Updated diagnostic_tools for openshift-ansible image

[adellape]

Reworks #4579 and moves most of the content to the existing admin_guide/diagnostic_tools section, and adds subsections for ansible-playbook vs direct docker usage. Still adds mention of the openshift-ansible health checks to the scaling guide, but mostly links to the admin_guide for the details and usage. Still adds in the previously-undocumented checks (logging_index_time, etcd_traffic).

Preview:

http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/admin_guide/diagnostics_tool.html#additional-cluster-health-checks
http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/scaling_performance/optimizing_compute_resources.html#scaling-performance-debugging-using-openshift-ansible

[adellape]

PTAL @juanvallejo @sosiouxme @rhcarvalho

[adellape]

Document: [diagnostics] Document the use of the diagnostic tools in the official docs

[adellape]

Was musing with Juan we should add a callout explaining what's going on here.

[sosiouxme]

Yeah... there's a fairly detailed explanation of what's going on at https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md#usage

As usual you have to weigh how much to say about all this... I have to say that the ssh key permissions are particularly fragile and quite difficult to debug when they're not right (ssh is really persnickety and not very informative unless you turn debug up to 11), so we really want to guide them down a single path, not make them confident in how to do it differently. We definitely need to mention not running this as root, that's likely to be a nasty surprise.

[sosiouxme]

pretty sure you need a second -e for the second parameter.

-e OPTS="-v -e openshift_check_logging_index_timeout_seconds=30 -e etcd_max_image_data_size_bytes=40000000000" \

[sosiouxme]

BTW are the callouts here going to interfere with copy/paste in the rendered version? Because they're really going to want to copy/paste this.

[rhcarvalho]

pretty sure you need a second -e for the second parameter.

👍

Or quotes, so that everything after -e goes as a single shell argument.

[sosiouxme]

should be playbooks/byo/openshift-checks/health.yml

[adellape]

@sosiouxme Do the other two instances need to be /byo as well?

[sosiouxme]

Yeah... there's a fairly detailed explanation of what's going on at https://github.com/openshift/openshift-ansible/blob/master/README_CONTAINER_IMAGE.md#usage

As usual you have to weigh how much to say about all this... I have to say that the ssh key permissions are particularly fragile and quite difficult to debug when they're not right (ssh is really persnickety and not very informative unless you turn debug up to 11), so we really want to guide them down a single path, not make them confident in how to do it differently. We definitely need to mention not running this as root, that's likely to be a nasty surprise.

[sosiouxme]

It's probably a bit confusing that we refer to it as openshift-ansible here, but later it has a different RPM name and a different image name. I'm not sure there's anything to be done about it, though... you have to call it something and origin/OCP have different names for everything.

[rhcarvalho]

We could use a conditional for the name, or in this particular case we could possible avoid giving it a name altogether:

Additional diagnostic health checks are available through the Ansible-based tooling used to install and manage {product-title} clusters.

[sosiouxme]

That's the OCP RPM name... I don't think we ship an RPM for Origin. I think we expect people to run out of a git clone.

[sosiouxme]

turns out this needs a :Z as well (at least in my test today)

-v /etc/ansible/hosts:/tmp/inventory:Z,ro \

[rhcarvalho]

I believe you. Wondering why we don't have it in README_CONTAINER_IMAGE.md. The ro is also "new" here, makes sense. We may update README_CONTAINER_IMAGE.md to match.

[codificat]

I didn't need :Z here in my tests, and ro would be covered by standard file perms (we're running as non-root by default). Considering that :Z would relabel the file on the host, better to leave it out if not needed:

# ls -Z /etc/ansible/hosts
-rw-r--r--. root root unconfined_u:object_r:net_conf_t:s0 /etc/ansible/hosts
# sesearch -A -s svirt_lxc_net_t -t net_conf_t
Found 2 semantic av rules:
   allow svirt_sandbox_domain file_type : filesystem getattr ; 
   allow svirt_sandbox_domain file_type : dir { getattr search open } ; 

If we do need it let's add it... just mentioning that I think it's worth double checking that it's necessary...

[adellape]

Leaving it alone for now, then.

[sosiouxme]

"Kibana log" is confusing here and it's a detail they don't need. Suggest: "log entry"

[sosiouxme]

again atomic-openshift-utils is OCP only

[sosiouxme]

distributed

[rhcarvalho]

Is the content duplication intentional? This paragraph is the same in two files (typo included).

[adellape]

Re-did this so that I'm re-using the shared content w/ an include::.

