openshift-labs / learn-katacoda

The OpenShift learning portal, powered by Katacoda
https://learn.openshift.com

Image name for OpenShift 3.7. #72

Closed GrahamDumpleton closed 6 years ago

GrahamDumpleton commented 6 years ago

Is the OpenShift 3.7 rc.0 image ready for use and if so what image name should be used?

BenHall commented 6 years ago

The ImageID is openshift-3-7

Note: This is only available on host02. Do you want me to roll out the RC build or wait until final release?

GrahamDumpleton commented 6 years ago

Do you expect putting together an image for the final release will require any significant extra work now that you have it worked out with rc.0? Will it be straightforward to replace the rc.0 image with the final one later?

Now, when you say 'host02', can I use that at all? Is that what is used when I work in my own personal account? In other words, I can use it now still to work out the scenario changes?

BenHall commented 6 years ago

It's straight forward to replace. You can use host02 with your own scenarios now, it's our test/build environment.

Here is an example I put together: https://host02.katacoda.com/courses/openshift/service-catalog

GrahamDumpleton commented 6 years ago

Ben, after much confusion on my part, have finally worked out that this 3.7-rc.0 image has the service catalog user interface enabled, but does not have the template service broker enabled.

I am not sure what method you are using to build the image, but for Ansible install, enabling template service broker is explained in:

If you were using oc cluster up, you need to use the --service-catalog option with 3.7-rc.0 to also enable the template service broker.

Are you still using a manual method for setting up a cluster, or are you using one of the above methods?

BenHall commented 6 years ago

We use openshift start. The reason is so we can define a custom masterURL within the master-config.yaml which I believe wasn't possible via oc cluster up.

With start there doesn't look to have a service catalog option. I can't see anything in the YAML files either. Any suggestions?

These are the commands we run:

$ /var/lib/openshift/openshift start --write-config /openshift.local.config/

$ sed magic....

$ /var/lib/openshift/openshift start --master-config=/openshift.local.config/master/master-config.yaml --node-config=/openshift.local.config/node-%H/node-config.yaml --dns=tcp://0.0.0.0:8053

jorgemoralespou commented 6 years ago

@BenHall, what custom master URL do you need? You can tune where the master listens and what will be the applications wildcard DNS.

You're better off if you base the VM on oc cluster up, although it'll take a little more time to start, since for the service catalog, it's installed at startup time.

GrahamDumpleton commented 6 years ago

Ben, if I try and use openshift-3-7 even in host02, is not working for me.

I get error message:

Image openshift-3-7 Not Found. Please refer to the documentation to find the list of our supported environments.

So doesn't seem to be available to other users even on test host.

BenHall commented 6 years ago

Sorry, that was my mistake. I need to explicitly make images available which I have now done.

GrahamDumpleton commented 6 years ago

Thanks. Next issue.

$ ~/.launch.sh
Starting OpenShift
Waiting for OpenShift to start... This may take a couple of moments
OpenShift started.
Configuring... OpenShift Ready
$ oc login -u developer -p developer
error: x509: certificate signed by unknown authority

So can't login from the command line.

It doesn't help to skip TLS verification:

$ oc login -u developer -p developer --insecure-skip-tls-verify
error: x509: certificate signed by unknown authority

You can see behaviour at:

BenHall commented 6 years ago

What's the default target URL for oc login?

GrahamDumpleton commented 6 years ago

$ oc whoami --show-server
https://172.17.0.10:8443

BenHall commented 6 years ago

Fun!

curl https://172.17.0.9:8443 seems to be happy with it so it's a valid SSL. It's self-signed, but it's generated as part of the installation so it should be correct.

Running echo | openssl s_client -showcerts -servername 172.17.0.10 -connect 172.17.0.10:8443

Seems to indicate the only IP is subject=/CN=127.0.0.1

The issuer is correct... I guess :)

$ openssl x509 -noout -issuer -in /openshift.local.config/master/ca.crt
issuer= /CN=openshift-signer@1510225667

GrahamDumpleton commented 6 years ago

Logs may help.

$ oc login --loglevel 9  -u developer -p developer
I1109 11:33:56.924391   10310 loader.go:357] Config loaded from file /openshift.local.config/master/admin.kubeconfig
I1109 11:33:56.924888   10310 round_trippers.go:386] curl -k -v -XHEAD  https://172.17.0.13:8443/
I1109 11:33:56.930599   10310 round_trippers.go:405] HEAD https://172.17.0.13:8443/ 403 Forbidden in 5 milliseconds
I1109 11:33:56.930617   10310 round_trippers.go:411] Response Headers:
I1109 11:33:56.930622   10310 round_trippers.go:414]     Cache-Control: no-store
I1109 11:33:56.930626   10310 round_trippers.go:414]     Content-Type: text/plain
I1109 11:33:56.930629   10310 round_trippers.go:414]     X-Content-Type-Options: nosniff
I1109 11:33:56.930633   10310 round_trippers.go:414]     Content-Length: 90
I1109 11:33:56.930637   10310 round_trippers.go:414]     Date: Thu, 09 Nov 2017 11:33:56 GMT
I1109 11:33:56.930689   10310 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://172.17.0.13:8443/.well-known/oauth-authorization-server
I1109 11:33:56.931215   10310 round_trippers.go:405] GET https://172.17.0.13:8443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I1109 11:33:56.931225   10310 round_trippers.go:411] Response Headers:
I1109 11:33:56.931230   10310 round_trippers.go:414]     Content-Type: application/json
I1109 11:33:56.931234   10310 round_trippers.go:414]     Content-Length: 636
I1109 11:33:56.931237   10310 round_trippers.go:414]     Date: Thu, 09 Nov 2017 11:33:56 GMT
I1109 11:33:56.931241   10310 round_trippers.go:414]     Cache-Control: no-store
I1109 11:33:56.931365   10310 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://2886795277-8443-kitek01.environments.katacoda.com:443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=_xghIEcLjMjbfZw1yutFKqbn55LGP1T46qSLG2CAFcY&code_challenge_method=S256&redirect_uri=https%3A%2F%2F2886795277-8443-kitek01.environments.katacoda.com%3A443%2Foauth%2Ftoken%2Fimplicit&response_type=code
I1109 11:33:56.995087   10310 round_trippers.go:405] GET https://2886795277-8443-kitek01.environments.katacoda.com:443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=_xghIEcLjMjbfZw1yutFKqbn55LGP1T46qSLG2CAFcY&code_challenge_method=S256&redirect_uri=https%3A%2F%2F2886795277-8443-kitek01.environments.katacoda.com%3A443%2Foauth%2Ftoken%2Fimplicit&response_type=code  in 63 milliseconds
I1109 11:33:56.995108   10310 round_trippers.go:411] Response Headers:
F1109 11:33:56.995140   10310 helpers.go:120] error: x509: certificate signed by unknown authority

So is likely:

which it is actually contacting.

BenHall commented 6 years ago

I tried logging in via the URL explicitly and it was OK. I didn't know you could set the log-level, let me do some more digging with that info :)

BenHall commented 6 years ago

This is on 3.6

oc login --loglevel 9  -u developer -p developer
I1114 11:17:18.655280    8798 loader.go:354] Config loaded from file /openshift.local.config/master/admin.kubeconfig
I1114 11:17:18.655673    8798 round_trippers.go:386] curl -k -v -XHEAD  https://172.17.0.14:8443/
I1114 11:17:18.692393    8798 round_trippers.go:405] HEAD https://172.17.0.14:8443/ 200 OK in 36 milliseconds
I1114 11:17:18.692424    8798 round_trippers.go:411] Response Headers:
I1114 11:17:18.692432    8798 round_trippers.go:414]     Content-Type: application/json
I1114 11:17:18.692438    8798 round_trippers.go:414]     Content-Length: 1931
I1114 11:17:18.692444    8798 round_trippers.go:414]     Date: Tue, 14 Nov 2017 11:17:18 GMT
I1114 11:17:18.692530    8798 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://172.17.0.14:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1114 11:17:18.694383    8798 round_trippers.go:405] GET https://172.17.0.14:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client 401 Unauthorized in 1 milliseconds
I1114 11:17:18.694401    8798 round_trippers.go:411] Response Headers:
I1114 11:17:18.694408    8798 round_trippers.go:414]     Www-Authenticate: Basic realm="openshift"
I1114 11:17:18.694413    8798 round_trippers.go:414]     Content-Type: text/plain; charset=utf-8
I1114 11:17:18.694419    8798 round_trippers.go:414]     Content-Length: 0
I1114 11:17:18.694424    8798 round_trippers.go:414]     Date: Tue, 14 Nov 2017 11:17:18 GMT
I1114 11:17:18.694500    8798 round_trippers.go:386] curl -k -v -XGET  -H "Authorization: Basic ZGV2ZWxvcGVyOmRldmVsb3Blcg==" -H "X-Csrf-Token: 1" https://172.17.0.14:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client
I1114 11:17:18.703825    8798 round_trippers.go:405] GET https://172.17.0.14:8443/oauth/authorize?response_type=token&client_id=openshift-challenging-client 302 Found in 9 milliseconds
I1114 11:17:18.703851    8798 round_trippers.go:411] Response Headers:
I1114 11:17:18.703863    8798 round_trippers.go:414]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I1114 11:17:18.703874    8798 round_trippers.go:414]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
I1114 11:17:18.703884    8798 round_trippers.go:414]     Location: https://2886795278-8443-simba02.environments.katacoda.com:443/oauth/token/implicit#access_token=l5adVnslyNobKCj9K1Gi-dAh-ly_WfObj4UamI7ZIls&expires_in=86400&scope=user%3Afull&token_type=Bearer
I1114 11:17:18.703897    8798 round_trippers.go:414]     Pragma: no-cache
I1114 11:17:18.703927    8798 round_trippers.go:414]     Set-Cookie: ssn=MTUxMDY1ODIzOHxlNldzZmgyTm5naGxIV09na1NxajRrSzBteUFQMXotWEd3UTVQWWx1ZUNXbVhuWGJwaGZZd3M2bEhGbjZpZ1ZvZ2Eyb0pkMEZSQ01OOFJQbXl3OERfUWcyYWhIVTQwUGREcmRTZ3piN05oM21PTWJLdEprMl9jMEZHNDBDaXQxSEpBPT18vvxHk61pRQ-9v9Bmu_7SCTVUuSqJ6H5OXawvRoWfnfE=; Path=/; Expires=Tue, 14 Nov 2017 11:22:18 GMT; Max-Age=300; HttpOnly; Secure
I1114 11:17:18.703945    8798 round_trippers.go:414]     Content-Type: text/plain; charset=utf-8
I1114 11:17:18.703959    8798 round_trippers.go:414]     Content-Length: 0
I1114 11:17:18.703967    8798 round_trippers.go:414]     Date: Tue, 14 Nov 2017 11:17:18 GMT
I1114 11:17:18.704173    8798 round_trippers.go:386] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: oc/v3.6.0+c4dd4cf (linux/amd64) openshift/c4dd4cf" -H "Authorization: Bearer l5adVnslyNobKCj9K1Gi-dAh-ly_WfObj4UamI7ZIls" https://172.17.0.14:8443/oapi/v1/users/~
I1114 11:17:18.708490    8798 round_trippers.go:405] GET https://172.17.0.14:8443/oapi/v1/users/~ 200 OK in 4 milliseconds
I1114 11:17:18.708515    8798 round_trippers.go:411] Response Headers:
I1114 11:17:18.708522    8798 round_trippers.go:414]     Cache-Control: no-store
I1114 11:17:18.708533    8798 round_trippers.go:414]     Content-Type: application/json
I1114 11:17:18.708539    8798 round_trippers.go:414]     Content-Length: 268
I1114 11:17:18.708545    8798 round_trippers.go:414]     Date: Tue, 14 Nov 2017 11:17:18 GMT
I1114 11:17:18.708583    8798 request.go:991] Response Body: {"kind":"User","apiVersion":"v1","metadata":{"name":"developer","selfLink":"/oapi/v1/users/developer","uid":"5bce7cef-c92d-11e7-9312-0242ac11000e","resourceVersion":"1233","creationTimestamp":"2017-11-14T11:17:10Z"},"identities":["anypassword:developer"],"groups":[]}
Login successful.

3.7

$ oc login --loglevel 9  -u developer -p developer
I1114 10:42:47.647597    4162 loader.go:357] Config loaded from file /openshift.local.config/master/admin.kubeconfig
I1114 10:42:47.647968    4162 round_trippers.go:386] curl -k -v -XHEAD  https://172.17.0.9:8443/
I1114 10:42:47.654095    4162 round_trippers.go:405] HEAD https://172.17.0.9:8443/ 403 Forbidden in 6 milliseconds
I1114 10:42:47.654108    4162 round_trippers.go:411] Response Headers:
I1114 10:42:47.654116    4162 round_trippers.go:414]     Date: Tue, 14 Nov 2017 10:42:47 GMT
I1114 10:42:47.654123    4162 round_trippers.go:414]     Cache-Control: no-store
I1114 10:42:47.654129    4162 round_trippers.go:414]     Content-Type: text/plain
I1114 10:42:47.654135    4162 round_trippers.go:414]     X-Content-Type-Options: nosniff
I1114 10:42:47.654141    4162 round_trippers.go:414]     Content-Length: 90
I1114 10:42:47.654193    4162 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://172.17.0.9:8443/.well-known/oauth-authorization-server
I1114 10:42:47.654682    4162 round_trippers.go:405] GET https://172.17.0.9:8443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I1114 10:42:47.654693    4162 round_trippers.go:411] Response Headers:
I1114 10:42:47.654698    4162 round_trippers.go:414]     Cache-Control: no-store
I1114 10:42:47.654702    4162 round_trippers.go:414]     Content-Type: application/json
I1114 10:42:47.654706    4162 round_trippers.go:414]     Content-Length: 636
I1114 10:42:47.654710    4162 round_trippers.go:414]     Date: Tue, 14 Nov 2017 10:42:47 GMT
I1114 10:42:47.654839    4162 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://2886795273-8443-kitek01.environments.katacoda.com:443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=J8Rx_VN8Qggu5Uk0Ey3VnUZ39kyV_lPPo1of9TbieUU&code_challenge_method=S256&redirect_uri=https%3A%2F%2F2886795273-8443-kitek01.environments.katacoda.com%3A443%2Foauth%2Ftoken%2Fimplicit&response_type=code
I1114 10:42:47.715800    4162 round_trippers.go:405] GET https://2886795273-8443-kitek01.environments.katacoda.com:443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=J8Rx_VN8Qggu5Uk0Ey3VnUZ39kyV_lPPo1of9TbieUU&code_challenge_method=S256&redirect_uri=https%3A%2F%2F2886795273-8443-kitek01.environments.katacoda.com%3A443%2Foauth%2Ftoken%2Fimplicit&response_type=code  in 60 milliseconds
I1114 10:42:47.715830    4162 round_trippers.go:411] Response Headers:
F1114 10:42:47.715877    4162 helpers.go:120] error: x509: certificate signed by unknown authority

BenHall commented 6 years ago

It looks potentially something to do when CURL_CA_BUNDLE is set.

Running the curl commands on the command line with CURL_CA_BUNDLE=/openshift.local.config/master/ca.crt set simulates the error.

It's fixed after running unset CURL_CA_BUNDLE.

However, this doesn't fix login.

BenHall commented 6 years ago

Starting to get into a black box of my debugging.

The following works:

oc login --loglevel 9 -u developer -p developer 2886795273-8443-kitek01.environments.katacoda.com

Which makes me think it's something to do with a CA bundle or the URL/Cert changing half way during the request. This command also matches the "Copy Login Command" from the dashboard.

This also works as it looks to bypass oauth routing.

oc login -u system:admin https://172.17.0.9:8443

BenHall commented 6 years ago

Where does oc whoami --show-server value get set?? I've tried changing the masterURL: in /openshift.local.config/master/master-config.yaml but didn't seem to update.

GrahamDumpleton commented 6 years ago

I don't know how it gets set to begin with, but believe that --show-server is reading it from files under ~/.kube directory. You don't have to be logged in for it to show something. Maybe need to delete the context somehow and set it again.

Dig around on oc adm config sub commands.

$ oc adm config current-context
django/api-pro-us-east-1-openshift-com:443/gdumplet@redhat.com

$ oc adm config --help
Manage the client config files

The client stores configuration in the current user's home directory (under the
.kube directory as config). When you login the first time, a new config file is
created, and subsequent project changes with the 'project' command will set the
current context. These subcommands allow you to manage the config directly.

Reference:
https://github.com/kubernetes/kubernetes/blob/master/docs/user-guide/kubeconfig-file.md

Usage:
  oc adm config SUBCOMMAND [options]

Examples:
  # Change the config context to use
  oc adm config use-context my-context

  # Set the value of a config preference
  oc adm config set preferences.some true

Available Commands:
  current-context Displays the current-context
  delete-cluster  Delete the specified cluster from the kubeconfig
  delete-context  Delete the specified context from the kubeconfig
  get-clusters    Display clusters defined in the kubeconfig
  get-contexts    Describe one or many contexts
  set             Sets an individual value in a kubeconfig file
  set-cluster     Sets a cluster entry in kubeconfig
  set-context     Sets a context entry in kubeconfig
  set-credentials Sets a user entry in kubeconfig
  unset           Unsets an individual value in a kubeconfig file
  use-context     Sets the current-context in a kubeconfig file
  view            Display merged kubeconfig settings or a specified kubeconfig
file

Use "oc adm <command> --help" for more information about a given command.
Use "oc adm options" for a list of global command-line options (applies to all
commands).

GrahamDumpleton commented 6 years ago

One thing we will need to be careful of is that we don't lose the cached context which initially allows one to do stuff as admin user, before doing a separate login as a different user.

jorgemoralespou commented 6 years ago

@BenHall I would think that your install is no good. You get a 403 when trying to log in and then you get signed by different certificates than what you have cached. I would just move .kube to .kube.OLD and try with a new .kube context. Try to use the full URL when logging to your 3.7 install.

oc login -u developer -p developer https://172.17.0.9:8443

BenHall commented 6 years ago

I thought I had deleted my .kube folder but let me double check. Thanks!

BenHall commented 6 years ago

The config is from /openshift.local.config/master/admin.kubeconfig.

The IPs and certs look to be correct for the cluster, but it's using the same CA for the masterPublicURL which has a different SSL certificate. Does this mean the masterPublicURL and the admin.crt need to have the same SSL certificate?

Don't think this will be useful, but if I try to use the admin.crt directly, it also says it's signed by an unknown authority. This is the same as with 3.6.

$ oc login --certificate-authority=/openshift.local.config/master/admin.crt
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n):

$ oc --loglevel=9 login --certificate-authority=/openshift.local.config/master/admin.crt
I1114 23:10:49.372329   11647 loader.go:357] Config loaded from file /openshift.local.config/master/admin.kubeconfig
I1114 23:10:49.372685   11647 round_trippers.go:386] curl -k -v -XHEAD  https://172.17.0.8:8443/
I1114 23:10:49.377425   11647 round_trippers.go:405] HEAD https://172.17.0.8:8443/  in 4 milliseconds

curl -k -v -XHEAD https://172.17.0.9:6443/ on Kubernetes 1.7.10 (via Kubeadm) also returns a 403.

BenHall commented 6 years ago

Found it I think! Will continue to investigate, but looks like we have some progress.

Within master-config.yaml, in the oauthConfig section the masterPublicURL and masterURL need to be the same. This used to be OK with 3.6.

oauthConfig:
  masterPublicURL: https://172.17.0.8:8443
  masterURL: https://172.17.0.8:8443

$ oc login
error: x509: certificate signed by unknown authority
$ vim /openshift.local.config/master/master-config.yaml
$ systemctl restart origin
$ oc login
Authentication required for https://172.17.0.8:8443 (openshift)
Username:

The only thing that mentions issues with them being different is https://github.com/openshift/origin/issues/4894 but I can't see the code that uses two different endpoints.
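
Added example, not part of the thread or the project's code: a shell check for the condition identified above, where `oauthConfig` sends `oc login` from the `masterURL` address to a different `masterPublicURL` host whose certificate the kubeconfig CA does not cover. The sample config, the trace lines and the host `public.example.test` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the two OAuth URLs in an OpenShift 3.x
# master-config.yaml and list the hosts an `oc login --loglevel 9` trace hit.

# Print "<masterPublicURL> <masterURL>" taken from the oauthConfig block only
# (the top-level masterPublicURL key is deliberately ignored).
oauth_urls() {
    awk '
        /^oauthConfig:/      { in_block = 1; next }
        in_block && /^[^ #]/ { in_block = 0 }   # next top-level key ends the block
        in_block && $1 == "masterPublicURL:" { pub_url = $2 }
        in_block && $1 == "masterURL:"       { api_url = $2 }
        END { print pub_url, api_url }
    ' "$1"
}

# Return 0 when both URLs are present and identical, 1 otherwise.
oauth_urls_match() {
    set -- $(oauth_urls "$1")
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# List the distinct scheme://host:port values requested in the trace, in order.
# More than one entry means the client left the address its kubeconfig CA was
# issued for part-way through the login.
login_hosts() {
    grep 'round_trippers.go' "$1" | grep -o 'curl .*' |
        grep -o 'https://[^/ ]*' | awk '!seen[$0]++'
}

# Constructed sample inputs: the IP follows the thread, the public host is a
# placeholder, and the trace is shortened to the lines that matter.
write_samples() {
    cat > "$1/master-config.yaml" <<'EOF'
masterPublicURL: https://public.example.test:443
oauthConfig:
  assetPublicURL: https://public.example.test:443/console/
  masterCA: ca-bundle.crt
  masterPublicURL: https://public.example.test:443
  masterURL: https://172.17.0.8:8443
servingInfo:
  bindAddress: 0.0.0.0:8443
EOF
    cat > "$1/login.log" <<'EOF'
I1114 10:42:47.647968    4162 round_trippers.go:386] curl -k -v -XHEAD  https://172.17.0.8:8443/
I1114 10:42:47.654193    4162 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://172.17.0.8:8443/.well-known/oauth-authorization-server
I1114 10:42:47.654839    4162 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" https://public.example.test:443/oauth/authorize?response_type=code
F1114 10:42:47.715877    4162 helpers.go:120] error: x509: certificate signed by unknown authority
EOF
}

demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    echo "oauthConfig URLs: $(oauth_urls "$dir/master-config.yaml")"
    oauth_urls_match "$dir/master-config.yaml" ||
        echo "MISMATCH: OAuth requests go to a host other than masterURL"
    echo "hosts contacted during login:"
    login_hosts "$dir/login.log"
    rm -rf "$dir"
}
demo
```

Pointed at a real `master-config.yaml` and a saved `oc login --loglevel 9` trace, the same two functions show whether the x509 error coincides with the switch to the public host.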

BenHall commented 6 years ago

@GrahamDumpleton The login issue has now been fixed.

GrahamDumpleton commented 6 years ago

Yes, please. Make 3.7-rc.0 available in our prod. I will hide my scenario for service catalog (template service broker) but leave the 3.7-rc.0 playground in place with added notes saying is sneak preview and that some things not fully enabled yet. We can then hope the final 3.7 does enable template service broker by default.

I just need to ensure I don't list scenario in intro-openshift-pathway.json to hide it right? Will the branded-ui file being there still cause an issue even if remove from intro-openshift-pathway.json, or should I remove it as well?

BenHall commented 6 years ago

Ok, will do that tonight.

To hide it, correct, just don't add it to the Json pathway.

GrahamDumpleton commented 6 years ago

Great. They pre-announced 3.7 today, so will be good to get it up as a sneak preview so people can play.

BenHall commented 6 years ago

This has now been deployed. Thank you for your patience while sorting out the login issue.

GrahamDumpleton commented 6 years ago

Made it live but get:

Oops! Sorry, we had a problem. Please refresh and try again.

Error - create_dind is not defined

Sorry, we hit a problem with the connection.
Your internet connection may have dropped.

Please refresh and try again.

Do I just need to wait a bit while things get built properly?

GrahamDumpleton commented 6 years ago

I am actually getting the same for existing 3.6 scenarios as well.

BenHall commented 6 years ago

Yep sorry, my fault, I was already on it. Fixed.

GrahamDumpleton commented 6 years ago

Can you have a quick look at the 3.7 playground and see if you can reliably get the dashboard to show. I am getting white page in frame. If I reload the frame after a while then I can get it to show, but still slow to come up.

The startup for 3.7 in terminal seems to be a bit slower as well, but that could just be 3.7 itself compared to 3.6.

BenHall commented 6 years ago

Not sure why it's slower, but will investigate.

For the dashboard - yes, that's strange. It looks like our proxy thinks OpenShift is ready so we try to load it, but it's not so you end up with the white page. Will fix, in the meantime, I set it to open as a separate tab to make it easier to refresh/update until Openshift has started correctly.

GrahamDumpleton commented 6 years ago

Thanks.

Checking the 3.6 playground looks like it is just the 3.7 one which throws up dashboard in new tab, and that is totally fine as meant to be a playground where people do what they want so that shouldn't pose a problem. I will check in again on it in the morning, and if any issues will back out the scenario for now.

I'll let others in our team know 3.7 playground is up, but say not to publicise yet until have a better idea of what is going on.