Bug 1795696: templates: etcd-member: setup environment variables needed for easy etcdctl execution #1429
@retroflexer: This pull request references Bugzilla bug 1795696, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
command: | ||
- /bin/sh | ||
- -c | ||
- echo 'export ETCDCTL_API=3 ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt ETCDCTL_CERT=$(find /etc/ssl/ -name *peer*crt) ETCDCTL_KEY=$(find /etc/ssl/ -name *peer*key)' >> /root/.profile |
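Review bot: In the echoed export line, the patterns in `-name *peer*crt` and `-name *peer*key` are unquoted, so when /root/.profile is read later the shell can expand them against the current directory before find ever sees them. Because the whole string is already inside single quotes for echo, quote the patterns with double quotes, e.g. `-name "*peer*crt"` and `-name "*peer*key"`.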
we set API version in env below. we should do one or the other. does this work if we exec in as well?
Removed ETCDCTL_API. crictl exec works well too.
overall looks good, thanks @retroflexer
env: | ||
- name: ETCDCTL_API | ||
value: "3" | ||
- name: ETCD_DATA_DIR | ||
value: "/var/lib/etcd" | ||
- name: ENV | ||
value: "/root/.profile" |
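Review bot: The `ENV` entry pointing at /root/.profile carries no comment explaining why it is there. Per the bash behaviour quoted in this thread, a shell invoked as sh reads the ENV file only when it is interactive, so a non-interactive `sh -c` exec will not pick up the ETCDCTL_* variables. Add a YAML comment above `- name: ENV` that says so, so that nobody later removes the entry as unused or expects it to cover scripted use.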
In RHCOS, /bin/sh is symbolically linked to bash, but it tries to mimic the behavior of historical Bourne shell.
When bash is invoked as an interactive shell with the name sh, bash looks for the variable ENV, expands its value if it is defined, and uses the expanded value as the name of a file to read and execute. Since a shell invoked as sh does not attempt to read and execute commands from any other startup files (including .profile), the --rcfile option has no effect.
(from the man pages of bash)
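The ENV behaviour described in the comment above, as an added example that is not part of the PR: it starts a child `sh` once interactively and once with plain `-c`, and reports whether the file named by ENV was read. The variable `DEMO_ETCDCTL_CACERT`, the helper `run_sh` and the temporary profile file are made up for the demo; it assumes `sh` on PATH is bash-as-sh or another POSIX shell that honours ENV for interactive shells.

```shell
#!/bin/sh
# Added illustration (constructed): shows when a shell invoked as "sh" reads
# the file named by ENV. DEMO_ETCDCTL_CACERT and the temp file are made up
# for this demo; nothing here touches /root/.profile.

# run_sh MODE -> prints the value the child shell sees for DEMO_ETCDCTL_CACERT
#   MODE=interactive : child started with -i (an rsh-style interactive session)
#   MODE=batch       : child started with -c only (a scripted exec)
run_sh() {
    mode=$1
    tmpdir=$(mktemp -d) || return 1
    # Stand-in for the profile file that the postStart hook writes.
    printf 'export DEMO_ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt\n' > "$tmpdir/profile"
    probe='printf "%s" "${DEMO_ETCDCTL_CACERT:-unset}"'
    case $mode in
        interactive)
            # -i forces an interactive shell; stderr is dropped because the
            # child complains about the missing terminal when run unattended.
            result=$(ENV="$tmpdir/profile" sh -i -c "$probe" 2>/dev/null </dev/null) ;;
        batch)
            # Non-interactive: the ENV file is not consulted.
            result=$(ENV="$tmpdir/profile" sh -c "$probe" </dev/null) ;;
        *)
            rm -rf "$tmpdir"
            return 2 ;;
    esac
    rm -rf "$tmpdir"
    printf '%s\n' "$result"
}

echo "interactive sh: $(run_sh interactive)"
echo "batch sh -c:    $(run_sh batch)"
```

Whoever can write to the file that ENV names gets their commands run in every interactive sh in that container, so the file's ownership and mode deserve the same care as the certificates it points at.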
@retroflexer thanks for the crisp explanation. I wonder if it would be a good idea to create a secret/configmap for the env variables here and then mount the configmap? I think it would be a lot cleaner and admins can configure the env variable independent of static pod yaml.
/cc @hexfusion
b8a58a5 to 144c710
/test e2e-gcp-op
/test e2e-aws-disruptive
/test e2e-aws-disruptive
/test e2e-gcp-op
command: | ||
- /bin/sh | ||
- -c | ||
- echo 'export ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt ETCDCTL_CERT=$(find /etc/ssl/ -name *peer*crt) ETCDCTL_KEY=$(find /etc/ssl/ -name *peer*key)' >> /root/.profile |
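Review bot: The two `find /etc/ssl/ ...` calls search a wider tree than the CA path on the same line (/etc/ssl/etcd/ca.crt) and nothing limits each result to one file. If more than one file matches either pattern, ETCDCTL_CERT or ETCDCTL_KEY becomes a multi-line value and the two may not refer to a matching certificate and key. Narrow the search root to the directory that actually holds the peer pair and make sure exactly one path comes back, or reference the files by their known names.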
I really don't think we should have starting any containers affect host content like this by default.
The etcd recovery tools are going to be containerized anyways, so let's just document this stuff over there?
The etcd recovery tools are going to be containerized in 4.5+. And it assumes cluster-etcd-operator to be available, which is not available prior to 4.4. That means, our current customers of 4.2 and 4.3 (and perhaps 4.4) will not have easy execution of etcdctl.
Also .profile is currently not used by anyone (that file doesn't exist at all in most pod installations). So, I do not see a reason to oppose it. If you don't like the use of .profile, I can put it in a file named .etcdctl_env.
Sorry, I mistakenly thought these hooks ran on the host.
/hold
What other solution do you recommend, Colins? Our customers and customer supporting staff are struggling with typing mile-long commands to achieve simple Michal thought this should be ported to 4.2 and 4.3 as well to help mitigate the pain for our customers. Cc: @mfojtik, @hexfusion
@cgwalters I'm willing to accept this for 4.4, but revisit in 4.5 where we should make the ETCD_DNS_NAME in the cert names go away and one could just set normal pod level env vars that point to ETCDCTL_CERT/etc. Also this is important when debugging broken clusters and also came up recently during one escalation call. /cc @smarterclayton
@retroflexer @hexfusion can we maybe do this via the discovery container? for instance, we set the DNS name here[1], can we set the ETCDCTL_CERT* env variables here as well. It will be in the
Thanks @retroflexer for confirming over slack, this will only work if the user explicitly sources
/hold cancel
/test e2e-aws-disruptive
/test e2e-aws-scaleup-rhel7
The bottom line here is we are improving user experience. This is a simple and practical approach in my opinion. thanks @retroflexer /lgtm
/skip
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cgwalters, hexfusion, retroflexer The full list of commands accepted by this bot can be found here. The pull request process is described here
/cherrypick release-4.3
@retroflexer: once the present PR merges, I will cherry-pick it on top of release-4.3 in a new PR and assign it to you. In response to this:
@retroflexer: The following tests failed, say
/retest Please review the full test history for this PR and help us cut down flakes.
@retroflexer: All pull requests linked via external trackers have merged. Bugzilla bug 1795696 has been moved to the MODIFIED state. In response to this:
@retroflexer: new pull request created: #1452 In response to this:
Closes: #1795696
One can easily update .bashrc or .bash_profile using postStart hooks. However, oc rsh apparently doesn't use bash, so these are not getting automatically invoked.
openshift/origin#7514
openshift/origin#7496
openshift/origin#7519
However, standard shell (Bourne shell) uses .profile. But in RHCOS, /bin/sh is symbolically linked to /usr/bin/bash.
- What I did
Added the environment variables needed for straightforward execution of etcdctl into /root/.profile, so that oc rsh has the ready-made environment.
- How to verify it
etcdctl member list
Should work right off the bat.
- Description for the changelog
Provide environment variables for straightforward execution of etcdctl commands on pods.