@0xffea
Created March 7, 2019 16:19
TASK [openshift_hosted : Create OpenShift router] *********************************************************************************
task path: /home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_hosted/tasks/router.yml:85
Thursday 07 March 2019 16:17:54 +0000 (0:00:01.061) 0:20:33.966 ********
Using module file /home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/lib_openshift/library/oc_adm_router.py
<master0-ost-drupal.urz.uni-heidelberg.de> ESTABLISH SSH CONNECTION FOR USER: ansible
<master0-ost-drupal.urz.uni-heidelberg.de> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=600s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 -o ControlPath=/home/centos/.ansible/cp/%h-%r master0-ost-drupal.urz.uni-heidelberg.de '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-ancmoyqadnhyplebzqkhltfwrclkxxdz; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<master0-ost-drupal.urz.uni-heidelberg.de> (1, '', 'Traceback (most recent call last):\n File "<stdin>", line 113, in <module>\n File "<stdin>", line 105, in _ansiballz_main\n File "<stdin>", line 48, in invoke_module\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3252, in <module>\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3243, in main\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3160, in run_ansible\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2963, in create\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3007, in needs_update\n File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2736, in prepared_router\n__main__.RouterException: Could not perform router preparation: Error: unknown flag: --expose-metrics\n\n\nUsage:\n oc adm router [NAME] [flags]\n\nExamples:\n # Check the default router ("router")\n oc adm router --dry-run\n \n # See what the router would look like if created\n oc adm router -o yaml\n \n # Create a router with two replicas if it does not exist\n oc adm router router-west --replicas=2\n \n # Use a different router image\n oc adm router region-west --images=myrepo/somerouter:mytag\n \n # Run the router with a hint to the underlying implementation to _not_ expose statistics.\n oc adm router router-west --stats-port=0\n\nOptions:\n --ciphers=\'\': Specifies the cipher suites to use. You can choose a predefined cipher set (\'modern\', \'intermediate\', or \'old\') or specify exact cipher suites by passing a : separated list. Not supported for F5.\n --create=false: deprecated; this is now the default behavior\n --default-cert=\'\': Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate. Does not apply to external appliance based routers (e.g. 
F5)\n --disable-namespace-ownership-check=false: Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to \'steal\' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.\n --dry-run=false: If true, show the result of the operation without performing it.\n --extended-logging=false: If true, then configure the router with additional logging.\n --external-host=\'\': If the underlying router implementation connects with an external host, this is the external host\'s hostname.\n --external-host-http-vserver=\'\': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.\n --external-host-https-vserver=\'\': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.\n --external-host-insecure=false: If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.\n --external-host-internal-ip=\'\': If the underlying router implementation requires the use of a specific network interface to connect to the pod network, this is the IP address of that internal interface.\n --external-host-partition-path=\'\': If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.\n --external-host-password=\'\': If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.\n 
--external-host-private-key=\'\': If the underlying router implementation requires an SSH private key, this is the path to the private key file.\n --external-host-username=\'\': If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.\n --external-host-vxlan-gw=\'\': If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.\n --force-subdomain=\'\': A router path format to force on all routes used by this router (will ignore the route host value)\n --host-network=true: If true (the default), then use host networking rather than using a separate container network stack. Not required for external appliance based routers (e.g. F5)\n --host-ports=true: If true (the default), when not using host networking host ports will be exposed. Not required for external appliance based routers (e.g. F5)\n --images=\'openshift/origin-${component}:${version}\': The image to base this router on - ${component} will be replaced with --type\n --labels=\'router=<name>\': A set of labels to uniquely identify the router and its components.\n --latest-images=false: If true, attempt to use the latest images for the router instead of the latest release.\n --local=false: If true, do not contact the apiserver\n --max-connections=\'\': Specifies the maximum number of concurrent connections. Not supported for F5.\n --mutual-tls-auth=\'none\': Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of \'required\', \'optional\', or \'none\'. The default is none.\n --mutual-tls-auth-ca=\'\': Optional path to a file containing one or more CA certificates used for mutual TLS authentication. 
