Learn OpenShift
eBook - ePub

Learn OpenShift

Deploy, build, manage, and migrate applications with OpenShift Origin 3.9

Denis Zuev, Artemii Kropachev, Aleksey Usov

  1. 504 pages
  2. English
  3. ePUB (mobile friendly)
About This Book

Gain hands-on experience of installing OpenShift Origin 3.9 in a production configuration and managing applications using the platform you built

Key Features

  • Gain hands-on experience of working with Kubernetes and Docker
  • Learn how to deploy and manage applications in OpenShift
  • Get a practical approach to managing applications on a cloud-based platform
  • Explore multi-site and HA architectures of OpenShift for production

Book Description

Docker containers transform application delivery technologies to make them faster and more reproducible, and to reduce the amount of time wasted on configuration. Managing Docker containers in the multi-node or multi-datacenter environment is a big challenge, which is why container management platforms are required. OpenShift is a new generation of container management platforms built on top of both Docker and Kubernetes. It brings additional functionality to the table, something that is lacking in Kubernetes. This new functionality significantly helps software development teams to bring software development processes to a whole new level.

In this book, we'll start by explaining the container architecture and giving overviews of Docker and CRI-O. Then, we'll look at container orchestration and Kubernetes. We'll cover OpenShift installation, and its basic and advanced components. Moving on, we'll deep dive into concepts such as deploying applications on OpenShift. You'll learn how to set up an end-to-end delivery pipeline while working with applications in OpenShift as a developer or DevOps engineer. Finally, you'll discover how to properly design OpenShift for production environments.

This book gives you hands-on experience of designing, building, and operating OpenShift Origin 3.9, as well as building new applications or migrating existing applications to OpenShift.

What you will learn

  • Understand the core concepts behind containers and container orchestration tools
  • Understand Docker, Kubernetes, and OpenShift, and their relation to CRI-O
  • Install and work with Kubernetes and OpenShift
  • Understand how to work with persistent storage in OpenShift
  • Understand basic and advanced components of OpenShift, including security and networking
  • Manage deployment strategies and application migration in OpenShift
  • Understand and design OpenShift high availability

Who this book is for

The book is for system administrators, DevOps engineers, solutions architects, or any stakeholder who wants to understand the concept and business value of OpenShift.


Information

Year: 2018
ISBN: 9781788999649
Edition: 1

Security in OpenShift

Previously, we worked with advanced OpenShift resources, such as ImageStreams, ConfigMaps, and templates. Those resources allow you to simplify OpenShift resource management and the application delivery process.
In this chapter, we will introduce you to the realm of security in OpenShift. Any business' success depends on many factors, one of which is the company's ability to implement different security strategies for different users, departments, and applications. OpenShift is an enterprise-ready application platform that supports multiple security features, making it possible to integrate it into any corporate security landscape.
This chapter will provide you with an understanding of the following concepts:
  • Authentication—users and identities, service accounts, and identity providers
  • Authorization and role-based access control
  • Admission controllers
  • Security context constraints
  • Storing sensitive data in OpenShift

Technical requirements

For this chapter, we will use Vagrant, because demonstrating the difference between these methods requires two VMs: one for a single-node OpenShift cluster and the other for the FreeIPA server. Use the following Vagrantfile to spin up the environment:
$ cat Vagrantfile
# Provisioning script for the FreeIPA (IdM) VM
$lab_idm = <<SCRIPT
cat <<EOF >> /etc/hosts
172.24.0.11 openshift.example.com openshift
172.24.0.12 idm.example.com idm
EOF
# Drop the loopback entry Vagrant adds for the hostname, so that idm.example.com
# resolves to the private-network address FreeIPA listens on
sed -i '/^127.0.0.1.*idm.*$/d' /etc/hosts
yum -y update
yum -y install ipa-server
# Prevents the FreeIPA installer from failing while the certificate manager restarts
systemctl restart dbus
ipa-server-install -r IDM.EXAMPLE.COM -n idm.example.com -p idmsecret -a idmsecret --unattended
# Obtain an admin ticket and create the test user used later in this chapter
echo idmsecret | kinit admin
echo supersecret | ipa user-add alice --first Alice --last Springs --password
SCRIPT

# Provisioning script for the single-node OpenShift VM
$lab_openshift = <<SCRIPT
cat <<EOF >> /etc/hosts
172.24.0.12 idm.example.com idm
EOF
yum -y update
yum install -y epel-release git docker
yum install -y ansible
systemctl start docker
systemctl enable docker
git clone -b release-3.9 https://github.com/openshift/openshift-ansible /root/openshift-ansible
# Passwordless SSH from root to the node itself, which openshift-ansible requires
ssh-keygen -f /root/.ssh/id_rsa -N ''
cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
ssh-keyscan 172.24.0.11 >> /root/.ssh/known_hosts
ssh-copy-id -i /root/.ssh/id_rsa root@172.24.0.11
reboot
SCRIPT

Vagrant.configure(2) do |config|
  config.vm.define "openshift" do |conf|
    conf.vm.box = "centos/7"
    conf.vm.hostname = 'openshift.example.com'
    conf.vm.network "private_network", ip: "172.24.0.11"
    conf.vm.provider "virtualbox" do |v|
      v.memory = 4096
      v.cpus = 2
    end
    conf.vm.provision "shell", inline: $lab_openshift
  end

  config.vm.define "idm" do |conf|
    conf.vm.box = "centos/7"
    conf.vm.hostname = 'idm.example.com'
    conf.vm.network "private_network", ip: "172.24.0.12"
    conf.vm.provider "virtualbox" do |v|
      v.memory = 2048
      v.cpus = 1
    end
    conf.vm.provision "shell", inline: $lab_idm
  end
end
The preceding file may seem complicated compared to the one from Chapter 6, OpenShift Installation, but all it does is automate the steps performed manually in that chapter, because the purpose of this chapter is to discuss security while building on the knowledge you have gained so far. It also sets up a FreeIPA server on a second VM and creates a user that will be used later in this chapter.
The systemctl restart dbus command is necessary to prevent the FreeIPA installation from failing during the restart of the certificate manager.

We used the same simple password for both the directory manager and IPA admin for simplicity, but in a production setup, make sure that you use complex and unique passwords!
Run vagrant up and wait until it finishes all the work. It may take up to 30 minutes, depending on your internet connectivity and compute resources:
$ vagrant up
Bringing machine 'openshift' up with 'virtualbox' provider...
Bringing machine 'idm' up with 'virtualbox' provider...
...
<output omitted>
...

Once it's done, open an SSH session into the openshift VM and become root:
$ vagrant ssh openshift
[vagrant@openshift ~]$ sudo -i
[root@openshift ~]#
Do not be alarmed by some of the output in red produced by the command above. Many CentOS commands, yum among them, write warnings, errors, and other informational messages to standard error, all of which Vagrant interprets as errors.
Then use the following Ansible inventory file to install OpenShift on the openshift VM. If you went through Chapter 6, OpenShift Installation, you will notice that this is the same file with the openshift_master_identity_providers variable added:
# cat /etc/ansible/hosts
...
<output omitted>
...
[masters]
172.24.0.11

[nodes]
172.24.0.11 openshift_node_labels="{'region': 'infra', 'zone': 'default'}" openshift_schedulable=true

[etcd]
172.24.0.11

[OSEv3:vars]
openshift_deployment_type=origin
openshift_disable_check=memory_availability,disk_availability
openshift_ip=172.24.0.11
ansible_service_broker_install=false
openshift_master_cluster_hostname=172.24.0.11
openshift_master_cluster_public_hostname=172.24.0.11
openshift_hostname=172.24.0.11
openshift_public_hostname=172.24.0.11
openshift_master_identity_providers=[{'name': 'LDAP', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'mappingMethod': 'claim', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'insecure': 'true', 'bindDN': 'uid=admin,cn=users,cn=accounts,dc=idm,dc=example,dc=com', 'bindPassword': 'idmsecret', 'url': 'ldap://idm.example.com/cn=users,cn=accounts,dc=idm,dc=example,dc=com?uid'}, {'name': 'PASSWORD_FILE', 'challenge': 'true', 'login': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim', 'filename': '/etc/origin/master/.users'}]

[OSEv3:children]
masters
nodes
etcd
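The openshift_master_identity_providers value above is a Python-style literal, which is how Ansible's INI inventory parser reads it. The following Python script is an added example, not code from the book or from openshift-ansible: it parses that line (embedded as a constructed copy), then audits the settings a security reviewer would question in it. In particular, `insecure: 'true'` together with an `ldap://` URL means the bind DN password and every user's login password cross the network in cleartext, `bindPassword` sits in cleartext in the inventory file, and two providers that both use `mappingMethod: claim` will refuse the second identity for any username present in both directories. The `harden_ldap_provider` helper and the `/etc/origin/master/idm-ca.crt` path are assumptions for illustration; the `ca` key it sets is the provider's real field for the CA bundle that signed the LDAP server certificate.

```python
import ast
from urllib.parse import urlsplit

# Constructed copy of the openshift_master_identity_providers line from the
# inventory above. Ansible's INI inventory plugin evaluates values that look
# like Python literals with ast.literal_eval, so the same parser is used here.
INVENTORY_LINE = (
    "openshift_master_identity_providers=[{'name': 'LDAP', 'challenge': 'true', "
    "'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'mappingMethod': 'claim', "
    "'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], "
    "'preferredUsername': ['uid']}, 'insecure': 'true', "
    "'bindDN': 'uid=admin,cn=users,cn=accounts,dc=idm,dc=example,dc=com', "
    "'bindPassword': 'idmsecret', "
    "'url': 'ldap://idm.example.com/cn=users,cn=accounts,dc=idm,dc=example,dc=com?uid'}, "
    "{'name': 'PASSWORD_FILE', 'challenge': 'true', 'login': 'true', "
    "'kind': 'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim', "
    "'filename': '/etc/origin/master/.users'}]"
)

# Mapping methods OpenShift 3.x accepts for an identity provider
VALID_MAPPING_METHODS = {"claim", "lookup", "add", "generate"}


def parse_identity_providers(line):
    """Return the provider list from an 'openshift_master_identity_providers=...' line."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "openshift_master_identity_providers":
        raise ValueError("not an openshift_master_identity_providers line")
    providers = ast.literal_eval(value.strip())
    if not isinstance(providers, list) or not all(isinstance(p, dict) for p in providers):
        raise ValueError("expected a list of provider dictionaries")
    return providers


def is_true(value):
    # Inventory values arrive as the strings 'true' / 'false'
    return str(value).lower() == "true"


def audit_identity_providers(providers):
    """Return (provider name, finding) pairs for settings a reviewer should question."""
    findings = []
    claim_providers = []
    for p in providers:
        name = p.get("name", "<unnamed>")
        method = p.get("mappingMethod", "claim")
        if method not in VALID_MAPPING_METHODS:
            findings.append((name, "unknown mappingMethod %r" % method))
        elif method == "claim":
            claim_providers.append(name)
        if p.get("kind") == "LDAPPasswordIdentityProvider":
            scheme = urlsplit(p.get("url", "")).scheme
            if scheme == "ldap" and is_true(p.get("insecure")):
                findings.append((name, "insecure=true with ldap://: bind and user "
                                       "passwords cross the network in cleartext"))
            if scheme == "ldaps" and is_true(p.get("insecure")):
                findings.append((name, "insecure=true cannot be combined with ldaps://"))
            if isinstance(p.get("bindPassword"), str) and p["bindPassword"]:
                findings.append((name, "bindPassword is kept in cleartext in the inventory"))
        elif p.get("kind") == "HTPasswdPasswordIdentityProvider":
            if not str(p.get("filename", "")).startswith("/"):
                findings.append((name, "htpasswd filename must be an absolute path on the master"))
    if len(claim_providers) > 1:
        findings.append(("*", "providers %s all use mappingMethod=claim: a username present "
                              "in more than one of them can only log in via the first that "
                              "claims it" % ", ".join(claim_providers)))
    return findings


def harden_ldap_provider(provider, ca_file="/etc/origin/master/idm-ca.crt"):
    """Assumed helper: the same provider with TLS enforced (ldaps:// and insecure=false)."""
    hardened = dict(provider)
    parts = urlsplit(provider["url"])
    hardened["url"] = parts._replace(scheme="ldaps").geturl()
    hardened["insecure"] = "false"
    hardened["ca"] = ca_file  # CA bundle that signed the LDAP server certificate (assumed path)
    return hardened


if __name__ == "__main__":
    providers = parse_identity_providers(INVENTORY_LINE)
    for name, finding in audit_identity_providers(providers):
        print("[%s] %s" % (name, finding))
    fixed = [harden_ldap_provider(p) if p["kind"] == "LDAPPasswordIdentityProvider" else p
             for p in providers]
    print("after hardening:", [f for _, f in audit_identity_providers(fixed)])
```

Run against the inventory above, the audit reports the cleartext LDAP connection, the inline bind password, and the double use of claim; after `harden_ldap_provider` only the last two remain, which are decisions (where to keep the bind secret, which mapping method each provider should use) rather than settings the script can change for you. Switching to `ldaps://` in a real lab also means exporting the FreeIPA CA certificate to the master and pointing `ca` at it, otherwise the master will reject the server certificate.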
Even though openshift_schedulab...
