
atomic-enterprise's People

Contributors

ashcrow, bparees, csrwng, danmcp, deads2k, derekwaynecarr, fabianofranz, ironcladlou, jhadvig, jwforres, kargakis, liggitt, maria, markturansky, mbarnes, mfojtik, mnagy, nak3, nhr, pmorie, pweil-, ramr, rhcarvalho, sdodson, sg00dwin, smarterclayton, soltysh, sosiouxme, spadgett, vojtechvitek


atomic-enterprise's Issues

Registry admin command must not modify the SCC

It's ok if the registry admin command creates a registry service account to use when running the registry, but it must not add it to the privileged SCC. This gives that service account superuser privileges by default, which is something an admin should make a careful decision about.

Registry command needs to accept service account

Without the registry command accepting a service account, the --mount-host option isn't usable. The option requires the registry's service account to be privileged. However, the default service account, which certainly isn't privileged, is selected for the registry.

The way to work around it is quite messy:

  1. create new service account

    oc create -f - <<EOF
    { "apiVersion": "v1", "kind": "ServiceAccount", "metadata": { "name" : "registry-account" } }
    EOF
    
  2. make it privileged

    oc edit scc privileged # add system:serviceaccount:default:registry-account to users
    
  3. create the registry

    oadm registry --create --credentials=/etc/openshift/master/openshift-registry.kubeconfig --images='registry.access.redhat.com/openshift3/ose-${component}:latest' --selector="region=infra"
    
  4. edit registry deployment config

    oc edit dc docker-registry
    # add "serviceAccount": "registry-account" to spec.template.spec
    # and change spec.template.spec.containers[0].securityContext.privileged to `true`
    
  5. mount host volume

    oc volume dc/docker-registry --add --name=registry-storage -m /registry -t hostPath --path=/mnt/registry --overwrite
    
  6. delete previous resource configurations -- I wonder why this must be done manually

    oc delete rc/docker-registry{1,2,3}
    
  7. wait for the new registry pod to be redeployed -- I always had to run `oc deploy --latest docker-registry` manually because the triggered deployment failed

With --service-account re-added, steps 4, 5 and 6 will be gone.
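The two issues above turn on the same thing: a service account being listed in the privileged SCC, whether the registry command does it automatically or an admin does it by hand in step 2 of the workaround. The following audit script is an added example, not code from the atomic-enterprise project; it assumes a JSON document in the shape of `oc get scc -o json` (the `items`, `metadata.name`, `allowPrivilegedContainer` and `users` fields) and runs over a constructed sample so that it can be tried offline.

```python
"""List the service accounts that an SCC allowing privileged containers grants access to.

Added example, not atomic-enterprise code. Input is a JSON document in the
shape of `oc get scc -o json`; the sample below is constructed for this example.
"""
import json

# Constructed sample: field names follow the SecurityContextConstraints object,
# the contents are made up. The registry-account entry mirrors the manual
# workaround step "oc edit scc privileged".
SAMPLE_SCC_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "privileged"},
         "allowPrivilegedContainer": True,
         "users": ["system:serviceaccount:default:registry-account",
                   "system:admin"]},
        {"metadata": {"name": "restricted"},
         "allowPrivilegedContainer": False,
         "users": []},
    ],
})

SA_PREFIX = "system:serviceaccount:"


def privileged_service_accounts(scc_json):
    """Return (scc_name, namespace, sa_name) for every SA listed in a privileged SCC."""
    found = []
    for scc in json.loads(scc_json).get("items", []):
        if not scc.get("allowPrivilegedContainer", False):
            continue
        # `users` may be null in a real object, hence the `or []`.
        for user in scc.get("users", []) or []:
            if not user.startswith(SA_PREFIX):
                continue  # human users are out of scope for this check
            parts = user[len(SA_PREFIX):].split(":", 1)
            if len(parts) != 2:
                continue  # malformed entry, skip rather than guess
            found.append((scc["metadata"]["name"], parts[0], parts[1]))
    return found


def unexpected_grants(scc_json, allowed):
    """Grants whose (namespace, sa_name) is not on an explicit allow-list."""
    return [g for g in privileged_service_accounts(scc_json)
            if (g[1], g[2]) not in allowed]


if __name__ == "__main__":
    for scc, ns, sa in unexpected_grants(SAMPLE_SCC_LIST, set()):
        print(f"{ns}/{sa} is listed in SCC {scc} (allowPrivilegedContainer=true)")
```

Run it against `oc get scc -o json` output instead of the sample and keep the allow-list to the service accounts an admin deliberately decided to privilege.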

./hack/test-cmd.sh is failing

Rev: 0bca21a
Environment: F21 (Vagrant DevBox w/VirtualBox)
Failure:

...
[FAIL] !!!!! Test Failed !!!!

I0709 12:21:36.537924    2143 panic.go:17] OpenShift will terminate as soon as a panic occurs.
2015/07/09 12:21:36 profile: cpu profiling enabled, cpu.pprof
I0709 12:21:36.577838    2143 start_allinone.go:225] Starting an Atomic Enterprise all-in-one
I0709 12:21:36.839219    2143 start_master.go:303] Starting an Atomic Enterprise master, reachable at 127.0.0.1:8443 (etcd: [https://127.0.0.1:4001])
I0709 12:21:36.839239    2143 start_master.go:304] Atomic Enterprise master public address is https://127.0.0.1:8443
I0709 12:21:36.966107    2143 server.go:65] etcd: peerTLS: cert = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.crt, key = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.key, ca = /tmp/openshift-cmd.2GAe/openshift.local.config/master/ca.crt
I0709 12:21:37.087242    2143 server.go:76] etcd: listening for peers on https://127.0.0.1:7001
I0709 12:21:37.087396    2143 server.go:87] etcd: clientTLS: cert = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.crt, key = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.key, ca = /tmp/openshift-cmd.2GAe/openshift.local.config/master/ca.crt
I0709 12:21:37.205702    2143 server.go:98] etcd: listening for client requests on https://127.0.0.1:4001
2015/07/09 12:21:37 etcdserver: datadir is valid for the 2.0.1 format
2015/07/09 12:21:37 etcdserver: name = openshift.local
2015/07/09 12:21:37 etcdserver: data dir = /tmp/openshift-cmd.2GAe/etcd
2015/07/09 12:21:37 etcdserver: member dir = /tmp/openshift-cmd.2GAe/etcd/member
2015/07/09 12:21:37 etcdserver: heartbeat = 100ms
2015/07/09 12:21:37 etcdserver: election = 1000ms
2015/07/09 12:21:37 etcdserver: snapshot count = 0
2015/07/09 12:21:37 etcdserver: advertise client URLs = https://127.0.0.1:4001
2015/07/09 12:21:37 etcdserver: initial advertise peer URLs = https://127.0.0.1:7001
2015/07/09 12:21:37 etcdserver: initial cluster = openshift.local=https://127.0.0.1:7001
2015/07/09 12:21:37 etcdserver: start member 51cc720fdd39e048 in cluster dcf5ba954f7ebe11
2015/07/09 12:21:37 raft: 51cc720fdd39e048 became follower at term 0
2015/07/09 12:21:37 raft: newRaft 51cc720fdd39e048 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
2015/07/09 12:21:37 raft: 51cc720fdd39e048 became follower at term 1
2015/07/09 12:21:37 etcdserver: set snapshot count to default 10000
2015/07/09 12:21:37 etcdserver: added local member 51cc720fdd39e048 [https://127.0.0.1:7001] to cluster dcf5ba954f7ebe11
I0709 12:21:37.216277    2143 etcd.go:68] Started etcd at 127.0.0.1:4001
I0709 12:21:37.622849    2143 master.go:991] Using default project node label selector:
E0709 12:21:37.731821    2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
I0709 12:21:38.159320    2143 plugins.go:70] No cloud provider specified.
E0709 12:21:38.159762    2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
I0709 12:21:38.160380    2143 master.go:316] Setting master service IPs based on PortalNet subnet to "172.30.0.1" (read-only) and "172.30.0.2" (read-write).
E0709 12:21:38.160650    2143 reflector.go:133] Failed to list *api.LimitRange: Get https://127.0.0.1:8443/api/v1/limitranges: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.160714    2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.160767    2143 reflector.go:133] Failed to list *api.ServiceAccount: Get https://127.0.0.1:8443/api/v1/serviceaccounts: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161393    2143 reflector.go:133] Failed to list *api.SecurityContextConstraints: Get https://127.0.0.1:8443/api/v1/securitycontextconstraints: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161481    2143 reflector.go:133] Failed to list *api.Secret: Get https://127.0.0.1:8443/api/v1/secrets?fieldSelector=type%3Dkubernetes.io%2Fservice-account-token: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161815    2143 reflector.go:133] Failed to list *api.ResourceQuota: Get https://127.0.0.1:8443/api/v1/resourcequotas: dial tcp 127.0.0.1:8443: connection refused
2015/07/09 12:21:38 raft: 51cc720fdd39e048 is starting a new election at term 1
2015/07/09 12:21:38 raft: 51cc720fdd39e048 became candidate at term 2
2015/07/09 12:21:38 raft: 51cc720fdd39e048 received vote from 51cc720fdd39e048 at term 2
2015/07/09 12:21:38 raft: 51cc720fdd39e048 became leader at term 2
2015/07/09 12:21:38 raft.node: 51cc720fdd39e048 elected leader 51cc720fdd39e048 at term 2
2015/07/09 12:21:38 etcdserver: published {Name:openshift.local ClientURLs:[https://127.0.0.1:4001]} to cluster dcf5ba954f7ebe11
W0709 12:21:38.323603    2143 controller.go:237] Resetting endpoints for master service "kubernetes" to &{{ } {kubernetes  default    0001-01-01 00:00:00 +0000 UTC <nil> map[] map[]} [{[{127.0.0.1 <nil>}] [{ 8443 TCP}]}]}
...

Remove builder service account

Since builder is disabled in AE, it makes no sense to create it for each project.

    oc get serviceaccounts
    NAME               SECRETS
    builder            2
    default            2
    deployer           2
