Learn OpenShift
eBook - ePub

Learn OpenShift

Deploy, build, manage, and migrate applications with OpenShift Origin 3.9

  1. 504 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
eBook - ePub

Learn OpenShift

Deploy, build, manage, and migrate applications with OpenShift Origin 3.9

About this book

Gain hands-on experience of installing OpenShift Origin 3.9 in a production configuration and managing applications using the platform you built

Key Features

  • Gain hands-on experience of working with Kubernetes and Docker
  • Learn how to deploy and manage applications in OpenShift
  • Get a practical approach to managing applications on a cloud-based platform
  • Explore multi-site and HA architectures of OpenShift for production

Book Description

Docker containers transform application delivery technologies to make them faster and more reproducible, and to reduce the amount of time wasted on configuration. Managing Docker containers in the multi-node or multi-datacenter environment is a big challenge, which is why container management platforms are required. OpenShift is a new generation of container management platforms built on top of both Docker and Kubernetes. It brings additional functionality to the table, something that is lacking in Kubernetes. This new functionality significantly helps software development teams to bring software development processes to a whole new level.

In this book, we'll start by explaining the container architecture, Docker, and CRI-O overviews. Then, we'll look at container orchestration and Kubernetes. We'll cover OpenShift installation, and its basic and advanced components. Moving on, we'll deep dive into concepts such as deploying application OpenShift. You'll learn how to set up an end-to-end delivery pipeline while working with applications in OpenShift as a developer or DevOps. Finally, you'll discover how to properly design OpenShift in production environments.

This book gives you hands-on experience of designing, building, and operating OpenShift Origin 3.9, as well as building new applications or migrating existing applications to OpenShift.

What you will learn

  • Understand the core concepts behind containers and container orchestration tools
  • Understand Docker, Kubernetes, and OpenShift, and their relation to CRI-O
  • Install and work with Kubernetes and OpenShift
  • Understand how to work with persistent storage in OpenShift
  • Understand basic and advanced components of OpenShift, including security and networking
  • Manage deployment strategies and application's migration in OpenShift
  • Understand and design OpenShift high availability

Who this book is for

The book is for system administrators, DevOps engineers, solutions architects, or any stakeholder who wants to understand the concept and business value of OpenShift.

Trusted by 375,005 students

Access to over 1.5 million titles for a fair monthly price.

Study more efficiently using our study tools.

Information

Publisher
Packt Publishing
Year
2018
Print ISBN
9781788992329
Edition
1
eBook ISBN
9781788999649
Topic
Computer Science
Subtopic
Cloud Computing
Index
Computer Science

Security in OpenShift

Previously, we worked with advanced OpenShift resources, such as ImageStreams, ConfigMaps, and templates. Those resources allow you to simplify OpenShift resource management and the application delivery process.
In this chapter, we will introduce you to the realm of security in OpenShift. Any business' success depends on many factors, one of which is the company's ability to implement different security strategies for different users, departments, and applications. OpenShift is an enterprise-ready application platform that supports multiple security features, making it possible to integrate it into any corporate security landscape.
This chapter will provide you with an understanding of the following concepts:
  • Authentication—users and identities, service accounts, and identity providers
  • Authorization and role-based access control
  • Admission controllers
  • Security context constraints
  • Storing sensitive data in OpenShift

Technical requirements

For this section, we will have to make use of Vagrant to demonstrate the difference between these methods, as we will require two VMs: one for single-node OpenShift cluster, and the other for the FreeIPA server. Use the following Vagrantfile to spin up an environment:
$ cat Vagrantfile 
$lab_idm = <<SCRIPT
cat <<EOF >> /etc/hosts
172.24.0.11 openshift.example.com openshift
172.24.0.12 idm.example.com idm
EOF
sed -i '/^127.0.0.1.*idm.*$/d' /etc/hosts
yum -y update
yum -y install ipa-server
systemctl restart dbus
ipa-server-install -r IDM.EXAMPLE.COM -n idm.example.com -p idmsecret -a idmsecret --unattended
echo idmsecret | kinit admin
echo supersecret | ipa user-add alice --first Alice --last Springs --password
SCRIPT

$lab_openshift = <<SCRIPT
cat <<EOF >> /etc/hosts
172.24.0.12 idm.example.com idm
EOF
yum -y update
yum install -y epel-release git docker
yum install -y ansible
systemctl start docker
systemctl enable docker
git clone -b release-3.9 https://github.com/openshift/openshift-ansible /root/openshift-ansible
ssh-keygen -f /root/.ssh/id_rsa -N ''
cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
ssh-keyscan 172.24.0.11 >> .ssh/known_hosts
cp .ssh/known_hosts /root/.ssh/known_hosts
ssh-copy-id -i /root/.ssh/id_rsa [email protected]
reboot
SCRIPT

