
I am trying to make a monitoring connection to OpenShift with ManageIQ. The container provider is generated successfully.


But the problem is that this connection cannot be refreshed. I set the authentication mode to httpd like below,


But this configuration throws a 403 error.


For your information, these are ssl_error.log and evm.log

==ssl_error.log==

[Sat Jun 03 00:39:59.440542 2017] [proxy:error] [pid 2049] (111)Connection refused: AH00957: HTTP: attempt to connect to 0.0.0.0:3002 (0.0.0.0) failed
[Sat Jun 03 00:39:59.440548 2017] [proxy:error] [pid 2049] AH00959: ap_proxy_connect_backend disabling worker for (0.0.0.0) for 60s
[Sat Jun 03 00:39:59.440550 2017] [proxy_http:error] [pid 2049] [client 172.17.0.1:43722] AH01114: HTTP: failed to make connection to backend: 0.0.0.0, referer: https://localhost:8443/ems_container/1
[Sat Jun 03 00:39:59.570938 2017] [proxy:error] [pid 2049] (111)Connection refused: AH00957: HTTP: attempt to connect to 0.0.0.0:3001 (0.0.0.0) failed
[Sat Jun 03 00:39:59.570960 2017] [proxy:error] [pid 2049] AH00959: ap_proxy_connect_backend disabling worker for (0.0.0.0) for 60s
[Sat Jun 03 00:39:59.570963 2017] [proxy_http:error] [pid 2049] [client 172.17.0.1:43722] AH01114: HTTP: failed to make connection to backend: 0.0.0.0, referer: https://localhost:8443/ems_container/1

== evm.log ==

[----] E, [2017-06-03T00:43:41.697865 #2327:2ad9e81e2b4c] ERROR -- : MIQ(ManageIQ::Providers::Openshift::ContainerManager::EventCatcher::Runner#start_event_monitor) EMS [console.starter-us-east-1.openshift.com] as [] Event Monitor Thread aborted because [User "gladiator67@naver.com" cannot list all events in the cluster]
[----] E, [2017-06-03T00:43:41.698127 #2327:2ad9e81e2b4c] ERROR -- : [KubeException]: User "gladiator67@naver.com" cannot list all events in the cluster  Method:[rescue in block in start_event_monitor]
[----] E, [2017-06-03T00:43:41.698272 #2327:2ad9e81e2b4c] ERROR -- : /opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/kubeclient-2.3.0/lib/kubeclient/common.rb:107:in `rescue in handle_exception'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/kubeclient-2.3.0/lib/kubeclient/common.rb:99:in `handle_exception'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/kubeclient-2.3.0/lib/kubeclient/common.rb:258:in `get_entities'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/kubeclient-2.3.0/lib/kubeclient/common.rb:169:in `block (2 levels) in define_entity_methods'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/kubeclient-2.3.0/lib/kubeclient/common.rb:79:in `method_missing'
/opt/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/bundler/gems/manageiq-gems-pending-e0f3ea8755bf/lib/gems/pending/kubernetes/events/kubernetes_event_monitor.rb:32:in `each'
/var/www/miq/vmdb/app/models/manageiq/providers/kubernetes/container_manager/event_catcher_mixin.rb:41:in `monitor_events'
/var/www/miq/vmdb/app/models/manageiq/providers/base_manager/event_catcher/runner.rb:164:in `block in start_event_monitor'

Updated

Then how can I monitor only my own projects on OpenShift Online? Is it impossible with the ManageIQ Docker container? The code below is the OpenShift Java client code which shows my OpenShift project.

    import com.openshift.restclient.ClientBuilder;
    import com.openshift.restclient.IClient;
    import com.openshift.restclient.ResourceKind;
    import com.openshift.restclient.model.IProject;

    // Build a client for the OpenShift Online endpoint
    IClient client = new ClientBuilder("https://console.starter-us-east-1.openshift.com")
            .withUserName("gladiator67@naver.com")
            .withPassword("111111")
            .build();

    // Authenticate with an API token
    client.getAuthorizationContext().setToken("is-ildn...");

    System.out.println("=======================================================================");
    System.out.println(client.getOpenShiftAPIVersion() + ", " + client.getServerReadyStatus());
    System.out.println("\n========================Openshift Project====================================");
    // Build a stub IProject for the named project and print its fields
    IProject project = (IProject) client.getResourceFactory().stub(ResourceKind.PROJECT, "josephproject-openshift");
    System.out.println("Openshift API version : " + project.getApiVersion()
            + ", Project namespace : " + project.getNamespace() + ", Project name : " + project.getName());

The results show my OpenShift project information.

=======================================================================
v1, ok

========================Openshift Project====================================
Openshift API version : v1, Project namespace : josephproject-openshift, Project name : josephproject-openshift

I thought I could monitor my OpenShift projects on ManageIQ like this client code does.

halfer
Joseph Hwang

1 Answer


OpenShift Online does not provide you with sufficient access rights to be able to grant the application cluster-reader access. Giving you cluster-reader access would mean you could see a list of everyone's projects in the cluster, which for a shared environment used by others isn't something you really want to be giving non-admin people.

Your ability to run ManageIQ in OpenShift Online will be quite limited. It is intended to be installed by an administrator for the whole cluster, with access granted to non-admin users only if desired by the administrators.

Graham Dumpleton
  • Thank you for your detailed explanation. Could you check the **updated** part of my thread, please? – Joseph Hwang Jun 03 '17 at 01:20
  • What exactly are you wanting to monitor that the OpenShift web console doesn't provide you? The web console provides metrics charts for application pods and has logging. There have been some issues with these on us-east-1 and since ManageIQ is likely using the same underlying metrics provider, it is probably not going to work for those right now either. – Graham Dumpleton Jun 03 '17 at 03:23
  • Also, is this in preparation for later trying to monitor applications you might run in the paid tier? Using ManageIQ in the starter tier doesn't make a great deal of sense from the perspective that ManageIQ will chew up half your resource allocation or more, making it hard to deploy an application to be monitored. – Graham Dumpleton Jun 03 '17 at 03:24
  • Thank you so much for your advice. It is really helpful. – Joseph Hwang Jun 03 '17 at 04:11
  • Some issues with api.starter-us-east-1.openshift.com were solved, and then I tried to configure the OpenShift monitoring instance in ManageIQ again. But the same terrible error message is thrown: **HTTP status code 403, User "gladiator67@naver.com" cannot list all pods in the cluster**. And the same ERROR appears in evm.log. Any ideas will be appreciated! – Joseph Hwang Jun 11 '17 at 07:26
  • As the answer already indicated, to list all pods in a cluster, you would need at least the `cluster-reader` role. That is not available to you in OpenShift Online as it can only be granted by an admin and you would never get it as it breaks security as you could then see other users' projects. – Graham Dumpleton Jun 11 '17 at 07:54
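
The distinction drawn in the answer and comments, as an added example that is not part of the original thread or of ManageIQ's code: a simplified Ruby model of project-scoped versus cluster-scoped role bindings, showing why a project-level role cannot satisfy the cluster-wide list requests reported in evm.log. The user name, the role contents and the denial wording for the project case are constructed for illustration.

```ruby
# Simplified model of OpenShift/Kubernetes authorization scopes (illustration only).
# Role names match OpenShift defaults; their contents here are a constructed subset.
ROLES = {
  "admin"          => { verbs: %w[get list watch create update delete], resources: %w[pods events] },
  "cluster-reader" => { verbs: %w[get list watch],                      resources: %w[pods events] }
}.freeze

# namespace == nil models a cluster-wide binding (ClusterRoleBinding);
# a namespace value models a binding that applies only inside that project (RoleBinding).
Binding = Struct.new(:user, :role, :namespace)

# A request with namespace == nil is a cluster-wide request ("list all pods").
def allowed?(bindings, user, verb, resource, namespace)
  bindings.any? do |b|
    role = ROLES.fetch(b.role)
    b.user == user &&
      role[:verbs].include?(verb) &&
      role[:resources].include?(resource) &&
      (b.namespace.nil? || b.namespace == namespace)
  end
end

# Returns "allowed" or a denial string; the cluster-wide wording follows evm.log,
# the per-project wording is constructed.
def check(bindings, user, verb, resource, namespace = nil)
  return "allowed" if allowed?(bindings, user, verb, resource, namespace)
  if namespace
    "User \"#{user}\" cannot #{verb} #{resource} in project \"#{namespace}\""
  else
    "User \"#{user}\" cannot #{verb} all #{resource} in the cluster"
  end
end

USER    = "dev@example.com"          # constructed user
PROJECT = "josephproject-openshift"  # project name from the question

# What a shared-cluster user has: a role bound only inside their own project.
ONLINE_USER = [Binding.new(USER, "admin", PROJECT)].freeze
# What the provider's requests need: a cluster-wide read-only binding granted by an admin.
WITH_CLUSTER_READER = (ONLINE_USER + [Binding.new(USER, "cluster-reader", nil)]).freeze

if __FILE__ == $0
  puts check(ONLINE_USER, USER, "list", "pods", PROJECT)        # own project
  puts check(ONLINE_USER, USER, "list", "events")               # cluster-wide, as in evm.log
  puts check(ONLINE_USER, USER, "list", "pods", "someone-else") # another tenant's project
  puts check(WITH_CLUSTER_READER, USER, "list", "pods")         # after an admin grants cluster-reader
end
```

The second binding is also why the answer treats `cluster-reader` as unsuitable for a shared cluster: once it exists, the same user can list resources in every other tenant's project.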