
1. OpenShift preparation


title: “1. OpenShift preparation”
date: 2020-02-04T15:58:26
slug: 2-openshift-preparement


Instructions from here:

https://docs.openshift.com/container-platform/3.11/install/host_preparation.html

Copy the SSH public key to each node

# Generate root's SSH key pair (2048-bit; ssh-keygen prompts for the file name and a
# passphrase — the path used below assumes the default RSA key type).
ssh-keygen -b 2048
# Append root's own public key to root's authorized_keys on this host, so Ansible can
# ssh to root@localhost. In the all-in-one inventory written further down the master
# is also the only node; for a multi-node cluster copy the key to every node instead
# (e.g. ssh-copy-id). Outside quotes bash reads "\_" as a plain "_", so the escaped
# paths (an export artifact) still resolve to id_rsa.pub and authorized_keys.
cat /root/.ssh/id\_rsa.pub >> /root/.ssh/authorized\_keys

Set SELinux to enforcing

# Switch SELINUX=permissive to enforcing in place (-i); the /g replaces every
# "permissive" in the file, including ones in comment lines, which is harmless here.
sed "s/permissive/enforcing/g" -i /etc/selinux/config
# The config file is only read at boot, hence the reboot (setenforce 1 would switch
# the running mode immediately, but the installer expects enforcing from the start).
reboot

Registering hosts

# NOTE(review): a real-looking Red Hat account password is hard-coded — and published
# with this page. Treat it as compromised and rotate it; keep secrets out of runbooks
# by omitting --password (subscription-manager prompts for it) or passing it from an
# environment variable rather than the command line.
subscription-manager register --username=tomskiffb --password=v3NtPkdo7nfijV7SoZhf
subscription-manager refresh
# NOTE(review): inside single quotes the backslashes are literal, so this matches
# "\*OpenShift\*" rather than "*OpenShift*"; the "\*" looks like an export artifact.
subscription-manager list --available --matches '\*OpenShift\*'
# <pool_id> is a placeholder for a pool ID from the list output above; as written the
# angle brackets are shell redirections, so substitute the value before running.
subscription-manager attach --pool=<pool\_id>
# Disable every repo first, then enable only the four OCP 3.11 needs. Same caveat:
# inside double quotes "\*" keeps its backslash; the intended argument is "*".
subscription-manager repos --disable="\*"
yum repolist
# Unquoted \\* becomes a backslash followed by a glob "*" (matching files in the
# current directory), not the literal "*" yum-config-manager expects — another
# escaping artifact to confirm before running.
yum-config-manager --disable \\*
subscription-manager repos \
 --enable="rhel-7-server-rpms" \
 --enable="rhel-7-server-extras-rpms" \
 --enable="rhel-7-server-ose-3.11-rpms" \
 --enable="rhel-7-server-ansible-2.8-rpms"
# Base tooling, the openshift-ansible installer and a pinned docker version (1.13.1).
yum install -y wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct openshift-ansible docker-1.13.1
# Bring the host fully up to date, then reboot onto the new kernel/packages.
yum -y update
reboot

Install Docker storage (attach a second hard disk here: /dev/vdb)

# Tell docker-storage-setup to build the devicemapper thin pool on the second disk
# (/dev/vdb) in a volume group named docker-vg; the file is consumed by the next command.
# NOTE(review): the output captured below shows the pool as rhel-docker--pool in VG
# "rhel", not docker-vg, so either this file was not picked up or the capture predates
# it — verify with lvs after running.
cat <<EOF > /etc/sysconfig/docker-storage-setup
DEVS=/dev/vdb
VG=docker-vg
EOF
docker-storage-setup
cat /etc/sysconfig/docker-storage
DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/rhel-docker--pool --storage-opt dm.use_deferred_removal=true --storage-opt dm.use_deferred_deletion=true "

lvs
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert
docker-pool rhel twi-a-t--- 9.29g 0.00 0.12
# Start docker now, enable it at boot, and confirm it reports "active" before
# handing over to the installer.
systemctl start docker
systemctl enable docker
systemctl is-active docker
# Write the openshift-ansible inventory for a single all-in-one host (master, etcd
# and node are the same machine).
# NOTE(review): the heredoc is unquoted, so the "\_" sequences are written literally
# and keys such as oreg\_auth\_user would not be recognised by the installer; the
# source almost certainly had plain underscores (export artifact) — confirm before use.
cat <<EOF > /etc/ansible/hosts
[OSEv3:children]
masters
nodes
etcd

