Bug 1599529 - Add security content for hawkular-cassandra before openshift was updated to v3.10
Summary: Add security content for hawkular-cassandra before openshift was updated to v3.10
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 3.11.z
Assignee: Sara Thomas
QA Contact: Anping Li
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On: 1599241
Blocks:
Reported: 2018-07-10 02:58 UTC by Anping Li
Modified: 2021-07-12 19:04 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1599241
Environment:
Last Closed: 2021-07-12 19:04:12 UTC
Target Upstream Version:
Embargoed:



Description Anping Li 2018-07-10 02:58:10 UTC
+++ This bug was initially created as a clone of Bug #1599241 +++

Description of problem:
The metrics Cassandra 3.9 has no permission to create the directory /cassandra_data/data once OpenShift is updated to v3.10. Redeploying metrics via openshift-ansible:v3.10 can solve this issue, but there is some downtime between the OpenShift upgrade and the metrics update.

To avoid the metrics downtime, we can add the securityContext to make v3.9 Cassandra work in v3.10 with the following steps. If the customer doesn't care about the downtime, they can skip these steps.

Steps:
1. oc get namespaces openshift-infra -o json

$ oc get namespaces openshift-infra -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/node-selector: ""
    openshift.io/sa.initialized-roles: "true"
    openshift.io/sa.scc.mcs: s0:c6,c5
    openshift.io/sa.scc.supplemental-groups: 1000040000/10000
    openshift.io/sa.scc.uid-range: 1000040000/10000
  name: openshift-infra
  uid: 2d73f159-8331-11e8-9c8f-42010af00028
spec:
  finalizers:
  - kubernetes
  - openshift.io/origin

2. Update the securityContext in the replication controller hawkular-cassandra-1 using the values from the openshift-infra namespace

  $ oc edit rc hawkular-cassandra-1
   # Add the fsGroup and seLinuxOptions using the same values from the openshift-infra namespace

                "securityContext": {
                    "fsGroup": 1000040000,
                    "seLinuxOptions": {
                        "level": "s0:c6,c5"
                    },
                    "supplementalGroups": [
                        65534
                    ]
                },
                "serviceAccount": "cassandra",
                "serviceAccountName": "cassandra"

For more detail, refer to https://bugzilla.redhat.com/show_bug.cgi?id=1590748 and the PR https://github.com/openshift/openshift-ansible/pull/8831


Version-Release number of selected component (if applicable):
openshift-ansible:v3.9

How reproducible:
always

Steps to Reproduce:
1. Deploy metrics v3.9 on v3.9
  openshift_metrics_install_metrics=True
  oreg_url=registry.reg-aws.openshift.com:443/openshift3/ose-${component}:${version}

2. Upgrade OCP to v3.10

3. Check the cassandra logs in v3.10


Expected results:
/cassandra_data/data can be accessed after the upgrade

Additional info:
Once v3.10 is redeployed via openshift-ansible:v3.10, Cassandra can access the directory /cassandra_data/data.

--- Additional comment from Anping Li on 2018-07-09 05:46:14 EDT ---

Shall we add this issue to the v3.10 release notes, and backport PR 8831 to v3.9?
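
The two steps in the description above can be scripted so the values are copied from the namespace annotations rather than retyped. This is an added example, not part of the bug report or of openshift-ansible; the function names are hypothetical, and taking fsGroup from the start of the supplemental-groups range is an assumption based on the values shown in the report.

```shell
#!/bin/sh
# Added example: build the securityContext merge patch for step 2 from the
# namespace annotations read in step 1, validating both values first.

# build_scc_patch <supplemental-groups annotation> <mcs annotation>
# Prints a JSON merge patch for the rc pod template; returns 1 on bad input.
build_scc_patch() {
  scc_groups=$1
  scc_mcs=$2
  # The annotation has the form <start>/<size>, e.g. 1000040000/10000.
  case "$scc_groups" in
    */*) ;;
    *) echo "bad group range: $scc_groups" >&2; return 1 ;;
  esac
  scc_start=${scc_groups%%/*}
  scc_size=${scc_groups#*/}
  for scc_n in "$scc_start" "$scc_size"; do
    case "$scc_n" in
      ''|*[!0-9]*) echo "bad group range: $scc_groups" >&2; return 1 ;;
    esac
  done
  # Accept only the MCS form shown in the report (s0:c6,c5), so nothing
  # unexpected is spliced into the JSON document.
  printf '%s\n' "$scc_mcs" | grep -Eq '^s[0-9]+(:c[0-9]+(,c[0-9]+)*)?$' ||
    { echo "bad MCS level: $scc_mcs" >&2; return 1; }
  # Assumption: fsGroup is the start of the range, as in the report.
  printf '{"spec":{"template":{"spec":{"securityContext":{"fsGroup":%s,"seLinuxOptions":{"level":"%s"}}}}}}\n' \
    "$scc_start" "$scc_mcs"
}

# apply_scc_patch: read the annotations with oc and patch the rc.
apply_scc_patch() {
  ns=openshift-infra
  rc=hawkular-cassandra-1
  g=$(oc get namespace "$ns" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.supplemental-groups}') || return 1
  m=$(oc get namespace "$ns" -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.mcs}') || return 1
  p=$(build_scc_patch "$g" "$m") || return 1
  # A merge patch leaves the existing supplementalGroups entry in place.
  oc patch rc "$rc" -n "$ns" --type=merge -p "$p"
}

# Touch the cluster only when explicitly asked: sh script.sh apply
if [ "${1:-}" = "apply" ]; then apply_scc_patch; fi
```

A replication controller applies template changes only to pods it creates afterwards, so the running Cassandra pod keeps its old securityContext until it is recreated.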

Comment 1 Anping Li 2018-07-10 03:01:29 UTC
I think 1599241 should be in v3.9, so I cloned a bug to the documentation team in v3.10 to warn about this issue in the release notes. If the customer wants to decrease the downtime, they can follow the steps I provided.

Comment 2 Sara Thomas 2021-07-12 19:04:12 UTC
As of 4.1, Cassandra is deprecated: https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html#ocp-41-deprecated-features. Marking closed, won't fix.

