Paul Bastide

Blog

  • Weekly Notes

    There are so many interesting things to share:

    1. google/go-containerregistry has some super helpful tools, in fact I raised a PR to make sure they build ppc64le binaries #1680

    crane is a tool for interacting with remote images and registries.

    You can extract a binary my-util for a given architecture using:

    crane export ppc64le/image-id:tag image.tar
tar xvf image.tar bin/my-util

    You can extract a binary from a manifest-listed image using:

    crane export --platform ppc64le image-id:tag image.tar
tar xvf image.tar bin/my-util
    1. I found ko which enables multiarch builds (a complete manifest list image).
    2. Quickly checking manifest-list image’s supported architectures
    podman manifest inspect registry.k8s.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 | jq -r '.manifests[].platform.architecture'
amd64
arm
arm64
ppc64le
s390x
    1. My team tagged new releases for:

    a. IBM/powervs-tang-server-automation: v1.0.4 b. IBM/powervm-tang-server-automation: v1.0.0

  • Development Notes

    Here are some things I found interesting this week:

    Day-0 Day-1 Day-2 Definitions

    day-0: customized installation
    day-1: customization performed only once after installing a cluster,
    day-2: tasks performed multiple times during the life of a cluster

    Thanks to a Red Hat colleague for this wonderful definition.

    sfdisk tips

    I used sfdisk in a PowerVM project. I found these commands helpful

    # sfdisk --json /dev/mapper/mpatha
{
   "partitiontable": {
      "label": "dos",
      "id": "0x14fc63d2",
      "device": "/dev/mapper/mpatha",
      "unit": "sectors",
      "partitions": [
         {"node": "/dev/mapper/mpatha1", "start": 2048, "size": 8192, "type": "41", "bootable": true},
         {"node": "/dev/mapper/mpatha2", "start": 10240, "size": 251647967, "type": "83"}
      ]
   }
}

# sfdisk --dump /dev/mapper/mpatha
label: dos
label-id: 0x14fc63d2
device: /dev/mapper/mpatha
unit: sectors

/dev/mapper/mpatha1 : start=        2048, size=        8192, type=41, bootable
/dev/mapper/mpatha2 : start=       10240, size=   251647967, type=83
    https://www.computerhope.com/unix/sfdisk.htm

    Red Hat OpenShift Container Platform IPI Config for IBM Cloud VPC

    I generated an example configuration

    additionalTrustBundlePolicy: Proxyonly
apiVersion: v1
baseDomain: ocp-power.xyz
credentialsMode: Manual
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform:
    ibmcloud:
      zones:
      - jp-osa-1 
  replicas: 3
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  replicas: 3
  platform:
    ibmcloud:
      zones:
      - jp-osa-1
metadata:
  name: rdr-test
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
  zones:
  - jp-osa2-1
platform:
  ibmcloud:
    region: jp-osa
    resourceGroupName: dev-resource-group
    vpcName: ma-compute-vpc
    controlPlaneSubnets: 
      - ma-compute-sn1 
    computeSubnets: 
      - ma-compute-sn1
publish: External
pullSecret: 'XYZWX'
sshKey: ssh-ed25519 XYZWX
fips: false

  • Weekly Notes

    Here are my weekly notes for the week of 10 April 2023

    Background on Confidential Computing

    Confidential Containers (CoCo) is a new sandbox project of the Cloud Native Computing Foundation (CNCF) that enables cloud-native confidential computing by taking advantage of a variety of hardware platforms and technologies.

    https://www.redhat.com/en/blog/what-confidential-containers-project

    It’s a very cool project, and I’ll be following it.

    Grabbing a v3.2.0 Ignition file

    curl -k http://api.demo.ocp-power.xyz:22624/config/worker -k -H "Accept: application/vnd.coreos.ignition+json;version=3.2.0" | jq -r . > worker-$(date +%Y-%m-%d).ign
    quick hack to get a worker MachineConfigPool Ignition

  • Weekly Tips and Notes

    The tips and notes for the week are included, I hope they help you.