The CA certificate[s] are used by the router to verify a client\'s certificate.\n --mutual-tls-auth-crl=\'\': Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client\'s certificate.\n --mutual-tls-auth-filter=\'\': Optional regular expression to filter the client certificates. If the client certificate subject field does _not_ match this regular expression, requests will be rejected by the router.\n -o, --output=\'\': Output results as yaml or json instead of executing, or use name for succint output (resource/name).\n --output-version=\'\': The preferred API versions of the output objects\n --ports=\'80:80,443:443\': A comma delimited list of ports or port pairs that set the port in the router pod containerPort and hostPort. It also sets service port and targetPort to expose on the router pod. This does not modify the env variables. That can be done using oc set env or by editing the router\'s dc. This is used when host-network=false.\n --replicas=1: The replication factor of the router; commonly 2 when high availability is desired.\n --router-canonical-hostname=\'\': CanonicalHostname is the external host name for the router that can be used as a CNAME for the host requested for this route. This value is optional and may not be set in all cases.\n --secrets-as-env=false: If true, use environment variables for master secrets.\n --selector=\'\': Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.\n --service-account=\'router\': Name of the service account to use to run the router pod.\n -a, --show-all=true: When printing, show all resources (false means hide terminated pods.)\n --show-labels=false: When printing, show all labels as the last column (default hide labels column)\n --sort-by=\'\': If non-empty, sort list types using this field specification. 
The field specification is expressed as a JSONPath expression (e.g. \'{.metadata.name}\'). The field in the API resource specified by this JSONPath expression must be an integer or a string.\n --stats-password=\'\': If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated. Not available for external appliance based routers (e.g. F5)\n --stats-port=1936: If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.\n --stats-user=\'admin\': If the underlying router implementation can provide statistics this is the requested username for auth. Not available for external appliance based routers (e.g. F5)\n --strict-sni=false: Use strict-sni bind processing (do not use default cert). Not supported for F5.\n --subdomain=\'\': The template for the route subdomain exposed by this router, used for routes that are not externally specified. E.g. \'${name}-${namespace}.apps.mycompany.com\'\n --template=\'\': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].\n --threads=0: Specifies the number of threads for the haproxy router.\n --type=\'haproxy-router\': The type of router to use - if you specify --images this flag may be ignored.\n\nUse "oc adm options" for a list of global command-line options (applies to all commands).\n\n\n')
<master0-ost-drupal.urz.uni-heidelberg.de> Failed to connect to the host via ssh: Traceback (most recent call last):
File "<stdin>", line 113, in <module>
File "<stdin>", line 105, in _ansiballz_main
File "<stdin>", line 48, in invoke_module
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3252, in <module>
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3243, in main
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3160, in run_ansible
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2963, in create
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3007, in needs_update
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2736, in prepared_router
__main__.RouterException: Could not perform router preparation: Error: unknown flag: --expose-metrics
Usage:
oc adm router [NAME] [flags]
Examples:
# Check the default router ("router")
oc adm router --dry-run
# See what the router would look like if created
oc adm router -o yaml
# Create a router with two replicas if it does not exist
oc adm router router-west --replicas=2
# Use a different router image
oc adm router region-west --images=myrepo/somerouter:mytag
# Run the router with a hint to the underlying implementation to _not_ expose statistics.
oc adm router router-west --stats-port=0
Options:
--ciphers='': Specifies the cipher suites to use. You can choose a predefined cipher set ('modern', 'intermediate', or 'old') or specify exact cipher suites by passing a : separated list. Not supported for F5.
--create=false: deprecated; this is now the default behavior
--default-cert='': Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate. Does not apply to external appliance based routers (e.g. F5)
--disable-namespace-ownership-check=false: Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
--dry-run=false: If true, show the result of the operation without performing it.
--extended-logging=false: If true, then configure the router with additional logging.
--external-host='': If the underlying router implementation connects with an external host, this is the external host's hostname.
--external-host-http-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.
--external-host-https-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.
--external-host-insecure=false: If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.
--external-host-internal-ip='': If the underlying router implementation requires the use of a specific network interface to connect to the pod network, this is the IP address of that internal interface.
--external-host-partition-path='': If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.
--external-host-password='': If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.
--external-host-private-key='': If the underlying router implementation requires an SSH private key, this is the path to the private key file.
