projectatomic / atomic-enterprise
Atomic Enterprise - deploy and manage your containers with Docker and Kubernetes
Home Page: http://www.projectatomic.io/
License: Apache License 2.0
It's ok if the registry admin command creates a registry service account to use when running the registry, but it must not add it to the privileged SCC. This gives that service account superuser privileges by default, which is something an admin should make a careful decision about.
See https://pagure.io/atomic-wg/issue/428

If no reply is received to this issue (or on the above ticket), this repository will be archived.
Without the registry command accepting a service account, the --mount-host option isn't usable. The option requires the registry's service account to be privileged. However, the default service account, which certainly isn't privileged, is selected for the registry.

The way to work around it is quite messy:

1. create a new service account

    oc create -f - <<EOF
    { "apiVersion": "v1", "kind": "ServiceAccount", "metadata": { "name" : "registry-account" } }
    EOF

2. make it privileged

    oc edit scc privileged # add system:serviceaccount:default:registry-account to users

3. create the registry

    oadm registry --create --credentials=/etc/openshift/master/openshift-registry.kubeconfig --images='registry.access.redhat.com/openshift3/ose-${component}:latest' --selector="region=infra"

4. edit the registry deployment config

    oc edit dc docker-registry
    # add "serviceAccount": "registry-account" to spec.template.spec
    # and change spec.template.spec.containers[0].securityContext.privileged to `true`

5. mount the host volume

    oc volume dc/docker-registry --add --name=registry-storage -m /registry -t hostPath --path=/mnt/registry --overwrite

6. delete the previous resource configurations -- I wonder why this must be done manually

    oc delete rc/docker-registry{1,2,3}

7. wait for the new registry pod to be redeployed -- I always had to run `oc deploy --latest docker-registry` manually because the triggered deployment failed

With --service-account re-added, steps 4, 5 and 6 will be gone.
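One way to turn the "careful decision" the first issue asks for into a repeatable check: an added Python example (not part of this issue or the project's code) that parses the JSON of the privileged SCC as returned by `oc get scc privileged -o json` and reports any service account granted it without approval, plus what that grant actually hands out. The SCC document below is a constructed sample; its field names follow the v1 SecurityContextConstraints shape that the `oc edit scc privileged` step in the workaround modifies.

```python
import json

SA_PREFIX = "system:serviceaccount:"

# Constructed sample of what `oc get scc privileged -o json` returns after the
# workaround added the registry service account (made-up values, not a capture).
SAMPLE_SCC = json.loads("""
{
  "kind": "SecurityContextConstraints",
  "apiVersion": "v1",
  "metadata": {"name": "privileged"},
  "allowPrivilegedContainer": true,
  "allowHostDirVolumePlugin": true,
  "users": [
    "system:serviceaccount:openshift-infra:build-controller",
    "system:serviceaccount:default:registry-account"
  ],
  "groups": ["system:cluster-admins", "system:nodes"]
}
""")


def service_accounts_in_scc(scc):
    """Return (namespace, name) pairs for every service account named in the SCC's users list."""
    accounts = []
    for user in scc.get("users", []):
        if user.startswith(SA_PREFIX):
            namespace, _, name = user[len(SA_PREFIX):].partition(":")
            accounts.append((namespace, name))
    return accounts


def audit_privileged_scc(scc, expected):
    """Flag service accounts granted this SCC that are not in `expected` (a set of
    (namespace, name) pairs the admin consciously approved) and list what the grant buys."""
    name = scc["metadata"]["name"]
    findings = []
    for namespace, account in service_accounts_in_scc(scc):
        if (namespace, account) not in expected:
            findings.append(f"{name}: unexpected service account {namespace}/{account}")
    if scc.get("allowPrivilegedContainer"):
        findings.append(f"{name}: allows privileged containers (effectively root on the node)")
    if scc.get("allowHostDirVolumePlugin"):
        findings.append(f"{name}: allows hostPath volumes (what --mount-host relies on)")
    return findings


if __name__ == "__main__":
    for line in audit_privileged_scc(SAMPLE_SCC, {("openshift-infra", "build-controller")}):
        print(line)
```

Run against a live cluster by feeding `oc get scc privileged -o json` into `json.load` instead of the sample; any service account it reports is one that was added by hand, as in step 2 above.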
Rev: 0bca21a
Environment: F21 (Vagrant DevBox w/VirtualBox)
Failure:
...
[FAIL] !!!!! Test Failed !!!!
I0709 12:21:36.537924 2143 panic.go:17] OpenShift will terminate as soon as a panic occurs.
2015/07/09 12:21:36 profile: cpu profiling enabled, cpu.pprof
I0709 12:21:36.577838 2143 start_allinone.go:225] Starting an Atomic Enterprise all-in-one
I0709 12:21:36.839219 2143 start_master.go:303] Starting an Atomic Enterprise master, reachable at 127.0.0.1:8443 (etcd: [https://127.0.0.1:4001])
I0709 12:21:36.839239 2143 start_master.go:304] Atomic Enterprise master public address is https://127.0.0.1:8443
I0709 12:21:36.966107 2143 server.go:65] etcd: peerTLS: cert = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.crt, key = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.key, ca = /tmp/openshift-cmd.2GAe/openshift.local.config/master/ca.crt
I0709 12:21:37.087242 2143 server.go:76] etcd: listening for peers on https://127.0.0.1:7001
I0709 12:21:37.087396 2143 server.go:87] etcd: clientTLS: cert = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.crt, key = /tmp/openshift-cmd.2GAe/openshift.local.config/master/etcd.server.key, ca = /tmp/openshift-cmd.2GAe/openshift.local.config/master/ca.crt
I0709 12:21:37.205702 2143 server.go:98] etcd: listening for client requests on https://127.0.0.1:4001
2015/07/09 12:21:37 etcdserver: datadir is valid for the 2.0.1 format
2015/07/09 12:21:37 etcdserver: name = openshift.local
2015/07/09 12:21:37 etcdserver: data dir = /tmp/openshift-cmd.2GAe/etcd
2015/07/09 12:21:37 etcdserver: member dir = /tmp/openshift-cmd.2GAe/etcd/member
2015/07/09 12:21:37 etcdserver: heartbeat = 100ms
2015/07/09 12:21:37 etcdserver: election = 1000ms
2015/07/09 12:21:37 etcdserver: snapshot count = 0
2015/07/09 12:21:37 etcdserver: advertise client URLs = https://127.0.0.1:4001
2015/07/09 12:21:37 etcdserver: initial advertise peer URLs = https://127.0.0.1:7001
2015/07/09 12:21:37 etcdserver: initial cluster = openshift.local=https://127.0.0.1:7001
2015/07/09 12:21:37 etcdserver: start member 51cc720fdd39e048 in cluster dcf5ba954f7ebe11
2015/07/09 12:21:37 raft: 51cc720fdd39e048 became follower at term 0
2015/07/09 12:21:37 raft: newRaft 51cc720fdd39e048 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
2015/07/09 12:21:37 raft: 51cc720fdd39e048 became follower at term 1
2015/07/09 12:21:37 etcdserver: set snapshot count to default 10000
2015/07/09 12:21:37 etcdserver: added local member 51cc720fdd39e048 [https://127.0.0.1:7001] to cluster dcf5ba954f7ebe11
I0709 12:21:37.216277 2143 etcd.go:68] Started etcd at 127.0.0.1:4001
I0709 12:21:37.622849 2143 master.go:991] Using default project node label selector:
E0709 12:21:37.731821 2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
I0709 12:21:38.159320 2143 plugins.go:70] No cloud provider specified.
E0709 12:21:38.159762 2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
I0709 12:21:38.160380 2143 master.go:316] Setting master service IPs based on PortalNet subnet to "172.30.0.1" (read-only) and "172.30.0.2" (read-write).
E0709 12:21:38.160650 2143 reflector.go:133] Failed to list *api.LimitRange: Get https://127.0.0.1:8443/api/v1/limitranges: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.160714 2143 reflector.go:133] Failed to list *api.Namespace: Get https://127.0.0.1:8443/api/v1/namespaces: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.160767 2143 reflector.go:133] Failed to list *api.ServiceAccount: Get https://127.0.0.1:8443/api/v1/serviceaccounts: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161393 2143 reflector.go:133] Failed to list *api.SecurityContextConstraints: Get https://127.0.0.1:8443/api/v1/securitycontextconstraints: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161481 2143 reflector.go:133] Failed to list *api.Secret: Get https://127.0.0.1:8443/api/v1/secrets?fieldSelector=type%3Dkubernetes.io%2Fservice-account-token: dial tcp 127.0.0.1:8443: connection refused
E0709 12:21:38.161815 2143 reflector.go:133] Failed to list *api.ResourceQuota: Get https://127.0.0.1:8443/api/v1/resourcequotas: dial tcp 127.0.0.1:8443: connection refused
2015/07/09 12:21:38 raft: 51cc720fdd39e048 is starting a new election at term 1
2015/07/09 12:21:38 raft: 51cc720fdd39e048 became candidate at term 2
2015/07/09 12:21:38 raft: 51cc720fdd39e048 received vote from 51cc720fdd39e048 at term 2
2015/07/09 12:21:38 raft: 51cc720fdd39e048 became leader at term 2
2015/07/09 12:21:38 raft.node: 51cc720fdd39e048 elected leader 51cc720fdd39e048 at term 2
2015/07/09 12:21:38 etcdserver: published {Name:openshift.local ClientURLs:[https://127.0.0.1:4001]} to cluster dcf5ba954f7ebe11
W0709 12:21:38.323603 2143 controller.go:237] Resetting endpoints for master service "kubernetes" to &{{ } {kubernetes default 0001-01-01 00:00:00 +0000 UTC <nil> map[] map[]} [{[{127.0.0.1 <nil>}] [{ 8443 TCP}]}]}
...
Since builder is disabled in AE, it makes no sense to create it for each project.
oc get serviceaccounts
NAME SECRETS
builder 2
default 2
deployer 2