Re: OpenShift Jenkins - Anonymous Web-hooks

[Graham Dumpleton]

I believe you should be using the web book URL from the pipeline build config.

You can get them from the web console page for the pipeline.

See:

* 
https://ruddra.com/posts/openshift-python-gunicorn-nginx-jenkins-pipelines-part-three/
 


Graham

> On 8 Feb 2019, at 5:03 pm, Sean Dawson  wrote:
> 
> Hi,
> 
> I have Jenkins running in an OpenShift cluster and I have a multi
> branch job set up, with the source git repository residing in
> Bitbucket server.
> 
> I wan't to set up a web hook from Bitbucket Server to Jenkins to
> trigger builds as soon as there are changes to the repo. In a vanilla
> Jenkins installation you are able to simply post the updates to
> "${JENKINS_URL}/bitbucket-scmsource-hook/notify" as mentioned in this
> article:
> 
> https://support.cloudbees.com/hc/en-us/articles/11553051-How-to-Trigger-Multibranch-Jobs-from-Bitbucket-Server-#configurationinbitbucketserver
> 
> However, our Jenkins instance is the OpenShift version and uses
> OpenShift to authenticate. When I try to post to this URL I get the
> following error:
> 
>{
>"kind": "Status",
>"apiVersion": "v1",
>"metadata": {
> 
>},
>"status": "Failure",
>"message": "forbidden: User \"system:anonymous\" cannot post path
> \"/bitbucket-scmsource-hook/notify\": no RBAC policy matched",
>"reason": "Forbidden",
>"details": {
> 
>},
>"code": 403
>}
> 
> Does anyone know of a way to allow the "system:anonymous" user to post
> to that path?
> 
> Thanks
> 
> Sean
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: How to create an app in OpenShift with existing local docker image

[Graham Dumpleton]

If you can't put the image up on a image registry where OpenShift can pull it 
from, you need to push it to the internal image registry of OpenShift. This 
creates an image stream in your project, you can then deploy it, or use it as 
an image for docker builds or source builds.

For uploading the image to the internal image registry, see:

* 
https://cookbook.openshift.org/image-registry-and-image-streams/how-do-i-push-an-image-to-the-internal-image-registry.html
 


For more information on deploying on OpenShift, suggest you read the free eBook 
at:

* https://www.openshift.com/deploying-to-openshift/ 


Graham



> On 14 Dec 2018, at 12:22 am, Anila Saifan  wrote:
> 
> Hi Guys,
> 
> I  have a  docker image in my local VM .I want to use this docker image to 
> start build and create app .In short I want OpenShift to use the local docker 
> image on the VM
> 
> What are the steps for the same.
> 
> I have a tar file I use docker load < docker.tar
> 
> A image Id is formed .
> 
> Now I want to know how do I point OpenShift to use this tar file or image I’d 
> to start a build or create app 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: error running application using customized image stream

[Graham Dumpleton]

A typical OpenShift environment isn't going to let you run 'sudo' anyway even 
if you resolve the error.

As to the error, it is because the /etc/passwd file lacks a user entry for that 
user ID.

See section 'Support Arbitrary User IDs' in:

https://docs.openshift.com/container-platform/3.10/creating_images/guidelines.html
 


If you use the method described of making the passwd file writable and adding 
an entry from the entry point, only use the image with OpenShift. If you want 
to use the image outside of OpenShift with docker and when using docker the 
environment is not dropping capabilities for running setuid, you need to take 
extra steps to secure the image properly so people can't become root.

As to why you don't see issue with docker as is, you will if you supply the '-u 
100011' option to docker run.

Graham

> On 17 Aug 2018, at 6:40 pm, dhanashree.kulka...@brown-iposs.eu wrote:
> 
> Hello,
> I am again having problem running my application using image stream I 
> created. As discussed last, I had changed the Dockerfile to use non-root 
> user. I have set uid of this non-root user to be 1001. But when I deploy the 
> application, the pod crashes frequently. In the logs I can see following:
> 
> sudo: unknown uid 100011: who are you?
> 
> This uid is the uid of the project in which I am running the application.
> If I run following, I get following:
> 
> $oc rsh  id
> sh-4.2$ id
> uid=100011 gid=0(root) groups=0(root),100011
> 
> Although, if I do $docker ps and run, I get following:
> 
> $docker exec -it 1fe3bbf19cb0 bash
> bash-4.2$ id
> uid=1001 gid=0(root) groups=0(root),100011
> 
> I am now confused why openshift isn't recognizing uid set from its own 
> uid-range.
> Here is another information:
> 
> oc describe project mec
> Name:  mec
> Created:  4 weeks ago
> Labels:   
> Annotations:  openshift.io/description=
>   openshift.io/display-name=
>   openshift.io/requester=dhanashree
>   openshift.io/sa.scc.mcs=s0:c11,c0
>   
> openshift.io/sa.scc.supplemental-groups=100011/1
>   
> openshift.io/sa.scc.uid-range=100011/1
> Display Name:  
> Description:  
> Status:   Active
> Node Selector:
> Quota:
> Resource limits:  
> 
> You can find my Dockerfile here. 
> (https://github.com/dhanugithub/omdockerimage/blob/master/Dockerfile)
> Kindly help. Thank you.
> 
> Best Regards,
> Dhanashree Kulkarni
> 
> brown-iposs GmbH
> Friedrich-Breuer-Straße 120
> 53225 Bonn
> Germany
> 
> Fon   +49 (0) 228 299 799 80
> Fax   +49 (0) 228 299 799 84
> mailto:birgit.bachm...@brown-iposs.eu
> www.brown-iposs.eu
> www.facebook.com/browniposs
> www.facebook.com/wimap4g
> 
> Directors: Dr. Bernd Schröder, Karsten Schmeling
> Trade register: 14385, Country court Bonn
> VAT-ID: DE814670174
> 
> Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte 
> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail 
> irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und 
> vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte 
> Weitergabe dieser Mail ist nicht gestattet.
> 
> This e-mail may contain confidential and/or privileged information. If you 
> are not the intended recipient (or have received this e-mail in error) please 
> notify the sender immediately and destroy this e-mail. Any unauthorised 
> copying, disclosure or distribution of the material in this e-mail is 
> strictly forbidden.
> 
> -Ursprüngliche Nachricht-
> Von: Dhanashree Kulkarni Kulkarni (dhanashree.kulka...@brown-iposs.eu) 
> [mailto:dhanashree.kulka...@brown-iposs.eu] 
> Gesendet: Wednesday, August 08, 2018 3:04 PM
> An: 'Aleksandar Lazic' ; 'Anton Hughes' 
> 
> Cc: 'users@lists.openshift.redhat.com' 
> Betreff: AW: error running application using customized image stream
> 
> Thank you so much. It worked. I changed work directory in Dockerfile and just 
> appended 'sudo' before chown in om_install.sh and om.sh.
> I was  struggling for this since 1 week. Now I can move ahead. Although the 
> application is still not working but I am happy that permission error is 
> gone. I will now look into why application isn't working.
> I will post again in case further query.
> Thank you again.
> 
> 
> Best Regards,
> Dhanashree Kulkarni
> 
> brown-iposs GmbH
> Friedrich-Breuer-Straße 120
> 53225 Bonn
> Germany
> 
> Fon   +49 (0) 228 299 799 80
> Fax   +49 (0) 228 299 799 84
> mailto:birgit.bachm...@brown-iposs.eu
> www.brown-iposs.eu
> www.facebook.com/browniposs
> www.facebook.com/wimap4g
> 
> Directors: Dr. 

Re: How to retrieve session token via rest api?

[Graham Dumpleton]

You can see what commands do by adding '--loglevel 9' option.

oc whoami -t --loglevel 9

What you will find in this case though is that for that token in particular it 
doesn't actually make any API calls, as all it is doing is getting it from the 
~/.kube/config file.

What do you want to use the token for? There may be more appropriate ways of 
creating a token you can use.

Graham

> On 1 Aug 2018, at 2:54 pm, Yu Wei  wrote:
> 
> Hi guys,
> 
> I could get session token via cli "oc whoami -t".
> 
> Could I get the same information via rest api?
> 
> I tried with api below, however, it returned many tokens. 
> Is there any method to filter that?
> curl -k \
> -H "Authorization: Bearer yqqouu8vFaip9AjMChmcgdtY7AszXMxWWJHwWhpn8Lw" \
> -H 'Accept: application/json' \
> https://10.1.241.54:8443/oapi/v1/oauthaccesstokens 
> 
> Thanks,
> 
> Jared
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: User "admin" cannot get securitycontextconstraints at the cluster scope

[Graham Dumpleton]

For Minishift I believe you can run:

oc adm policy add-scc-to-user anyuid -z default -n tomcat8 --as system:admin

So use user impersonation to run as system:admin.

> On 2 Aug 2018, at 6:46 pm, Clayton Coleman  wrote:
> 
> User “admin” (that’s the user name) must be given real admin
> privileges to perform that action, which the error is telling you you
> don’t have.
> 
> You must run as a cluster admin or other highly privileged user in
> order to modify the security rules.  The only user that has that by
> default is the system:admin user the initial install creates.
> 
>> On Aug 1, 2018, at 9:15 PM, Traiano Welcome  wrote:
>> 
>> Hi
>> 
>> I was working through the O'Reilly book "OpenShift for developers" but the 
>> example on page 75, where tomcat8 is run fails:
>> 
>> - The container remains in crashloop backoff
>> - The logs show the container is having permission issues:
>> 
>> 
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
>> WARNING: Unable to load server configuration from 
>> [/usr/local/tomcat/conf/server.xml]
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina load
>> WARNING: Permissions incorrect, read permission is not allowed on the file.
>> Aug 02, 2018 1:03:47 AM org.apache.catalina.startup.Catalina start
>> SEVERE: Cannot start server. Server instance is not configured.
>> 
>> 
>> - This appears to be due to openshift/minishift not allowing containers to 
>> run as root
>> - I try installing the anyuid addon and running this command:
>> - oc adm policy add-scc-to-user anyuid -z default -n tomcat8
>> - However it fails with this error despite the anyuid addon being applied:
>> 
>> 
>> Error from server (Forbidden): securitycontextconstraints "anyuid" is 
>> forbidden: User "admin" cannot get securitycontextconstraints at the cluster 
>> scope: User "admin" cannot get securitycontextconstraints at the cluster 
>> scope
>> 
>> 
>> 
>> How do I fix this?
>> 
>> Thanks in advance,
>> Traiano
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Inject Custom CA during builds

[Graham Dumpleton]

The first will not work because you aren't root when a build occurs so can't 
copy files to locations which require root access.

For the second option, how has the build secret been set up in the build 
config? Specifically, what does the spec.source.secrets part of the build 
config look like, and what keys are defined in the secret?

$ oc explain bc.spec.source.secrets
RESOURCE: secrets <[]Object>

DESCRIPTION:
 secrets represents a list of secrets and their destinations that will be
 used only for the build.

 SecretBuildSource describes a secret and its destination directory that
 will be used only at the build time. The content of the secret referenced
 here will be copied into the destination directory instead of mounting.

FIELDS:
   destinationDir   
 destinationDir is the directory where the files from the secret should be
 available for the build time. For the Source build strategy, these will be
 injected into a container where the assemble script runs. Later, when the
 script finishes, all files injected will be truncated to zero length. For
 the Docker build strategy, these will be copied into the build directory,
 where the Dockerfile is located, so users can ADD or COPY them during
 docker build.

   secret-required-
 secret is a reference to an existing secret that you want to use in your
 build.

$ oc explain bc.spec.source.secrets.secret
RESOURCE: secret 

DESCRIPTION:
 secret is a reference to an existing secret that you want to use in your
 build.

 LocalObjectReference contains enough information to let you locate the
 referenced object inside the same namespace.

FIELDS:
   name 
 Name of the referent. More info:
 
https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names 


Graham

> On 17 Jul 2018, at 9:16 am, Ahmed Ossama  wrote:
> 
> Hi Everyone,
> 
> I have an OpenShift installation which is sitting behind an appliance which 
> intercepts outbound SSL traffic. Regular machines have the SSL certificate of 
> the appliance installed on them and they are able to access the internet 
> without any issues.
> 
> My issue is with during the build; Because OpenShift builds images in 
> containers, thus the container which is building the code doesn't have the 
> SSL certificate of the interceptor installed in it. So grabbing code 
> dependencies from npm, maven or pypi during a build fails because the build 
> tries to connect to the repo manager via HTTPs, but since the CA of the 
> interceptor is not installed in the build container it fails.
> 
> My question is: How can I inject the CA certificate of the interceptor in the 
> build container so that the traffic from the interceptor is trusted?
> 
> So far I've tried two options but they failed:
> 
> Option #1, have customized .s2i/bin/assemble script which downloads the 
> certificate in /etc/pki/ca-trust/source/anchors/ and running update-ca-trust. 
> But this option fails with:
> 
> $ oc logs dsqc-4-build
>   % Total% Received % Xferd  Average Speed   Time Time Time  Current
>  Dload  Upload   Total SpentLeft  Speed
>   0 00 00 0  0  0 --:--:-- --:--:-- --:--:-- 
> 0Warning: Failed to create the file
> Warning: 
> /etc/pki/ca-trust/source/anchors/ZscalerRootCertificate-2048-SHA256.cr
> Warning: t: Permission denied
>  52  1732   52   9010 0  14515  0 --:--:-- --:--:-- --:--:-- 14770
> curl: (23) Failed writing body (0 != 901)
> p11-kit: couldn't create file: 
> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt: Permission denied
> p11-kit: couldn't create file: 
> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem: Permission denied
> p11-kit: couldn't create file: 
> /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem: Permission denied
> p11-kit: couldn't create file: 
> /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem: Permission denied
> p11-kit: couldn't create file: /etc/pki/ca-trust/extracted/java/cacerts: 
> Permission denied
> /tmp/scripts/assemble: line 14: /tmp/scripts/s2i-setup: No such file or 
> directory
> error: build error: non-zero (13) exit code from 
> registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift@sha256:6c009f430da02bdcff618a7dcd085d7d22547263eeebfb8d6377a4cf6f58769d
> 
> Option #2: following the steps detailed in 
> https://docs.openshift.com/container-platform/3.9/dev_guide/builds/build_inputs.html#using-secrets-during-build
>  but it fails with the error:
> 
> $ oc logs po/dsqc-5-build
> error: Uploading to container failed: Error response from daemon: 
> {"message":"Error processing tar file(exit status 1): mkdir 
> /certs/..2018_07_16_23_14_03.650131122: no such file or directory"}
> ERROR: The destination directory for 
> "/var/run/secrets/openshift.io/build/root-certificate" injection must exist 
> 

Re: OC debug command does not show command prompt

[Graham Dumpleton]

Also ensure you have the correct oc command line client version corresponding 
to the oc cluster. When they are divergent you can get subtle problems.

