Open Stack

We recently deployed Magnum and I've been making my way through getting
both Swarm and Kubernetes running. I also ran into some initial issues.
These notes may or may not help, but thought I'd share them in case:

* We're using Barbican for SSL. I have not tried with the internal
x509keypair.

* I was only able to get things running with Fedora Atomic 27, specifically
the version used in the Magnum docs:
https://docs.openstack.org/magnum/latest/install/launch-instance.html

Anything beyond that wouldn't even boot in my cloud. I haven't dug into
this.

* Kubernetes requires a Cluster Template to have a label of
cert_manager_api=true set in order for the cluster to fully come up (at
least, it didn't work for me until I set this).

As far as troubleshooting methods go, check the cloud-init logs on the
individual instances to see if any of the "parts" have failed to run.
Manually re-run the parts on the command-line to get a better idea of why
they failed. Review the actual script, figure out the variable
interpolation and how it relates to the Cluster Template being used.

Eventually I was able to get clusters running with the stock
driver/templates, but wanted to tune them in order to better fit in our
cloud, so I've "forked" them. This is in no way a slight against the
existing drivers/templates nor do I recommend doing this until you reach a
point where the stock drivers won't meet your needs. But I mention it
because it's possible to do and it's not terribly hard. This is still a
work-in-progress and a bit hacky:

https://github.com/cybera/magnum-templates

Hope that helps,
Joe

On Fri, Aug 3, 2018 at 6:46 AM, Tobias Urdin <tobias.urdin at binero.se> wrote:

> Hello,
>
> I'm testing around with Magnum and have so far only had issues.
> I've tried deploying Docker Swarm (on Fedora Atomic 27, Fedora Atomic 28)
> and Kubernetes (on Fedora Atomic 27) and haven't been able to get it
> working.
>
> Running Queens, is there any information about supported images? Is Magnum
> maintained to support Fedora Atomic still?
> What is in charge of population the certificates inside the instances,
> because this seems to be the root of all issues, I'm not using Barbican but
> the x509keypair driver
> is that the reason?
>
> Perhaps I missed some documentation that x509keypair does not support what
> I'm trying to do?
>
> I've seen the following issues:
>
> Docker:
> * Master does not start and listen on TCP because of certificate issues
> dockerd-current[1909]: Could not load X509 key pair (cert:
> "/etc/docker/server.crt", key: "/etc/docker/server.key")
>
> * Node does not start with:
> Dependency failed for Docker Application Container Engine.
> docker.service: Job docker.service/start failed with result 'dependency'.
>
> Kubernetes:
> * Master etcd does not start because /run/etcd does not exist
> ** When that is created it fails to start because of certificate
> 2018-08-03 12:41:16.554257 C | etcdmain: open /etc/etcd/certs/server.crt:
> no such file or directory
>
> * Master kube-apiserver does not start because of certificate
> unable to load server certificate: open /etc/kubernetes/certs/server.crt:
> no such file or directory
>
> * Master heat script just sleeps forever waiting for port 8080 to become
> available (kube-apiserver) so it can never kubectl apply the final steps.
>
> * Node does not even start and times out when Heat deploys it, probably
> because master never finishes
>
> Any help is appreciated perhaps I've missed something crucial, I've not
> tested Kubernetes on CoreOS yet.
>
> Best regards
> Tobias
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180804/0519906c/attachment.html>