Description of problem:
When using apb tools to provision postgresql-apb, it failed at: Set postgresql objects state=present

TASK [postgresql-apb : Set postgresql objects state=present] *******************
failed: [localhost] (item={u'name': u'service.yaml.j2'}) => {"changed": false, "error": 403, "item": {"name": "service.yaml.j2"}, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"services \\\"postgresql-1234\\\" is forbidden: User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get services in the namespace \\\"post\\\": User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get services in project \\\"post\\\": RBAC: clusterrole.rbac.authorization.k8s.io \\\"docker\\\" not found\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"postgresql-1234\",\"kind\":\"services\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}

Deprovision also failed with the same error.

Version-Release number of selected component (if applicable):
apb-1.9.0
postgresql-apb: docker.io/ansibleplaybookbundle/postgresql-apb:latest

How reproducible:
always

Steps to Reproduce:
1. oc login as 'cluster-admin' user
2. oc new-project post
3. add registry
# apb registry add docker --org ansibleplaybookbundle --type dockerhub --whitelist '.*apb$'
4. provision postgresql-apb
# apb bundle provision postgresql-apb -r docker -n post

Actual results:
4. provision failed
# apb bundle provision postgresql-apb -r docker -n post
Found APB [postgresql-apb] in registry [docker]
List of available plans:
name: dev
name: prod
Enter name of plan you'd like to deploy: dev
Plan: dev
Enter value for parameter [postgresql_database], default: [admin]:
Enter value for parameter [postgresql_user], default: [admin]:
Enter value for parameter [postgresql_password], default: [<nil>]:
Enter value for parameter [postgresql_version], default: [9.6]:
INFO OpenShift version: v3.11.0-0.11.0
INFO Creating RoleBinding bundle-a4d72397-66d7-4fbd-ab00-f868e572372c
INFO Successfully created apb sandbox: [ bundle-a4d72397-66d7-4fbd-ab00-f868e572372c ], with docker permissions in namespace [ post ]
Successfully created pod [bundle-a4d72397-66d7-4fbd-ab00-f868e572372c] to provision [postgresql-apb] in namespace [post]

check pod
# oc get pod
NAME                                          READY     STATUS    RESTARTS   AGE
bundle-a4d72397-66d7-4fbd-ab00-f868e572372c   0/1       Error     0          43s

# oc logs -f bundle-a4d72397-66d7-4fbd-ab00-f868e572372c
DEPRECATED: APB playbooks should be stored at /opt/apb/project

PLAY [postgresql-apb provision] ************************************************

TASK [ansibleplaybookbundle.asb-modules : debug] *******************************
skipping: [localhost]

TASK [postgresql-apb : Update last operation] **********************************
skipping: [localhost]

TASK [postgresql-apb : Set facts] **********************************************
ok: [localhost]

TASK [postgresql-apb : Backup database] ****************************************
skipping: [localhost]

TASK [postgresql-apb : Rsync to APB] *******************************************
skipping: [localhost]

TASK [postgresql-apb : Take down old deployment and pvc (if it exists)] ********
skipping: [localhost] => (item=pvc.yaml)
skipping: [localhost] => (item=deployment.yaml)

TASK [postgresql-apb : Update last operation] **********************************
skipping: [localhost]

TASK [postgresql-apb : Set postgresql objects state=present] *******************
failed: [localhost] (item={u'name': u'service.yaml.j2'}) => {"changed": false, "error": 403, "item": {"name": "service.yaml.j2"}, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"services \\\"postgresql-1234\\\" is forbidden: User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get services in the namespace \\\"post\\\": User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get services in project \\\"post\\\": RBAC: clusterrole.rbac.authorization.k8s.io \\\"docker\\\" not found\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"postgresql-1234\",\"kind\":\"services\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}
skipping: [localhost] => (item={u'apply': False, u'name': u'pvc.yaml.j2'})
failed: [localhost] (item={u'name': u'deployment.yaml.j2'}) => {"changed": false, "error": 403, "item": {"name": "deployment.yaml.j2"}, "msg": "Failed to retrieve requested object: {\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"deploymentconfigs.apps.openshift.io \\\"postgresql-1234\\\" is forbidden: User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get deploymentconfigs.apps.openshift.io in the namespace \\\"post\\\": User \\\"system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c\\\" cannot get deploymentconfigs.apps.openshift.io in project \\\"post\\\": RBAC: clusterrole.rbac.authorization.k8s.io \\\"docker\\\" not found\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"postgresql-1234\",\"group\":\"apps.openshift.io\",\"kind\":\"deploymentconfigs\"},\"code\":403}\n", "reason": "Forbidden", "status": 403}

PLAY RECAP *********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1

Expected results:
Provision succeeds.

Additional info:
This apb provision succeeds in the web console.
https://github.com/automationbroker/apb/pull/117
Hi Zihan, I see that you're supplying `-r` in what seems to be an attempt to specify the registry to provision from. If you check `apb provision --help`, you should see that `-r` is actually how you would specify a sandbox role. We think the current behavior was a bit confusing, so in the PR below we've standardized on `-r` representing the registry to provision from. Supplying a non-standard sandbox role will now be done with `--sandbox-role`. You should find that your documented command will work with the below PR.

# apb bundle provision postgresql-apb -r docker -n post

https://github.com/automationbroker/apb/pull/117
I tried apb 1.9.3; provision and deprovision succeed using the commands:

# apb bundle provision mediawiki-apb -n post -r docker
# apb bundle deprovision mediawiki-apb -n post -r docker
New builds added to advisory:
openshift-enterprise-asb-container-v3.11.0-0.20.0.0
openshift-enterprise-apb-tools-container-v3.11.0-0.20.0.0
According to comment 3, changing it to VERIFIED.
When using apb-1.9.5, provision failed with error:

TASK [mediawiki-apb : Update last operation] ***********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error attempting to update pod with last operation annotation: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Date': 'Mon, 03 Sep 2018 03:23:03 GMT', 'Content-Length': '377', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'})\nHTTP response body: {\n \"kind\": \"Status\",\n \"apiVersion\": \"v1\",\n \"metadata\": {\n \n },\n \"status\": \"Failure\",\n \"message\": \"pods \\\"bundle-95a2ce42-05a5-4909-a933-ca319e19460b\\\" is forbidden: unable to validate against any security context constraint: []\",\n \"reason\": \"Forbidden\",\n \"details\": {\n \"name\": \"bundle-95a2ce42-05a5-4909-a933-ca319e19460b\",\n \"kind\": \"pods\"\n },\n \"code\": 403\n}\n"}

apb pod log:
# oc logs -f bundle-95a2ce42-05a5-4909-a933-ca319e19460b
DEPRECATED: APB playbooks should be stored at /opt/apb/project

PLAY [mediawiki-apb provision] *************************************************

TASK [ansibleplaybookbundle.asb-modules : debug] *******************************
skipping: [localhost]

TASK [mediawiki-apb : Update last operation] ***********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error attempting to update pod with last operation annotation: (403)\nReason: Forbidden\nHTTP response headers: HTTPHeaderDict({'Date': 'Mon, 03 Sep 2018 03:23:03 GMT', 'Content-Length': '377', 'Content-Type': 'application/json', 'Cache-Control': 'no-store'})\nHTTP response body: {\n \"kind\": \"Status\",\n \"apiVersion\": \"v1\",\n \"metadata\": {\n \n },\n \"status\": \"Failure\",\n \"message\": \"pods \\\"bundle-95a2ce42-05a5-4909-a933-ca319e19460b\\\" is forbidden: unable to validate against any security context constraint: []\",\n \"reason\": \"Forbidden\",\n \"details\": {\n \"name\": \"bundle-95a2ce42-05a5-4909-a933-ca319e19460b\",\n \"kind\": \"pods\"\n },\n \"code\": 403\n}\n"}

PLAY RECAP *********************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1

Reproduce steps are the same as in the description, using the Docker Hub registry. apb-1.9.3 provision and deprovision work well.
This is because the user launching the APB is a cluster-admin. This ends up assigning the APB pod to the `anyuid` scc. For some reason the `anyuid` scc prevents a service account from annotating the pod that is running. This is documented here:

https://docs.okd.io/latest/architecture/additional_concepts/authorization.html#scc-prioritization

When the pod runs in the `restricted` scc it is capable of annotating itself, which is required for the `apb_last_operation` ansible tasks. To work around this, simply log in as a user who is not part of `system:cluster-admins`.
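As a triage aid for the two distinct 403s in this bug (the missing ClusterRole caused by passing the registry name where the sandbox role was expected, and the SCC admission denial above), here is an added Python helper; it is not part of apb or this report, and its sample messages are constructed to mirror the shapes logged here rather than copied from the logs.

```python
import json
import re

RBAC_RE = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) (?P<resource>\S+) '
                     r'in (?:the namespace|project) "(?P<namespace>[^"]+)"')
MISSING_ROLE_RE = re.compile(r'RBAC: clusterrole\.rbac\.authorization\.k8s\.io "(?P<role>[^"]+)" not found')
SCC_RE = re.compile(r"unable to validate against any security context constraint")

def extract_status(text):
    """Return the first JSON object in free text whose kind is Status; non-JSON braces are skipped."""
    dec = json.JSONDecoder()
    for m in re.finditer(r"\{", text):
        try:
            obj, _ = dec.raw_decode(text[m.start():])
        except ValueError:  # e.g. the HTTPHeaderDict({...}) repr in the SCC failure
            continue
        if isinstance(obj, dict) and obj.get("kind") == "Status":
            return obj
    return None

def classify_forbidden(msg):
    """Turn an Ansible failure 'msg' carrying a Kubernetes Status into a triage dict."""
    status = extract_status(msg)
    if status is None or status.get("code") != 403:
        return {"cause": "no-403-status"}
    text = status.get("message", "")
    if SCC_RE.search(text):  # pod admission denied by an SCC, not by RBAC
        return {"cause": "scc-admission", "pod": status["details"]["name"]}
    rbac = RBAC_RE.search(text)
    if rbac:
        out = {"cause": "rbac", **rbac.groupdict()}
        role = MISSING_ROLE_RE.search(text)
        if role:  # the sandbox RoleBinding references a ClusterRole that does not exist
            out["missing_clusterrole"] = role.group("role")
        return out
    return {"cause": "forbidden-other", "message": text}

def _status(message, name, kind, indent=None):
    return json.dumps({"kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": message,
                       "reason": "Forbidden", "details": {"name": name, "kind": kind}, "code": 403}, indent=indent)

# Constructed samples shaped like the two failures in this bug (not copied log lines).
SA = "system:serviceaccount:post:bundle-a4d72397-66d7-4fbd-ab00-f868e572372c"
SAMPLE_RBAC = "Failed to retrieve requested object: " + _status(
    'services "postgresql-1234" is forbidden: User "%s" cannot get services in the namespace "post": '
    'RBAC: clusterrole.rbac.authorization.k8s.io "docker" not found' % SA, "postgresql-1234", "services")
SAMPLE_SCC = ("Error attempting to update pod with last operation annotation: (403)\nReason: Forbidden\n"
              "HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json'})\n"
              "HTTP response body: " + _status('pods "bundle-95a2" is forbidden: unable to validate '
              'against any security context constraint: []', "bundle-95a2", "pods", indent=1))
```

An `rbac` result whose `missing_clusterrole` is the name you passed to `-r` means the flag was consumed as the sandbox role; an `scc-admission` result points at the launching user's SCC rather than at any RoleBinding.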
Created a documentation bug to properly inform users of the tool of this limitation.

https://bugzilla.redhat.com/show_bug.cgi?id=1625766
Updated docs bug to be assigned to appropriate docs contact.