    TIP: Check the System Admins on OpenShift

    A quick one to find the cluster-admins…

    ❯ oc --kubeconfig=./openstack-upi/auth/kubeconfig get clusterrolebindings -o json | jq -r '.items[] | select(.metadata.name=="cluster-admins") | .subjects[].name' | sort -u
system:admin
system:cluster-admins

    Ref: https://serverfault.com/questions/862728/how-to-list-users-with-role-cluster-admin-in-openshift

    Tip: Can I act as kube-admin?

    I needed to double check if I could act as kube:admin.

    ❯ oc --kubeconfig=./openstack-upi/auth/kubeconfig auth can-i create pod -A
yes

    Ref: https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/developer-cli-commands.html#oc-auth-can-i

    Blog Post: Advanced debugging techniques for OpenShift Container Platform on Power

    In this blog post, I am showing how to use advanced debugging techniques for OpenShift Container Platform on Power using bpftrace and lsof. This blog post unlocks the steps to debug complicated problems and you can follow these steps to debug the problems in your application or your cluster.

    It’s a solid blog on how to do advanced debugging on Red Hat OpenShift Container Platform on IBM Power.

    Ref: https://community.ibm.com/community/user/powerdeveloper/blogs/gaurav-bankar/2023/04/04/advanced-debugging-techniques-for-openshift-contai

    Tip: Double check the payload / architecture type

    To double check the Payload loaded in your cluster (amd64, multi, arm64, ppc64le, s390x).

    You can run:

    # oc get clusterversion version -o json | jq '.status.conditions[] | select(.type == "ReleaseAccepted")'
{
  "lastTransitionTime": "2023-04-04T13:27:49Z",
  "message": "Payload loaded version=\"4.13.0-rc.2\" image=\"quay.io/openshift-release-dev/ocp-release@sha256:09178ffe61123dbb6df7b91bea11cbdb0bb1168c4150fca712b170dbe4ad13e9\" architecture=\"Multi\"",
  "reason": "PayloadLoaded",
  "status": "True",
  "type": "ReleaseAccepted"
}

    Blog Post: Open Source Container images for Power now available in IBM Container Registry

    The IBM teams have added support for a variety of Open Source tools, and you can pull them from the ppc64le-oss registry.

    The IBM Linux on Power team is pleased to announce that we are centralizing our public open source container images in the IBM Container Registry (ICR). This should assure end users that IBM has authentically built these containers in a secure environment. Formerly, the indicator that a container was built by IBM was that they were in Docker Hub under the ibmcom namespace. The migration to the IBM Container Registry will add clarity to their origin.

    mongodb
4.4.18
docker pull icr.io/ppc64le-oss/mongodb-ppc64le:4.4.18
4.4.17
docker pull icr.io/ppc64le-oss/mongodb-ppc64le:4.4.17
    https://community.ibm.com/community/user/powerdeveloper/blogs/priya-seth/2023/04/05/open-source-containers-for-power-in-icr

    Tip: findmnt / sfdisk are super helpful.