Graham

> On 7 Jun 2018, at 7:05 am, Brian Keyes  wrote:
> 
> if I ssh into one of the worker nodes and "oc login" I can start the debug 
> container and get a command prompt , so it may be some kind of proxy or 
> something here at my work site
> 
> On Wed, Jun 6, 2018 at 4:52 PM, Brian Keyes  > wrote:
> no I dont think so , but I am running the CLI on my local machine , I will 
> ssh  into one of the nodes and try
> 
> thanks
> 
> 
> On Wed, Jun 6, 2018 at 4:49 PM, Aleksandar Lazic  > wrote:
> On 06/06/2018 13:04, Brian Keyes wrote:
> If I do a "debug in terminal" in the console I always get a command prompt
> 
> if i goto the command line and do a "oc debug   i get this message
> 
> Debugging with pod/lster-1-2rqg9-debug, original command:
> container-entrypoint /tmp/scripts/run
> Waiting for pod to start ...
> Pod IP: 10.252.4.18
> If you don't see a command prompt, try pressing enter.
> 
> i hit enter many many times and do not ever get a command prompt
> 
> Are you behind a proxy?
> 
> -- 
> thanks
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> 
> 
> -- 
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
> 
> FOR OFFICIAL USE ONLY: This email and any attachments may contain information 
> that is privacy and business sensitive.  Inappropriate or unauthorized 
> disclosure of business and privacy sensitive information may result in civil 
> and/or criminal penalties as detailed in as amended Privacy Act of 1974 and 
> DoD 5400.11-R.
> 
> 
> 
> 
> -- 
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
> 
> FOR OFFICIAL USE ONLY: This email and any attachments may contain information 
> that is privacy and business sensitive.  Inappropriate or unauthorized 
> disclosure of business and privacy sensitive information may result in civil 
> and/or criminal penalties as detailed in as amended Privacy Act of 1974 and 
> DoD 5400.11-R.
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: boto import command not found

[Graham Dumpleton]

The 'run' file must be an executable application.

For a shell script, that means it must start with:

#!/bin/bash

Thus you should be using:

#!/bin/bash

python /opt/app-root/src/.s2i/bin/app.py

You also should not be putting your 'app.py' file in the '.s2i/bin' directory. 
It should be in the root of the repo. That way it will be automatically copied 
to:

/opt/app-root/src

for you.

The question is though why you are even overriding the 'run' script. You can 
remove it as written, place your 'app.py' file in the root of the repo and the 
Python S2I will automatically find it in the /opt/app-root/src directory of the 
container and run it with Python for you.

I believe I already referred you to:

https://github.com/sclorg/s2i-python-container/tree/master/3.6 


where the behaviour of the S2I builder image is explained.

You shouldn't usually need to override either 'assemble' or 'run' if you use 
the S2I images as intended.

Graham

> On 5 Jun 2018, at 4:22 am, Brian Keyes  wrote:
> 
> 
> 
> I have a script that is running fine locally on my MAC , to run this script 
> on my MAC i just have to run the command "python run" ( run the the name of 
> my file ) and it will run fine 
> 
> 
> I have created a git hub repo at  github.com/brikeyes/os-sample-python.git 
>  and placed this working 
> python file in the required path in github  (os-sample-python 
> /.s2i 
> /bin 
> )
> 
> when I run this in openshift I get this error 
> 
> 
> "/tmp/scripts/run: line 1: import: command not found "
> 
> I get this also if I run it locally and do not include the word python in the 
> command like ./run , so I need to let it know how to run the script by 
> inserting the word " phython " right before it executes .s2i/bin/run 
> 
> I know I have python installed as it is in the requrements.txt file in git 
> hub ,
> 
> 
> thanks !
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: errors accessing egressnetworkpolicies.network.openshift.io when attempting to export project

[Graham Dumpleton]

You should avoid exporting secrets without being more specific by using a label 
selector or by name. This is because you will pick up special secrets related 
to that project instance. Loading those special secrets into a new project may 
break that project. Similar reason as to why have to be careful with service 
accounts and role bindings. Work out just the extra ones required by the 
application.

This is why should not always export secrets.

Graham

> On 2 Jun 2018, at 16:58, Aleksandar Lazic  wrote:
> 
> Hi.
> 
>> On 02/06/2018 13:18, Graham Dumpleton wrote:
>> For the basic Python application you wouldn't need to export most of
>> those and for some doing so would cause problems when you try to load
>> them again.
>> 
>> For a basic application with no secrets, configmaps or persistent
>> volumes, all you need is:
>> 
>>   oc export is,bc,dc,svc,route -o yaml
> 
> Just to be on the save site please add cm (=configmap ) and secrets to
> the export also, for the future case.
> 
> oc export is,bc,dc,svc,route,cm,secrets -o yaml
> 
>> Do not include pods, replicationcontrollers or endpoints.
>> 
>> You also want to be selective about what you export by using a label
>> selector.
>> 
>>   oc export is,bc,dc,svc,route --selector app=yourappname -o yaml
>> 
>> That way you get just what is necessary for the application.
>> 
>> Before they can be reloaded in a fresh project or OpenShift instance,
>> you would usually need to massage the result, especially fixing up
>> image references and reverting them to image stream references.
>> 
>> Overall you are better off to export as a template and edit the result
>> to create a template you can then deploy multiple times, where the
>> application name is parameterised.
> 
> Full ack, the command looks then like this.
> 
> FYI: As always in yaml **don't use TABS**
> 
> ```
> oc export is,bc,dc,svc,route,cm,secrets -o yaml 
> --as-template=MyPersonalTemplate
> ```
> 
> That's the link to the template doc
> https://docs.openshift.org/3.9/dev_guide/templates.html
> 
>> Graham
> 
> Best regards
> Aleks
> 
>>> On 2 Jun 2018, at 2:01 am, Brian Keyes  wrote:
>>> 
>>> I am attempting to follow these instructions
>>> 
>>> https://docs.openshift.com/container-platform/3.7/day_two_guide/project_level_tasks.html
>>>  
>>> <https://docs.openshift.com/container-platform/3.7/day_two_guide/project_level_tasks.html>
>>> 
>>> I want to backup THE sample python app and I created a script like this ( 
>>> from the documentation)
>>> 
>>> 
>>> 
>>> 
>>> $ for object in rolebindings serviceaccounts secrets imagestreamtags 
>>> podpreset cms egressnetworkpolicies rolebindingrestrictions limitranges 
>>> resourcequotas pvcs templates cronjobs statefulsets hpas deployments 
>>> replicasets poddisruptionbudget endpoints
>>> do
>>>  oc export $object -o yaml > $object.yaml
>>> done
>>> 
>>> --
>>> but when I run this I get some access denied errors like this , is this 
>>> saying that the objects I am attempting to back up do not exist?
>>> 
>>> 
>>> $ ./exportotherprojects.sh
>>> error: no resources found - nothing to export
>>> the server doesn't have a resource type "cms"
>>> Error from server (Forbidden): User "admin" cannot list 
>>> egressnetworkpolicies.network.openshift.io 
>>> <http://egressnetworkpolicies.network.openshift.io/> in the namespace 
>>> "sample-py": User "admin" cannot list 
>>> egressnetworkpolicies.network.openshift.io 
>>> <http://egressnetworkpolicies.network.openshift.io/> in project "sample-py" 
>>> (get egressnetworkpolicies.network.openshift.io 
>>> <http://egressnetworkpolicies.network.openshift.io/>)
>>> error: no resources found - nothing to export
>>> error: no resources found - nothing to export
>>> error: no resources found - nothing to export
>>> the server doesn't have a resource type "pvcs"
>>> error: no resources found - nothing to export
>>> error: no resources found - nothing to export
>>> error: no resources found - nothing to export
>>> the server doesn't have a resource type "hpas"
>>> error: no resources found - nothing to export
>>> error: no resources found - nothing to export
>>> Error from server (Forbidden): User "admin" cannot list 
>>> poddisruptionbudgets.policy in the namespace "sample-py": User "admin" 
>>> cannot list poddisruptionbudgets.policy in project "sample-py" (get 
>>> poddisruptionbudgets.policy)
>>> 
>>> 
>>> thanks
>>> 
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> 
> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: errors accessing egressnetworkpolicies.network.openshift.io when attempting to export project

[Graham Dumpleton]

For the basic Python application you wouldn't need to export most of those and 
for some doing so would cause problems when you try to load them again.

For a basic application with no secrets, configmaps or persistent volumes, all 
you need is:

oc export is,bc,dc,svc,route -o yaml


Do not include pods, replicationcontrollers or endpoints.

You also want to be selective about what you export by using a label selector.

oc export is,bc,dc,svc,route --selector app=yourappname -o yaml

That way you get just what is necessary for the application.

Before they can be reloaded in a fresh project or OpenShift instance, you would 
usually need to massage the result, especially fixing up image references and 
reverting them to image stream references.

Overall you are better off to export as a template and edit the result to 
create a template you can then deploy multiple times, where the application 
name is parameterised.

Graham

> On 2 Jun 2018, at 2:01 am, Brian Keyes  wrote:
> 
> I am attempting to follow these instructions 
> 
> https://docs.openshift.com/container-platform/3.7/day_two_guide/project_level_tasks.html
>  
> 
> 
> I want to backup THE sample python app and I created a script like this ( 
> from the documentation)
> 
> 
> 
> 
> $ for object in rolebindings serviceaccounts secrets imagestreamtags 
> podpreset cms egressnetworkpolicies rolebindingrestrictions limitranges 
> resourcequotas pvcs templates cronjobs statefulsets hpas deployments 
> replicasets poddisruptionbudget endpoints
> do
>   oc export $object -o yaml > $object.yaml
> done
> 
> -- 
> but when I run this I get some access denied errors like this , is this 
> saying that the objects I am attempting to back up do not exist?
> 
> 
> $ ./exportotherprojects.sh
> error: no resources found - nothing to export
> the server doesn't have a resource type "cms"
> Error from server (Forbidden): User "admin" cannot list 
> egressnetworkpolicies.network.openshift.io 
>  in the namespace 
> "sample-py": User "admin" cannot list 
> egressnetworkpolicies.network.openshift.io 
>  in project "sample-py" 
> (get egressnetworkpolicies.network.openshift.io 
> )
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> the server doesn't have a resource type "pvcs"
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> the server doesn't have a resource type "hpas"
> error: no resources found - nothing to export
> error: no resources found - nothing to export
> Error from server (Forbidden): User "admin" cannot list 
> poddisruptionbudgets.policy in the namespace "sample-py": User "admin" cannot 
> list poddisruptionbudgets.policy in project "sample-py" (get 
> poddisruptionbudgets.policy)
> 
> 
> thanks 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: error running python script in openshift

[Graham Dumpleton]

Also check out:

https://github.com/sclorg/s2i-python-container/tree/master/3.6 
<https://github.com/sclorg/s2i-python-container/tree/master/3.6>

which describes more about the Python S2I image in particular. You can see the 
code there for it as well.

Graham

> On 31 May 2018, at 8:06 am, Graham Dumpleton  wrote:
> 
> If you want to supply your own way of starting up your application when using 
> Python S2I, supply an executable 'app.sh' file.  This should be a shell 
> script which runs your application. Ensure that the final application is run 
> using 'exec'. Eg.
> 
> #!/bin/bash
> 
> exec python my-custom-app.py
> 
> Again point you to:
> 
> https://www.openshift.com/deploying-to-openshift/ 
> <https://www.openshift.com/deploying-to-openshift/>
> 
> to understand how S2I works.
> 
> Graham
> 
>> On 31 May 2018, at 3:55 am, Brian Keyes > <mailto:bke...@vizuri.com>> wrote:
>> 
>> ok I found in the console an area to add environmental variables , but what 
>> is the value for "APP_FILE"? is it the name of the executable file i the git 
>> hub repo as in https://github.com/fusor/s2i-apb/blob/master/s2i/bin/run 
>> <https://github.com/fusor/s2i-apb/blob/master/s2i/bin/run>
>> 
>> so the value should be 
>> "run"
>> 
>> On Wed, May 30, 2018 at 3:27 PM, Brian Keyes > <mailto:bke...@vizuri.com>> wrote:
>> I am attempting to get just one of the repos to run so I can attempt to 
>> reverse engineer it to work with what I have .
>> 
>> but how would I resolve this error 
>> 
>> 
>> 
>> 
>> ERROR: don't know how to run your application.
>> Please set either APP_MODULE, APP_FILE or APP_SCRIPT environment variables, 
>> or create a file 'app.py' to launch your application.
>> 
>> I have been using the meathod of just renaming my exe to app.py up till now 
>> but I want to investigate how to do this another way 
>> 
>> were exactly do I set the variables here and what do I set them to ?
>> 
>> this is the git hub repo I am working with 
>> 
>> 
>> 
>> https://github.com/fusor/s2i-apb.git <https://github.com/fusor/s2i-apb.git>
>> 
>> thanks !!
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> --
>> Brian Keyes
>> Systems Engineer, Vizuri
>> 703-855-9074(Mobile)
>> 703-464-7030 x8239 (Office)
>> 
>> FOR OFFICIAL USE ONLY: This email and any attachments may contain 
>> information that is privacy and business sensitive.  Inappropriate or 
>> unauthorized disclosure of business and privacy sensitive information may 
>> result in civil and/or criminal penalties as detailed in as amended Privacy 
>> Act of 1974 and DoD 5400.11-R.
>> 
>> 
>> 
>> 
>> -- 
>> Brian Keyes
>> Systems Engineer, Vizuri
>> 703-855-9074(Mobile)
>> 703-464-7030 x8239 (Office)
>> 
>> FOR OFFICIAL USE ONLY: This email and any attachments may contain 
>> information that is privacy and business sensitive.  Inappropriate or 
>> unauthorized disclosure of business and privacy sensitive information may 
>> result in civil and/or criminal penalties as detailed in as amended Privacy 
>> Act of 1974 and DoD 5400.11-R.
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
>> <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: how to execute a script with S2i in openshift?

