Category: OpenShift

  • Learning Resources for Operators – First Two Weeks Notes

    To quote the Kubernetes website, “The Operator pattern captures how you can write code to automate a task beyond what Kubernetes itself provides.” The following is a compendium to use while learning Operators.

    The de facto SDK to use is the Operator SDK, which provides Helm, Ansible and Go scaffolding to support your implementation of the Operator pattern.

    The following are education classes on the Operator SDK:

    When running through the CO0201EN intermediate operators course, I did hit the case where I had to create a ClusterRole and ClusterRoleBinding for the ServiceAccount; here is a snippet that might help others:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      # ClusterRoles are cluster-scoped, so metadata carries no namespace
      name: service-reader-cr-mc
    rules:
    - apiGroups: ["cache.bastide.org"] # the operator's own API group (the CRD's group)
      resources: ["memcacheds"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      # ClusterRoleBindings are cluster-scoped as well
      name: ext-role-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: service-reader-cr-mc
    subjects:
    - kind: ServiceAccount
      # the ServiceAccount the operator's controller manager runs as
      namespace: memcached-operator-system
      name: memcached-operator-controller-manager

    The reason for the above: I had missed adding a kubebuilder declaration:

    //+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
    //+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch

    Thanks to https://stackoverflow.com/a/60334649/1873438
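    As an added example (not code from the original post), the following Python script parses `//+kubebuilder:rbac` markers like the two above into rules, renders the `rules:` block they would generate, and checks coverage with the same any-rule-matches semantics Kubernetes RBAC uses; the marker text is the two lines quoted above, and the `cache.bastide.org`/`memcacheds` probe is constructed for the example.

```python
"""Turn kubebuilder RBAC markers into ClusterRole rules and test coverage.
Added example; MARKERS is the two markers quoted in the post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MARKER = re.compile(r"^//\s*\+kubebuilder:rbac:(.*)$")

@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

def parse_marker(line: str) -> Optional[Rule]:
    """Parse one marker comment line; None for lines that are not markers."""
    m = MARKER.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(1).split(","))
    # kubebuilder accepts groups=core or groups="" for the core API group,
    # which the API server spells as the empty string.
    groups = tuple("" if g in ("core", '""') else g
                   for g in fields.get("groups", "").split(";"))
    return Rule(groups, tuple(fields["resources"].split(";")),
                tuple(fields["verbs"].split(";")))

def allows(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """RBAC is purely additive: access is granted if any single rule matches."""
    return any((group in r.api_groups or "*" in r.api_groups)
               and (resource in r.resources or "*" in r.resources)
               and (verb in r.verbs or "*" in r.verbs) for r in rules)

def render_rules(rules: List[Rule]) -> str:
    """Render the rules: block controller-gen would write into role.yaml."""
    quote = lambda xs: ", ".join('"%s"' % x for x in xs)
    out = ["rules:"]
    for r in rules:
        out += ["- apiGroups: [%s]" % quote(r.api_groups),
                "  resources: [%s]" % quote(r.resources),
                "  verbs: [%s]" % quote(r.verbs)]
    return "\n".join(out)

# The two markers quoted in the post; the memcacheds probe below is constructed.
MARKERS = """
//+kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
//+kubebuilder:rbac:groups=core,resources=pods,verbs=get;list;watch
"""
RULES = [r for r in map(parse_marker, MARKERS.splitlines()) if r]
# allows(RULES, "cache.bastide.org", "memcacheds", "get") -> False: the CRD needs its own marker.
```

    Running the probe shows that these two markers alone grant nothing on the operator's own CRD, which is exactly the gap the hand-written ClusterRole above closes.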

    The following are articles worth reviewing:

    The following are good Go resources:

    1. Go Code Comments – To write idiomatic Go, you should review the Code Review Comments.
    2. Getting to Go: The Journey of Go’s Garbage Collector – The reference for garbage collection in Go.
    3. An overview of memory management in Go – A good overview of Go memory management.
    4. Golang: Cost of using the heap – Up to a net 1M of allocation seems to stay on the stack; beyond that it seems to land on the heap.
    5. golangci-lint – The aggregated linters project is worth installing and using. It’ll catch many issues and has a corresponding GitHub Action.
    6. Go in 3 Weeks – A comprehensive training for Go. Companion to the GitHub repo.
    7. Defensive Coding Guide: The Go Programming Language

    The following are good OpenShift resources:

    1. Create OpenShift Plugins – You must have a CLI plug-in file that begins with oc- or kubectl-. You create a file and put it in /usr/local/bin/
    2. Details on running Code Ready Containers on Linux – The key hack I learned was to ssh -i ~/.crc/machines/crc/id_ecdsa core@<any host in the /etc/hosts>
      1. I ran on VirtualBox Ubuntu 20.04 with Guest Additions Installed
      2. Virtual Box Settings for the Machine – 6 CPU, 18G
        1. System > Processor > Enable PAE/NX and Enable Nested VT-X/AMD-V (which is a must for it to work)
        2. Network > Change Adapter Type to virtio-net and Set Promiscuous Mode to Allow VMs
      3. Install openssh-server so you can login remotely
      4. It will not install without a windowing system, so I have the default windowing environment installed.
      5. Note, I still get a failure on startup complaining about a timeout. I waited about 15 minutes after this, and the command oc get nodes --context admin --cluster crc --kubeconfig .crc/cache/crc_libvirt_4.10.3_amd64/kubeconfig now works.
    3. CRC virsh cheatsheet – If you are running Code Ready Containers and need to debug, you can use the virsh cheatsheet.
  • Digital Developer Conference – Hybrid Cloud: Integrating Healthcare Data in a Serverless World

    Recently I developed and presented this lab… which gets released in late September 2021.

    In this lab, developers integrate a healthcare data application using IBM FHIR Server with Red Hat OpenShift Serverless to create and respond to a healthcare scenario.

    This lab is a companion to the session Integrating Healthcare Data in a Serverless World at Digital Developer Conference – Hybrid Cloud.

    The content for this lab can be found at https://ibm.biz/ibm-fhir-server-healthcare-serverless.

    Have fun! Enjoy… Ask Questions… I’m here to help.

  • Playing with buildah and ubi-micro: Part 1

    buildah is an intriguing open source tool to build Open Container Initiative (OCI) container images using a scripted approach instead of a traditional Dockerfile. It’s fascinating, and I’ve started to use podman and buildah to build my project’s images.

    I picked ubi-micro as my starting point. Per Red Hat, ubi-micro is the smallest possible image, excluding the package manager and all of its dependencies that are normally included in a container image. This approach is an alternative to the current release of the IBM FHIR Server image. The following only documents my first stages with Java testing.

    1. On Fedora, install the prerequisites.
    # sudo dnf install buildah -y
    Last metadata expiration check: 0:23:36 ago on Thu 02 Sep 2021 10:06:55 AM EDT.
    Dependencies resolved.
    =====================================================================================================================================================================
     Package                               Architecture                         Version                                      Repository                             Size
    =====================================================================================================================================================================
    Installing:
     buildah                               x86_64                               1.21.4-5.fc33                                updates                               7.9 M
    
    Transaction Summary
    =====================================================================================================================================================================
    Install  1 Package
    
    Total download size: 7.9 M
    Installed size: 29 M
    Downloading Packages:
    buildah-1.21.4-5.fc33.x86_64.rpm                                                                                                     7.2 MB/s | 7.9 MB     00:01
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                6.2 MB/s | 7.9 MB     00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                                                                                                             1/1
      Installing       : buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1
      Running scriptlet: buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1
      Verifying        : buildah-1.21.4-5.fc33.x86_64                                                                                                                1/1
    
    Installed:
      buildah-1.21.4-5.fc33.x86_64
    
    Complete!
    
    2. Start the new image
    # microcontainer=$(buildah from registry.access.redhat.com/ubi8/ubi-micro)
    Trying to pull registry.access.redhat.com/ubi8/ubi-micro:latest...
    Getting image source signatures
    Copying blob 4f4fb700ef54 done
    Copying blob 098a109c8679 done
    Copying config c5ba898d36 done
    Writing manifest to image destination
    Storing signatures
    
    3. Confirm the container name.
    # echo $microcontainer
    ubi-micro-working-container
    
    4. Mount the layer locally and display the path.
    # micromount=$(buildah mount $microcontainer)
    # echo $micromount
    /var/lib/containers/storage/overlay/14c524d6a5ef0e94887bc52685dbe911b40a5a9e39a6df00dc3b02e5f5ad7796/merged
    
    5. Set up the AdoptOpenJDK repository.
    cat <<'EOF' > $micromount/etc/yum.repos.d/adoptopenjdk.repo
    [AdoptOpenJDK]
    name=AdoptOpenJDK
    baseurl=http://adoptopenjdk.jfrog.io/adoptopenjdk/rpm/rhel/8/$basearch
    enabled=1
    gpgcheck=1
    gpgkey=https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
    EOF
    
    6. Install to micromount without any ancillary dependencies.
    yum install \
        --installroot $micromount \
        --releasever 8 \
        --setopt install_weak_deps=false \
        --nodocs -y \
        adoptopenjdk-11-openj9xl.x86_64
    

    Results in:

    ------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                               8.9 MB/s | 193 MB     00:21
    warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
    warning: /var/lib/containers/storage/overlay/14c524d6a5ef0e94887bc52685dbe911b40a5a9e39a6df00dc3b02e5f5ad7796/merged/var/cache/dnf/AdoptOpenJDK-096a01411439d076/packages/adoptopenjdk-11-openj9xl-11.0.10+9.openj9-0.24.0-3.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 74885c03: NOKEY
    AdoptOpenJDK                                                                                         13 kB/s | 3.1 kB     00:00
    warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
    Importing GPG key 0x74885C03:
     Userid     : "AdoptOpenJDK (used for publishing RPM and DEB files) <adoptopenjdk@gmail.com>"
     Fingerprint: 8ED1 7AF5 D7E6 75EB 3EE3 BCE9 8AC3 B291 7488 5C03
     From       : https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public
    
    7. Clean up the dependencies
    # yum clean all \
     --installroot $micromount
    warning: Found bdb Packages database while attempting sqlite backend: using bdb backend.
    61 files removed
    
    8. Unmount the container
    buildah umount $microcontainer
    
    9. Commit the image
    buildah commit $microcontainer ubi-micro-java
    
    10. Confirm the image
    # buildah images
    REPOSITORY                                  TAG        IMAGE ID       CREATED          SIZE
    localhost/ubi-micro-java                    latest     334404b8ebf2   22 seconds ago   43 MB
    

    It’s about 40M smaller than ubi-minimal, as it has no docs or ancillary dependencies.

    Tip: Starting with the IBM FHIR Server

    To start with the IBM FHIR Server image, you can use:

    buildah from --pull docker.io/ibmcom/ibm-fhir-server:latest
    
    [root@localhost ~]# buildah from --pull docker.io/ibmcom/ibm-fhir-server:latest
    Trying to pull docker.io/ibmcom/ibm-fhir-server:latest...
    Getting image source signatures
    Copying blob e2bef77118c7 done
    Copying blob 45cc8b7f2b43 done
    Copying blob 5627e846e80f done
    Copying blob 5f6bf015319e done
    Copying blob 87212cfd39ea done
    Copying blob b89ea354ae59 done
    Copying blob 4a939b72e1c6 done
    Copying blob d3cbf41efb4e done
    Copying blob 4feff1abc28e done
    Copying blob 9ff4465d271b done
    Copying blob 5e41012b4001 done
    Copying blob 410af8b678f6 done
    Copying blob 2f26dc40d01f done
    Copying blob 1415c9c2e161 done
    Copying blob e374de62001e done
    Copying blob 94d978ce0b1f done
    Copying blob 1fabae8675b6 done
    Copying blob 7b088cbebf16 done
    Copying blob 4167c1ebbd85 done
    Copying config 637552c186 done
    Writing manifest to image destination
    Storing signatures
    ibm-fhir-server-working-container
    

    Tip: Pulling Fedora

    If you need to use Fedora, you can use fedora-minimal.

    # buildah from --pull registry.fedoraproject.org/fedora-minimal
    

    To remove the image

    $ podman image rm registry.fedoraproject.org/fedora-minimal:34
    

    Tip: Running with SELinux

    If you are running with SELinux, you should set a specific SELinux boolean.

    1. Set the permission
    $ setsebool -P container_manage_cgroup 1
    
    2. Confirm the permission
    $ getsebool container_manage_cgroup
    container_manage_cgroup --> on
    


  • Recipe: Testing Restricted Policies with OpenShift and the IBM FHIR Server Schema Tool

    Docker: ibmcom/ibm-fhir-schematool supports onboarding and offboarding of a schema in support of the IBM FHIR Server. I am working on a project that runs on OpenShift using CodeReady Containers, and I needed to test the image with a restricted policy.

    Note: these are roughly my notes from testing, converted into a post.

    Recipe

    1. Start up Code Ready Containers or create your OpenShift environment.

    2. Connect to the Docker registry in CRC

    docker login -u kubeadmin -p $(oc whoami -t) default-route-openshift-image-registry.apps-crc.testing
    
    3. Build your Docker image with a new tag
    docker build . -t default/ibm-fhir-schematool:latest
    docker push default/ibm-fhir-schematool:latest
    
    4. Login to OpenShift
    oc login -u $(oc whoami) -p $(oc whoami -t)
    
    5. Create a new persistence.json using one of the examples as a template
    oc create secret generic persistence-json --from-file=persistence-onboard-example.json -n=default
    
    6. Add the restricted policy to the developer user.
    oc adm policy add-scc-to-user restricted developer
    
    7. Add the developer user to the default namespace.
    oc adm policy add-role-to-user edit developer -n=default
    
    8. Make the local registry lookup use relative names
    oc set image-lookup --all
    
    9. Create a new pod.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: ibm-fhir-server-schematool
    spec:
      containers:
        - name: test-container
          image: default/ibm-fhir-schematool
          env:
            - name: ENV_TOOL_INPUT
              valueFrom:
                secretKeyRef:
                  name: persistence-json
                  key: persistence-onboard-example.json
    
    10. Create the pod.
    oc apply -f pod.yaml --as=developer -n=default
    
    11. Check the logs, and you should see a successful run.
    oc logs pod/ibm-fhir-server-schematool
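    As an added example (not part of the original recipe), here is a Python pre-flight check that flags the things OpenShift's restricted SCC rejects at admission (privileged containers, host namespaces, volume types outside the SCC's list, added capabilities, a UID forced to 0) before you run `oc apply --as=developer`; RECIPE_POD mirrors the pod.yaml above and BAD_POD is a constructed counter-example.

```python
"""Pre-flight check of a pod spec against what OpenShift's restricted SCC enforces:
no privileged/host-namespace access, only SCC-listed volume types, no added capabilities,
no UID forced to 0. Added example; RECIPE_POD mirrors the pod.yaml above, BAD_POD is constructed."""
from typing import Dict, List

# Volume types listed under volumes: in the restricted SCC.
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir",
                   "persistentVolumeClaim", "projected", "secret"}

def restricted_scc_violations(pod: Dict) -> List[str]:
    """Return the reasons admission under the restricted SCC would reject the pod."""
    spec = pod.get("spec", {})
    problems = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            problems.append(f"spec.{key}=true is not allowed")
    if spec.get("securityContext", {}).get("runAsUser") == 0:
        problems.append("pod runAsUser=0 is outside the namespace UID range")
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUMES:
                problems.append(f"volume {vol['name']!r}: type {vtype} is not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        where = f"container {c['name']!r}"
        if sc.get("privileged"):
            problems.append(f"{where}: privileged=true is not allowed")
        if sc.get("runAsUser") == 0:
            problems.append(f"{where}: runAsUser=0 is outside the namespace UID range")
        # restricted has allowedCapabilities: null, so any capability add is rejected.
        for cap in sc.get("capabilities", {}).get("add", []):
            problems.append(f"{where}: adding capability {cap} is not allowed")
    return problems

# Mirrors the recipe's pod.yaml: no securityContext, secret-backed env var.
RECIPE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "ibm-fhir-server-schematool"},
    "spec": {"containers": [{
        "name": "test-container", "image": "default/ibm-fhir-schematool",
        "env": [{"name": "ENV_TOOL_INPUT", "valueFrom": {"secretKeyRef": {
            "name": "persistence-json", "key": "persistence-onboard-example.json"}}}]}]}}

# Constructed counter-example of a spec the restricted SCC would reject.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
    "spec": {"hostPID": True,
             "volumes": [{"name": "host", "hostPath": {"path": "/var/run"}}],
             "containers": [{"name": "c", "image": "x", "securityContext": {
                 "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
```

    The recipe's pod passes with an empty list because it sets no securityContext at all, leaving the SCC to inject the namespace's UID range and SELinux context at admission.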
    
