OCP 3.5 installation fail - missing ansible role openshift_serviceaccounts

[bartpved]

Failed installation with OpenShift 3.5. Ansible role openshift_serviceaccounts missing.

The role that is missing used to be installed for OCP 3.4 with openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.

With OCP 3.5 and openshift-ansible-roles-3.5.60-1.git.0.b6f77a6.el7.noarch, the role is not there.
Is OCP 3.5 supported?

Here can be seen the error from ansible run, from /var/log/ansible.xx

`ERROR! the role 'openshift_serviceaccounts' was not found in /var/lib/ansible/playbooks/roles:/usr/share/ansible/openshift-ansible/roles:/var/lib/ansible/roles:/var/lib/ansible/playbooks

The error appears to have been in '/var/lib/ansible/playbooks/ipfailover.yml': line 5, column 5, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

roles:

• role: openshift_serviceaccounts
  ^ here
  `

Installation is on redhat machines, these are the repos used:
[root@ocp-int35-bastion scripts]# yum repolist
Loaded plugins: package_upload, search-disabled-repos
repo id repo name status
!rhel-7-server-extras-rpms/x86_64 Red Hat Enterprise Linux 7 Server - Extras 465
!rhel-7-server-openstack-8-director-rpms/7Server/x86_64 Red Hat OpenStack Platform 8 director for 90
!rhel-7-server-openstack-8-rpms/7Server/x86_64 Red Hat OpenStack Platform 8 for RHEL 7 (R 1 004
!rhel-7-server-optional-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server - Option 10 894
!rhel-7-server-ose-3.5-rpms/x86_64 Red Hat OpenShift Container Platform 3.5 ( 435
!rhel-7-server-rpms/7Server/x86_64 Red Hat Enterprise Linux 7 Server (RPMs) 14 277
!rhel-7-server-satellite-tools-6.2-rpms/x86_64 Red Hat Satellite Tools 6.2 (for RHEL 7 Se 109

Looking at openshift-ansible and ansible versions:
[root@ocp-int35-bastion scripts]# rpm -qa ansible
ansible-2.2.1.0-2.el7.noarch
[root@ocp-int35-bastion scripts]# rpm -qa|grep ansible
openshift-ansible-lookup-plugins-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-callback-plugins-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-roles-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-docs-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-filter-plugins-3.5.60-1.git.0.b6f77a6.el7.noarch
openshift-ansible-playbooks-3.5.60-1.git.0.b6f77a6.el7.noarch
ansible-2.2.1.0-2.el7.noarch

[rlopez133]

Hi bartpved,

I noticed that you had a missing repository, for OCP 3.5 it also requires: rhel-7-fast-datapath-rpms

[bartpved]

Thanks @rlopez133. At this moment I'm not hitting the issue with missing repo, but probably I will :-) . It would help if on the project page it would be stated which OpenShift version is supported with this project, and what is openshift-ansible version requirement. Wandering if anyone managed to have the 3.5 running? BTW, OCP 3.4 works fine when installed with this project, and using openshift-ansible 3.4.

[ioggstream]

@bartpved Try running ansible from the following dir. /usr/share/ansible/openshift-ansible

[ioggstream]

@bartpved did the above hint fix your issue?

[cwpenhale]

I've been jamming on this for a bit, and I found that role doesn't exist anymore in release-1.5 in the openshift-ansible project, and the playbook executes an incorrect command for setting up ipfailvoer anyway. See openshift/origin@641067b RE: https://github.com/redhat-openstack/openshift-on-openstack/blob/master/templates/var/lib/ansible/playbooks/ipfailover.yml#L17

I've gotten around this by removing the --credentials command, and cribbing from the ansible playbook the following task:

  - name: Create Admin Service Account
    oc_serviceaccount:
      kubeconfig: "/etc/origin/master/admin.kubeconfig"
      name: ipfailover
      namespace: default
      state: present

I still need to add permissions to that account, though, and I'm fishing for how to do so. So far though, a successful deployment on 1.5 with ipfailover.

EDIT: I should also say, I removed the 'openshift_serviceaccounts' roles from the ipfailover playbook.

[bartpved]

sounds promising @cwpenhale , I'll have to give it a try!

[bartpved]

@ioggstream thanks for suggestion, I will have to try it,haven't looked at it yet

[cwpenhale]

This is what my successful ./templates/var/lib/ansible/playbooks/ipfailover.yml looks like:

mkdir -p /var/lib/os-apply-config/templates/var/lib/ansible/playbooks
cat << 'EOF' > /var/lib/os-apply-config/templates/var/lib/ansible/playbooks/ipfailover.yml
---
{{=<% %>=}}
- hosts: masters[0]
  sudo: yes

  tasks:
  - name: ipfailover service account 
    command: oadm policy add-scc-to-user privileged -z ipfailover
    when: ansible_first_run | default(false) | bool
    ignore_errors: yes
  - name: Deploy Openshift IP failover for router
    command: oadm ipfailover --create --service-account=ipfailover --interface=eth0 --selector='region=infra' --replicas={{ num_infra }} --virtual-ips={{ router_vip }} 
    when: ansible_first_run | default(false) | bool
    # oadm ipfailover returns error code if service account already exists even
    # if ipfailover pod is created successfully
    # remove when https://bugzilla.redhat.com/show_bug.cgi?id=1332432 is fixed
    ignore_errors: yes

- hosts: masters
  sudo: yes
  tasks:
  - name: Allow multicast for keepalived
    command: /sbin/iptables -I INPUT -i eth0 -d 224.0.0.18/32 -j ACCEPT
<%={{ }}=%>
EOF

[bartpved]

🥇 --> @cwpenhale
Stack creation with changes in ipfailover.yml you suggested works fine! Many thanks! I haven't tested the ipfailover.