Bug 1664889 - Redeploy certificates playbook fails due to etcd related permissions issues
Summary: Redeploy certificates playbook fails due to etcd related permissions issues
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 3.10.z
Assignee: Patrick Dillon
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-01-09 22:44 UTC by Luke Stanton
Modified: 2023-03-24 14:28 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: starting in 3.10, etcd certs are owned by root because etcd is expected to run as root in a static pod colocated on master nodes Consequence: customers running standalone etcd clusters who upgrade from earlier versions have permission denied when etcd tries to access certs when upgrading or redeploying certs Fix: support upgrading standalone etcd clusters by setting owner to etcd if existing certs have etcd owner. Result: if etcd is running in standalone cluster, certs have owner etcd and etcd can access the certs. allowing upgrade or cert redeploy.
Clone Of:
Environment:
Last Closed: 2019-02-20 10:11:10 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0328 0 None None None 2019-02-20 10:11:17 UTC

Description Luke Stanton 2019-01-09 22:44:55 UTC 
Description of problem:

Running redeploy-certificates.yml playbook fails due to etcd permissions. It looks like the problem was documented in https://github.com/openshift/openshift-ansible/issues/10289, however the associated pull request appears to have never gone through.

Additional info:
Had to manually make changes similar to https://github.com/openshift/openshift-ansible/pull/10291 to get things working.
Comment 4 Patrick Dillon 2019-01-24 14:20:17 UTC 
Known etcd permission issues were fixed by this pr: https://github.com/openshift/openshift-ansible/pull/10943

Customer had invalid openshift_master_named_certificates entry in inventory which caused install to fail. Could not reproduce any further etcd permission errors with available information. If problem is not solved by fix above, please open a new bug.
Comment 5 Patrick Dillon 2019-01-25 19:02:09 UTC 
On closer inspection, the problem is that etcd is running in a separate cluster. Starting in 3.10, OpenShift expects etcd to be run as root in a static pod. I have posted a PR which would allow support for situations like this, where an existing etcd cluster is in place. If there are existing certs with etcd as owner, that ownership will be maintained.

PR: https://github.com/openshift/openshift-ansible/pull/11079
Comment 6 Scott Dodson 2019-01-28 14:47:56 UTC 
PR from comment 5 in openshift-ansible-3.11.75-1 and later
Comment 7 ge liu 2019-01-30 09:34:52 UTC 
Verified with openshift-ansible-3.10.104-1.git.0.79f87f7.el7.noarch.rpm.
Comment 9 errata-xmlrpc 2019-02-20 10:11:10 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0328
Note You need to log in before you can comment on or make changes to this bug.