ansibleplaybookbundle / kubevirt-apb

APB for managing KubeVirt deployments
Apache License 2.0

Iptables permission denied (you must be root) when provision kubevirt-apb from OCP web console #54

Closed qwang1 closed 6 years ago

qwang1 commented 6 years ago

Hi there,

I chose the ephemeral storage plan to deploy kubevirt on the OCP web console, then I ran into this error when it executed the "Allow ceph OSD traffic" task:

iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)

Here is the ansible log when deploying from the web console:

[root@host-172-16-120-120 ~]# oc project rh-virtualization-prov-w4n5h
Now using project "rh-virtualization-prov-w4n5h" on server "https://172.16.120.120:8443".

[root@host-172-16-120-120 ~]# oc get all
NAME                                          READY     STATUS    RESTARTS   AGE
po/apb-e1ebfcc3-4a01-4c0f-83c2-8080d880c127   0/1       Error     0          1m

[root@host-172-16-120-120 ~]# oc logs po/apb-e1ebfcc3-4a01-4c0f-83c2-8080d880c127
+ [[ provision --extra-vars {"_apb_plan_id":"storage-demo","_apb_service_class_id":"60c8357b2a1cb091488d9c5586c4eb4b","_apb_service_instance_id":"94ef5eab-0670-4e69-8702-7688af1c5b0d","admin_password":"redhat","admin_user":"qwang","cluster":"openshift","namespace":"qwang-storage-demo-1","storage_role":"storage-demo","version":"0.4.1-alpha.2"} == *\s\2\i\/\a\s\s\e\m\b\l\e* ]]
+ ACTION=provision
+ shift
+ apb_action_path=kubevirt-ansible/playbooks/kubevirt.yml
+ playbooks=/etc/ansible/roles/kubevirt-ansible/playbooks/kubevirt.yml
+ CREDS=/var/tmp/bind-creds
+ TEST_RESULT=/var/tmp/test-result
+ whoami
+ '[' -w /etc/passwd ']'
++ id -u
+ echo 'apb:x:1000180000:0:apb user:/opt/apb:/sbin/nologin'
+ set +x
+ [[ -e /etc/ansible/roles/kubevirt-ansible/playbooks/kubevirt.yml ]]
+ [[ ! -d /etc/ansible/roles/kubevirt-ansible/playbooks/kubevirt.yml ]]
+ ANSIBLE_ROLES_PATH=/etc/ansible/roles:/opt/ansible/roles
+ ansible-playbook /etc/ansible/roles/kubevirt-ansible/playbooks/kubevirt.yml -e action=provision --extra-vars '{"_apb_plan_id":"storage-demo","_apb_service_class_id":"60c8357b2a1cb091488d9c5586c4eb4b","_apb_service_instance_id":"94ef5eab-0670-4e69-8702-7688af1c5b0d","admin_password":"redhat","admin_user":"qwang","cluster":"openshift","namespace":"qwang-storage-demo-1","storage_role":"storage-demo","version":"0.4.1-alpha.2"}'
 [WARNING]: Found variable using reserved name: action

PLAY [localhost] ***************************************************************

TASK [kubevirt : include_tasks] ************************************************
included: /etc/ansible/roles/kubevirt-ansible/roles/kubevirt/tasks/provision.yml for localhost

TASK [kubevirt : Login As Super User] ******************************************
changed: [localhost]

TASK [kubevirt : Check if qwang-storage-demo-1 exists] *************************
changed: [localhost]

TASK [kubevirt : Create qwang-storage-demo-1 namespace] ************************
skipping: [localhost]

TASK [kubevirt : Add Privileged Policy] ****************************************
changed: [localhost] => (item=kubevirt-privileged)
changed: [localhost] => (item=kubevirt-controller)
changed: [localhost] => (item=kubevirt-infra)

TASK [kubevirt : Add Hostmount-anyuid Policy] **********************************
changed: [localhost]

TASK [kubevirt : Check for kubevirt.yml template in /etc/ansible/roles/kubevirt-ansible/roles/kubevirt/templates] ***
ok: [localhost]

TASK [kubevirt : Download KubeVirt Template] ***********************************
changed: [localhost]

TASK [kubevirt : Render KubeVirt Yml] ******************************************
changed: [localhost]

TASK [kubevirt : Render BYO template] ******************************************
skipping: [localhost]

TASK [kubevirt : Create KubeVirt Resources] ************************************
changed: [localhost]

