[root@domdev01 ~]$ oc get nodes
NAME                 STATUS  ROLES    AGE  VERSION
doadev01.sg.gbs.pro  Ready   compute  3d   v1.11.0+d4cacc0
doidev01.sg.gbs.pro  Ready   infra    3d   v1.11.0+d4cacc0
doidev02.sg.gbs.pro  Ready   infra    3d   v1.11.0+d4cacc0
domdev01.sg.gbs.pro  Ready   master   3d   v1.11.0+d4cacc0
domdev02.sg.gbs.pro  Ready   master   3d   v1.11.0+d4cacc0
domdev03.sg.gbs.pro  Ready   master   3d   v1.11.0+d4cacc0

[root@domdev01 ~]$ oc get pods | egrep "Error|CrashLoopBack"
[root@domdev01 ~]$

https://docker-registry-default.internalservices-dev.devops.tst

### Namespace "webconsole-config" ConfigMap
### to change the metrics endpoint for all the apps

apiVersion: webconsole.config.openshift.io/v1
clusterInfo:
  adminConsolePublicURL: https://console.apps-dev.devops.tst/
  consolePublicURL: https://doconsole-dev.sg.gbs.tst/console/
  loggingPublicURL: https://kibana.apps-dev.devops.tst
  logoutPublicURL: ''
  masterPublicURL: https://doconsole-dev.sg.gbs.tst:443
  metricsPublicURL: https://hawkular-metrics.apps-dev.devops.tst/hawkular/metrics
extensions:
  properties: {}
  scriptURLs: []
  stylesheetURLs: []
features:
  clusterResourceOverridesEnabled: false
  inactivityTimeoutMinutes: 0
kind: WebConsoleConfiguration
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: /var/serving-cert/tls.crt
  clientCA: ''
  keyFile: /var/serving-cert/tls.key
  maxRequestsInFlight: 0
  namedCertificates: null
  requestTimeoutSeconds: 0

[root@domdev01 ~]$
[root@domdev01 ~]$ oc new-app bsella https://git.sg.gbs.pro/projects/ARCH/repos/openshift --source-secret=bancasella-bitbucket
W1204 11:31:44.435411 14761 dockerimagelookup.go:233] Docker registry lookup failed: Get https://registry-1.docker.io/v2/: x509: certificate is valid for *.NET.GBS.PRE, not registry-1.docker.io
error: local file access failed with: stat bsella: no such file or directory
error: unable to locate any images in image streams, templates loaded in accessible projects, template files, local docker images with name "bsella"
error: git ls-remote failed with: execution of git ls-remote https://git.sg.gbs.pro/projects/ARCH/repos/openshift timed out after 30s; local file access failed with: stat https://git.sg.gbs.pro/projects/ARCH/repos/openshift: no such file or directory
error: unable to locate any images in image streams, templates loaded in accessible projects, template files, local docker images with name "https://git.sg.gbs.pro/projects/ARCH/repos/openshift"

Argument 'https://git.sg.gbs.pro/projects/ARCH/repos/openshift' was classified as an image, image~source, or loaded template reference.

The 'oc new-app' command will match arguments to the following types:

  1. Images tagged into image streams in the current project or the 'openshift' project
     - if you don't specify a tag, we'll add ':latest'
  2. Images in the Docker Hub, on remote registries, or on the local Docker engine
  3. Templates in the current project or the 'openshift' project
  4. Git repository URLs or local paths that point to Git repositories

--allow-missing-images can be used to point to an image that does not exist yet.

See 'oc new-app -h' for examples.
[root@domdev01 ~]$

gbs02293
sella112018

[root@domdev01 ~]$ docker login git.sg.gbs.pro -u gbs02293
Password:
Error response from daemon: Get https://git.sg.gbs.pro/v1/users/: dial tcp 172.20.136.117:443: i/o timeout
[root@domdev01 ~]$

[root@domdev01 ~]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.redhat.io/rhel7/etcd 3.2.22 635bb36d7fc7 13 days ago 259 MB
registry.redhat.io/openshift3/ose-node v3.11 901c817d48cc 3 weeks ago 1.17 GB
registry.redhat.io/openshift3/ose-control-plane v3.11 e043f4037c7f 3 weeks ago 807 MB
registry.redhat.io/openshift3/ose-kube-rbac-proxy v3.11.43 346b8706ab75 3 weeks ago 487 MB
registry.redhat.io/openshift3/ose-console v3.11 3d8540e8cdb8 3 weeks ago 254 MB
registry.redhat.io/openshift3/ose-web-console v3.11 c9309fc930f5 3 weeks ago 322 MB
registry.redhat.io/openshift3/ose-pod v3.11 47ea091bca33 3 weeks ago 238 MB
registry.redhat.io/openshift3/ose-pod v3.11.43 47ea091bca33 3 weeks ago 238 MB
registry.redhat.io/openshift3/ose-service-catalog v3.11.43 dc09eb43a18c 3 weeks ago 309 MB
registry.redhat.io/openshift3/ose-template-service-broker v3.11.43 354b1216b490 3 weeks ago 313 MB
registry.redhat.io/openshift3/prometheus-node-exporter v3.11.43 1ca7e0622370 3 weeks ago 225 MB
registry.redhat.io/openshift3/ose-logging-fluentd v3.11.43 0fef36d87b56 3 weeks ago 289 MB
registry.redhat.io/openshift3/registry-console v3.11 73938699cd8a 3 weeks ago 237 MB
docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd latest ff2239568726 2 months ago 353 MB
docker-registry-default.router.default.svc.cluster.local/sella/apache-httpd 1.0 ff2239568726 2 months ago 353 MB
[root@domdev01 ~]$
[root@domdev01 ~]$ docker push docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd
The push refers to a repository [docker-registry-default.internalservices-dev.devops.tst:5000/bsella/apache-httpd]
Get https://docker-registry-default.internalservices-dev.devops.tst:5000/v1/_ping: Gateway Timeout
[root@domdev01 ~]$

[root@domdev01 ~]$ telnet docker-registry-default.internalservices-dev.devops.tst 5000
Trying 172.17.244.49...

[root@domdev01 ~]$ docker push docker-registry-default.internalservices-dev.devops.tst/bsella/apache-httpd
The push refers to a repository [docker-registry-default.internalservices-dev.devops.tst/bsella/apache-httpd]
74647f952e28: Retrying in 1 second
9cd8a8f6bf9d: Retrying in 1 second
22888f7bc143: Retrying in 1 second
170cdd8a9ac5: Retrying in 1 second
911cee7531eb: Retrying in 1 second
f0897fc7c83e: Waiting
cd97d0208235: Waiting
f9bf6da67ad7: Waiting
1d31b5806ba4: Waiting

####### LOGGING
# For each infra node run the following command:
chown 1000:1000 /mnt/local-storage/elasticsearch-storage

# From one master node run the following commands:
oc project openshift-logging
oc adm policy add-scc-to-user privileged system:serviceaccount:openshift-logging:aggregated-logging-elasticsearch
oc scale dc logging-es-data-master-ak4ni4on --replicas=0
oc patch dc logging-es-data-master-ak4ni4on -p '{"spec":{"template":{"spec":{"containers":[{"name":"elasticsearch","securityContext":{"privileged": true}}]}}}}'
oc label node doipre01.sg.gbs.pro logging-es-node=1
oc set volume dc logging-es-data-master-ak4ni4on --add --overwrite --name=elasticsearch-storage --type=hostPath --path=/mnt/local-storage/elasticsearch-storage
oc rollout latest dc/logging-es-data-master-ak4ni4on
oc scale dc logging-es-data-master-ak4ni4on --replicas=1

#################

## REGISTRY ##
- update route in:
  - Hostname: docker-registry.internalservices.devops.pre
  - TLS Termination: reencrypt

## REGISTRY CONSOLE ##
- Create a new secret with CRT+KEY+CA
  - Key: extension -> .cert
- Mount secret to container:
  - Add this secret to application: registry-console
  - Add secret as Volume with Mount Path: /etc/cockpit/ws-certs.d
  - example: oc set volume dc/registry-console --add --overwrite --name=cert-console-registry-3fr5 --type=secret --secret-name=cert-registry-console --mount-path=/etc/cockpit/ws-certs.d --read-only=true
- update route in:
  - Hostname: registry-console.internalservices.devops.pre (example)
  - TLS Termination: reencrypt
  - Certificate: registry-console crt
  - Private Key: registry-console key
  - CA Certificate: registry-console crt + CA
  - Destination CA Certificate: registry-console crt + CA
- update OAuthClient with new redirect:
  - oc edit oauthclient cockpit-oauth-client
  - and edit:
    - redirectURIs: https://registry-console.internalservices.devops.pre

## PROMETHEUS ##
- From the openshift-monitoring project edit the following routes:
  - alertmanager-main
    - Hostname: alertmanager-main-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate, Destination CA Certificate the value contained in the secret alertmanager-main-tls/tls.crt
    - put into the field Private Key the value contained in the secret alertmanager-main-tls/tls.key
  - prometheus-k8s
    - Hostname: prometheus-k8s-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate, Destination CA Certificate the value contained in the secret prometheus-k8s-tls/tls.crt
    - put into the field Private Key the value contained in the secret prometheus-k8s-tls/tls.key
  - grafana
    - Hostname: grafana-openshift-monitoring.internalservices.devops.pre (example)
    - put into the fields Certificate, CA Certificate, Destination CA Certificate the value contained in the secret grafana-tls/tls.crt
    - put into the field Private Key the value contained in the secret grafana-tls/tls.key

## ROUTE SHARDING ##
https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html#using-router-shards
https://blog.openshift.com/openshift-router-sharding-for-production-and-development-traffic/

# Router pre
oc scale dc/router --replicas=0
oc adm router router-pre --replicas=2 --force-subdomain='${name}-${namespace}.apps.devops.pre' --selector="region=pre,node-role.kubernetes.io/infra=true"
oc set env dc/router-pre "DEFAULT_CERTIFICATE_PATH=/etc/pki/tls/private/tls.crt" "EXTENDED_VALIDATION=true" ROUTER_OVERRIDE_HOSTNAME-
oc set volume dc/router-pre --add --overwrite --name=metrics-server-certificate --secret-name=router-metrics-tls --mount-path=/etc/pki/tls/metrics
oc set volume dc/router-pre --add --overwrite --name=server-certificate --secret-name=router-certs --mount-path=/etc/pki/tls/private

# Router test
oc adm router router-tst --replicas=2 --force-subdomain='${name}-${namespace}.apps.devops.tst' --selector="region=test,node-role.kubernetes.io/infra=true"
oc set env dc/router-tst "DEFAULT_CERTIFICATE_PATH=/etc/pki/tls/private/tls.crt" "EXTENDED_VALIDATION=true" ROUTER_OVERRIDE_HOSTNAME-
oc set volume dc/router-tst --add --overwrite --name=metrics-server-certificate --secret-name=router-metrics-tls --mount-path=/etc/pki/tls/metrics
oc set volume dc/router-tst --add --overwrite --name=server-certificate --secret-name=router-certs --mount-path=/etc/pki/tls/private

Add the region label to all the existing infrastructure projects:
oc label namespace default region=pre
oc label namespace openshift-infra region=pre
oc label namespace openshift-logging region=pre
oc label namespace openshift-metrics-server region=pre
oc label namespace openshift-monitoring region=pre
oc label namespace kube-service-catalog region=pre
oc label namespace openshift-console region=pre

oc set env dc/router-pre NAMESPACE_LABELS="region=pre"
oc set env dc/router-tst NAMESPACE_LABELS="region=test"

# EXAMPLE project creation
oc new-project tester-pre
oc label namespace tester-pre region=pre
oc annotate namespace tester-pre --overwrite "openshift.io/node-selector"="region=pre"
oc new-project tester-tst
oc label namespace tester-tst region=test
oc annotate namespace tester-tst --overwrite "openshift.io/node-selector"="region=test"
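Added check (not part of these notes): a POSIX sh audit of the namespace side of the sharding above. A namespace's routes are served only if its region label matches one router's NAMESPACE_LABELS (region=pre or region=test), and its openshift.io/node-selector should name the same region so that pods and routes land in the same shard. The namespace listing below is a constructed sample shaped like an oc get namespaces custom-columns listing; check_ns and audit are my own function names, not oc subcommands.

```shell
#!/bin/sh
# Audit that every namespace is admitted by exactly one router shard and
# schedules its pods on nodes of the same region. Added example; the
# function names are assumptions and nothing here talks to a cluster.

# Shard label values the two routers were started with (region=pre / region=test).
SHARD_REGIONS="pre test"

# Constructed sample in the shape of:
#   oc get namespaces --no-headers -o custom-columns='NAME:.metadata.name,REGION:.metadata.labels.region,SELECTOR:.metadata.annotations.openshift\.io/node-selector'
# ("<none>" is what custom-columns prints for a missing label or annotation.)
SAMPLE_NS='tester-pre   pre    region=pre
tester-tst   test   region=test
orphan-app   <none> <none>
mixed-app    pre    region=test'

# check_ns NAME REGION SELECTOR
# Returns 0 when a shard admits the namespace and the node-selector agrees,
# 1 otherwise, printing one verdict line.
check_ns() {
  name=$1; region=$2; selector=$3
  case " $SHARD_REGIONS " in
    *" $region "*) ;;
    *) echo "$name: region label '$region' matches no router shard; its routes will not be served"
       return 1 ;;
  esac
  if [ "$selector" != "region=$region" ]; then
    echo "$name: routes admitted by the region=$region shard but pods scheduled with node-selector '$selector'"
    return 1
  fi
  echo "$name: ok (region=$region)"
}

# audit LISTING
# Runs check_ns over every line of a custom-columns listing; the return
# value is the number of inconsistent namespaces (0 means all good).
audit() {
  bad=0
  while read -r name region selector; do
    [ -n "$name" ] || continue
    check_ns "$name" "$region" "$selector" || bad=$((bad + 1))
  done <<EOF
$1
EOF
  echo "$bad inconsistent namespace(s)"
  return "$bad"
}

audit "$SAMPLE_NS" || echo "audit exit status: $?"
```

On a live cluster, replace SAMPLE_NS with the output of the oc command quoted in the comment; the two sample failures show the two misconfigurations this setup can produce (no shard, or shard and node region disagreeing).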

### IDENTITY
oc create clusterrolebinding BSclusterADMINS --clusterrole=cluster-admin --group=OpenShift_Admin

oc new-project system-cronjobs
oc process -f cronjob-ldap-group-sync.yml -p NAMESPACE="system-cronjobs" -p LDAP_URL="cn=openshift_pro,ou=PrivateCloud,OU=UtenzeTecniche,DC=SG,DC=GBS,DC=PRO" | oc create -f-

To remove the ability of ReadOnly users to create their own projects:
oadm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
oc annotate clusterrolebinding.rbac self-provisioner 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite

## EXTERNAL REGISTRY
oc create sa external-puller

#######
for i in $(cat /root/hosts_pro) ; do scp /root/config.json $i:/var/lib/origin/.docker/config.json ; done
for i in $(cat /root/hosts_pro) ; do ssh $i "hostname ; systemctl restart docker ; sleep 10s" ; done

service account on the registry with push and pull permissions
associate the secret generated on the all-in-one with the deploy and build service accounts

oc secrets new-dockercfg external-registry --docker-email=admin@openshift.pro --docker-username=admin --docker-password=password --docker-server=registry.devops.pro

,registry.devops.pro

017194fab48cc282de613694fabe04a3 /etc/sysconfig/docker
017194fab48cc282de613694fabe04a3 /etc/sysconfig/docker

oc create secret docker-registry external-registry \
  --docker-server=registry.devops.pro \
  --docker-username=admin \
  --docker-password=qHNwQ9taX844p2QOZuLNi8iHohXrMdIhi1B5d2ftZEU \
  --docker-email=admin@registry.pro