    Thanks to linode I learned about findmnt and sfdisk

    # Declare native filesystem and reload with partprobe
echo 'type=83' | sfdisk ${storage_device} || partprobe

# Format the disk
mkfs.xfs "${storage_device}1"

# Mount the fs to our storage folder.
mount -t xfs /dev/mapper/mpathb1 /<<Please replace with actual>

    # findmnt
TARGET                         SOURCE      FSTYPE      OPTIONS
/                              /dev/sda3   xfs         rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota
|-/proc                        proc        proc        rw,nosuid,nodev,noexec,relatime
| `-/proc/sys/fs/binfmt_misc   systemd-1   autofs      rw,relatime,fd=36,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=10696
|   `-/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime
|-/sys                         sysfs       sysfs       rw,nosuid,nodev,noexec,relatime,seclabel
| |-/sys/kernel/security       securityfs  securityfs  rw,nosuid,nodev,noexec,relatime
| |-/sys/fs/cgroup             cgroup2     cgroup2     rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot
| |-/sys/fs/pstore             pstore      pstore      rw,nosuid,nodev,noexec,relatime,seclabel
| |-/sys/fs/bpf                none        bpf         rw,nosuid,nodev,noexec,relatime,mode=700
| |-/sys/fs/selinux            selinuxfs   selinuxfs   rw,nosuid,noexec,relatime
| |-/sys/kernel/tracing        tracefs     tracefs     rw,nosuid,nodev,noexec,relatime,seclabel
| |-/sys/kernel/debug          debugfs     debugfs     rw,nosuid,nodev,noexec,relatime,seclabel
| |-/sys/kernel/config         configfs    configfs    rw,nosuid,nodev,noexec,relatime
| `-/sys/fs/fuse/connections   fusectl     fusectl     rw,nosuid,nodev,noexec,relatime
|-/dev                         devtmpfs    devtmpfs    rw,nosuid,seclabel,size=7779520k,nr_inodes=121555,mode=755,inode64
| |-/dev/shm                   tmpfs       tmpfs       rw,nosuid,nodev,seclabel,inode64
| |-/dev/pts                   devpts      devpts      rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000
| |-/dev/mqueue                mqueue      mqueue      rw,nosuid,nodev,noexec,relatime,seclabel
| `-/dev/hugepages             hugetlbfs   hugetlbfs   rw,relatime,seclabel,pagesize=16M
|-/run                         tmpfs       tmpfs       rw,nosuid,nodev,seclabel,size=3126208k,nr_inodes=819200,mode=755,inode64
| `-/run/user/0                tmpfs       tmpfs       rw,nosuid,nodev,relatime,seclabel,size=1563072k,nr_inodes=390768,mode=700,inode64
|-/var/lib/nfs/rpc_pipefs      rpc_pipefs  rpc_pipefs  rw,relatime
`-/boot                        /dev/sdb2   xfs         rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota

  • Weekly Notes

    For the week, I ran across a few things and wrote one blog for the IBM Power Developer Exchange.

    1. Provisioning Fedora CoreOS on QEMU

    a. get the coreos container

    STREAM="stable"
coreos-installer download -s "${STREAM}" -p qemu -f qcow2.xz --decompress -C ~/.local/share/libvirt/images/

    b. create the qemu vm

    IGNITION_CONFIG="/path/to/example.ign"
IMAGE="/path/to/image.qcow2"
# for s390x/ppc64le:
IGNITION_DEVICE_ARG="-drive file=${IGNITION_CONFIG},if=none,format=raw,readonly=on,id=ignition -device virtio-blk,serial=ignition,drive=ignition"

qemu-kvm -m 2048 -cpu host -nographic -snapshot \
	-drive if=virtio,file=${IMAGE} ${IGNITION_DEVICE_ARG}
	-nic user,model=virtio,hostfwd=tcp::2222-:22
    1. coreos/butane has a nice getting started page with advanced configuration for OpenShift 4.13 link
    2. A curated list of OCP Security and Compliance info

    As you define, build, and run your OpenShift Container Platform cluster, you should be aware of the rich security features available. Here is a curated list of security and compliance focused resources on topics from configuring FIPS to using the Compliance Operator on the Power Platform: https://community.ibm.com/community/user/powerdeveloper/blogs/paul-bastide/2023/03/29/the-blog-of-blogs-security-and-compliance-resource #PDeX #IBM #IBMPower #RedHat #OpenShift #Containers #Security #Compliance

  • Handy Dandy Tricks for the Week

    As I work with Linux and the OpenShift Container Platform, I run into some handy tips, tricks and patterns that make my job easier, and I wanted to share with you all (and so I can find these details in the future):

    1. Verifying etcd data is encrypted

    The etcd depends on the Kube-APIServer and OpenShift-APIServer to encrypt a subset of the API Resources, and transparently with AES-CBC (and eventually AES-GCM). The subset includes: Secrets, Config maps, Routes, OAuth access tokens, OAuth authorize tokens.

    To verify the the contents are actually encrypted one can look at https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#verifying-that-data-is-encrypted or https://docs.openshift.com/container-platform/4.12/security/encrypting-etcd.html

    2. Using a Pod to run lsof across the whole Node

    You can create a debug Pod with lsof.

