Extended build support is being removed - use chained builds instead

2017-10-12 Thread Ben Parees
After much deliberation we've concluded that the chained builds[1] pattern
is a better approach for producing runtime-only application images,
compared with the experimental extended builds feature.  As a result, we
will be removing the extended builds feature from the v3.7 release[2].

Advantages of chained builds over extended builds that led to this
decision:

* Supported by both docker and s2i build strategies, as well as
combinations of the two, compared with s2i strategy only for extended
builds.
* No need to create/manage a new assemble-runtime script
* Easy to layer application components into any thin runtime-specific image
* Can build the application artifacts image anywhere
* Better separation of concerns between the step that produces the
application artifacts and the step that puts them into an application image.

Because this feature was always marked as experimental, it will not be
going through a deprecation phase.

[1] https://docs.openshift.org/latest/dev_guide/builds/advanced_build_operations.html#dev-guide-chaining-builds
[2] https://github.com/openshift/origin/pull/16811

-- 
Ben Parees | OpenShift
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Possible to use AWS elasticsearch for OpenShift logging?

2017-10-12 Thread Marc Boorshtein
I have built out a cluster on AWS using the ansible advanced install.  I
see that I can set up logging by creating infrastructure nodes that will
host elasticsearch.  AWS has an elasticsearch service.  Is there a way to
use that instead?

Thanks
Marc


Re: Single node cluster

2017-10-12 Thread Aleksandar Kostadinov
Hi, for non-critical workloads I find `oc-cluster-wrapper` very
convenient. You can wipe and recreate installations quickly when needed.

Just make sure you script all post-install configuration like
configuring users, etc.

I find it more problematic that if you recreate the cluster you would
lose your persistent volumes, so it highly depends on the use case. And my
use case for such configuration is Jenkins slave pods.

I don't know how you would update the cluster when installed with
cluster-wrapper.

If the cluster is needed for more than ephemeral workloads and
experimentation, probably the ansible approach would make more sense.


[1] https://github.com/openshift-evangelists/oc-cluster-wrapper

Tobias Florek wrote on 10/12/17 12:11:

Hi,

one of my clients wants to use openshift on only one server.
I am perfectly aware that this setup won't be HA and will have downtime
whenever it needs to be updated.

Is there any recommended way to deploy OpenShift? Should one use
openshift-ansible (with a one-host inventory)? Is using `oc cluster
up` possible (with --host-data-dir and --use-existing-config)?

Has anyone any experiences with operating and updating a single node
cluster in production?

Thank you,
  Tobias Florek





Re: Origin router and X-Forwarded-For

2017-10-12 Thread Aleksandar Lazic


Hi Marcello Lorenzi.

Have you used -servername in s_client?

The ssl solution is based on sni ( https://en.wikipedia.org/wiki/Server_Name_Indication )

Regards
Aleks

on Thursday, 12 October 2017 at 13:02 was written:

Hi All,
thanks for the response and we checked the configuration. If I tried to check the certificate propagated with the passthrough configuration with openssl s_client and the certificate provided is the wildcard domain certificate and not the pod itself. Is it normal?

Thanks,
Marcello

On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic wrote:

Hi.

In addition to Joel's suggestion, you can also use a reencrypted route if you want to talk encrypted with the Apache webserver.

https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination

Regards
Aleks

on Wednesday, 11 October 2017 at 15:51 was written:

Sorry, I meant to say, it *cannot modify the http request in any way.
On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson wrote:

Hi Marcelo,

If you use Passthrough termination then that means that OpenShift cannot add the X-Forwarded-For header, because as the name suggests it is just passing the packets through and because it’s encrypted it can modify the http request in any way.

If you want X-Forwarded-For you will need to switch to Edge termination. 

Thanks,

Joel
On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi wrote:

Hi All,
we tried to configure a route on Origin 3.6 with a Passthrough termination to an Apache webserver present in a single POD but we can't notice the X-Forwarded-Header in the Apache logs. We tried to capture it without success.