# Set variables common for all OSEv3 hosts
[OSEv3:vars]
# NOTE(review): registry credentials below are the same Red Hat account and password
# used for subscription-manager above, stored in clear text and published with this
# page; rotate them and keep them out of the inventory (ansible-vault or a lookup).
oreg\_auth\_user=tomskiffb
oreg\_auth\_password=v3NtPkdo7nfijV7SoZhf
openshift\_web\_console\_install=true
osm\_use\_cockpit=true
# SSH user, this user should allow ssh based auth without requiring a password
# (root login over ssh is what the authorized_keys step above enables)
ansible\_ssh\_user=root

# If ansible\_ssh\_user is not root, ansible\_become must be set to true
#ansible\_become=true

openshift\_deployment\_type=openshift-enterprise
deployment\_subtype=registry
openshift\_hosted\_infra\_selector=""

# uncomment the following to enable htpasswd authentication; defaults to DenyAllPasswordIdentityProvider
# (with DenyAll nobody can log in through the web console or oc login until a provider is configured)
#openshift\_master\_identity\_providers=[{'name': 'htpasswd\_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]

# host group for masters
[masters]
registry.os.asanger.eu

# host group for etcd
[etcd]
registry.os.asanger.eu

# host group for nodes, includes region info
[nodes]
registry.os.asanger.eu openshift\_node\_group\_name='node-config-all-in-one'
EOF

Configure a static DNS server and search domain, and disable automatic DNS configuration

# Interactive NetworkManager TUI: set the static DNS server and search domain on the
# connection and turn off automatic (DHCP-supplied) DNS.
nmtui

Disable the automatic hostname and /etc/hosts configuration by removing these lines:

  • update_hostname
  • update_etc_hosts
# Edit the cloud-init config and delete the update_hostname and update_etc_hosts
# entries, which otherwise manage the hostname and /etc/hosts on boot and would undo
# the manual settings made below.
vi /etc/cloud/cloud.cfg

Set Hostname:

# Set the FQDN as the persistent hostname (applied at the next reboot).
echo "registry.os.asanger.eu" > /etc/hostname

Update /etc/hosts

# Rewrite /etc/hosts from scratch: ">" truncates the existing file, ">>" appends.
# The host's own FQDN is deliberately not added here; it is expected to resolve via
# the BIND server set up in the DNS section.
echo "127.0.0.1 localhost" > /etc/hosts
echo "::1 localhost" >> /etc/hosts
# Reboot so the new hostname and /etc/hosts are in effect before the installer runs.
reboot
# Run the two openshift-ansible playbooks against the inventory written above
# (to bash an unquoted "\_" is just "_", so deploy_cluster.yml is what actually runs).
cd /usr/share/ansible/openshift-ansible
ansible-playbook playbooks/prerequisites.yml
ansible-playbook playbooks/deploy\_cluster.yml

2. DNS


title: “2. DNS”
date: 2020-02-04T15:43:54
slug: 1-dns


Adapt the external IP address in /etc/named.conf, /etc/named/zones/registry.os.asanger.eu and /etc/named/zones/1.168.192.in-addr.arpa

