From Ian.Donaldson at NGIC.COM Tue Aug 6 09:58:10 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Tue, 6 Aug 2019 15:58:10 +0000
Subject: [caasp-beta] Dex AD group membership not showing
In-Reply-To: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com>
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com>
Message-ID: <666e5bb9a890402aa3449a7fa65b44be@WSWPPME001.NGIC.COM>

How do I get dex to pull down groups for a user?

Our company uses Active Directory for ldap, which I am able to authenticate a user against ok, but I never see any group info in the logs, which we need for tying RBAC to...

2019-08-01T16:41:02.971260002-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="performing ldap search OU=NGIC,DC=NGIC,DC=COM sub (&(objectClass=person)(sAMAccountName=i807154))"
2019-08-01T16:41:02.991102943-04:00 stderr F time="2019-08-01T20:41:02Z" level=info msg="username \"i807154\" mapped to entry CN=Donaldson\, Ian,OU=Permanent,OU=Users,OU=Winston-Salem,OU=Sites,OU=NGIC,DC=NGIC,DC=COM"
2019-08-01T16:41:03.026028235-04:00 stderr F time="2019-08-01T20:41:03Z" level=info msg="login successful: connector \"AD\", username=\"Donaldson, Ian\", email=\"Ian.Donaldson at NGIC.COM\", groups=[]"

[CL test] root at plctapconwc001:/var/log/containers #

Here is my config:

# This is a sample with LDAP as connector.
# Requires an update to fulfill your environment.
connectors:
- type: ldap
  id: AD
  name: AD
  config:
    host: adldap.ngic.com:389
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: true
    bindDN: "CN=my bind account"
    bindPW: 'password'
    usernamePrompt: User Name
    userSearch:
      baseDN: OU=NGIC,DC=NGIC,DC=COM
      filter: "(objectClass=person)"
      username: sAMAccountName
      #idAttr: DN
      #emailAttr: sAMAccountName
      #nameAttr: cn
      idAttr: DN
      emailAttr: mail
      nameAttr: cn
    groupSearch:
      baseDN: OU=NGIC,DC=NGIC,DC=COM
      filter: "(objectClass=group)"
      #userAttr: distinguishedName
      #groupAttr: member
      #nameAttr: sAMAccountName
      # username: userPrincipalName
      userAttr: DN
      groupAttr: member
      nameAttr: cn

----------------------------------------------------------------------
Note: Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
----------------------------------------------------------------------

From Ian.Donaldson at NGIC.COM Wed Aug 7 08:24:21 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 7 Aug 2019 14:24:21 +0000
Subject: [caasp-beta] workers - Unable to read config path "/etc/kubernetes/manifests": path does not exist
Message-ID:

Hi,

We noticed the following spam looking messages filling up our central syslog. It looks like /etc/kubernetes/manifests exists on the masters, but not on the workers.

2019-08-07T14:20:03.235537+00:00 worker-02 k8s.system/kubelet[4253] E0807 10:20:03.235497 4253 file_linux.go:61] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
2019-08-07T14:20:03.902887+00:00 worker-01 k8s.system/kubelet[2133] E0807 10:20:03.902832 2133 file_linux.go:61] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring

syslogs # grep -c kubernetes/manifests messages
73317

According to this the rpm should take care of this. Is there something needing to be added to a worker when it is joined via skuba?

https://github.com/kubernetes/kubeadm/issues/1345

Thanks,

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Wed Aug 7 08:55:00 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 7 Aug 2019 14:55:00 +0000
Subject: [caasp-beta] dex - failure to rotate keys
Message-ID: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>

Seeing a lot of these failures to rotate keys, due to forbidden status.

2019-08-07T14:52:25.529575+00:00 caasp-test-worker-02 k8s.pod/kube-system/oidc-dex-55fc689dc-vtvnh/oidc-dex 2019-08-07T10:52:25.529490058-04:00 stderr F time="2019-08-07T14:52:25Z" level=error msg="failed to rotate keys: PUT https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/signingkeies/openid-connect-keys Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"signingkeies.dex.coreos.com \\"openid-connect-keys\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"openid-connect-keys\",\"group\":\"dex.coreos.com\",\"kind\":\"signingkeies\"},\"code\":403}\""

Thanks,
Ian
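
For triaging the denial quoted above, an added example (not part of the original post; the thread does not show how Beta 5 changed the RBAC objects): a Python sketch that reads API-server "is forbidden" messages out of log lines and groups them into the narrowest RBAC rule each denial implies. The first sample line is the message part of the error above, shortened; the second is constructed.

```python
import re
from collections import defaultdict

# Line 1: the "message" part of the error quoted in the post above, shortened
# but with its nested backslash escaping kept. Line 2: constructed for this example.
SAMPLE_LOG = [
    r'level=error msg="failed to rotate keys: Forbidden: response from server '
    r'\"{\"message\":\"signingkeies.dex.coreos.com \\"openid-connect-keys\\" is '
    r'forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot '
    r'update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" in '
    r'the namespace \\"kube-system\\"\",\"code\":403}\""',
    'signingkeies.dex.coreos.com "openid-connect-keys" is forbidden: User '
    '"system:serviceaccount:kube-system:oidc-dex" cannot get resource '
    '"signingkeies" in API group "dex.coreos.com" in the namespace "kube-system"',
]

# Wording of the API server's authorization denial, as it appears on this page.
# The object name and the namespace are optional (list calls, cluster-scoped kinds).
DENIAL = re.compile(
    r'(?:"(?P<name>[^"]+)" )?is forbidden: User "(?P<user>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)


def parse_denial(line):
    """Return the fields of one denial, or None if the line is not a denial."""
    # Loggers re-escape the quotes at every layer; drop the backslashes first.
    match = DENIAL.search(line.replace("\\", ""))
    return match.groupdict() if match else None


def subject_of(user):
    """Map an API-server user name to an RBAC subject."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    return {"kind": "User", "name": user}


def minimal_rules(lines):
    """Group denials by subject and object and collect the refused verbs."""
    refused = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d:
            key = (d["user"], d["namespace"] or "", d["group"],
                   d["resource"], d["name"] or "")
            refused[key].add(d["verb"])
    result = []
    for (user, namespace, group, resource, name), verbs in sorted(refused.items()):
        rule = {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        if name:
            rule["resourceNames"] = [name]  # scope the rule to the one object
        result.append({"subject": subject_of(user),
                       "namespace": namespace or None,
                       "rule": rule})
    return result


if __name__ == "__main__":
    for item in minimal_rules(SAMPLE_LOG):
        print(item)
```

The output is a starting point for comparing against the Role that is actually bound to the service account, not a manifest to apply unreviewed.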

From Ian.Donaldson at NGIC.COM Wed Aug 7 09:42:03 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 7 Aug 2019 15:42:03 +0000
Subject: [caasp-beta] syslog - failed to get cgroup stats for "/system.slice/kubelet.service"
Message-ID: <8b61527af7934021a79f575436946461@WSWPPME001.NGIC.COM>

Lots of these messages spamming syslog.

2019-08-07 11:16:13.707999 5943 summary_sys_containers.go:47] Failed to get system container stats for "/system.slice/kubelet.service": failed to get cgroup stats for "/system.slice/kubelet.service": failed to get container info for "/system.slice/kubelet.service": unknown container "/system.slice/kubelet.service"

syslogs # grep -c "/system.slice/kubelet.service" messages
8192

https://github.com/kubernetes/kubernetes/issues/56850

Fix appears to be the following and should be included in rpm:

I added the following to /etc/sysconfig/kubelet and restarted kubelet:

KUBELET_EXTRA_ARGS='--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice'

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Wed Aug 7 12:13:08 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 7 Aug 2019 18:13:08 +0000
Subject: [caasp-beta] Dex AD group membership not showing
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com>
Message-ID: <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>

The issue was not with Dex. The issue is that gangway by default doesn't have the group scope included! This should really be added to the default yaml shipped by SUSE. I can imagine most companies being required to leverage existing ldap groups for RBAC rules in K8s.

I found that this is missing from gangway, and prevents group from even being searched.

Gangway yaml requires:

scopes: ["openid", "profile", "email", "offline_access", "groups"]

Once I added the scope line (it wasn't there by default) with groups, the group search was executed. I was then able to modify dex for our correct search filter.

usernamePrompt: User Name
userSearch:
  baseDN: OU=NGIC,DC=NGIC,DC=COM
  filter: "(objectClass=person)"
  username: sAMAccountName
  idAttr: sAMAccountName
  emailAttr: mail
  nameAttr: DN
groupSearch:
  baseDN: OU=NGIC,DC=NGIC,DC=COM
  filter: "(objectCategory=group)"
  userAttr: DN
  groupAttr: member
  nameAttr: sAMAccountName

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com
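
The behaviour reported in the message above, as an added example that is not part of the original message and is not dex or gangway code: a simplified Python model in which the group search is only issued when the client requested the `groups` scope, and the user's DN is escaped per RFC 4515 before it goes into the `member` filter. The user DN, the directory entries and the `k8s-admins` binding are constructed; the scope list without `groups` is an assumption about what the client sent before the fix.

```python
"""Simplified model of an OIDC login through an LDAP connector (constructed example)."""

# The second list is the scopes line quoted in the message above; the first is
# the same list without "groups" (assumed to be what was requested before the fix).
SCOPES_WITHOUT_GROUPS = ["openid", "profile", "email", "offline_access"]
SCOPES_WITH_GROUPS = SCOPES_WITHOUT_GROUPS + ["groups"]

# groupSearch settings taken from the corrected config in the message above.
GROUP_SEARCH = {
    "filter": "(objectCategory=group)",
    "userAttr": "DN",
    "groupAttr": "member",
    "nameAttr": "sAMAccountName",
}

# Constructed user entry. A comma inside an RDN value is escaped as "\," in the DN,
# the same shape as the DN in the thread's log output.
USER = {"DN": r"CN=Doe\, Jane,OU=Users,DC=example,DC=com", "sAMAccountName": "jdoe"}

# Constructed directory content.
DIRECTORY = [
    {"sAMAccountName": "k8s-admins", "member": [USER["DN"]]},
    {"sAMAccountName": "finance",
     "member": [r"CN=Roe\, Rick,OU=Users,DC=example,DC=com"]},
]

# Constructed: group names that some RoleBinding lists as a Group subject.
RBAC_BOUND_GROUPS = {"k8s-admins"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(group_search, user):
    """Build (&<configured filter>(<groupAttr>=<escaped user value>))."""
    clause = "(%s=%s)" % (group_search["groupAttr"],
                          escape_filter_value(user[group_search["userAttr"]]))
    base = group_search.get("filter", "")
    return "(&%s%s)" % (base, clause) if base else clause


def login(scopes, group_search, user, directory):
    """Return (groups claim, filter sent to the directory or None)."""
    if "groups" not in scopes:
        # No groups scope: the group search is never issued, the claim stays empty.
        return [], None
    wanted = user[group_search["userAttr"]]
    groups = [entry[group_search["nameAttr"]]
              for entry in directory
              if wanted in entry.get(group_search["groupAttr"], [])]
    return groups, group_filter(group_search, user)


def rbac_matches(groups):
    """True if any group in the token is a subject of a (constructed) binding."""
    return bool(RBAC_BOUND_GROUPS.intersection(groups))


if __name__ == "__main__":
    for scopes in (SCOPES_WITHOUT_GROUPS, SCOPES_WITH_GROUPS):
        groups, flt = login(scopes, GROUP_SEARCH, USER, DIRECTORY)
        print("scopes=%s\n  filter=%s\n  groups=%s rbac_match=%s"
              % (scopes, flt, groups, rbac_matches(groups)))
```

Without the scope the model returns an empty groups list, matching the `groups=[]` log line earlier in the thread, so any RoleBinding that names a group never matches.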

From jenting.hsiao at suse.com Wed Aug 7 23:07:23 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Thu, 8 Aug 2019 05:07:23 +0000
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
Message-ID:

Hi Ian,

Thanks for your report. This issue was fixed in Beta 5.

JenTing

_______________________________________________
caasp-beta mailing list
caasp-beta at lists.suse.com
Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta

From jenting.hsiao at suse.com Wed Aug 7 23:09:11 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Thu, 8 Aug 2019 05:09:11 +0000
Subject: [caasp-beta] Dex AD group membership not showing
In-Reply-To: <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com> <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>
Message-ID:

Hi Ian,

Thanks for your report. The group scope was added in Beta 5.

JenTing

From Ian.Donaldson at NGIC.COM Wed Aug 7 23:23:02 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Thu, 8 Aug 2019 05:23:02 +0000
Subject: [caasp-beta] Dex AD group membership not showing
In-Reply-To:
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com> <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>
Message-ID:

I have installed Beta 5, but perhaps it didn't install correctly over Beta 4. What version of caasp-dex and gangway images should there be? I show:

image: registry.suse.com/caasp/v4/caasp-dex:2.16.0
image: registry.suse.com/caasp/v4/gangway:3.1.0

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Wed Aug 7 23:23:54 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Thu, 8 Aug 2019 05:23:54 +0000
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To:
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
Message-ID: <6dcbe5ff8c6448fca1abc4ed8f597193@WSWPPME001.NGIC.COM>

I upgraded to Beta 5 from Beta 4, but perhaps it didn't install correctly? How do I correct this?

Thanks,
Ian

From jenting.hsiao at suse.com Wed Aug 7 23:46:50 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Thu, 8 Aug 2019 05:46:50 +0000
Subject: [caasp-beta] Dex AD group membership not showing
In-Reply-To:
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com> <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>
Message-ID:

Hi Ian,

Both image versions are correct!

The gangway manifest is generated when `skuba cluster init` is executed. I am not sure: when you upgraded from Beta4 to Beta5, did you redeploy the whole cluster?

JenTing
The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ________________________________ Note: Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. _______________________________________________ caasp-beta mailing list caasp-beta at lists.suse.com Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... 

From jenting.hsiao at suse.com Wed Aug 7 23:49:07 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Thu, 8 Aug 2019 05:49:07 +0000
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To: <6dcbe5ff8c6448fca1abc4ed8f597193@WSWPPME001.NGIC.COM>
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM> <6dcbe5ff8c6448fca1abc4ed8f597193@WSWPPME001.NGIC.COM>
Message-ID:

Hi Ian,

The dex manifest is generated on `skuba cluster init`. Or you could edit the ClusterRole by `kubectl edit ClusterRole oidc-dex --namespace kube-system` and add the update verb to resources signingkeies.

JenTing
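
The 403 errors quoted in this thread already name the service account, verb, resource and API group that the oidc-dex ClusterRole lacks. The following Python is an added example, not part of the original messages and not code from dex or skuba: it extracts those fields from dex log lines and prints the rules to add. The sample lines are trimmed copies of the thread's errors with a placeholder token id, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: dex error lines trimmed from the ones quoted in this thread
# (JSON tail shortened, token id replaced), one repeat, and one unrelated info line.
SAMPLE_LOG = r'''
time="2019-08-07T14:52:25Z" level=error msg="failed to rotate keys: PUT https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/signingkeies/openid-connect-keys Forbidden: response from server \"{\"kind\":\"Status\",\"message\":\"signingkeies.dex.coreos.com \\"openid-connect-keys\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"code\":403}\""
time="2019-08-07T14:57:25Z" level=error msg="failed to rotate keys: PUT https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/signingkeies/openid-connect-keys Forbidden: response from server \"{\"kind\":\"Status\",\"message\":\"signingkeies.dex.coreos.com \\"openid-connect-keys\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"code\":403}\""
time="2019-08-16T15:44:00Z" level=error msg="failed to get refresh token: GET https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/refreshtokens/exampletokenid Forbidden: response from server \"{\"kind\":\"Status\",\"message\":\"refreshtokens.dex.coreos.com \\"exampletokenid\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot get resource \\"refreshtokens\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"code\":403}\""
time="2019-08-16T15:44:01Z" level=info msg="login successful: connector \"AD\", groups=[]"
'''

# The API server's denial sentence, tolerant of any number of backslashes that
# log re-escaping puts in front of each quote.
FORBIDDEN = re.compile(
    r'User \\*"(?P<user>[^"\\]+)\\*" cannot (?P<verb>[a-z]+) resource '
    r'\\*"(?P<resource>[^"\\]+)\\*" in API group \\*"(?P<group>[^"\\]*)\\*"'
    r'(?: in the namespace \\*"(?P<namespace>[^"\\]+)\\*")?'
)


def parse_denials(log_text):
    """Return one dict (user, verb, resource, group, namespace) per RBAC denial."""
    denials = []
    for line in log_text.splitlines():
        match = FORBIDDEN.search(line)
        if match:
            denials.append(match.groupdict())
    return denials


def missing_rules(denials):
    """Collapse repeated denials into the smallest rule list per subject."""
    grouped = defaultdict(lambda: defaultdict(set))
    for d in denials:
        grouped[d["user"]][(d["group"], d["resource"])].add(d["verb"])
    result = {}
    for user, perms in grouped.items():
        # Resources that need the same verbs in the same API group share a rule.
        merged = defaultdict(set)
        for (group, resource), verbs in perms.items():
            merged[(group, tuple(sorted(verbs)))].add(resource)
        result[user] = [
            {"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
            for (group, verbs), resources in sorted(merged.items())
        ]
    return result


def service_account(user):
    """Split 'system:serviceaccount:<namespace>:<name>'; None for other subjects."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2], parts[3]
    return None


def flow(items):
    """Format a list of strings as a YAML flow sequence."""
    return "[" + ", ".join('"%s"' % item for item in items) + "]"


def render_rules(rules):
    """Render rules as a YAML fragment for the 'rules:' list of a ClusterRole."""
    lines = []
    for rule in rules:
        lines.append("- apiGroups: " + flow(rule["apiGroups"]))
        lines.append("  resources: " + flow(rule["resources"]))
        lines.append("  verbs: " + flow(rule["verbs"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for user, rules in missing_rules(parse_denials(SAMPLE_LOG)).items():
        print("# subject:", user, "->", service_account(user))
        print(render_rules(rules))
```

Review the printed rules before adding them with `kubectl edit ClusterRole oidc-dex`: a denial shows only what the service account attempted, so grant the listed verbs on the listed resources rather than a wildcard.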

From Ian.Donaldson at NGIC.COM Wed Aug 7 23:49:52 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Thu, 8 Aug 2019 05:49:52 +0000
Subject: [caasp-beta] Dex AD group membership not showing
In-Reply-To:
References: <5F45F2B3-5389-448A-954A-C4D781F5B0E4@suse.com> <9da31583671f4589bde11f263a3b2aca@WSWPPME001.NGIC.COM>
Message-ID:

Got it, I did not redeploy the whole cluster completely with a skuba cluster init. I must have accidentally used the old dex and gangway yaml files from Beta 4.

Thanks!
Ian

From Ian.Donaldson at NGIC.COM Wed Aug 7 23:53:04 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Thu, 8 Aug 2019 05:53:04 +0000
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To:
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM> <6dcbe5ff8c6448fca1abc4ed8f597193@WSWPPME001.NGIC.COM>
Message-ID:

Got it. Thank you! We have teams starting to use the v4 cluster, even though Beta, so I've been trying not to disrupt them too much and didn't get these updates as a result.

Thanks,
Ian

From jmassaguerpla at suse.de Thu Aug 8 01:50:12 2019
From: jmassaguerpla at suse.de (Jordi Massaguer Pla)
Date: Thu, 8 Aug 2019 09:50:12 +0200
Subject: [caasp-beta] workers - Unable to read config path "/etc/kubernetes/manifests": path does not exist
In-Reply-To:
References:
Message-ID:

Hi Ian Donaldson,

we just created a bug in our system for us to fix it.

https://bugzilla.suse.com/show_bug.cgi?id=1144796

Thanks for reaching out to us with this, it is really appreciated

jordi

On 08/07/2019 04:24 PM, Donaldson, Ian wrote:
>
> We noticed the following spam looking messages filling up our central
> syslog. It looks like /etc/kubernetes/manifests exists on the
> masters, but not on the workers.
>
> 2019-08-07T14:20:03.235537+00:00 worker-02 k8s.system/kubelet[4253] E0807 10:20:03.235497    4253 file_linux.go:61] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
>
> 2019-08-07T14:20:03.902887+00:00 worker-01 k8s.system/kubelet[2133] E0807 10:20:03.902832    2133 file_linux.go:61] Unable to read config path "/etc/kubernetes/manifests": path does not exist, ignoring
>
> syslogs # grep -c kubernetes/manifests messages
>
> 73317
>
> According to this the rpm should take care of this. Is there something
> needing to be added to a worker when it is joined via skuba?
>
> https://github.com/kubernetes/kubeadm/issues/1345
>

--
Jordi Massaguer Pla
Release Manager for SUSE CaaS Platform
SUSE Linux
https://www.suse.com

From jmassaguerpla at suse.de Thu Aug 8 02:14:33 2019
From: jmassaguerpla at suse.de (Jordi Massaguer Pla)
Date: Thu, 8 Aug 2019 10:14:33 +0200
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
Message-ID:

Hi!

Would you mind opening a bug in https://bugzilla.suse.com/enter_bug.cgi?product=Beta%20SUSE%20CaaS%20Platform%204

This will help us fix it.

Thanks in advance

jordi

--
Jordi Massaguer Pla
Release Manager for SUSE CaaS Platform
SUSE Linux
https://www.suse.com

From jmassaguerpla at suse.de Thu Aug 8 02:15:13 2019
From: jmassaguerpla at suse.de (Jordi Massaguer Pla)
Date: Thu, 8 Aug 2019 10:15:13 +0200
Subject: [caasp-beta] syslog - failed to get cgroup stats for "/system.slice/kubelet.service"
In-Reply-To: <8b61527af7934021a79f575436946461@WSWPPME001.NGIC.COM>
References: <8b61527af7934021a79f575436946461@WSWPPME001.NGIC.COM>
Message-ID: <384a26ab-1d3d-55fc-9552-2229a1c95849@suse.de>

Hi,

Could you open a bug in https://bugzilla.suse.com/enter_bug.cgi?product=Beta%20SUSE%20CaaS%20Platform%204

This will help us fix it.

Thanks in advance

On 08/07/2019 05:42 PM, Donaldson, Ian wrote:
>
> Lots of these messages spamming syslog.
>
> 2019-08-07 11:16:13.707999    5943 summary_sys_containers.go:47] Failed to get system container stats for "/system.slice/kubelet.service": failed to get cgroup stats for "/system.slice/kubelet.service": failed to get container info for "/system.slice/kubelet.service": unknown container "/system.slice/kubelet.service"
>
> syslogs # grep -c "/system.slice/kubelet.service" messages
> 8192
>
> https://github.com/kubernetes/kubernetes/issues/56850
>
> Fix appears to be the following and should be included in rpm:
>
> I added the following to /etc/sysconfig/kubelet and restarted kubelet:
> KUBELET_EXTRA_ARGS='--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice'
>
> Ian Donaldson
> Unix Systems Administrator
> Office: 336-435-3983
> ian.donaldson at NGIC.com

--
Jordi Massaguer Pla
Release Manager for SUSE CaaS Platform
SUSE Linux
https://www.suse.com

From jmassaguerpla at suse.de Thu Aug 8 02:18:04 2019
From: jmassaguerpla at suse.de (Jordi Massaguer Pla)
Date: Thu, 8 Aug 2019 10:18:04 +0200
Subject: [caasp-beta] dex - failure to rotate keys
In-Reply-To:
References: <159d6275b6ef40b4addc18b4d9d9bde3@WSWPPME001.NGIC.COM>
Message-ID: <09b57f86-c6cc-87ad-aba1-4b48f356860a@suse.de>

Hi,

I just read yours and JenTing's emails about this. Looks like the bug is fixed in Beta5. Nice :) !

Thanks for reaching out

--
Jordi Massaguer Pla
Release Manager for SUSE CaaS Platform
SUSE Linux
https://www.suse.com

From Ian.Donaldson at NGIC.COM Fri Aug 16 10:44:19 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Fri, 16 Aug 2019 16:44:19 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
Message-ID: <74cc754fabb846d2b746087d7ad6a4b0@NGIC.COM>

One of our developers can't login to gangway/dex to get his token. I see these errors in the dex logs. Any ideas?

2019-08-16T11:44:00.072284195-04:00 stderr F time="2019-08-16T15:44:00Z" level=error msg="failed to get refresh token: GET https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/refreshtokens/bj7ffgjikxfj6hiryzqgmzm6x Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"refreshtokens.dex.coreos.com \\"bj7ffgjikxfj6hiryzqgmzm6x\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot get resource \\"refreshtokens\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"bj7ffgjikxfj6hiryzqgmzm6x\",\"group\":\"dex.coreos.com\",\"kind\":\"refreshtokens\"},\"code\":403}\""

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Fri Aug 16 11:55:52 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Fri, 16 Aug 2019 17:55:52 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
Message-ID: <62f071f5bb7b47f5ad155bcdbb104c0c@NGIC.COM>

One of our developers can't login to gangway/dex to get his token. He gets this message in the browser. any ideas?

securecookie: the value is too long

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com
From Ian.Donaldson at NGIC.COM Fri Aug 16 15:41:12 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Fri, 16 Aug 2019 21:41:12 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
Message-ID: <054696f6fc9b4084abdb22fd2366073e@NGIC.COM>

I'm wondering if this is because he is a member of many ldap groups. How do we work around a value that is too long??

Ian

From roger.klorese at suse.com Fri Aug 16 23:31:10 2019
From: roger.klorese at suse.com (Roger Klorese)
Date: Sat, 17 Aug 2019 05:31:10 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To: <054696f6fc9b4084abdb22fd2366073e@NGIC.COM>
References: <054696f6fc9b4084abdb22fd2366073e@NGIC.COM>
Message-ID: <4709164F-2280-4F8B-BADB-B2BA3352EEC7@suse.com>

Pretty likely. Expect to hear back on Monday - the development team tracking the beta list were gone by the time the issue was posted.

Roger B.A. Klorese (they/them or he/him)
Senior Product Manager
SUSE
255 King Street Suite 800
Seattle WA 98104
(P)+1 206.217.7432
(M)+1 425.444.5493
roger.klorese at suse.com
Schedule a meeting: https://doodle.com/RogerKlorese
GPG Key: D567 F186 A6AE D244 067E 95E4 E67D 019F 0670 D9CC

From jenting.hsiao at suse.com Mon Aug 19 04:45:57 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Mon, 19 Aug 2019 10:45:57 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To: <054696f6fc9b4084abdb22fd2366073e@NGIC.COM>
References: <054696f6fc9b4084abdb22fd2366073e@NGIC.COM>
Message-ID:

Hi Ian,

Have you added refreshtokens get permission on ClusterRole?

JenTing

From jenting.hsiao at suse.com Mon Aug 19 04:47:18 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Mon, 19 Aug 2019 10:47:18 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To:
References: <74cc754fabb846d2b746087d7ad6a4b0@NGIC.COM>
Message-ID:

Looping in more people.

JenTing Hsiao wrote on 2019-08-17 11:45:
> Hi Ian,
>
> It is due to the oidc-dex ClusterRole having no get permission on refreshtokens.
> Thanks for finding the bug. Please help file a bugzilla if possible.
>
> JenTing

From Ian.Donaldson at NGIC.COM Mon Aug 19 07:24:46 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Mon, 19 Aug 2019 13:24:46 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To:
References: <74cc754fabb846d2b746087d7ad6a4b0@NGIC.COM>
Message-ID: <63bb5b79237146cabe9d766482685e98@NGIC.COM>

Ok I have added get to refresh tokens as follows and will open a Bugzilla.

The real issue now for developers getting logged in from a browser seems to be the "securecookie: the value is too long" issue. I will log Bugzilla as well, but that seems much more critical.

kind: ClusterRole
metadata:
  name: oidc-dex
  namespace: kube-system
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["create", "get", "list", "update", "watch"]
- apiGroups: ["dex.coreos.com"]
  resources: ["oauth2clients", "connectors", "passwords", "refreshtokens"]
  verbs: ["list"]
- apiGroups: ["dex.coreos.com"]
  resources: ["signingkeies"]
  verbs: ["create", "get", "list", "update"]
- apiGroups: ["dex.coreos.com"]
  resources: ["authcodes", "authrequests", "offlinesessionses"]
  verbs: ["create", "delete", "get", "list", "update"]
- apiGroups: ["dex.coreos.com"]
  resources: ["refreshtokens"]
  verbs: ["get","create", "delete"]

Ian

From fbergmann at suse.de Mon Aug 19 07:44:23 2019
From: fbergmann at suse.de (Florian Bergmann)
Date: Mon, 19 Aug 2019 15:44:23 +0200
Subject: [caasp-beta] syslog - failed to get cgroup stats for "/system.slice/kubelet.service"
In-Reply-To: <384a26ab-1d3d-55fc-9552-2229a1c95849@suse.de>
References: <8b61527af7934021a79f575436946461@WSWPPME001.NGIC.COM> <384a26ab-1d3d-55fc-9552-2229a1c95849@suse.de>
Message-ID:

Hi,

I tried to reproduce this bug on a cluster, but with the versions currently in `devel` this can no longer be reproduced.

It seems that some upstream fix might have already cleaned this up for us.
Best regards,

On 8/8/19 10:15 AM, Jordi Massaguer Pla wrote:
> Hi,
>
> Could you open a bug in https://bugzilla.suse.com/enter_bug.cgi?product=Beta%20SUSE%20CaaS%20Platform%204
>
> This will help us fix it.
>
> Thanks in advance
>
> On 08/07/2019 05:42 PM, Donaldson, Ian wrote:
>> Lots of these messages spamming syslog.
>>
>> 2019-08-07 11:16:13.707999    5943 summary_sys_containers.go:47] Failed to get system container stats for "/system.slice/kubelet.service": failed to get cgroup stats for "/system.slice/kubelet.service": failed to get container info for "/system.slice/kubelet.service": unknown container "/system.slice/kubelet.service"
>>
>> syslogs # grep -c "/system.slice/kubelet.service" messages
>> 8192
>>
>> https://github.com/kubernetes/kubernetes/issues/56850
>>
>> Fix appears to be the following and should be included in rpm:
>>
>> I added the following to /etc/sysconfig/kubelet and restarted kubelet:
>> KUBELET_EXTRA_ARGS='--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice'
>>
>> Ian Donaldson

--
Florian Bergmann fbergmann at suse.de
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0

From jenting.hsiao at suse.com Mon Aug 19 19:24:50 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Tue, 20 Aug 2019 01:24:50 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To: <63bb5b79237146cabe9d766482685e98@NGIC.COM>
References: <74cc754fabb846d2b746087d7ad6a4b0@NGIC.COM> <63bb5b79237146cabe9d766482685e98@NGIC.COM>
Message-ID:

Great, thanks!

From jenting.hsiao at suse.com Mon Aug 19 22:15:21 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Tue, 20 Aug 2019 04:15:21 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To: <63bb5b79237146cabe9d766482685e98@NGIC.COM>
References: <74cc754fabb846d2b746087d7ad6a4b0@NGIC.COM> <63bb5b79237146cabe9d766482685e98@NGIC.COM>
Message-ID:

Hi Ian,

RC1 fixes the issue of refresh tokens having no get permission. Please wait.

We will check the other issue, "securecookie: the value is too long".

JenTing

From jenting.hsiao at suse.com Tue Aug 20 02:03:55 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Tue, 20 Aug 2019 08:03:55 +0000
Subject: [caasp-beta] caasp v4 dex refreshtokens forbidden
In-Reply-To: <62f071f5bb7b47f5ad155bcdbb104c0c@NGIC.COM>
References: <62f071f5bb7b47f5ad155bcdbb104c0c@NGIC.COM>
Message-ID:

Hi Ian,

Could you provide which browser and version the developer used?

JenTing

From lukas.grossar at adfinis-sygroup.ch Tue Aug 20 02:16:30 2019
From: lukas.grossar at adfinis-sygroup.ch (Lukas Grossar)
Date: Tue, 20 Aug 2019 10:16:30 +0200
Subject: [caasp-beta] zypper up only provides skuba 0.6.1
Message-ID:

Hi everyone

I'm currently trying to install the current Beta 5 of SUSE CaaSP but zypper somehow only installs version 0.6.1 of skuba.

I followed the instructions to enable the Containers module and SUSE CaaS Platform 4.0:

SUSEConnect -p sle-module-containers/15.1/x86_64
SUSEConnect -p caasp/4.0/x86_64 -r xxx

But with `zypper in skuba` only version 0.6.1 is installed. In `zypper repos` I see both the Pool and Updates repo enabled for SUSE-CAASP-4.0.

Am I missing something?

Regards
Lukas

--
Adfinis SyGroup AG
Lukas Grossar, Senior System Engineer
Giessereiweg 5 | CH-3007 Bern
Tel. 031 550 31 11 | Direkt 031 550 31 06

From beta-programs at lists.suse.com Tue Aug 20 09:54:13 2019
From: beta-programs at lists.suse.com (SUSE Beta Program)
Date: Tue, 20 Aug 2019 17:54:13 +0200
Subject: [caasp-beta] [ANNOUNCE] SUSE CaaS Platform 4.0 RC 1 is out!
Message-ID: <5d5c17a54ada_604a2b2765e925fc3082a@zourite.lab.gb.mail>

We are happy to announce the Release Candidate 1 of SUSE CaaS Platform 4.0.

Notable changes in RC 1

The most relevant work has been on the integration with other SUSE Products, and you can now find documentation for:

- SUSE Cloud Application Platform Integration[1]
- SUSE Enterprise Storage Integration[2]
- SUSE OpenStack Cloud Integration[3]

Apart from that, the team also added a new feature:

- skuba login, which is a command line interface application that enables authentication flow for your SUSE CaaS Platform. Users can login, authorize access, and get the `kubeconfig` file.

For more details, see the Release Notes[4].

Reporting issues:

If you find issues, kindly report them to the SUSE Bugzilla[5]. Feedback is very welcome.

Architecture and working features:

The architecture of SUSE CaaS Platform 4.0 is described here[6].

This build has been tested on SUSE OpenStack Cloud 8, VMware ESXi 6.7.0 and bare metal. We have validated the following features:

- Bootstrapping a cluster
- Deploying with Terraform in SUSE OpenStack Cloud and VMware
- Deploying with autoyast for Bare Metal
- Adding, removing nodes and resetting nodes
- Deploying, scaling, and exposing nginx image
- PodSecurityPolicy deployment and conformance
- Applying Base OS updates
- Centralized Logging
- Authentication and Role Base Access Control
- http/https proxy for crio
- AppArmor installed and enabled on nodes
- helm/tiller deployment
- Cilium L3/L4 policies
- SCC and RMT registration
- Cloud Provider Integration for OpenStack
- 389 Directory Service and Active Directory integration for Role Base Access Control
- Kubernetes conformance tests
- Custom registry for containers
- Bootstrap a cluster for 250 nodes
- Integration with SUSE Cloud Application Platform
- Integration with SUSE Enterprise Storage
- skuba login

See our Release Notes[7] for most recent changes and Known Issues[8].

Note that the product is not feature complete yet, we will continue to improve it.

Beta Registration codes

You should not use a SLES 15 SP1 environment with the SLE Beta Registration Code anymore. Because the SLE Beta Registration Code is expired now but you can either use your regular SLE Registration Code or use a Trial.

Registration is not working with your regular key, special Beta Registration Code is required. You need to request one for SUSE CaaS Platform 4.0 Beta Program by contacting us at beta-programs at lists.suse.com[9].

Installation

Use the terraform package to install SUSE CaaS Platform on SUSE OpenStack Cloud or VMware. Use autoyast for installing on Bare Metal. Refer to the Deployment Guide[10] for further information.

Beta Page [11]
Documentation [12]

Have fun beta testing!

Your SUSE CaaS Platform Team

Please refer to our dedicated SUSE CaaSP Beta Program[13] webpage for any general information. However, do not hesitate to contact us at beta-programs at lists.suse.com if you have any questions.

You received this email because you're signed up to get updates from us.
Click here to unsubscribe.[14]

[1]:https://susedoc.github.io/doc-caasp/beta/caasp-admin/single-html/#_suse_cloud_application_platform_integration
[2]:https://susedoc.github.io/doc-caasp/beta/caasp-admin/single-html/#_suse_enterprise_storage_integration
[3]:https://susedoc.github.io/doc-caasp/beta/caasp-deployment/single-html/#_deployment_on_suse_openstack_cloud
[4]:https://susedoc.github.io/caasp-release-notes/beta/release-notes/single-html/
[5]:https://bugzilla.suse.com/enter_bug.cgi?product=Beta%20SUSE%20CaaS%20Platform%204
[6]:https://susedoc.github.io/doc-caasp/beta/caasp-architecture/single-html/
[7]:https://www.suse.com/betaprogram/caasp-beta/#releasenotes
[8]:https://www.suse.com/betaprogram/caasp-beta/#knownissues
[9]:mailto:beta-programs at lists.suse.com?subject=Requesting%20SUSE%20CaaSP%204.0%20Beta%20Registration%20Codes&body=Requesting%20SUSE%20CaaSP%204.0
[10]:https://susedoc.github.io/doc-caasp/beta/caasp-deployment/single-html/
[11]:https://www.suse.com/betaprogram/caasp-beta
[12]:https://www.suse.com/betaprogram/caasp-beta/#documentation
[13]:https://www.suse.com/betaprogram/caasp-beta/
[14]:mailto:beta-programs at lists.suse.com?subject=Unsubscribe%20from%20SUSE%20CaaSP%20Beta&body=Unsubscribe%20from%20SUSE%20CaaSP%20Beta

From Simon.Briggs at suse.com Tue Aug 20 10:00:54 2019
From: Simon.Briggs at suse.com (Simon Briggs)
Date: Tue, 20 Aug 2019 16:00:54 +0000
Subject: [caasp-beta] Issue with repo when bootstrapping master with skuba
Message-ID:

Hi,

I have used standard terraforms to build a small 3 node environment with CPI. This seems to work fine when registering against the SCC.

But when I use command:

skuba node bootstrap --user sles --sudo --target 151.155.15.166 caasp-master-sibriggs-caasp-cluster-0 -v 5

I get the error:

** This is a BETA release and NOT intended for production usage. **
I0820 16:55:49.549897 7183 config.go:38] loading configuration from "kubeadm-init.conf"
I0820 16:55:49.551182 7183 states.go:35] === applying state kubernetes.install-node-pattern ===
I0820 16:55:51.703516 7183 ssh.go:167] running command: "sudo sh -c 'zypper --non-interactive install --force patterns-caasp-Node-1.15'"
I0820 16:55:53.549139 7183 ssh.go:190] stdout | Refreshing service 'Basesystem_Module_15_SP1_x86_64'.
I0820 16:55:53.549300 7183 ssh.go:190] stdout | Refreshing service 'Containers_Module_15_SP1_x86_64'.
I0820 16:55:53.549340 7183 ssh.go:190] stdout | Refreshing service 'SUSE_CaaS_Platform_4.0_x86_64'.
I0820 16:55:53.549588 7183 ssh.go:190] stdout | Refreshing service 'SUSE_Linux_Enterprise_Server_15_SP1_x86_64'.
I0820 16:55:53.549990 7183 ssh.go:190] stdout | Refreshing service 'Server_Applications_Module_15_SP1_x86_64'.
I0820 16:55:55.390479 7183 ssh.go:190] stdout | Loading repository data...
I0820 16:55:55.405980 7183 ssh.go:190] stdout | Reading installed packages...
I0820 16:55:55.508669 7183 ssh.go:190] stderr | Package 'patterns-caasp-Node-1.15' not found.
F0820 16:55:55.515453 7183 bootstrap.go:48] error bootstraping node: failed to apply state kubernetes.install-node-pattern: Process exited with status 104

But on the master node I can only see:

sles at caasp-master-sibriggs-caasp-cluster-0:~> zypper se patterns-caasp-Nod
Loading repository data...
Reading installed packages...

S  | Name                | Summary                 | Type
---+---------------------+-------------------------+--------
i+ | patterns-caasp-Node | SUSE CaaS Platform Node | package

Which I installed myself.

sles at caasp-master-sibriggs-caasp-cluster-0:~> SUSEConnect -l
Root privileges are required to register products and change software repositories
sles at caasp-master-sibriggs-caasp-cluster-0:~> sudo SUSEConnect -l
AVAILABLE EXTENSIONS AND MODULES

Basesystem Module 15 SP1 x86_64 (Activated)
  Deactivate with: SUSEConnect -d -p sle-module-basesystem/15.1/x86_64
Containers Module 15 SP1 x86_64 (Activated)
  Deactivate with: SUSEConnect -d -p sle-module-containers/15.1/x86_64
SUSE CaaS Platform 4.0 x86_64 (BETA) (Activated)
  Deactivate with: SUSEConnect -d -p caasp/4.0/x86_64
Desktop Applications Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-desktop-applications/15.1/x86_64
Development Tools Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-development-tools/15.1/x86_64
SUSE Linux Enterprise Workstation Extension 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-we/15.1/x86_64 -r ADDITIONAL REGCODE
Python 2 Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-python2/15.1/x86_64
SUSE Cloud Application Platform Tools Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-cap-tools/15.1/x86_64
SUSE Linux Enterprise Live Patching 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-live-patching/15.1/x86_64 -r ADDITIONAL REGCODE
SUSE Package Hub 15 SP1 x86_64
  Activate with: SUSEConnect -p PackageHub/15.1/x86_64
Server Applications Module 15 SP1 x86_64 (Activated)
  Deactivate with: SUSEConnect -d -p sle-module-server-applications/15.1/x86_64
Legacy Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-legacy/15.1/x86_64
Public Cloud Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-public-cloud/15.1/x86_64
SUSE Enterprise Storage 6 x86_64
  Activate with: SUSEConnect -p ses/6/x86_64 -r ADDITIONAL REGCODE
SUSE Linux Enterprise High Availability Extension 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-ha/15.1/x86_64 -r ADDITIONAL REGCODE
Web and Scripting Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-web-scripting/15.1/x86_64
Transactional Server Module 15 SP1 x86_64
  Activate with: SUSEConnect -p sle-module-transactional-server/15.1/x86_64

My manager/deployer was built Friday 20th Aug 2019.

I can provide access to the nodes if this helps, but I couldn't find any variables where I could change this package name to the correct one.

Kind regards

Simon Briggs
EMEA Cloud Technical Strategist at SUSE
simon.briggs at suse.com
+44 (0) 1635 937619
+44 (0) 7881 808969

From vmoutoussamy at suse.com Wed Aug 21 02:26:56 2019
From: vmoutoussamy at suse.com (Vincent Moutoussamy)
Date: Wed, 21 Aug 2019 08:26:56 +0000
Subject: [caasp-beta] Issue with repo when bootstrapping master with skuba
In-Reply-To:
References:
Message-ID: <6011F614-EBBE-4011-8DEE-A55BF864F5DF@suse.com>

Hi,

I think this issue might be due to the SCC channels updates we did to release RC1. Please redo your testing, it might work now.

Regards,
--
Vincent Moutoussamy
SUSE Beta Program, JeOS and SDK Project Manager

On 20 Aug 2019, at 18:00, Simon Briggs wrote:

> Hi,
>
> I have used standard terraforms to build a small 3 node environment with CPI. This seems to work fine when registering against the SCC.
>
> But when I use command:
>
> skuba node bootstrap --user sles --sudo --target 151.155.15.166 caasp-master-sibriggs-caasp-cluster-0 -v 5
>
> I get the error:
>
> ** This is a BETA release and NOT intended for production usage. **
> I0820 16:55:49.549897 7183 config.go:38] loading configuration from "kubeadm-init.conf"
> I0820 16:55:49.551182 7183 states.go:35] === applying state kubernetes.install-node-pattern ===
> I0820 16:55:51.703516 7183 ssh.go:167] running command: "sudo sh -c 'zypper --non-interactive install --force patterns-caasp-Node-1.15'"
> I0820 16:55:53.549139 7183 ssh.go:190] stdout | Refreshing service 'Basesystem_Module_15_SP1_x86_64'.
> I0820 16:55:53.549300 7183 ssh.go:190] stdout | Refreshing service 'Containers_Module_15_SP1_x86_64'.
I0820 16:55:53.549340 7183 ssh.go:190] stdout | Refreshing service 'SUSE_CaaS_Platform_4.0_x86_64'. I0820 16:55:53.549588 7183 ssh.go:190] stdout | Refreshing service 'SUSE_Linux_Enterprise_Server_15_SP1_x86_64'. I0820 16:55:53.549990 7183 ssh.go:190] stdout | Refreshing service 'Server_Applications_Module_15_SP1_x86_64'. I0820 16:55:55.390479 7183 ssh.go:190] stdout | Loading repository data... I0820 16:55:55.405980 7183 ssh.go:190] stdout | Reading installed packages... I0820 16:55:55.508669 7183 ssh.go:190] stderr | Package 'patterns-caasp-Node-1.15' not found. F0820 16:55:55.515453 7183 bootstrap.go:48] error bootstraping node: failed to apply state kubernetes.install-node-pattern: Process exited with status 104 But on the master node I can only see: sles at caasp-master-sibriggs-caasp-cluster-0:~> zypper se patterns-caasp-Nod Loading repository data... Reading installed packages... S | Name | Summary | Type ---+---------------------+-------------------------+-------- i+ | patterns-caasp-Node | SUSE CaaS Platform Node | package Which I installed myself. 
sles at caasp-master-sibriggs-caasp-cluster-0:~> SUSEConnect -l Root privileges are required to register products and change software repositories sles at caasp-master-sibriggs-caasp-cluster-0:~> sudo SUSEConnect -l AVAILABLE EXTENSIONS AND MODULES Basesystem Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-basesystem/15.1/x86_64 Containers Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-containers/15.1/x86_64 SUSE CaaS Platform 4.0 x86_64 (BETA) (Activated) Deactivate with: SUSEConnect -d -p caasp/4.0/x86_64 Desktop Applications Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-desktop-applications/15.1/x86_64 Development Tools Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-development-tools/15.1/x86_64 SUSE Linux Enterprise Workstation Extension 15 SP1 x86_64 Activate with: SUSEConnect -p sle-we/15.1/x86_64 -r ADDITIONAL REGCODE Python 2 Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-python2/15.1/x86_64 SUSE Cloud Application Platform Tools Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-cap-tools/15.1/x86_64 SUSE Linux Enterprise Live Patching 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-live-patching/15.1/x86_64 -r ADDITIONAL REGCODE SUSE Package Hub 15 SP1 x86_64 Activate with: SUSEConnect -p PackageHub/15.1/x86_64 Server Applications Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-server-applications/15.1/x86_64 Legacy Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-legacy/15.1/x86_64 Public Cloud Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-public-cloud/15.1/x86_64 SUSE Enterprise Storage 6 x86_64 Activate with: SUSEConnect -p ses/6/x86_64 -r ADDITIONAL REGCODE SUSE Linux Enterprise High Availability Extension 15 SP1 x86_64 Activate with: SUSEConnect -p sle-ha/15.1/x86_64 -r ADDITIONAL REGCODE Web and Scripting Module 15 SP1 x86_64 Activate with: SUSEConnect -p 
sle-module-web-scripting/15.1/x86_64 Transactional Server Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-transactional-server/15.1/x86_64 My manager/deployer was built Friday 20th Aug 2019. I can provide access to the nodes if this helps, but I couldn't find any variables were I could change this package name to the correct. Kind regards Simon Briggs EMEA Cloud Technical Strategist at SUSE simon.briggs at suse.com +44 (0) 1635 937619 +44 (0) 7881 808969 _______________________________________________ caasp-beta mailing list caasp-beta at lists.suse.com Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta -------------- next part -------------- An HTML attachment was scrubbed... URL: From Simon.Briggs at suse.com Wed Aug 21 02:51:34 2019 From: Simon.Briggs at suse.com (Simon Briggs) Date: Wed, 21 Aug 2019 08:51:34 +0000 Subject: [caasp-beta] Issue with repo when bootstrapping master with skuba In-Reply-To: <6011F614-EBBE-4011-8DEE-A55BF864F5DF@suse.com> References: , <6011F614-EBBE-4011-8DEE-A55BF864F5DF@suse.com> Message-ID: Hi, I guessed as much because I saw the RC1 announcement seconds after I sent this mail. Thanks for following up guys. Kind regards Simon Briggs EMEA Cloud Technical Strategist at SUSE simon.briggs at suse.com +44 (0) 1635 937619 +44 (0) 7881 808969 ________________________________________ From: Vincent Moutoussamy Sent: 21 August 2019 09:26 To: Simon Briggs Cc: caasp-beta at lists.suse.com Subject: Re: [caasp-beta] Issue with repo when bootstrapping master with skuba Hi, I think this issue might be due to the SCC channels updates we did to release RC1. Please redo your testing it might works now. Regards, -- Vincent Moutoussamy SUSE Beta Program, JeOS and SDK Project Manager On 20 Aug 2019, at 18:00, Simon Briggs > wrote: Hi, I have used standard terraforms to build a small 3 node environment with CPI. This seems to work fine when registering against the SCC. 
But when I use command: skuba node bootstrap --user sles --sudo --target 151.155.15.166 caasp-master-sibriggs-caasp-cluster-0 -v 5 I get the error: ** This is a BETA release and NOT intended for production usage. ** I0820 16:55:49.549897 7183 config.go:38] loading configuration from "kubeadm-init.conf" I0820 16:55:49.551182 7183 states.go:35] === applying state kubernetes.install-node-pattern === I0820 16:55:51.703516 7183 ssh.go:167] running command: "sudo sh -c 'zypper --non-interactive install --force patterns-caasp-Node-1.15'" I0820 16:55:53.549139 7183 ssh.go:190] stdout | Refreshing service 'Basesystem_Module_15_SP1_x86_64'. I0820 16:55:53.549300 7183 ssh.go:190] stdout | Refreshing service 'Containers_Module_15_SP1_x86_64'. I0820 16:55:53.549340 7183 ssh.go:190] stdout | Refreshing service 'SUSE_CaaS_Platform_4.0_x86_64'. I0820 16:55:53.549588 7183 ssh.go:190] stdout | Refreshing service 'SUSE_Linux_Enterprise_Server_15_SP1_x86_64'. I0820 16:55:53.549990 7183 ssh.go:190] stdout | Refreshing service 'Server_Applications_Module_15_SP1_x86_64'. I0820 16:55:55.390479 7183 ssh.go:190] stdout | Loading repository data... I0820 16:55:55.405980 7183 ssh.go:190] stdout | Reading installed packages... I0820 16:55:55.508669 7183 ssh.go:190] stderr | Package 'patterns-caasp-Node-1.15' not found. F0820 16:55:55.515453 7183 bootstrap.go:48] error bootstraping node: failed to apply state kubernetes.install-node-pattern: Process exited with status 104 But on the master node I can only see: sles at caasp-master-sibriggs-caasp-cluster-0:~> zypper se patterns-caasp-Nod Loading repository data... Reading installed packages... S | Name | Summary | Type ---+---------------------+-------------------------+-------- i+ | patterns-caasp-Node | SUSE CaaS Platform Node | package Which I installed myself. 
sles at caasp-master-sibriggs-caasp-cluster-0:~> SUSEConnect -l Root privileges are required to register products and change software repositories sles at caasp-master-sibriggs-caasp-cluster-0:~> sudo SUSEConnect -l AVAILABLE EXTENSIONS AND MODULES Basesystem Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-basesystem/15.1/x86_64 Containers Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-containers/15.1/x86_64 SUSE CaaS Platform 4.0 x86_64 (BETA) (Activated) Deactivate with: SUSEConnect -d -p caasp/4.0/x86_64 Desktop Applications Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-desktop-applications/15.1/x86_64 Development Tools Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-development-tools/15.1/x86_64 SUSE Linux Enterprise Workstation Extension 15 SP1 x86_64 Activate with: SUSEConnect -p sle-we/15.1/x86_64 -r ADDITIONAL REGCODE Python 2 Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-python2/15.1/x86_64 SUSE Cloud Application Platform Tools Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-cap-tools/15.1/x86_64 SUSE Linux Enterprise Live Patching 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-live-patching/15.1/x86_64 -r ADDITIONAL REGCODE SUSE Package Hub 15 SP1 x86_64 Activate with: SUSEConnect -p PackageHub/15.1/x86_64 Server Applications Module 15 SP1 x86_64 (Activated) Deactivate with: SUSEConnect -d -p sle-module-server-applications/15.1/x86_64 Legacy Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-legacy/15.1/x86_64 Public Cloud Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-public-cloud/15.1/x86_64 SUSE Enterprise Storage 6 x86_64 Activate with: SUSEConnect -p ses/6/x86_64 -r ADDITIONAL REGCODE SUSE Linux Enterprise High Availability Extension 15 SP1 x86_64 Activate with: SUSEConnect -p sle-ha/15.1/x86_64 -r ADDITIONAL REGCODE Web and Scripting Module 15 SP1 x86_64 Activate with: SUSEConnect -p 
sle-module-web-scripting/15.1/x86_64 Transactional Server Module 15 SP1 x86_64 Activate with: SUSEConnect -p sle-module-transactional-server/15.1/x86_64 My manager/deployer was built Friday 20th Aug 2019. I can provide access to the nodes if this helps, but I couldn't find any variables were I could change this package name to the correct. Kind regards Simon Briggs EMEA Cloud Technical Strategist at SUSE simon.briggs at suse.com +44 (0) 1635 937619 +44 (0) 7881 808969 _______________________________________________ caasp-beta mailing list caasp-beta at lists.suse.com Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta From Ian.Donaldson at NGIC.COM Wed Aug 21 08:37:00 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Wed, 21 Aug 2019 14:37:00 +0000 Subject: [caasp-beta] rc1 release - new packages? Message-ID: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> We are subscribed to SLES 15SP1 channel in SUMA and have been taking the CaaSP v4 updates from the associated child channel for CaaSP. I haven't seen any updates come through for RC1 yet, is this expected? Thanks, Ian Donaldson Unix Systems Administrator Office: 336-435-3983 ian.donaldson at NGIC.com [cid:image001.png at 01CF32FA.7C387000] -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 2857 bytes Desc: image001.png URL: From Simon.Briggs at suse.com Wed Aug 21 10:56:39 2019 From: Simon.Briggs at suse.com (Simon Briggs) Date: Wed, 21 Aug 2019 16:56:39 +0000 Subject: [caasp-beta] Testing results found with CaaSP 4 RC1 Message-ID: Hi, I have been testing this using terraform CPI on OpenStack. Initially all looked good as the output of the terraform apply showed that generate-cpi-conf.sh had been called and skuba had successfully built the CaaSP cluster. 
But when I ran "skuba cluster status" I got:

E0821 17:45:29.421056 10829 status.go:34] unable to get cluster status: unable to get admin client set: could not load admin kubeconfig file: failed to load admin kubeconfig: open admin.conf: no such file or directory

Checking the system for a directory structure named "my-cluster" (as detailed in the skuba command run by generate-cpi-conf.sh) I was unable to find any files of that name on the local VM (working as my manager/deployer) I was using for testing and so could not work out how to debug this further. To get around this I moved cloud-provider.tf out of the way stopping the script running skuba being called, but when I manually tried to bootstrap the cluster I saw this error from "skuba node bootstrap --user sles --sudo --target 151.155.15.74 caasp-master-sibriggs-caasp-cluster-0". (see attached file)

Sorry if I have made a config mistake to cause this, but I have checked and rechecked this and cannot see it and the start of a week's vacation is calling me away from doing any more tests. I have stopped the machines on OpenStack, but they can be restarted if you need a look (I can do this and get you access from where I'm staying) Hope it helps. Kind regards Simon Briggs EMEA Cloud Technical Strategist at SUSE simon.briggs at suse.com +44 (0) 1635 937619 +44 (0) 7881 808969

-------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: test-fail1.txt URL:

From Simon.Briggs at suse.com Wed Aug 21 11:15:19 2019 From: Simon.Briggs at suse.com (Simon Briggs) Date: Wed, 21 Aug 2019 17:15:19 +0000 Subject: [caasp-beta] Testing results found with CaaSP 4 RC1 In-Reply-To: References: Message-ID:

Please ignore this "issue" as it was user error. (one last look before I turned off the laptop gave me a clue...DOH!)
Kind regards Simon Briggs EMEA Cloud Technical Strategist at SUSE simon.briggs at suse.com +44 (0) 1635 937619 +44 (0) 7881 808969

From lukas.grossar at adfinis-sygroup.ch Wed Aug 21 11:51:41 2019 From: lukas.grossar at adfinis-sygroup.ch (Lukas Grossar) Date: Wed, 21 Aug 2019 19:51:41 +0200 Subject: [caasp-beta] Configuration updates for addons via skuba Message-ID: <4BF1F6FA-1A40-4AD2-87DB-2A8D823F59A4@adfinis-sygroup.ch>

Hi everyone

Thanks for the RC1 release. Our first tests with an installation on bare metal machines was successful so far. After the deploy I wanted to add an additional connector to the dex configuration and added it to addons/dex/dex.yaml and was looking for some skuba command to rollout this change to the cluster via skuba but came up blank. Are there any plans for extending skuba so that it can be used for configuration changes or updates of addon components in a running cluster or what would be the recommended way to maintain addons in v4?

Regards
Lukas
-- Adfinis SyGroup AG Lukas Grossar, System Engineer Giessereiweg 5 | CH-3007 Bern Tel. 031 550 31 11 | Direkt 031 550 31 06

From jmassaguerpla at suse.de Thu Aug 22 02:56:22 2019 From: jmassaguerpla at suse.de (Jordi Massaguer Pla) Date: Thu, 22 Aug 2019 10:56:22 +0200 Subject: [caasp-beta] zypper up only provides skuba 0.6.1 In-Reply-To: References: Message-ID: <3bef893a-f059-0d82-b1f2-48496dd22c53@suse.de>

Hi Lukas,

On 08/20/2019 10:16 AM, Lukas Grossar wrote:
> Hi everyone
>
> I'm currently trying to install the current Beta 5 of SUSE CaaSP but
> zypper somehow only installs version 0.6.1 of skuba.
>
> I followed the instructions to enable the Containers module and
> SUSE CaaS Platform 4.0:
>
> SUSEConnect -p sle-module-containers/15.1/x86_64
> SUSEConnect -p caasp/4.0/x86_64 -r xxx
>
> But with `zypper in skuba` only version 0.6.1 is installed. In `zypper
> repos` I see both the Pool and Updates repo enabled for SUSE-CAASP-4.0.
>
> Am I missing something?
>
> Regards
> Lukas

Please try again. You hit the RC1 release time window when we removed all packages from the update channel and instead release them into the Pool.

From lukas.grossar at adfinis-sygroup.ch Thu Aug 22 03:49:28 2019 From: lukas.grossar at adfinis-sygroup.ch (Lukas Grossar) Date: Thu, 22 Aug 2019 11:49:28 +0200 Subject: [caasp-beta] zypper up only provides skuba 0.6.1 In-Reply-To: <3bef893a-f059-0d82-b1f2-48496dd22c53@suse.de> References: <3bef893a-f059-0d82-b1f2-48496dd22c53@suse.de> Message-ID: <71a8fb1fea0d3ed4d0714a000f6500276de239ec.camel@adfinis-sygroup.ch>

Hi Jordi

On Thu, 2019-08-22 at 10:56 +0200, Jordi Massaguer Pla wrote:
> [...]
> Please try again. You hit the RC1 release time window when we
> removed all packages from the update channel and instead release
> them into the Pool.

Thanks for the feedback. I've redeployed my test cluster yesterday with RC1 and everything works fine now!

Regards
Lukas
-- Adfinis SyGroup AG Lukas Grossar, Senior System Engineer Giessereiweg 5 | CH-3007 Bern Tel. 031 550 31 11 | Direkt 031 550 31 06

From jmassaguerpla at suse.de Thu Aug 22 06:30:31 2019 From: jmassaguerpla at suse.de (Jordi Massaguer Pla) Date: Thu, 22 Aug 2019 14:30:31 +0200 Subject: [caasp-beta] rc1 release - new packages? In-Reply-To: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> References: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> Message-ID: <90097541-9c06-98b3-7c58-cf6b2fae9646@suse.de>

Hi Ian,

On 08/21/2019 04:37 PM, Donaldson, Ian wrote:
>
> We are subscribed to SLES 15SP1 channel in SUMA and have been taking
> the CaaSP v4 updates from the associated child channel for CaaSP. I
> haven't seen any updates come through for RC1 yet, is this expected?
>

Do you see the skuba-0.9.4-1.1 package in the SUSE CAASP 4.0 *Pool* channel?
For RC1 we have emptied the update channels and instead update the packages in the Pool channel as a preparation for GMC.

-- Jordi Massaguer Pla Release Manager for SUSE CaaS Platform SUSE Linux https://www.suse.com

From Ian.Donaldson at NGIC.COM Thu Aug 22 11:15:13 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Thu, 22 Aug 2019 17:15:13 +0000 Subject: [caasp-beta] caasp v4 - zypper ps deleted files Message-ID:

I see the following on all master and worker nodes, no matter how many times I reboot. /usr/bin/caasp-pause and /usr/bin/kured do not exist, but the libs referenced do.

zypper ps
The following running processes use deleted files:

PID   | PPID  | UID | User | Command     | Service | Files
------+-------+-----+------+-------------+---------+-------------------------------------------------------
16802 | 16778 | 0   | root | caasp-pause |         | /usr/bin/caasp-pause (stat: No such file or directory)
17334 | 17323 | 0   | root | kured       |         | /lib64/ld-2.26.so (path inode=940720)
      |       |     |      |             |         | /usr/bin/kured (stat: No such file or directory)
      |       |     |      |             |         | /lib64/libc-2.26.so (path inode=1124)

Ian Donaldson Unix Systems Administrator Office: 336-435-3983 ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Thu Aug 22 11:17:29 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Thu, 22 Aug 2019 17:17:29 +0000 Subject: [caasp-beta] caas v4 gangway - open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory Message-ID: <878962da14864698a4d29eee6e377e7f@NGIC.COM>

After updating gangway manifest with RC1 I get the following error when trying to access it in a browser:

open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory

Ian Donaldson Unix Systems Administrator Office: 336-435-3983 ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Thu Aug 22 11:53:31 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Thu, 22 Aug 2019 17:53:31 +0000 Subject: [caasp-beta] rc1 release - new packages? In-Reply-To: <90097541-9c06-98b3-7c58-cf6b2fae9646@suse.de> References: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> <90097541-9c06-98b3-7c58-cf6b2fae9646@suse.de> Message-ID: <02f19cc6441e4ec795d56d4372714724@NGIC.COM>

Got it, thanks! Ian

From Ian.Donaldson at NGIC.COM Thu Aug 22 12:00:40 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Thu, 22 Aug 2019 18:00:40 +0000 Subject: [caasp-beta] rc1 release - new packages? References: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> <90097541-9c06-98b3-7c58-cf6b2fae9646@suse.de> Message-ID: <4d76b53ec47b4a199bc075f5874f30af@NGIC.COM>

I missed this in the release notes.. Updating from Beta to RC 1 # RC 1, unlike Beta 4 or Beta 5, is not published as an update. Updating from any Beta to RC 1 is not supported. Will RC2, and GMC support updates from an existing RC1 cluster? Thanks, Ian

From Ian.Donaldson at NGIC.COM Thu Aug 22 21:46:54 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Fri, 23 Aug 2019 03:46:54 +0000 Subject: [caasp-beta] caas v4 gangway - open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory Message-ID:

Got past this after reinstalling... Ian

From Ian.Donaldson at NGIC.COM Thu Aug 22 21:47:04 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Fri, 23 Aug 2019 03:47:04 +0000 Subject: [caasp-beta] caasp v4 - zypper ps deleted files Message-ID: <7d2c374525a747da86a93fa40f20d0b3@NGIC.COM>

From: Donaldson, Ian Sent: Thursday, August 22, 2019 1:15 PM To: 'caasp-beta at lists.suse.com' Subject: caasp v4 - zypper ps deleted files

From Ian.Donaldson at NGIC.COM Thu Aug 22 21:47:38 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Fri, 23 Aug 2019 03:47:38 +0000 Subject: [caasp-beta] caasp v4 - zypper ps deleted files Message-ID:

After fresh reinstall this still shows up. Logged Bug 1146947 to Bugzilla. Ian

From kukuk at suse.com Thu Aug 22 21:58:56 2019 From: kukuk at suse.com (Thorsten Kukuk) Date: Fri, 23 Aug 2019 05:58:56 +0200 Subject: [caasp-beta] caasp v4 - zypper ps deleted files In-Reply-To: <3369802bda9f4815ae87710d145e57a2@BYAPR18MB2885.namprd18.prod.outlook.com> References: <3369802bda9f4815ae87710d145e57a2@BYAPR18MB2885.namprd18.prod.outlook.com> Message-ID: <20190823035856.GA14711@suse.com>

On Fri, Aug 23, Donaldson, Ian wrote:
> I see the following on all master and worker nodes, no matter how many times I
> reboot. /usr/bin/caasp-pause and /usr/bin/kured do not exist, but the libs
> referenced do.

looks like "zypper ps" gets confused with running containers ...
Thorsten > zypper ps > > The following running processes use deleted files: > > > > PID | PPID | UID | User | Command | Service | Files > > ------+-------+-----+------+-------------+---------+------------------------------------------------------- > > 16802 | 16778 | 0 | root | caasp-pause | | /usr/bin/caasp-pause > (stat: No such file or directory) > > 17334 | 17323 | 0 | root | kured | | /lib64/ld-2.26.so (path > inode=940720) > > | | | | | | /usr/bin/kured (stat: No > such file or directory) > > | | | | | | /lib64/libc-2.26.so (path > inode=1124) > > > > > > > > Ian Donaldson > > Unix Systems Administrator > > Office: 336-435-3983 > > ian.donaldson at NGIC.com > > cid:image001.png at 01CF32FA.7C387000 > > > > > > _______________________________________________ > caasp-beta mailing list > caasp-beta at lists.suse.com > Check the mailing list archives or Unsubscribe at http://lists.suse.com/mailman/listinfo/caasp-beta -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany Managing Director: Felix Imendoerffer (HRB 247165, AG M?nchen) From Ian.Donaldson at NGIC.COM Thu Aug 22 22:00:12 2019 From: Ian.Donaldson at NGIC.COM (Donaldson, Ian) Date: Fri, 23 Aug 2019 04:00:12 +0000 Subject: [caasp-beta] caasp v4 - zypper ps deleted files In-Reply-To: <20190823035856.GA14711@suse.com> References: <3369802bda9f4815ae87710d145e57a2@BYAPR18MB2885.namprd18.prod.outlook.com> <20190823035856.GA14711@suse.com> Message-ID: Agreed! ;) -----Original Message----- From: caasp-beta On Behalf Of Thorsten Kukuk Sent: Thursday, August 22, 2019 11:59 PM To: caasp-beta at lists.suse.com Subject: Re: [caasp-beta] caasp v4 - zypper ps deleted files WARNING: This Message came from an external source. Please exercise caution when opening any attachments or clicking on links. 
---------------------------------------------------------------------- On Fri, Aug 23, Donaldson, Ian wrote: > I see the following on all master and worker nodes, no matter how many > times I reboot. /usr/bin/caasp-pause and /usr/bin/kured do not exist, > but the libs refrenced do. looks like "zypper ps" get's confused with running containers ... Thorsten > zypper ps > > The following running processes use deleted files: > > > > PID | PPID | UID | User | Command | Service | Files > > ------+-------+-----+------+-------------+---------+------------------ > ------+-------+-----+------+-------------+---------+------------------ > ------+-------+-----+------+-------------+---------+------------------ > ------+-------+-----+------+-------------+---------+- > > 16802 | 16778 | 0 | root | caasp-pause | | /usr/bin/caasp-pause > (stat: No such file or directory) > > 17334 | 17323 | 0 | root | kured | | /lib64/ld-2.26.so (path > inode=940720) > > | | | | | | /usr/bin/kured (stat: No > such file or directory) > > | | | | | | /lib64/libc-2.26.so (path > inode=1124) > > > > > > > > Ian Donaldson > > Unix Systems Administrator > > Office: 336-435-3983 > > ian.donaldson at NGIC.com > > cid:image001.png at 01CF32FA.7C387000 > > > > > > _______________________________________________ > caasp-beta mailing list > caasp-beta at lists.suse.com > Check the mailing list archives or Unsubscribe at > https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.suse.com_mai > lman_listinfo_caasp-2Dbeta&d=DwIFAw&c=eX9KRkvDm-KpLMQpCehyR8jZgBp9CE2J > NMo9X4BhLFU&r=XL_zjqroomktb1qzCDuhym3JVbyITBCYnbJ2SbM3PwA&m=3xo8iMYBll > lno98REjbTbAZCwSDKPJ1nDZIP6Nu4BPc&s=rf0_J7Tcyf4WjbZ-CJtQ07jmj3Ftwn7FZp > SQUpZ81uY&e= -- Thorsten Kukuk, Distinguished Engineer, Senior Architect SLES & MicroOS SUSE Software Solutions Germany GmbH, Maxfeldstr. 
5, 90409 Nuernberg, Germany
Managing Director: Felix Imendoerffer (HRB 247165, AG München)

From jmassaguerpla at suse.de Fri Aug 23 04:18:38 2019
From: jmassaguerpla at suse.de (Jordi Massaguer Pla)
Date: Fri, 23 Aug 2019 12:18:38 +0200
Subject: [caasp-beta] rc1 release - new packages?
In-Reply-To: <4d76b53ec47b4a199bc075f5874f30af@NGIC.COM>
References: <3e3a08aececb42eda4465d7ae06406f9@NGIC.COM> <90097541-9c06-98b3-7c58-cf6b2fae9646@suse.de> <4d76b53ec47b4a199bc075f5874f30af@NGIC.COM>
Message-ID: <09e45198-0a2d-b185-c124-f082b8cfddb0@suse.de>

On 08/22/2019 08:00 PM, Donaldson, Ian wrote:

> I missed this in the release notes..
>
> Updating from Beta to RC 1
>
> RC 1, unlike Beta 4 or Beta 5, is not published as an update. Updating
> from any Beta to RC 1 is not supported.
>
> Will RC2, and GMC support updates from an existing RC1 cluster?

No, they won't. Next releases will not be released as updates.

From jenting.hsiao at suse.com Fri Aug 23 21:25:06 2019
From: jenting.hsiao at suse.com (JenTing Hsiao)
Date: Sat, 24 Aug 2019 03:25:06 +0000
Subject: [caasp-beta] caas v4 gangway - open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory
In-Reply-To:
References:
Message-ID:

Ian,

Sorry for the inconvenience.
The gangway image got updated due to branding but does not bump out new container image version since I thought we are in beta program (and I don't wanna change image pull policy as Always because it might waste time on always downloading image even just redeploys gangway)

Jenting

On 2019-08-23 at 11:46, Donaldson, Ian wrote:

Got past this after reinstalling?

Ian

From: Donaldson, Ian
Sent: Thursday, August 22, 2019 1:17 PM
To: 'caasp-beta at lists.suse.com'
Subject: caas v4 gangway - open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory

After updating gangway manifest with RC1 I get the following error when trying to access it in a browser:

open /usr/share/caasp-gangway/web/templates/caasp/home.tmpl: no such file or directory

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From Ian.Donaldson at NGIC.COM Wed Aug 28 11:52:53 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 28 Aug 2019 17:52:53 +0000
Subject: [caasp-beta] CaasP v4 Question
Message-ID: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>

Is there any chance SUSE could ship Certbot/Let's Encrypt w/CaaS v4 so things like Gangway/Dex out of the box look secure in an end user's browser (green lockbox)?

Thanks,

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com
From roger.klorese at suse.com Wed Aug 28 11:56:13 2019
From: roger.klorese at suse.com (Roger Klorese)
Date: Wed, 28 Aug 2019 17:56:13 +0000
Subject: [caasp-beta] CaasP v4 Question
In-Reply-To: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>
References: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>
Message-ID:

Great question. Since our gold master candidate is being built, it won't be in 4.0, but as we will be doing quarterly updates, and potentially releasing non-breaking capabilities more often, I will definitely put it in the PM feature backlog ahead of a lot of other stuff.

Roger B.A. Klorese (they/them or he/him)
Senior Product Manager
SUSE
255 King St Suite 800
Seattle WA 98104
(P)+1 206.217.7432
(M)+1 425.444.5493
roger.klorese at suse.com
Schedule a meeting: https://doodle.com/RogerKlorese
GPG Key: D567 F186 A6AE D244 067E 95E4 E67D 019F 0670 D9CC
From CSeader at suse.com Wed Aug 28 11:56:21 2019
From: CSeader at suse.com (Cameron Seader)
Date: Wed, 28 Aug 2019 17:56:21 +0000
Subject: [caasp-beta] CaasP v4 Question
In-Reply-To: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>
References: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>
Message-ID:

That's a great idea. We have solutions written for other things. I can take a look at a solution there. It may not be Certbot though.

-- 
Cameron Seader
Technology Strategist
SUSE
cs at suse.com
(M)208-420-2167
www.susecon.com

From Ian.Donaldson at NGIC.COM Wed Aug 28 12:02:11 2019
From: Ian.Donaldson at NGIC.COM (Donaldson, Ian)
Date: Wed, 28 Aug 2019 18:02:11 +0000
Subject: [caasp-beta] CaasP v4 Question
In-Reply-To:
References: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM>
Message-ID: <958796f1cd3c4f0c9e936d736873e3e9@NGIC.COM>

Right, no hard dependency on Certbot, that's just what came to mind. I think this would be a really big win. I can already hear end users complaining about the existing cert warnings in their browsers for things like gangway/dex.
Thanks,

Ian Donaldson
Unix Systems Administrator
Office: 336-435-3983
ian.donaldson at NGIC.com

From roger.klorese at suse.com Wed Aug 28 13:07:29 2019
From: roger.klorese at suse.com (Roger Klorese)
Date: Wed, 28 Aug 2019 19:07:29 +0000
Subject: [caasp-beta] CaasP v4 Question
In-Reply-To: <958796f1cd3c4f0c9e936d736873e3e9@NGIC.COM>
References: <33141ddc13cb4367b21e4c5c92db9f05@NGIC.COM> , <958796f1cd3c4f0c9e936d736873e3e9@NGIC.COM>
Message-ID:

We were already planning on support of external certs for 4.x - it was planned for 4.0 but got cut on the time-vs-resources balancing act.
So adding Let's Encrypt/Certbot capability to it is a great enhancement, especially given kubeadm's certificate-handling capabilities.

Roger B.A. Klorese (they/them or he/him)
Senior Product Manager
SUSE
255 King St Suite 800
Seattle WA 98104
(P)+1 206.217.7432
(M)+1 425.444.5493
roger.klorese at suse.com
Schedule a meeting: https://doodle.com/RogerKlorese
GPG Key: D567 F186 A6AE D244 067E 95E4 E67D 019F 0670 D9CC