*: add support for journal-gatewayd

[crawford]

This allows the user to stream logs from the bootstrap node without the
need for SSH. This read-only view into the bootstrap process is
convenient for those who wish not to use SSH in their cluster. Right
now, this requires the user to manually invoke curl to fetch the logs,
but this could be done automatically by the installer in the future.

[abhinavdahiya]

Is it possible to add a unit test to test this part of the code?

[abhinavdahiya]

since we are using the same set of cert/key pair for server,client-authn and client-authz can we drop the -ca

[abhinavdahiya]

this feels out of place in addSystemdUnits it seems like it belongs here 907a22d#diff-2d9b655c8052ca2e3bdd9004778c75bcR357

[crawford]

It can't go there because the key and cert need to be readable by journal-gatewayd (which doesn't run as root). I should probably also change the owner of these files... I hope that works on RHCOS...

[wking]

Can you pull 0bc0117 out into it's own PRs (and maybe split the auto-generated SVG rebuild into a separate commit?)? Those look like orthogonal changes that we can land without further discussion (once CI gets working again).

[wking]

Can we add a check here that says "if the directory name doesn't end with .d we ignore it" (possibly with a debug-level log)? From the systemd docs, it looks like they require all drop-in directories to have a .d suffix. But I'm not all that familiar with systemd, maybe I'm just misreading the docs.

[crawford]

I'm going to add a trace-level log line for that case. Trace should really only be used by developers which seems appropriate for this kind of message. Should I mention the "trace" level in the help output, or just keep that goodie for ourselves?

[wking]

Should I mention the "trace" level in the help output, or just keep that goodie for ourselves?

I'd mention it. Users should recognize it as "the level after debug" even if they're non-devs, so I don't expect it will be too distracting.

[wking]

Should the installer connect to this automatically and stream it into the installer logs (like we do for Terraform) instead of polling for the API? I'm fine leaving that to follow-up work, but I don't think we need to document this manual approach if we're planning on adding a built-in approach in the future.

[crawford]

That's a good question. I'd prefer to always stream these logs, but I'm not sure how to handle the case where a network connection is not available. Do we just optimistically stream them and ignore it otherwise?

[wking]

... but I'm not sure how to handle the case where a network connection is not available.

We currently rely on network connections to the load balancers for our Kubernetes API and event waits. When those work, I expect this access to the bootstrap journal will usually work as well. When it doesn't (access from inside a restrictive firewall?), I'm fine logging a warning and falling back to the Kubernetes API wait.

[chancez]

I once wrote a simple package to talk to gatewayd, in case you ever do want to do that: coreos/go-systemd#86

Also: Having an installer sub-command to that does the equivalent curl would be pretty nice.

[crawford]

Can you pull 0bc0117 out into it's own PRs

@wking done in #993.

[crawford]

Let's see if the registry gateway issue has been resolved...
/retest

[wking]

You could set a variable for the user name and override for .bash_history before feeding into FileFromBytes. But certainly not a blocker; we can always do something like that later if we want ;).

[crawford]

/retest

[crawford]

2019/01/11 05:24:22 Build installer succeeded after 30m50s
2019/01/11 05:24:23 Ran for 37m45s
error: could not run steps: could not copy stable imagestreamtag: Timeout: request did not complete within allowed duration

That's not one I've seen before, but it sounds related to the recent registry failures we've seen.

/retest

[sttts]

This looks awesome!

[crawford]

level=error msg="Error: Error applying plan:"
level=error
level=error msg="1 error occurred:"
level=error msg="\t* aws_route53_record.etcd_a_nodes[2]: 1 error occurred:"
level=error msg="\t* aws_route53_record.etcd_a_nodes.2: [ERR]: Error building changeset: timeout while waiting for state to become 'accepted' (timeout: 5m0s)"

/retest

[crawford]

Rebased onto master. @wking can I get another one of those /lgtms?

[abhinavdahiya]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: abhinavdahiya, crawford

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [abhinavdahiya,crawford]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wking]

@sferich888, there were some troubleshooting-doc changes here.

[sferich888]

Where is this service defined? Where is it's source.

[wking]

Where is this service defined? Where is it's source.

The service this is a drop-in for? I'd guess in a package RHCOS pulls in.

[sferich888]

I thought this was offered by the kubelet? And it's debug port.

[crawford]

This is journal-gatewayd, which is included (at my request) in RHCOS.

[wking]

Should this line be dropped?

[crawford]

All systemd directives act as lists and each entry adds another item to the list. Simple services (like journal-gatewayd) can only have a single item for ExecStart, so we have to clear the list with an empty entry.