    1. Create a debug Pod with elevated privileges.
    cat << EOF > bpftrace-diagnostic-0.yaml
kind: Pod
apiVersion: v1
metadata:
  annotations:
    openshift.io/scc: node-exporter
  name: bpftrace-diagnostic-0
  namespace: openshift-etcd
spec:
  nodeSelector:
    kubernetes.io/os: linux
  restartPolicy: Always
  priority: 2000000000
  schedulerName: default-scheduler
  enableServiceLinks: true
  terminationGracePeriodSeconds: 30
  preemptionPolicy: PreemptLowerPriority
  containers:
    - name: diagnostic
      image: quay.io/centos/centos:stream8
      imagePullPolicy: IfNotPresent
      command: [ "sh", "-c", "sleep inf" ]
      resources:
        requests:
          cpu: 1000m
          memory: 2048Mi
      volumeMounts:
      - name: host-sys
        mountPath: /sys
      terminationMessagePath: /dev/termination-log
      securityContext:
        privileged: true
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          add:
            - CAP_SYS_ADMIN
            - CAP_FOWNER
            - NET_ADMIN
            - SYS_ADMIN
          drop:
            - ALL
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: true
  volumes:
  - name: host-sys
    hostPath:
      path: /sys
      type: Directory
  nodeName: master-0
  priorityClassName: system-cluster-critical
  hostPID: true
  hostIPC: true
  hostNetwork: true
EOF
    1. Delete an existing pod and apply a new pod.
    oc delete pod/bpftrace-diagnostic-0; oc apply -f bpftrace-diagnostic-0.yaml
    1. Connect to the Pod
    oc rsh pod/bpftrace-diagnostic-0
    1. You can install lsof and verify the files open with a specific process.
    ❯ dnf install -y lsof
❯ ps -ef | grep 'etcd '
root     1236199 1235495  0 16:31 pts/1    00:00:00 grep etcd 
root     2273604 2273591  2 Mar17 ?        02:41:43 etcd grpc-proxy start --endpoints ........
❯  lsof +p 2273591

    With lsof you can see the open files and connections for that process.

    3. Verifying FIPS usage with GO

    Red Hat’s development site has an awesome article on Is your Go application FIPS compliant?. It shows you how to confirm if your application has FIPS/uses FIPS.

    To confirm my container used FIPS, I connected to the project, grabbed the files off the container, and saw the libraries referenced.

    $ oc project myapp
$ oc get pods
$ oc cp app-5d69757bd6-57g9x:/usr/bin/app /tmp/app
$ go tool nm /tmp/app | grep FIPS
11b5a4b0 T _cgo_af9b144e6dc6_Cfunc__goboringcrypto_FIPS_mode
138c30d8 d _g_FIPS_mode
137c2570 d crypto/tls.defaultCipherSuitesFIPS
137c25f0 d crypto/tls.defaultFIPSCipherSuitesTLS13
137c2610 d crypto/tls.defaultFIPSCurvePreferences
102007d0 t vendor/github.com/golang-fips/openssl-fips/openssl.enableBoringFIPSMode
138c3467 d vendor/github.com/golang-fips/openssl-fips/openssl.strictFIPS

    Thus, you can show that it uses FIPS mode.

    4. Verifying the ignition contents from a qcow2 image

    I was playing with Single Node OpenShift, and needed to see how out of date my code and igntion file were.

    Checking this iso tells me your RHCOS is out-of-date (about 4 months):

    isoinfo -l -i ./rhcos-live.iso  | grep -i IGN
----------   0    0    0          262144 Dec 13 2022 [   2378 00]  IGNITION.IMG;1

    I checked the qcow2 image that the iso was converted to, and the mounted it so I could extract some files:

    ❯ modprobe nbd max_part=8
❯ qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/rhcos-live-2023-03-21.qcow2
❯ fdisk /dev/nbd0 -l
❯ mkdir -p /mnt/tmp-f
❯ mount /dev/nbd0p1 /mnt/tmp-f
❯ find /mnt/tmp-f/
/mnt/tmp-f/
/mnt/tmp-f/coreos
/mnt/tmp-f/coreos/features.json
/mnt/tmp-f/coreos/kargs.json
/mnt/tmp-f/coreos/miniso.dat
/mnt/tmp-f/EFI
/mnt/tmp-f/EFI/redhat
/mnt/tmp-f/EFI/redhat/grub.cfg
/mnt/tmp-f/images
/mnt/tmp-f/images/efiboot.img
/mnt/tmp-f/images/ignition.img
/mnt/tmp-f/images/pxeboot
/mnt/tmp-f/images/pxeboot/initrd.img
/mnt/tmp-f/images/pxeboot/rootfs.img
/mnt/tmp-f/images/pxeboot/vmlinuz
/mnt/tmp-f/isolinux
/mnt/tmp-f/isolinux/boot.cat
/mnt/tmp-f/isolinux/boot.msg
/mnt/tmp-f/isolinux/isolinux.bin
/mnt/tmp-f/isolinux/isolinux.cfg
/mnt/tmp-f/isolinux/ldlinux.c32
/mnt/tmp-f/isolinux/libcom32.c32
/mnt/tmp-f/isolinux/libutil.c32
/mnt/tmp-f/isolinux/vesamenu.c32
/mnt/tmp-f/zipl.prm