# Install BIND and its client tools (dig etc.) and enable the service at boot.
yum install -y bind bind-utils
systemctl enable named
# Open DNS over UDP and TCP permanently in the public firewall zone, then apply.
# NOTE(review): combined with "allow-query { any; }" in named.conf this answers
# authoritative queries from any source that can reach the host; recursion itself is
# limited to 192.168.1.0/24 there, so the host is not an open resolver.
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --reload
# Write the main BIND configuration. The heredoc is unquoted, so only "\$" would be
# unescaped; every "\_" and the "/\* ... \*/" comment are written with the backslashes
# intact, which named would reject (channel names containing backslashes, an invalid
# comment opener). Those look like export artifacts — the source most likely had plain
# "_" and "/* */"; confirm before applying.
cat <<EOF > /etc/named.conf
options {
 # Listen on every IPv4 address, but only on loopback for IPv6.
 listen-on port 53 { any; };
 listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache\_dump.db";
 statistics-file "/var/named/data/named\_stats.txt";
 memstatistics-file "/var/named/data/named\_mem\_stats.txt";
 recursing-file "/var/named/data/named.recursing";
 secroots-file "/var/named/data/named.secroots";
 # Authoritative answers for anyone, recursive lookups only for the LAN; recursion is
 # forwarded to 8.8.8.8 rather than resolved from the root.
 allow-query { any; };
 allow-recursion { 192.168.1.0/24; };
 forwarders {
 8.8.8.8;
 };

 recursion yes;
 # Validate DNSSEC on forwarded answers; the trust anchors come from the root key
 # file referenced below and included at the end of this file.
 dnssec-enable yes;
 dnssec-validation yes;

 /\* Path to ISC DLV key \*/
 bindkeys-file "/etc/named.root.key";
 managed-keys-directory "/var/named/dynamic";
 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";

};

# One log file per category under /var/log/named (directory created and chowned
# below); each file rotates at 5 MB keeping 3 versions. The queries category records
# every client query, which grows quickly and exposes client lookup behaviour —
# consider disabling it outside troubleshooting.
logging {
 channel default\_file {
 file "/var/log/named/default.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel general\_file {
 file "/var/log/named/general.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel database\_file {
 file "/var/log/named/database.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel security\_file {
 file "/var/log/named/security.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel config\_file {
 file "/var/log/named/config.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel resolver\_file {
 file "/var/log/named/resolver.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel xfer-in\_file {
 file "/var/log/named/xfer-in.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel xfer-out\_file {
 file "/var/log/named/xfer-out.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel notify\_file {
 file "/var/log/named/notify.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel client\_file {
 file "/var/log/named/client.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel unmatched\_file {
 file "/var/log/named/unmatched.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel queries\_file {
 file "/var/log/named/queries.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel network\_file {
 file "/var/log/named/network.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel update\_file {
 file "/var/log/named/update.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel dispatch\_file {
 file "/var/log/named/dispatch.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel dnssec\_file {
 file "/var/log/named/dnssec.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };
 channel lame-servers\_file {
 file "/var/log/named/lame-servers.log" versions 3 size 5m;
 severity dynamic;
 print-time yes;
 };

 # Route each category to its channel defined above.
 category default { default\_file; };
 category general { general\_file; };
 category database { database\_file; };
 category security { security\_file; };
 category config { config\_file; };
 category resolver { resolver\_file; };
 category xfer-in { xfer-in\_file; };
 category xfer-out { xfer-out\_file; };
 category notify { notify\_file; };
 category client { client\_file; };
 category unmatched { unmatched\_file; };
 category queries { queries\_file; };
 category network { network\_file; };
 category update { update\_file; };
 category dispatch { dispatch\_file; };
 category dnssec { dnssec\_file; };
 category lame-servers { lame-servers\_file; };
};

# Root hints (only used if forwarding fails / for non-forwarded lookups).
zone "." IN {
 type hint;
 file "named.ca";
};

# Stock localhost zones, the DNSSEC root key, and the local zones written next.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
EOF
# Zone and log directories; named runs as the "named" user and must own the log
# directory to create the files configured above (mkdir without -p fails if the
# directory already exists — harmless on a fresh host).
mkdir /etc/named/zones
mkdir /var/log/named/
chown named /var/log/named/
# Declare the forward and reverse zones this server is authoritative for; the zone
# files are written by the next two heredocs. Paths here are absolute, so they bypass
# the "directory" option in named.conf.
cat <<EOF > /etc/named/named.conf.local
zone "registry.os.asanger.eu" IN {
 type master;
 file "/etc/named/zones/registry.os.asanger.eu";
};