[Graham Dumpleton]

Sorry, obviously meant to credit Frédéric.

> On 31 May 2018, at 8:00 am, Graham Dumpleton  wrote:
> 
> As Brian says, use a custom assemble script that calls the original.
> 
> For a description of customising the S2I build process, check out the free 
> eBook for OpenShift at:
> 
> https://www.openshift.com/deploying-to-openshift/ 
> <https://www.openshift.com/deploying-to-openshift/>
> 
> Chapter 9 covers this and more.
> 
> Graham
> 
>> On 31 May 2018, at 12:09 am, Frederic Giloux > <mailto:fgil...@redhat.com>> wrote:
>> 
>> Hi Brian
>> 
>> If you want your script to be executed by new builds it should be named 
>> assemble. It can then call the original assemble script, that you may have 
>> renamed, a python programm or any other thing you need. The run script is 
>> called when the final container is launched not during the build.
>> 
>> Regards,
>> 
>> Frédéric 
>> 
>> On Wed, 30 May 2018, 17:51 Brian Keyes, > <mailto:bke...@vizuri.com>> wrote:
>> I have an python script in my git hub repo
>> 
>> I want to run that script when I run "oc new-build"
>> 
>> Do I simply place the script in the git hub under   .s2i/bin/run  ?
>> 
>> is there anything else I have to do
>> 
>> thanks
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
>> <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: error running python script in openshift

[Graham Dumpleton]

If you want to supply your own way of starting up your application when using 
Python S2I, supply an executable 'app.sh' file.  This should be a shell script 
which runs your application. Ensure that the final application is run using 
'exec'. Eg.

#!/bin/bash

exec python my-custom-app.py

Again point you to:

https://www.openshift.com/deploying-to-openshift/ 


to understand how S2I works.

Graham

> On 31 May 2018, at 3:55 am, Brian Keyes  wrote:
> 
> ok I found in the console an area to add environmental variables , but what 
> is the value for "APP_FILE"? is it the name of the executable file i the git 
> hub repo as in https://github.com/fusor/s2i-apb/blob/master/s2i/bin/run 
> 
> 
> so the value should be 
> "run"
> 
> On Wed, May 30, 2018 at 3:27 PM, Brian Keyes  > wrote:
> I am attempting to get just one of the repos to run so I can attempt to 
> reverse engineer it to work with what I have .
> 
> but how would I resolve this error 
> 
> 
> 
> 
> ERROR: don't know how to run your application.
> Please set either APP_MODULE, APP_FILE or APP_SCRIPT environment variables, 
> or create a file 'app.py' to launch your application.
> 
> I have been using the meathod of just renaming my exe to app.py up till now 
> but I want to investigate how to do this another way 
> 
> were exactly do I set the variables here and what do I set them to ?
> 
> this is the git hub repo I am working with 
> 
> 
> 
> https://github.com/fusor/s2i-apb.git 
> 
> thanks !!
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> --
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
> 
> FOR OFFICIAL USE ONLY: This email and any attachments may contain information 
> that is privacy and business sensitive.  Inappropriate or unauthorized 
> disclosure of business and privacy sensitive information may result in civil 
> and/or criminal penalties as detailed in as amended Privacy Act of 1974 and 
> DoD 5400.11-R.
> 
> 
> 
> 
> -- 
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
> 
> FOR OFFICIAL USE ONLY: This email and any attachments may contain information 
> that is privacy and business sensitive.  Inappropriate or unauthorized 
> disclosure of business and privacy sensitive information may result in civil 
> and/or criminal penalties as detailed in as amended Privacy Act of 1974 and 
> DoD 5400.11-R.
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: how to execute a script with S2i in openshift?

[Graham Dumpleton]

As Brian says, use a custom assemble script that calls the original.

For a description of customising the S2I build process, check out the free 
eBook for OpenShift at:

https://www.openshift.com/deploying-to-openshift/ 


Chapter 9 covers this and more.

Graham

> On 31 May 2018, at 12:09 am, Frederic Giloux  wrote:
> 
> Hi Brian
> 
> If you want your script to be executed by new builds it should be named 
> assemble. It can then call the original assemble script, that you may have 
> renamed, a python programm or any other thing you need. The run script is 
> called when the final container is launched not during the build.
> 
> Regards,
> 
> Frédéric 
> 
> On Wed, 30 May 2018, 17:51 Brian Keyes,  > wrote:
> I have an python script in my git hub repo
> 
> I want to run that script when I run "oc new-build"
> 
> Do I simply place the script in the git hub under   .s2i/bin/run  ?
> 
> is there anything else I have to do
> 
> thanks
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: how can I use a custom image with openshift

[Graham Dumpleton]

> On 24 May 2018, at 7:20 am, Brian Keyes  wrote:
> 
> I want to use a custom image that has alpline with python and boto3 installed 
> on it
> 
> I am seeing the console might have some way to do this , but I am not sure on 
> the procedure at all
> 
> would I , create a docker contaner , install boto3 manually , commit that to 
> an image and somehow get that image into openshift , maybe pull from dockerhub
> 
> any advice would be helpfull

I would recommend against using an Alpine based images. The benefits of using 
an Alpine image are overrated and you actually loose a lot by using them as it 
lacks tools you would need to debug your application when you have problems.

Running up a container and getting as interactive terminal in it, manually 
installing packages, and then stopping it and committing it is also not a good 
practice as it can't be automated and placed under version control.

For OpenShift what you want to research is the Source to Image (S2I) builders. 
This allows you to put your application source code for your web application 
into a Git repo, along with a requirements.txt file which lists what Python 
packages that need to be installed. An S2I build can then be set up in 
OpenShift which points to the repo and OpenShift will pull down the repo, 
automatically install any packages listed in requirements.txt, and set up your 
image so that when it is deployed, the web application is run.

An example of such a repo is:

https://github.com/OpenShiftDemos/os-sample-python 


To learn more about deploying applications to OpenShift, using S2I, I would 
suggest you read:

https://www.openshift.com/for-developers/ 

https://www.openshift.com/deploying-to-openshift/ 


Reading those will save you a lot of trial and error around working out how to 
use OpenShift.

Graham___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: suggestion for a long running python container for a demo

[Graham Dumpleton]

Hello world type application:

* https://github.com/OpenShiftDemos/os-sample-python 


More involved application which can optionally be hooked up to database etc.

* https://github.com/openshift-katacoda/blog-django-py 


The latter example is what is used in the freely downlable eBook on OpenShift:

* https://www.openshift.com/deploying-to-openshift/ 


as well as in the OpenShift interactive learning environment for some of the 
scenarios describing OpenShift fundamentals.

* https://learn.openshift.com/ 

Would highly recommend you check out these later resources if you haven't done 
so already.

Graham

> On 23 May 2018, at 4:01 am, Brian Keyes  wrote:
> 
> I am looking for a long running non exiting example for python , maybe to 
> ping a pubilc ip or something , just some thing to keep the container/POD 
> alive
> 
> thanks 
> 
> -- 
> Brian Keyes
> Systems Engineer, Vizuri
> 703-855-9074(Mobile)
> 703-464-7030 x8239 (Office)
> 
> FOR OFFICIAL USE ONLY: This email and any attachments may contain information 
> that is privacy and business sensitive.  Inappropriate or unauthorized 
> disclosure of business and privacy sensitive information may result in civil 
> and/or criminal penalties as detailed in as amended Privacy Act of 1974 and 
> DoD 5400.11-R.
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: simple hello world in python keeps crashing how to see why?

[Graham Dumpleton]

If that is really your whole application then as soon as the loop completes, 
the container will exit and the pod restarted. If that happens quick enough and 
keeps happening it would go into a fail state. For a normal deployment, you 
need to have an application, such as a WSGI application running on a WSGI 
server, which runs permanently. You wouldn't use a normal deployment for a 
short lived program that exits straight away.

What is it that you are ultimately wanting to do?

Graham

> On 22 May 2018, at 7:04 am, Brian Keyes  wrote:
> 
> I have an very very simple hello python 
> 
> 
> #start loop
> for x in range(0, 30):
> print ("hello python ") 
> 
> 
> but every time I run this on openshift it keeps crashing , why , would it be 
> best to scale this up so it is on all worker nodes let it crash and ssh into 
> the worker node and look at the docker logs ?
> 
> it has 2gb of ram allocated so I am not thinking that this is a memory issue 
> 
> any advice ?
> -- 
> thanks 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: OpenShift cluster up --host-data-dir on Docker for Windows on a shared Drive

[Graham Dumpleton]

My experience in the past has been that using a local Windows directory for 
host data and persistent volumes when running oc cluster up on Windows caused 
problems. One reason for this is the inability to delete a file if it is in 
use. The case insensitive file system also caused issues for some applications 
when using persistent volumes. From memory PostgreSQL can be affected by this.

This first problem may not be the exact reason for your issue, but just be 
aware that you may have other issues because of these if you can get past the 
point you are at.

FWIW, I ended up using some tricks so the host data was persistent in the file 
system of the Docker VM, not the Windows host. Unfortunately it isn't easy to 
explain those tricks as they are part of a wrapper script used to run oc 
cluster up which does a lot of other stuff. The wrapper script hasn't been 
updated for quite a while and likely doesn't work with recent oc versions.


https://github.com/getwarped/powershift-cluster/blob/master/src/powershift/cluster/__init__.py#L184
 


Graham

> On 9 May 2018, at 8:22 am, Tien Hung Nguyen  wrote:
> 
> Hi,
> 
> I have a problem regarding OpenShift Origin 3.9 running on Docker for Windows 
> locally:
> 
> When I try to run oc cluster up --host-data-dir=/ocdata in order to persist 
> my data on the Hyper-V Docker (following 
> https://github.com/openshift/origin/blob/master/docs/cluster_up_down.md 
> ), 
> the data is not persisted correctly (no error messages) and I have to create 
> everything from the beginning which is pretty annoying.
> 
> However, when I share my local Drives with the Docker Hyper-V Machine like in 
> this photo:
> 
> 
> 
> 
> -> and start the OpenShift cluster with the command oc cluster up 
> --host-data-dir=D:/ocdata, I get the following error:
> 
> λ oc cluster up --host-data-dir=D:/ocdata
> Deleted existing OpenShift container
> Using Docker shared volumes for OpenShift volumes
> Using 10.0.75.2 as the server IP
> Starting OpenShift using openshift/origin:v3.9.0 ...
> -- Starting OpenShift container ...
>Creating initial OpenShift configuration
>Starting OpenShift using container 'origin'
> FAIL
>Error: could not start OpenShift container "origin"
>Details:
>  Last 10 lines of "origin" container log:
>  2018-05-09 15:15:22.869737 I | etcdserver: name = openshift.local
>  2018-05-09 15:15:22.869759 I | etcdserver: data dir = 
> /var/lib/origin/openshift.local.etcd
>  2018-05-09 15:15:22.869765 I | etcdserver: member dir = 
> /var/lib/origin/openshift.local.etcd/member
>  2018-05-09 15:15:22.869768 I | etcdserver: heartbeat = 100ms
>  2018-05-09 15:15:22.869771 I | etcdserver: election = 1000ms
>  2018-05-09 15:15:22.869774 I | etcdserver: snapshot count = 10
>  2018-05-09 15:15:22.869783 I | etcdserver: advertise client URLs = 
> https://127.0.0.1:4001 
>  2018-05-09 15:15:22.869793 I | etcdserver: initial advertise peer URLs = 
> https://127.0.0.1:7001 
>  2018-05-09 15:15:22.869806 I | etcdserver: initial cluster = 
> openshift.local=https://127.0.0.1:7001 
>  2018-05-09 15:15:22.883377 C | etcdserver: create wal error: rename 
> /var/lib/origin/openshift.local.etcd/member/wal.tmp 
> /var/lib/origin/openshift.local.etcd/member/wal: permission denied
> 
> 
> Please, could you tell me how to fix this in order start OpenShift Origin on 
> my local computer with the option  --host-data-dir on? Before this, I was 
> running Docker for Mac and everything worked fine but when I'm using Docker 
> for Windows on my Windows 10 computer, I'm getting some problems.
> 
> Regards,
> Tien
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Openshift starter not routing

[Graham Dumpleton]

Are you on ca-central-1? An issue with routes on that cluster is being 
investigated.

