[root@domdev01 ~]$ oc get nodes
NAME                   STATUS    ROLES     AGE       VERSION
doadev01.sg.gbs.pro    Ready     compute   3d        v1.11.0+d4cacc0
doidev01.sg.gbs.pro    Ready     infra     3d        v1.11.0+d4cacc0
doidev02.sg.gbs.pro    Ready     infra     3d        v1.11.0+d4cacc0
domdev01.sg.gbs.pro    Ready     master    3d        v1.11.0+d4cacc0
domdev02.sg.gbs.pro    Ready     master    3d        v1.11.0+d4cacc0
domdev03.sg.gbs.pro    Ready     master    3d        v1.11.0+d4cacc0
[root@domdev01 ~]$ oc get pods | egrep "Error|CrashLoopBack"
[root@domdev01 ~]$
https://docker-registry-default.internalservices-dev.devops.tst
### Namespace "webconsole-config" ConfigMap
### to change where the metrics endpoint points for all apps
apiVersion: webconsole.config.openshift.io/v1
clusterInfo:
  adminConsolePublicURL: https://console.apps-dev.devops.tst/
  consolePublicURL: https://doconsole-dev.sg.gbs.tst/console/
  loggingPublicURL: https://kibana.apps-dev.devops.tst
  logoutPublicURL: ''
  masterPublicURL: https://doconsole-dev.sg.gbs.tst:443
  metricsPublicURL: https://hawkular-metrics.apps-dev.devops.tst/hawkular/metrics
extensions:
  properties: {}
  scriptURLs: []
  stylesheetURLs: []
features:
  clusterResourceOverridesEnabled: false
  inactivityTimeoutMinutes: 0
kind: WebConsoleConfiguration
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: /var/serving-cert/tls.crt
  clientCA: ''
  keyFile: /var/serving-cert/tls.key
  maxRequestsInFlight: 0
  namedCertificates: null
  requestTimeoutSeconds: 0
[root@domdev01 ~]$
[root@domdev01 ~]$ oc new-app bsella https://git.sg.gbs.pro/projects/ARCH/repos/openshift --source-secret=bancasella-bitbucket
W1204 11:31:44.435411   14761 dockerimagelookup.go:233] Docker registry lookup failed: Get https://registry-1.docker.io/v2/: x509: certificate is valid for *.NET.GBS.PRE, not registry-1.docker.io
error: local file access failed with: stat bsella: no such file or directory
error: unable to locate any images in image streams, templates loaded in accessible projects, template files, local docker images with name "bsella"
error: git ls-remote failed with: execution of git ls-remote https://git.sg.gbs.pro/projects/ARCH/repos/openshift timed out after 30s; local file access failed with: stat https://git.sg.gbs.pro/projects/ARCH/repos/openshift: no such file or directory
error: unable to locate any images in image streams, templates loaded in accessible projects, template files, local docker images with name "https://git.sg.gbs.pro/projects/ARCH/repos/openshift"
Argument 'https://git.sg.gbs.pro/projects/ARCH/repos/openshift' was classified as an image, image~source, or loaded template reference.
The 'oc new-app' command will match arguments to the following types:
  1. Images tagged into image streams in the current project or the 'openshift' project
     - if you don't specify a tag, we'll add ':latest'
  2. Images in the Docker Hub, on remote registries, or on the local Docker engine
  3. Templates in the current project or the 'openshift' project
  4. Git repository URLs or local paths that point to Git repositories
--allow-missing-images can be used to point to an image that does not exist yet.
See 'oc new-app -h' for examples.
[root@domdev01 ~]$
gbs02293
sella112018
[root@domdev01 ~]$ docker login git.sg.gbs.pro -u gbs02293
Password:
Error response from daemon: Get https://git.sg.gbs.pro/v1/users/: dial tcp 172.20.136.117:443: i/o timeout
[root@domdev01 ~]$
[root@domdev01 ~]$ docker images
REPOSITORY                                                                              TAG       IMAGE ID       CREATED        SIZE
registry.redhat.io/rhel7/etcd                                                           3.2.22    635bb36d7fc7   13 days ago    259 MB
registry.redhat.io/openshift3/ose-node                                                  v3.11     901c817d48cc   3 weeks ago    1.17 GB
registry.redhat.io/openshift3/ose-control-plane                                         v3.11     e043f4037c7f   3 weeks ago    807 MB
registry.redhat.io/openshift3/ose-kube-rbac-proxy                                       v3.11.43  346b8706ab75   3 weeks ago    487 MB
registry.redhat.io/openshift3/ose-console                                               v3.11     3d8540e8cdb8   3 weeks ago    254 MB
registry.redhat.io/openshift3/ose-web-console                                           v3.11     c9309fc930f5   3 weeks ago    322 MB
registry.redhat.io/openshift3/ose-pod                                                   v3.11     47ea091bca33   3 weeks ago    238 MB
registry.redhat.io/openshift3/ose-pod                                                   v3.11.43  47ea091bca33   3 weeks ago    238 MB
registry.redhat.io/openshift3/ose-service-catalog                                       v3.11.43  dc09eb43a18c   3 weeks ago    309 MB
registry.redhat.io/openshift3/ose-template-service-broker                               v3.11.43  354b1216b490   3 weeks ago    313 MB
registry.redhat.io/openshift3/prometheus-node-exporter                                  v3.11.43  1ca7e0622370   3 weeks ago    225 MB
registry.redhat.io/openshift3/ose-logging-fluentd                                       v3.11.43  0fef36d87b56   3 weeks ago    289 MB
registry.redhat.io/openshift3/registry-console                                          v3.11     73938699cd8a   3 weeks ago    237 MB
docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd        latest    ff2239568726   2 months ago   353 MB
docker-registry-default.router.default.svc.cluster.local/sella/apache-httpd             1.0       ff2239568726   2 months ago   353 MB
[root@domdev01 ~]$
[root@domdev01 ~]$
[root@domdev01 ~]$ docker push docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd
The push refers to a repository [docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd]
Get https://docker-registry-default.internalservices-dev.devops.tst:5000/v1/_ping: Gateway Timeout
[root@domdev01 ~]$
[root@domdev01 ~]$
[root@domdev01 ~]$ telnet docker-registry-default.internalservices-dev.devops.tst 5000
Trying 172.17.244.49...
[root@domdev01 ~]$ docker push docker-registry-default.internalservices-dev.devops.tst/bsella/apache-httpd
The push refers to a repository [docker-registry-default.internalservices-dev.devops.tst/bsella/apache-httpd]
74647f952e28: Retrying in 1 second
9cd8a8f6bf9d: Retrying in 1 second
22888f7bc143: Retrying in 1 second
170cdd8a9ac5: Retrying in 1 second
911cee7531eb: Retrying in 1 second
f0897fc7c83e: Waiting
cd97d0208235: Waiting
f9bf6da67ad7: Waiting
1d31b5806ba4: Waiting
####### LOGGING
# For each infra node run the following command:
chown 1000:1000 /mnt/local-storage/elasticsearch-storage
# From one master node run the following commands:
oc project openshift-logging
oc adm policy add-scc-to-user privileged system:serviceaccount:openshift-logging:aggregated-logging-elasticsearch
oc scale dc logging-es-data-master-ak4ni4on --replicas=0
oc patch dc logging-es-data-master-ak4ni4on -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}'
oc label node doipre01.sg.gbs.pro logging-es-node=1
oc set volume dc logging-es-data-master-ak4ni4on --add --overwrite --name=elasticsearch-storage --type=hostPath --path=/mnt/local-storage/elasticsearch-storage
oc rollout latest dc/logging-es-data-master-ak4ni4on
oc scale dc logging-es-data-master-ak4ni4on --replicas=1
#################
## REGISTRY ##
- update route in:
  - Hostname: docker-registry.internalservices.devops.pre
  - TLS Termination: reencrypt
## REGISTRY CONSOLE ##
- Create a new secret with CRT+KEY+CA
  - Key: the key name must end in .cert
- Mount secret to container:
  - Add this secret to application: registry-console
  - Add secret as Volume with Mount Path: /etc/cockpit/ws-certs.d
  - example: oc set volume dc/registry-console --add --overwrite --name=cert-console-registry-3fr5 --type=secret --secret-name=cert-registry-console --mount-path=/etc/cockpit/ws-certs.d --read-only=true
- update route in:
  - Hostname: registry-console.internalservices.devops.pre (example)
  - TLS Termination: reencrypt
  - Certificate: registry-console crt
  - Private Key: registry-console key
  - CA Certificate: registry-console crt + CA
  - Destination CA Certificate: registry-console crt + CA
- update OAuthClient with the new redirect:
  - oc edit oauthclient cockpit-oauth-client
  - and edit:
    - redirectURIs: https://registry-console.internalservices.devops.pre
## PROMETHEUS ##
- From the openshift-monitoring project edit the following routes:
  - alertmanager-main
    - Hostname: alertmanager-main-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate and Destination CA Certificate the value contained in the secret alertmanager-main-tls/tls.crt
    - put into the field Private Key the value contained in the secret alertmanager-main-tls/tls.key
  - prometheus-k8s
    - Hostname: prometheus-k8s-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate and Destination CA Certificate the value contained in the secret prometheus-k8s-tls/tls.crt
    - put into the field Private Key the value contained in the secret prometheus-k8s-tls/tls.key
  - grafana
    - Hostname: grafana-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate and Destination CA Certificate the value contained in the secret grafana-tls/tls.crt
    - put into the field Private Key the value contained in the secret grafana-tls/tls.key
## ROUTE SHARDING ##
https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html#using-router-shards
https://blog.openshift.com/openshift-router-sharding-for-production-and-development-traffic/
# Router pre
oc scale dc/router --replicas=0
oc adm router router-pre --replicas=2 --force-subdomain='${name}-${namespace}.apps.devops.pre' --selector="region=pre,node-role.kubernetes.io/infra=true"
oc set env dc/router-pre "DEFAULT_CERTIFICATE_PATH=/etc/pki/tls/private/tls.crt" "EXTENDED_VALIDATION=true" ROUTER_OVERRIDE_HOSTNAME-
oc set volume dc/router-pre --add --overwrite --name=metrics-server-certificate --secret-name=router-metrics-tls --mount-path=/etc/pki/tls/metrics
oc set volume dc/router-pre --add --overwrite --name=server-certificate --secret-name=router-certs --mount-path=/etc/pki/tls/private
# Router test
oc adm router router-tst --replicas=2 --force-subdomain='${name}-${namespace}.apps.devops.tst' --selector="region=test,node-role.kubernetes.io/infra=true"
oc set env dc/router-tst "DEFAULT_CERTIFICATE_PATH=/etc/pki/tls/private/tls.crt" "EXTENDED_VALIDATION=true" ROUTER_OVERRIDE_HOSTNAME-
oc set volume dc/router-tst --add --overwrite --name=metrics-server-certificate --secret-name=router-metrics-tls --mount-path=/etc/pki/tls/metrics
oc set volume dc/router-tst --add --overwrite --name=server-certificate --secret-name=router-certs --mount-path=/etc/pki/tls/private
# Add the label to all existing infrastructure projects:
oc label namespace openshift-infra region=pre
oc label namespace default region=pre
oc label namespace openshift-logging region=pre
oc label namespace openshift-metrics-server region=pre
oc label namespace openshift-monitoring region=pre
oc label namespace kube-service-catalog region=pre
oc label namespace openshift-console region=pre
# Each router shard only admits routes from namespaces matching its NAMESPACE_LABELS selector:
oc set env dc/router-pre NAMESPACE_LABELS="region=pre"
oc set env dc/router-tst NAMESPACE_LABELS="region=test"
# EXAMPLE project creation
oc new-project tester-pre
oc label namespace tester-pre region=pre
oc annotate namespace tester-pre --overwrite "openshift.io/node-selector"="region=pre"
oc new-project tester-tst
oc label namespace tester-tst region=test
oc annotate namespace tester-tst --overwrite "openshift.io/node-selector"="region=test"
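The sharding above only isolates pre from test traffic if every namespace carries a `region` label that one router shard selects and a matching `openshift.io/node-selector` annotation. The following checker is an added example, not part of the original notes: it takes the JSON that `oc get namespaces -o json` prints and reports every namespace whose label and annotation disagree or are missing. The router names and selectors are taken from the commands above; the sample namespaces are constructed.

```python
import json
from typing import Dict, List

# Router shards and their NAMESPACE_LABELS selectors, as configured above.
ROUTER_SELECTORS = {"router-pre": "region=pre", "router-tst": "region=test"}
NODE_SELECTOR_ANNOTATION = "openshift.io/node-selector"


def serving_routers(region: str) -> List[str]:
    """Router shards whose NAMESPACE_LABELS selector admits routes labelled region=<region>."""
    return [name for name, sel in ROUTER_SELECTORS.items() if sel == f"region={region}"]


def check_namespaces(doc: dict) -> Dict[str, List[str]]:
    """Return {namespace: [problems]} for every namespace that breaks the sharding rules."""
    findings: Dict[str, List[str]] = {}
    for item in doc.get("items", []):
        meta = item["metadata"]
        region = (meta.get("labels") or {}).get("region")
        selector = (meta.get("annotations") or {}).get(NODE_SELECTOR_ANNOTATION)
        problems = []
        if region is None:
            problems.append("no region label: no router shard will admit its routes")
        elif not serving_routers(region):
            problems.append(f"region={region} matches no router shard")
        if selector is None:
            problems.append("no node-selector annotation: pods may be scheduled on any node")
        elif region is not None and selector != f"region={region}":
            problems.append(f"node-selector {selector!r} disagrees with label region={region}")
        if problems:
            findings[meta["name"]] = problems
    return findings


def check_namespaces_json(text: str) -> Dict[str, List[str]]:
    """Same check, fed the raw text of `oc get namespaces -o json`."""
    return check_namespaces(json.loads(text))


# Constructed sample in the shape of `oc get namespaces -o json`; not real cluster output.
# tester-tst deliberately carries the wrong node-selector, orphan has neither label nor annotation.
SAMPLE = {"items": [
    {"metadata": {"name": "tester-pre", "labels": {"region": "pre"},
                  "annotations": {NODE_SELECTOR_ANNOTATION: "region=pre"}}},
    {"metadata": {"name": "tester-tst", "labels": {"region": "test"},
                  "annotations": {NODE_SELECTOR_ANNOTATION: "region=pre"}}},
    {"metadata": {"name": "orphan", "labels": {}, "annotations": {}}},
]}

if __name__ == "__main__":
    for ns, problems in check_namespaces(SAMPLE).items():
        print(f"{ns}: " + "; ".join(problems))
```

Against a live cluster, pipe `oc get namespaces -o json` into `check_namespaces_json` instead of using SAMPLE; the infra namespaces labelled above but never annotated will show up as missing a node-selector, which is worth confirming deliberately.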
### IDENTITY
oc create clusterrolebinding BSclusterADMINS --clusterrole=cluster-admin --group=OpenShift_Admin
oc new-project system-cronjobs
oc process -f cronjob-ldap-group-sync.yml -p NAMESPACE="system-cronjobs" -p LDAP_URL="cn=openshift_pro,ou=PrivateCloud,OU=UtenzeTecniche,DC=SG,DC=GBS,DC=PRO" | oc create -f-
# To remove the ability of ReadOnly users to create their own projects:
oadm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
oc annotate clusterrolebinding.rbac self-provisioner 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
## EXTERNAL REGISTRY
oc create sa external-puller
#######
for i in $(cat /root/hosts_pro) ; do scp /root/config.json $i:/var/lib/origin/.docker/config.json ; done
for i in $(cat /root/hosts_pro) ; do ssh $i "hostname ; systemctl restart docker ; sleep 10s" ; done
# service account on the registry with push and pull permissions
# the deploy and build service accounts are linked to the secret generated on the all-in-one
oc secrets new-dockercfg external-registry --docker-email=admin@openshift.pro --docker-username=admin --docker-password=password --docker-server=registry.devops.pro
,registry.devops.pro
017194fab48cc282de613694fabe04a3 /etc/sysconfig/docker
oc create secret docker-registry external-registry \
  --docker-server=registry.devops.pro \
  --docker-username=admin \
  --docker-password=qHNwQ9taX844p2QOZuLNi8iHohXrMdIhi1B5d2ftZEU \
  --docker-email=admin@registry.pro