--external-host-username='': If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.
--external-host-vxlan-gw='': If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.
--force-subdomain='': A router path format to force on all routes used by this router (will ignore the route host value)
--host-network=true: If true (the default), then use host networking rather than using a separate container network stack. Not required for external appliance based routers (e.g. F5)
--host-ports=true: If true (the default), when not using host networking host ports will be exposed. Not required for external appliance based routers (e.g. F5)
--images='openshift/origin-${component}:${version}': The image to base this router on - ${component} will be replaced with --type
--labels='router=<name>': A set of labels to uniquely identify the router and its components.
--latest-images=false: If true, attempt to use the latest images for the router instead of the latest release.
--local=false: If true, do not contact the apiserver
--max-connections='': Specifies the maximum number of concurrent connections. Not supported for F5.
--mutual-tls-auth='none': Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.
--mutual-tls-auth-ca='': Optional path to a file containing one or more CA certificates used for mutual TLS authentication. The CA certificate[s] are used by the router to verify a client's certificate.
--mutual-tls-auth-crl='': Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.
--mutual-tls-auth-filter='': Optional regular expression to filter the client certificates. If the client certificate subject field does _not_ match this regular expression, requests will be rejected by the router.
-o, --output='': Output results as yaml or json instead of executing, or use name for succint output (resource/name).
--output-version='': The preferred API versions of the output objects
--ports='80:80,443:443': A comma delimited list of ports or port pairs that set the port in the router pod containerPort and hostPort. It also sets service port and targetPort to expose on the router pod. This does not modify the env variables. That can be done using oc set env or by editing the router's dc. This is used when host-network=false.
--replicas=1: The replication factor of the router; commonly 2 when high availability is desired.
--router-canonical-hostname='': CanonicalHostname is the external host name for the router that can be used as a CNAME for the host requested for this route. This value is optional and may not be set in all cases.
--secrets-as-env=false: If true, use environment variables for master secrets.
--selector='': Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.
--service-account='router': Name of the service account to use to run the router pod.
-a, --show-all=true: When printing, show all resources (false means hide terminated pods.)
--show-labels=false: When printing, show all labels as the last column (default hide labels column)
--sort-by='': If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--stats-password='': If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated. Not available for external appliance based routers (e.g. F5)
--stats-port=1936: If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.
--stats-user='admin': If the underlying router implementation can provide statistics this is the requested username for auth. Not available for external appliance based routers (e.g. F5)
--strict-sni=false: Use strict-sni bind processing (do not use default cert). Not supported for F5.
--subdomain='': The template for the route subdomain exposed by this router, used for routes that are not externally specified. E.g. '${name}-${namespace}.apps.mycompany.com'
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--threads=0: Specifies the number of threads for the haproxy router.
--type='haproxy-router': The type of router to use - if you specify --images this flag may be ignored.
Use "oc adm options" for a list of global command-line options (applies to all commands).
The full traceback is:
Traceback (most recent call last):
File "<stdin>", line 113, in <module>
File "<stdin>", line 105, in _ansiballz_main
File "<stdin>", line 48, in invoke_module
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3252, in <module>
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3243, in main
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3160, in run_ansible
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2963, in create
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 3007, in needs_update
File "/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py", line 2736, in prepared_router
__main__.RouterException: Could not perform router preparation: Error: unknown flag: --expose-metrics
Usage:
oc adm router [NAME] [flags]
Examples:
# Check the default router ("router")
oc adm router --dry-run
# See what the router would look like if created
oc adm router -o yaml
# Create a router with two replicas if it does not exist
oc adm router router-west --replicas=2
# Use a different router image
oc adm router region-west --images=myrepo/somerouter:mytag
# Run the router with a hint to the underlying implementation to _not_ expose statistics.
oc adm router router-west --stats-port=0
Options:
--ciphers='': Specifies the cipher suites to use. You can choose a predefined cipher set ('modern', 'intermediate', or 'old') or specify exact cipher suites by passing a : separated list. Not supported for F5.
--create=false: deprecated; this is now the default behavior
--default-cert='': Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate. Does not apply to external appliance based routers (e.g. F5)
--disable-namespace-ownership-check=false: Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.