> On 17 Apr 2018, at 6:33 am, Leandro  wrote:
> 
> Hi All,
> 
> Is there currently any problem with the openshift Starter? Since last 
> Thursday, I have noticed the following problems:
> 
> - In a new deployment, a Pod is not able to connect to the database on 
> another Pod, failing with the message: No route to host.
> - In an older deployment, the solution is able to connect to the database 
> normally, but the route is not available, showing the message "Application is 
> not available", the same behavior presented here below:
> 
> https://stackoverflow.com/questions/49852367/route-to-application-stopped-working-in-openshift-online-3-9
>  
> 
> 
> Is anybody experiencing the same problem? How can we fix this?
> 
> Best regards,
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Help using ImageStreams, DCs and ImagePullSecrets templates with a GitLab private registry (v3.6)

[Graham Dumpleton]

You are possibly hitting a bug with oc where it was generating the dockerconfig 
json in wrong format in 3.7.

If you used 3.6 oc client with 3.7 backend just when creating the secret it 
will work, if this is the issue I am thinking of.

If want confirmation, perhaps try with a 3.6 client.

Graham

> On 10 Apr 2018, at 7:45 am, Alan Christie  
> wrote:
> 
> Ah ha!
> 
> OK, the first approach did not work but your second suggestion worked!! Phew, 
> thanks … although I had to remove the “-w0" argument (they’re not recognised 
> on OSX). So the following allowed me to pull from gitlab: -
> 
> oc create -f - < apiVersion: v1
> kind: Secret
> metadata:
>   name: pullsecret
> type: kubernetes.io/dockerconfigjson 
> data:
>   .dockerconfigjson: $(echo -n "{\"auths\":{\"registry.gitlab.com 
> \":{\"auth\":\"`echo -n 
> "$GITLAB_USER:$GITLAB_PASSWORD" | base64`\"}}}"|base64)
> EOF
> 
> Thank you.
> 
> I am still intrigued to know why my previous secret (which works with 3.6) 
> does not work and in 3.7 I have to resort to this new approach.
> 
> Alan.
> 
>> On 9 Apr 2018, at 21:29, Pavel Gashev > > wrote:
>> 
>> Alan,
>>  
>> Just try the following:
>>  
>> # docker login registry.gitlab.com 
>> # oc create secret generic --from-file=.dockerconfigjson=.docker/config.json 
>> --type=kubernetes.io/dockerconfigjson 
>>  pullsecret
>>  
>> another way:
>>  
>> # GITLAB_USER=user
>> # GITLAB_PASSWORD=password
>> # oc create -f - <> apiVersion: v1
>> kind: Secret
>> metadata:
>>   name: pullsecret
>> type: kubernetes.io/dockerconfigjson 
>> data:
>>   .dockerconfigjson: $(echo -n "{\"auths\":{\"registry.gitlab.com 
>> \":{\"auth\":\"`echo -n 
>> "$GITLAB_USER:$GITLAB_PASSWORD" | base64 -w0`\"}}}"|base64 -w0)
>> EOF
>>  
>> From: > > on behalf of Alan 
>> Christie > >
>> Date: Monday, 9 April 2018 at 01:57
>> To: Gaurav P >
>> Cc: users > >
>> Subject: Re: Help using ImageStreams, DCs and ImagePullSecrets templates 
>> with a GitLab private registry (v3.6)
>>  
>> Sorry Guys, but I’m getting nowhere here. 
>>  
>> A long time has passed and I have been doing other things but keep returning 
>> to this and trying every single combination of URL that I can but nothing is 
>> working for me with GitLab.
>>  
>> The good news is that I have simplified the problem…
>>  
>> My simple setup, which is perfectly able to pull images from GitLab in v3.6, 
>> uses just one secret and does not need the “oc secrets link […]” command. 
>> This simple setup does not work with OpenShift v3.7. Instead I get image 
>> pull errors (shown in attached screenshot).  Is there anyone who’s pulled an 
>> image from GitLab? And can someone explain why my single secret setup works 
>> in 3.6 but does not in 3.7?
>>  
>> Alan.
>>  
>> 
>> 
>> 
>> On 19 Jan 2018, at 15:56, Gaurav P > > wrote:
>>  
>> Louis,
>> 
>> In our case, it is Artifactory. Relevant headers:
>> 
>> HTTP/1.1 401 Unauthorized
>> Server: Artifactory/5.4.5
>> X-Artifactory-Id: 
>> X-Artifactory-Node-Id: 
>> WWW-Authenticate: Basic realm="Artifactory Realm"
>> 
>> Note however that in the case of Artifactory, Docker registries have to be 
>> fronted by haproxy, so the Basic auth might be coming from there...
>>  
>> - Gaurav
>>  
>> On Fri, Jan 19, 2018 at 3:03 AM, Louis Santillan > > wrote:
>> Gaurav, Alan, 
>>  
>> What is the full (redact if necessary for artifactory) output of `curl -kv 
>> https:///v2//`?
>>  
>> I get the following headers when I naively hit 
>> `https://registry.gitlab.com/v2/myproject/myimage/manifests/latest` 
>> 
>> 
>> 1.
>> Content-Length:
>> 
>> 
>> 160
>> 
>> 
>> 2.
>> Content-Type:
>> 
>> 
>> application/json; charset=utf-8
>> 
>> 
>> 3.
>> Date:
>> 
>> 
>> Fri, 19 Jan 2018 07:58:26 GMT
>> 
>> 
>> 4.
>> Docker-Distribution-Api-Version:
>> 
>> 
>> registry/2.0
>> 
>> 
>> 5.
>> Www-Authenticate:
>> 
>> 
>> Bearer realm="https://gitlab.com/jwt/auth 
>> ",service="container_registry",scope="repository:myproject/myimage:pull"
>> 
>> 
>> 6.
>> X-Content-Type-Options:
>> 
>> 
>> nosniff
>> 
>> Looks like `https://gitlab.com/jwt/auth`  is 
>> the auth URL Maciej is speaking of.
>>  
>> The docs also mention having to `link` 

Re: Deployment Strategy: lifecycle hooks how to inject configuration

[Graham Dumpleton]

> On 22 Feb 2018, at 11:42 pm, Fernando Lozano <floz...@redhat.com> wrote:
> 
> Hi Graham,
> 
> If the image was designed to be configured using environment variables or 
> configuration files that can be provided as volumes, yes you don't need a 
> custom image. But from Dan message I expect more extensive customizations 
> which would become cumbersome.
> 
> And the idea of forcing the image to run a different command than its 
> entrypoint, them get more files from a volume, to customize the image or 
> compensate for deficiencies in the original entrypoint command, seem also 
> cumbersome to me. You are making extensive changes each time you start the 
> container (to it's ephemeral read/write layer). I don't see the advantage 
> compared to just creating a child image with an extra layer that has the 
> customizations.

Using a configmap and overriding the command is definitely not the best way of 
going about it and not suggesting it as something you would use all the time. I 
only raised it because as an option it can technically work for some cases when 
you get stuck and don't have another easy way.

As an example, in OpenShift Online you can't do docker builds, so it can be 
convenient sometimes when using a third party product image from Docker Hub to 
customise startup. Having to build locally a custom version of a third party 
product image and pushing it back up to Docker Hub to be able to deploy it on 
OpenShift Online can be a pain. If you have full control over the cluster and 
can do docker builds in it, then not an issue as is easy to create a custom 
image.

Using configmaps like this isn't even restricted to overriding the command to 
edit in place config. If the application allows the location of config to be 
overridden by an environment variable, you could even map an alternate 
configuration file in from the configmap. This can be easier than having a 
custom command to try and edit the in place one on the fly. Alternatively you 
still also have the custom command and change options given to application to 
have it use alternate config from configmap.

The thing is that Kubernetes/OpenShift has these various options and so has a 
lot of flexibility. You may not use them, but still worthwhile knowing about 
them as can be useful to someone at some point.

Graham

> []s, Fernando Lozano
> 
> 
> 
> On Wed, Feb 21, 2018 at 7:40 PM, Graham Dumpleton <gdump...@redhat.com 
> <mailto:gdump...@redhat.com>> wrote:
> Another example of where this can be useful is where the primary process in 
> the container doesn't do what is required of process ID 1. That is, reap 
> zombie processes. If that becomes an issue you can use a run script wrapper 
> like:
> 
> #!/bin/sh
> 
> trap 'kill -TERM $PID' TERM INT
> 
> /usr/libexec/s2i/run &
> 
> PID=$!
> wait $PID
> trap - TERM INT
> wait $PID
> STATUS=$?
> exit $STATUS
> 
> This simple alternative to a mini init process manager such as tini, will 
> work fine in many cases.
> 
> Replace /usr/libexec/s2i/run with actual program to run.
> 
> Graham
> 
>> On 22 Feb 2018, at 9:33 am, Graham Dumpleton <gdump...@redhat.com 
>> <mailto:gdump...@redhat.com>> wrote:
>> 
>> Badly worded perhaps.
>> 
>> In some cases you don't have the ability to modify an existing image with 
>> the application in it, plus you may not want to create a new custom image as 
>> a layer on top. In those cases, if all you need to do is some minor tweaks 
>> to config prior to the application starting in the container you can use the 
>> configmap trick as described. It will work so long as the config files you 
>> need to change can be modified as the user the container is run as.
>> 
>> So you can do:
>> 
>> oc create configmap blog-run-script --from-file=run
>> 
>> oc set volume dc/blog --add --type=configmap \
>> --configmap-name=blog-run-script \
>> --mount-path=/opt/app-root/scripts
>> 
>> oc patch dc/blog --type=json --patch \
>> '[{"op":"add",
>>"path":"/spec/template/spec/containers/0/command",
>>"value":["bash","/opt/app-root/scripts/run"]}]'
>> 
>> So the 'run' script makes the changes and then executes original command to 
>> start the application in the container.
>> 
>> Graham
>> 
>>> On 22 Feb 2018, at 9:22 am, Fernando Lozano <floz...@redhat.com 
>>> <mailto:floz...@redhat.com>> wrote:
>>> 
>>> Hi Graham,
>>> 
>>> This doesn't make sense to me:
>>> 
>>> >  3. If don't want to create a new custom image.
&

Re: Deployment Strategy: lifecycle hooks how to inject configuration

[Graham Dumpleton]

Another example of where this can be useful is where the primary process in the 
container doesn't do what is required of process ID 1. That is, reap zombie 
processes. If that becomes an issue you can use a run script wrapper like:

#!/bin/sh

trap 'kill -TERM $PID' TERM INT

/usr/libexec/s2i/run &

PID=$!
wait $PID
trap - TERM INT
wait $PID
STATUS=$?
exit $STATUS

This simple alternative to a mini init process manager such as tini, will work 
fine in many cases.

Replace /usr/libexec/s2i/run with actual program to run.

Graham

> On 22 Feb 2018, at 9:33 am, Graham Dumpleton <gdump...@redhat.com> wrote:
> 
> Badly worded perhaps.
> 
> In some cases you don't have the ability to modify an existing image with the 
> application in it, plus you may not want to create a new custom image as a 
> layer on top. In those cases, if all you need to do is some minor tweaks to 
> config prior to the application starting in the container you can use the 
> configmap trick as described. It will work so long as the config files you 
> need to change can be modified as the user the container is run as.
> 
> So you can do:
> 
> oc create configmap blog-run-script --from-file=run
> 
> oc set volume dc/blog --add --type=configmap \
> --configmap-name=blog-run-script \
> --mount-path=/opt/app-root/scripts
> 
> oc patch dc/blog --type=json --patch \
> '[{"op":"add",
>"path":"/spec/template/spec/containers/0/command",
>"value":["bash","/opt/app-root/scripts/run"]}]'
> 
> So the 'run' script makes the changes and then executes original command to 
> start the application in the container.
> 
> Graham
> 
>> On 22 Feb 2018, at 9:22 am, Fernando Lozano <floz...@redhat.com 
>> <mailto:floz...@redhat.com>> wrote:
>> 
>> Hi Graham,
>> 
>> This doesn't make sense to me:
>> 
>> >  3. If don't want to create a new custom image.
>> 
>> If you wanna run your application in a container you have to create a custom 
>> image with the application. There's no way around, because container images 
>> are immutable. You can only choose how you will build your custom image. 
>> This is the way containers are supposed to work, with or without OpenShift.
>> 
>> 
>> []s, Fernando Lozano
>> 
>> 
>> On Wed, Feb 21, 2018 at 6:15 PM, Graham Dumpleton <gdump...@redhat.com 
>> <mailto:gdump...@redhat.com>> wrote:
>> 
>> 
>>> On 22 Feb 2018, at 3:21 am, Fernando Lozano <floz...@redhat.com 
>>> <mailto:floz...@redhat.com>> wrote:
>>> 
>>> Hi Dan,
>>> 
>>> As you learned, lifecycle hooks were not made to change anything inside a 
>>> container image. Remember that container images are, by design, immutable. 
>>> It looks you want to build a custom container image that includes your 
>>> customizations to the wildfly configs plus your application. There are two 
>>> ways to accomplish that with OpenShift:
>>> 
>>> 1. Create a Dockerfile that uses the standard wildfly container image as 
>>> the parent, and adds your customization.
>>> 
>>> 2. Use the OpenShift source-to-image (s2i) process to add configurations 
>>> and your application. See the OpenShift docs about the wildfly s2i builder 
>>> image for details, this is easier than using a Dockerfile. The standard s2i 
>>> processes builds the application from sources, but it also supports feeding 
>>> an application war/ear.
>> 
>> 3. If don't want to create a new custom image, but want to add additional 
>> actions before application started in the container, mount a shell script 
>> into the container from a config map. Override the command for the pod to 
>> run your script mounted from config map. Do you work in the script, with 
>> your script then doing an exec on the original command for the application.
>> 
>> Graham
>> 
>>> []s, Fernando Lozano
>>> 
>>> 
>>> On Wed, Feb 21, 2018 at 9:43 AM, Dan Pungă <dan.pu...@gmail.com 
>>> <mailto:dan.pu...@gmail.com>> wrote:
>>> Hello all!
>>> 
>>> Trying to build an OShift configuration for running a Java app with a 
>>> Wildfly server.
>>> I've setup this with ChainBuilds where the app's artifacts are combined 
>>> with a runtime image of Wildfly.
>>> 
>>> For this particular app, however, I need to do some configuration on the 
>>> Wildfly environment, so that the app is properly deployed and works.
>

Re: Deployment Strategy: lifecycle hooks how to inject configuration

[Graham Dumpleton]

Badly worded perhaps.

