- OpenShift Tutorial
- OpenShift - Home
- OpenShift - Overview
- OpenShift - Types
- OpenShift - Architecture
- OpenShift - Environment Setup
- OpenShift - Basic Concept
- OpenShift - Getting Started
- OpenShift - Build Automation
- OpenShift - CLI
- OpenShift - CLI Operations
- OpenShift - Clusters
- OpenShift - Application Scaling
- OpenShift - Administration
- OpenShift - Docker and Kubernetes
- OpenShift - Security
- OpenShift Useful Resources
- OpenShift - Quick Guide
- OpenShift - Useful Resources
- OpenShift - Discussion
- Selected Reading
- UPSC IAS Exams Notes
- Developer's Best Practices
- Questions and Answers
- Effective Resume Writing
- HR Interview Questions
- Computer Glossary
- Who is Who
OpenShift - Basic Concept
Before beginning with the actual setup and deployment of applications, we need to understand some basic terms and concepts used in OpenShift V3.
Containers and Images
Images
These are the basic building blocks of OpenShift, which are formed out of Docker images. In each pod on OpenShift, the cluster has its own images running inside it. When we configure a pod, we have a field which will get pooled from the registry. This configuration file will pull the image and deploy it on the cluster node.
apiVersion: v1 kind: pod metadata: name: Tesing_for_Image_pull -----------> Name of Pod spec: containers: - name: neo4j-server ------------------------> Name of the image image: <Name of the Docker image>----------> Image to be pulled imagePullPolicy: Always ------------->Image pull policy command: [“echo”, “SUCCESS”] -------------------> Massage after image pull
In order to pull and create an image out of it, run the following command. OC is the client to communicate with OpenShift environment after login.
$ oc create –f Tesing_for_Image_pull
Container
This gets created when the Docker image gets deployed on the OpenShift cluster. While defining any configuration, we define the container section in the configuration file. One container can have multiple images running inside and all the containers running on cluster node are managed by OpenShift Kubernetes.
spec: containers: - name: py ------------------------> Name of the container image: python----------> Image going to get deployed on container command: [“python”, “SUCCESS”] restartPocliy: Never --------> Restart policy of container
Following are the specifications for defining a container having multiple images running inside it.
apiVersion: v1 kind: Pod metadata: name: Tomcat spec: containers: - name: Tomcat image: tomcat: 8.0 ports: - containerPort: 7500 imagePullPolicy: Always -name: Database Image: mongoDB Ports: - containerPort: 7501 imagePullPolicy: Always
In the above configuration, we have defined a multi-container pod with two images of Tomcat and MongoDB inside it.
Pods and Services
Pods
Pod can be defined as a collection of container and its storage inside a node of OpenShift (Kubernetes) cluster. In general, we have two types of pod starting from a single container pod to multi-container pod.
Single Container Pod − These can be easily created with OC command or by a basic configuration yml file.
$ oc run <name of pod> --image = <name of the image from registry>
Create it with a simple yaml file as follows.
apiVersion: v1 kind: Pod metadata: name: apache spec: containers: - name: apache image: apache: 8.0 ports: - containerPort: 7500 imagePullPolicy: Always
Once the above file is created, it will generate a pod with the following command.
$ oc create –f apache.yml
Multi-Container Pod − Multi-container pods are those in which we have more than one container running inside it. They are created using yaml files as follows.
apiVersion: v1 kind: Pod metadata: name: Tomcat spec: containers: - name: Tomcat image: tomcat: 8.0 ports: - containerPort: 7500 imagePullPolicy: Always -name: Database Image: mongoDB Ports: - containerPort: 7501 imagePullPolicy: Always
After creating these files, we can simply use the same method as above to create a container.
Service − As we have a set of containers running inside a pod, in the same way we have a service that can be defined as a logical set of pods. It’s an abstracted layer on top of the pod, which provides a single IP and DNS name through which pods can be accessed. Service helps in managing the load balancing configuration and to scale the pod very easily. In OpenShift, a service is a REST object whose deification can be posted to apiService on OpenShift master to create a new instance.
apiVersion: v1 kind: Service metadata: name: Tutorial_point_service spec: ports: - port: 8080 targetPort: 31999
Builds and Streams
Builds
In OpenShift, build is a process of transforming images into containers. It is the processing which converts the source code to an image. This build process works on pre-defined strategy of building source code to image.
The build processes multiple strategies and sources.
Build Strategies
Source to Image − This is basically a tool, which helps in building reproducible images. These images are always in a ready stage to run using the Docker run command.
Docker Build − This is the process in which the images are built using Docker file by running simple Docker build command.
Custom Build − These are the builds which are used for creating base Docker images.
Build Sources
Git − This source is used when the git repository is used for building images. The Dockerfile is optional. The configurations from the source code looks like the following.
source: type: "Git" git: uri: "https://github.com/vipin/testing.git" ref: "master" contextDir: "app/dir" dockerfile: "FROM openshift/ruby-22-centos7\nUSER example"
Dockerfile − The Dockerfile is used as an input in the configuration file.
source: type: "Dockerfile" dockerfile: "FROM ubuntu: latest RUN yum install -y httpd"
Image Streams − Image streams are created after pulling the images. The advantage of an image stream is that it looks for updates on the new version of an image. This is used to compare any number of Docker formatted container images identified by tags.