--dry-run=false: If true, show the result of the operation without performing it.
--extended-logging=false: If true, then configure the router with additional logging.
--external-host='': If the underlying router implementation connects with an external host, this is the external host's hostname.
--external-host-http-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.
--external-host-https-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.
--external-host-insecure=false: If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.
--external-host-internal-ip='': If the underlying router implementation requires the use of a specific network interface to connect to the pod network, this is the IP address of that internal interface.
--external-host-partition-path='': If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.
--external-host-password='': If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.
--external-host-private-key='': If the underlying router implementation requires an SSH private key, this is the path to the private key file.
--external-host-username='': If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.
--external-host-vxlan-gw='': If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.
--force-subdomain='': A router path format to force on all routes used by this router (will ignore the route host value)
--host-network=true: If true (the default), then use host networking rather than using a separate container network stack. Not required for external appliance based routers (e.g. F5)
--host-ports=true: If true (the default), when not using host networking host ports will be exposed. Not required for external appliance based routers (e.g. F5)
--images='openshift/origin-${component}:${version}': The image to base this router on - ${component} will be replaced with --type
--labels='router=<name>': A set of labels to uniquely identify the router and its components.
--latest-images=false: If true, attempt to use the latest images for the router instead of the latest release.
--local=false: If true, do not contact the apiserver
--max-connections='': Specifies the maximum number of concurrent connections. Not supported for F5.
--mutual-tls-auth='none': Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.
--mutual-tls-auth-ca='': Optional path to a file containing one or more CA certificates used for mutual TLS authentication. The CA certificate[s] are used by the router to verify a client's certificate.
--mutual-tls-auth-crl='': Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.
--mutual-tls-auth-filter='': Optional regular expression to filter the client certificates. If the client certificate subject field does _not_ match this regular expression, requests will be rejected by the router.
-o, --output='': Output results as yaml or json instead of executing, or use name for succint output (resource/name).
--output-version='': The preferred API versions of the output objects
--ports='80:80,443:443': A comma delimited list of ports or port pairs that set the port in the router pod containerPort and hostPort. It also sets service port and targetPort to expose on the router pod. This does not modify the env variables. That can be done using oc set env or by editing the router's dc. This is used when host-network=false.
--replicas=1: The replication factor of the router; commonly 2 when high availability is desired.
--router-canonical-hostname='': CanonicalHostname is the external host name for the router that can be used as a CNAME for the host requested for this route. This value is optional and may not be set in all cases.
--secrets-as-env=false: If true, use environment variables for master secrets.
--selector='': Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.
--service-account='router': Name of the service account to use to run the router pod.
-a, --show-all=true: When printing, show all resources (false means hide terminated pods.)
--show-labels=false: When printing, show all labels as the last column (default hide labels column)
--sort-by='': If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--stats-password='': If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated. Not available for external appliance based routers (e.g. F5)
--stats-port=1936: If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.
--stats-user='admin': If the underlying router implementation can provide statistics this is the requested username for auth. Not available for external appliance based routers (e.g. F5)
--strict-sni=false: Use strict-sni bind processing (do not use default cert). Not supported for F5.
--subdomain='': The template for the route subdomain exposed by this router, used for routes that are not externally specified. E.g. '${name}-${namespace}.apps.mycompany.com'
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--threads=0: Specifies the number of threads for the haproxy router.
--type='haproxy-router': The type of router to use - if you specify --images this flag may be ignored.
Use "oc adm options" for a list of global command-line options (applies to all commands).