In some cases you don't have the ability to modify an existing image with the 
application in it, plus you may not want to create a new custom image as a 
layer on top. In those cases, if all you need to do is some minor tweaks to 
config prior to the application starting in the container you can use the 
configmap trick as described. It will work so long as the config files you need 
to change can be modified as the user the container is run as.

So you can do:

oc create configmap blog-run-script --from-file=run

oc set volume dc/blog --add --type=configmap \
--configmap-name=blog-run-script \
--mount-path=/opt/app-root/scripts

oc patch dc/blog --type=json --patch \
'[{"op":"add",
   "path":"/spec/template/spec/containers/0/command",
   "value":["bash","/opt/app-root/scripts/run"]}]'

So the 'run' script makes the changes and then executes original command to 
start the application in the container.

Graham

> On 22 Feb 2018, at 9:22 am, Fernando Lozano <floz...@redhat.com> wrote:
> 
> Hi Graham,
> 
> This doesn't make sense to me:
> 
> >  3. If don't want to create a new custom image.
> 
> If you wanna run your application in a container you have to create a custom 
> image with the application. There's no way around, because container images 
> are immutable. You can only choose how you will build your custom image. This 
> is the way containers are supposed to work, with or without OpenShift.
> 
> 
> []s, Fernando Lozano
> 
> 
> On Wed, Feb 21, 2018 at 6:15 PM, Graham Dumpleton <gdump...@redhat.com 
> <mailto:gdump...@redhat.com>> wrote:
> 
> 
>> On 22 Feb 2018, at 3:21 am, Fernando Lozano <floz...@redhat.com 
>> <mailto:floz...@redhat.com>> wrote:
>> 
>> Hi Dan,
>> 
>> As you learned, lifecycle hooks were not made to change anything inside a 
>> container image. Remember that container images are, by design, immutable. 
>> It looks you want to build a custom container image that includes your 
>> customizations to the wildfly configs plus your application. There are two 
>> ways to accomplish that with OpenShift:
>> 
>> 1. Create a Dockerfile that uses the standard wildfly container image as the 
>> parent, and adds your customization.
>> 
>> 2. Use the OpenShift source-to-image (s2i) process to add configurations and 
>> your application. See the OpenShift docs about the wildfly s2i builder image 
>> for details, this is easier than using a Dockerfile. The standard s2i 
>> processes builds the application from sources, but it also supports feeding 
>> an application war/ear.
> 
> 3. If don't want to create a new custom image, but want to add additional 
> actions before application started in the container, mount a shell script 
> into the container from a config map. Override the command for the pod to run 
> your script mounted from config map. Do you work in the script, with your 
> script then doing an exec on the original command for the application.
> 
> Graham
> 
>> []s, Fernando Lozano
>> 
>> 
>> On Wed, Feb 21, 2018 at 9:43 AM, Dan Pungă <dan.pu...@gmail.com 
>> <mailto:dan.pu...@gmail.com>> wrote:
>> Hello all!
>> 
>> Trying to build an OShift configuration for running a Java app with a 
>> Wildfly server.
>> I've setup this with ChainBuilds where the app's artifacts are combined with 
>> a runtime image of Wildfly.
>> 
>> For this particular app, however, I need to do some configuration on the 
>> Wildfly environment, so that the app is properly deployed and works.
>> - update a server module (grabbing the contents from the web and copying 
>> them in the right location inside Wildfly)
>> - add system properties and some other configuration to Wildfly's 
>> standalone.xml configuration file
>> - create some directory structure
>> 
>> I've tried to run all this with the Recreate deployment starategy and as a 
>> mid-hook procedure (so the previous deployment pod is scaled down), but all 
>> these changes aren't reflected in the actual(new) deployment pod.
>> 
>> Taking a closer look at the docs, I've found this line "Pod-based lifecycle 
>> hooks execute hook code in a new pod derived from the template in a 
>> deployment configuration."
>> So whatever I'm doing in my hook, is actually done in a different pod, the 
>> hook pod, and not in the actual deployment pod. Did I understand this 
>> correctly?
>> If so, how does the injection work here? Does it have to do with the fact 
>> that the deployment

Re: Deployment Strategy: lifecycle hooks how to inject configuration

[Graham Dumpleton]

> On 22 Feb 2018, at 3:21 am, Fernando Lozano  wrote:
> 
> Hi Dan,
> 
> As you learned, lifecycle hooks were not made to change anything inside a 
> container image. Remember that container images are, by design, immutable. It 
> looks you want to build a custom container image that includes your 
> customizations to the wildfly configs plus your application. There are two 
> ways to accomplish that with OpenShift:
> 
> 1. Create a Dockerfile that uses the standard wildfly container image as the 
> parent, and adds your customization.
> 
> 2. Use the OpenShift source-to-image (s2i) process to add configurations and 
> your application. See the OpenShift docs about the wildfly s2i builder image 
> for details, this is easier than using a Dockerfile. The standard s2i 
> processes builds the application from sources, but it also supports feeding 
> an application war/ear.

3. If don't want to create a new custom image, but want to add additional 
actions before application started in the container, mount a shell script into 
the container from a config map. Override the command for the pod to run your 
script mounted from config map. Do you work in the script, with your script 
then doing an exec on the original command for the application.

Graham

> []s, Fernando Lozano
> 
> 
> On Wed, Feb 21, 2018 at 9:43 AM, Dan Pungă  > wrote:
> Hello all!
> 
> Trying to build an OShift configuration for running a Java app with a Wildfly 
> server.
> I've setup this with ChainBuilds where the app's artifacts are combined with 
> a runtime image of Wildfly.
> 
> For this particular app, however, I need to do some configuration on the 
> Wildfly environment, so that the app is properly deployed and works.
> - update a server module (grabbing the contents from the web and copying them 
> in the right location inside Wildfly)
> - add system properties and some other configuration to Wildfly's 
> standalone.xml configuration file
> - create some directory structure
> 
> I've tried to run all this with the Recreate deployment starategy and as a 
> mid-hook procedure (so the previous deployment pod is scaled down), but all 
> these changes aren't reflected in the actual(new) deployment pod.
> 
> Taking a closer look at the docs, I've found this line "Pod-based lifecycle 
> hooks execute hook code in a new pod derived from the template in a 
> deployment configuration."
> So whatever I'm doing in my hook, is actually done in a different pod, the 
> hook pod, and not in the actual deployment pod. Did I understand this 
> correctly?
> If so, how does the injection work here? Does it have to do with the fact 
> that the deployment has to have persistent volumes? So the hooks actually do 
> changes inside a volume that will be mounted with the deployment pod too...
> 
> Thank you!
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Absence of master-config.yaml

[Graham Dumpleton]

> On 9 Feb 2018, at 1:50 am, Cesar Wong  wrote:
> 
> If using cluster up, you will find the config by default both inside the 
> container and on the file system of the host at 
> /var/lib/origin/openshift.local.config/master

Just be aware that if using Docker for Mac or Docker for Windows, the file is 
on the file system of the VM host that Docker is run in, not the Mac/Windows 
file system.

> If you need to make a change to the master-config.yaml, start the cluster, 
> bring it back down (with `oc cluster down`), make the change, and start the 
> next time with the `--use-existing-config` flag so your changes get picked up 
> and don't get overwritten.
> 
> On Thu, Feb 8, 2018 at 9:36 AM, Luke Meyer  > wrote:
> 
> 
> On Thu, Feb 8, 2018 at 2:43 AM, Gaurav Ojha  > wrote:
> Thank you for your reply. Just a couple more questions:
> 
> Is there any way to create this file when I launch by openshift start?
> 
> openshift start --write-config= ...
> (see --help and also note --master-config and --node-config flags)
> 
> Pardon me, but when you say "it should be inside the container", you mean the 
> host on which I am running openshift on, or the openshift container which 
> starts as a result of this?
> 
> Inside the container named "origin" that "oc cluster up" runs on docker.
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Permissions problem mounting file from ConfigMap

[Graham Dumpleton]

I don't know. But should be within a minute or so.

Do note that this refresh ability does depend on it being enabled in the 
cluster master configuration. It should be, although have seen where cluster 
was upgraded from 3.5 to 3.6, the setting somehow got lost and had to be fixed 
after the fact when issue was found that refresh wasn't occuring.

Graham

> On 13 Dec 2017, at 9:33 pm, Joel Pearson <japear...@agiledigital.com.au> 
> wrote:
> 
> Oh, I didn't realise configmaps got updated without a Pod restart.  How long 
> does it take to update?  I see in 
> (https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#mounted-configmaps-are-updated-automatically
>  
> <https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#mounted-configmaps-are-updated-automatically>)
>  it says the kubelet sync period + ttl.  What are the OpenShift defaults for 
> that?
> 
> On Wed, Dec 13, 2017 at 8:41 PM Graham Dumpleton <gdump...@redhat.com 
> <mailto:gdump...@redhat.com>> wrote:
> If you copy it rather than symlink, you will loose the ability that an update 
> to the configmap will be reflected automatically inside of the container 
> after a short period. If the file was something that was rescanned by the 
> application, this allows changes to be pushed into a container without 
> needing to do a restart. If you only read the file once on start up, then 
> copying would be fine.
> 
> Graham
> 
> 
> 
>> On 13 Dec 2017, at 8:26 pm, Tim Dudgeon <tdudgeon...@gmail.com 
>> <mailto:tdudgeon...@gmail.com>> wrote:
>> 
>> Graham,
>> 
>> Thanks for your help on this.
>> I had managed to work around the problem in a way similar to how you 
>> described (but copying not symlinking). Not nice, but it works! 
>> 
>> On 12/12/17 21:10, Graham Dumpleton wrote:
>>> A belated update on this.
>>> 
>>> The problem with using subPath is due to a SELinux issue in the kernel.
>>> 
>>> There is an issue about it at:
>>> 
>>> https://github.com/openshift/origin/issues/16951 
>>> <https://github.com/openshift/origin/issues/16951>
>>> 
>>> Whether you see it will depend on how SELinux is setup I guess.
>>> 
>>> The only work around would be to mount it as a directory '..data' in the 
>>> target directory, and then you create a symlink from startup run script in 
>>> your source code to symlink the file in the '..data' directory into the 
>>> parent. Know of no other solution at this point.
>>> 
>>> Graham
>>> 
>>>> On 9 Dec 2017, at 8:36 pm, Tim Dudgeon <tdudgeon...@gmail.com 
>>>> <mailto:tdudgeon...@gmail.com>> wrote:
>>>> 
>>>> If you mount onto a new directory you get the same problem.
>>>> It only seems to happen when specifying a subPath as follows:
>>>> 
>>>> - mountPath: 
>>>> /usr/local/tomcat/webapps/portal/META-INF/context.xml
>>>>   name: squonk-sso-config
>>>>   subPath: context.xml
>>>>   readOnly: true
>>>> 
>>>> If the whole configMap is mounted to a directory the contents are readable.
>>>> 
>>>> And as mentioned already, if you do this in Minishift it works fine.
>>>> 
>>>> 
>>>> On 09/12/17 02:16, Graham Dumpleton wrote:
>>>>> The permissions is correct. It is shown as decimal, not the octal you are 
>>>>> setting it with.
>>>>> 
>>>>>>>> '%o' % 420
>>>>> '644'
>>>>> 
>>>>> What happens when you mount the configmap onto a directory separate from 
>>>>> anything else?
>>>>> 
>>>>> Graham
>>>>> 
>>>>>> On 9 Dec 2017, at 4:02 am, Tim Dudgeon <tdudgeon...@gmail.com 
>>>>>> <mailto:tdudgeon...@gmail.com>> wrote:
>>>>>> 
>>>>>> More on this.
>>>>>> 
>>>>>> I find when I look a the deployment yaml that the volume ends up looking 
>>>>>> like this:
>>>>>> 
>>>>>>   volumes:
>>>>>> - configMap:
>>>>>> defaultMode: 420
>>>>>> name: squonk-sso-config
>>>>>>   name: squonk-sso-config
>>>>>> 
>>>>>> This is despite `oc explain pod.spec.volumes.configMap` stating that

Re: Permissions problem mounting file from ConfigMap

[Graham Dumpleton]

If you copy it rather than symlink, you will loose the ability that an update 
to the configmap will be reflected automatically inside of the container after 
a short period. If the file was something that was rescanned by the 
application, this allows changes to be pushed into a container without needing 
to do a restart. If you only read the file once on start up, then copying would 
be fine.

