Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2020/03/30 01:32:01 UTC
[GitHub] [openwhisk-deploy-kube] ratripathi opened a new issue #594:
gen-certs unable to creates certificates due to insufficient permissions on
OpenShift 4.3
URL: https://github.com/apache/openwhisk-deploy-kube/issues/594
**Environment:**
OpenShift 4.3
**Issue Details:**
I am trying to deploy OW on a multi-node OpenShift 4.3 cluster; however, the gen-certs container fails due to insufficient permissions.
**Pod Details:**
```
[root@ocp43env-inf openwhisk-deploy-kube]# oc describe pod owdev-gen-certs-8kw5s
Name: owdev-gen-certs-8kw5s
Namespace: openwhisk
Priority: 0
Node: worker2.ocp43env.os.fyre.test.com/10.16.37.86
Start Time: Sun, 29 Mar 2020 18:17:12 -0700
Labels: app=owdev-openwhisk
chart=openwhisk-0.2.1
controller-uid=37fa9beb-dd6b-43df-9945-824dc5066686
heritage=Tiller
job-name=owdev-gen-certs
name=owdev-gen-certs
release=owdev
Annotations: k8s.v1.cni.cncf.io/networks-status:
openshift.io/scc: anyuid
Status: Failed
IP: 10.254.0.245
IPs:
IP: 10.254.0.245
Controlled By: Job/owdev-gen-certs
Containers:
gen-certs:
Container ID: cri-o://46f189427b39623ed36edd338b1649565530e8e50add8f65d4bff2f5ce68f64a
Image: openwhisk/ow-utils:12b2b76
Image ID: docker.io/openwhisk/ow-utils@sha256:894d52e22bcf7118e5a40fffd46c8aa2d33e9a7755bd490a27d5acc34014d84a
Port: <none>
Host Port: <none>
Command:
/bin/bash
-c
set -e; . /task/gencerts.sh
State: Terminated
Reason: Error
Exit Code: 1
Started: Sun, 29 Mar 2020 18:17:20 -0700
Finished: Sun, 29 Mar 2020 18:17:21 -0700
Ready: False
Restart Count: 0
Environment:
NGINX_CERT_SECRET: owdev-nginx
WHISK_API_HOST_NAME: <set to the key 'whisk_api_host_name' of config map 'owdev-whisk.config'> Optional: false
Mounts:
/task/gencerts.sh from task-dir (rw,path="gencerts.sh")
/var/run/secrets/kubernetes.io/serviceaccount from owdev-init-sa-token-kqgc7 (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
task-dir:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: owdev-gen-certs
Optional: false
owdev-init-sa-token-kqgc7:
Type: Secret (a volume populated by a Secret)
SecretName: owdev-init-sa-token-kqgc7
Optional: false
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Pulled 7m26s kubelet, worker2.ocp43env.os.fyre.test.com Container image "openwhisk/ow-utils:12b2b76" already present on machine
Normal Created 7m26s kubelet, worker2.ocp43env.os.fyre.test.com Created container gen-certs
Normal Started 7m26s kubelet, worker2.ocp43env.os.fyre.test.com Started container gen-certs
```
**Container Logs:**
```
[root@ocp43env-inf openwhisk-deploy-kube]# oc logs -f owdev-gen-certs-8kw5s -c gen-certs
Error from server (NotFound): secrets "owdev-nginx" not found
generating new owdev-nginx secret
generating server certificate request
Can't open /cert-gen/openwhisk-server-request.csr for writing, Permission denied
139636596765120:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:72:fopen('/cert-gen/openwhisk-server-request.csr','w')
139636596765120:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:81:
```
**Pods Status:**
```
NAME READY STATUS RESTARTS AGE
owdev-alarmprovider-78fc6f44cd-xg6p8 1/1 Running 0 5h
owdev-apigateway-6595ffb657-ncjj5 1/1 Running 0 5h
owdev-cloudantprovider-69485d9bdd-88w94 1/1 Running 0 5h
owdev-controller-0 1/1 Running 0 5h
owdev-couchdb-75d5658f75-vdsnj 1/1 Running 0 5h
owdev-gen-certs-8kw5s 0/1 Error 0 14m
owdev-gen-certs-lmbfh 0/1 Error 0 5h
owdev-gen-certs-ps2pk 0/1 Error 0 5h
owdev-init-couchdb-psdwh 0/1 Completed 0 5h
owdev-install-packages-d86s7 0/1 Completed 0 5h
owdev-invoker-0 1/1 Running 0 5h
owdev-kafka-0 0/1 CrashLoopBackOff 60 5h
owdev-kafkaprovider-7fc45bbbf9-mqttm 1/1 Running 0 5h
owdev-redis-dbf5b4bdd-f4b9s 1/1 Running 0 5h
owdev-wskadmin 1/1 Running 0 5h
owdev-zookeeper-0 1/1 Running 0 5h
wskowdev-invoker-00-1-prewarm-nodejs10 1/1 Running 0 4h59m
wskowdev-invoker-00-2-prewarm-nodejs10 1/1 Running 0 4h59m
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [openwhisk-deploy-kube] dgrove-oss commented on issue #594:
gen-certs unable to creates certificates due to insufficient permissions on
OpenShift 4.3
Posted by GitBox <gi...@apache.org>.
URL: https://github.com/apache/openwhisk-deploy-kube/issues/594#issuecomment-608680471
Does it help if you change `openwhisk-deploy-kube/helm/openwhisk/configMapFiles/genCerts/gencerts.sh` to write the certificate to `/tmp` instead of `/cert-gen`? We just need a scratch directory to write files; it doesn't need to be `/cert-gen` specifically.
```
diff --git a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
index b5dbb19..a0a4067 100755
--- a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
+++ b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
@@ -19,7 +19,7 @@ if kubectl get secret $NGINX_CERT_SECRET; then
echo "using existing $NGINX_CERT_SECRET secret"
else
echo "generating new $NGINX_CERT_SECRET secret"
- genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
- kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+ genssl.sh "*.$WHISK_API_HOST_NAME" server /tmp
+ kubectl create secret tls $NGINX_CERT_SECRET --cert=/tmp/openwhisk-server-cert.pem --key=/tmp/openwhisk-server-key.pem
fi
```
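Review bot: The two `+` lines write the server private key to a fixed, predictable path in a shared scratch location (`/tmp/openwhisk-server-key.pem`) and nothing in the hunk removes it after `kubectl create secret tls` succeeds. Since any scratch directory will do, consider creating a private one with `mktemp -d`, passing it to `genssl.sh` and to `--cert`/`--key`, and removing it in a `trap ... EXIT` so the key does not outlive the job step. Separately, `$NGINX_CERT_SECRET` is unquoted in both `kubectl get secret` and `kubectl create secret tls`; quoting it would match the quoting already used for `"*.$WHISK_API_HOST_NAME"`.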