Freemen Muaddib

Discussion  - 
 
Hi!
I'm new to OpenShift. I have some trouble installing a Docker image.
It seems I don't have enough privileges, because the image requires ROOT privileges.

Here is what I did:

1) I followed the instructions on the email with the preview account:

"...Your OpenShift Online (Next Gen) Developer Preview account is ready! You can log in to the web console at console.preview.openshift.com with your GitHub account (fmuaddib). You can also navigate to the next gen web console by visiting www.openshift.com and selecting 'My Account > (Next Gen) Web Console' from the top navigation menu...."

2) I logged in to next gen openshift web administration page (with my Github account) and started a first project (named "prova2016").

3) I downloaded and installed the oc command on my machine (Mac OS X).

4) I logged in my server with the token provided using the oc login command:

$ oc login https://api.preview.openshift.com --token=t4fAHbS....(cut)

Logged into "https://api.preview.openshift.com:443" as "fmuaddib" using the token provided.

Using project "prova2016".

5) I gave the command to install the docker for bugzilla:

$ oc new-app https://github.com/dklawren/docker-bugzilla

But I get this error:

--> Found image 9baab0a (13 days old) in image stream centos under tag "7" for "centos:7"

* A Docker build using source code from https://github.com/dklawren/docker-bugzilla will be created
* The resulting image will be pushed to image stream "docker-bugzilla:latest"
* This image will be deployed in deployment config "docker-bugzilla"
* Ports 22, 5900, 80 will be load balanced by service "docker-bugzilla"
* Other containers can access this service through the hostname "docker-bugzilla"
* WARNING: Image "docker-bugzilla" runs as the 'root' user which may not be permitted by your cluster administrator

--> Creating resources with label app=docker-bugzilla ...
error: buildconfigs "docker-bugzilla" is forbidden: build strategy Docker is not allowed

6) So I tried to give myself the privileges to allow root access to Docker images.
I tried this command:

$ oc adm policy add-role-to-user cluster-admin fmuaddib

But I got this:

error: You must be logged in to the server (attempt to grant extra privileges: [PolicyRule{Verbs:[], APIGroups:[], Resources:[*], ResourceNames:[], Restrictions:<nil>}] user=&{fmuaddib d6c50f05-76ab-11e6-8e26-0a63b9c1b48f [system:authenticated:oauth system:authenticated]} ownerrules=[PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[configmaps endpoints persistentvolumeclaims pods pods/attach pods/exec pods/log pods/portforward pods/proxy replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[], Resources:[buildconfigs buildconfigs/instantiate buildconfigs/instantiatebinary buildconfigs/webhooks buildlogs builds builds/clone builds/log deploymentconfigrollbacks deploymentconfigs deploymentconfigs/log deploymentconfigs/scale deployments generatedeploymentconfigs imagestreamimages imagestreamimports imagestreammappings imagestreams imagestreams/secrets imagestreamtags localresourceaccessreviews localsubjectaccessreviews processedtemplates projects resourceaccessreviews rolebindings roles routes subjectaccessreviews templateconfigs templates], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[autoscaling], Resources:[horizontalpodautoscalers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[batch], Resources:[jobs], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create delete deletecollection get list patch update watch], APIGroups:[extensions], Resources:[horizontalpodautoscalers jobs replicationcontrollers/scale], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list watch], APIGroups:[extensions], Resources:[daemonsets], ResourceNames:[], Restrictions:<nil>} 
PolicyRule{Verbs:[get list watch], APIGroups:[], Resources:[bindings configmaps endpoints events imagestreams/status limitranges minions namespaces namespaces/status nodes persistentvolumeclaims persistentvolumes pods pods/log pods/status policies policybindings replicationcontrollers replicationcontrollers/status resourcequotas resourcequotas/status resourcequotausages routes/status securitycontextconstraints serviceaccounts services], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get update], APIGroups:[], Resources:[imagestreams/layers], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[update], APIGroups:[], Resources:[routes/status], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[users], ResourceNames:[~], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get list], APIGroups:[], Resources:[clusterroles], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[list], APIGroups:[], Resources:[projects], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[localsubjectaccessreviews subjectaccessreviews], ResourceNames:[], Restrictions:&{{ }}} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[get], APIGroups:[], Resources:[], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[builds/source], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create get], APIGroups:[], Resources:[buildconfigs/webhooks], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[create], APIGroups:[], Resources:[projectrequests], ResourceNames:[], Restrictions:<nil>} PolicyRule{Verbs:[delete], APIGroups:[], Resources:[oauthaccesstokens oauthauthorizetokens], ResourceNames:[], Restrictions:<nil>}] ruleResolutionErrors=[])

