Tag Archives: ose3

How-To – Use kubernetes/openshift watch parameter in REST interface

Some api or oapi calls support the watch parameter.

E.g.: https://docs.openshift.com/enterprise/3.1/rest_api/openshift_v1.html#list-or-watch-objects-of-kind-route

list or watch objects of kind Route

GET /oapi/v1/namespaces/{namespace}/routes

Parameters

| Type | Name | Description | Required | Schema | Default |
|---|---|---|---|---|---|
| QueryParameter | pretty | If ‘true’, then the output is pretty printed. | false | string | |
| QueryParameter | labelSelector | A selector to restrict the list of returned objects by their labels. Defaults to everything. | false | string | |
| QueryParameter | fieldSelector | A selector to restrict the list of returned objects by their fields. Defaults to everything. | false | string | |
| QueryParameter | watch | Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion. | false | boolean | |
| QueryParameter | resourceVersion | When specified with a watch call, shows changes that occur after that particular version of a resource. Defaults to changes from the beginning of history. | false | string | |

Let’s check this route

$ oc get route helloworld-route
NAME               HOST/PORT                                           PATH      SERVICE      LABELS           INSECURE POLICY   TLS TERMINATION
helloworld-route   spring-boot-helloworld.plainjava.appad4.tsi-af.de             helloworld   app=helloworld                    

 

So as a user of this project/namespace with the necessary rights you’ll get the existing route object by:

$ curl -k -H "Authorization: Bearer $(oc whoami -t)" -X GET "https://172.30.0.1/oapi/v1/namespaces/plainjava/routes/helloworld-route"
{
  "kind": "Route",
  "apiVersion": "v1",
  "metadata": {
    "name": "helloworld-route",
    "namespace": "plainjava",
    "selfLink": "/oapi/v1/namespaces/plainjava/routes/helloworld-route",
    "uid": "480cbb83-4e5c-11e6-885c-0050560461a7",
    "resourceVersion": "11567709",
    "creationTimestamp": "2016-07-20T09:28:13Z",
    "labels": {
      "app": "helloworld"
    }
  },
  "spec": {
    "host": "spring-boot-helloworld.plainjava.appad4.tsi-af.de",
    "to": {
      "kind": "Service",
      "name": "helloworld"
    },
    "port": {
      "targetPort": 8080
    }
  },
  "status": {}
}

 

Now set a watch, modify the host of the route and change it back again. Check the modification messages for the host:

{"type":"ADDED","object":{"kind":"Route","apiVersion":"v1","metadata":{"name":"helloworld-route","namespace":"plainjava","selfLink":"/oapi/v1/namespaces/plainjava/routes/helloworld-route","uid":"480cbb83-4e5c-11e6-885c-0050560461a7","resourceVersion":"11567709","creationTimestamp":"2016-07-20T09:28:13Z","labels":{"app":"helloworld"}},"spec":{"host":"spring-boot-helloworld.plainjava.appad4.tsi-af.de","to":{"kind":"Service","name":"helloworld"},"port":{"targetPort":8080}},"status":{}}}
{"type":"MODIFIED","object":{"kind":"Route","apiVersion":"v1","metadata":{"name":"helloworld-route","namespace":"plainjava","selfLink":"/oapi/v1/namespaces/plainjava/routes/helloworld-route","uid":"480cbb83-4e5c-11e6-885c-0050560461a7","resourceVersion":"14600520","creationTimestamp":"2016-07-20T09:28:13Z","labels":{"app":"helloworld"}},"spec":{"host":"spring-boot-helloworld-1.plainjava.appad4.tsi-af.de","to":{"kind":"Service","name":"helloworld"},"port":{"targetPort":8080}},"status":{}}}
{"type":"MODIFIED","object":{"kind":"Route","apiVersion":"v1","metadata":{"name":"helloworld-route","namespace":"plainjava","selfLink":"/oapi/v1/namespaces/plainjava/routes/helloworld-route","uid":"480cbb83-4e5c-11e6-885c-0050560461a7","resourceVersion":"14600675","creationTimestamp":"2016-07-20T09:28:13Z","labels":{"app":"helloworld"}},"spec":{"host":"spring-boot-helloworld.plainjava.appad4.tsi-af.de","to":{"kind":"Service","name":"helloworld"},"port":{"targetPort":8080}},"status":{}}}
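An added example (not part of the original post): a small consumer for the line-delimited watch events shown above. It reports every change of spec.host and remembers the last resourceVersion, so that an interrupted watch can be resumed with the resourceVersion parameter. The sample lines are the post's events cut down to the fields read here, and the function names are this example's own.

```python
import json

# Constructed sample: the three events from the post, reduced to the fields
# this example reads, with one empty line in between.
SAMPLE_STREAM = [
    '{"type":"ADDED","object":{"kind":"Route","metadata":{"name":"helloworld-route","namespace":"plainjava","resourceVersion":"11567709"},"spec":{"host":"spring-boot-helloworld.plainjava.appad4.tsi-af.de"}}}',
    '',
    '{"type":"MODIFIED","object":{"kind":"Route","metadata":{"name":"helloworld-route","namespace":"plainjava","resourceVersion":"14600520"},"spec":{"host":"spring-boot-helloworld-1.plainjava.appad4.tsi-af.de"}}}',
    '{"type":"MODIFIED","object":{"kind":"Route","metadata":{"name":"helloworld-route","namespace":"plainjava","resourceVersion":"14600675"},"spec":{"host":"spring-boot-helloworld.plainjava.appad4.tsi-af.de"}}}',
]


class WatchError(Exception):
    """The server sent an ERROR event; the watch has to be set up again."""


def iter_watch_events(lines):
    """Yield (type, object) for every non-empty line of a watch stream."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event["type"] == "ERROR":
            # The object is then a Status, not a Route.
            raise WatchError(event["object"].get("message", "watch error"))
        yield event["type"], event["object"]


def track_host_changes(lines):
    """Return (changes, last_resource_version) for a stream of Route events.

    A change is recorded whenever spec.host differs from the host last seen
    for the same namespace/name.
    """
    hosts = {}
    changes = []
    last_rv = None
    for etype, obj in iter_watch_events(lines):
        meta = obj["metadata"]
        key = (meta["namespace"], meta["name"])
        last_rv = meta["resourceVersion"]
        if etype == "DELETED":
            hosts.pop(key, None)
            continue
        host = obj.get("spec", {}).get("host")
        old = hosts.get(key)
        if old is not None and host != old:
            changes.append({"route": "/".join(key), "from": old,
                            "to": host, "resourceVersion": last_rv})
        hosts[key] = host
    return changes, last_rv


if __name__ == "__main__":
    found, rv = track_host_changes(SAMPLE_STREAM)
    for c in found:
        print("%(route)s: %(from)s -> %(to)s (rv %(resourceVersion)s)" % c)
    print("resume the watch with resourceVersion=%s" % rv)
```

In real use the lines would come from the streaming response of the watch request instead of SAMPLE_STREAM.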

How-To Use supervisord in Docker Images

Supervisord is “a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems.”

  • To install it in your Dockerfile, get it from the EPEL repository – you have to enable EPEL first, of course.
    FROM rhel7
    ...
    RUN yum install -y --enablerepo=epel supervisor
  • Config is in /etc/supervisord.conf
    You have to set “nodaemon=true”, so that supervisord will start in foreground

    [supervisord]
    nodaemon=true
    ...
  • It is important that unix signals are passed to supervisord, so that there’ll be no zombies when the container is deleted
    • Find this blog post about signals in docker containers
    • Supervisord will handle its subprocesses according to the signals it gets. So it is important that it runs as PID 1 in the container and is not started by a shell.
      • So verify that supervisord is started in the exec format
    • If you manage a shell script with supervisord, ensure that you catch relevant signals within your script and proceed accordingly
      ...
      function clean_up {
              # Perform program cleanup
              ...
              exit 0
      }
      trap clean_up SIGHUP SIGINT SIGTERM
  • If you want to manage a daemon process with your supervisord, you have to ensure that it runs in the foreground – most daemon start commands support this. Otherwise, you could use this script. See this post.
    #! /usr/bin/env bash
    set -eu
    pidfile="/var/run/your-daemon.pid"
    command=/usr/sbin/your-daemon
    # Proxy signals: forward a stop request to the daemon
    function kill_app(){
        kill "$(cat "$pidfile")"
        exit 0 # exit okay
    }
    trap "kill_app" SIGINT SIGTERM
    # Launch daemon (no exec: the daemon forks into the background and this
    # script has to keep running to watch the pidfile)
    $command
    sleep 2
    # Loop while the pidfile and the process exist
    while [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" ; do
        sleep 0.5
    done
    exit 1 # exit unexpected (exit codes above 255 wrap around, so use 1)

    “kill -0” doesn’t send any signal; it only checks whether the process exists and whether the permissions are sufficient to signal it.

  • Don’t use “sleep inf” or “tail -f /dev/null” at the end of your scripts in order to block their ending. They won’t pass unix signals. Instead, as described above, use a loop with a short sleep
  • Also important to mention is that the default behaviour of supervisord is to NOT restart programs when they finish with an exit code of “0”.
    • So ensure that in case of crashes your programs, daemons etc. exit with a non-0 state, so that supervisord knows that it has to restart them
  • Supervisord will not end when all programs have finished. So even if all your programs have exited with code 0, the supervisor process will keep running. If you want different behaviour, you have to implement an event listener.
  • If supervisord is killed, it waits for the programs to end before it terminates
  • Here’s a test script I used for the investigations
    #!/bin/bash
    set -e
    echo "This program is running as PID $$ "
    function trap_with_arg() {
        func="$1" ; shift
        for sig ; do
            trap "$func $sig" "$sig"
        done
    }
    function clean_up {
        # Perform program exit
        echo Trapped: $1
        if [[ "$1" == "SIGTERM" ]] ; then
            exit 0
        else
            exit 1
        fi
    }
    trap_with_arg clean_up SIGHUP SIGINT SIGTERM
    while /bin/true ; do
        sleep 0.5
    done
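The event listener mentioned in the list above, as an added example (not from the original post or from the supervisor project): it speaks supervisord's event listener protocol on stdin/stdout and sends SIGTERM to supervisord once every named program has exited for good, so that the container stops. The program names passed as arguments and the listener name in the config comment are assumptions of this example.

```python
import os
import signal
import sys

# Assumed supervisord.conf entry for this listener:
#   [eventlistener:exitwatch]
#   command=/usr/bin/python /exitwatch.py web worker
#   events=PROCESS_STATE_EXITED,PROCESS_STATE_FATAL


def parse_tokens(text):
    """Turn 'key:value key:value' (header and payload format) into a dict."""
    return dict(tok.split(":", 1) for tok in text.split())


def is_final_exit(headers, payload):
    """True if the event means supervisord will not start the process again."""
    name = headers.get("eventname")
    if name == "PROCESS_STATE_FATAL":      # supervisord gave up starting it
        return True
    # expected:1 = exit code counts as expected, so with the default
    # autorestart setting the program stays down (exit code 0 in the post).
    return name == "PROCESS_STATE_EXITED" and payload.get("expected") == "1"


def run(stdin, stdout, waiting_for, shutdown):
    """Serve events until every program in waiting_for has finished.

    Returns True after calling shutdown(), False if stdin was closed first.
    """
    waiting_for = set(waiting_for)
    while waiting_for:
        stdout.write("READY\n")            # tell supervisord we accept an event
        stdout.flush()
        header_line = stdin.readline()
        if not header_line:                # supervisord closed our stdin
            return False
        headers = parse_tokens(header_line)
        # len counts bytes; the payload is ASCII, so characters match bytes.
        payload = parse_tokens(stdin.read(int(headers["len"])))
        if is_final_exit(headers, payload):
            waiting_for.discard(payload["processname"])
        stdout.write("RESULT 2\nOK")       # acknowledge the event
        stdout.flush()
    shutdown()
    return True


def stop_supervisord():
    # The listener is a child of supervisord, so the parent PID is supervisord.
    os.kill(os.getppid(), signal.SIGTERM)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: exitwatch.py PROGRAM [PROGRAM ...]")
    run(sys.stdin, sys.stdout, sys.argv[1:], stop_supervisord)
```

Anything the listener wants to log has to go to stderr, because stdout carries the protocol.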

How-To – Use YUM installer in containers

Using a RHEL base image, you’ll just use yum the “usual” way in installing packages for your container.

Because containers should be small and contain only the really necessary packages, there are some best practices.

  1. Enable only the necessary repositories.
    yum install -y --disablerepo="*" --enablerepo="…" …
    Inside a RHEL7 container, subscription-manager is disabled. But on the host system check with: subscription-manager repos --list-enabled
  2. Don’t install documentation with your packages, because you might not need it and it just consumes space
    yum install/update --setopt=tsflags=nodocs …
  3. Check if it makes sense for you to use “delta rpm” https://www.certdepot.net/rhel7-get-started-delta-rpms/
    It is so far only available for rhel-7-server-rpms:
    yum install -y --setopt=tsflags=nodocs --disablerepo="*" --enablerepo="rhel-7-server-rpms" deltarpm
  4. Change your yum repository settings for further commands permanently. So for example only get security updates for rhel7 server rpms
    RUN yum install -y --setopt=tsflags=nodocs --disablerepo="*" --enablerepo="rhel-7-server-rpms" yum-utils && \
    yum-config-manager --disable "*" && \
    yum-config-manager --enable rhel-7-server-rpms && \
    yum update -y --setopt=tsflags=nodocs && \
  5. Use provided PGP Keys (check /etc/pki/rpm-gpg)

    rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release \
    && rpm --import http://… \
    ...
  6. How to enable EPEL

    rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm \
    && rpm --import file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 \
    && yum install -y --enablerepo=epel …
  7. yum clean all at the end

    && yum clean all

How-To – using images from central registry in production (atomic registry)

This how-to covers what has to be done to pull an image located in atomic registry into an openshift deployment.

General steps:

  • add secret
  • add pull secret to build configuration

see also

https://docs.openshift.com/container-platform/3.3/dev_guide/builds.html

secret to access private central docker registry

oc secrets new-dockercfg registry-appaoc-roambee \
--docker-server='registry-appaoc.tsi-af.de:443' --docker-password=eyJh...14wA \
--docker-email=unused --docker-username=unused

use provided token for password

when using a build configuration, add to build configuration

oc set build-secret --pull bc/telegraf registry-appaoc-roambee

when using a deployment configuration, add secret to service account

oc secrets add sa/default secrets/registry-appaoc-roambee --for=pull

Setup Gitlab for automatic builds

Webhook triggers allow you to trigger a new build by sending a request to the OpenShift API endpoint. This can be done automatically with gitlab after you have pushed code changes.

Step-by-step guide

  1. Each Build Configuration has two trigger URLs: one for GitHub and the other for generic git triggers. With gitlab you have to use the generic trigger URL.
    You can find the URL in your project -> browse -> builds
  2. Another way to obtain the trigger URL is via the command line. Just replace test with the name of your build config.
    user@workstation:~$ oc describe bc test
    ...
    Webhook GitHub: https://master4.tsi-af.de:8443/oapi/v1/namespaces/test/buildconfigs/test/webhooks/3bd0cf0835e4b8ed/github
    Webhook Generic: https://master4.tsi-af.de:8443/oapi/v1/namespaces/test/buildconfigs/test/webhooks/980b8feafc60d8d7/generic
    ...
  3. Now you have to set the webhook in your gitlab repository.
    You can adjust this URL in your repository, tab settings -> web hooks.
  4. To test your web hook, either change your code and push it to the repository or use the test button in the gitlab web interface.
    If there aren’t any issues, the information “Hook successfully executed” will be shown. If you now take a look at the
    openshift web interface you can see the build running in a newly created pod.

Related links:

https://docs.openshift.com/enterprise/3.0/dev_guide/builds.html#webhook-triggers

 

Setup Eclipse for Openshift

This guide helps to install Eclipse for Windows in order to access Openshift 3 and to develop Applications for the PaaS.

Prerequisites

Check the network connections and make sure the configuration of Eclipse includes a proxy.

see Window->Preferences->General->Network Connection

Step-by-step guide

  1. Download and install Eclipse Mars from https://eclipse.org/downloads/packages/eclipse-ide-java-and-dsl-developers/marsm4
  2. Add the update site
      1. Click from the toolbar ‘Help > Install New Software’
      2. Click the ‘Add’ button and a dialog appears
      3. Enter a value for the name
      4. Enter ‘http://download.jboss.org/jbosstools/updates/nightly/mars/’ for the location. Note: Alternative updates are available from the JBoss Tools Downloads. The various releases and code freeze dates are listed on the JBoss JIRA site
      5. Click ‘OK’ to add the update site
  3. Type ‘OpenShift’ in the text input box to filter the choices
  4. Check ‘JBoss OpenShift v3 Tools’ and click ‘Next’
  5. Click ‘Next’ again, accept the license agreement, and click ‘Finish’

 

Connecting to the Server

Your Eclipse network settings should be configured as follows to work behind the corporate proxy. With these settings it was possible to establish a connection to the openshift master.

  1. Click ‘New Connection Wizard’ and a dialog appears (see below)
  2. Select a v3 connection type
  3. Uncheck default server
  4. Enter the URL to the OpenShift server instance (e.g. https://master1.tsi-af.de:8443)
  5. Enter the username and password for the connection (e.g. joe / redhat)

 

A successful connection will allow you to expand the OpenShift explorer tree and browse the projects associated with the account and the resources associated with each project.

Right now (OSE 3, Drop 4) it is not possible to create a new Application with this plugin.

 

CI/CD: Jenkins 2 on openshift

Jenkins 2 overview and setup – APPAGILE

We specifically unveil the steps with oc and an example workflow for Jenkins 2.

IMPORTANT: after installing the OpenShift plugin for Jenkins, always check the box enabling the OpenShift builder support (also for the related OpenShift Jenkins builder API) in the build configuration panel of your project.

Setup

# setup ci jenkins
oc new-project ci
oc new-app library/jenkins:2.0
oc expose svc jenkins
# setup sample for jenkins build
oc new-project demo
oc new-app eap64-basic-s2i \
--param=APPLICATION_NAME=demo-jenkins \
--param=SOURCE_REPOSITORY_URL=<HTTPS>://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git \
--param=SOURCE_REPOSITORY_REF=2.7.0.Final \
--param=CONTEXT_DIR=demo
# setup a secret to access correctly the private repos if needed
oc secrets new-basicauth basicsecret --username=<your_username> --password=<your_password>
oc set build-secret --source bc/demo-jenkins basicsecret
# setup policies
oc policy add-role-to-user edit system:serviceaccount:ci:default -n ci
oc policy add-role-to-user edit system:serviceaccount:demo:default -n demo
oc policy add-role-to-user edit system:serviceaccount:ci:default -n demo

On the Jenkins pipeline side here is the Groovy script based on the Ticket-Monster example.

We give the export of the buildconfig that can be used in relation with oc create :

apiVersion: v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  creationTimestamp: null
  labels:
    app: eap64-basic-s2i
    application: demo-jenkins
    template: eap64-basic-s2i
    xpaas: 1.3.2
  name: demo-jenkins
spec:
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: demo-jenkins:latest
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    contextDir: demo
    git:
      ref: 2.7.0.Final
      uri: <HTTPS>://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git
    sourceSecret:
      name: basicsecret
    type: Git
  strategy:
    sourceStrategy:
      forcePull: true
      from:
        kind: ImageStreamTag
        name: jboss-eap64-openshift:1.4
        namespace: openshift
    type: Source

Security

To pull/push from/to a private repo, setup with the Credential binding plugin a new domain and credential, see Jenkins access to Gitdev private repo using ssh, to Gitlabappadev using https

  • user/private_key for ssh based pull/push
  • user/password for https based pull/push

For a git https based approach (gitlabappadev.tsi-af.de, where git ssh does not seem to be enabled) use:

node {
  stage 'Checkout'
  git branch: '2.7.0.Final', credentialsId: '3a6a12be-0b9a-45af-9c41-4f21fa1543e3', url: '<HTTPS>://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git'
  // ** NOTE: This 'M3' maven tool must be configured in the global configuration.
  def mvnHome = tool 'M3'
  stage 'Build'
  sh "${mvnHome}/bin/mvn -f demo/pom.xml clean install"
  stage 'Deploy'
  def builder = new com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder("""demo-jenkins""demo"null"""""""""true""""""")
  step builder
}

Jenkins web console

From there you can directly interact with the web console of your project.

Jenkins access to Gitdev private repo using ssh, to Gitlabappadev using https:

  1. Access your jenkins pod
    1. access jump server
    2. locate where your Jenkins pod run (which node), then ssh to the corresponding machine
    3. from there in the shell:
      >> docker exec -it <jenkins_pod_ID> /bin/bash
    4. cd in the pod session
    5. you should be in the /var/jenkins_home
    6. create a ssh key in my case:
      >> ssh-keygen -t rsa -C "USERNAME@masterd3.tsi-af.de"
    7. it asks for a passphrase, you should put one and record it somewhere safe
    8. a pair is created, by default the id_rsa (private key) and id_rsa.pub (public key)
    9. not finished, once done you must be sure you can access the gitdev (gitlab) server, type :
      >> ssh -T git@gitdev.tsi-af.de
    10. during the authentication process the daemon asks for the passphrase you have introduced earlier if you set one, give it
    11. the ssh daemon will ask you if you want to authenticate to the gitdev server, obviously yes.
  2. In the Jenkins web console
    1. be sure to have the proper module for ssh authentication so to say:
      1. SSH-Agent plugin
      2. SSH plugin (normally it is required by the first one and will be installed automatically)
      3. Credentials binding plugin
    2. restart the Jenkins server once the plugins are downloaded
    3. then you should go into the Credentials option displayed from now on the web console
      1. you should define a domain
        1. set this to the hostname gitdev.tsi-af.de
      2. and from this domain a key based new credential
        1. indicate you want a ssh authentication with private key and indicate the correct location of it (in my case /var/jenkins_home/.ssh/id_rsa) and do not forget to set the passphrase
        2. IMPORTANT: leave the credentialID field empty, once you save, one will be created automatically for you. This ID is tremendously important, it will be added into the Jenkinsfile workflow script
        3. save the credential.
    4. go in your workflow build project and adapt the script, mine is:
      node {
        stage 'Checkout'
        git branch: '2.7.0.Final', credentialsId: '9cae6b3a-4437-4a33-b99e-c3174f90670f', url: 'git@gitdev.tsi-af.de:jdesiebe/myticket-monster.git'
        // ** NOTE: This 'M3' maven tool must be configured in the global configuration.
        def mvnHome = tool 'M3'
        stage 'Build'
        sh "${mvnHome}/bin/mvn -f demo/pom.xml clean install"
        stage 'Deploy'
        def builder = new com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder("""ticket-monster""demo"null"""""""""true""""""")
        step builder
      }
    5. As you see in the script, a credentialsId field is added and refers to the credential we added just before; we also indicate to Jenkins that we want to use the ssh protocol to pull the git repo.
  3. Restart your build, it should work (smile).
  4. if you want to get momentarily access to private repos from gitlabappadev.tsi-af.de use https
    1. in that case set a new domain and a credential with username/password setup, no need for a key

Jenkins based documentation on the web related to workflows and security

OpenShift Ecosystem: Microsoft Visual Studio , OpenShift and .NET with Click2Cloud

Found a very useful description of how to configure Microsoft Visual Studio with OpenShift on Red Hat's OpenShift blog.

I made a copy to make that step-by-step description available.


Red Hat OpenShift 3 provides an API, Web Console and CLI for interfacing with the environment. However, learning these tools and remembering additional commands can become one more hurdle for a developer, which can slow adoption.

Ideally,  a developer can work  from their favorite IDE without having to use a different tool. This is what drove us at Click2Cloud to create the OpenShift 3, Docker Container and Kubernetes based Dev-Ops Extension for Microsoft Visual Studio 2015. This solution from Click2Cloud allows developers to connect to multiple OpenShift environments and deploy applications with ease from an environment they know and love.

How to Install the Click2Cloud Extension and Deploy a .NET Application in 5 Steps

Step 1 – Download and install the extension from the Microsoft Visual Studio Gallery.

Step 2 – Launch the extension and Sign-in to OpenShift 3 environment

Step 3 – Create Project, .NET application from custom templates or open existing project

Step 4 – View Webhook URL for the newly created application or for a running one and trigger a new build by sending a request to OpenShift API endpoint.

Step 5 – View Pod, Build Logs from OpenShift 3 and Start Build

Please Note: Users can use Click2Cloud’s ASP.NET 5.0 Docker builder image to create a .NET based application in OpenShift.

 

In addition to the Visual Studio plugin, we also provide a Docker Explorer plugin that can be used in tandem for a complete view of your development artifacts — see it in action here. We are just scratching the surface of what we are providing to enhance the developer experience with OpenShift for Windows users. If you want to learn more, then check us out at http://click2cloud.net today!

 

Author

This OpenShift Ecosystem post was created by Prashanth Mishra, VP, Business Dev. at Click2Cloud Inc.

Do not hesitate to connect with Prashanth if you want to learn more about Click2Cloud:

Twitter – https://twitter.com/TWIT2PM

Facebook – https://www.facebook.com/writetoprashant

LinkedIn – https://www.linkedin.com/in/mishrap