    from link I learned I could scan the ignition.img for ‘fyre’ which was part of the ssh public key.

    I then catted out the ingintion file to confirm it had the updated content.

    ❯ xzcat /mnt/tmp-f/images/ignition.img | grep myid | wc -l
1

    This shows how to dig into the contents.

    5. List of Operating System Short Ids for coreos

    I need to find the os-variant for coreos, so I could use it on libvirt. Fortunately, the libosinfo package provides a tool the details on the oeprating systems wiht osinfo-query os.

    ❯ osinfo-query os | grep coreos
 fedora-coreos-next   | Fedora CoreOS  | Next    | http://fedoraproject.org/coreos/next    
 fedora-coreos-stable | Fedora CoreOS  | Stable  | http://fedoraproject.org/coreos/stable  
 fedora-coreos-testing | Fedora CoreOS | Testing | http://fedoraproject.org/coreos/testing

    I then added --os-variant=fedora-coreos-next to my virt-install command.

    6. Using qemu-kvm with a port number less than 1024

    I needed to forward a privileged port, and was blocked with qemu-kvm and virt-install. I thought there was another process that might be listening on the port… so I checked…

    ❯ netstat -plutn | grep 443
tcp        0      0 0.0.0.0:6443            0.0.0.0:*               LISTEN      1026882/qemu-kvm

    It was not, and it turned out to be a known issue with qemu-kvm and selinux.

    The ports < 1024 are privileged, and only a root process (or a process with CAP_NET_BIND_SERVICE capabilities in Linux) can bind a socket to them. link to article

    I ran the following:

    ❯ setcap CAP_NET_BIND_SERVICE+ep /usr/libexec/qemu-kvm

    I recreated the image with virt-install and --network network=default,model=e1000,hostfwd=tcp::443-:443,hostfwd=tcp::6443-:6443'

    Good luck, it worked so far for me.

    7. Using bpftrace with a Pod

    You can use bpftrace to do analysis at the Kernel level (some kprobes are not available).

    1. Create a debug Pod with elevated privileges.
    cat << EOF > bpftrace-diagnostic-0.yaml
kind: Pod
apiVersion: v1
metadata:
  annotations:
    openshift.io/scc: node-exporter
  name: bpftrace-diagnostic-0
  namespace: openshift-etcd
spec:
  nodeSelector:
    kubernetes.io/os: linux
  restartPolicy: Always
  priority: 2000000000
  schedulerName: default-scheduler
  enableServiceLinks: true
  terminationGracePeriodSeconds: 30
  preemptionPolicy: PreemptLowerPriority
  containers:
    - name: diagnostic
      image: quay.io/centos/centos:stream8
      imagePullPolicy: IfNotPresent
      command: [ "sh", "-c", "sleep inf" ]
      resources:
        requests:
          cpu: 1000m
          memory: 2048Mi
      volumeMounts:
      - name: host-sys
        mountPath: /sys
      terminationMessagePath: /dev/termination-log
      securityContext:
        privileged: true
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          add:
            - CAP_SYS_ADMIN
            - CAP_FOWNER
            - NET_ADMIN
            - SYS_ADMIN
          drop:
            - ALL
        runAsUser: 0
        runAsGroup: 0
        runAsNonRoot: false
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: true
  volumes:
  - name: host-sys
    hostPath:
      path: /sys
      type: Directory
  nodeName: master-0
  priorityClassName: system-cluster-critical
  hostPID: true
  hostIPC: true
  hostNetwork: true
EOF
    1. Delete an existing Pod and apply a new Pod.
    oc delete pod/bpftrace-diagnostic-0; oc apply -f bpftrace-diagnostic-0.yaml
    1. Connect to the Pod
    oc rsh pod/bpftrace-diagnostic-0
    1. Check the file open with bpftrace
    dnf install -y bpftrace
bpftrace -e 'tracepoint:syscalls:sys_enter_open  { printf("%s %s\n", comm, str(args->filename));}'

    You can see files open.

