key", "mode": "0644", "msg": "chown failed: failed to look up user etcd", "owner": "root", "path": "/etc/etcd/server.key", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 1704, "state": "file", "uid": 0}

Only the first etcd host has the expected permissions on certificate files:

[root@ip-172-18-14-12 ~]# ls -al /etc/etcd/
total 52
drwx------. 4 root root 172 Mar 30 01:51 .
drwxr-xr-x. 82 root root 8192 Mar 30 01:51 ..
drwx------. 5 root root 212 Mar 30 01:51 ca
-rw-------. 1 etcd etcd 1895 Mar 30 01:51 ca.crt
-rw-r--r--. 1 root root 1686 Jan 29 07:57 etcd.conf
drwx------. 5 root root 285 Mar 30 01:52 generated_certs
-rw-r--r--. 1 root root 5976 Mar 30 01:51 peer.crt
-rw-r--r--. 1 root root 1041 Mar 30 01:51 peer.csr
-rw-r--r--. 1 root root 1704 Mar 30 01:51 peer.key
-rw-------. 1 etcd etcd 5933 Mar 30 01:51 server.crt
-rw-r--r--. 1 root root 1041 Mar 30 01:51 server.csr
-rw-------. 1 etcd etcd 1704 Mar 30 01:51 server.key

For the other two etcd hosts:

[root@ip-172-18-15-205 ~]# ls -al /etc/etcd/
total 48
drwx------. 3 root root 132 Mar 30 01:52 .
drwxr-xr-x. 82 root root 8192 Mar 30 01:51 ..
drwxr-xr-x. 2 root root 6 Mar 30 01:52 ca
-rw-r--r--. 1 root root 1895 Mar 30 01:51 ca.crt
-rw-r--r--. 1 root root 5983 Mar 30 01:51 peer.crt
-rw-r--r--. 1 root root 1041 Mar 30 01:51 peer.csr
-rw-r--r--. 1 root root 1704 Mar 30 01:51 peer.key
-rw-r--r--. 1 root root 5936 Mar 30 01:51 server.crt
-rw-r--r--. 1 root root 1041 Mar 30 01:51 server.csr
-rw-r--r--. 1 root root 1704 Mar 30 01:51 server.key

Version-Release number of the following components:
openshift-ansible-3.10.0-0.15.0.git.0.556ddbb.el7.noarch.rpm
ansible 2.4.4-0.2.rc1.el7ae

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
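Added example, not part of the original report and not openshift-ansible code: a small audit of `ls -al /etc/etcd/` output that flags the three files the failing task validates (ca.crt, server.crt, server.key) when they are not etcd:etcd with mode 0600, the state shown in the "changed" results above. The function names are hypothetical; the sample listings are a subset of the lines quoted in the report.

```python
# Expected state, taken from the "changed" task results in the report.
EXPECTED = {"owner": "etcd", "group": "etcd", "mode": "0600"}
CHECKED_FILES = ("ca.crt", "server.crt", "server.key")

# Subset of the two `ls -al /etc/etcd/` listings quoted in the report.
FIRST_HOST = """\
total 52
drwx------. 5 root root 212 Mar 30 01:51 ca
-rw-------. 1 etcd etcd 1895 Mar 30 01:51 ca.crt
-rw-r--r--. 1 root root 1704 Mar 30 01:51 peer.key
-rw-------. 1 etcd etcd 5933 Mar 30 01:51 server.crt
-rw-------. 1 etcd etcd 1704 Mar 30 01:51 server.key
"""
OTHER_HOST = """\
total 48
drwxr-xr-x. 2 root root 6 Mar 30 01:52 ca
-rw-r--r--. 1 root root 1895 Mar 30 01:51 ca.crt
-rw-r--r--. 1 root root 5936 Mar 30 01:51 server.crt
-rw-r--r--. 1 root root 1704 Mar 30 01:51 server.key
"""

def mode_from_ls(perm):
    """Turn an ls permission string ('-rw-r--r--.') into its rwx bits."""
    mode = 0
    for i, ch in enumerate(perm[1:10]):
        if ch in "rwxst":  # lowercase s/t also imply the execute bit
            mode |= 1 << (8 - i)
    return mode  # setuid/setgid/sticky bits themselves are not tracked

def audit_listing(ls_output):
    """Return {filename: [problems]} for the files the etcd task validates."""
    findings, seen = {}, set()
    for line in ls_output.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or not fields[0].startswith("-"):
            continue  # 'total' line, directories, anything not a regular file
        name = fields[8]
        if name not in CHECKED_FILES:
            continue
        seen.add(name)
        actual = {"owner": fields[2], "group": fields[3],
                  "mode": f"{mode_from_ls(fields[0]):04o}"}
        problems = [f"{key} {value}, expected {EXPECTED[key]}"
                    for key, value in actual.items() if value != EXPECTED[key]]
        if problems:
            findings[name] = problems
    for name in set(CHECKED_FILES) - seen:
        findings[name] = ["missing from listing"]
    return findings
```

Calling `audit_listing(OTHER_HOST)` reports server.key as root-owned with mode 0644, which leaves the private key readable by every local user on that host.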
Created https://github.com/openshift/openshift-ansible/pull/7770 to fix this
Fix is in openshift-ansible-3.10.0-0.16.0
Verified this bug with openshift-ansible-3.10.0-0.16.0.git.0.8925606.el7.noarch.rpm. For HA etcd cluster installation, this step passed, and the etcd cluster is running well.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816