zone "1.168.192.in-addr.arpa" {
 type master;
 file "/etc/named/zones/1.168.192.in-addr.arpa";
};
EOF
# Forward zone: the zone apex is the host's own FQDN, served by itself (NS) with a
# single A record. "\$TTL" is escaped on purpose so the literal "$TTL" reaches the file.
# NOTE(review): the SOA contact (admin.api-v2.match-club.ru.) points at an unrelated
# domain — presumably a template leftover; set it to a mailbox you control.
cat <<EOF > /etc/named/zones/registry.os.asanger.eu
\$TTL 600
@ IN SOA registry.os.asanger.eu. admin.api-v2.match-club.ru. (
 3 ; Serial
 604800 ; Refresh
 86400 ; Retry
 2419200 ; Expire
 604800 ) ; Negative Cache TTL
;

; name servers - NS records
 IN NS registry.os.asanger.eu.

; the FQDN with trailing dot is the zone apex itself (same as "@")
registry.os.asanger.eu. IN A 192.168.1.7
EOF
# Reverse zone for 192.168.1.0/24 with one PTR (192.168.1.7 -> the registry host).
# NOTE(review): the SOA names localhost. as primary and root.localhost. as contact
# while the NS record is registry.os.asanger.eu. — inconsistent; looks copied from a
# stock reverse zone, so align it with the forward zone.
cat <<EOF > /etc/named/zones/1.168.192.in-addr.arpa
\$TTL 86400
@ IN SOA localhost. root.localhost. (
 20091028 ; serial
 28800 ; refresh
 14400 ; retry
 3600000 ; expire
 86400 ; default\_ttl
)
 IN NS registry.os.asanger.eu.

; last octet only: 7 -> 192.168.1.7
7 IN PTR registry.os.asanger.eu.
EOF
# Reload the new configuration, then check a forward and a reverse lookup against the
# local server only (@localhost), independent of resolv.conf.
systemctl restart named
dig @localhost registry.os.asanger.eu
dig -x @localhost 192.168.1.7

Create User with Database and grant remote rights


title: “Create User with Database and grant remote rights”
date: 2020-01-26T11:41:46
slug: create-user-with-database-and-grant-remote-rights


# Create the application database.
create database mqtt;

# Allow general Connection to DB
# NOTE(review): the password equals the user name and 'mqtt'@'%' accepts logins from
# any host; use a generated password and restrict the host part to the client's
# address or subnet (e.g. 'mqtt'@'192.168.1.%') before the server is reachable remotely.
CREATE USER 'mqtt'@'localhost' IDENTIFIED BY 'mqtt';
CREATE USER 'mqtt'@'%' IDENTIFIED BY 'mqtt';

# Allow Connection to DB mqtt
# ALL on mqtt.* covers DDL as well as DML; grant only what the broker needs if possible.
# (The "\*" is an export artifact; the SQL wildcard is "*".)
GRANT ALL ON mqtt.\* TO 'mqtt'@'localhost';
GRANT ALL ON mqtt.\* TO 'mqtt'@'%';

Log Authentication


title: “Log Authentication”
date: 2020-01-26T11:24:39
slug: log-authentication


[server]
# Option names are shown with escaped underscores — an export artifact; the real keys
# are general_log_file, general_log and log_warnings.
# The general log captures the full text of every statement (including anything
# sensitive passed in queries), so restrict the file's permissions and rotate it.
general\_log\_file = /var/log/mysql/mysql.log
general\_log = 1
# Level 2 additionally records aborted connections and access-denied errors in the
# error log (MariaDB / MySQL 5.x semantics), which is what makes failed logins visible.
log\_warnings = 2

Allow setting the user ID


title: “Allow setting the user ID”
date: 2020-01-18T21:00:02
slug: allow-docker-users


# Grant the "anyuid" SCC to the "default" service account in namespace emqx-openshift,
# so pods using that SA may run with a fixed UID (presumably to allow the runAsUser in
# the EMQX DeploymentConfig). anyuid also permits UID 0, so prefer a dedicated SA over
# "default" when other workloads share the namespace.
oc adm policy add-scc-to-user anyuid -z default -n emqx-openshift

where -z names the service account; list the service accounts with:

# List the service accounts in the prometheus namespace (candidates for -z above).
oc get sa -n prometheus

Add an SCC to all service accounts in a namespace:

# Grant anyuid to every service account in namespace prometheus at once through the
# system:serviceaccounts:<namespace> group. Broader than a per-SA grant: every current
# and future SA in the namespace inherits it.
oc adm policy add-scc-to-group anyuid system:serviceaccounts:prometheus

Add the privileged SCC to a service account

# "privileged" is the most permissive SCC (privileged containers, host namespaces,
# host paths); granting it to the ayoung service account in namespace kubevirt (-n with
# the value attached) effectively gives that SA root on the nodes its pods land on —
# keep such grants to operators that genuinely need them.
oc adm policy add-scc-to-user privileged -nkubevirt -z ayoung

EMQX


title: “EMQX”
date: 2020-01-18T15:09:53
slug: emqx


# BuildConfig: builds the EMQX image from the GitHub repo with the Docker strategy and
# pushes it to the emqx-openshift:latest ImageStreamTag. No triggers are defined, so
# builds are started manually (oc start-build).
# NOTE(review): nesting below appears flattened to a single space by the export; the
# original manifest was indented, so re-indent before applying.
kind: "BuildConfig"
apiVersion: "v1"
metadata:
 name: "emqx-openshift"
spec:
 runPolicy: "Serial"
 source:
 git:
 uri: "https://github.com/xforze/emqx-openshift.git"
 strategy:
 dockerStrategy:
 # noCache forces every layer to be rebuilt (slower, but picks up base-image updates).
 noCache: true
 type: docker
 output:
 to:
 kind: "ImageStreamTag"
 name: "emqx-openshift:latest"
# ImageStream that receives the BuildConfig's output tag.
# NOTE(review): a new YAML document starts here without a "---" separator (only the
# Service further down has one); concatenated as-is the documents would clash.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
 name: emqx-openshift
# DeploymentConfig running one replica of the built EMQX image, pinned by digest
# (immutable reference — good), redeployed on config changes and on new
# emqx-openshift:latest images.
# NOTE(review): new YAML document; it needs a "---" separator above it.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
 name: emqx-openshift
spec:
 # NOTE(review): securityContext/runAsUser belong on the pod template
 # (spec.template.spec.securityContext); at the DeploymentConfig spec level the field
 # is not part of the schema and would be ignored or rejected — confirm the intended
 # placement. A fixed UID also needs the anyuid SCC granted to the pod's SA.
 securityContext:
 runAsUser: 999
 replicas: 1
 template:
 metadata:
 annotations:
 openshift.io/generated-by: OpenShiftWebConsole
 creationTimestamp: null
 labels:
 app: emqx-openshift
 deploymentconfig: emqx-openshift
 spec:
 containers:
 - image: >-
 172.30.1.1:5000/emqx-openshift/emqx-openshift@sha256:d2b501278f6d2d797a35143915adcc0e9218547e89e6c2c27c4f6f9898020f0e
 imagePullPolicy: Always
 name: emqx-openshift
 dnsPolicy: ClusterFirst
 restartPolicy: Always
 schedulerName: default-scheduler
 terminationGracePeriodSeconds: 30
 test: false
 triggers:
 - type: ConfigChange
 - imageChangeParams:
 automatic: true
 containerNames:
 - emqx-openshift
 from:
 kind: ImageStreamTag
 name: 'emqx-openshift:latest'
 namespace: emqx-openshift
 # lastTriggeredImage is maintained by the controller; it can be left out when
 # authoring the manifest.
 lastTriggeredImage: >-
 172.30.1.1:5000/emqx-openshift/emqx-openshift@sha256:d2b501278f6d2d797a35143915adcc0e9218547e89e6c2c27c4f6f9898020f0e
 type: ImageChange
# RoleBinding granting the "view" ClusterRole, scoped to namespace emqx-openshift, to
# the namespace's "default" service account.
# NOTE(review): every pod that does not set serviceAccountName runs as "default", so
# all workloads in the namespace inherit this read access; bind it to a dedicated SA
# for the EMQX pods instead. New YAML document — needs a "---" separator above it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
 name: emqx
 namespace: emqx-openshift
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: view
subjects:
- kind: ServiceAccount
 name: default
 namespace: emqx-openshift
---
# LoadBalancer Service exposing all EMQX listeners on two LAN externalIPs and on
# NodePorts. 18083 is EMQX's HTTP dashboard and 1883 is plaintext MQTT; both reach the
# LAN directly here, so make sure the dashboard's default credentials are changed and
# client authentication is enabled on the MQTT listeners, and prefer the TLS listener
# (8883) for clients.
# NOTE(review): clusterIP and the nodePort values are pinned (copied from a live
# object); drop them when re-applying to a different cluster to avoid allocation clashes.
apiVersion: v1
kind: Service
metadata:
 name: emqx-openshift
 namespace: emqx-openshift
spec:
 clusterIP: 172.30.149.223
 externalIPs:
 - 192.168.1.27
 - 192.168.1.22
 externalTrafficPolicy: Cluster
 ports:
 - name: emqx-openshift
 nodePort: 32063
 port: 18083
 protocol: TCP
 targetPort: 18083
 - name: emqx-openshift-11883
 nodePort: 31548
 port: 11883
 protocol: TCP
 targetPort: 11883
 - name: emqx-openshift-1883
 nodePort: 32764
 port: 1883
 protocol: TCP
 targetPort: 1883
 - name: emqx-openshift-8883
 nodePort: 31726
 port: 8883
 protocol: TCP
 targetPort: 8883
 - name: emqx-openshift-9091
 nodePort: 31821
 port: 9091
 protocol: TCP
 targetPort: 9091
 selector:
 deploymentconfig: emqx-openshift
 sessionAffinity: None
 type: LoadBalancer