failed: [master0-ost-drupal.urz.uni-heidelberg.de] (item={u'name': u'router', u'certificate': {u'certfile': u'/etc/pki/tls/certs/star.web-ost-drupal.urz.uni-heidelberg.de.pem', u'keyfile': u'/etc/pki/tls/private/star.web-ost-drupal.urz.uni-heidelberg.de.key', u'cafile': u'/etc/pki/tls/certs/chain-uh.pem'}, u'replicas': u'2', u'namespace': u'default', u'serviceaccount': u'router', u'selector': u'router=allowed', u'edits': [{u'action': u'put', u'key': u'spec.strategy.rollingParams.intervalSeconds', u'value': 1}, {u'action': u'put', u'key': u'spec.strategy.rollingParams.updatePeriodSeconds', u'value': 1}, {u'action': u'put', u'key': u'spec.strategy.activeDeadlineSeconds', u'value': 21600}], u'images': u'openshift/origin-${component}:${version}', u'stats_port': 1936, u'ports': [u'80:80', u'443:443']}) => {
"changed": false,
"item": {
"certificate": {
"cafile": "/etc/pki/tls/certs/chain-uh.pem",
"certfile": "/etc/pki/tls/certs/star.web-ost-drupal.urz.uni-heidelberg.de.pem",
"keyfile": "/etc/pki/tls/private/star.web-ost-drupal.urz.uni-heidelberg.de.key"
},
"edits": [
{
"action": "put",
"key": "spec.strategy.rollingParams.intervalSeconds",
"value": 1
},
{
"action": "put",
"key": "spec.strategy.rollingParams.updatePeriodSeconds",
"value": 1
},
{
"action": "put",
"key": "spec.strategy.activeDeadlineSeconds",
"value": 21600
}
],
"images": "openshift/origin-${component}:${version}",
"name": "router",
"namespace": "default",
"ports": [
"80:80",
"443:443"
],
"replicas": "2",
"selector": "router=allowed",
"serviceaccount": "router",
"stats_port": 1936
},
"module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 113, in <module>\n File \"<stdin>\", line 105, in _ansiballz_main\n File \"<stdin>\", line 48, in invoke_module\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 3252, in <module>\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 3243, in main\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 3160, in run_ansible\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 2963, in create\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 3007, in needs_update\n File \"/tmp/ansible_oc_adm_router_payload_4ZJTfN/__main__.py\", line 2736, in prepared_router\n__main__.RouterException: Could not perform router preparation: Error: unknown flag: --expose-metrics\n\n\nUsage:\n oc adm router [NAME] [flags]\n\nExamples:\n # Check the default router (\"router\")\n oc adm router --dry-run\n \n # See what the router would look like if created\n oc adm router -o yaml\n \n # Create a router with two replicas if it does not exist\n oc adm router router-west --replicas=2\n \n # Use a different router image\n oc adm router region-west --images=myrepo/somerouter:mytag\n \n # Run the router with a hint to the underlying implementation to _not_ expose statistics.\n oc adm router router-west --stats-port=0\n\nOptions:\n --ciphers='': Specifies the cipher suites to use. You can choose a predefined cipher set ('modern', 'intermediate', or 'old') or specify exact cipher suites by passing a : separated list. Not supported for F5.\n --create=false: deprecated; this is now the default behavior\n --default-cert='': Optional path to a certificate file that be used as the default certificate. The file should contain the cert, key, and any CA certs necessary for the router to serve the certificate. Does not apply to external appliance based routers (e.g. 
F5)\n --disable-namespace-ownership-check=false: Disables the namespace ownership check and allows different namespaces to claim either different paths to a route host or overlapping host names in case of a wildcard route. The default behavior (false) to restrict claims to the oldest namespace that has claimed either the host or the subdomain. Please be aware that if namespace ownership checks are disabled, routes in a different namespace can use this mechanism to 'steal' sub-paths for existing domains. This is only safe if route creation privileges are restricted, or if all the users can be trusted.\n --dry-run=false: If true, show the result of the operation without performing it.\n --extended-logging=false: If true, then configure the router with additional logging.\n --external-host='': If the underlying router implementation connects with an external host, this is the external host's hostname.\n --external-host-http-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTP connections.\n --external-host-https-vserver='': If the underlying router implementation uses virtual servers, this is the name of the virtual server for HTTPS connections.\n --external-host-insecure=false: If the underlying router implementation connects with an external host over a secure connection, this causes the router to skip strict certificate verification with the external host.\n --external-host-internal-ip='': If the underlying router implementation requires the use of a specific network interface to connect to the pod network, this is the IP address of that internal interface.\n --external-host-partition-path='': If the underlying router implementation uses partitions for control boundaries, this is the path to use for that partition.\n --external-host-password='': If the underlying router implementation connects with an external host, this is the password for authenticating with the external host.\n 
