[enterprise-3-9] Note on using the Administrative Commands

cli_reference/admin_cli_operations.adoc

@@ -56,6 +56,11 @@ This specifies:
 - An available `<option>` to perform the action on as well as a value for the
 option. Options include `--output`.
 
+[IMPORTANT]
+====
+include::getting_started/configure_openshift.adoc[tag=ocadm-note]
+====
+
 [[basic-admin-cli-operations]]
 
 == Basic CLI Operations

getting_started/configure_openshift.adoc

@@ -84,6 +84,12 @@ everything.
 ----
 oc adm policy add-cluster-role-to-user cluster-admin admin
 ----
++
+// tag::ocadm-note[]
+When running `oc adm` commands, you should run them only from 
+the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
+// end::ocadm-note[]
 
 . You can use this username/password combination to log in via the web
 console or the command line. To test this, run the following command.

getting_started/install_openshift.adoc

@@ -195,6 +195,8 @@ basic authentication, user access, and routes.
 
 * `oc`: for normal project and application management
 * `oc adm`: for administrative tasks
++
+include::getting_started/configure_openshift.adoc[tag=ocadm-note]
 
 Use `oc --help` and `oc adm --help` to view all available options.
 

install_config/advanced_ldap_configuration/sssd_for_ldap_failover.adoc

@@ -67,6 +67,9 @@ in this topic they are kept separate.
 [[sssd-phase-1-certificate-generation]]
 == Phase 1: Certificate Generation
 
+Perform this procedure on the first master host listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
+
 . To ensure that communication between the authenticating proxy and
 {product-title} is trustworthy, create a set of Transport Layer Security (TLS)
 certificates to use during the other phases of this setup. In the

install_config/configuring_authentication.adoc

@@ -28,7 +28,7 @@ xref:../install_config/install/advanced_install.adoc#configuring-cluster-variabl
 
 [NOTE]
 ====
-{product-title} user names containing `/`, `:`, and `%` are not supported. 
+{product-title} user names containing `/`, `:`, and `%` are not supported.
 ====
 
 If you installed {product-title} using
@@ -866,11 +866,16 @@ xref:requestheader-master-ca-config[master's identity provider configuration].
 ----
 
 [NOTE]
+====
 The `oc adm ca create-signer-cert` command generates a certificate that is valid
 for five years. This can be altered with the `--expire-days` option, but for
 security reasons, it is recommended to not make it greater than this
 value.
 
+Run `oc adm` commands only from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
+====
+
 Generate a client certificate for the proxy. This can be done using any x509
 certificate tooling. For convenience, the `oc adm` CLI can be used:
 
@@ -903,10 +908,14 @@ that is specified for `*SSLCertificateFile*`. If a new certificate needs to be
 created, the `oc adm ca create-server-cert` command can be used.
 
 [NOTE]
+====
 The `oc adm create-api-client-config` command generates a certificate that is
 valid for two years. This can be altered with the `--expire-days` option, but
 for security reasons, it is recommended to not make it greater than
 this value.
+Run `oc adm` commands only from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
+====
 
 *Configuring Apache*
 

install_config/master_node_configuration.adoc

@@ -1101,6 +1101,9 @@ $ oc adm ca encrypt --genkey=bindPassword.key --out=bindPassword.encrypted
 > Data to encrypt: B1ndPass0rd!
 ----
 
+Run `oc adm` commands only from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
+
 [WARNING]
 ====
 Encrypted data is only as secure as the decrypting key. Care should be taken
@@ -1267,7 +1270,7 @@ The following examples are excerpts from a master *journald* log at various log
 4897 plugins.go:77] Registered admission plugin "NamespaceLifecycle"
 4897 start_master.go:290] Warning: assetConfig.loggingPublicURL: Invalid value: "": required to view aggregated container logs in the console, master start will continue.
 4897 start_master.go:290] Warning: assetConfig.metricsPublicURL: Invalid value: "": required to view cluster metrics in the console, master start will continue.
-4897 start_master.go:290] Warning: aggregatorConfig.proxyClientInfo: Invalid value: "": if no client certificate is specified, the aggregator will be unable to proxy to remote servers, 
+4897 start_master.go:290] Warning: aggregatorConfig.proxyClientInfo: Invalid value: "": if no client certificate is specified, the aggregator will be unable to proxy to remote servers,
 4897 start_master.go:412] Starting controllers on 0.0.0.0:8444 (v3.7.14)
 4897 start_master.go:416] Using images from "openshift3/ose-<component>:v3.7.14"
 4897 standalone_apiserver.go:106] Started health checks at 0.0.0.0:8444
@@ -1277,7 +1280,7 @@ The following examples are excerpts from a master *journald* log at various log
 4897 leaderelection.go:179] attempting to acquire leader lease...
 systemd[1]: Started Atomic OpenShift Master Controllers.
 4897 leaderelection.go:189] successfully acquired lease kube-system/openshift-master-controllers
-4897 event.go:218] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"kube-system", Name:"openshift-master-controllers", UID:"aca86731-ffbe-11e7-8d33-525400c845a8", APIVersion:"v1", 
+4897 event.go:218] Event(v1.ObjectReference{Kind:"ConfigMap", Namespace:"kube-system", Name:"openshift-master-controllers", UID:"aca86731-ffbe-11e7-8d33-525400c845a8", APIVersion:"v1",
 4897 start_master.go:627] Started serviceaccount-token controller
 4897 factory.go:351] Creating scheduler from configuration: {{ } [{NoVolumeZoneConflict <nil>} {MaxEBSVolumeCount <nil>} {MaxGCEPDVolumeCount <nil>} {MaxAzureDiskVolumeCount <nil>} {Mat
 4897 factory.go:360] Registering predicate: NoVolumeZoneConflict