Could you confirm if there is some method to extract it from the POD side?

Thanks,
Marcello


-- 
Kind Regards,

Joel Pearson
Agile Digital | Senior Software Consultant

Love Your Software™ | ABN 98 106 361 273
p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au




Re: Origin router and X-Forwarded-For

2017-10-12 Thread Marcello Lorenzi
Hi All,
thanks for the response and we checked the configuration. If I tried to
check the certificate propagated with the passthrough configuration with
openssl s_client and the certificate provided is the wildcard domain
certificate and not the pod itself. Is it normal?

Thanks,
Marcello

On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic 
wrote:

> Hi.
>
> In addition to Joel's suggestion, you can also use a reencrypted route if you
> want to talk encrypted with the Apache webserver.
>
> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
>
> Regards
> Aleks
>
> on Wednesday, 11 October 2017 at 15:51 was written:
>
> Sorry, I meant to say, it *cannot modify the http request in any way.
> On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> Hi Marcelo,
>
> If you use Passthrough termination then that means that OpenShift cannot
> add the X-Forwarded-For header, because as the name suggests it is just
> passing the packets through and because it’s encrypted it can modify the
> http request in any way.
>
> If you want X-Forwarded-For you will need to switch to Edge termination.
>
> Thanks,
>
> Joel
> On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi 
> wrote:
>
> Hi All,
> we tried to configure a route on Origin 3.6 with a Passthrough
> termination to an Apache webserver present in a single POD but we can't
> notice the X-Forwarded-Header in the Apache logs. We tried to capture it
> without success.
>
> Could you confirm if there is some method to extract it from the POD side?
>
> Thanks,
> Marcello


Single node cluster

2017-10-12 Thread Tobias Florek
Hi,

one of my clients wants to use openshift on only one server. 
I am perfectly aware that this setup won't be HA and will have downtime
whenever it needs to be updated.

Is there any recommended way to deploy OpenShift? Should one use
openshift-ansible (with a one-host inventory)? Is using `oc cluster
up` possible (with --host-data-dir and --use-existing-config)?

Has anyone any experiences with operating and updating a single node
cluster in production?

Thank you,
 Tobias Florek




Re: prune images from registry - getsockopt: connection timed out

2017-10-12 Thread Maciej Zarczynski



On 11.10.2017 19:03, Ben Parees wrote:

On Wed, Oct 11, 2017 at 10:44 AM, Maciej Zarczynski wrote:


Hi,

for a while we are running openshift origin standalone docker-registry
and it works pretty well, but when I try to prune images I am facing
the following situation:

[root@c37ee07bf04f /]# time oc adm prune images --keep-tag-revisions=10 --confirm

error: error communicating with registry 172.30.146.162:5000: [Get https://172.30.146.162:5000/healthz: dial tcp 172.30.146.162:5000: getsockopt: connection timed out, Get http://172.30.146.162:5000/healthz: dial tcp 172.30.146.162:5000: getsockopt: connection timed out]



It looks like the machine you're running prune from doesn't have
access to the cluster network.  Can you run the command from one of
your cluster nodes?

I already tried and the error message was very similar, but the problem
was the letsencrypt certificate, which is not valid for the registry svc ip.
Running on the node:  oc adm prune images --keep-tag-revisions=10 --confirm  --insecure-skip-tls-verify=true

did the trick.
Thanks for help.