--external-host-private-key='': If the underlying router implementation requires an SSH private key, this is the path to the private key file.\n --external-host-username='': If the underlying router implementation connects with an external host, this is the username for authenticating with the external host.\n --external-host-vxlan-gw='': If the underlying router implementation requires VxLAN access to the pod network, this is the gateway address that should be used in cidr format.\n --force-subdomain='': A router path format to force on all routes used by this router (will ignore the route host value)\n --host-network=true: If true (the default), then use host networking rather than using a separate container network stack. Not required for external appliance based routers (e.g. F5)\n --host-ports=true: If true (the default), when not using host networking host ports will be exposed. Not required for external appliance based routers (e.g. F5)\n --images='openshift/origin-${component}:${version}': The image to base this router on - ${component} will be replaced with --type\n --labels='router=<name>': A set of labels to uniquely identify the router and its components.\n --latest-images=false: If true, attempt to use the latest images for the router instead of the latest release.\n --local=false: If true, do not contact the apiserver\n --max-connections='': Specifies the maximum number of concurrent connections. Not supported for F5.\n --mutual-tls-auth='none': Controls access to the router using mutually agreed upon TLS configuration (example client certificates). You can choose one of 'required', 'optional', or 'none'. The default is none.\n --mutual-tls-auth-ca='': Optional path to a file containing one or more CA certificates used for mutual TLS authentication. 
The CA certificate[s] are used by the router to verify a client's certificate.\n --mutual-tls-auth-crl='': Optional path to a file containing the certificate revocation list used for mutual TLS authentication. The certificate revocation list is used by the router to verify a client's certificate.\n --mutual-tls-auth-filter='': Optional regular expression to filter the client certificates. If the client certificate subject field does _not_ match this regular expression, requests will be rejected by the router.\n -o, --output='': Output results as yaml or json instead of executing, or use name for succint output (resource/name).\n --output-version='': The preferred API versions of the output objects\n --ports='80:80,443:443': A comma delimited list of ports or port pairs that set the port in the router pod containerPort and hostPort. It also sets service port and targetPort to expose on the router pod. This does not modify the env variables. That can be done using oc set env or by editing the router's dc. This is used when host-network=false.\n --replicas=1: The replication factor of the router; commonly 2 when high availability is desired.\n --router-canonical-hostname='': CanonicalHostname is the external host name for the router that can be used as a CNAME for the host requested for this route. This value is optional and may not be set in all cases.\n --secrets-as-env=false: If true, use environment variables for master secrets.\n --selector='': Selector used to filter nodes on deployment. Used to run routers on a specific set of nodes.\n --service-account='router': Name of the service account to use to run the router pod.\n -a, --show-all=true: When printing, show all resources (false means hide terminated pods.)\n --show-labels=false: When printing, show all labels as the last column (default hide labels column)\n --sort-by='': If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. 
'{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.\n --stats-password='': If the underlying router implementation can provide statistics this is the requested password for auth. If not set a password will be generated. Not available for external appliance based routers (e.g. F5)\n --stats-port=1936: If the underlying router implementation can provide statistics this is a hint to expose it on this port. Specify 0 if you want to turn off exposing the statistics.\n --stats-user='admin': If the underlying router implementation can provide statistics this is the requested username for auth. Not available for external appliance based routers (e.g. F5)\n --strict-sni=false: Use strict-sni bind processing (do not use default cert). Not supported for F5.\n --subdomain='': The template for the route subdomain exposed by this router, used for routes that are not externally specified. E.g. '${name}-${namespace}.apps.mycompany.com'\n --template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].\n --threads=0: Specifies the number of threads for the haproxy router.\n --type='haproxy-router': The type of router to use - if you specify --images this flag may be ignored.\n\nUse \"oc adm options\" for a list of global command-line options (applies to all commands).\n\n\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
PLAY RECAP ************************************************************************************************************************
lb0-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
lb1-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
localhost : ok=13 changed=0 unreachable=0 failed=0
master0-ost-drupal.urz.uni-heidelberg.de : ok=393 changed=62 unreachable=0 failed=1
master1-ost-drupal.urz.uni-heidelberg.de : ok=287 changed=44 unreachable=0 failed=0
master2-ost-drupal.urz.uni-heidelberg.de : ok=287 changed=44 unreachable=0 failed=0
node0-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node1-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node2-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node3-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node4-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node5-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node6-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node7-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
node8-ost-drupal.urz.uni-heidelberg.de : ok=125 changed=17 unreachable=0 failed=0
INSTALLER STATUS ******************************************************************************************************************
Initialization : Complete (0:00:53)
[DEPRECATION WARNING]: The following are deprecated variables and will be no longer be used in the next minor release. Please update your inventory accordingly.