    ❯ bpftrace -e 'kprobe:vfs_open { printf("open path: %s\n", str(((struct path *)arg0)->dentry->d_name.name)); }' | grep so | grep cry
open path: libgcrypt.so.20.2.5
open path: libgcrypt.so.20.2.5
open path: libgcrypt.so.20.2.5
open path: libgcrypt.so.20.2.5
open path: .libgcrypt.so.20.hmac
open path: .libgcrypt.so.20.hmac
open path: libcrypto.so.1.1.1k

    You can see FIPS checks.

    ❯ bpftrace -e 'kprobe:vfs_open { printf("open path: %s\n",                                  str(((struct path *)arg0)->dentry->d_name.name)); }' | grep fips         
open path: fips_enabled
open path: fips_enabled

    Link to bpftrace docs https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md#2-kprobekretprobe-dynamic-tracing-kernel-level-arguments

    You can see the cool things happening on your Node.

  • Things I learned this week

    Things that I’ve learned for the week:

    1. containerbuildsystem/atomic-reactor recently released v4.5.0 which is a simple python library for building docker images – supporting OSBS 2.0 components.
    2. Redbooks: IBM Cloud Pak for Data on IBM zSystems is a high-level overview of IBM zSystems with Cloud Pak for Data.
    3. Redbooks: Introduction to IBM PowerVM introduces PowerVM virtualization technologies on Power servers.
    4. operator-framework/operator-sdk v1.28.0 is released. On a Mac, use brew upgrade operator-sdk.
    5. LinkedIn: Treating IBM Power like cattle will help you modernize! is a new blog from an IBMer which highlights a mentality switch:

    Changing how you view your solutions can free you to modernise, evolve, and detect the challenges that lie ahead from a far better vantage point.

    1. k8s.gcr.io being redirected and may have some consequences on your environment.

    On Monday, March 20th, traffic from the older k8s.gcr.io registry will be redirected to registry.k8s.io with the eventual goal of sunsetting k8s.gcr.io.

    1. I was told about a very cool link to see all the various SIGs link

  • Things for the Week

    This week I learned a few things of interest:

    In close collaboration with Red Hat the IBM Power Ecosystem team has continued efforts to enable and advance products running on the Power platform. Click here to review the new releases in February: https://community.ibm.com/community/user/powerdeveloper/blogs/ashwini-sule/2023/03/02/red-hat-products-february-2023-releases

    IBM Power Developer Exchange

    I found the list helpful when using the Power architecture and OpenShift.

    Want to develop applications with Red Hat OpenShift Dev Spaces but don’t know where to start? This blog outlines the step-by-step process for installing OpenShift Dev Spaces on the Red Hat OpenShift Container Platform on IBM Power: https://community.ibm.com/community/user/powerdeveloper/blogs/sachin-itagi/2023/03/03/developing-net-applications-on-ibm-power-using-vis 

    IBM Power Developer Exchange

    I haven’t stayed current on all the cool things in OpenShift, I thought this one held the most promise for end-to-end devops.

    I needed to figure out why my Worker’s networking was disconnected from the network:

    oc get nodes
ssh core@osa21-worker-1.sslip.io
nmcli device
nmcli con reload env3
nslookup quay.io

    After the restart the networking worked. It told me there was something wrong with the local networking, so I checked the DNS Operator. I had to restart the operator and make some changes to a DNS server that was actually up.

    If you hit some networking issues, the above will help.

