openshift-labs / learn-katacoda

The OpenShift learning portal, powered by Katacoda
https://learn.openshift.com

Sudoer Role not applied to "developer" account in 3.10 env #260

Closed tsanders-rh closed 5 years ago

tsanders-rh commented 5 years ago

For the Operator-SDK module, I need to:

  1. Push an operator image to the internal registry
  2. Create cluster-wide resources

For these reasons, I had added the following to op-sdk-setup.sh script:

# setup a /etc/hosts entry for the internal registry
registry_ip=$(oc get svc/docker-registry -o yaml | grep clusterIP: | awk '{print $2}')
echo "$registry_ip ocp-registry" >> /etc/hosts

# grant the user: developer permissions to push images to the internal registry
oc policy add-role-to-user registry-editor developer --as system:admin

# setup sudoer role for user: developer
oc create clusterrolebinding developer-sudoer-binding --clusterrole=sudoer --user=developer

The registry entry in /etc/hosts is incomplete as no IP address is listed. This entry was added to save the user from having to look up the internal registry address repeatedly.

The developer account is required vs system:admin in order to interact with the internal registry. For this reason, having the sudoer role as present in the 3.9 env is required.

-Todd

tsanders-rh commented 5 years ago

@BenHall Here is what I am seeing in the new 3.10 env.

BenHall commented 5 years ago

Perfect! Thanks. We'll get this fixed

tsanders-rh commented 5 years ago

It does appear that the 3.9 Playground is doing this with an environment script run in the background at course init:

"intro": { "courseData": "env-init.sh", "code": "set-env.sh", "text": "intro.md" },

env-init.sh:

ssh root@host01 'for i in {1..200}; do oc policy add-role-to-user system:image-puller system:anonymous && break || sleep 1; done'
ssh root@host01 'oc adm policy add-cluster-role-to-group sudoer system:authenticated'
ssh root@host01 "~/.setup-volumes"
ssh root@host01 "~/.setup-templates"

I tried something similar with the 3.10 env, but it doesn't seem to be invoking the env-init.sh properly, as the script doesn't seem to run. If we could get this working, I would be ok with this approach as well.

tsanders-rh commented 5 years ago

@BenHall @mhausenblas - Any chance we can get this investigated/fixed this week? We were hoping to have our Operator-SDK course / playground in place for KubeCon. I'd be happy with fixing the issues with running a background "courseData" script...but again this doesn't appear to be working in the 3.10 env.

BenHall commented 5 years ago

@tsanders-rh Do you have the Katacoda scenario URL so I can reproduce the courseData issue?

This is being used with 3.10 and Istio scenarios - https://github.com/openshift-labs/learn-katacoda/blob/master/servicemesh/2-deploy-microservices/run-init.sh

GrahamDumpleton commented 5 years ago

The newer playgrounds should copy how the 3.9 version was done. The changes in that version were made that way to address problems with 3.9. Possibly the 3.10 and 3.11 are now not going to work in the same ways 3.9 wasn't until fixed. The 3.9 version in the end was still unusable as oc rsh didn't work though. https://github.com/openshift-labs/learn-katacoda/issues/233

BenHall commented 5 years ago

These scripts are now run when 3.11 boots.

We still need to investigate your issue with run-init.sh, please provide an example when you get a chance.

tsanders-rh commented 5 years ago

@BenHall Thanks. So I think the env-init.sh issue is on me. I am trying to add an entry to the /etc/hosts file to make pushing images to the internal registry easier for students. This is the line that doesn't seem to be working:

ssh root@host01 "registry_ip=\$(oc get svc/docker-registry -o yaml | grep clusterIP: | awk '{print \$2}') && echo \"\$registry_ip ocp-registry\" >> /etc/hosts"

In fact, if I modify this to simply: ssh root@host01 'echo "foo" >> /etc/hosts' I get nothing added to the /etc/hosts file.

Probably my misunderstanding of the environment. Thoughts?

-Todd
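Added example, not code from the learn-katacoda repository or from either commenter: the registry alias step from the first comment and from the ssh line above, written so that it cannot write an entry with an empty address (the "no IP address is listed" symptom) and so that re-running the script does not duplicate lines. The cluster role binding is kept on the single developer user as in the first comment rather than on the whole system:authenticated group as the 3.9 env-init.sh does. The sample service YAML, the function names and the hosts-file path argument are constructed for illustration; only the helper functions run without a cluster, the live oc calls run only when the script is invoked with the argument "setup".

```shell
#!/bin/sh
# Added example (not from the learn-katacoda repo). Helper names and the
# sample YAML below are constructed for illustration.

# Constructed stand-in for `oc get svc/docker-registry -o yaml` output.
SAMPLE_SVC_YAML='apiVersion: v1
kind: Service
metadata:
  name: docker-registry
  namespace: default
spec:
  clusterIP: 172.30.1.1
  ports:
  - port: 5000
    targetPort: 5000'

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read service YAML on stdin and print spec.clusterIP. Returns 1 and prints
# nothing when the key is missing or is not an IPv4 address (e.g. "None"),
# so a caller can never append "<empty> ocp-registry" to /etc/hosts.
parse_cluster_ip() {
    ip=$(awk '$1 == "clusterIP:" { print $2; exit }')
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Append "<ip> <name>" to the given hosts file unless a non-comment line
# already maps that name; refuses anything that is not an IPv4 address.
ensure_hosts_entry() {
    hosts_file=$1; addr=$2; name=$3
    is_ipv4 "$addr" || { echo "refusing to write non-IPv4 address '$addr' for $name" >&2; return 1; }
    if grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$hosts_file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s\n' "$addr" "$name" >> "$hosts_file"
}

# Live lookup against the cluster; fails loudly instead of writing a blank IP.
setup_registry_alias() {
    addr=$(oc get svc/docker-registry -o yaml | parse_cluster_ip) \
        || { echo "docker-registry service has no clusterIP yet" >&2; return 1; }
    ensure_hosts_entry /etc/hosts "$addr" ocp-registry
}

# Grants scoped to the named developer user; the clusterrolebinding step is
# skipped when the binding already exists so the script is safe to re-run.
grant_developer_roles() {
    oc policy add-role-to-user registry-editor developer --as system:admin
    oc get clusterrolebinding developer-sudoer-binding >/dev/null 2>&1 \
        || oc create clusterrolebinding developer-sudoer-binding --clusterrole=sudoer --user=developer
}

if [ "${1:-}" = "setup" ]; then
    setup_registry_alias && grant_developer_roles
fi
```

Running the script as `sh setup.sh setup` over ssh to host01 performs the live steps; sourcing it without the argument only defines the helpers, which is what makes the parsing and hosts-file logic checkable outside the playground.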

BenHall commented 5 years ago

@tsanders-rh Could you point me to your Katacoda profile please? :)

tsanders-rh commented 5 years ago

@BenHall Certainly. https://github.com/tsanders-rh/learn-katacoda/tree/master/ansibleop/ansible-op-overview

BenHall commented 5 years ago

In the browser's console, you can see the output from the script. The error is:

Background Output bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
role "system:image-puller" added: "system:anonymous"
cluster role "sudoer" added: "system:authenticated"
error: the path "volumes.json" does not exist

Within https://github.com/tsanders-rh/learn-katacoda/blob/master/ansibleop/ansible-op-overview/env-init.sh#L5 it attempts to create the volumes.

This was previously uploaded as an asset - see https://github.com/openshift-labs/learn-katacoda/blob/master/playgrounds/openshift311/index.json#L33 / https://github.com/openshift-labs/learn-katacoda/blob/master/playgrounds/openshift311/assets/volumes.json

Fix: Include the volumes.json file or remove the call if volumes aren't required.

We'll look at making the browser console output into a dialog when you are the content creator for debugging purposes.

tsanders-rh commented 5 years ago

@BenHall Thanks for the pointer on getting at the script output. Helpful.