TASK [kubevirt : Check for vm templates in /etc/ansible/roles/kubevirt-ansible/roles/kubevirt/templates] ***
ok: [localhost] => (item=vm-template-fedora)
ok: [localhost] => (item=vm-template-windows2012r2)
ok: [localhost] => (item=vm-template-rhel7)

TASK [kubevirt : Copy VM templates to /tmp] ************************************

TASK [kubevirt : Download KubeVirt default VM templates] ***********************
 [WARNING]: when statements should not include jinja2 templating delimiters
such as {{ }} or {% %}. Found: cluster == "openshift" and "{{
byo_vm_templates.results | selectattr('stat.exists') | map(attribute='item') |
list | length == 0 }}"
changed: [localhost] => (item=vm-template-fedora)
changed: [localhost] => (item=vm-template-windows2012r2)
changed: [localhost] => (item=vm-template-rhel7)

TASK [kubevirt : Create default VM templates in OpenShift Namespace] ***********
changed: [localhost] => (item=vm-template-fedora)
changed: [localhost] => (item=vm-template-windows2012r2)
changed: [localhost] => (item=vm-template-rhel7)

PLAY [masters[0]] **************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [storage-demo : include_tasks] ********************************************
included: /etc/ansible/roles/kubevirt-ansible/roles/storage-demo/tasks/provision.yml for localhost

TASK [storage-demo : Login As Super User] **************************************
changed: [localhost]

TASK [storage-demo : Check if namespace qwang-storage-demo-1 exists] ***********
changed: [localhost]

TASK [storage-demo : Create qwang-storage-demo-1 namespace] ********************
skipping: [localhost]

TASK [storage-demo : Check for storage-demo serviceaccount] ********************
changed: [localhost]

TASK [storage-demo : Create storage-demo serviceaccount] ***********************
changed: [localhost]

TASK [storage-demo : Grant privileged access to storage-demo serviceaccount] ***
changed: [localhost]

TASK [storage-demo : Select a target node] *************************************
changed: [localhost]

TASK [storage-demo : Set the target node] **************************************
ok: [localhost]

TASK [storage-demo : Render storage-demo deployment yaml] **********************
changed: [localhost]

TASK [storage-demo : Create storage-demo Resources] ****************************
changed: [localhost]

TASK [cdi : include_tasks] *****************************************************
included: /etc/ansible/roles/kubevirt-ansible/roles/cdi/tasks/provision.yml for localhost

TASK [cdi : Determine Environment] *********************************************
changed: [localhost]

TASK [cdi : Check if namespace golden-images exists] ***************************
changed: [localhost]

TASK [cdi : Create golden-images namespace using kubectl] **********************
skipping: [localhost]

TASK [cdi : Create golden-images namespace using oc] ***************************
changed: [localhost]

TASK [cdi : Check if RBAC exists for CDI] **************************************
changed: [localhost]

TASK [cdi : Create RBAC for CDI] ***********************************************
changed: [localhost]

TASK [cdi : Render golden-images ResourceQuota deployment yaml] ****************
changed: [localhost]

TASK [cdi : Create golden-images ResourceQuota] ********************************
changed: [localhost]

TASK [cdi : Render CDI deployment yaml] ****************************************
changed: [localhost]

TASK [cdi : Create CDI deployment] *********************************************
changed: [localhost]

PLAY [masters nodes] ***********************************************************
 [WARNING]: Could not match supplied host pattern, ignoring: nodes

TASK [storage-demo-nodeconfig : include_tasks] *********************************
included: /etc/ansible/roles/kubevirt-ansible/roles/storage-demo-nodeconfig/tasks/provision.yml for localhost

TASK [storage-demo-nodeconfig : Allow ceph OSD traffic] ************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/usr/sbin/iptables -t filter -I INPUT -p tcp -j ACCEPT --destination-port 6789", "msg": "iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.", "rc": 3, "stderr": "iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n", "stderr_lines": ["iptables v1.4.21: can't initialize iptables table `filter': Permission denied (you must be root)", "Perhaps iptables or your kernel needs to be upgraded."], "stdout": "", "stdout_lines": []}
    to retry, use: --limit @/etc/ansible/roles/kubevirt-ansible/playbooks/kubevirt.retry

PLAY RECAP *********************************************************************
localhost                  : ok=34   changed=26   unreachable=0    failed=1   

+ EXIT_CODE=2
+ set +ex
+ '[' -f /var/tmp/test-result ']'
+ exit 2

rthallisey commented 6 years ago

@qwang1 can you re-file this in kubevirt-ansible? This should be fixed there.