[sosiouxme]

needs a -e per param

-e openshift_check_logging_index_timeout_seconds=30 -e etcd_max_image_data_size_bytes=40000000000

[rhcarvalho]

I tested just to be sure. We can use a single -e if the argument is quoted (because of spaces).

-e "openshift_check_logging_index_timeout_seconds=30 etcd_max_image_data_size_bytes=40000000000" is also correct.

And so is using single quotes (avoids shell expansion):

-e 'openshift_check_logging_index_timeout_seconds=30 etcd_max_image_data_size_bytes=40000000000'

[adellape]

Making it separate -e entries on separate lines (without quotes) for readability.

[rhcarvalho]

Changing the anchor will break existing links, is it worth it?

[adellape]

There was only one xref in the docs repo and it's updated in this PR. This content has only appeared so far in the Origin docs, so not too worried about links out in the wild.

[rhcarvalho]

Note: same comment as https://github.com/openshift/openshift-docs/pull/4713/files#r125776778

[rhcarvalho]

The role name is internal implementation detail, should not be in the documentation.

[rhcarvalho]

Note: this is implemented in openshift/openshift-ansible#4682, not merged yet as of now.

[rhcarvalho]

Merged today

[sosiouxme]

... meaning it will probably be in 3.6.1 not 3.6.0

[rhcarvalho]

This doesn't exist. We use a more generic package_version check to check versions of multiple packages, including Open vSwitch.

[juanvallejo]

Hm, that was my fault. I believe I initially started the Open vSwitch check in a check of its own

[adellape]

Ack, will remove.

[rhcarvalho]

FWIW it doesn't need to be in the inventory file, it can be with a -e flag as well (among the other ways to set variables in Ansible).

[adellape]

Adding mention of that method as well.

[rhcarvalho]

user-defined

Or rather:

To set variables in the command-line, include ...

[rhcarvalho]

I tested just to be sure. We can use a single -e if the argument is quoted (because of spaces).

-e "openshift_check_logging_index_timeout_seconds=30 etcd_max_image_data_size_bytes=40000000000" is also correct.

And so is using single quotes (avoids shell expansion):

-e 'openshift_check_logging_index_timeout_seconds=30 etcd_max_image_data_size_bytes=40000000000'

[rhcarvalho]

pretty sure you need a second -e for the second parameter.

👍

Or quotes, so that everything after -e goes as a single shell argument.

[rhcarvalho]

Is the content duplication intentional? This paragraph is the same in two files (typo included).

[adellape]

@juanvallejo @sosiouxme @rhcarvalho Comments addressed. Changes pushed and preview updated.

http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/admin_guide/diagnostics_tool.html#ansible-based-tooling-health-checks
http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/scaling_performance/optimizing_compute_resources.html#scaling-performance-debugging-using-ansible

[juanvallejo]

ping @rhcarvalho or @sosiouxme wondering if there are any more comments on this?

[rhcarvalho]

Merged today

[rhcarvalho]

Should we have some link in this paragraph tying back to the logging docs, or is it clear what "logging stack" we're referring to?

[sosiouxme]

I think we could. And actually the name could use some standardization too. I see it called variously "cluster logging", "aggregated logging", "the logging stack", and "the EFK stack".

https://docs.openshift.org/latest/install_config/aggregate_logging.html is probably what we want to link to. I don't have a strong preference on standard name but "cluster logging" seems straightforward.

[adellape]

Done.

[rhcarvalho]

I'd consider that more important than knowing the variable name would be to explain when one should bother to change the default? I think we're missing that.

[adellape]

@sosiouxme When should one bother?

[sosiouxme]

Don't think we need the long variable name twice. Don't like "is not able to be". And to Rodolfo's point:

Users that either require lower-latency log aggregation or are comfortable with higher latency may adjust this timeout with an Ansible variable. For example, setting openshift_check_logging_index_timeout_seconds=45 relaxes the timeout to 45 seconds.

[rhcarvalho]

This can be misleading, it should be -e openshift_disable_check=name1,name2,....

[adellape]

Done.

[sosiouxme]

So "an" environment variable yes?

[sosiouxme]

There needs to be a substantial up-front warning about using these checks. They are not without side effects; running them can make changes to the hosts. Mostly those changes would be installing dependencies so the checks can gather needed information, and so they shouldn't be of much concern. My main concern is that some of the roles from the installer are invoked as pre-requisites to gather information the checks require, and those roles don't have a concept of not changing anything important. They try to ensure the system components they deal with are configured consistently with the inventory, even though you're not running from an installer playbook. So if the admin didn't install with Ansible, or ran the install with different/extra variables specified than what's in the inventory file, or made manual config changes after installing, they could easily find that running the checks re-configures their hosts according to the inventory file. Networking and Docker (for instance) can be affected.

