oc cluster up default subdomain

2017-11-28 Thread Aaron Weitekamp
I'm trying to spin up a development environment where I can run an
openshift-ansible playbook against an 'oc cluster up' cluster. It's working
except that the default subdomain does not match, causing a TLS cert error:

oauthproxy.go:582: error redeeming code (client:172.17.0.1:52368): Post
https://127.0.0.1.nip.io:8443/oauth/token: x509: certificate is valid for
prometheus.openshift-metrics.svc,
prometheus.openshift-metrics.svc.cluster.local, not 127.0.0.1.nip.io

I would expect that 'oc cluster up --routing-suffix=127.0.0.1.nip.io' would
configure the subdomain. How can I configure this?
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


playbook2image source repo needs a home

2017-04-28 Thread Aaron Weitekamp
We are now using playbook2image[1] in openshift-ansible[2] as a way to
package playbooks in containers. This solves three problems:

- delivery: How to get playbooks to users
- runtime: How to run ansible on a host that doesn't have the
ansible-playbook CLI (e.g. atomic host)
- dependency: How to bundle a playbook with a particular version of ansible

It also leverages OpenShift source2image to build the playbooks.

I'm proposing to move this project to the OpenShift Github organization.
Any objections?

[1] https://github.com/aweiteka/playbook2image
[2] https://github.com/openshift/openshift-ansible


Re: cluster wide service acount

2016-12-02 Thread Aaron Weitekamp
On Thu, Dec 1, 2016 at 5:19 PM, Jordan Liggitt  wrote:

> The dockercfg secret contains the value of one of the tokens (which is
> required to exist in order for the service account token to continue to be
> a valid credential) in dockercfg format
>

This has been a source of confusion. I understand the need for a separate
dockercfg SA that references an actual token, but why the second token?
It seems unnecessary and users don't know which one to use, why it's
there, etc.


> On Thu, Dec 1, 2016 at 4:59 PM, Srinivas Naga Kotaru (skotaru) <
> skot...@cisco.com> wrote:
>
>> For Docker login purpose, I could see another token (I think this is
>> what you are talking about)
>>
>> cae-ops-dockercfg-04ccd   kubernetes.io/dockercfg               1   1h
>> cae-ops-token-5vrkf       kubernetes.io/service-account-token   3   1h
>> cae-ops-token-jdhez       kubernetes.io/service-account-token   3   1h
>>
>> 1st token being used for Docker. Was wondering about other 2 tokens.
>>
>>
>>
>> --
>>
>> *Srinivas Kotaru*
>>
>>
>>
>> *From: *Jordan Liggitt 
>> *Date: *Thursday, December 1, 2016 at 1:39 PM
>>
>> *To: *Srinivas Naga Kotaru 
>> *Cc: *dev 
>> *Subject: *Re: cluster wide service acount
>>
>>
>>
>> One token is the one generated to mount into pods that run as the service
>> account.
>>
>> The other is the one wrapped into a dockercfg secret used as a credential
>> against the internal docker registry.
>>
>>
>>
>> On Thu, Dec 1, 2016 at 3:56 PM, Srinivas Naga Kotaru (skotaru) <
>> skot...@cisco.com> wrote:
>>
>> Thanks, it is working.  Able to login using service account token
>>
>> # oc get sa
>> # oc get secrets
>> # oc get secret cae-ops-token-5vrkf --template='{{.data.token}}'
>>
>> decode base64 token
>>
>> # oc login --token=
>>
>> *Question:*
>>
>> I can see 2 secrets for each service account and both are valid to login.
>> Any idea why 2 ?
>>
>> # oc get secrets
>>
>> cae-ops-token-5vrkf   kubernetes.io/service-account-token   3   35m
>> cae-ops-token-jdhez   kubernetes.io/service-account-token   3   35m
>>
>>
>>
>> --
>>
>> *Srinivas Kotaru*
>>
>>
>>
>> *From: *Jordan Liggitt 
>> *Date: *Thursday, December 1, 2016 at 12:26 PM
>>
>>
>> *To: *Srinivas Naga Kotaru 
>> *Cc: *dev 
>> *Subject: *Re: cluster wide service acount
>>
>>
>>
>> If you have the service account's token, you can use it from the command
>> line like this:
>>
>> oc login --token=...
>>
>>
>>
>> The web console does not provide a way to log in with a service account
>> token.
>>
>>
>>
>> On Thu, Dec 1, 2016 at 3:19 PM, Srinivas Naga Kotaru (skotaru) <
>> skot...@cisco.com> wrote:
>>
>> Jordan
>>
>>
>>
>> That helps. Thanks for quick help.
>>
>>
>>
>> Can we use this sa account to login into console and OC client? If yes
>> how? I knew SA account only has non expired token but no password
>>
>>
>>
>>
>>
>> --
>>
>> *Srinivas Kotaru*
>>
>>
>>
>> *From: *Jordan Liggitt 
>> *Date: *Thursday, December 1, 2016 at 12:04 PM
>> *To: *Srinivas Naga Kotaru 
>> *Cc: *dev 
>> *Subject: *Re: cluster wide service acount
>>
>>
>>
>> Service accounts exist within a namespace but can be granted permissions
>> across the entire cluster, just like any other user. For example:
>>
>> oadm policy add-cluster-role-to-user cluster-reader
>> system:serviceaccount:openshift-infra:monitor-service-account
>>
>>
>>
>> On Thu, Dec 1, 2016 at 3:02 PM, Srinivas Naga Kotaru (skotaru) <
>> skot...@cisco.com> wrote:
>>
>> I knew we can create a service account per project and can be used as a
>> password less API work and automations activities. Can we create a service
>> account at cluster level and can be used for platform operations
>> (monitoring, automation, shared account for operation teams)?
>>
>>
>>
>> Intention is to have expiry free tokens.
>>
>>
>>
>> --
>>
>> *Srinivas Kotaru*
>>
>>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
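
The relationship discussed in this thread (one token secret stands alone, the other is wrapped inside the dockercfg secret) can be checked mechanically. The following is an added example, not code from the thread or from OpenShift: it decodes a constructed stand-in for `oc get secrets -o json` and reports which token each dockercfg secret wraps. The token values, the namespace and the registry address are constructed sample data.

```python
import base64
import json

TOKEN_TYPE = "kubernetes.io/service-account-token"
DOCKERCFG_TYPE = "kubernetes.io/dockercfg"


def b64(text):
    """Base64-encode text the way secret data values are stored."""
    return base64.b64encode(text.encode()).decode()


def constructed_secret_list():
    """Constructed stand-in for `oc get secrets -o json`; every value is invented."""
    tok_plain = "constructed-token-AAAA"      # placeholder, not a real token
    tok_registry = "constructed-token-BBBB"   # placeholder, not a real token
    dockercfg = {
        "172.30.84.20:5000": {                # constructed registry address
            "username": "serviceaccount",
            "password": tok_registry,
            "email": "serviceaccount@example.org",
            "auth": b64("serviceaccount:" + tok_registry),
        }
    }

    def token_secret(name, token):
        return {
            "kind": "Secret",
            "type": TOKEN_TYPE,
            "metadata": {"name": name},
            "data": {"ca.crt": b64("constructed-ca"),
                     "namespace": b64("constructed-ns"),
                     "token": b64(token)},
        }

    return {
        "kind": "List",
        "items": [
            {"kind": "Secret", "type": DOCKERCFG_TYPE,
             "metadata": {"name": "cae-ops-dockercfg-04ccd"},
             "data": {".dockercfg": b64(json.dumps(dockercfg))}},
            token_secret("cae-ops-token-5vrkf", tok_plain),
            token_secret("cae-ops-token-jdhez", tok_registry),
        ],
    }


def decoded_tokens(secret_list):
    """Map each service-account-token secret name to its decoded token."""
    return {
        s["metadata"]["name"]: base64.b64decode(s["data"]["token"]).decode()
        for s in secret_list["items"] if s.get("type") == TOKEN_TYPE
    }


def dockercfg_passwords(secret):
    """Return {registry: password} from a dockercfg secret's payload."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockercfg"]))
    return {registry: entry["password"] for registry, entry in cfg.items()}


def explain_tokens(secret_list):
    """Report which token secret each dockercfg secret wraps.

    Returns (report, orphans). `orphans` lists dockercfg secrets whose
    embedded password matches no existing token secret, i.e. the token
    they depend on is gone.
    """
    tokens = decoded_tokens(secret_list)
    by_value = {value: name for name, value in tokens.items()}
    report = {name: {"wrapped_by": None, "registries": []} for name in tokens}
    orphans = []
    for s in secret_list["items"]:
        if s.get("type") != DOCKERCFG_TYPE:
            continue
        for registry, password in dockercfg_passwords(s).items():
            owner = by_value.get(password)
            if owner is None:
                orphans.append(s["metadata"]["name"])
            else:
                report[owner]["wrapped_by"] = s["metadata"]["name"]
                report[owner]["registries"].append(registry)
    return report, orphans


if __name__ == "__main__":
    report, orphans = explain_tokens(constructed_secret_list())
    for name, info in sorted(report.items()):
        role = ("wrapped by " + info["wrapped_by"]) if info["wrapped_by"] \
            else "stand-alone token (not wrapped in a dockercfg secret)"
        print(name, "->", role)
    print("dockercfg secrets without a matching token:", orphans)
```

Both secrets carry a credential with the service account's full permissions, so read access to the dockercfg secret should be restricted exactly like read access to the token secrets.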


Re: downloading oc client tool from openshift web interface

2016-07-19 Thread Aaron Weitekamp
On Tue, Jul 19, 2016 at 9:11 AM, Jessica Forrester 
wrote:

> Those links are fully customizable for that purpose, if you want to host
> the binaries somewhere else for people using your openshift cluster then
> you can override the locations.
> https://docs.openshift.org/latest/install_config/web_console_customization.html#adding-or-changing-links-to-download-the-cli
>

On that same page is documentation[1] on how to host static content such
as the oc binaries. It would be very possible to automate this during
install. That seems very reasonable for some installations.

[1]
https://docs.openshift.org/latest/install_config/web_console_customization.html#serving-static-files


> On Tue, Jul 19, 2016 at 8:58 AM, Dusty Mabe  wrote:
>
>>
>>
>> On 07/19/2016 01:02 AM, Jonathan Yu wrote:
>> > Hey Dusty,
>> >
>> > Steve was trying to explain that you can:
>>
>> Yep. I understood what he sent and it was very helpful :)
>>
>> >
>> > 1. Log in to the OpenShift Web Console for the instance you are using
>> > 2. Click the "(?)" button on the upper left of the navigation menu bar,
>> next to your username, and click "About" in the dropdown menu that appears
>> > 3. There are links on the page to download the CLI tools
>>
>> Right. The links are there, but they point to the RH customer portal
>> and you have to log in etc, etc.. I was proposing a case where it
>> would be more useful to just host the client binaries directly rather
>> than linking somewhere else.
>>
>> There could be arguments for doing this or not doing this. I'd just
>> like to bring it up as an option. We could even have a link to the
>> "this version of openshift client" as well as link to the customer
>> portal for the "latest version of the openshift client".
>>
>> Thoughts?
>>
>>
>> > 4. It also shows the command you'll need (including an access token) to
>> log in to the instance, so it's *extremely* convenient :)
>> >
>> > Then you can follow the instructions here (there's a screenshot):
>> https://docs.openshift.com/enterprise/3.2/cli_reference/get_started_cli.html#installing-the-cli
>> >
>> > So if I'm reading your emails correctly, it seems we already have what
>> you're looking for (at least in OSE 3.2, not sure when it was introduced).
>> Hope this helps clarify what Steve has said.
>> >
>> > Would this have been clearer if there was a screenshot of the "?"
>> button and dropdown? If so, we can open an issue to have the documentation
>> updated accordingly.
>> >
>>
>>
>>


Re: OSE 3.2 - Registry - Unable to write

2016-06-07 Thread Aaron Weitekamp
On Tue, Jun 7, 2016 at 1:29 PM, Srinivas Naga Kotaru (skotaru) <
skot...@cisco.com> wrote:

> Can someone help here? Stuck and unable to proceed next step
>
>
>
> --
>
> *Srinivas Kotaru*
>
>
>
> *From: *skotaru 
> *Date: *Monday, June 6, 2016 at 8:24 PM
> *To: *"dev@lists.openshift.redhat.com" 
> *Subject: *OSE 3.2 - Registry - Unable to write
>
>
>
> Hi
>
>
>
> Just finished installing OSE 3.2.  Registry throwing below error while
> doing a sample deployment.
>
>
>
> I0606 18:40:55.315293   1 sti.go:334] Successfully built
> alln-int-build-testing/cakephp-example-1:e6008a5f
>
> I0606 18:40:55.335600   1 cleanup.go:23] Removing temporary directory
> /tmp/s2i-build044311744
>
> I0606 18:40:55.335621   1 fs.go:156] Removing directory
> '/tmp/s2i-build044311744'
>
> I0606 18:40:55.370335   1 sti.go:268] Using provided push secret for
> pushing 172.30.84.20:5000/alln-int-build-testing/cakephp-example:latest
> image
>
> I0606 18:40:55.370389   1 sti.go:272] Pushing
> 172.30.84.20:5000/alln-int-build-testing/cakephp-example:latest image ...
>
> I0606 18:40:57.016159   1 sti.go:277] Registry server Address:
>
> I0606 18:40:57.016243   1 sti.go:278] Registry server User Name:
> serviceaccount
>
> I0606 18:40:57.016255   1 sti.go:279] Registry server Email:
> serviceacco...@example.org
>
> I0606 18:40:57.016262   1 sti.go:284] Registry server Password:
> <>
>
> F0606 18:40:57.016273   1 builder.go:204] Error: build error: Failed
> to push image. Response from registry is: Received unexpected HTTP status:
> 500 Internal Server Error
>
>
>
> Diagnostics on primary master throws below error
>
>
>
> ERROR: [DClu1020 from diagnostic ClusterRegistry@openshift
> /origin/pkg/diagnostics/cluster/registry.go:271]
>
>The pod logs for the "docker-registry-6-cqs51" pod belonging to
>
>the "docker-registry" service indicated the registry is unable to
> write to disk.
>
>This may indicate an SELinux denial, or problems with volume
>
>ownership/permissions.
>
>
>
>For volume permission problems please consult the Persistent
> Storage section
>
>of the Administrator's Guide.
>
>
>
>In the case of SELinux this may be resolved on the node by running:
>
>
>
>sudo chcon -R -t svirt_sandbox_file_t
> [PATH_TO]/openshift.local.volumes
>
>
>
>time="2016-06-06T19:00:08.144988457-04:00" level=error
> msg="response completed with error" err.code=UNKNOWN
> err.detail="filesystem: mkdir /registry/docker: permission denied"
> err.message="unknown error" go.version=go1.4.2 http.request.host="
> 172.30.84.20:5000" http.request.id=7cb19403-49f5-4909-b287-582e60685bec
> http.request.method=POST http.request.remoteaddr="10.1.0.1:38212"
> http.request.uri="/v2/alln-int-build-testing/busybox/blobs/uploads/"
> http.request.useragent="docker/1.9.1 go/go1.4.2
> kernel/3.10.0-327.13.1.el7.x86_64 os/linux arch/amd64"
> http.response.contenttype="application/json; charset=utf-8"
> http.response.duration=24.082081ms http.response.status=500
> http.response.written=156 instance.id=45d786ad-d663-4dfc-8c8e-aa4455aab742
> vars.name="alln-int-build-testing/busybox"
>
>
>
>
>
> While further analysis, it seems NFS volume mounted on registry container
> has root:root permissions
>
>
>
> # sudo docker exec -it 01b162687557 bash
>
>
>
> bash-4.2$ ls -ld /registry/
>
> drwxr-xr-x. 3 root root 4096 Jun  6 17:12 /registry/
>
>
>
> I tried to change ownership, but no luck. What to do? Is it bug or
> intended behaviour?
>
>
>
> bash-4.2$ whoami
>
> whoami: cannot find name for user ID 1001
>
>
>
> bash-4.2$ chown 1001 /registry/
>
> chown: changing ownership of '/registry/': Operation not permitted
>

It's not clear where your storage is from. Are you mounting directly to the
host[1] or using a persistent volume[2]? If mounted directly then you'll
want to be chown'ing the volume on the host per the docs, not from inside
the container. Try...

chown 1001:root /registry

[1]
https://docs.openshift.org/latest/install_config/install/docker_registry.html#registry-non-production-use
[2]
https://docs.openshift.org/latest/install_config/install/docker_registry.html#registry-production-use


>
>
> Srinivas Kotaru
>
>
>
>
>
> --
>
> *Srinivas Kotaru*
>


Re: Deploying Docker registry

2016-05-11 Thread Aaron Weitekamp
On Wed, May 11, 2016 at 12:39 PM, David Dimas 
wrote:

> Hi,
>
> I'm doing some integration work with Openshift Origin 1.1.6 and I'm
> running across this issue (occurs both with a binary built from source and
> using the binary release):
>
> # oc logs -f dc/docker-registry
>
> F0509 21:10:07.958966   1 deployer.go:70] couldn't get deployment
> default/docker-registry-1: Get
> https://172.30.0.1:443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1
> :
> dial tcp172.30.0.1:443: i/o timeout
>
> Unless I'm misinterpreting something, that's a straight up TCP/IP timeout,
> yet when I use curl against this URL I get this:
>
> #curl
> https://172.30.0.1:443/api/v1/namespaces/default/replicationcontrollers/docker-registry-1
> 
> {
>   "kind": "Status",
>   "apiVersion": "v1",
>   "metadata": {},
>   "status": "Failure",
>   "message": "User \"system:anonymous\" cannot get replicationcontrollers
> in project \"default\"",
>   "reason": "Forbidden",
>   "details": {
> "name": "docker-registry-1",
> "kind": "replicationcontrollers"
>   },
>   "code": 403
> }
>
> Which I suppose is to be expected since I haven't supplied credentials,
> but clearly the service is reachable.
>

An easy unauth'd health check path is curl REGISTRY:5000/healthz


> I've done nothing in this case but set up docker, run the openshift
> binary, and attempt to deploy the registry using these commands:
>
> # oc create serviceaccount registry -n default
> # oadm policy add-scc-to-user privileged \
>   system:serviceaccount:default:registry
> # oadm registry --service-account=registry \
>   --config=openshift.local.config/master/admin.kubeconfig \
>   --credentials=openshift.local.config/master/openshift-registry.kubeconfig \
>   --mount-host=/opt/registry
>

The registry command has been simplified so you shouldn't need to create
the sa and update policy. You should be able to run oadm registry
--mount-host=/opt/registry and be good to go. That will use a service
account in the registry pod. You can get logs from the registry pod:
oc get pods
oc logs


> Can anyone help me?
>
> Thanks in advance.
>
> David
>


Re: oc export

2016-03-22 Thread Aaron Weitekamp
On Tue, Mar 22, 2016 at 12:25 PM, Tomas Kral  wrote:

>
> On 03/18/2016 08:35 PM, Aaron Weitekamp wrote:
> > On Tue, Mar 15, 2016 at 9:50 AM, Tomas Kral wrote:
> >
> >
> >     On 03/15/2016 02:04 PM, Aaron Weitekamp wrote:
> > > On Tue, Mar 15, 2016 at 6:20 AM, Tomas Kral wrote:
> > >
> > >
> > >
> > > On 03/14/2016 07:11 PM, Aaron Weitekamp wrote:
> > > > On Mon, Mar 14, 2016 at 1:10 PM, Tomas Kral wrote:
> > > >
> > > > Thank you, that makes sense, but this is also what was
> > afraid of :(
> > > >
> > > > We want to be able to export any arbitrary application
> > that we know
> > > > nothing about :(
> > > > Now we need to figure out which object were generated
> > by OpenShift
> > > > internally and which one were created by developer.
> > > >
> > > >
> > > > ​You're introducing an additional requirement. :) Can you
> > confirm the
> > > > initial problem is resolved?
> > > >
> > >
> > > Not really, because I don't know how application was deployed.
> > > My initial assumption that `oc export all` will somehow
> > magically solve
> > > this for every application was wrong :(
> > > If I'm the one who deployed application then yes, I know
> > what objects to
> > > export. But if someone else created application it is hard
> > for me to
> > > figure out what to export.
> > >
> > >
> > > ​I think we need to understand the full use case. Maybe there's
> > > something that can be done to help you achieve what you're
> > looking for.
> > > Right now it's hard to understand why the person who did the
> > original
> > > deployment​
> > > ​ isn't involved in the export or migration. Can you spell out what
> > > you're trying to do?
> > > ​
> >
> > Sure.
> >
> > (BTW: I'm CC'ing container-tools because we are starting to touch
> > subjects that might be interesting for people there)
> >
> > We are trying to build tool that will allow users to export
> > application
> > from OpenShift as Nulecule application.
> > Result should be Nulecule application with Kubernetes and OpenShift
> > artifacts.
> >
> > We have following users stories in mind:
> >
> > 1.
> > I create an application in OpenShift.
> > Now I want to export it so it can be placed in any registry and then
> > redeployed into Kubernetes or OpenShift.
> >
> >
> > It's a good convention to add a label to every object created together,
> > something like app=
> > Then all of those things deployed together can be referenced, such as:
> >
> > oc export all -l app= -n  --as-template=
>
> And we are back to one of my original issues :-)
> If I do this as  you suggest, with 'all', then when deploying from this
> template I get some SE Linux error that sadly I know nothing about :(
> My current solution for this is to export everything except pods.
>

I just suggested using "all" to get all the things that were deployed
together. We know kube doesn't understand routes or templates or
deploymentconfigs or buildconfigs. So in my gist[1] I described the common
openshift-kubernetes objects.

[1] https://gist.github.com/aweiteka/a8bf75930e235879bcdd


>
>
> >
> > ​If you control the deployment you can pass this label in (web ui, oc
> > new-app, API).
> > ​
> >
> >
> >
> > 2.
> > I created a new application from a bunch of 'container micro-services'
> > and components (i.e. a set of nested Nulecules, or templates)
> >  - for example, added management, added a DB etc etc.
> >
> > Now I want to export the new composite definition and ->Reta

Re: oc export

2016-03-19 Thread Aaron Weitekamp
On Tue, Mar 15, 2016 at 9:50 AM, Tomas Kral  wrote:

>
> On 03/15/2016 02:04 PM, Aaron Weitekamp wrote:
> > On Tue, Mar 15, 2016 at 6:20 AM, Tomas Kral wrote:
> >
> >
> >
> > On 03/14/2016 07:11 PM, Aaron Weitekamp wrote:
> > > On Mon, Mar 14, 2016 at 1:10 PM, Tomas Kral wrote:
> > >
> > > Thank you, that makes sense, but this is also what was afraid
> of :(
> > >
> > > We want to be able to export any arbitrary application that we
> know
> > > nothing about :(
> > > Now we need to figure out which object were generated by
> OpenShift
> > > internally and which one were created by developer.
> > >
> > >
> > > ​You're introducing an additional requirement. :) Can you confirm
> the
> > > initial problem is resolved?
> > >
> >
> > Not really, because I don't know how application was deployed.
> > My initial assumption that `oc export all` will somehow magically
> solve
> > this for every application was wrong :(
> > If I'm the one who deployed application then yes, I know what
> objects to
> > export. But if someone else created application it is hard for me to
> > figure out what to export.
> >
> >
> > ​I think we need to understand the full use case. Maybe there's
> > something that can be done to help you achieve what you're looking for.
> > Right now it's hard to understand why the person who did the original
> > deployment​
> > ​ isn't involved in the export or migration. Can you spell out what
> > you're trying to do?
> > ​
>
> Sure.
>
> (BTW: I'm CC'ing container-tools because we are starting to touch
> subjects that might be interesting for people there)
>
> We are trying to build tool that will allow users to export application
> from OpenShift as Nulecule application.
> Result should be Nulecule application with Kubernetes and OpenShift
> artifacts.
>
> We have following users stories in mind:
>
> 1.
> I create an application in OpenShift.
> Now I want to export it so it can be placed in any registry and then
> redeployed into Kubernetes or OpenShift.
>
>
It's a good convention to add a label to every object created together,
something like app=
Then all of those things deployed together can be referenced, such as:

oc export all -l app= -n  --as-template=

If you control the deployment you can pass this label in (web ui, oc
new-app, API).


>
> 2.
> I created a new application from a bunch of 'container micro-services'
> and components (i.e. a set of nested Nulecules, or templates)
>  - for example, added management, added a DB etc etc.
>
> Now I want to export the new composite definition and ->Retain<- the
> granularity  and nesting of my service definitions.
>

I would recommend unique labels so you can reference things separately.


> Result would be set of Nulecule apps (some probably nested) and
> corresponding images that can be again placed in registry.
>
>
> 3.
> I want to create a new micro service using OpenShift
> I want to export it for OTHER to use.
>
>
>
> Right now I'm focusing mainly on number one.
>
> >
> >
> >
> >
> > > If you're comfortable with exporting everything in a project then
> > > replace "all" with the set of resources Clayton listed.
> >
> > You and Clayton suggested doing `oc export dc,svc,route,is` but what
> if
> > application also includes ReplicationControllers that were created
> > directly without DeploymentConfig?
> > For example I have RC that was created "directly by user" and other
> RC
> > that was created by DC. Now I need to export only first RC and
> instead
> > of second one I should export DC.
> >
> > It looks like, that for our use case, we need to export 'all' and
> then
> > do some filtering.
> > This is was what my followup question was about.
> >
> > Is there a way how to figure out what objects were created by user
> and
> > what objects were generated by OpenShift?
> > Can annotations that I have mentioned be used for this?
> >
> > > It is
> > > dangerously presumptive that there's only one "application" in a
> > > projec

Re: oc export

2016-03-15 Thread Aaron Weitekamp
On Tue, Mar 15, 2016 at 6:20 AM, Tomas Kral  wrote:

>
>
> On 03/14/2016 07:11 PM, Aaron Weitekamp wrote:
> > On Mon, Mar 14, 2016 at 1:10 PM, Tomas Kral wrote:
> >
> > Thank you, that makes sense, but this is also what was afraid of :(
> >
> > We want to be able to export any arbitrary application that we know
> > nothing about :(
> > Now we need to figure out which object were generated by OpenShift
> > internally and which one were created by developer.
> >
> >
> > ​You're introducing an additional requirement. :) Can you confirm the
> > initial problem is resolved?
> >
>
> Not really, because I don't know how application was deployed.
> My initial assumption that `oc export all` will somehow magically solve
> this for every application was wrong :(
> If I'm the one who deployed application then yes, I know what objects to
> export. But if someone else created application it is hard for me to
> figure out what to export.
>

I think we need to understand the full use case. Maybe there's something
that can be done to help you achieve what you're looking for. Right now
it's hard to understand why the person who did the original deployment
isn't involved in the export or migration. Can you spell out what you're
trying to do?


>
>
> > If you're comfortable with exporting everything in a project then
> > replace "all" with the set of resources Clayton listed.
>
> You and Clayton suggested doing `oc export dc,svc,route,is` but what if
> application also includes ReplicationControllers that were created
> directly without DeploymentConfig?
> For example I have RC that was created "directly by user" and other RC
> that was created by DC. Now I need to export only first RC and instead
> of second one I should export DC.
>
> It looks like, that for our use case, we need to export 'all' and then
> do some filtering.
> This is was what my followup question was about.
>
> Is there a way how to figure out what objects were created by user and
> what objects were generated by OpenShift?
> Can annotations that I have mentioned be used for this?
>
> > It is
> > dangerously presumptive that there's only one "application" in a
> > project. You may export unexpected objects depending on what the user
> > has deployed in the project.​
>
> This is deliberate simplification to make things little easier for us.
> We are exporting whole project, because right now I don't have any idea
> how we are going to decide what is "one application" or how user of this
> exporter should specify this.
>
> >
> >
> > I can see that ReplicationController that is generated by
> > DeploymentConfig has annotation 'openshift.io/deployment-config.name:
> > ...' and same apply for its Pods.
> >
> > For Pod that was created by ReplicationController (that is not from
> > DeploymentConfig) I see annotation 'kubernetes.io/created-by: ...'
> >
> > Can we rely on those annotations to decide what to export and what to
> > leave behind? Is this documented somewhere?
> >
> >
> >
> >
> > On 03/14/2016 04:48 PM, Clayton Coleman wrote:
> > > Export is a lower level tool that does not *exactly* export an
> entire
> > > application, but rather tries to give you the tools to build it.
> > >
> > > I would suggest instead of running "oc export all", you try "oc
> export
> > > dc,svc,route,is".   "all" includes pods, replication controllers,
> > > build configs, and builds, some of which you do not need.  We
> expect
> > > at some point in the future to have a higher level "export-app"
> > > command, but when you export you need to determine what you want to
> > > copy over and what you want to leave behind.
> > >
> > > On Mon, Mar 14, 2016 at 11:13 AM, Tomas Kral wrote:
> > >> Hi all,
> > >> I'm working on project where we are basically using `oc export`
> for
> > >> exporting project and importing it to another OpenShift instance.
> > >>
> > >> But it is not working as I would expect.
> > >>
> > >> My understanding of export feature is that it can be u

Re: oc export

2016-03-14 Thread Aaron Weitekamp
On Mon, Mar 14, 2016 at 1:10 PM, Tomas Kral  wrote:

> Thank you, that makes sense, but this is also what was afraid of :(
>
> We want to be able to export any arbitrary application that we know
> nothing about :(
> Now we need to figure out which object were generated by OpenShift
> internally and which one were created by developer.
>

You're introducing an additional requirement. :) Can you confirm the
initial problem is resolved?

If you're comfortable with exporting everything in a project then replace
"all" with the set of resources Clayton listed. It is dangerously
presumptive that there's only one "application" in a project. You may
export unexpected objects depending on what the user has deployed in the
project.


> I can see that ReplicationController that is generated by
> DeploymentConfig has annotation 'openshift.io/deployment-config.name:
> ...' and same apply for its Pods.
>
> For Pod that was created by ReplicationController (that is not from
> DeploymentConfig) I see annotation 'kubernetes.io/created-by: ...'
>
> Can we rely on those annotations to decide what to export and what to
> leave behind? Is this documented somewhere?
>
>
>
>
> On 03/14/2016 04:48 PM, Clayton Coleman wrote:
> > Export is a lower level tool that does not *exactly* export an entire
> > application, but rather tries to give you the tools to build it.
> >
> > I would suggest instead of running "oc export all", you try "oc export
> > dc,svc,route,is".   "all" includes pods, replication controllers,
> > build configs, and builds, some of which you do not need.  We expect
> > at some point in the future to have a higher level "export-app"
> > command, but when you export you need to determine what you want to
> > copy over and what you want to leave behind.
> >
> > On Mon, Mar 14, 2016 at 11:13 AM, Tomas Kral  wrote:
> >> Hi all,
> >> I'm working on project where we are basically using `oc export` for
> >> exporting project and importing it to another OpenShift instance.
> >>
> >> But it is not working as I would expect.
> >>
> >> My understanding of export feature is that it can be used to move
> >> objects between clusters or projects and I can use `oc export all` to
> >> move/copy whole project.
> >>
> >> I've deployed MLB Parks sample application
> >> (https://github.com/gshipley/openshift3mlbparks)
> >>
> >> Then I'm trying to move it to another project on same cluster using
> command:
> >>
> >> oc -n mlbparks export all | oc -n import create -f -
> >>
> >>
> >> But I get following errors:
> >>
> >> Error from server: replicationControllers "mongodb-1" already exists
> >> Error from server: Pod "mlbparks-1-build" is forbidden: unable to
> >> validate against any security context constraint: ..
> >>
> >> Rest of the error and all steps that I'm doing are here:
> >> http://paste.fedoraproject.org/339618/96469114/
> >>
> >>
> >> I'm running Origin v1.1.1
> >>
> >>
> >> Is there something that is fundamentally wrong with my understanding of
> >> `oc export`?
> >>
> >>
> >> --
> >> Tomas
> >>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
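
The filtering idea raised in this thread (export "all", then drop what OpenShift generated) can be sketched as follows. This is an added example, not code from the thread or from `oc`: it assumes the two annotations quoted above reliably mark generated objects, which the thread asks about but does not confirm, and it additionally assumes build pods carry `openshift.io/build.name`. The object list is constructed sample data.

```python
import json

DC_ANNOTATION = "openshift.io/deployment-config.name"   # quoted in the thread
CREATED_BY_ANNOTATION = "kubernetes.io/created-by"      # quoted in the thread
BUILD_ANNOTATION = "openshift.io/build.name"            # assumption, not from the thread


def generated_reason(obj):
    """Return why an object looks platform-generated, or None to keep it."""
    kind = obj.get("kind", "")
    ann = (obj.get("metadata") or {}).get("annotations") or {}
    if kind == "Build":
        return "run of a BuildConfig"
    if kind not in ("ReplicationController", "Pod"):
        return None
    if DC_ANNOTATION in ann:
        return "generated by DeploymentConfig " + ann[DC_ANNOTATION]
    if BUILD_ANNOTATION in ann:
        return "build pod for " + ann[BUILD_ANNOTATION]
    if CREATED_BY_ANNOTATION in ann:
        try:
            ref = json.loads(ann[CREATED_BY_ANNOTATION]).get("reference", {})
            owner = "{}/{}".format(ref.get("kind", "?"), ref.get("name", "?"))
        except (ValueError, AttributeError):
            owner = "unparseable reference"
        return "created by " + owner
    return None


def partition_export(export_list):
    """Split an exported List into (kept List, dropped [(kind/name, reason)])."""
    kept, dropped = [], []
    for obj in export_list.get("items", []):
        reason = generated_reason(obj)
        ident = "{}/{}".format(obj.get("kind"), obj["metadata"]["name"])
        if reason is None:
            kept.append(obj)
        else:
            dropped.append((ident, reason))
    return dict(export_list, items=kept), dropped


def obj(kind, name, annotations=None):
    """Build a minimal constructed object for the sample list."""
    meta = {"name": name}
    if annotations:
        meta["annotations"] = annotations
    return {"kind": kind, "apiVersion": "v1", "metadata": meta}


def constructed_export():
    """Constructed stand-in for `oc export all -o json`; names are sample data."""
    created_by = json.dumps({
        "kind": "SerializedReference", "apiVersion": "v1",
        "reference": {"kind": "ReplicationController", "name": "legacy-worker"},
    })
    return {"kind": "List", "apiVersion": "v1", "items": [
        obj("DeploymentConfig", "mongodb"),
        obj("ReplicationController", "mongodb-1", {DC_ANNOTATION: "mongodb"}),
        obj("Pod", "mongodb-1-x7k2p",
            {DC_ANNOTATION: "mongodb", CREATED_BY_ANNOTATION: "{}"}),
        obj("ReplicationController", "legacy-worker"),   # created directly by a user
        obj("Pod", "legacy-worker-9d4fz", {CREATED_BY_ANNOTATION: created_by}),
        obj("Service", "mongodb"),
        obj("BuildConfig", "mlbparks"),
        obj("Build", "mlbparks-1"),
        obj("Pod", "mlbparks-1-build", {BUILD_ANNOTATION: "mlbparks-1"}),
    ]}


def kept_names(export_list):
    """Convenience: kind/name of every object that survives the filter."""
    kept, _ = partition_export(export_list)
    return ["{}/{}".format(o["kind"], o["metadata"]["name"]) for o in kept["items"]]


if __name__ == "__main__":
    kept, dropped = partition_export(constructed_export())
    print("keep:", kept_names(constructed_export()))
    for ident, reason in dropped:
        print("drop:", ident, "-", reason)
```

The directly created ReplicationController survives while the one owned by a DeploymentConfig is dropped, which is the distinction the thread asks for; review the dropped list before importing, since the filter is only as reliable as the annotations.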


Re: oc export

2016-03-14 Thread Aaron Weitekamp
On Mon, Mar 14, 2016 at 11:13 AM, Tomas Kral  wrote:

> Hi all,
> I'm working on project where we are basically using `oc export` for
> exporting project and importing it to another OpenShift instance.
>
> But it is not working as I would expect.
>
> My understanding of export feature is that it can be used to move
> objects between clusters or projects and I can use `oc export all` to
> move/copy whole project.
>
> I've deployed MLB Parks sample application
> (https://github.com/gshipley/openshift3mlbparks)
>
> Then I'm trying to move it to another project on same cluster using
> command:
>
> oc -n mlbparks export all | oc -n import create -f -
>

I'm not sure export is what you want when migrating to another project but
I think you need to pass --as-template=. It would
also be better to be more selective in your export. Use the label selector
so you just migrate the application and/or specify the objects you want.

oc -l name=mlbparks -n mlbparks export --as-template=mlbparks \
  svc,dc,bc,is,route | oc -n import create -f -


>
>
> But I get following errors:
>
> Error from server: replicationControllers "mongodb-1" already exists
> Error from server: Pod "mlbparks-1-build" is forbidden: unable to
> validate against any security context constraint: ..
>
> Rest of the error and all steps that I'm doing are here:
> http://paste.fedoraproject.org/339618/96469114/
>
>
> I'm running Origin v1.1.1
>
>
> Is there something that is fundamentally wrong with my understanding of
> `oc export`?
>
>
> --
> Tomas
>
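The selective export suggested in this reply, expressed as a filter over an exported List (an added example, not code from the thread or from OpenShift). It assumes the two errors quoted above come from objects the cluster creates on its own (the replication controller of a deployment config, the pod of a build); `portable_objects`, `SAMPLE` and all sample values are constructed for illustration.

```python
import json
import sys

# Kinds listed in the reply's command: svc,dc,bc,is,route.
PORTABLE_KINDS = {"Service", "DeploymentConfig", "BuildConfig", "ImageStream", "Route"}
# Values the source project assigned; dropped if present so the target sets its own.
STALE_METADATA = ("namespace", "uid", "resourceVersion", "selfLink", "creationTimestamp")


def portable_objects(exported, selector=None):
    """Return (kept, dropped): cleaned objects to re-create, and refs left behind."""
    kept, dropped = [], []
    for obj in exported.get("items", []):
        meta = obj.get("metadata", {})
        labels = meta.get("labels") or {}
        wanted = all(labels.get(k) == v for k, v in (selector or {}).items())
        if obj.get("kind") not in PORTABLE_KINDS or not wanted:
            dropped.append("%s/%s" % (obj.get("kind"), meta.get("name")))
            continue
        clean = json.loads(json.dumps(obj))  # deep copy; input stays untouched
        for field in STALE_METADATA:
            clean["metadata"].pop(field, None)
        clean.pop("status", None)
        if clean["kind"] == "Service":
            clean.get("spec", {}).pop("clusterIP", None)  # allocated by the cluster
        kept.append(clean)
    return kept, dropped


def _item(kind, name, **extra):
    """Build one constructed sample object carrying the label name=mlbparks."""
    meta = {"name": name, "namespace": "mlbparks", "labels": {"name": "mlbparks"}}
    return dict({"kind": kind, "apiVersion": "v1", "metadata": meta}, **extra)


# Constructed sample shaped like a List from `oc export all -o json`; not real output.
SAMPLE = {"kind": "List", "apiVersion": "v1", "items": [
    _item("Service", "mlbparks", spec={"clusterIP": "172.30.0.10"}),
    _item("DeploymentConfig", "mongodb", status={"latestVersion": 1}),
    _item("ReplicationController", "mongodb-1"),
    _item("Pod", "mlbparks-1-build"),
    _item("BuildConfig", "mlbparks"),
]}

if __name__ == "__main__":
    # With piped input, filter it; otherwise run on the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    kept, dropped = portable_objects(source, {"name": "mlbparks"})
    print(json.dumps({"kind": "List", "apiVersion": "v1", "items": kept}, indent=2))
    print("skipped: " + ", ".join(dropped), file=sys.stderr)
```

Piped use would be `oc -n mlbparks export all -o json | python filter.py | oc -n import create -f -`, where `filter.py` is a hypothetical file name for this block.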


Re: Hosting MySQL images in OpenShift Origin

2016-03-02 Thread Aaron Weitekamp
On Wed, Mar 2, 2016 at 9:05 AM, Ben Parees wrote:

> Take a look at this template which deploys mysql:
>
> https://github.com/openshift/origin/blob/master/examples/db-templates/mysql-ephemeral-template.json
> (or this one which uses persistent storage:
> https://github.com/openshift/origin/blob/master/examples/db-templates/mysql-persistent-template.json
> )
>
> And this application which deploys both a DB and an application that
> communicates with that DB:
>
> https://github.com/openshift/origin/blob/master/examples/quickstarts/cakephp-mysql.json
> (source for the application is here:
> https://github.com/openshift/cakephp-ex)
>
> I would not necessarily expect you to deploy a single mysql instance and
> have each app create its own DB in that instance.  I'd expect each app to
> just deploy its own mysql instance for testing.  I think you will find that
> easier to setup.
>
>
While one db per app is straightforward and there are many examples of
this, aren't there benefits to hosting a single DB service that apps can
use? This is the enterprise model. It seems to me the question is how to
share a service across projects. Once that's in place it should "just work"
but I couldn't figure out how that might be done. oc policy ... ?


>
>
> On Wed, Mar 2, 2016 at 4:13 AM, David Balakirev <
> david.balaki...@adnovum.hu> wrote:
>
>> Hi,
>>
>> I am trying to host MySQL containers inside OpenShift. The goal would be
>> that projects could connect to a given container, setup a database for
>> themselves remotely and execute their integration tests.
>>
>> The first question could be: is this something OpenShift could be used
>> for or not?
>>
>> For my installation I created a project with a single MySQL app
>> (mysql:latest).
>>
>> On the server, I can connect to the database via TCP (--protocol=tcp):
>> * via the IP of the pod
>> * via the IP of the service (that was auto created for me)
>>
>> Of course the goal would be to access the database from our corporate
>> network.
>>
>> After digesting many threads on Stackoverflow, especially [1] and [2] I
>> think the conclusion is that only port 80/443/8000/8443 could be
>> accessed externally.
>>
>> I know of services, routes and port-forwarding, but probably I did not
>> yet understand when they should be used.
>>
>> I can use port-forwarding to map 3306 to a local port, then I access the
>> database via "-h localhost".
>>
>> I0302 09:20:01.1333889195 portforward.go:213] Forwarding from 127.0.0.1:49220 -> 3306
>> I0302 09:20:01.1335169195 portforward.go:213] Forwarding from [::1]:49220 -> 3306
>>
>> But I assume I cannot use this to expose the port because of what I have
>> found in [1] and [2].
>>
>> Routes I learned could be used to match a path, but I think that is
>> better used for HTTP services.
>>
>> Frankly I did not yet understand the role of a Router in this context.
>>
>> Could someone please let me know if it is possible to do what I want or
>> not? RTFM is perfect for me, provided I can see a specific example for
>> exposing a TCP port somehow. It is possible the solution is there but I did
>> not realize.
>>
>> I am using Origin: 1.1.3.
>>
>> Thanks in advance,
>> Dave
>>
>> [1] http://stackoverflow.com/questions/33985138/how-to-host-and-access-murmur-mumble-server-on-openshift-without-port-forwardi?rq=1
>> [2] http://stackoverflow.com/questions/33838765/openshift-v3-confusion-on-services-and-routes
>>
>
>
> --
> Ben Parees | OpenShift
>
>