Enable externalIP


title: “Enable externalIP”
date: 2020-01-18T14:36:25
slug: enable-externalip


# Edit the minishift API server master config on the VM disk; the networkConfig
# excerpt below is the part to change, and the apiserver has to be restarted for it
# to take effect.
vi /mnt/sda1/var/lib/minishift/base/kube-apiserver/master-config.yaml
# Excerpt of master-config.yaml (indentation flattened by the export).
networkConfig:
 clusterNetworks:
 - cidr: 10.128.0.0/14
 hostSubnetLength: 9
 # Services may only request externalIPs inside these CIDRs. A whole LAN /16 means
 # any user who can create a Service can claim any address in it (including those of
 # other hosts); narrow it to the few addresses reserved for this purpose.
 externalIPNetworkCIDRs:
 - 192.168.0.0/16
 ingressIPNetworkCIDR: 172.29.0.0/16

Docker Build Config & Deploy App


title: “Docker Build Config & Deploy App”
date: 2020-01-18T10:51:24
slug: docker-build-config


# BuildConfig building the webapp image from GitHub with the Docker strategy; builds
# are triggered by GitHub and generic webhooks and by base-image changes.
# NOTE(review): the webhook secret is the only thing authenticating callers of the
# trigger URL, and "secret101" is a guessable placeholder used twice; generate a long
# random value per trigger and store it in a Secret object rather than inline.
# Nesting below is flattened to a single space by the export — re-indent before applying.
kind: "BuildConfig"
apiVersion: "v1"
metadata:
 name: "my-webapp-docker"
spec:
 runPolicy: "Serial"
 triggers:
 -
 type: "GitHub"
 github:
 secret: "secret101"
 - type: "Generic"
 generic:
 secret: "secret101"
 -
 type: "ImageChange"
 source:
 git:
 uri: "https://github.com/xforze/python-test.git"
 strategy:
 dockerStrategy:
 # noCache forces every layer to be rebuilt (slower, but picks up base-image updates).
 noCache: true
 type: docker
 output:
 to:
 kind: "ImageStreamTag"
 name: "webapp-sample:latest"