openshift_hosted_logging_deploy
openshift_hosted_logging_fluentd_nodeselector_label
openshift_hosted_logging_fluentd_nodeselector_label
openshift_hosted_metrics_deploy
openshift_hosted_metrics_public_url
Health Check : Complete (0:00:07)
etcd Install : Complete (0:01:32)
Master Install : Complete (0:05:24)
Master Additional Install : Complete (0:00:32)
Node Install : Complete (0:11:42)
Hosted Install : In Progress (0:00:22)
This phase can be restarted by running: playbooks/openshift-hosted/config.yml
Thursday 07 March 2019 16:17:56 +0000 (0:00:02.217) 0:20:36.183 ********
===============================================================================
openshift_excluder : Install docker excluder - yum ------------------------------------------------------------------------ 64.89s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_excluder/tasks/install.yml:9 -------------------
openshift_node : Add iptables allow rules --------------------------------------------------------------------------------- 41.74s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_node/tasks/firewall.yml:4 ----------------------
openshift_node : Add iptables allow rules --------------------------------------------------------------------------------- 39.33s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_node/tasks/firewall.yml:4 ----------------------
tuned : Ensure files are populated from templates ------------------------------------------------------------------------- 12.01s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/tuned/tasks/main.yml:23 ----------------------------------
tuned : Ensure files are populated from templates ------------------------------------------------------------------------- 11.85s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/tuned/tasks/main.yml:23 ----------------------------------
openshift_master : restart master api ------------------------------------------------------------------------------------- 11.18s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_master/handlers/main.yml:2 ---------------------
openshift_master : restart master controllers ----------------------------------------------------------------------------- 11.16s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_master/handlers/main.yml:13 --------------------
restart master api -------------------------------------------------------------------------------------------------------- 11.14s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:214
restart master controllers ------------------------------------------------------------------------------------------------ 11.13s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:218
restart master controllers ------------------------------------------------------------------------------------------------ 11.09s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:218
restart master api -------------------------------------------------------------------------------------------------------- 11.07s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:214
restart master controllers ------------------------------------------------------------------------------------------------ 11.07s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:218
restart master api -------------------------------------------------------------------------------------------------------- 11.02s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/openshift-master/private/tasks/wire_aggregator.yml:214
openshift_excluder : Install openshift excluder - yum --------------------------------------------------------------------- 10.77s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_excluder/tasks/install.yml:34 ------------------
openshift_hosted : Get the certificate contents for router ----------------------------------------------------------------- 8.85s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_hosted/tasks/router.yml:24 ---------------------
Run variable sanity checks ------------------------------------------------------------------------------------------------- 8.77s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/playbooks/init/sanity_checks.yml:13 ----------------------------
openshift_excluder : Install openshift excluder - yum ---------------------------------------------------------------------- 8.40s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_excluder/tasks/install.yml:34 ------------------
openshift_node : Update journald setup ------------------------------------------------------------------------------------- 8.15s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_node/tasks/journald.yml:15 ---------------------
openshift_cli : Copy client binaries/symlinks out of CLI image for use on the host ----------------------------------------- 7.94s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_cli/tasks/main.yml:16 --------------------------
openshift_node : Update journald setup ------------------------------------------------------------------------------------- 7.53s
/home/centos/ansible/openshift-ansible-openshift-ansible-3.9.71-1/roles/openshift_node/tasks/journald.yml:15 ---------------------
Failure summary:
1. Hosts: master0-ost-drupal.urz.uni-heidelberg.de
Play: Create Hosted Resources - router
Task: Create OpenShift router
Message: All items completed
[centos@infra2-ost-drupal openshift-ansible-openshift-ansible-3.9.71-1]$