OpenShift

Expanding on my previous blog post on getting buildah to run with user namespaces or as rootless. There is another important security topic to talk about is how to run everything on OpenShift Pipeline as non root and not just the buildah task. On OpenShift Pipelines we made the conscious decision to run all the TaskRuns and Pipelinerun by default under a custom ServiceAccount called pipelines. That’s it, unless overridden by the user in its pipelinerun or taskrun, it will use the pipelines ServiceAccount which has a few elevated privileges....

Part of my new job working with Fabric8 is to having it deployed via minishift. Everything is nice and working (try it it’s awesome https://fabric8.io/guide/getStarted/gofabric8.html) as long you deploy it on your local workstation. The thing is that my desktop macosx laptop has only 8GB of RAM and is not very well up to the task to get all the services being deployed when I have my web browser and other stuff hogging the memory....

By default when you install an OpenShift install it would automatically generate its own certificates. It uses those certificates for communication between nodes and as well to automatically auth the admin account. By default those same certificates are the one provided for the OpenShift console and API. Since it is auto generated you will when connecting to the website with you webbrowser get an ugly error message : and as the error message says that’s not very secure #sadpanda....

I have been meaning to automate my deployment directly from my small python application without having to use the openshift client (oc) directly. OpenShift use a REST API and the oc client uses it to communicate with the server, you can actually see all the REST operation the oc client is doing if you specify the –loglevel=7 (it goes to 10 to get even more debug info) : $ oc --loglevel=7 get pod 2>&1 |head -10 I0919 09:59:20....

In latest openshift client (oc) there is a nifty (relatively) new feature to get you a OpenShift cluster starting (very) quickly. It’s a pretty nice way to get you a new openshift origin environment on your laptop without the hassle. On macosx there is a (as well relatively) new lightweight virtualization solution called xhyve it’s a bit like KVM in the sense of being lightweight and does not need like virtualbox or vmware to get a UI running....

Sometime ago or at least when I started doing programming in the late 90s XML was all the rage, it promised to be the panacea for everything from data to storage to data presentation and processing. People realized that it was just complexity as Joel Spolski points out an attempt to make the complex seem accessible to ordinary people.. Really people were annoyed to write all those tags as those ‘<’ and ‘>’ are hard to reach on a qwerty keyboard....

I am lucky enough to have a cloud available to me for free it obviously runs OpenStack and I can kick VM like I want. Since I am playing with OpenShift a lot lately I have seen issues in that cloud where pushing an image to the internal registry was just randomly failing. Networking is definitely not my pedigree but I could definitely sense it was a networking issue. Since I could nost just blame the underlying cloud (hey it’s free!...

Something that has come up when using OpenShift and that was tricky enough to be shared on a blog post. On OpenShift you have this routers and registry which by default are on the master nodes and that’s fine. Things get tricky if you don’t want anything else in there. I finally figured this out after digging in some internal mailing lists and this is actually not too difficult. The key thing is to have this on the ‘default’ namespace annotations :...

I have been experimenting a lot with OpenShift v3 and love how everything work well together plugging Kubernetes and Docker with a PAAS workflow. One of the thing that I don’t get is to have to write manually verbose json templates, it’s wonderful for machines and to parse but writing it can get as painful as (dear I said it) XML. OpenShift natively support very nicely yaml files and it’s a straight conversion of what you would have in json format....