1599241 – Add securty content for hawkular-cassandra before openshift was updated to v3.10

Bug 1599241 - Add securty content for hawkular-cassandra before openshift was updated to v3.10

Summary: Add securty content for hawkular-cassandra before openshift was updated to v3.10

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Hawkular
Sub Component:
Version:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	3.9.z
Assignee:	Ruben Vargas Palma
QA Contact:	Junqi Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:	1613095
Blocks:	1599529
TreeView+	depends on / blocked

Reported:	2018-07-09 09:44 UTC by Anping Li
Modified:	2018-08-29 14:43 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1599529 (view as bug list)
Environment:
Last Closed:	2018-08-29 14:42:31 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:2549	0	None	None	None	2018-08-29 14:43:15 UTC

Description Anping Li 2018-07-09 09:44:30 UTC

Description of problem:
The metrics cassandra 3.9 has no permission to create directory /cassandra_data/data once Openshift is updated to v3.10. Redeploy metrics via  openshift-ansible:v3.10 can solve this issue. But there are some downtime between Openshift upgrade and metrics updated. 

To avoild the metrics downtime, we can add the securityContext to make v3.9 cassandra works in v3.10 as the following steps. if the customer don't care about the downtime, they can skip these steps.

Steps:
1. oc get namespaces openshift-infra -o json

$oc get namespaces openshift-infra -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.initialized-roles: "true"
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  name: openshift-infra
  uid: 2d73f159-8331-11e8-9c8f-42010af00028
spec:
  finalizers:
  - kubernetes
  - openshift.io/origin

2. Update the securityContext in replicacontrollers  hawkular-cassandra-1 using the values from the namespaces openshift-infra

  $oc edit rc hawkular-cassandra-1
   #Add the fsGroup and seLinuxOptions using the same value from the namespaces openshift-infra

                "securityContext": {
                    "fsGroup": 1000040000,
                    "seLinuxOptions": {
                        "level": "s0:c6,c5"
                    },
                    "supplementalGroups": [
                        65534
                    ]
                },
                "serviceAccount": "cassandra",
                "serviceAccountName": "cassandra"

For more detail, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1590748, the PR https://github.com/openshift/openshift-ansible/pull/8831


Version-Release number of selected component (if applicable):
openshift-ansible:v3.9

How reproducible:
always

Steps to Reproduce:
1. deploy metrcis v3.9 on v3.9
  openshift_metrics_install_metrics=True
  oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}

2. Upgrade OCP to v3.10

3. Check the cassandra logs in v3.10


Expected results:
The /cassandra_data/data can be access after upgrade

Additional info:
Once redeployed v3.10 via openshift-ansible:v3.10. The cassandra can acesss the directory /cassandra_data/data.

Comment 1 Anping Li 2018-07-09 09:46:14 UTC

Shall we add this issue in v3.10 release note? and back port the PR 8831 in v3.9?

Comment 2 John Sanda 2018-07-16 21:50:46 UTC

(In reply to Anping Li from comment #1)
> Shall we add this issue in v3.10 release note? and back port the PR 8831 in
> v3.9?

I talked with Ruben and we agree that it should be back ported. I think it makes sense to include in the release notes as well.

For step 2 in the description, you are upgrading OCP and not metrics, right?

Comment 3 Ruben Vargas Palma 2018-07-30 18:22:02 UTC

The solution was already backported to 3.9 and the PR was merged, https://github.com/openshift/openshift-ansible/pull/9278.

I'm moving this BZ to MODIFIED.

Comment 5 Junqi Zhao 2018-08-22 08:23:44 UTC

Blocked by Bug 1613095

Comment 6 Junqi Zhao 2018-08-25 13:38:57 UTC

securityContext is added to metrics 3.9
*****************************************************
      securityContext:
        fsGroup: 1000040000
        seLinuxOptions:
          level: s0:c6,c5
        supplementalGroups:
        - 65534
      serviceAccount: cassandra
      serviceAccountName: cassandra
*****************************************************

openshift-ansible-3.9.41-1.git.0.4c55974.el7
# oc version
oc v3.9.41
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth GSSAPI Kerberos SPNEGO

Images
metrics-cassandra-v3.9.40-11
metrics-hawkular-metrics-v3.9.40-11
metrics-heapster-v3.9.40-11

Comment 8 errata-xmlrpc 2018-08-29 14:42:31 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2549

Note You need to log in before you can comment on or make changes to this bug.