Image streams can automatically perform an action when a new image is created. All the builds and deployments can watch for image action and perform an action accordingly. Following is how we define a build a stream.
apiVersion: v1 kind: ImageStream metadata: annotations: openshift.io/generated-by: OpenShiftNewApp generation: 1 labels: app: ruby-sample-build selflink: /oapi/v1/namespaces/test/imagestreams/origin-ruby-sample uid: ee2b9405-c68c-11e5-8a99-525400f25e34 spec: {} status: dockerImageRepository: 172.30.56.218:5000/test/origin-ruby-sample tags: - items: - created: 2016-01-29T13:40:11Z dockerImageReference: 172.30.56.218:5000/test/origin-apache-sample generation: 1 image: vklnld908.int.clsa.com/vipin/test tag: latest
Routes and Templates
Routes
In OpenShift, routing is a method of exposing the service to the external world by creating and configuring externally reachable hostname. Routes and endpoints are used to expose the service to the external world, from where the user can use the name connectivity (DNS) to access defined application.
In OpenShift, routes are created by using routers which are deployed by OpenShift admin on the cluster. Routers are used to bind HTTP (80) and https (443) ports to external applications.
Following are the different kinds of protocol supported by routes −
- HTTP
- HTTPS
- TSL and web socket
When configuring the service, selectors are used to configure the service and find the endpoint using that service. Following is an example of how we create a service and the routing for that service by using an appropriate protocol.
{ "kind": "Service", "apiVersion": "v1", "metadata": {"name": "Openshift-Rservice"}, "spec": { "selector": {"name":"RService-openshift"}, "ports": [ { "protocol": "TCP", "port": 8888, "targetPort": 8080 } ] } }
Next, run the following command and the service is created.
$ oc create -f ~/training/content/Openshift-Rservice.json
This is how the service looks like after creation.
$ oc describe service Openshift-Rservice Name: Openshift-Rservice Labels: <none> Selector: name = RService-openshift Type: ClusterIP IP: 172.30.42.80 Port: <unnamed> 8080/TCP Endpoints: <none> Session Affinity: None No events.
Create a routing for service using the following code.
{ "kind": "Route", "apiVersion": "v1", "metadata": {"name": "Openshift-service-route"}, "spec": { "host": "hello-openshift.cloudapps.example.com", "to": { "kind": "Service", "name": "OpenShift-route-service" }, "tls": {"termination": "edge"} } }
When OC command is used to create a route, a new instance of route resource is created.
Templates
Templates are defined as a standard object in OpenShift which can be used multiple times. It is parameterized with a list of placeholders which are used to create multiple objects. This can be used to create anything, starting from a pod to networking, for which users have authorization to create. A list of objects can be created, if the template from CLI or GUI interface in the image is uploaded to the project directory.
apiVersion: v1 kind: Template metadata: name: <Name of template> annotations: description: <Description of Tag> iconClass: "icon-redis" tags: <Tages of image> objects: - apiVersion: v1 kind: Pod metadata: name: <Object Specification> spec: containers: image: <Image Name> name: master ports: - containerPort: <Container port number> protocol: <Protocol> labels: redis: <Communication Type>
Authentication and Authorization
Authentication
In OpenShift, while configuring master and client structure, master comes up with an inbuilt feature of OAuth server. OAuth server is used for generating tokens, which is used for authentication to the API. Since, OAuth comes as a default setup for master, we have the Allow All identity provider used by default. Different identity providers are present which can be configured at /etc/openshift/master/master-config.yaml.
There are different types of identity providers present in OAuth.
- Allow All
- Deny All
- HTPasswd
- LDAP
- Basic Authentication
Allow All
apiVersion: v1 kind: Pod metadata: name: redis-master spec: containers: image: dockerfile/redis name: master ports: - containerPort: 6379 protocol: TCP oauthConfig: identityProviders: - name: my_allow_provider challenge: true login: true provider: apiVersion: v1 kind: AllowAllPasswordIdentityProvider
Deny All
apiVersion: v1 kind: Pod metadata: name: redis-master spec: containers: image: dockerfile/redis name: master ports: - containerPort: 6379 protocol: TCP oauthConfig: identityProviders: - name: my_allow_provider challenge: true login: true provider: apiVersion: v1 kind: DenyAllPasswordIdentityProvider
HTPasswd
In order to use HTPasswd, we need to first set up Httpd-tools on the master machine and then configure it in the same way as we did for others.
identityProviders: - name: my_htpasswd_provider challenge: true login: true provider: apiVersion: v1 kind: HTPasswdPasswordIdentityProvider
Authorization
Authorization is a feature of OpenShift master, which is used to validate for validating a user. This means that it checks the user who is trying to perform an action to see if the user is authorized to perform that action on a given project. This helps the administrator to control access on the projects.
Authorization policies are controlled using −
- Rules
- Roles
- Bindings
Evaluation of authorization is done using −
- Identity
- Action
- Bindings
Using Policies −
- Cluster policy
- Local policy