real    4m38.046s
user    0m9.118s
sys    0m0.529s

[root@c37ee07bf04f /]# time oc adm prune images --keep-tag-revisions=1 --confirm

error: error communicating with registry 172.30.146.162:5000: [Get https://172.30.146.162:5000/healthz: dial tcp 172.30.146.162:5000: getsockopt: connection timed out, Get http://172.30.146.162:5000/healthz: dial tcp 172.30.146.162:5000: getsockopt: connection timed out]

real    4m37.320s
user    0m9.141s
sys    0m0.564s

[root@c37ee07bf04f /]# time oc adm prune images --keep-tag-revisions=10 | wc

Dry run enabled - no modifications will be made. Add --confirm to remove images

  27771   53320 2861369

real    0m23.583s
user    0m10.540s
sys    0m0.576s

[root@c37ee07bf04f /]# time oc adm prune images --keep-tag-revisions=1 | wc

Dry run enabled - no modifications will be made. Add --confirm to remove images

     47      53    3031

real    0m23.728s
user    0m9.060s
sys    0m0.465s

[root@c37ee07bf04f /]# oc get svc -n default

NAME               CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
docker-registry    172.30.146.162                 5000/TCP                  138d
kubernetes         172.30.0.1                     443/TCP,53/UDP,53/TCP     138d
registry-console   172.30.142.214                 9000/TCP                  138d
router             172.30.105.200                 80/TCP,443/TCP,1936/TCP   138d

[root@c37ee07bf04f /]# oc version

oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://intentionally.removed.com:8443
openshift v1.5.0+031cbe4
kubernetes v1.5.2+43a9be4


As you can see above, dry run works without problem and returns a bunch
of elements for removal, but when the flag --confirm is added the problem
appears.

At first I thought that the docker-registry pod is failing with healthchecks
but after some investigation it is probably not the cause, at
least I don't see any events for docker-registry pod.

Is it possible to change some timeouts values for origin-master ? (I
suspect that the error is caused by origin-master which breaks
connection after ~ 277s from oc cli to registry)

I was also thinking about a workaround: Use output from dry-run and pass
to some other tool (skopeo maybe?).

Have you ever faced such a problem?


Best Regards,
Maciej Żarczyński



Re: Service Discovery with DNS lookup

2017-10-12 Thread Aleksandar Lazic


Hi Barış Aydınöz.

What exact error do you have?

Are all masters up and reachable?

oc get nodes
oc get ep kubernetes

Is NetworkManager set up on every machine?

systemctl status NetworkManager
egrep ^ /etc/resolv.conf
egrep NetworkManager /etc/resolv.conf

Is dnsmasq set up on every machine?

systemctl status dnsmasq
egrep ^ /etc/dnsmasq.d/*

Regards
aleks

on Wednesday, 11 October 2017 at 12:47 was written:

Hi everyone,

In OCP 3.5, we can query our services like below in dev environment where there is single node. Also org.xbill lib works.

[root@ip-10-20-4-38 ec2-user]# nslookup hz.default.svc.cluster.local 172.30.0.1
Server: 172.30.0.1
Address: 172.30.0.1#53

Name: hz.default.svc.cluster.local
Address: 10.129.0.130
Name: hz.default.svc.cluster.local
Address: 10.129.0.131

But, on staging we have a multi-machine installation and we got DNS failures when we query with org.xbill.DNS.Lookup.
As a workaround, when we define DNS statically, which is 172.30.0.1, and pass it to the application it works. How can we overcome this static definition?

Thanks in advance.








Re: Origin router and X-Forwarded-For

2017-10-12 Thread Aleksandar Lazic


Hi.

In addition to Joel's suggestion, you can also use a reencrypted route if you want to talk encrypted with the Apache webserver.

https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination

Regards
Aleks

on Wednesday, 11 October 2017 at 15:51 was written:

Sorry, I meant to say, it *cannot modify the http request in any way.
On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson wrote:

Hi Marcelo,

If you use Passthrough termination then that means that OpenShift cannot add the X-Forwarded-For header, because as the name suggests it is just passing the packets through and because it’s encrypted it can modify the http request in any way.

If you want X-Forwarded-For you will need to switch to Edge termination. 

Thanks,

Joel
On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi wrote:

Hi All,
we tried to configure a route on Origin 3.6 with a Passthrough termination to an Apache webserver present in a single POD but we can't notice the X-Forwarded-Header in the Apache logs. We tried to capture it without success.

Could you confirm if there is some method to extract it from the POD side?

Thanks,
Marcello