router host restrictions

2016-09-05 Thread Miloslav Vlach
Hi all,

I would like to ask if there is any option to secure the route.

For example, in apache I have the host restriction - only some IP addresses
or hosts are allowed to get the virtual host.

Is there any option how to do this in openshift?

Thanks Mila
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: few basic questions about S2I and docker run

2016-09-05 Thread Ben Parees
On Mon, Sep 5, 2016 at 11:42 PM, Ravi wrote:

>
> Ben,
>
> You have been very helpful. I am sincerely thankful.
>
> > I still think you'll get more mileage by trying to use the system as it
> > was designed to be used (build an image with your compiled source built
> > in) instead of trying to force a different workflow onto it.
>
> I understand and agree. Accordingly I need to work on a 2 step solution
> 1. First step is to get my dockers up and running in a day or two.
> Considering how long it is taking me to understand the system, I want to do
> it the short way first. I.e. able to run following command from within
> openshift
> "docker run --rm -it -v /my/host/folder:/usr/src/myapp -w /usr/src/myapp
> openjdk:8-jre-alpine java myClass"
>
> This means
> - download jars/files from source control to a host folder foobar
> - mount the host folder foobar, that has my class files/jars into a java
> docker at /usr/src/myapp
> - run java docker (along with -w flag)
>

i'd start by doing a basic tutorial with "oc cluster up" and building one
of the existing applications/running some of the existing images.

Then you can advance to building your own image (either building it using
openshift, or building it yourself via "docker build" and pushing the image
to a registry so you can then deploy it on openshift using "oc new-app" or
"oc run").

>
> 2. Once I can get system up, I will continue to understand how to make S2I
> operational and switch to it once I have enough confidence. I am struggling
> with the fact that running php through S2I seems to be straightforward. No
> special config etc is needed. However to run Java or Node code, the repo
> should have particular images or package.json etc. and so far I am not able
> to understand what I need to add to the repo to make it S2I compatible.
> In other words, if I create one php file, put in a repo, mention the git
> url in S2I, it works. If I create a single node file or java file or even
> jboss example git (https://github.com/jboss-developer/jboss-eap-quickstarts)
> in S2I, the build fails.
>

i'm not sure what issues you are having with nodejs, but for java it is
true that the only s2i build images openshift itself provides assume you
are using maven to build your app, that your app produces an ear or war
file, and you are going to run that ear/war on eap, tomcat, or wildfly.  So
if you're trying to build/run a standalone java app, there is no out of the
box s2i builder image that can help you.  It would not be incredibly
difficult to write one, but given where you're at, i'd start by either
using a docker-type build, or building the image manually outside of
openshift and just using openshift to run the image.

I'd be happy to give you some pointers on creating a generic java s2i
builder image when you get to that point.

>
> I hope that makes sense.
> Regards
>
>
>
> On 9/5/2016 7:33 PM, Ben Parees wrote:
>
>>
>>
>> On Fri, Sep 2, 2016 at 4:27 PM, Ravi wrote:
>>
>>
>> Ben, thanks for pointing me in right direction. However, after a
>> week, I am still struggling and need help.
>>
>> The questions you raised are genuine issues which, if managed by
>> openshift will be easy to handle, however if openshift does not
>> manage them, then manually managing them is certainly a difficult
>> task.
>>
>> Leaving that aside, I have been struggling with running my app on
>> openshift. Here is a list of everything I tried
>>
>> As suggested by you, I tried to create a volume and run java docker
>> with it. I am getting really lost in variety of issues, here are some:
>>
>>
>> I still think you'll get more mileage by trying to use the system as it
>> was designed to be used (build an image with your compiled source built
>> in) instead of trying to force a different workflow onto it.
>>
>>
>> - unless I login with service:admin user (no password), I am not
>> authorized to mount a volume.
>>
>>
>> what type of volume?  what do you mean by "mount a volume"?  what
>> commands are you running?  how is your pod or deployment config defined?
>>
>>
>>
>> - I can only login with service:admin on command line, the UI gives
>> me error. So basically I cannot visually see mounted volumes
>> - There is no way from UI to create a Volume Claim, I must define a
>> JSON
>>
>> - I was unable to find any documentation for this JSON and had to
>> copy from other places
>>
>>
>> you can use "oc set volumes" to add volume claims to a deployment
>> config, once you have (as an administrator) defined persistent volumes
>> in your cluster.
>>
>> you can also "attach storage" to a deployment config from within the
>> openshift console, but that does not apply to your scenario since you
>> are trying to mount a "specific" volume into your pod instead of just
>> requesting persistent storage.
>>
>>
>>
>>
>> - 

Re: few basic questions about S2I and docker run

2016-09-05 Thread Ravi


Ben,

You have been very helpful. I am sincerely thankful.

> I still think you'll get more mileage by trying to use the system as it
> was designed to be used (build an image with your compiled source built
> in) instead of trying to force a different workflow onto it.

I understand and agree. Accordingly I need to work on a 2 step solution
1. First step is to get my dockers up and running in a day or two. 
Considering how long it is taking me to understand the system, I want to 
do it the short way first. I.e. able to run following command from 
within openshift

"docker run --rm -it -v /my/host/folder:/usr/src/myapp -w /usr/src/myapp
openjdk:8-jre-alpine java myClass"

This means
- download jars/files from source control to a host folder foobar
- mount the host folder foobar, that has my class files/jars into a java 
docker at /usr/src/myapp

- run java docker (along with -w flag)

2. Once I can get system up, I will continue to understand how to make 
S2I operational and switch to it once I have enough confidence. I am 
struggling with the fact that running php through S2I seems to be 
straightforward. No special config etc is needed. However to run Java or 
Node code, the repo should have particular images or package.json etc. 
and so far I am not able to understand what I need to add to the repo to 
make it S2I compatible.
In other words, if I create one php file, put in a repo, mention the git 
url in S2I, it works. If I create a single node file or java file or 
even jboss example git 
(https://github.com/jboss-developer/jboss-eap-quickstarts) in S2I, the 
build fails.


I hope that makes sense.
Regards



On 9/5/2016 7:33 PM, Ben Parees wrote:



On Fri, Sep 2, 2016 at 4:27 PM, Ravi wrote:


Ben, thanks for pointing me in right direction. However, after a
week, I am still struggling and need help.

The questions you raised are genuine issues which, if managed by
openshift will be easy to handle, however if openshift does not
manage them, then manually managing them is certainly a difficult task.

Leaving that aside, I have been struggling with running my app on
openshift. Here is a list of everything I tried

As suggested by you, I tried to create a volume and run java docker
with it. I am getting really lost in variety of issues, here are some:


I still think you'll get more mileage by trying to use the system as it
was designed to be used (build an image with your compiled source built
in) instead of trying to force a different workflow onto it.



- unless I login with service:admin user (no password), I am not
authorized to mount a volume.


what type of volume?  what do you mean by "mount a volume"?  what
commands are you running?  how is your pod or deployment config defined?



- I can only login with service:admin on command line, the UI gives
me error. So basically I cannot visually see mounted volumes
- There is no way from UI to create a Volume Claim, I must define a
JSON

- I was unable to find any documentation for this JSON and had to
copy from other places


you can use "oc set volumes" to add volume claims to a deployment
config, once you have (as an administrator) defined persistent volumes
in your cluster.

you can also "attach storage" to a deployment config from within the
openshift console, but that does not apply to your scenario since you
are trying to mount a "specific" volume into your pod instead of just
requesting persistent storage.




- After all this, how do I know which volume is being attached to
which volume claim?


you aren't supposed to care.  You ask for persistent storage, the
system finds persistent storage to meet those needs, and you use it.

If you're trying to set up a specific persistent volume definition with
existing content, and then ensure that particular PV gets assigned to
your Pod then you don't use a PVC, you just reference the volume
directly in the Pod definition as with the git repo volume example.



- I copied mongodb.json and switched image to java.json, this did
not work
- I decided, this was too complex, lets just do S2I. However, when I
cannot find any documentation how to do it. The example images work
but when i try my own node or JEE project, S2I fails. I am guessing
it needs some specific files in source to do this.
- While PHP project https://github.com/gshipley/simplephp works with S2I
with only a php file, when I create a nodejs file, it does not work. I could
not find documentation on how to get my node file to run.


https://github.com/openshift/nodejs-ex

https://docs.openshift.org/latest/using_images/s2i_images/nodejs.html



- I tried to do walkthroughs, but most of them are using 

Re: few basic questions about S2I and docker run

2016-09-05 Thread Cameron Braid
Sorry to hijack your thread, but where is the "git repo volume example" ?

In origin git I can see the gitserver (
https://github.com/openshift/origin/tree/master/examples/gitserver) but it
uses either ephemeral or pvc.

Cheers

Cameron

On Tue, 6 Sep 2016 at 12:34 Ben Parees wrote:

> On Fri, Sep 2, 2016 at 4:27 PM, Ravi wrote:
>
>>
>> Ben, thanks for pointing me in right direction. However, after a week, I
>> am still struggling and need help.
>>
>> The questions you raised are genuine issues which, if managed by
>> openshift will be easy to handle, however if openshift does not manage
>> them, then manually managing them is certainly a difficult task.
>>
>> Leaving that aside, I have been struggling with running my app on
>> openshift. Here is a list of everything I tried
>>
>> As suggested by you, I tried to create a volume and run java docker with
>> it. I am getting really lost in variety of issues, here are some:
>>
>
> I still think you'll get more mileage by trying to use the system as it
> was designed to be used (build an image with your compiled source built in)
> instead of trying to force a different workflow onto it.
>
>
>
>>
>> - unless I login with service:admin user (no password), I am not
>> authorized to mount a volume.
>>
>
> what type of volume?  what do you mean by "mount a volume"?  what
> commands are you running?  how is your pod or deployment config defined?
>
>
>
>> - I can only login with service:admin on command line, the UI gives me
>> error. So basically I cannot visually see mounted volumes
>> - There is no way from UI to create a Volume Claim, I must define a JSON
>>
>> - I was unable to find any documentation for this JSON and had to copy
>> from other places
>>
>
> you can use "oc set volumes" to add volume claims to a deployment
> config, once you have (as an administrator) defined persistent volumes in
> your cluster.
>
> you can also "attach storage" to a deployment config from within the
> openshift console, but that does not apply to your scenario since you are
> trying to mount a "specific" volume into your pod instead of just
> requesting persistent storage.
>
>
>
>
>> - After all this, how do I know which volume is being attached to which
>> volume claim?
>>
>
> you aren't supposed to care.  You ask for persistent storage, the system
> finds persistent storage to meet those needs, and you use it.
>
> If you're trying to set up a specific persistent volume definition with
> existing content, and then ensure that particular PV gets assigned to your
> Pod then you don't use a PVC, you just reference the volume directly in the
> Pod definition as with the git repo volume example.
>
>
>
>> - I copied mongodb.json and switched image to java.json, this did not work
>> - I decided, this was too complex, lets just do S2I. However, when I
>> cannot find any documentation how to do it. The example images work but
>> when i try my own node or JEE project, S2I fails. I am guessing it needs
>> some specific files in source to do this.
>> - While PHP project https://github.com/gshipley/simplephp works with S2I
>> with only a php file, when I create a nodejs file, it does not work. I
>> could not find documentation on how to get my node file to run.
>>
>
> https://github.com/openshift/nodejs-ex
> https://docs.openshift.org/latest/using_images/s2i_images/nodejs.html
>
>
>
>> - I tried to do walkthroughs, but most of them are using openshift online
>> and a command "rhc" that is not available to me.
>>
>
> i'm not sure what walkthroughs you found, but "rhc" is a command line
> tool for the previous version of openshift, v2.  So that is irrelevant to
> what you're trying to do.  The v3 online environment is here:
>
> https://console.preview.openshift.com/console/
>
> and you can find a tutorial here:
> https://github.com/openshift/origin/tree/master/examples/sample-app
> (if you already have an openshift cluster, you can start at step 7,
> "Create a new project in OpenShift.")
>
>
>
>>
>> And all I wanted to do was run one simple command:
>>
>> docker run --rm -it -v /my/host/folder:/usr/src/myapp -w /usr/src/myapp
>> openjdk:8-jre-alpine java myClass
>>
>> ARGGG!! HELP please.
>>
>>
>>
>> On 8/26/2016 3:24 PM, Ben Parees wrote:
>>
>>>
>>>
>>> On Fri, Aug 26, 2016 at 6:10 PM, Ravi Kapoor wrote:
>>>
>>>
>>> Ben,
>>>
>>> Thank you so much for taking the time to explain. This is very
>>> helpful.
>>> If I may, I have a few followup questions:
>>>
>>> > That is not a great approach to running code.  It's fine for
>>> development, but you really want to be producing immutable images that a
>>> developer can hand to QE has tested it, they can hand that exact same image
>>> to prod, and there's no risk that pieces have changed.
>>>
>>> Q1: It seems like Lyft uses the approach I was mentioning i.e.
>>> inject code into dockers rather than copy 

Re: few basic questions about S2I and docker run

2016-09-05 Thread Ben Parees
On Fri, Sep 2, 2016 at 4:27 PM, Ravi wrote:

>
> Ben, thanks for pointing me in right direction. However, after a week, I
> am still struggling and need help.
>
> The questions you raised are genuine issues which, if managed by openshift
> will be easy to handle, however if openshift does not manage them, then
> manually managing them is certainly a difficult task.
>
> Leaving that aside, I have been struggling with running my app on
> openshift. Here is a list of everything I tried
>
> As suggested by you, I tried to create a volume and run java docker with
> it. I am getting really lost in variety of issues, here are some:
>

I still think you'll get more mileage by trying to use the system as it
was designed to be used (build an image with your compiled source built in)
instead of trying to force a different workflow onto it.


>
> - unless I login with service:admin user (no password), I am not
> authorized to mount a volume.
>

what type of volume?  what do you mean by "mount a volume"?  what commands
are you running?  how is your pod or deployment config defined?



> - I can only login with service:admin on command line, the UI gives me
> error. So basically I cannot visually see mounted volumes
> - There is no way from UI to create a Volume Claim, I must define a JSON
>
> - I was unable to find any documentation for this JSON and had to copy from
> other places
>

you can use "oc set volumes" to add volume claims to a deployment config,
once you have (as an administrator) defined persistent volumes in your
cluster.

you can also "attach storage" to a deployment config from within the
openshift console, but that does not apply to your scenario since you are
trying to mount a "specific" volume into your pod instead of just
requesting persistent storage.




> - After all this, how do I know which volume is being attached to which
> volume claim?
>

you aren't supposed to care.  You ask for persistent storage, the system
finds persistent storage to meet those needs, and you use it.

If you're trying to set up a specific persistent volume definition with
existing content, and then ensure that particular PV gets assigned to your
Pod then you don't use a PVC, you just reference the volume directly in the
Pod definition as with the git repo volume example.



> - I copied mongodb.json and switched image to java.json, this did not work
> - I decided, this was too complex, lets just do S2I. However, when I
> cannot find any documentation how to do it. The example images work but
> when i try my own node or JEE project, S2I fails. I am guessing it needs
> some specific files in source to do this.
> - While PHP project https://github.com/gshipley/simplephp works with S2I
> with only a php file, when I create a nodejs file, it does not work. I
> could not find documentation on how to get my node file to run.
>

https://github.com/openshift/nodejs-ex
https://docs.openshift.org/latest/using_images/s2i_images/nodejs.html


> - I tried to do walkthroughs, but most of them are using openshift online
> and a command "rhc" that is not available to me.
>

i'm not sure what walkthroughs you found, but "rhc" is a command line tool
for the previous version of openshift, v2.  So that is irrelevant to what
you're trying to do.  The v3 online environment is here:

https://console.preview.openshift.com/console/

and you can find a tutorial here:
https://github.com/openshift/origin/tree/master/examples/sample-app
(if you already have an openshift cluster, you can start at step 7, "Create
a new project in OpenShift.")


>
> And all I wanted to do was run one simple command:
>
> docker run --rm -it -v /my/host/folder:/usr/src/myapp -w /usr/src/myapp
> openjdk:8-jre-alpine java myClass
>
> ARGGG!! HELP please.
>
>
>
> On 8/26/2016 3:24 PM, Ben Parees wrote:
>
>>
>>
>> On Fri, Aug 26, 2016 at 6:10 PM, Ravi Kapoor wrote:
>>
>>
>> Ben,
>>
>> Thank you so much for taking the time to explain. This is very
>> helpful.
>> If I may, I have a few followup questions:
>>
>> > That is not a great approach to running code.  It's fine for
>> development, but you really want to be producing immutable images that a
>> developer can hand to QE has tested it, they can hand that exact same image
>> to prod, and there's no risk that pieces have changed.
>>
>> Q1: It seems like Lyft uses the approach I was mentioning i.e.
>> inject code into dockers rather than copy code inside dockers
>> (ref: https://youtu.be/iC2T3gJsB0g?t=595). In this approach there are
>> only two elements - the image (which will not change) and the code
>> build/tag which will also not change. So what else can change?
>>
>>
>>
>> Since you're mounting the code from the local filesystem into the
>> running container, how do you know the code is the same on every machine
>> that you're running the 

Re: Dockers will be consuming large amount of memory

2016-09-05 Thread Clayton Coleman
Yes, that should generally not be an issue.  Quota and limits should
effectively box the containers, although you may want to use the downward
API to tune your app (JVM or otherwise) to fit within the limits you
specify at your container level.

On Fri, Aug 26, 2016 at 4:05 AM, David Strejc wrote:

> Dear all,
>
> does anyone have experience with running "big microservices"?
>
> We got scenario where we expect process in docker consuming about 120GB of
> RAM.
>
> Let's say when I got server with 512GB of RAM will I be able to setup
> Open Shift in a way
> that it will deploy 4 running docker images onto individual nodes?
>
> Many thanks.
>
> David Strejc
> https://octopussystems.cz
> t: +420734270131
> e: david.str...@gmail.com
>


Re: Promoting deploymentconfigs etc. from dev->testing->production

2016-09-05 Thread Ben Parees
On Mon, Sep 5, 2016 at 8:59 AM, Pieter Nagel wrote:

> All documentation I've seen so far shows how to build a Continuous
> Delivery pipeline by tagging a specific image for testing/deployment.
>
> But apps consist of more than single images, they also consist of
> surrounding deployment configs, services etc. that combine all together
> into a working system.
>
> How does one manage the promotion of the entire set of these through the
> entire CD pipeline?
>
> In effect, I want to take a specific deploymentconfig from which a
> specific "known good" deployment in development was created, and clone that
> into testing -> production, along with related services and routes, except
> that image references should be rewritten to reuse the exact same "known
> good" images.
>

Yes this is a space we are actively investigating.  As you note, there are
two parts to promotion, one being the promoted "content" (images, normally)
and the other being the promoted "configuration".  Today for promoting
configuration the basic flow would be to do an "oc export" from one
environment and then "oc apply" those resources to your next environment
(possibly with some manual transformation of the resources in between).
But Gabe and Justin from my team (on CC) are actively working on how we
make that story better.  Keep an eye on these trello cards:

https://trello.com/c/HlQpE52w/848-8-provide-example-of-promoting-application-between-datacenters-projects-evg
https://trello.com/c/Mvuy5Afi/993-8-define-an-environment-resource-r-d

The first one is intended to develop some documentation that users can use
today to manually go through promotion flows via oc export/apply/etc, but
with more prescriptive direction.  The second represents our longer term
vision to make promotion between environments a first class feature of
OpenShift, with specific tools for accomplishing it.

I'm sure Gabe and Justin would be very interested to hear more about your
specific use case in order to ensure it is covered as they are thinking
about this.




>
> Is there a better procedure than "check if the definition of the
> deploymentconfig changed during the last cycle, and if so, `oc apply` the
> relevant changes to the testing/production projects before tagging the
> image"?
>
> --
> Pieter Nagel
> Lautus Solutions (Pty) Ltd
> Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
> 0832587540
>


-- 
Ben Parees | OpenShift
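
The "manual transformation" step between "oc export" and "oc apply" discussed above, as an added example that is not part of the thread or of OpenShift itself: it strips source-cluster state from exported resources and pins each container image to a recorded digest so the target environment runs the exact image that was tested. The sample export, registry names, digest, the `KNOWN_GOOD` mapping, and the choices to drop ImageChange triggers and the route host are all assumptions made for illustration.

```python
import copy
import json

# Constructed sample standing in for the JSON that `oc export` would emit.
EXPORTED = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "DeploymentConfig", "apiVersion": "v1",
   "metadata": {"name": "web", "namespace": "dev", "uid": "constructed-uid",
                "resourceVersion": "1234"},
   "spec": {"replicas": 1,
            "triggers": [
              {"type": "ConfigChange"},
              {"type": "ImageChange", "imageChangeParams": {
                 "automatic": true, "containerNames": ["web"],
                 "from": {"kind": "ImageStreamTag", "name": "web:latest"}}}],
            "template": {"spec": {"containers": [
              {"name": "web", "image": "registry.example/dev/web:latest"}]}}},
   "status": {"latestVersion": 7}},
  {"kind": "Service", "apiVersion": "v1",
   "metadata": {"name": "web", "namespace": "dev"},
   "spec": {"clusterIP": "172.30.0.10", "ports": [{"port": 8080}]}},
  {"kind": "Route", "apiVersion": "v1",
   "metadata": {"name": "web", "namespace": "dev"},
   "spec": {"host": "web-dev.apps.example",
            "to": {"kind": "Service", "name": "web"}}}
]}
""")

# Hypothetical record of what was tested in dev: tag reference -> digest.
KNOWN_GOOD = {
    "registry.example/dev/web:latest":
        "registry.example/dev/web@sha256:" + "ab" * 32,  # constructed digest
}

# Metadata assigned by the source cluster; meaningless in the target.
CLUSTER_FIELDS = ("uid", "resourceVersion", "selfLink",
                  "creationTimestamp", "generation")


def pin_image(image, known_good):
    """Return a digest reference; refuse images with no recorded digest."""
    if "@sha256:" in image:
        return image
    if image not in known_good:
        raise ValueError("no known-good digest recorded for %r" % image)
    return known_good[image]


def promote_item(item, namespace, known_good):
    out = copy.deepcopy(item)  # never mutate the exported original
    meta = out.setdefault("metadata", {})
    for field in CLUSTER_FIELDS:
        meta.pop(field, None)
    meta["namespace"] = namespace
    out.pop("status", None)
    spec = out.get("spec", {})
    if out.get("kind") == "DeploymentConfig":
        # Assumption: drop ImageChange triggers so the target cluster does
        # not re-resolve a mutable tag over the pinned digest.
        spec["triggers"] = [t for t in spec.get("triggers", [])
                            if t.get("type") != "ImageChange"]
        for container in spec["template"]["spec"]["containers"]:
            container["image"] = pin_image(container["image"], known_good)
    elif out.get("kind") == "Service":
        spec.pop("clusterIP", None)  # allocated per cluster
    elif out.get("kind") == "Route":
        spec.pop("host", None)  # assumption: target router assigns the host
    return out


def promote(exported, namespace, known_good):
    items = exported["items"] if exported.get("kind") == "List" else [exported]
    return {"kind": "List", "apiVersion": "v1",
            "items": [promote_item(i, namespace, known_good) for i in items]}


if __name__ == "__main__":
    print(json.dumps(promote(EXPORTED, "testing", KNOWN_GOOD), indent=2))
```

The printed list is what would be handed to "oc apply" in the next project; a container whose tag has no recorded digest stops the promotion instead of silently shipping an untested image.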


Promoting deploymentconfigs etc. from dev->testing->production

2016-09-05 Thread Pieter Nagel
All documentation I've seen so far shows how to build a Continuous Delivery
pipeline by tagging a specific image for testing/deployment.

But apps consist of more than single images, they also consist of
surrounding deployment configs, services etc. that combine all together
into a working system.

How does one manage the promotion of the entire set of these through the
entire CD pipeline?

In effect, I want to take a specific deploymentconfig from which a specific
"known good" deployment in development was created, and clone that into
testing -> production, along with related services and routes, except that
image references should be rewritten to reuse the exact same "known good"
images.

Is there a better procedure than "check if the definition of the
deploymentconfig changed during the last cycle, and if so, `oc apply` the
relevant changes to the testing/production projects before tagging the
image"?

-- 
Pieter Nagel
Lautus Solutions (Pty) Ltd
Building 27, The Woodlands, 20 Woodlands Drive, Woodmead, Gauteng
0832587540


origin crashed

2016-09-05 Thread Candide Kemmler
Hi,

I have a development server setup made up of two nodes (1 master - 1 slave) 
running a bunch of different projects and environments which just crashed badly 
on me.

Symptoms are: all containers in all projects are in pending state (orange 
circle) - when I try to `delete all`, things get removed but pods hang in a 
'terminating' state. oc describe gives me uninteresting information that I 
already know (basically that pods are Pending) and oc logs tells me that it 
(could not find the requested resource).

I tried to `sudo systemctl restart origin-master` as it seems to have produced 
good results in the past, but that didn't help this time. I also tried that in 
combination with a full system reboot.

Finally I tried running the ansible scripts in hopes of updating origin to the 
latest version (it's still running 1.1.6) but I got the following error log:

failed: [paas.intrinsic.world] => {"changed": false, "cmd": ["oc", "create", 
"-n", "openshift", "-f", 
"/usr/share/openshift/examples/image-streams/image-streams-centos7.json"], 
"delta": "0:00:00.180874", "end": "2016-09-05 07:20:12.050123", "failed": true, 
"failed_when_result": true, "rc": 1, "start": "2016-09-05 07:20:11.869249", 
"stdout_lines": [], "warnings": []}
stderr: unable to connect to a server to handle "imagestreamlists": the server 
has asked for the client to provide credentials

FATAL: all hosts have already failed -- aborting

PLAY RECAP
           to retry, use: --limit @/Users/candide/config.retry

apps.intrinsic.world       : ok=48   changed=0    unreachable=0    failed=0
localhost                  : ok=15   changed=0    unreachable=0    failed=0
paas.intrinsic.world       : ok=207  changed=0    unreachable=0    failed=1

My last option is to reinstall everything from scratch but before I do this I 
wanted to know if you guys had other ideas on how to get on top of things again.

Candide