Vagrant.configure(2) do |config|
 config.vm.define "openshift" do |conf|
 conf.vm.box = "centos/7"
 conf.vm.hostname = 'openshift.example.com'
 conf.vm.network "private_network", ip: "172.24.0.11"
 conf.vm.provider "virtualbox" do |v|
 v.memory = 4096
 v.cpus = 2
 end
 conf.vm.provision "shell", inline: $lab_openshift
 end

 config.vm.define "idm" do |conf|
 conf.vm.box = "centos/7"
 conf.vm.hostname = 'idm.example.com'
 conf.vm.network "private_network", ip: "172.24.0.12"
 conf.vm.provider "virtualbox" do |v|
 v.memory = 2048
 v.cpus = 1
 end
 conf.vm.provision "shell", inline: $lab_idm
 end
end
The preceding file may seem complicated compared to the one from the Chapter 6, OpenShift Installation, but all it does is automates the steps, performed in that chapter manually, because the purpose of this chapter is to discuss security while building on the knowledge you gained up to this point. Also, it sets up FreeIPA server on another VM and creates a user that will be used later in this chapter.
The command systemctl restart dbus is necessary to prevent installation of FreeIPA from failing during restart of certification manager.

We used the same simple password for both the directory manager and IPA admin for simplicity, but in a production setup, make sure that you use complex and unique passwords!
Run vagrant up and wait until it finishes all the work. It may take up to 30 mins depending on your internet connectivity and compute resources:
$ vagrant up
Bringing machine 'openshift' up with 'virtualbox' provider...
Bringing machine 'idm' up with 'virtualbox' provider...
...
<output omitted>
...

Once it's done, open SSH session into the openshift VM and become root:
$ vagrant ssh openshift
[vagrant@openshift ~]$ sudo -i
[root@openshift ~]#
Do not be alarmed by some of the output in red produced by the command above. Many CentOS commands, like yum, send warning, errors, and even other information alike to the standard error, which all gets interpreted as errors by Vagrant.
Then use the following Ansible inventory file to install OpenShift on the openshift VM. If you went through the Chapter 6, OpenShift Installation, you will notice that this is the same file with added openshift_master_identity_providers variable:
# cat /etc/ansible/hosts
...
<output omitted>
...
[masters]
172.24.0.11

[nodes]
172.24.0.11 openshift_node_labels="{'region': 'infra', 'zone': 'default'}" openshift_schedulable=true

[etcd]
172.24.0.11

[OSEv3:vars]
openshift_deployment_type=origin
openshift_disable_check=memory_availability,disk_availability
openshift_ip=172.24.0.11
ansible_service_broker_install=false
openshift_master_cluster_hostname=172.24.0.11
openshift_master_cluster_public_hostname=172.24.0.11
openshift_hostname=172.24.0.11
openshift_public_hostname=172.24.0.11
openshift_master_identity_providers=[{'name': 'LDAP', 'challenge': 'true', 'login': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'mappingMethod': 'claim', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'insecure': 'true', 'bindDN': 'uid=admin,cn=users,cn=accounts,dc=idm,dc=example,dc=com', 'bindPassword': 'idmsecret', 'url': 'ldap://idm.example.com/cn=users,cn=accounts,dc=idm,dc=example,dc=com?uid'}, {'name': 'PASSWORD_FILE', 'challenge': 'true', 'login': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'mappingMethod': 'claim', 'filename': '/etc/origin/master/.users'}]

[OSEv3:children]
masters
nodes
etcd
Even though openshift_schedulab...

Table of contents

  1. Title Page
  2. Copyright and Credits
  3. Packt Upsell
  4. Contributors
  5. Preface
  6. Containers and Docker Overview
  7. Kubernetes Overview
  8. CRI-O Overview
  9. OpenShift Overview
  10. Building an OpenShift Lab
  11. OpenShift Installation
  12. Managing Persistent Storage
  13. Core OpenShift Concepts
  14. Advanced OpenShift Concepts
  15. Security in OpenShift
  16. Managing OpenShift Networking
  17. Deploying Simple Applications in OpenShift
  18. Deploying Multi-Tier Applications Using Templates
  19. Building Application Images from Dockerfile
  20. Building PHP Applications from Source Code
  21. Building a Multi-Tier Application from Source Code
  22. CI/CD Pipelines in OpenShift
  23. OpenShift HA Architecture Overview
  24. OpenShift HA Design for Single and Multiple DCs
  25. Network Design for OpenShift HA
  26. What is New in OpenShift 3.9?
  27. Assessments
  28. Other Books You May Enjoy

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn how to download books offline
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.5M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1.5 million books across 990+ topics, we’ve got you covered! Learn about our mission
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more about Read Aloud
Yes! You can use the Perlego app on both iOS and Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app
Yes, you can access Learn OpenShift by Denis Zuev, Artemii Kropachev, Aleksey Usov in PDF and/or ePUB format, as well as other popular books in Computer Science & Cloud Computing. We have over 1.5 million books available in our catalogue for you to explore.