Skip to content

Releases: sosiouxme/origin

Initial beta3 diagnostics release

07 May 12:06
Compare
Choose a tag to compare
Pre-release

The binary below is a preview of the diagnostics capability that is planned for the openshift binary with the next beta release. Diagnostics can check for systemd service status, scan journald for log messages that indicate various things are failing to connect, and run some client diagnostics. It tries to add context and interpret messages for people who know a little bit but can't easily understand error messages like:

x509: certificate is valid for 127.0.0.1, 172.16.4.15, 172.17.42.1, not 10.3.10.240

Example output (would normally be color coded):

./openshift-diagnostics client --server=https://10.3.10.240:8443/ 
[Note] Beginning discovery of environment
WARN:  No 'osc' executable was found in your path
WARN:  No 'openshift' executable was found in your path
...
[Note] Running diagnostic: client.ContactMaster
       Description: Test contacting the OpenShift master
ERROR: (*url.Error) Get https://10.3.10.240:8443/v1beta1/projects?namespace=: x509: certificate is valid for 127.0.0.1, 172.16.4.15, 172.17.42.1, not 10.3.10.240

       This means that the certificate in use by the OpenShift API server
       (master) does not match the hostname by which you are addressing it:
         10.3.10.240
       so a secure connection is not allowed.

       In theory, this *could* mean that someone is intercepting your connection
       and presenting a valid certificate for another server, which is why secure
       validation fails in this case.  However, the most likely explanation
       is that the server certificate needs to be updated to include the name
       you are using to reach it. If you are using certificates generated by
       OpenShift itself, then the --public-master flag on the OpenShift master is
       usually the easiest way to do this. If you need something more complicated
       (for instance, multiple public addresses for the API), then you will need
       to custom generate the server certificate with the right names yourself.

       If you are unconcerned about any of this, you can add the
       --insecure-skip-tls-verify flag to bypass secure (TLS) verification,
       but this is risky and should not be necessary.
       ** Connections could be intercepted and your credentials stolen. **


Summary of diagnostics execution:
WARN:  Warnings seen: 2
ERROR: Errors seen: 1

v3 diagnostics have a long way to go to match the scope of the v2 oo-diagnostics, but they are evolving and feedback is welcome.