    You can solve the multi-architecture multi-image problem when automating and sharing images across IBM Power and x86 with container manifests. Learn how here: https://community.ibm.com/community/user/powerdeveloper/viewdocument/build-multi-architecture-container?CommunityKey=2d4070a1-ca52-4e83-8efb-02b41c42459e&tab=librarydocuments 

    IBM Power Developer Exchange

    If you need to build manifest images the above is very helpful.

  • How to grab ignition files

    I was helping a colleague grab the latest ignition files for his OpenShift Container Platform workers.

    1. Connect to the bastion
    ❯ ssh root@<hostname>
    1. List the master nodes and select a master node
    ❯ oc get nodes -lnode-role.kubernetes.io/master=
NAME                                                        STATUS   ROLES                  AGE     VERSION
master-0.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
master-1.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
master-2.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
    1. Get the IP address
    ❯ oc get nodes master-2.ocp-power.xyz -o json | jq -r .status.addresses
[
  {
    "address": "192.168.100.240",
    "type": "InternalIP"
  },
  {
    "address": "master-2.ocp-power.xyz",
    "type": "Hostname"
  }
]
    1. The Machine Config Server has the latest igntion file
    ❯ curl https://192.168.100.240:22623/config/worker -k -H "Accept: application/vnd.coreos.ignition+json;version=3.2.0" | jq -r . > worker-$(date +%Y-%m-%d).ign

    worker can be replaced with master or any other MachineConfigPool

    The machine-config-server is hosted on each of the master nodes and the bootstrap node.

    Note, this makes it download ignition version 3.2.0.

    1. Download the ignition file
    ❯ scp root@<hostname>:'~'/worker-$(date +%Y-%m-%d).ign .
worker-2023-03-02.ign                          100%  357KB 249.3KB/s   00:01

    You can use this file for your work with worker ignition.

    Refer to https://github.com/openshift/machine-config-operator/blob/e39fea2d5c1d6991df4f7dd526b6292238f2ecfc/pkg/server/api.go#L196

  • Interesting Things of the Week for February 17, 2023

    Security Implementation with Red Hat OpenShift on IBM Power Systems

    …As with any production system, it is important to ensure the security of an OpenShift deployment. This includes secure deployment and configuration of the OpenShift components, as well as ongoing maintenance and monitoring to ensure the continued security of the environment. This Redpaper publication provides a comprehensive overview of the security best practices for deploying Red Hat OpenShift on IBM Power systems…

    IBM Redpaper: https://www.redbooks.ibm.com/redpieces/abstracts/redp5690.html

    The IBM RedPaper is pretty comprehensive on Securing OpenShift (note it’s a draft).

    Power Developer Exchange: Installing single node OpenShift to PowerVM

    CHONGSHI ZHANG shows how to install a SNO (single node OpenShift) to a PowerVM instance. It’s very powerful for development and other purposes.

    IBM Power Developer Exchange: https://community.ibm.com/community/user/powerdeveloper/blogs/chongshi-zhang/2023/02/09/installing-sno-to-powervm

    The Power Developer Exchange has a detailed approach to Single Node OpenShift.

    A script to rotate Encryption keys for etcd

    oc patch kubeapiserver cluster --type merge -p "
spec:
  unsupportedConfigOverrides:
    encryption:
      reason: force KAS rotation `date`
"
    Rotating Encryption Keys on OpenShift etcd https://patch-diff.githubusercontent.com/raw/ocp-power-automation/ocp4-playbooks-extras/pull/45.patch

    The above code is super handy for rotating the etcd encryption keys.

    Red Hat updated the oc-compliance kubectl plugin.

    RHEA-2023:0797 https://access.redhat.com/errata/RHEA-2023:0797

    oc-compliance is now updated.

    Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted

    [2/2] STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412
Trying to pull registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412...
Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory

    You can then override the trust

    # podman image trust set -t reject default
# podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release -t signedBy registry.access.redhat.com
# podman image trust show
    https://access.redhat.com/solutions/5525441

    The latest podman runs into some issues with trusting sources.

    Error: error copying image "78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751": Source image rejected: Running image containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751 is rejected by policy.

    In podman, you might hit the above, and need to switch to insecureAcceptAnything when you do a podman push.

    You’ll want to modify /etc/containers/policy.json default from type reject to insecureAcceptAnything

        "default": [
        {
            "type": "insecureAcceptAnything"
        }