Graham


> On 13 Dec 2017, at 8:26 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
> 
> Graham,
> 
> Thanks for your help on this.
> I had managed to work around the problem in a way similar to how you 
> described (but copying not symlinking). Not nice, but it works! 
> 
> On 12/12/17 21:10, Graham Dumpleton wrote:
>> A belated update on this.
>> 
>> The problem with using subPath is due to a SELinux issue in the kernel.
>> 
>> There is an issue about it at:
>> 
>> https://github.com/openshift/origin/issues/16951 
>> <https://github.com/openshift/origin/issues/16951>
>> 
>> Whether you see it will depend on how SELinux is setup I guess.
>> 
>> The only work around would be to mount it as a directory '..data' in the 
>> target directory, and then you create a symlink from startup run script in 
>> your source code to symlink the file in the '..data' directory into the 
>> parent. Know of no other solution at this point.
>> 
>> Graham
>> 
>>> On 9 Dec 2017, at 8:36 pm, Tim Dudgeon <tdudgeon...@gmail.com 
>>> <mailto:tdudgeon...@gmail.com>> wrote:
>>> 
>>> If you mount onto a new directory you get the same problem.
>>> It only seems to happen when specifying a subPath as follows:
>>> 
>>> - mountPath: 
>>> /usr/local/tomcat/webapps/portal/META-INF/context.xml
>>>   name: squonk-sso-config
>>>   subPath: context.xml
>>>   readOnly: true
>>> 
>>> If the whole configMap is mounted to a directory the contents are readable.
>>> 
>>> And as mentioned already, if you do this in Minishift it works fine.
>>> 
>>> 
>>> On 09/12/17 02:16, Graham Dumpleton wrote:
>>>> The permissions is correct. It is shown as decimal, not the octal you are 
>>>> setting it with.
>>>> 
>>>>>>> '%o' % 420
>>>> '644'
>>>> 
>>>> What happens when you mount the configmap onto a directory separate from 
>>>> anything else?
>>>> 
>>>> Graham
>>>> 
>>>>> On 9 Dec 2017, at 4:02 am, Tim Dudgeon <tdudgeon...@gmail.com 
>>>>> <mailto:tdudgeon...@gmail.com>> wrote:
>>>>> 
>>>>> More on this.
>>>>> 
>>>>> I find when I look a the deployment yaml that the volume ends up looking 
>>>>> like this:
>>>>> 
>>>>>   volumes:
>>>>> - configMap:
>>>>> defaultMode: 420
>>>>> name: squonk-sso-config
>>>>>   name: squonk-sso-config
>>>>> 
>>>>> This is despite `oc explain pod.spec.volumes.configMap` stating that the 
>>>>> default for defaultMode is 0644.
>>>>> 
>>>>> Even when I specify defaultMode: 0644 in the template it ends up being 
>>>>> 420.
>>>>> 
>>>>> Any idea what's going on?
>>>>> 
>>>>> 
>>>>> On 08/12/17 16:44, Tim Dudgeon wrote:
>>>>>> Hi All,
>>>>>> 
>>>>>> I'm having a problem mounting a file from a ConfigMap when running on an 
>>>>>> Openshift origin environment, but when doing the same on Minishift it 
>>>>>> works fine.
>>>>>> 
>>>>>> I'm mounting the context.xml file from the ConfigMap into the container 
>>>>>> like this:
>>>>>> 
>>>>>>   spec:
>>>>>> containers:
>>>>>> - image: ...
>>>>>>   ...
>>>>>>   volumeMounts:
>>>>>> - mountPath: 
>>>>>> /usr/local/tomcat/webapps/portal/META-INF/context.xml
>>>>>>   name: my-configmap-vol
>>>>>>   subPath: context.xml
>>>>>>   readOnly: true
>>>>>> volumes:
>>>>>>   - name: my-configmap-vol
>>>>>> configMap:
>>>>>>   name: squonk-sso-config
>>>>>> 
>>>>>> Within the container the file is there but has permissions problems:
>>>>>> 
>>>>>> # ls -l
>>>>>> ls: cannot access 'context.xml': Permission denied
>>>>>> total 4
>>>>>> -rw-r--r--. 1 root root 104 Dec  5 12:48 MANIFEST.MF
>>>>>> -?? ? ??  ?? context.xml
>>>>>> 
>>>>>> Any idea what's the problem?
>>>>>> 
>>>>> ___
>>>>> users mailing list
>>>>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
>>>>> <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>
>>> 
>> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Permissions problem mounting file from ConfigMap

[Graham Dumpleton]

A belated update on this.

The problem with using subPath is due to a SELinux issue in the kernel.

There is an issue about it at:

https://github.com/openshift/origin/issues/16951 
<https://github.com/openshift/origin/issues/16951>

Whether you see it will depend on how SELinux is setup I guess.

The only work around would be to mount it as a directory '..data' in the target 
directory, and then you create a symlink from startup run script in your source 
code to symlink the file in the '..data' directory into the parent. Know of no 
other solution at this point.

Graham

> On 9 Dec 2017, at 8:36 pm, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
> 
> If you mount onto a new directory you get the same problem.
> It only seems to happen when specifying a subPath as follows:
> 
> - mountPath: /usr/local/tomcat/webapps/portal/META-INF/context.xml
>   name: squonk-sso-config
>   subPath: context.xml
>   readOnly: true
> 
> If the whole configMap is mounted to a directory the contents are readable.
> 
> And as mentioned already, if you do this in Minishift it works fine.
> 
> 
> On 09/12/17 02:16, Graham Dumpleton wrote:
>> The permissions is correct. It is shown as decimal, not the octal you are 
>> setting it with.
>> 
>>>>> '%o' % 420
>> '644'
>> 
>> What happens when you mount the configmap onto a directory separate from 
>> anything else?
>> 
>> Graham
>> 
>>> On 9 Dec 2017, at 4:02 am, Tim Dudgeon <tdudgeon...@gmail.com> wrote:
>>> 
>>> More on this.
>>> 
>>> I find when I look a the deployment yaml that the volume ends up looking 
>>> like this:
>>> 
>>>   volumes:
>>> - configMap:
>>> defaultMode: 420
>>> name: squonk-sso-config
>>>   name: squonk-sso-config
>>> 
>>> This is despite `oc explain pod.spec.volumes.configMap` stating that the 
>>> default for defaultMode is 0644.
>>> 
>>> Even when I specify defaultMode: 0644 in the template it ends up being 420.
>>> 
>>> Any idea what's going on?
>>> 
>>> 
>>> On 08/12/17 16:44, Tim Dudgeon wrote:
>>>> Hi All,
>>>> 
>>>> I'm having a problem mounting a file from a ConfigMap when running on an 
>>>> Openshift origin environment, but when doing the same on Minishift it 
>>>> works fine.
>>>> 
>>>> I'm mounting the context.xml file from the ConfigMap into the container 
>>>> like this:
>>>> 
>>>>   spec:
>>>> containers:
>>>> - image: ...
>>>>   ...
>>>>   volumeMounts:
>>>> - mountPath: 
>>>> /usr/local/tomcat/webapps/portal/META-INF/context.xml
>>>>   name: my-configmap-vol
>>>>   subPath: context.xml
>>>>   readOnly: true
>>>> volumes:
>>>>   - name: my-configmap-vol
>>>> configMap:
>>>>   name: squonk-sso-config
>>>> 
>>>> Within the container the file is there but has permissions problems:
>>>> 
>>>> # ls -l
>>>> ls: cannot access 'context.xml': Permission denied
>>>> total 4
>>>> -rw-r--r--. 1 root root 104 Dec  5 12:48 MANIFEST.MF
>>>> -?? ? ??  ?? context.xml
>>>> 
>>>> Any idea what's the problem?
>>>> 
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Version 3.8 and 3.9 confusion

[Graham Dumpleton]

Others can fill in more details, but as I understand it yes, the next full 
release will be 3.9. This is in order to catch back up with the Kubernetes 
releases.

> On 11 Dec 2017, at 7:28 pm, Per Carlson  wrote:
> 
> Hi.
> 
> I just noticed a message on the dev mailinglist:
> 
> > We've branched master for release-3.8 and created a v3.9.0-alpha.0 tag.
> > This is because 3.8 is a "skip" release where we'll only do an internal
> > data upgrade and then go from 3.7 to 3.9 directly.
> 
> Does that mean there will never be a (public) 3.8 release?
> 
> In a recent (November 2017) roadmap for the enterprise version, both 3.8 and 
> 3.9 are mentioned.
> 
> -- 
> Pelle
> 
> Research is what I'm doing when I don't know what I'm doing.
> - Wernher von Braun
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Permissions problem mounting file from ConfigMap

[Graham Dumpleton]

The permissions is correct. It is shown as decimal, not the octal you are 
setting it with.

>>> '%o' % 420
'644'

What happens when you mount the configmap onto a directory separate from 
anything else?

Graham

> On 9 Dec 2017, at 4:02 am, Tim Dudgeon  wrote:
> 
> More on this.
> 
> I find when I look a the deployment yaml that the volume ends up looking like 
> this:
> 
>   volumes:
> - configMap:
> defaultMode: 420
> name: squonk-sso-config
>   name: squonk-sso-config
> 
> This is despite `oc explain pod.spec.volumes.configMap` stating that the 
> default for defaultMode is 0644.
> 
> Even when I specify defaultMode: 0644 in the template it ends up being 420.
> 
> Any idea what's going on?
> 
> 
> On 08/12/17 16:44, Tim Dudgeon wrote:
>> Hi All,
>> 
>> I'm having a problem mounting a file from a ConfigMap when running on an 
>> Openshift origin environment, but when doing the same on Minishift it works 
>> fine.
>> 
>> I'm mounting the context.xml file from the ConfigMap into the container like 
>> this:
>> 
>>   spec:
>> containers:
>> - image: ...
>>   ...
>>   volumeMounts:
>> - mountPath: 
>> /usr/local/tomcat/webapps/portal/META-INF/context.xml
>>   name: my-configmap-vol
>>   subPath: context.xml
>>   readOnly: true
>> volumes:
>>   - name: my-configmap-vol
>> configMap:
>>   name: squonk-sso-config
>> 
>> Within the container the file is there but has permissions problems:
>> 
>> # ls -l
>> ls: cannot access 'context.xml': Permission denied
>> total 4
>> -rw-r--r--. 1 root root 104 Dec  5 12:48 MANIFEST.MF
>> -?? ? ??  ?? context.xml
>> 
>> Any idea what's the problem?
>> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: OpenShift environment in Prod: Security: pro and cons

[Graham Dumpleton]

You could start out by reading the OpenShift Security Container Guide if you 
haven't already.

* https://docs.openshift.com/container-platform/latest/security/index.html 


There was also this Tech N’ Talk briefing about security.

* 
https://blog.openshift.com/tech-n-talk-ten-layers-of-container-security-with-red-hats-kirsten-newcomer/
 


There is a number of related links off that post as well.

Graham

> On 19 Nov 2017, at 8:09 am, Den Cowboy  wrote:
> 
> I would like to know the pro and cons of openshift in a production 
> environment from a security standpoint.
> I am used to the three-tier architecture or separation via VLAN 
> (presentation, Application, database), can you apply the same types of 
> controls in a containerized environment and more specifically in openshift. 
> If so how?
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Builder unable to resolve github.com

[Graham Dumpleton]

The required setup instructions can be seen at:

https://github.com/openshift/origin/blob/master/docs/cluster_up_down.md#linux 


It describes what you need to do with the firewall.

> On 13 Nov 2017, at 7:35 am, Marc Boorshtein  wrote:
> 
> is your machine (the centos7 vm) running dnsmasq or anything else on port 53? 
>  If so, shut it down prior to bringing up your cluster.
> 
> 
> Nothing is running on 53:
> tcp0  0 localhost:10443 0.0.0.0:*   LISTEN
>  
> tcp0  0 localhost:10444 0.0.0.0:*   LISTEN
>  
> tcp0  0 0.0.0.0:http0.0.0.0:*   LISTEN
>  
> tcp0  0 0.0.0.0:senomix02   0.0.0.0:*   LISTEN
>  
> tcp0  0 0.0.0.0:ssh 0.0.0.0:*   LISTEN
>  
> tcp0  0 localhost:smtp  0.0.0.0:*   LISTEN
>  
> tcp0  0 0.0.0.0:https   0.0.0.0:*   LISTEN
>  
> tcp0  0 0.0.0.0:pcsync-https0.0.0.0:*   LISTEN
>  
> tcp6   0  0 [::]:jetcmeserver   [::]:*  LISTEN
>  
> tcp6   0  0 [::]:ssh[::]:*  LISTEN
>  
> tcp6   0  0 [::]:afs3-callback  [::]:*  LISTEN
>  
> tcp6   0  0 localhost:smtp  [::]:*  LISTEN
>  
> tcp6   0  0 [::]:newoak [::]:*  LISTEN
>  
> tcp6   0  0 [::]:10250  [::]:*  LISTEN
>  
> udp0  0 0.0.0.0:64109    0.0.0.0:* 
>  
> udp0  0 0.0.0.0:20230    0.0.0.0:* 
>  
> udp0  0 0.0.0.0:senomix02   0.0.0.0:* 
>  
> udp0  0 0.0.0.0:bootpc  0.0.0.0:* 
>  
> udp0  0 0.0.0.0:bootpc  0.0.0.0:* 
>  
> udp0  0 localhost:323   0.0.0.0:* 
>  
> udp6   0  0 [::]:64109  [::]:*
>  
> udp6   0  0 [::]:15385  [::]:*
>  
> udp6   0  0 localhost:323   [::]:*
>  
> raw6   0  0 [::]:ipv6-icmp  [::]:*  7 
>  
> raw6   0  0 [::]:ipv6-icmp  [::]:* 
> 
> Firewalld is running...should I add an open up 53?
> 
>  
> what the master container can resolve is not relevant, but if you want to 
> diagnose things further, start a different pod (like the jenkins pod) and rsh 
> into that pod and see
> 1) whether it can resolve hosts
> 2) what its /etc/resolv.conf value is
> 3) whether it has external connectivity (independent of its ability to 
> resolve hostnames)
> 
> I did fire up another container and it can't resolve service DNS names
> 
>  
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Hard Disk is full because of OpenShift Origin

[Graham Dumpleton]

A question for OP. Are you using options to oc cluster up to persist data when 
shutting it down?