So the checks should only be used on clusters that have been deployed with Ansible and using the same inventory it was deployed with. I'm not sure how to say this in a way that isn't terrifying to the user. Basically, if you wouldn't run the install with your inventory (and expect it to change nothing) then don't run the checks with it either, because the run may perform (some of) the same changes.

[rhcarvalho]

I consider this a bug in the check runner 😢
It is not the user's fault the implications of how the checks are implemented. We should fix it, since IIUC it did not start that way.

[adellape]

@sosiouxme How's this big ol warning:

http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/admin_guide/diagnostics_tool.html#ansible-based-tooling-health-checks

[adellape]

@rhcarvalho Oops, didn't see your comment.

[sosiouxme]

@rhcarvalho well that would involve decomposing roles into "informational" versus "transformational". With the caveat that even "informational" roles can install dependencies. It's probably worth doing but I don't think it will be quick.

[sosiouxme]

@adellape That warning LGTM.

[adellape]

@openshift/team-documentation PTAL:

http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/admin_guide/diagnostics_tool.html#additional-cluster-health-checks
http://file.rdu.redhat.com/~adellape/070517/scaling_preinstall/scaling_performance/optimizing_compute_resources.html#scaling-performance-debugging-using-openshift-ansible

[ahardin-rh]

LGTM

[sosiouxme]

I wouldn't say "user-defined" here as most users will use the default. And it's good to mention the default. So something like:

It fails if a new log entry cannot be queried through Elasticsearch within a timeout (by default, 30 seconds).

And below, I'd use a different configured timeout, e.g. 45 seconds.

[adellape]

👍

[sosiouxme]

This is the location for OCP... do we ship the installer RPM for Origin? I don't think we do. I don't want to complicate this but maybe for Origin we need to describe cloning the repo...

[sosiouxme]

s/common/byo/

[sosiouxme]

also s/common/byo/

[adellape]

I'll ifdef this for OCP vs Origin.

[sosiouxme]

The :Z requires some explanation too. As the repo docs explain:

Note that the ssh key is mounted with the :Z flag: this is also required so that the container can read the ssh key from its restricted SELinux context; this means that your original ssh key file will be re-labeled to something like system_u:object_r:container_file_t:s0:c113,c247. For more details about :Z please check the docker-run(1) man page. Please keep this in mind when providing these volume mount specifications because this could have unexpected consequences: for example, if you mount (and therefore re-label) your whole $HOME/.ssh directory you will block sshd from accessing your keys. This is a reason why you might want to work on a separate copy of the ssh key, so that the original file's labels remain untouched.

ssh is exceedingly picky about what it accepts as keys, and having the wrong SELinux label on the file (which is virtually inevitable at least on the initial run) causes it to silently skip the key and blithely fail to connect without further explanation. It's a pretty infuriating user experience. This is also why it's so important to have the container user matching the user ID on the keyfile.

The mention of mounting a .ssh directory leads to yet more discussion; I don't like it but this probably has to be pretty verbose because this is what everyone will get hung up on adapting to their specific usage. You might want to mount a whole .ssh directory for various reasons, among them because you want to use an ssh config to match keys with hosts or tweak other connection parameters, or because you want to provide a known_hosts file and have ssh validate host keys (which is disabled by default config and can be re-enabled by setting the envvar -e ANSIBLE_HOST_KEY_CHECKING=True on the cmdline or a few more complicated ways).

Finally we should probably mention providing a vault password. Probably in a future update because frankly I know nothing about it yet.

[adellape]

👍

[sosiouxme]

Well, it's not used by it but I guess used according to it. Or as indicated by it?

The same need for :Z labeling can apply to this (or really anything that's mounted in). The label on /etc/ansible/hosts is typically suitable already for use in the container and they can get away without :Z relabeling. However if the inventory file is in a user home directory for instance, it will not be available to the user in the container and they will need to relabel it. I'm not sure there's a graceful way to explain this.

[sosiouxme]

And we haven't even discussed dynamic inventory, which is a whole 'nother topic.

[sosiouxme]

It's probably worth saying that this is the location relative to /usr/share/ansible/openshift-ansible inside the container. You could also fully specify e.g. PLAYBOOK_FILE=/usr/share/ansible/openshift-ansible/playbooks/byo/openshift-checks/health.yml

[adellape]

👍

[sosiouxme]

All variables can be user-defined so that's kind of redundant. The example's clear enough but I'd suggest this say:

Set any variables desired for a single run with the -e key=value format.

