
openshift-examples's Introduction


openshift-examples's People

Contributors

alextremblay, codificat, daniyalj, debianmaster, donnydavis, dynamostack, jmprusi, karmab, mohansidda, pinakikundu, samueltauil


openshift-examples's Issues

Unable to get metrics in prometheus

Hello,

I've followed all of the instructions here but I am still not able to get any of the container metrics in prometheus. I am returning lots of other metrics such as process_cpu_seconds_total, apiserver_audit_event_total, and kubelet_docker_operations to name a few. Is there something that needs to be done prior to this?

OCP install tip

If you are installing OCP 3.3 from a jump server, there are too many places where the installer fails. I am able to move forward by adding become: yes at each failure, but there are just too many places.

Difference between Namespaces & Projects

@enjk wrote

Projects provide for easier multi tenancy by:

  • Having stricter validation than namespaces (i.e. you cannot annotate a project other than a handful of predefined keys meaning you can assert a privileged user or component set that data)
  • Projects are actually indirectly created by the server by a request mechanism. Thus you do not need to give users the ability to create projects directly.
  • A cluster admin can inject a template for project creation (so you can have a predefined way to set up projects across your cluster).
  • The project list is a special endpoint that determines what projects you should be able to see. This is not possible to express via RBAC (i.e. list namespaces means you can see all namespaces).
  • Note that all of this was built in the early days of Kubernetes, and thus may be less important now.

pipelines loop issue

3.3.0.34 has issues related to pipelines going into a loop on deployment forever. This issue is fixed in 3.3.0.35.

grafana pods crashing

Grafana containers are crashing with following error :

chown: changing ownership of '/var/lib/grafana': Operation not permitted

NET_ADMIN privilege

NET_ADMIN privilege will give pod access to

  • edit host firewalls / routetables

Security prometheus

Hello,

I successfully added prometheus and grafana and I was able to monitor my cluster.
However I am a bit worried about security.
In fact prometheus does not provide authentication mechanism.
So here by creating a route we expose all the metrics to the world.

Did you find some tricks to hide the metrics?

Regards

watch docker storage

lvs -o data_percent,metadata_percent docker-vg --noheadings -S 'data_percent < 80 '

renew letsencrypt certs for master

cd /etc/origin/master/named_certificates
unlink fullchain.pem
unlink privkey.pem
certbot renew
ln -s /etc/letsencrypt/live/ocp.52.14.195.108.nip.io/fullchain.pem
ln -s /etc/letsencrypt/live/ocp.52.14.195.108.nip.io/privkey.pem
systemctl restart atomic-openshift-master

if

openshift_master_cluster_public_hostname=ocp.52.14.195.108.nip.io
openshift_master_named_certificates=[{"certfile": "/etc/letsencrypt/live/ocp.52.14.195.108.nip.io/fullchain.pem", "keyfile": "/etc/letsencrypt/live/ocp.52.14.195.108.nip.io/privkey.pem", "names":["ocp.52.14.195.108.nip.io"]}]
openshift_master_overwrite_named_certificates=true

configuring two auth providers for openshift

```yaml
identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth1
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth2
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd2
      kind: HTPasswdPasswordIdentityProvider
```

kubectl apply vs kubectl update

kubectl apply will look for any pending updates on the object and carefully apply changes at the end, while kubectl update will overwrite without caring about other processes working on the same object. This is useful in scenarios where the HPA and you are working on the same object; kubectl apply is preferred over edit/update.

gitlab-ci broken

The gitlab-ci template is really great with just a couple minor issues.

The token parameter in the config map is hard coded.
The runner was pulling a dated image.

I fixed it in this PR
#53

Thanks
~D

gluster on openshift

Currently the GlusterFS role is not entirely idempotent, that is,
running it multiple times may not yield the same results.
Officially we only support running it once for deployment, and if you
want to rerun the byo/config.yml playbook again you should comment out
the glusterfs and/or glusterfs_registry node groups. This is set to be
fixed for OCP 3.9.

PV Pending issues

If you see PV pending issues, check if you have all the service accounts that are needed,
especially in 3.3.

There should be PV recycler accounts like this: pv-recycler-controller

Compare helm vs TPR vs Operators vs Service Catalog

@sabre1041 wrote.

Helm is a package manager for Kubernetes. It contains a packaging model and facilitates the deploying of Kubernetes resources to the cluster through a set of charts.

Third party resources are user defined Kubernetes API objects.

TPRs are defined at a cluster level (until 1.7) and each object is scoped to a particular namespace.

An operator is an intelligent process that can be used to manage complex state, i.e. I need to be able to manage an etcd cluster that needs to contain a certain replica count and manage the overall lifecycle of the cluster. Operators typically make use of TPRs to define state that is managed by the operator.

The service catalog is part of the open service broker API that was donated by Cloud Foundry.
It allows for the creation of service brokers that can define which services are made available to the cluster. The broker manages the lifecycle of instances that are provided by the service. Instances can be a PostgreSQL database in a cluster. Once an instance has been created, an application can bind to the instance, which will create a set of resources for how applications can make use of the service. This is typically a secret. Pod presets will be used to inject parameters into applications. Once complete with the service, an instance can be unbound and then deleted.

get rid of docker storage

  1. lvremove docker-vg/docker-pool
  2. rm -rf /var/lib/docker
  3. cd /etc/sysconfig ; mv docker-storage docker-storage-old
  4. docker-storage-setup
  5. service docker start

openshift build process vs k8s build

what happens in openshift

the s2i build flow is:

1) build pod launches, mounts the docker socket  
2) build pod clones your source  
3) build pod uses the docker socket to spawn a non-privileged container running your builder image (e.g. s2i-ruby)  
4) build pod streams your source code into that non-privileged container  
5) non-privileged container invokes your assemble script (consuming the source code) - this is the only place user logic runs  
6) build pod uses the docker socket to commit your container when it completes  
7) build pod uses the docker socket to push your new image to the registry   

force delete

You can force delete a pod with oc delete pod <podname> --now ...this is the same as --grace-period=0

allocatable

kubectl describe node|grep -iA 3 allocatable

health check tip

You can set a liveness probe with oc set probe dc/webapp --readiness --get-url=http://:8080/healthz

Scanning

Blackduck can scan non-RHEL and RHEL content. OpenSCAP can only scan RHEL content

issue with docker storage

lvm -a

How full/empty the local Docker storage is.

vgs -s 'vg_free < 1000'

To check how many bytes are left on the thinpool.

docker info

Shows also the available capacity.

df -h

With the following command you can check some errors from lvm

journalctl -l |egrep -i lvm

permission issue

When I execute the following command:

oc adm policy add-cluster-role-to-user cluster-reader -z default

I get error:

Error from server (Forbidden): User "developer" cannot list clusterrolebindings.authorization.openshift.io at the cluster scope: User "developer" cannot list all clusterrolebindings.authorization.openshift.io in the cluster (get clusterrolebindings.authorization.openshift.io)

Someone suggested running it as follows:
docker exec origin oc adm policy add-cluster-role-to-user cluster-reader -z default

This is not throwing any errors but when I start prometheus I see the following in the logs:

level=error ts=2017-12-18T07:03:44.408931326Z caller=main.go:211 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:263: Failed to list *v1.Node: User \"system:serviceaccount:test:default\" cannot list nodes at the cluster scope: User \"system:serviceaccount:test:default\" cannot list all nodes in the cluster (get nodes)"
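Added example, not part of the original issue or the project's code: a small shell helper that reads an RBAC denial like the Prometheus log line above, extracts the denied service account and action, and prints a grant that names the account in full instead of relying on `-z`. It assumes the earlier `-z default` call resolved against a different current project than `test`; the function names are hypothetical and the sample line is constructed from the error quoted in the issue.

```shell
#!/bin/sh
# Constructed sample: the denial quoted in the issue above.
SAMPLE_LOG='level=error ts=2017-12-18T07:03:44.408931326Z caller=main.go:211 component=k8s_client_runtime err="github.com/prometheus/prometheus/discovery/kubernetes/kubernetes.go:263: Failed to list *v1.Node: User \"system:serviceaccount:test:default\" cannot list nodes at the cluster scope: User \"system:serviceaccount:test:default\" cannot list all nodes in the cluster (get nodes)"'

# denied_subject LINE -> "<namespace> <name>" of the denied service account.
# Accepts both escaped (\") and plain (") quotes around the user name.
denied_subject() {
    printf '%s\n' "$1" |
        sed -n 's/.*User \\*"system:serviceaccount:\([^:"\\]*\):\([^:"\\]*\)\\*" cannot.*/\1 \2/p'
}

# denied_action LINE -> "<verb> <resource>" that was refused cluster-wide.
denied_action() {
    printf '%s\n' "$1" |
        sed -n 's/.*cannot \([a-z]*\) \([a-z.]*\) at the cluster scope.*/\1 \2/p'
}

# grant_command LINE -> the cluster-reader grant for exactly that account.
# The fully qualified name avoids depending on the caller's current project,
# which is what "-z default" would use. Must be run by a cluster admin.
grant_command() {
    subject=$(denied_subject "$1")
    [ -n "$subject" ] || return 1      # not a service-account denial
    ns=${subject% *}
    sa=${subject#* }
    printf 'oc adm policy add-cluster-role-to-user cluster-reader system:serviceaccount:%s:%s\n' \
        "$ns" "$sa"
}

# Stand-alone run: show what was denied and the matching grant.
echo "denied: $(denied_subject "$SAMPLE_LOG") -> $(denied_action "$SAMPLE_LOG")"
grant_command "$SAMPLE_LOG"
```

The printed namespace (`test`) is the one to compare against the project that was active when the original grant was issued.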

nodeSelector

oc patch dc/logging-es-{unique name} -p '{"spec":{"template":{"spec":{"nodeSelector":{"nodelabel":"logging-es-node-1"}}}}}'
