OpenShift: A Collection of Problems from Getting Started


1. Setting resource quotas

For details, see

https://docs.openshift.com/enterprise/3.2/admin_guide/quota.html#sample-resource-quota-definitions

First switch to the system:admin user

ericdeMacBook-Pro:minishift ericnie$ oc login -u system:admin
Logged into "https://192.168.99.100:8443" as "system:admin" using existing credentials.

Create a compute-resource.yaml file

ericdeMacBook-Pro:minishift ericnie$ cat compute-resource.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
spec:
  hard:
    pods: "4"
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi

Create the resource quota for the nodejs-examples project

ericdeMacBook-Pro:minishift ericnie$ oc create -f compute-resource.yaml -n nodejs-examples
resourcequota "compute-resources" created

View it in the web console

 

2. Differences between oc and kubectl

See the documentation

https://docs.openshift.com/container-platform/3.10/cli_reference/differences_oc_kubectl.html

The enhancements in detail include

Full support for OpenShift resources
Resources such as DeploymentConfigs, BuildConfigs, Routes, ImageStreams, and ImageStreamTags are specific to OpenShift distributions, and not available in standard Kubernetes.

Authentication
The oc binary offers a built-in login command which allows authentication. See developer authentication and configuring authentication for more information.

Additional commands
For example, the additional command new-app makes it easier to get new applications started using existing source code or pre-built images.

 

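3. Conceptual differences between OpenShift and Kubernetes

Here is a diagram I borrowed: the yellow items are OpenShift components and the purple ones are Kubernetes components.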

 

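The first difference is the concepts of Route and Router. OpenShift exposes internal services through a Route, that is, through a domain name, so external callers can reach the service by that domain name. In OpenShift, the Router is implemented by an HAProxy container and provides reverse-proxy functionality. The mapping to Kubernetes concepts is as follows

The second main concept is Project

In Kubernetes, namespaces have no access control: any node in the cluster can see the different namespaces and the resources inside them. A project wraps the namespace concept and adds access control; through users, groups, and the authentication and authorization modules, the access allowed between different projects can be controlled.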

 

4. OpenShift startup parameters

When starting with openshift start, you can specify --public-master. If it is not specified, the masterPublicURL from the webconsole-config ConfigMap in the openshift-web-console namespace is used.

ericdeMacBook-Pro:templates ericnie$ oc get configmap --all-namespaces
NAMESPACE                  NAME                                    DATA      AGE
kube-system                extension-apiserver-authentication      6         5d
kube-system                kube-controller-manager                 0         5d
kube-system                kube-scheduler                          0         5d
kube-system                openshift-master-controllers            0         5d
openshift-core-operators   openshift-web-console-operator-config   1         5d
openshift-core-operators   openshift-web-console-operator-lock     0         5d
openshift-web-console      webconsole-config                       1         5d

 

ericdeMacBook-Pro:templates ericnie$ oc get configmap webconsole-config -n openshift-web-console -o yaml
apiVersion: v1
data:
  webconsole-config.yaml: |
    {"kind":"WebConsoleConfiguration","apiVersion":"webconsole.config.openshift.io/v1","servingInfo":{"bindAddress":"0.0.0.0:8443","bindNetwork":"tcp4","certFile":"/var/serving-cert/tls.crt","keyFile":"/var/serving-cert/tls.key","clientCA":"","namedCertificates":null,"maxRequestsInFlight":0,"requestTimeoutSeconds":0},"clusterInfo":{"consolePublicURL":"https://192.168.99.100:8443/console/","masterPublicURL":"https://192.168.99.100:8443","loggingPublicURL":"","metricsPublicURL":"","logoutPublicURL":""},"features":{"inactivityTimeoutMinutes":0,"clusterResourceOverridesEnabled":false},"extensions":{"scriptURLs":[],"stylesheetURLs":[],"properties":null}}
kind: ConfigMap
metadata:
  creationTimestamp: 2018-09-17T23:35:09Z
  name: webconsole-config
  namespace: openshift-web-console
  resourceVersion: "1765"
  selfLink: /api/v1/namespaces/openshift-web-console/configmaps/webconsole-config
  uid: 50a5db2f-bad2-11e8-b431-0800276bcf3b

 

5. Pushing an image to the minishift/CDK registry

Set the environment variables to connect to the CDK's Docker daemon

eval $(minishift docker-env)

Log in to the image registry

ericdeMacBook-Pro:template ericnie$ docker login -u `whoami` --password  `oc whoami -t` 172.30.1.1:5000
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

 

Run the build

ericdeMacBook-Pro:nginx ericnie$ docker build -t 172.30.1.1:5000/s2i-tomcat/nginx:1.14 .
Sending build context to Docker daemon  57.34kB
Step 1/5 : FROM docker.io/nginx:1.14
Trying to pull repository docker.io/library/nginx ...
sha256:2fa968a4b4013c2521115f6dde277958cf03229b95f13a0c8df831d3eca1aa61: Pulling from docker.io/library/nginx
802b00ed6f79: Pull complete
ed418bf9bf60: Pull complete
94fedb7de3b4: Pull complete
Digest: sha256:2fa968a4b4013c2521115f6dde277958cf03229b95f13a0c8df831d3eca1aa61
Status: Downloaded newer image for docker.io/nginx:1.14
 ---> 86898218889a
Step 2/5 : LABEL io.openshift.expose-services "8080:http"
 ---> Running in 73734282ca2a
 ---> eec013f84ad9
Removing intermediate container 73734282ca2a
Step 3/5 : COPY ./default.conf /etc/nginx/conf.d/default.conf
 ---> 4551d15551a0
Removing intermediate container 38608031666f
Step 4/5 : RUN chmod -R 777 /var/log/nginx /var/cache/nginx /var/run     && chgrp -R 0 /etc/nginx     && chmod -R g=u /etc/nginx
 ---> Running in 4116c4e42749

 ---> 33c661ad8f2c
Removing intermediate container 4116c4e42749
Step 5/5 : EXPOSE 8080
 ---> Running in e53201093cc2
 ---> a755a18084c7
Removing intermediate container e53201093cc2
Successfully built a755a18084c7

Because the image exists only locally at this point, it needs to be pushed to the image registry

ericdeMacBook-Pro:nginx ericnie$ docker push 172.30.1.1:5000/s2i-tomcat/nginx:1.14
The push refers to a repository [172.30.1.1:5000/s2i-tomcat/nginx]
c80e750e02fe: Pushed
efab8e612298: Pushed
935e451e5168: Pushed
4be6f9c212cc: Pushed
8b15606a9e3e: Pushed
1.14: digest: sha256:b6609de5c201305fd6b1061f8165bf6b9ff981714423ace6799217c11643f01b size: 1363

 

List the images

ericdeMacBook-Pro:nginx ericnie$ oc get is -n s2i-tomcat
NAME        DOCKER REPO                            TAGS      UPDATED
myapp       172.30.1.1:5000/s2i-tomcat/myapp       latest
nginx       172.30.1.1:5000/s2i-tomcat/nginx       1.14      32 minutes ago
s2itomcat   172.30.1.1:5000/s2i-tomcat/s2itomcat   latest    26 hours ago

 

6. minishift startup error

If minishift fails at startup with the following message

-- Registering machine using subscription-manager
   Registration in progress .......................................................... FAIL [4m16.1s]
Error to register VM: ssh command error:
command : sudo -E subscription-manager register --auto-attach --username eric.nie@163.com --password ********
err     : exit status 70
output  : Registering to: subscription.rhsm.redhat.com:443/subscription
The system has been registered with ID: 0db491ae-a8fd-4e7d-b4c7-e97653f9a5db
The registered system name is: minishift
System certificates corrupted. Please reregister.

 

Solution: add the following parameter at startup

minishift start --vm-driver=virtualbox --memory=4096 --skip-registration

 

7. minishift or CDK has no network access on a Mac

 

CDK reported an error at startup: the VM could not reach the external network. I struggled with this for two evenings :(

-- Checking if external host is reachable from the Minishift VM ...
   Pinging 8.8.8.8 ... fail

First check whether the terminal itself can reach the internet

nc -w 3 -z www.baidu.com 80
nc -w 3 -z 8.8.8.8 53

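Then check the DNS settings in /etc/resolv.conf. It turned out that resolv.conf had been changed to the router's IP.

In the macOS settings UI, manually set the DNS to an external DNS server

Start again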

minishift start --vm-driver virtualbox --skip-registration

 

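8. Specifying the IP at minishift startup

Across multiple builds, minishift may get a different IP at startup, which causes authentication to fail at startup with the following error: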

- Starting OpenShift container ...
   Starting OpenShift using container 'origin'
   Waiting for API server to start listening
FAIL
   Error: cannot access master readiness URL https://192.168.99.100:8443/healthz/ready
   Details:
     Last 10 lines of "origin" container log:
     I1011 16:12:05.043763    2490 cache.go:32] Waiting for caches to sync for APIServiceRegistrationController controller
     I1011 16:12:05.084713    2490 logs.go:41] http: TLS handshake error from 192.168.99.100:48274: EOF
     I1011 16:12:05.088441    2490 logs.go:41] http: TLS handshake error from 192.168.99.100:48278: EOF
     I1011 16:12:05.095914    2490 logs.go:41] http: TLS handshake error from 192.168.99.100:48282: EOF
     I1011 16:12:05.099899    2490 logs.go:41] http: TLS handshake error from 192.168.99.100:48284: EOF
     I1011 16:12:05.103700    2490 logs.go:41] http: TLS handshake error from 192.168.99.100:48286: EOF
     I1011 16:12:05.103750    2490 autoregister_controller.go:136] Starting autoregister controller
     I1011 16:12:05.103759    2490 cache.go:32] Waiting for caches to sync for autoregister controller
     I1011 16:12:05.103791    2490 customresource_discovery_controller.go:152] Starting DiscoveryController
     I1011 16:12:05.103814    2490 naming_controller.go:274] Starting NamingConditionController


   Caused By:
     Error: Get https://192.168.99.100:8443/healthz/ready: x509: certificate is valid for 10.0.2.15, 127.0.0.1, 172.17.0.1, 172.30.0.1, 192.168.99.104, not 192.168.99.100

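The first successful start obtained 192.168.99.104, while the second start automatically obtained 192.168.99.100, so the address configured in the minishift_kubeconfig environment variable and the certificate no longer matched. Use the command below to set the host address back to 104.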

 

minishift start --vm-driver virtualbox --public-hostname=192.168.99.104 --routing-suffix 192.168.99.104.nip.io
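
The diagnosis above can be scripted. The following is an added example, not part of the original post: it parses the x509 error text, lists the addresses the certificate covers, and prints the restart command with the address the certificate was issued for. The function names are hypothetical, and picking the address on the same /24 as the rejected one is an assumption that fits the host-only network shown here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample: the "Caused By" line quoted in section 8.
SAMPLE_ERR='Error: Get https://192.168.99.100:8443/healthz/ready: x509: certificate is valid for 10.0.2.15, 127.0.0.1, 172.17.0.1, 172.30.0.1, 192.168.99.104, not 192.168.99.100'

# Print the addresses the serving certificate was issued for, one per line.
cert_sans() {
    printf '%s\n' "$1" |
        sed -n 's/.*certificate is valid for \(.*\), not .*/\1/p' |
        tr ',' '\n' |
        sed 's/^ *//; s/ *$//'
}

# Print the address the client tried to reach and the certificate rejected.
requested_host() {
    printf '%s\n' "$1" |
        sed -n 's/.*certificate is valid for .*, not \([^ ]*\).*/\1/p'
}

# Heuristic (assumption): the address from the first successful start is the
# certificate address sharing its first three octets with the rejected one.
original_ip() {
    prefix=$(requested_host "$1")
    [ -n "$prefix" ] || return 1
    prefix=${prefix%.*}
    cert_sans "$1" | while IFS= read -r san; do
        case $san in
            "$prefix".*) printf '%s\n' "$san"; break ;;
        esac
    done
}

# Print the restart command from this section with the recovered address.
suggest_start() {
    ip=$(original_ip "$1") || return 1
    [ -n "$ip" ] || { echo "no certificate address on the same subnet" >&2; return 1; }
    printf 'minishift start --vm-driver virtualbox --public-hostname=%s --routing-suffix %s.nip.io\n' "$ip" "$ip"
}

suggest_start "$SAMPLE_ERR"
```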

 

9. Adding a user

Run on the master node

htpasswd /etc/origin/master/htpasswd  ericnie

After that, the user can log in and create projects.