Having two in there could be confusing.

[adellape]

👍

[sosiouxme]

@sosiouxme <https://github.com/sosiouxme> Do the other two instances need to be /byo as well?

Yes... yes, they all do. No one should be running /common playbooks directly.

[sosiouxme]

s/common/byo/

[mburke5678]

"deployed using Ansible and using the same inventory file with which it was deployed"
Is there a programmatic way to determine this?

[sosiouxme]

Err... run the playbook and see if it changes anything?

Seeing what would be changed without making the changes is what the --check ansible flag is for but I honestly don't know how accurate or useful it is with as much custom stuff as openshift-ansible includes. Could be fine, could be broken, could even make changes anyway. I don't think it's a use case anyone's paying attention to.

[rhcarvalho]

@adellape how far do you think we are from getting it merged? :-)

[sosiouxme]

Sorry, still a few things to fix up.

[sosiouxme]

Just a small quibble I missed before.

s/health checks/health check playbooks/

(the health checks themselves don't make the problem changes, the playbooks have dependencies that make them)

[sosiouxme]

If we're going to link to github instructions in the next paragraph, it's probably worth mentioning that you can run it as a system container as well.

"using the Docker CLI or atomic..."

Or, go the other way and remain agnostic:

"... or as a containerized version of openshift-ansible." And "containerized method" below.

[sosiouxme]

nit: how about "higher-than-normal"?

[sosiouxme]

It also checks that docker storage is configured in a supportable way. Meaning, with a storage driver and backing storage device that are supported for usage with Docker.

In particular, the default configuration of Docker storage is not supported. I'm not sure how much to say about this; probably worth linking to any docs we have on Docker storage configuration.

[sosiouxme]

and Kibana

[sosiouxme]

This check similarly only runs if logging is enabled. Should it be grouped with the others? They're all related but the focus of this one is a little different, it's end-to-end...

[sosiouxme]

would still prefer a single key=value here

[adellape]

Whoops.

[sosiouxme]

I would reword this just a bit to be clearer about the problem and stronger in the suggested remedy.

Keep this in mind for these volume mount specifications because it could have unexpected consequences. For example, if you mount (and therefore relabel) your $HOME/.ssh directory, sshd will become unable to access your public keys to allow remote login. To avoid altering the original file labels, mounting a copy of the SSH key (or directory) is recommended.

[sosiouxme]

This will be confusing as to whether it needs to be added on the docker command or in the OPTS var. It needs to be set on the docker command.

... and can be re-enabled with an environment variable by adding -e ANSIBLE_HOST_KEY_CHECKING=True to the docker command line.

[adellape]

@sosiouxme OK thanks, changes made, see latest commit.

[adellape]

@sosiouxme bump

[sosiouxme]

A few nits but LGTM

[sosiouxme]

s/packet/package/ here; this supplies tools that can't be installed as packages on AH. Not sure what an immutable packet tree would mean :)

[adellape]

😊

[sosiouxme]

Technically these aren't environment variables... I think you can safely s/environment//

On a docker command line, -e sets an environment variable. On an ansible command line, -e sets an extra variable or inventory variable. They look the same but they're accessed in completely different ways...

[sosiouxme]

Yeah, dependencies like Ansible and the playbooks :) Other dependencies aren't really much of a problem for this playbook, so I don't know that I'd put this as the motivation. The purpose of the image is to be able to run playbooks on a system with nothing more than Docker. You could even run it on a Mac or Atomic Host.

Not a big deal, but maybe something like:

"It is possible to run the openshift-ansible playbooks in a Docker container, avoiding the need for installing and configuring Ansible, on any host that can run the {ose,origin}-ansible image via the Docker CLI."

[sosiouxme]

It would be nice to have these changes made at least for 3.6.1 if not before...

[adellape]

@sosiouxme Thanks! Changes made and I'll merge after Travis finishes. It will get published w/ next Monday's release.

[adellape]

[rev_history]
|xref:../admin_guide/diagnostics_tool.adoc#admin-guide-diagnostics-tool[Diagnostics Tool]
|Enhanced the xref:../admin_guide/diagnostics_tool.adoc#ansible-based-tooling-health-checks[Ansible-based Health Checks] section with information on running via ansible-playbook or Docker CLI.
%
|xref:../scaling_performance/optimizing_compute_resources.adoc#scaling-performance-compute-resources[Optimizing Compute Resources]
|Added the xref:../scaling_performance/optimizing_compute_resources.adoc#scaling-performance-debugging-using-ansible[Debugging Using Ansible-based Health Checks] section.
%