Che: PKIX error and impossible to start workspaces on OCP 4.1

Created on 21 Jun 2019  路  18Comments  路  Source: eclipse/che

Description

2019-06-21 08:52:06,511[557-wjt8m-47779]  [WARN ] [unknown.jul.logger 49]               - Problem getting Pod json from Kubernetes Client[masterUrl=https://172.30.0.1:443/api/v1, headers={}, connectTimeout=5000, readTimeout=30000, operationAttempts=3, operationSleep=1000, streamProvider=org.openshift.ping.common.stream.TokenStreamProvider@3d3d5e6a] for cluster [EclipseLinkCommandChannel], namespace [che7], labels [app=che]; encountered [java.lang.Exception: 3 attempt(s) with a 1000ms sleep to execute [OpenStream] failed. Last failure was [javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]

And then:

2019-06-21 08:52:06,965[aceSharedPool-1]  [WARN ] [.i.k.KubernetesInternalRuntime 245]  - Failed to start Kubernetes runtime of workspace workspacef4huz4zllvbwgxom. Cause: Pod creation timeout exceeded. -id: workspacef4huz4zllvbwgxom.workspace -message: null

Reproduction Steps

  • Deploy Che 7 RC 2 on OCP 4.1
  • Create 5 workspaces
  • stop all of them
  • try to start a new workspace.

OS and version:
Che 7 RC 2 - OCP 4.1

kinbug severitP1 statublocked teaplatform
Source
picture slemeur

Most helpful comment

Max already send a review request https://www.eclipse.org/lists/eclipselink-dev/msg07786.html

picture skabashnyuk on 8 Aug 2019
👍2

All 18 comments

@slemeur could you precise the installation mode, and if installed from the che operator, the detail of your CheCluster Custom resource ?

davidfestal picture davidfestal on 21 Jun 2019

might be related to

  1. kubernetes.KUBE_PING using token auth does not verify CA and always d.... https://github.com/jgroups-extras/jgroups-kubernetes/pull/69
  2. CLOUD-3228 openshift.KUBE_PING doesn't work on OCP 4.1 since it only https://github.com/jboss-openshift/openshift-ping/pull/43
skabashnyuk picture skabashnyuk on 21 Jun 2019

@mshaposhnik what is the state of this task?

skabashnyuk picture skabashnyuk on 26 Jun 2019

I did brief investigation. We still can't upgrate to JGroups 4.x due to it is unsupported in Eclipse Link (https://bugs.eclipse.org/bugs/show_bug.cgi?id=531910)
So the only way to get it fixed is to ask jgroups-kubernetes guys to backport theirs CA fix into the 0.9.x banch (called stable) n theirs repo. It can't be done easily (by merge or cherry-pick) since old J-K versions have another code structure, modules etc

mshaposhnik picture mshaposhnik on 26 Jun 2019

We discussed yesterday that this is not a blocker for 7.0.0 release but will be a blocker for 7.1.0 release. Hence I am labelling it as P1 and setting the milestion to 7.1.0.

l0rd picture l0rd on 27 Jun 2019

So, i performed an bunch of testing and seems that switch to JGroups version 4.x and KUBE_PING version 1.10+ solves the described error. So the main impediment as for now is accepting PR in the EclipseLinlk (https://github.com/eclipse-ee4j/eclipselink/pull/500) and waiting for release of it.

mshaposhnik picture mshaposhnik on 6 Aug 2019

@l0rd @slemeur looks like https://github.com/eclipse-ee4j/eclipselink/pull/500 it is utterly important to get this PR merged before GA, should we ask someone from foundation to speed-up the review process?

ibuziuk picture ibuziuk on 8 Aug 2019

@ibuziuk this is not for GA, but 7.1.0

slemeur picture slemeur on 8 Aug 2019

@slemeur correct, I was just reviewing issue for 7.1.0 and looks like eclipse-ee4j/eclipselink#500 might be a blocker for it, so just a heads up - we might need to ask / push for review sooner rather than later

ibuziuk picture ibuziuk on 8 Aug 2019

Max already send a review request https://www.eclipse.org/lists/eclipselink-dev/msg07786.html

skabashnyuk picture skabashnyuk on 8 Aug 2019
👍2

it looks like no one on eclipse side reviewed https://github.com/eclipse-ee4j/eclipselink/pull/500
@slemeur @l0rd I guess this issue is a blocker for 7.1.0

ibuziuk picture ibuziuk on 20 Aug 2019

PR is merged, let's wait for EL release and the switch to new version.

mshaposhnik picture mshaposhnik on 12 Sep 2019
👍1

waiting for EclipseLink release

skabashnyuk picture skabashnyuk on 19 Sep 2019

EL fix was pushed in https://github.com/eclipse-ee4j/eclipselink/pull/500 on Sept 11 for the 2.7 branch. But no new EL releases since 2.6.8 on 19 Jun and 2.7.4 on 18 Jan, so looks like we're still blocked here.

As this blocks https://issues.jboss.org/browse/CRW-304 we need this for Che 7.2 (or 7.3 if upstream EclipseLink won't deliver in time).

Can anyone push on the EclipseLink team to deliver their next 2.7.x release?

nickboldt picture nickboldt on 22 Sep 2019

Lukas Jungmann response was

That they wish to have 2.7.5 this month

skabashnyuk picture skabashnyuk on 22 Sep 2019

Does that mean in the next 8 days? Or in time for 7.2?

nickboldt picture nickboldt on 22 Sep 2019

I believe that was a wish not an obligation. And I doubt that it can be a part of Eclipse Che 7.2.

skabashnyuk picture skabashnyuk on 22 Sep 2019

Too bad they don't do releases as part of the Eclipse simrel trains, or we'd have had it last week. :'(

nickboldt picture nickboldt on 22 Sep 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

apupier picture apupier  路  3Comments
InterestedInTechAndCake picture InterestedInTechAndCake  路  3Comments
sleshchenko picture sleshchenko  路  3Comments
amisevsk picture amisevsk  路  3Comments
luckymore0520 picture luckymore0520  路  3Comments