cancel
Showing results for 
Search instead for 
Did you mean: 
richardallred
Flight Engineer
Flight Engineer
  • 1,563 Views

DO180 OCP4.0 Hot Fix

As of 10/1 a new blueprint has been deployed to ROLE, these hotfixes are no longer necessary for the DO180 classroom environment.



These hotfixes address two distinct issues reported with student labs not working in DO180 Classrooms deployed after 2019-09-11.  The following set of instructions should be run either by the students as instructed, or alternatively scripted by the instructor to lay down the steps. Issues should be reported through normal Red Hat training support channels.

 

 

O180-OCP4.0 - Hot Fix Docker Registry Cert

Manual fix instructions:

 

Essentially you are copying the docker registry certificate from the Services machine and placing it on workstation, master0, worker0, and worker1 and then trusting it again.  You then must restart the cluster machines (master0, worker0, worker1) to get the cluster to recognize the new cert.

 

Details:

 

Login to workstation as student then run:

 

sudo -i

scp root@services:/etc/pki/ca-trust/source/anchors/example.com.crt /etc/pki/ca-trust/source/anchors

 

It's okay to overwrite the existing one - now trust it

 

update-ca-trust extract 

 

Repeat this process on master0, worker0, and worker1

 

sudo ssh core@master0

sudo -i

scp root@services:/etc/pki/ca-trust/source/anchors/example.com.crt /etc/pki/ca-trust/source/anchors

update-ca-trust extract

 

Repeat for worker0 and worker1

 

Restart the three VMs master0, worker0, and worker1

 

Once they are rebooted it can take up to 5-10 minutes for the cluster to allow you to log in.

 

To Test the fix on Workstation:

sudo podman pull registry.lab.example.com/httpd:2.4

 

You should get no CA errors and the image should be visible via 

 

sudo podman images

 

To test the fix in the OCP Cluster:

Login to the cluster using the kubeadmin credentials (see course for details)

oc new-project test

oc new-app registry.lab.example.com/httpd:2.4 --insecure-registry

 

Observe the output of the following command:

oc get events 

 

you should see a successful pull of the container but the container will error out because it needs to run as root.  This can be ignored.  The fact that you can pull the container shows the issue is fixed.
 
 
 

O180-OCP4.0 - Hot Fix Web Console Access and Route Creation

Manual Fix instructions:

Problem accessing the OCP web console and other OCP routes:

From workstation:

ssh root@lb

vi /etc/haproxy/haproxy.cfg

Make the bottom of the file look like this (you're changing the ports on http and https):

backend http
   #mode tcp
   mode http
   balance roundrobin
   server http1 172.25.250.51:31577 check
   server http2 172.25.250.52:31577 check

backend https
   mode tcp
   balance roundrobin
   option ssl-hello-chk
   server http1 172.25.250.51:31941 check
   server http2 172.25.250.52:31941 check

Save the file and restart haproxy:

systemctl restart haproxy

Test the console with curl or Firefox

Browse: https://console-openshift-console.apps.cluster.lab.example.com

Use kubeadmin to login - password is on workstation /home/student/auth/kubeadmin-password

Labels (3)
0 Kudos
0 Replies
Join the discussion
You must log in to join this conversation.