install_config/redeploying_certificates.adoc

@@ -538,6 +538,9 @@ $ oc adm ca create-server-cert \
     --key=/etc/origin/master/registry.key \
     --signer-serial=/etc/origin/master/ca.serial.txt
 ----
++
+Run `oc adm` commands only from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
 
 . Update the `registry-certificates` secret with the new registry certificates:
 +

install_config/registry/securing_and_exposing_registry.adoc

@@ -50,7 +50,9 @@ docker-registry   docker-registry=default                   docker-registry=defa
 . You can use an existing server certificate, or create a key and server
 certificate valid for specified IPs and host names, signed by a specified CA. To
 create a server certificate for the registry service IP and the
-*docker-registry.default.svc.cluster.local* host name:
+*docker-registry.default.svc.cluster.local* host name,
+run the following command from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*:
 +
 ----
 $ oc adm ca create-server-cert \
@@ -105,7 +107,7 @@ to `false` (the default setting) in the master configuration file, linking
 secrets to a service is not required.
 ====
 +
-. Pause the `docker-registry` service: 
+. Pause the `docker-registry` service:
 +
 ----
 $ oc rollout pause dc/docker-registry
@@ -156,7 +158,7 @@ $ oc patch dc/docker-registry -p '{"spec": {"template": {"spec": {"containers":[
   }]}}}}'
 ----
 +
-. Resume the `docker-registry` service: 
+. Resume the `docker-registry` service:
 +
 ----
 $ oc rollout resume dc/docker-registry

install_config/revhistory_install_config.adoc

@@ -9,6 +9,19 @@
 
 // do-release: revhist-tables
 
+== Mon Feb 26 2018
+
+// tag::install_config_mon_feb_26_2018[]
+[cols="1,3",options="header"]
+|===
+
+|Affected Topic |Description of Change
+//Mon Feb 26 2018
+|xref:../install_config/index.adoc#install-config-index[Installation and Configuration]
+|Added information in multiple locations to use `oc adm ca` commands from the first master only.
+
+|===
+
 == Fri Feb 23 2018
 
 // tag::install_config_fri_feb_23_2018[]

install_config/router/default_haproxy_router.adoc

@@ -954,6 +954,9 @@ $ oc adm ca create-server-cert --signer-cert=$CA/ca.crt \
 The `oc adm ca create-server-cert` command generates a certificate that is valid
 for two years. This can be altered with the `--expire-days` option, but for
 security reasons, it is recommended to not make it greater than this value.
+
+Run `oc adm` commands only from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*.
 ====
 
 The router expects the certificate and key to be in PEM format in a single

registry_quickstart/administrators/system_configuration.adoc

@@ -118,6 +118,9 @@ Here we create a self-signed certificate so docker clients can connect using
 TLS. While other tools like openssl may be used to create certificates, the
 master API provides a tool that may also be used.
 
+Execute the following commands from the first master listed in the Ansible host inventory file,
+by default *_/etc/ansible/hosts_*:
+
 . Exec into the atomic-registry-master container to access the CLI and change directory
 +
 ----

welcome/revhistory_full.adoc

@@ -11,6 +11,10 @@ date.
 
 // do-release: revhist-tables
 
+== Mon Feb 26 2018
+.Installation and Configuration
+include::install_config/revhistory_install_config.adoc[tag=install_config_mon_feb_26_2018]
+
 == Wed Mar 21 2018
 .Installation and Configuration
 include::install_config/revhistory_install_config.adoc[tag=install_config_wed_mar_21_2018]