> On 27 Oct 2017, at 10:58 pm, Mauricio Améndola  
> wrote:
> 
> Hello,
> The correct way to remove old images is using “oadm prune….”[1]  command. I 
> remember that there are two folders that increase a lot due to tmp files. 
> 
> - /var/lib/origin
> - /var/lib/docker
> 
> Try oadm prune and give some feedback
> Regards,
> 
> [1] 
> https://docs.openshift.com/container-platform/3.6/admin_guide/pruning_resources.html
>  
> 
> 
> 
>> On Oct 26, 2017, at 6:37 PM, Tien Hung Nguyen > > wrote:
>> 
>> Hi everybody,
>> 
>> I have a problem with my hard drive space. Since I'm using OpenShift locally 
>> with Docker, I have the problem that my hard drive space gets full very fast 
>> and I can't remove it. I have already run the commands 'oc cluster down' and 
>> the 'docker rmi [imageip] commands to deleted unused images but it has no 
>> effect.
>> 
>> Please, could you tell me how to free up my disk space properly?
>> 
>> Thank you!
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com 
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Hard Disk is full because of OpenShift Origin

[Graham Dumpleton]

What platform are you on?

If you are on MacOS X or Windows try the following.

Run:

docker run --rm -it -v /:/mnt busybox /bin/sh

This will give you an interactive shell in busybox, but where /mnt has the 
Docker VM file system mounted.

Then go to:

   /mnt/var/lib/origin

and see how much space is being taken up by running 'du -ks .'.

There is a chance that if you were using persistent volumes in OpenShift, that 
any data is still taking up space if the directories weren't cleaned up.

This though is data that the Docker VM would be taking up. If the VM disk file 
has expanded, then removing anything in it may not reclaim it. Not sure how VM 
disk space works and whether can reclaim or whether just expands.

I am not sure where the comparable directory is when using Docker service on 
Linux.

For that you could perhaps run:

docker exec -it origin bash

when oc cluster up is running and then go to:

/var/lib/origin/

in the origin container and see space consumed there. Will be same directory as 
get to above, and mounted from external place Docker service has it.

Graham

> On 27 Oct 2017, at 4:50 pm, Tien Hung Nguyen <tienhng.ngu...@gmail.com> wrote:
> 
> I have checked the volumes already using the docker command docker volume ls. 
> However, everything seems pretty normal there.
> 
> Furthermore, I have checked my images with docker images ls. I have found a 
> lot of old images created by OpenShift, which used a lot of GBs on my Hard 
> Disk. That‘s why I started to manually delete those images with the docker 
> command: docker rmi [imageid], but that didn‘t change my hard disk space at 
> all. 
> 
> Do you have any other ideas?
> 
>> Am 27.10.2017 um 01:24 schrieb Graham Dumpleton <gdump...@redhat.com>:
>> 
>> See if you have a lot of docker volumes that haven't been cleaned up 
>> properly.
>> 
>>   docker volume ls
>> 
>> Maybe that is hanging onto space.
>> 
>> Graham
>> 
>>> On 27 Oct 2017, at 8:37 am, Tien Hung Nguyen <tienhng.ngu...@gmail.com> 
>>> wrote:
>>> 
>>> Hi everybody,
>>> 
>>> I have a problem with my hard drive space. Since I'm using OpenShift 
>>> locally with Docker, I have the problem that my hard drive space gets full 
>>> very fast and I can't remove it. I have already run the commands 'oc 
>>> cluster down' and the 'docker rmi [imageip] commands to deleted unused 
>>> images but it has no effect.
>>> 
>>> Please, could you tell me how to free up my disk space properly?
>>> 
>>> Thank you!
>>> 
>>> ___
>>> users mailing list
>>> users@lists.openshift.redhat.com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>> 


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Hard Disk is full because of OpenShift Origin

[Graham Dumpleton]

See if you have a lot of docker volumes that haven't been cleaned up properly.

docker volume ls

Maybe that is hanging onto space.

Graham

> On 27 Oct 2017, at 8:37 am, Tien Hung Nguyen  wrote:
> 
> Hi everybody,
> 
> I have a problem with my hard drive space. Since I'm using OpenShift locally 
> with Docker, I have the problem that my hard drive space gets full very fast 
> and I can't remove it. I have already run the commands 'oc cluster down' and 
> the 'docker rmi [imageip] commands to deleted unused images but it has no 
> effect.
> 
> Please, could you tell me how to free up my disk space properly?
> 
> Thank you!
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Using Custom SCC and Service Account in Deployment

[Graham Dumpleton]

What is documented in that blog does work.

Instead of:

oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

use:

oc adm policy add-scc-to-user anyuid -z mysvcacct

as the blog explains, and make sure you are in the correct project in case when 
you switched to admin you weren't, or add '-n yourprojectname' option to 
commands.

The form of what you ran is:

oc adm policy add-scc-to-user  \
system:serviceaccount::

If you only have three parts to colon separate argument, it is interpreted as:

oc adm policy add-scc-to-group  \
system:serviceaccounts:

So you aren't strictly adding it to just the service account, but to all 
service accounts in namespace. That should have yielded same result, but maybe 
not and definitely probably not want you wanted, especially if you ran it in 
the wrong project.

Graham

> On 27 Jul 2017, at 4:49 AM, Isuru Haththotuwa  wrote:
> 
> Hi all, 
> 
> I'm trying to allow Docker containers to be run in openshift using the user 
> specified in the Dockerfile itself, without using a random user id. I see 
> that its possible to do this using the command [1], where all authenticated 
> users will be added to the anyuid group. Without doing this for all users, 
> can I do it for one specific user? I tried the following:
> Create a service account in default project using command [2]
> Add the service account to the anyuid scc using command [3]
> Referred this service account name in the Deployment definition as shown in 
> the sample [4]
> However, still the container seems to start with a random user id. Is this 
> approach incorrect? What is the link between service account and the user we 
> set in the Docker images (with USER keyword)?
> 
> 
> [1]. oc adm policy add-scc-to-group anyuid system:authenticated
> 
> [2]. oc create serviceaccount mysvcacct
> 
> [3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct
> 
> [4]. https://blog.openshift.com/understanding-service-accounts-sccs/ 
> 
> 
> -- 
> Thanks and Regards,
> Isuru 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: How could I deploy redis cluster on openshift origin cluster?

[Graham Dumpleton]

See:

https://github.com/sclorg/redis-container 


The image can be found at:

https://hub.docker.com/r/centos/redis-32-centos7/ 


Graham


> On 24 Jul 2017, at 1:26 PM, Yu Wei  wrote:
> 
> Hi,
> I want to deploy redis cluster on openshfit origin cluster.
> Is there any images, deployment that could be used?
> 
> Thanks,
> Jared, (韦煜）
> Software developer
> Interested in open source software, big data, Linux
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: no mcrypt in s2i-php

[Graham Dumpleton]

> On 19 Jul 2017, at 10:10 AM, Ben Parees  wrote:
> 
> 
> 
> On Tue, Jul 18, 2017 at 6:26 PM, Piotr Baranowski  > wrote:
> Is there any reason for the s2i-php-builder not to contain the mcrypt library 
> and php-mcrypt extension?
> 
> It is very popular and I'd say crucial to majority of LAMP apps. 
> 
> I had to recreate a s2i-php image so it contains the missing php packages, 
> but still, I'd like to understand why.
> 
> It comes down to what packages our SCL team is able to package/maintain.  If 
> there's an SCL package for it, it should be easy to include in the image, 
> otherwise it will need to be packaged so we can properly 
> build+maintain/support it.

You will also get concerns from the SCL team and others about the size of any 
packages which people suggest be added. If every single package that someone 
wanted were added, the size of the image would grow dramatically. We would end 
up with same as the overly bloated official Docker images using Debian on 
Docker Hub for various language stacks.

If weren't for the pushback on that, I am sure I would have a string of 
packages would like to see added. One right now for example which encountered 
in last day is ImageMagick being missing. It stops me from using official 
Python S2I builder for a specific application in Python space.

> 
> Note that there's already an issue open requesting this particular package:
> https://github.com/sclorg/s2i-php-container/issues/161 
> 
> 
> I'm also copying Honza who leads the SCL team responsible for the images.
> 
> 
>  
> 
> best regards
> -- 
> Piotr Baranowski
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> 
> 
> -- 
> Ben Parees | OpenShift
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Running sshd in a Docker Container on Openshift

[Graham Dumpleton]

> On 10 Jul 2017, at 11:55 PM, Itamar Turner-Trauring  
> wrote:
> 
> It is possible to run sshd on OpenShift, if other options don't work - we do 
> it as part of the Telepresence remote debugging tool we built for OpenShift 
> and Kubernetes (https://telepresence.io ).
> 
> Here's a shortened (and untested) Dockerfile:
> 
> ...
> 
> And here's run.sh:
> 
> #!/usr/bin/env sh
> set -e
> USER_ID="$(id -u)"
> GROUP_ID="$(id -g)"
> 
> # This is a terrible hack to allow SSH login to a runtime-specified UID
> echo "telepresence::${USER_ID}:${GROUP_ID}:Telepresence 
> User:/usr/src/app:/bin/ash" >> /etc/passwd

I wouldn't say this is a terrible hack. Necessary in some cases, but not 
terrible.

Some of the current S2I builders use a different way of achieving the same 
thing by pre-loading shared libraries into applications using nss_wrapper 
package. Making the passwd file writable and adding an entry in startup screen 
is cleaner and no one has been able to identify any potential problems from 
making passwd file group writable. It is possible that nss_wrapper method will 
be replaced with way you are doing it.

Graham___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Running sshd in a Docker Container on Openshift

[Graham Dumpleton]

Anther ad-hoc way of moving data between pods is possible if you have 'netcat' 
tools installed in image for each application.

Look at the example in:


http://www.microhowto.info/howto/copy_a_file_from_one_machine_to_another_using_netcat.html
 
<http://www.microhowto.info/howto/copy_a_file_from_one_machine_to_another_using_netcat.html>

The idea though is that on source pod you run:

tar zc *.txt | nc -l 6

and on target pod you pull them using:

nc pod-name 6 | tar zx

Replace 'pod-name' with actual pod name. The pod-name is mapped in internal DNS 
so you don't have to worry about what the IP address is.

Graham

> On 10 Jul 2017, at 7:43 AM, Graham Dumpleton <gdump...@redhat.com> wrote:
> 
> If your applications are in the same project, you may find it easier to mount 
> an extra persistent volume temporarily in the source pod. Access the pod 
> using 'oc rsh' and copy the files into that persistent volume and then detach 
> it from that pod. Then mount the persistent volume into the target pod and 
> use as is, or copy into the target pod persistent volume and then detach and 
> delete the temporary persistent volume.
> 
> We recently published a scenario in our interactive learning portal for 
> OpenShift about transferring files in and out of an application. We didn't 
> specifically cover moving files between pods, but mounting pods against a 
> temporary application to pre-load data into a persistent volume was covered. 
> What I suggest as a bit of a variation on that.
> 
> You can see the scenario at:
> 
> https://learn.openshift.com/ <https://learn.openshift.com/>
> 
> It was called:
> 
> Transferring Files in and out of Containers
> 
> Graham
> 
>> On 10 Jul 2017, at 12:10 AM, Isuru Haththotuwa <isurulu...@gmail.com 
>> <mailto:isurulu...@gmail.com>> wrote:
>> 
>> Hi Marko, 
>> 
>> On Sun, Jul 9, 2017 at 4:29 PM, Marko Lukša <marko.lu...@gmail.com 
>> <mailto:marko.lu...@gmail.com>> wrote:
>> There's no need to run sshd. Use oc rsh or oc exec.
>> Thanks for the reply. However, I am trying to run a rsync pull from a 
>> different pod to this particular pod, that is the reason why I'm trying to 
>> run sshd. Would this be possible with rsh?  
>> 
>> On Jul 9, 2017 12:02 PM, "Isuru Haththotuwa" <isurulu...@gmail.com 
>> <mailto:isurulu...@gmail.com>> wrote:
>> Hi, 
>> 
>> I'm trying to do $subject. Using the minimal docker sample found at [1]. 
>> While this works perfectly in bare docker, when I'm trying to run on 
>> Openshift it fails with the error [2]. When I tried to re-create the ssh 
>> keys at startup with ssh-keygen -A, gave me the error [3]. I read that 
>> Openshift uses a random user id (usually 10) when starting a 
>> container, I created a user with the same id, gave permission to 
>> /etc/ssh/ssh* and ran. Still did not work.
>> 
>> Seems a permission issue. Any idea what is going wrong here?
>> 
>> [1]. 
>> https://docs.docker.com/engine/examples/running_ssh_service/#build-an-eg_sshd-image
>>  
>> <https://docs.docker.com/engine/examples/running_ssh_service/#build-an-eg_sshd-image>
>> 
>> [2].
>> Could not load host key: /etc/ssh/ssh_host_rsa_key
>> Could not load host key: /etc/ssh/ssh_host_dsa_key
>> Could not load host key: /etc/ssh/ssh_host_ecdsa_key
>> Could not load host key: /etc/ssh/ssh_host_ed25519_key
>> 
>> [3].
>> open /etc/ssh/ssh_host_key failed: Permission denied.
>> ssh-keygen: generating new host keys: RSA1 Saving the key failed: 
>> /etc/ssh/ssh_host_key.
>> ssh-keygen: generating new host keys: RSA Saving the key failed: 
>> /etc/ssh/ssh_host_rsa_key.
>> open /etc/ssh/ssh_host_rsa_key failed: Permission denied.
>> open /etc/ssh/ssh_host_dsa_key failed: Permission denied.
>> ssh-keygen: generating new host keys: DSA Saving the key failed: 
>> /etc/ssh/ssh_host_dsa_key.
>> open /etc/ssh/ssh_host_ecdsa_key failed: Permission denied.
>> ssh-keygen: generating new host keys: ECDSA Saving the key failed: 
>> /etc/ssh/ssh_host_ecdsa_key.
>> open /etc/ssh/ssh_host_ed25519_key failed: Permission denied.
>> ssh-keygen: generating new host keys: ED25519 Saving the key failed: 
>> /etc/ssh/ssh_host_ed25519_key.
>> 
>> -- 
>> Thanks and Regards,
>> Isuru 
>> 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
>> <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>
>> 
>> 
>> 
>> 
>> -- 
>> Thanks and Regards,
>> Isuru 
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Running sshd in a Docker Container on Openshift

[Graham Dumpleton]

If your applications are in the same project, you may find it easier to mount 
an extra persistent volume temporarily in the source pod. Access the pod using 
'oc rsh' and copy the files into that persistent volume and then detach it from 
that pod. Then mount the persistent volume into the target pod and use as is, 
or copy into the target pod persistent volume and then detach and delete the 
temporary persistent volume.