Create a new ImageStream:

# ImageStream that receives the BuildConfig's webapp-sample:latest output.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
 name: webapp-sample

Deploy the Application

# DeploymentConfig for one replica of the webapp, rolled out on config changes and
# whenever webapp-sample:latest is updated.
# NOTE(review): the container image is referenced by the mutable ":latest" tag rather
# than a digest (unlike the EMQX post), so what runs depends on whatever the tag points
# to at pull time; the ImageChange trigger mitigates this but a digest is reproducible.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
 name: webapp-sample
spec:
 replicas: 1
 paused: false
 strategy:
 type: Rolling
 template:
 metadata:
 labels:
 name: webapp-sample
 spec:
 containers:
 - image: >-
 172.30.1.1:5000/my-webapp/webapp-sample:latest
 imagePullPolicy: Always
 name: webapp-sample
 restartPolicy: Always
 triggers:
 - type: ConfigChange
 - imageChangeParams:
 automatic: true
 containerNames:
 - webapp-sample
 from:
 kind: ImageStreamTag
 name: 'webapp-sample:latest'
 # lastTriggeredImage is maintained by the controller and can be omitted when authoring.
 lastTriggeredImage: >-
 172.30.1.1:5000/my-webapp/webapp-sample:latest
 type: ImageChange

Create a Service:

# ClusterIP Service (default type) fronting the webapp pods on 8080.
# NOTE(review): "ports:" appears twice in a row; one is a duplicate key and should be
# removed — a YAML loader will either reject the document or silently drop one of them.
apiVersion: v1
kind: Service
metadata:
 name: webapp-sample
spec:
 selector:
 deploymentconfig: webapp-sample
 ports:
 ports:
 - name: web
 port: 8080
 protocol: TCP
 targetPort: 8080

Create a Service with external IP:

# Same Service, but reachable from outside the cluster on 192.168.42.132:8080 via
# externalIPs (requires that address to fall inside externalIPNetworkCIDRs, see the
# "Enable externalIP" post). 192.168.42.132 is also the minishift API address used in
# the "Curl the Api" post, so this shares the VM's IP on a different port.
apiVersion: v1
kind: Service
metadata:
 name: webapp-sample
spec:
 externalIPs:
 - 192.168.42.132
 ports:
 - port: 8080
 protocol: TCP
 selector:
 deploymentconfig: webapp-sample
 type: LoadBalancer

Add Role to User


title: “Add Role to User”
date: 2020-01-18T09:36:46
slug: add-role-to-user


# Bind the cluster-admin ClusterRole to user "administrator": unrestricted access to
# every resource in every namespace, so reserve it for a break-glass identity and give
# day-to-day users namespace-scoped roles (admin/edit/view) instead.
oc adm policy add-cluster-role-to-user cluster-admin administrator
cluster role "cluster-admin" added: "administrator"

Curl the Api


title: “Curl the Api”
date: 2020-01-18T09:17:25
slug: curl-the-api


Login as Developer:

oc login
Authentication required for https://192.168.42.132:8443 (openshift)
Username: debeloper
Password:
Login successful.

Get the User Token:

# Print the OAuth bearer token of the current session. Anything printed here is a live
# credential: the token shown below this command was published with the post and should
# be treated as compromised — revoke it (e.g. oc logout, which removes the server-side
# token) rather than leaving it to expire.
oc whoami -t
uVBxWxgBPwa3B\_92d4Avckq974cUIW6BvBFxpdXNLDw

Curl the API:

# Call the legacy /oapi users endpoint with the session token.
# NOTE(review): -k disables TLS certificate verification, so the bearer token is sent
# to whatever answers at that address — use --cacert with the cluster CA instead.
# Passing the token on the command line also leaves it in shell history and in "ps"
# output; read the header from a file (curl -H @file) or a variable instead of
# pasting the token.
curl -k https://192.168.42.132:8443/oapi/v1/users -H "Authorization: Bearer uVBxWxgBPwa3B\_92d4Avckq974cUIW6BvBFxpdXNLDw"