training's Introduction

OpenShift 4 (beta) on AWS

This tutorial walks you through setting up OpenShift the easy way. This guide is for people looking for a fully automated command to bring up a self-managed pre-release (beta) OpenShift 4 cluster on Amazon AWS.

The results of this tutorial should not be viewed as production ready.

Target Audience

The target audience for this tutorial is a user looking to install and operate a pre-release OpenShift 4 cluster for early access, who wants to understand how everything fits together.

Cluster Details

This document guides you through creating a highly available OpenShift cluster on AWS.

Documentation

With the third beta drop of OpenShift 4, this repository will link you to the work-in-progress official documentation. Currently that documentation is behind a username and password (to keep search engines from indexing it).

Username: stage-user
Password: zc9$!9S%&0N9hsBVSN42

Bugs vs. Cases

As this is pre-release software, it is completely unsupported, and you should not open support cases for any issues you encounter. However, we very much wish to collect feedback on documentation and other product issues. Should you encounter a problem, feel free to file a bug.

Exercises

This tutorial assumes you have familiarity with Amazon AWS.

training's People

Contributors

arsogukpinar, ashcrow, brenton, cgwalters, chrira, clasohm, derdanu, detiber, dobbymoodge, e-minguez, jaywryan, jhadvig, jim-minter, juozasa, kilimandjango, liangxia, mscherer, nak3, nhr, rdoxenham, robszumski, sborenst, sdodson, siamaksade, sosiouxme, sspeiche, talset, thoraxe, torehaug, wking

training's Issues

Accessing https://hello-openshift.cloudapps.example.com didn't work for me

http works, https doesn't for some reason

[root@ose3-master ~]# curl -k -H "Host: hello-openshift.cloudapps.example.com" http://192.168.133.2
Hello OpenShift!
[root@ose3-master ~]# curl -k -H "Host: hello-openshift.cloudapps.example.com" https://192.168.133.2
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

may need to mention that libselinux-python needs to be installed

Thanks for this training documentation, very well written

The only gotcha so far is that running under selinux while launching the ansible playbook will fail with:

failed: [ose3-node1.example.com] => {"failed": true}
msg: Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!

Installing the package fixes the issue.

not sure if this should be fixed in the openshift-ansible repo or here

wiring example cannot reuse the 'frontend' service

I followed the wiring example and when my route wasn't working I verified the pod was actually working as expected. When looking at routes.json I noticed it was missing a section for the wiring backend. It seems like the services are not namespaced in the router. This means that we cannot reuse the name frontend that the integrated example already used. This seems like a bug but we'll likely have to update the docs for now.

@rajatchopra, @abhgupta, either of you care to comment?

identify non-essential headings

Issue #156 discussed there was a lot of "fluff" in the TOC. This has to do with doctoc and the use of markdown headings.

My suggestion would be to only generate TOC to 2 levels deep.

Here's the resulting TOC if we do that:

- [OpenShift Beta 3](#openshift-beta-3)
  - [Architecture and Requirements](#architecture-and-requirements)
  - [Setting Up the Environment](#setting-up-the-environment)
  - [Ansible-based Installer](#ansible-based-installer)
  - [Watching Logs](#watching-logs)
  - [Auth, Projects, and the Web Console](#auth-projects-and-the-web-console)
  - [Your First Application](#your-first-application)
  - [Adding Nodes](#adding-nodes)
  - [Regions and Zones](#regions-and-zones)
  - [Services](#services)
  - [Routing](#routing)
  - [The Complete Pod-Service-Route](#the-complete-pod-service-route)
  - [Project Administration](#project-administration)
  - [Preparing for STI: the Registry](#preparing-for-sti-the-registry)
  - [STI - What Is It?](#sti---what-is-it)
  - [A Fully-Integrated "Quickstart" Application](#a-fully-integrated-quickstart-application)
  - [Creating and Wiring Disparate Components](#creating-and-wiring-disparate-components)
  - [Rollback/Activate and Code Lifecycle](#rollbackactivate-and-code-lifecycle)
- [ Welcome to an OpenShift v3 Demo App! ](#welcome-to-an-openshift-v3-demo-app)
- [ This is my crustom demo! ](#this-is-my-crustom-demo)
  - [Customized Build and Run Processes](#customized-build-and-run-processes)
  - [Lifecycle Pre and Post Deployment Hooks](#lifecycle-pre-and-post-deployment-hooks)
  - [Arbitrary Docker Image (Builder)](#arbitrary-docker-image-builder)
  - [Conclusion](#conclusion)
- [APPENDIX - Installing in IaaS clouds](#appendix---installing-in-iaas-clouds)
  - [Generic cloud install](#generic-cloud-install)

It looks like there are some formatting issues causing missing appendices and etc, but would everyone agree this is a "better" TOC?

Otherwise we are looking at:

- [OpenShift Beta 3](#openshift-beta-3)
  - [Architecture and Requirements](#architecture-and-requirements)
    - [Architecture](#architecture)
    - [Requirements](#requirements)
  - [Setting Up the Environment](#setting-up-the-environment)
    - [Use a Terminal Window Manager](#use-a-terminal-window-manager)
    - [DNS](#dns)
    - [Assumptions](#assumptions)
    - [Git](#git)
    - [Your Environment](#your-environment)
    - [Preparing Each VM](#preparing-each-vm)
    - [Grab Docker Images (Optional, Recommended)](#grab-docker-images-optional-recommended)
    - [Clone the Training Repository](#clone-the-training-repository)
    - [REMINDER](#reminder)
  - [Ansible-based Installer](#ansible-based-installer)
    - [Install Ansible](#install-ansible)
    - [Generate SSH Keys](#generate-ssh-keys)
    - [Distribute SSH Keys](#distribute-ssh-keys)
    - [Clone the Ansible Repository](#clone-the-ansible-repository)
    - [Configure Ansible](#configure-ansible)
    - [Modify Hosts](#modify-hosts)
    - [Run the Ansible Installer](#run-the-ansible-installer)
    - [Add Development Users](#add-development-users)
  - [Watching Logs](#watching-logs)
  - [Auth, Projects, and the Web Console](#auth-projects-and-the-web-console)
    - [Configuring htpasswd Authentication](#configuring-htpasswd-authentication)
    - [A Project for Everything](#a-project-for-everything)
    - [Web Console](#web-console)
  - [Your First Application](#your-first-application)
    - ["Resources"](#resources)
    - [Applying Quota to Projects](#applying-quota-to-projects)
    - [Login](#login)
    - [Grab the Training Repo Again](#grab-the-training-repo-again)
    - [The Hello World Definition JSON](#the-hello-world-definition-json)
    - [Run the Pod](#run-the-pod)
    - [Looking at the Pod in the Web Console](#looking-at-the-pod-in-the-web-console)
    - [Quota Usage](#quota-usage)
    - [Extra Credit](#extra-credit)
    - [Delete the Pod](#delete-the-pod)
    - [Quota Enforcement](#quota-enforcement)
  - [Adding Nodes](#adding-nodes)
    - [Modifying the Ansible Configuration](#modifying-the-ansible-configuration)
  - [Regions and Zones](#regions-and-zones)
    - [Scheduler and Defaults](#scheduler-and-defaults)
    - [The NodeSelector](#the-nodeselector)
    - [Customizing the Scheduler Configuration](#customizing-the-scheduler-configuration)
    - [Restart the Master](#restart-the-master)
    - [Label Your Nodes](#label-your-nodes)
  - [Services](#services)
  - [Routing](#routing)
    - [Creating the Router](#creating-the-router)
    - [Router Placement By Region](#router-placement-by-region)
  - [The Complete Pod-Service-Route](#the-complete-pod-service-route)
    - [Creating the Definition](#creating-the-definition)
    - [Status Report, Captain!](#status-report-captain)
    - [Verifying the Service](#verifying-the-service)
    - [Verifying the Routing](#verifying-the-routing)
    - [The Web Console](#the-web-console)
  - [Project Administration](#project-administration)
    - [Deleting a Project](#deleting-a-project)
  - [Preparing for STI: the Registry](#preparing-for-sti-the-registry)
    - [Registry Placement By Region (optional)](#registry-placement-by-region-optional)
  - [STI - What Is It?](#sti---what-is-it)
    - [Create a New Project](#create-a-new-project)
    - [Switch Projects](#switch-projects)
    - [A Simple Code Example](#a-simple-code-example)
    - [CLI versus Console](#cli-versus-console)
    - [Adding the Builder ImageStreams](#adding-the-builder-imagestreams)
    - [Wait, What's an ImageStream?](#wait-whats-an-imagestream)
    - [Adding Code Via the Web Console](#adding-code-via-the-web-console)
    - [The Web Console Revisited](#the-web-console-revisited)
    - [Examining the Build](#examining-the-build)
    - [Testing the Application](#testing-the-application)
    - [Adding a Route to Our Application](#adding-a-route-to-our-application)
    - [Implications of Quota Enforcement on Scaling](#implications-of-quota-enforcement-on-scaling)
  - [A Fully-Integrated "Quickstart" Application](#a-fully-integrated-quickstart-application)
    - [A Project for the Quickstart](#a-project-for-the-quickstart)
    - [A Quick Aside on Templates](#a-quick-aside-on-templates)
    - [Adding the Template](#adding-the-template)
    - [Create an Instance of the Template](#create-an-instance-of-the-template)
    - [The Template is Alive!](#the-template-is-alive)
    - [Using Your App](#using-your-app)
  - [Creating and Wiring Disparate Components](#creating-and-wiring-disparate-components)
    - [Create a New Project](#create-a-new-project-1)
    - [Stand Up the Frontend](#stand-up-the-frontend)
    - [Visit Your Application](#visit-your-application)
    - [Create the Database Config](#create-the-database-config)
    - [Visit Your Application Again](#visit-your-application-again)
    - [Replication Controllers](#replication-controllers)
    - [Revisit the Webpage](#revisit-the-webpage)
  - [Rollback/Activate and Code Lifecycle](#rollbackactivate-and-code-lifecycle)
    - [Fork the Repository](#fork-the-repository)
    - [Update the BuildConfig](#update-the-buildconfig)
    - [Change the Code](#change-the-code)
- [ Welcome to an OpenShift v3 Demo App! ](#welcome-to-an-openshift-v3-demo-app)
- [ This is my crustom demo! ](#this-is-my-crustom-demo)
    - [Start a Build with a Webhook](#start-a-build-with-a-webhook)
    - [Oops!](#oops)
    - [Rollback](#rollback)
    - [Activate](#activate)
  - [Customized Build and Run Processes](#customized-build-and-run-processes)
    - [Add a Script](#add-a-script)
    - [Kick Off a Build](#kick-off-a-build)
    - [Watch the Build Logs](#watch-the-build-logs)
    - [Did You See It?](#did-you-see-it)
  - [Lifecycle Pre and Post Deployment Hooks](#lifecycle-pre-and-post-deployment-hooks)
    - [A Rails Database Migration](#a-rails-database-migration)
    - [Examining the Deployment Configuration](#examining-the-deployment-configuration)
    - [Modifying the Hooks](#modifying-the-hooks)
    - [Quickly Clean Up](#quickly-clean-up)
    - [Build Again](#build-again)
    - [Verify the Migration](#verify-the-migration)
  - [Arbitrary Docker Image (Builder)](#arbitrary-docker-image-builder)
    - [That Project Thing](#that-project-thing)
    - [Build Wordpress](#build-wordpress)
    - [Test Your Application](#test-your-application)
    - [Application Resource Labels](#application-resource-labels)
  - [Conclusion](#conclusion)
- [APPENDIX - Installing in IaaS clouds](#appendix---installing-in-iaas-clouds)
  - [Generic cloud install](#generic-cloud-install)
    - [An example hosts file (/etc/ansible/hosts)](#an-example-hosts-file-etcansiblehosts)
    - [Testing the auto-detected values](#testing-the-auto-detected-values)

This isn't terrible, but it is a little chatty.

Thoughts?

@sdodson
@sosiouxme

"new-app" uses centos templates by default

osc new-app https://github.com/openshift/simple-openshift-sinatra-sti.git -o yaml will generate the following YAML:

apiVersion: v1beta1
creationTimestamp: null
items:
- apiVersion: v1beta1
  containerPort: 8080
  creationTimestamp: null
  id: simple-openshift-sinatra
  kind: Service
  port: 8080
  portName: simple-openshift-sinatra-sti-tcp-8080
  ports:
  - containerPort: 8080
    name: simple-openshift-sinatra-sti-tcp-8080
    port: 8080
    protocol: TCP
  protocol: TCP
  selector:
    deploymentconfig: simple-openshift-sinatra-sti
- apiVersion: v1beta1
  kind: ImageStream
  metadata:
    creationTimestamp: null
    name: simple-openshift-sinatra-sti
  spec: {}
  status:
    dockerImageRepository: ""
- apiVersion: v1beta1
  kind: BuildConfig
  metadata:
    creationTimestamp: null
    name: simple-openshift-sinatra-sti
  parameters:
    output:
      to:
        name: simple-openshift-sinatra-sti
    source:
      git:
        uri: https://github.com/openshift/simple-openshift-sinatra-sti.git
      type: Git
    strategy:
      stiStrategy:
        builderImage: openshift/ruby-20-centos7
        clean: true
        image: openshift/ruby-20-centos7
      type: STI
  triggers:
  - github:
      secret: bvtxaMKm4ysaKcZrDr1F
    type: github
  - generic:
      secret: mFBjA2_8lqfRxT-SUF49
    type: generic
- apiVersion: v1beta1
  kind: DeploymentConfig
  metadata:
    creationTimestamp: null
    name: simple-openshift-sinatra-sti
  template:
    controllerTemplate:
      podTemplate:
        desiredState:
          manifest:
            containers:
            - capabilities: {}
              image: library/simple-openshift-sinatra-sti:latest
              imagePullPolicy: ""
              name: simple-openshift-sinatra-sti
              ports:
              - containerPort: 8080
                name: simple-openshift-sinatra-sti-tcp-8080
                protocol: TCP
              resources: {}
            id: ""
            restartPolicy: {}
            version: v1beta2
            volumes: null
        labels:
          deploymentconfig: simple-openshift-sinatra-sti
      replicaSelector:
        deploymentconfig: simple-openshift-sinatra-sti
      replicas: 1
    strategy:
      type: Recreate
  triggers:
  - type: ConfigChange
  - imageChangeParams:
      automatic: true
      containerNames:
      - simple-openshift-sinatra-sti
      from:
        name: simple-openshift-sinatra-sti
      lastTriggeredImage: ""
      tag: latest
    type: ImageChange
kind: List

The image chosen is openshift/ruby-20-centos7. While the Docker configuration defaults to adding registry.access.redhat.com, as far as I know, there is no matching image there.

@brenton @sdodson
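
An added example, not part of the original issue or of the project's code: a Python check that pulls the `builderImage` and `image` values out of generated output like the YAML above and reports which references name no registry host, so that the Docker daemon's registry configuration decides where they are pulled from. The sample text is constructed from lines quoted in this issue, the `example/builder` path is made up for contrast, and the function names are hypothetical.

```python
import re

# Constructed sample: image lines copied from the generated YAML in this issue,
# plus one registry-qualified reference (made-up path) for contrast.
SAMPLE = """\
      stiStrategy:
        builderImage: openshift/ruby-20-centos7
        clean: true
        image: openshift/ruby-20-centos7
            containers:
            - capabilities: {}
              image: library/simple-openshift-sinatra-sti:latest
              imagePullPolicy: ""
            - name: contrast
              image: registry.access.redhat.com/example/builder:1.0
      lastTriggeredImage: ""
"""

# Matches only the exact keys "image" and "builderImage", so that
# "imagePullPolicy" and "lastTriggeredImage" are ignored.
IMAGE_LINE = re.compile(r"^\s*(?:-\s+)?(builderImage|image):\s*(\S.*?)\s*$")


def split_registry(ref):
    """Split an image reference into (registry_host_or_None, repository).

    Docker treats the first path component as a registry host only when it
    contains '.' or ':' or is exactly 'localhost'; otherwise the whole string
    is a repository name and the daemon's registry configuration decides
    where it is pulled from.
    """
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return None, ref


def find_images(text):
    """Return [(line_number, key, reference, registry)] for every image line."""
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if not match:
            continue
        ref = match.group(2).strip("\"'")
        if ref:  # skip empty values such as image: ""
            found.append((number, match.group(1), ref, split_registry(ref)[0]))
    return found


def unqualified(text):
    """Sorted, de-duplicated references that name no registry host."""
    return sorted({ref for _, _, ref, reg in find_images(text) if reg is None})


if __name__ == "__main__":
    for number, key, ref, registry in find_images(SAMPLE):
        where = registry or "no registry host, daemon configuration decides"
        print(f"line {number}: {key}={ref} -> {where}")
```
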

build logs appear to be blocked

We'll probably have to track this as a BZ if we actually need a code change:

osc build-logs sin-89d70fac-c2b1-11e4-b853-525400b33d1d
Forbidden: "/osapi/v1beta1/redirect/buildLogs/sin-89d70fac-c2b1-11e4-853-525400b33d1d?namespace=sinatra" denied by default

osc probably needs its own .kubeconfig

Right now the ansible installer is setting KUBECONFIG=/var/lib/openshift/openshift.local.certificates/admin/.kubeconfig in .bash_profile. The problem with this is when we change the default context things start to break. Namely, the ansible node registration process will break because it will attempt to use the demo context.

Discuss project/namespace early on.

It seems to me that training should discuss projects much earlier. IMHO, everything being deployed that's not infrastructure (router, registry) ought to be in a project (not "default").

This experience sucks a bit, as you have a choice of adding "-n foo" everywhere or "openshift ex config" / edit .kubeconfig / manually create ~/.kubecfg_ns. But it just seems like good hygiene.

[beta2] Subscription Manager setup in setup instructions

There seems to be some assumption about what an end user can do with RH subscriptions. It would be helpful to set that as a prereq or a pointer to some help in the section Preparing Each VM, which first hits on this.

Typical errors one might see if not a properly signed on subscriber would be:

  • * is not a valid repository ID
  • "rhel-server-7-ose-beta-rpms" is not a valid repository ID
  • later in "Run the Ansible Installer"
    TASK: [openshift_master | Install OpenShift Master package] ******************* 
    failed: [ose3-master.example.com] => {"changed": false, "failed": true, "rc": 0, "results": []}
    msg: No Package matching 'openshift-master' found available, installed or updated

    FATAL: all hosts have already failed -- aborting

    PLAY RECAP ******************************************************************** 
               to retry, use: --limit @/root/config.retry

    ose3-master.example.com    : ok=23   changed=6    unreachable=0    failed=1  

Trailing commas in JSON maps cause failure

Not sure if this is a doc bug or a tools bug, but following the beta-3 training doc, "osc create -f quota.json --namespace=demo" fails because of the trailing comma in JSON maps. Removing the two extraneous commas allows the command to succeed.

namespaces shouldn't have hyphens

(Note for anyone following the beta1 script as I know Erik filed openshift/origin#933)

Although openshift/kubernetes currently allow your namespace to have dashes and periods, when this namespace is used in an image you're building, the registry won't accept it. You'll get something like:

Successfully built 172.30.17.217:5001/integrated-project/origin-ruby-sample
Build error: API error (500): Invalid namespace name (integrated-project), only [a-z0-9_] are allowed, size between 4 and 30

This is arguably a bug in OS/k8s... namespace validations should probably match the registry. But for now, use namespaces that will be valid with the registry if you're going to build an image.
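
An added example, not part of the original issue or of the project's code: a pre-flight check for a namespace name before it is used in an image build. The registry rule is taken from the error message quoted above; the cluster-side rule (DNS-style names, so no `_`) is an assumption not stated on this page, and the function names are hypothetical. It shows why swapping `-` for `_` is not a safe fix under that assumption.

```python
import re

# Registry rule, as quoted in the build error above:
# "only [a-z0-9_] are allowed, size between 4 and 30".
REGISTRY_CHARS = re.compile(r"[a-z0-9_]")
REGISTRY_MIN, REGISTRY_MAX = 4, 30

# Assumption, not stated on this page: on the cluster side a namespace is a
# DNS-style name (lowercase alphanumerics, '-' or '.' inside), so '_' is
# rejected there even though the registry accepts it.
CLUSTER_NAME = re.compile(r"[a-z0-9]([a-z0-9.-]*[a-z0-9])?")


def registry_problems(name):
    """Problems the registry would report for this namespace."""
    problems = []
    if not REGISTRY_MIN <= len(name) <= REGISTRY_MAX:
        problems.append(f"length {len(name)} not in {REGISTRY_MIN}..{REGISTRY_MAX}")
    bad = sorted({ch for ch in name if not REGISTRY_CHARS.fullmatch(ch)})
    if bad:
        problems.append("characters not allowed by registry: " + " ".join(bad))
    return problems


def cluster_problems(name):
    """Problems under the assumed cluster-side naming rule."""
    if CLUSTER_NAME.fullmatch(name):
        return []
    return ["not a DNS-style name (assumed cluster rule)"]


def check_namespace(name):
    """All problems from both rules; an empty list means the name is safe."""
    return registry_problems(name) + cluster_problems(name)


def suggest(name):
    """Keep only [a-z0-9], the characters both rules share; None if unusable."""
    candidate = re.sub(r"[^a-z0-9]", "", name.lower())
    return candidate if REGISTRY_MIN <= len(candidate) <= REGISTRY_MAX else None


if __name__ == "__main__":
    for name in ("integrated-project", "integrated_project", "integratedproject"):
        print(name, "->", check_namespace(name) or "ok")
```
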

[beta2] Setup difficult getting DNS behaving

Not sure there is a specific bug or fix, this was just an area that I struggled with the most. Perhaps due to VirtualBox, issues with wireless on Mac, iptables firewall port being blocked, etc. Perhaps seasoned OpenShifters are used to all this but I spent a fairly significantly larger percentage of time on this than I feel like I should have. With all the variables involved (host OS, VM software, etc) though it might be helpful to have a single "golden" configuration to reference.

Must switch to 'master' context before creating projects

When I ran this command I got a 403:

openshift ex new-project integrated --display-name="Frontend/Backend" \
--description='A demonstration of a "quickstart/template"' \
--admin=htpasswd:joe

At that point in the doc I was still in the sinatra context. I'm guessing we have to switch back to the master context to run that.

move webhooks later

Makes more sense to talk about webhooks in the wiring example after forking the code and changing it. I am working on this along with other wordpress stuff.

Discuss need for DNS

Despite stating that you need to set up DNS entries, there will be those for whom this is (or seems) about as easy as flapping their wings and flying to the moon. For those folks, who will nevertheless try to work around using /etc/hosts, I would suggest a discussion of what breaks if you don't have DNS entries for the hosts and wildcard domain, so they can make an informed decision and not just ignore the directions and get stuck.

I think you can actually work around the need in most cases, though I need to go through and find out for sure. The most evident immediate problem is that containers don't see the host's /etc/hosts so they won't be able to resolve any FQDNs, so they need to be configured with IPs.

openshift-sdn-node doesn't start openshift-node

"Do not start the openshift-node service yet. We must start the openshift-sdn-node first in order to set up the proper bridges, and the openshift-sdn-node service will automatically start the openshift-node service for us."

At this time it doesn't.
