Re: OIDC role mapping?
Hi,

I'd gladly know if that's possible as well. So far in our tests (Keycloak OIDC and OKD 3.11 as well) we did not manage to do it.

Best regards,
--
Benjamin Guillon

----- Original message -----
From: "Jon Stanley"
To: "users"
Sent: Tuesday 3 December 2019 06:20:07
Subject: OIDC role mapping?

Is it possible to map roles based on OpenID claims? I've successfully got a cluster authenticating with OIDC, but I'm wondering if I can do authorization over there too :). My IDP that I'm using for testing is Keycloak, so that should be the easiest thing to do, right? :).

I can't find any documentation or enhancement proposal about that.

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
CephFS external storage
Hey there,

I'm investigating possible alternatives to NFS for ReadWriteMany capable external storage. We're running OKD 3.11 and we are already using Ceph RBD successfully.

However, since we would like RWM capabilities we were wondering if it was possible to use CephFS (which supports RWM and is available in Kubernetes Vanilla since v1.5+). Anyone knows if that's possible or will be possible in the near future?

Ideally we'd like to be able to create a storage class for dynamic provisioning but manual provisioning would be a good start.

Any other viable alternatives suggestions to NFS?

Thanks a lot!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France
Re: CephFS external storage
Hi Samuel,

Thanks for this information. I'll give it a try then!

Best regards,
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France

From: "Samuel Martín Moro"
To: "Benjamin Guillon"
Cc: "users"
Sent: Tuesday 8 October 2019 10:30:31
Subject: Re: CephFS external storage

Hi,

CephFS works on OKD 3.11 -- and probably earlier. Kubernetes docs are pretty much accurate dealing with CephFS on OpenShift. You'd need a specific provisioner, with admin privileges over your Ceph cluster (creating CephFS volumes would create a Ceph keyring with limited privileges, such as your Pods may not access shares they're not meant to use).

One small detail though: I couldn't manage to make it work using the cephfs kernel driver. If you end up unable to read/write your shares, try installing ceph-fuse instead (https://github.com/openshift/origin/issues/21778).

Other alternatives, glusterfs obviously. Viable: I wouldn't go there. Stuff like CIFS shares. Though can break some applications (eg: jenkins, low posix compliance).

Haven't had much time to extensively test cephfs. I seem to remember the MDS leak (13.x).

All in all, there's no perfect solution. Depending on your application, if you're lucky, another take on it could be to look into s3 (radosgw) integration.

Regards.

On Tue, Oct 8, 2019 at 9:32 AM Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

Hey there,

I'm investigating possible alternatives to NFS for ReadWriteMany capable external storage. We're running OKD 3.11 and we are already using Ceph RBD successfully.

However, since we would like RWM capabilities we were wondering if it was possible to use CephFS (which supports RWM and is available in Kubernetes Vanilla since v1.5+). Anyone knows if that's possible or will be possible in the near future?

Ideally we'd like to be able to create a storage class for dynamic provisioning but manual provisioning would be a good start.

Any other viable alternatives suggestions to NFS?

Thanks a lot!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France

--
Samuel Martín Moro
{EPITECH.} 2011
"Nobody wants to say how this works. Maybe nobody knows ..."
Xorg.conf(5)
Re: OKD 3.11 Router sharding and exposed routes
Hello again,

Additionally, is there a way to set a default label on route creation? Read about blueprints somewhere but I didn't find any documentation on how to use this.

Thanks a lot!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France

----- Original message -----
From: "Benjamin Guillon"
To: "users"
Sent: Tuesday 12 May 2020 17:20:24
Subject: OKD 3.11 Router sharding and exposed routes

Hello there,

I'm playing with router sharding and I don't know how to "unexpose" a route on a router. Is there a command for this?

I wish to leverage route labels in order to pick which route gets exposed where. Anyone managed to do this? The only way I found is deleting the route and creating it again with a new label (to expose it to another router for instance).

I'm running an OKD 3.11 cluster.

Thanks for the feedback.
--
Benjamin Guillon
OKD 3.11 Router sharding and exposed routes
Hello there,

I'm playing with router sharding and I don't know how to "unexpose" a route on a router. Is there a command for this?

I wish to leverage route labels in order to pick which route gets exposed where. Anyone managed to do this? The only way I found is deleting the route and creating it again with a new label (to expose it to another router for instance).

I'm running an OKD 3.11 cluster.

Thanks for the feedback.
--
Benjamin Guillon
Slides from Openshift Commons briefing July 25 2019
Hello,

Was going back through this video of the Openshift commons briefing:
https://www.openshift.com/blog/introduction-fedora-coreos-fcos-with-benjamin-gilbert-and-ben-breard-red-hat-openshift-commons-briefing

But the slides are not available anymore ...
https://blog.openshift.com/wp-content/uploads/Fedora-CoreOS-OpenShift-Commons-Briefing-July-25-2019.pdf

Would it be possible to get them back online?

Thanks!
--
Benjamin Guillon
Installing packages on OKD 4 nodes
Hello,

I'm deploying an OKD4 cluster on Openstack. I wish to configure NTP on my nodes and for that I need to install a PTP dependency: linuxptp. And enable the kvm_ptp module in the kernel.

However, I couldn't manage to install the package through ignition. I had to do it manually with rpm-ostree: rpm-ostree install linuxptp.

Am I missing something here? How am I supposed to provide packages or drivers cluster wide through Ignition? Can such a task be done through the MachineConfig Operator?

Thanks for the help!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France
Re: Installing packages on OKD 4 nodes
Hi Joel,

Well, no: /dev/ptp0 does not magically exist. Wouldn't that be too easy? :)

As for a FCOS specific documentation regarding NTP/PTP I'm afraid I didn't find any.

Best,
--
Benjamin

From: "Joel Pearson"
To: "Benjamin Guillon"
Cc: "users"
Sent: Wednesday 28 October 2020 13:56:05
Subject: Re: Installing packages on OKD 4 nodes

Hi Benjamin,

Those docs you’ve mentioned are for regular fedora not fedora coreos I believe which I’m pretty sure are very different.

So I presume you have checked that /dev/ptp0 doesn’t already magically exist?

Thanks,
Joel

Sent from my iPhone

On 28 Oct 2020, at 11:45 pm, Benjamin Guillon wrote:

Hi Joel,

Thanks for the reply :)

I did give a try to the Openshift PTP operator and works well aside from the fact that I can't use it here since I'm not running on Baremetal. Our cluster indeed runs on our in-house Openstack platform.

Usually we use the KVM PTP module with something like:

    refclock PHC /dev/ptp0 poll 2

In the chrony.conf file. But that's for our usual CentOs based VMs, not FCOS :/

So now I'm just trying to reproduce that setup on FCOS. I found this Fedora documentation earlier about PTP
https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_PTP_Using_ptp4l/
Where they mention this linuxptp package, hence my questions.

If I can't manage this, I'll resort to using standard NTP instead of PTP.

Best,
Benjamin

From: "Joel Pearson"
To: "Benjamin Guillon"
Cc: "users"
Sent: Wednesday 28 October 2020 12:56:19
Subject: Re: Installing packages on OKD 4 nodes

Ahh I found the support article that talks about OpenShift 4 and PTP
https://access.redhat.com/solutions/5106141

If you don't have access to that solution the crux of it is that the PTP operator is for baremetal nodes (so probably not you, as you mentioned OpenStack).

The chrony config they mention is:

    $ cat << EOF | base64 -w0
    refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    logdir /var/log/chrony
    EOF

On Wed, 28 Oct 2020 at 22:32, Joel Pearson <japear...@agiledigital.com.au> wrote:

Hi Benjamin,

Have you checked if you actually need it? At least enterprise openshift 4.x already had ptp support in the kernel (without a module), as I bumped into it earlier in the year for PTP Azure syncing, I opened a support ticket and it turned out I just needed this in chrony.conf

    refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0

So I think it'd be worth checking if you already have /dev/ptp0 available before installing linuxptp. I realise OKD uses Fedora Core OS instead of RedHat Core OS, so the default kernel modules might be different.

Here are some docs for configuring chrony (https://docs.okd.io/latest/installing/install_config/installing-customizing.html#installation-special-config-crony_installing-customizing), I think you just need to switch the iburst line for the refclock one.

Otherwise, if the PTP support you need is more complicated than I needed on Azure, you could potentially look at the specific PTP operator (https://docs.okd.io/latest/networking/multiple_networks/configuring-ptp.html) in the OKD docs.

Hope this helps.

Thanks,
Joel

On Sat, 24 Oct 2020 at 03:00, Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

Hello,

I'm deploying an OKD4 cluster on Openstack. I wish to configure NTP on my nodes and for that I need to install a PTP dependency: linuxptp. And enable the kvm_ptp module in the kernel.

However, I couldn't manage to install the package through ignition. I had to do it manually with rpm-ostree: rpm-ostree install linuxptp.

Am I missing something here? How am I supposed to provide packages or drivers cluster wide through Ignition? Can such a task be done through the MachineConfig Operator?

Thanks for the help!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France
Re: Installing packages on OKD 4 nodes
Hi Joel,

Thanks for the reply :)

I did give a try to the Openshift PTP operator and works well aside from the fact that I can't use it here since I'm not running on Baremetal. Our cluster indeed runs on our in-house Openstack platform.

Usually we use the KVM PTP module with something like:

    refclock PHC /dev/ptp0 poll 2

In the chrony.conf file. But that's for our usual CentOs based VMs, not FCOS :/

So now I'm just trying to reproduce that setup on FCOS. I found this Fedora documentation earlier about PTP
https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_PTP_Using_ptp4l/
Where they mention this linuxptp package, hence my questions.

If I can't manage this, I'll resort to using standard NTP instead of PTP.

Best,
Benjamin

From: "Joel Pearson"
To: "Benjamin Guillon"
Cc: "users"
Sent: Wednesday 28 October 2020 12:56:19
Subject: Re: Installing packages on OKD 4 nodes

Ahh I found the support article that talks about OpenShift 4 and PTP
https://access.redhat.com/solutions/5106141

If you don't have access to that solution the crux of it is that the PTP operator is for baremetal nodes (so probably not you, as you mentioned OpenStack).

The chrony config they mention is:

    $ cat << EOF | base64 -w0
    refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    logdir /var/log/chrony
    EOF

On Wed, 28 Oct 2020 at 22:32, Joel Pearson <japear...@agiledigital.com.au> wrote:

Hi Benjamin,

Have you checked if you actually need it? At least enterprise openshift 4.x already had ptp support in the kernel (without a module), as I bumped into it earlier in the year for PTP Azure syncing, I opened a support ticket and it turned out I just needed this in chrony.conf

    refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0

So I think it'd be worth checking if you already have /dev/ptp0 available before installing linuxptp. I realise OKD uses Fedora Core OS instead of RedHat Core OS, so the default kernel modules might be different.

Here are some docs for configuring chrony (https://docs.okd.io/latest/installing/install_config/installing-customizing.html#installation-special-config-crony_installing-customizing), I think you just need to switch the iburst line for the refclock one.

Otherwise, if the PTP support you need is more complicated than I needed on Azure, you could potentially look at the specific PTP operator (https://docs.okd.io/latest/networking/multiple_networks/configuring-ptp.html) in the OKD docs.

Hope this helps.

Thanks,
Joel

On Sat, 24 Oct 2020 at 03:00, Benjamin Guillon <benjamin.guil...@cc.in2p3.fr> wrote:

Hello,

I'm deploying an OKD4 cluster on Openstack. I wish to configure NTP on my nodes and for that I need to install a PTP dependency: linuxptp. And enable the kvm_ptp module in the kernel.

However, I couldn't manage to install the package through ignition. I had to do it manually with rpm-ostree: rpm-ostree install linuxptp.

Am I missing something here? How am I supposed to provide packages or drivers cluster wide through Ignition? Can such a task be done through the MachineConfig Operator?

Thanks for the help!
--
Benjamin Guillon
CNRS/IN2P3 Computing Center
21 Avenue Pierre de Coubertin, CS70202
69627 Villeurbanne Cedex, France
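
Added example, not part of the thread and not Red Hat's or the OKD project's code: a shell sketch of the two steps discussed above, checking that the PHC device named in chrony.conf exists on a node, and wrapping the chrony.conf quoted in the thread in a MachineConfig. The function names, the object name `99-<role>-chrony-phc`, the Ignition version `3.1.0` and the file mode are assumptions to adapt to the cluster.

```shell
# chrony.conf as quoted in the thread (from the Red Hat support article).
chrony_conf() {
cat << 'EOF'
refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
EOF
}

# Print the device of the first "refclock PHC" line in $1 (":options" removed).
phc_device() {
    printf '%s\n' "$1" | awk '$1 == "refclock" && $2 == "PHC" { sub(/:.*/, "", $3); print $3; exit }'
}

# Succeed only if $1 is an existing character device (run this on the node).
phc_available() {
    [ -n "$1" ] && [ -c "$1" ]
}

# Render a MachineConfig writing chrony.conf text $2 to /etc/chrony.conf for role $1.
render_machineconfig() {
    b64=$(printf '%s\n' "$2" | base64 | tr -d '\n')
cat << EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: $1
  name: 99-$1-chrony-phc
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,$b64
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
EOF
}

case "${1:-}" in
    check)  phc_available "$(phc_device "$(chrony_conf)")" ;;
    render) render_machineconfig "${2:-worker}" "$(chrony_conf)" ;;
esac
```

Run with `check` on a node first; if it fails, as reported for the FCOS nodes in this thread, a `refclock PHC` line has no device to read and the NTP server lines should stay in place.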