We recently published a scenario in our interactive learning portal for 
OpenShift about transferring files in and out of an application. We didn't 
specifically cover moving files between pods, but mounting pods against a 
temporary application to pre-load data into a persistent volume was covered. 
What I suggest as a bit of a variation on that.

You can see the scenario at:

https://learn.openshift.com/ 

It was called:

Transferring Files in and out of Containers

Graham

> On 10 Jul 2017, at 12:10 AM, Isuru Haththotuwa  wrote:
> 
> Hi Marko, 
> 
> On Sun, Jul 9, 2017 at 4:29 PM, Marko Lukša  > wrote:
> There's no need to run sshd. Use oc rsh or oc exec.
> Thanks for the reply. However, I am trying to run a rsync pull from a 
> different pod to this particular pod, that is the reason why I'm trying to 
> run sshd. Would this be possible with rsh?  
> 
> On Jul 9, 2017 12:02 PM, "Isuru Haththotuwa"  > wrote:
> Hi, 
> 
> I'm trying to do $subject. Using the minimal docker sample found at [1]. 
> While this works perfectly in bare docker, when I'm trying to run on 
> Openshift it fails with the error [2]. When I tried to re-create the ssh keys 
> at startup with ssh-keygen -A, gave me the error [3]. I read that Openshift 
> uses a random user id (usually 10) when starting a container, I 
> created a user with the same id, gave permission to /etc/ssh/ssh* and ran. 
> Still did not work.
> 
> Seems a permission issue. Any idea what is going wrong here?
> 
> [1]. 
> https://docs.docker.com/engine/examples/running_ssh_service/#build-an-eg_sshd-image
>  
> 
> 
> [2].
> Could not load host key: /etc/ssh/ssh_host_rsa_key
> Could not load host key: /etc/ssh/ssh_host_dsa_key
> Could not load host key: /etc/ssh/ssh_host_ecdsa_key
> Could not load host key: /etc/ssh/ssh_host_ed25519_key
> 
> [3].
> open /etc/ssh/ssh_host_key failed: Permission denied.
> ssh-keygen: generating new host keys: RSA1 Saving the key failed: 
> /etc/ssh/ssh_host_key.
> ssh-keygen: generating new host keys: RSA Saving the key failed: 
> /etc/ssh/ssh_host_rsa_key.
> open /etc/ssh/ssh_host_rsa_key failed: Permission denied.
> open /etc/ssh/ssh_host_dsa_key failed: Permission denied.
> ssh-keygen: generating new host keys: DSA Saving the key failed: 
> /etc/ssh/ssh_host_dsa_key.
> open /etc/ssh/ssh_host_ecdsa_key failed: Permission denied.
> ssh-keygen: generating new host keys: ECDSA Saving the key failed: 
> /etc/ssh/ssh_host_ecdsa_key.
> open /etc/ssh/ssh_host_ed25519_key failed: Permission denied.
> ssh-keygen: generating new host keys: ED25519 Saving the key failed: 
> /etc/ssh/ssh_host_ed25519_key.
> 
> -- 
> Thanks and Regards,
> Isuru 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> 
> 
> -- 
> Thanks and Regards,
> Isuru 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: How to grant system:admin rights to admin?

[Graham Dumpleton]

> On 7 Jun 2017, at 3:01 AM, Ulf Lilleengen <l...@redhat.com> wrote:
> 
> Hi Henryk,
> 
> Not sure if this is applicable to your setup, but an alternative is to point 
> oc to admin.kubeconfig. E.g.:
> 
> oc --config /var/lib/origin/openshift.local.config/master/admin.kubeconfig 
> adm policy add-cluster-role-to-user cluster-admin developer
> 
> I've been using this way as 'oc login -u system:admin' didn't work with my 
> dev setup (created using 'oc cluster up') for some reason. It seems to work 
> when using minishift, so I'd love to know what's causing it as well.

If you have access to the master node that will work. Sometimes the master 
nodes will already have cached login as admin from setup of cluster and just 
being able to access the master node as root will leave you as admin user 
anyway.

Another alternative is if you have granted specific user sudoer role access, 
then such a user could use impersonation to run:

oc admin policy add-cluster-role-to-user cluster-admin developer --as 
system:admin

See:


https://docs.openshift.com/online/architecture/additional_concepts/authentication.html#authentication-impersonation
 
<https://docs.openshift.com/online/architecture/additional_concepts/authentication.html#authentication-impersonation>

Graham

> Hth,
> 
> Ulf
> 
> On 06. juni 2017 16:16, Henryk Konsek wrote:
>> Hi Graham,
>> That would be probably fine. I assume that I should log in as system:admin 
>> in order to execute those commands, right?
>> The problem is that I cannot switch to system:admin...
>> oc login -u system:admin
>> Authentication required for https://localhost:8443 <https://localhost:8443/> 
>> (openshift)
>> Username: system:admin
>> Password:
>> error: username system:admin is invalid for basic auth
>> Any idea what I'm doing wrong?
>> Cheers!
>> pon., 5 cze 2017 o 12:28 użytkownik Graham Dumpleton <gdump...@redhat.com 
>> <mailto:gdump...@redhat.com> <mailto:gdump...@redhat.com 
>> <mailto:gdump...@redhat.com>>> napisał:
>> > On 5 Jun 2017, at 8:13 PM, Henryk Konsek <hekon...@gmail.com 
>> <mailto:hekon...@gmail.com>
>><mailto:hekon...@gmail.com <mailto:hekon...@gmail.com>>> wrote:
>> >
>> > Hi,
>> >
>> > Quick question. Is there an easy way to grant "system:admin"
>>privileges to "admin" user? I'd like to make it possible for 'admin'
>>user to list projects and namespaces for example. I'm aware that
>>this is not recommended for production environment, but this is
>>something we need for an automation of our integration tests suite.
>>Not sure if suits your requirements, but presuming 'username'
>>exists, as user who already has admin rights, try:
>> oc adm policy add-cluster-role-to-user cluster-reader username
>>If only want them to be able to read view stuff but not modify, or:
>> oc adm policy add-cluster-role-to-user cluster-admin username
>>if want to allow them full edit ability on cluster.
>>Replace 'username' with actual name of user.
>>Graham
>> -- 
>> Henryk Konsek
>> https://linkedin.com/in/hekonsek
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com <mailto:users@lists.openshift.redhat.com>
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
>> <http://lists.openshift.redhat.com/openshiftmm/listinfo/users>
> 
> -- 
> Ulf

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: help with redinessProbe check

[Graham Dumpleton]

If you need to use a complex command as a readiness or liveness probe, you are 
better off having a script which is part of the container image and running 
that, having all knowledge of what to do inside of the script.

This has the benefit that the details of the probe can be a part of the Git 
repository used as the source for building the image and it can be kept in sync 
with what the applications requires for the probe.

The danger of putting a more complex command in the deployment config resource 
is that you ship an updated image which needs to do it differently and you 
forget to update the deployment config at the same time. So better to have in 
the image a script and keep the name the same all the time. Then can readily 
update the script in new versions of the image and don't have to change the 
deployment config.

Also, by being in the image you can avoid using 127.0.0.1, which doesn't 
actually test the external accessibility of the application properly. You 
should instead use $HOSTNAME instead of 127.0.0.1. That way you are using the 
pod name and the internal OpenShift DNS will be looked up to get the pod IP and 
so you connect via it. This ensures it is visible outside, where as using 
127.0.0.1 will not catch where application incorrectly listened on only the 
loopback interface.

One warning about using a command script for a probe which I think still 
applies, although was a while back I last looked.

Because of a limitation in Docker service, it is not possible to interrupt a 
command used as a probe. This means that even though a timeout is specified for 
the probe, it doesn't work properly. If the probe were actually to hang, then 
it wouldn't be detected properly. The probe also wouldn't be retried properly.

I need to go back and retest to see what the current situation is.

Was from before I learnt about the problems with the timeout I think, but 
perhaps watch:

 https://www.youtube.com/watch?v=zeA5hxxy8ms 


I got most of the details correct in it I think.

Graham

> On 6 Jun 2017, at 2:08 PM, Marc Boorshtein  wrote:
> 
> I'm trying to use the following command as my liveness check:
> 
> /usr/bin/curl --insecure https://127.0.0.1:8443/check_alive 
>  2>/dev/null | grep Anonymous || exit 1
> 
> I tried:
> 
> readinessProbe:
> exec:
>   command:
> - '/usr/bin/curl'
> - '--insecure'
> - 'https://127.0.0.1:8443/check_alive 
> '
> - '2>/dev/null'
> - '|'
> - 'grep'
> - 'Anonymous'
> - '||'
> - 'exit'
> - '1'
> 
> and 
> 
> readinessProbe:
> exec:
>   command:
> - '/usr/bin/curl --insecure 
> https://127.0.0.1:8443/check_alive  
> 2>/dev/null | grep Anonymous || exit 1'
> 
> but openshift doesn't seem to like that either.  Thoughts?  Any help is 
> greatly appreciated.
> 
> Thanks
> Marc
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: openshift origin graphs?

[Graham Dumpleton]

> On 21 May 2017, at 11:30 AM, Hetz Ben Hamo  wrote:
> 
> Hi,
> 
> I just installed Openshift Origin using the Ansible installer. Everything 
> seems to work, but on many youtube video I have seen some really nice graphs 
> like maps (containers, pods, nodes, network etc) as well as other graphs for 
> CPU etc..
> 
> So what do I need to change/add/edit to see those graphs?

The first sounds like the topology visualisation. This was dropped and is not 
in recent OpenShift versions.

The others are metric charts. You need to enable installation of metrics in the 
Ansible setup file when installing. Have you done that?

Graham___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: Simple Java S2I

[Graham Dumpleton]

Have you seen:

https://blog.openshift.com/using-openshift-enterprise-grade-spring-boot-deployments/
 


Graham

> On 3 Mar 2017, at 5:55 PM, Sobkowiak Krzysztof  
> wrote:
> 
> Hi
> 
> I'm using OpenShift by starting the newest Minishift. I'd like to use s2i for 
> my Spring Boot application, but I can see only wildfly template on my 
> OpenShift instance. During the Roadshow event there were something like 
> simple-java-s2i available. Can I find somewhere instructions how to use s2i 
> with plain Java or Spring Boot application?
> 
> Kindly regards
> Krzysztof
> 
> -- 
> Krzysztof Sobkowiak
> 
> JEE & OSS Architect, Integration Architect
> Apache Software Foundation Member (http://apache.org/ )
> Apache ServiceMix Committer & PMC Member (http://servicemix.apache.org/ 
> )
> Senior Solution Architect @ Capgemini SSC (http://www.capgeminisoftware.pl/ 
> )
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: oc .env files

[Graham Dumpleton]

> On 15 Dec 2016, at 9:06 AM, Ben Parees  wrote:
> 
> 
> 
> On Wed, Dec 14, 2016 at 4:53 PM, Clayton Coleman  > wrote:
> The process command does now include an "--env-file" option - so you could do 
> "oc process -f template-file.yaml --env-file .oc_env | oc apply -f -"
> 
> ​I think Phillipe is looking for a "cluster environment definition" file 
> which controls what cluster+namespace the resources are "applied" to, not env 
> variable inputs to the template processing, but that's basically what the 
> .kube/config file specifies/controls today (ie it controls what 
> cluster+project your oc commands are going to operate against)
> 

The problem being though that it can only refer to one cluster at a time. Thus 
you can easily stuff up when have multiple windows open against apps for 
different clusters or users and you forgot that you had changed which one you 
were logged in to. Yes, you can use --cluster=‘’ option (if that works how I 
think), but still have to remember to add it explicitly, where as if you could 
capture that in a configuration file in the repo itself and oc would look for 
it in some way you could be sure you were always working against correct 
cluster.

BTW, I can’t find any docs about —env-file in oc help strings for that command. 
Also just noticed that ‘oc options’ sends output to stderr and not stdout which 
is a bit strange. If using —help on a command still goes to stdout.

Graham

> 
> On Wed, Dec 14, 2016 at 4:06 PM, Philippe Lafoucrière 
>  > wrote:
> Hi,
> 
> We're having fun with the "oc apply" command, which solves a lot of 
> configuration issues we've had in the past.
> There's just one thing I would like to have in oc: a local .oc_env file to 
> define some defaults, like:
> 
> - Current cluster url (make sure we're hitting the production cluster, not 
> any of the test clusters)
> - Current namespace (to make sure apply won't fu.. up another project if we 
> forget to specify it).
> 
> Is there something we could see in the future?
> 
> Thanks,
> Philippe
> 
> -- 
> Philippe Lafoucrière - CEO
> http://www.tech-angels.com 
> https://gemnasium.com 
> France : +33 (0) 3 65 96 02 92
> Canada: +1 (418) 478-1175 
> USA: +1 (954) 607-7443 
> 
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com 
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users 
> 
> 
> 
> 
> 
> -- 
> Ben Parees | OpenShift
> 
> ___
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users