Description of problem:
------------------------------
The OCP on RHV installer can be executed by a rootless user. However, we must make sure the CA file has the right permissions.

Bad scenario example:
--------------------------
User imported the CA /etc/pki/ca-trust/source/anchors/${MYCA}.pem and kept only owner read/write.

Example: rw-------. root:root /etc/pki/ca-trust/source/anchors/ca.pem

In that case, root can read the list of trusted CAs with the command trust list, but an ordinary user can't read ca.pem.

What's expected?
--------------------------
In the OCP RHV documentation, we should recommend or make a note about the right permissions.

$ sudo chmod 0644 /etc/pki/ca-trust/source/anchors/ca.pem

Example:
-------------
# cd /etc/pki/ca-trust/source/anchors
# ls -la engine-medogz-home.pem
-rw-------. 1 root root 1355 May 25 13:24 engine-medogz-home.pem

# trust list | grep engine
    label: engine.medogz.home.52705
           ^^^^^^^ as root - all good

# sudo su douglas
$ trust list | grep engine
$                 <--------- None, bad

How to fix?
---------------------
$ sudo su -
# cd /etc/pki/ca-trust/source/anchors
# chmod 0644 engine-medogz-home.pem

How can it affect the OCP installer on RHV?
---------------------------------------
If the CA cert file permissions are wrong, the rootless user won't be able to use it to communicate with the Engine.
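As an added example (not part of this bug report or of the OCP installer), a small POSIX sh pre-flight check that reproduces the bad scenario on a constructed temporary file, reports whether an anchor is readable by an ordinary user (the "other" read bit), and applies the chmod 0644 fix described above only when needed. The function names and the --demo flag are my own; it assumes GNU stat is present, with a BSD stat fallback.

```shell
#!/bin/sh
# Pre-flight check for the rootless OCP-on-RHV install: verify that a CA
# anchor under /etc/pki/ca-trust/source/anchors is readable by non-root users,
# and optionally apply the 0644 fix from this report.
# Added example; not from the bug report or the installer.

# ca_mode FILE: print the octal permission bits of FILE.
# Assumption: GNU stat (coreutils) is available; BSD stat is the fallback.
ca_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# ca_world_readable FILE: return 0 when the "other" class has the read bit
# (an ordinary user can open the file), 1 when it does not, 2 if the file
# is missing or its mode cannot be read.
ca_world_readable() {
    f="$1"
    [ -f "$f" ] || return 2
    mode=$(ca_mode "$f") || return 2
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# ca_fix_perms FILE: apply the fix from the report (chmod 0644) only when the
# file is not world-readable; print the resulting mode. Needs root for files
# owned by root, as in the report.
ca_fix_perms() {
    f="$1"
    if ! ca_world_readable "$f"; then
        chmod 0644 "$f" || return 1
    fi
    ca_mode "$f"
}

# Demo on a constructed temporary file, so it never touches the real anchors.
demo() {
    tmp=$(mktemp) || return 1
    chmod 0600 "$tmp"                # reproduce the bad scenario (rw-------)
    if ca_world_readable "$tmp"; then
        echo "unexpected: $tmp is already readable by ordinary users"
    else
        echo "mode $(ca_mode "$tmp"): not readable by ordinary users (bad)"
    fi
    echo "after fix: mode $(ca_fix_perms "$tmp") (good)"
    rm -f "$tmp"
}

# Usage: sh ca-perms.sh --demo
# or, sourced:  ca_world_readable /etc/pki/ca-trust/source/anchors/ca.pem || sudo chmod 0644 /etc/pki/ca-trust/source/anchors/ca.pem
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Running the check as the rootless user before the installer is the quickest way to catch this: the installer itself only reports a failed TLS connection to the Engine, not the underlying permission problem.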
*** Bug 1841384 has been marked as a duplicate of this bug. ***
https://docs.openshift.com/container-platform/4.4/installing/installing_rhv/installing-rhv-default.html#installing-rhv-setting-up-ca-certificate_installing-rhv-default