But I don't understand this error, because I'm already logged in to the server!

What is the correct way to raise my privileges? Can anyone help? Thanks!

Comment from Paul Maddocks:
Openshift will not run an image that requires root.
You will need to modify the Dockerfile accordingly. 

Diane Mueller

Blog posts  - 
 
Don't Miss this OpenShift Community Event in Seattle Nov 7th; great line-up and opportunity to meet and connect with project leads and peers across the OpenShift Kubernetes ecosystem! 
The OpenShift Commons Gathering will bring together the brightest technical minds to discuss the future of OpenShift and its related upstream open source projects. The 2016 event will gather developers, DevOps professionals and SysAdmins together to explore the next steps in making container technologies successful and secure.

Deo R. Tripathi

Discussion  - 
 
Hi,
Can we install OpenShift Origin without DNS?
Comment from Devan Goodwin:
For test purposes or a real world cluster?

Estefania Guimil

Development  - 
 
Hi everyone,
I'm trying to deploy a Java application with Spring Boot on OpenShift. I had built a Docker image, but I'm not sure what configurations are needed. When I deploy in OpenShift I get an ImagePullBackOff error. Could someone help me out, or does anyone have a tutorial for this? I'm new to Docker and OpenShift.
Thanks
Comment from Akshaya Khare:
You need to have that image pushed in a docker registry, it can be either a registry in openshift or a local docker registry...

Frédéric Nell

Discussion  - 
 
I've two docker images, one is a webserver and the other is a backend Rest application. I deployed those images in an Openshift cluster. I want to configure my pods where the webserver is running to access the pods where the backend Rest application is running but I can't figure out how I can specify to my front-end pods that they have to communicate with my back-end service. I can only reach the pod ip but that's not what I want as I want to keep scalability advantage.

I tried to access it like this:

via a defined route: svc-backend.router.default.svc.cluster.local
via his service name: svc-backend.environment.svc.cluster.local
via its IP address (internal): 172.30.214.192
via master host + service name: master.svc-backend.environment.svc.cluster.local

But it didn't work for me. So I start to think that it's maybe not the right way to do it or I'm missing something but cannot figure out what :(
2 comments (JML Crucciata, Frédéric Nell):
Thanks for the answer, actually I had a problem with my SDN network. During the starting process some network interfaces that are used by Kubernetes couldn't be created. Therefore it was impossible for me to communicate through service addresses or names.

Akshaya Khare

Discussion  - 
 
I used a "jenkins-1-centos7" image to deploy in my openshift to run projects on my jenkins image. It successfully worked and after many configurations, I duplicated a new image out of this jenkins container. Now I want to use this image to be used as a base for further development, but deploying a pod on to this image fails with the error "ErrImagePull".

On my investigations, I found that openshift needs the image to be present in the docker registry in order to deploy pods successfully. I deployed another app for docker registries, now when I try to push my updated image into this docker registry it fails with the message "authentication required". I've given admin privileges to my user.

docker push <local-ip>:5000/openshift/<new-updated-image>
The push refers to a repository [<local-ip>:5000/openshift/<new-updated-image>] (len: 1)
c014669e27a0: Preparing
unauthorized: authentication required

How can I make sure that the modified image gets deployed successfully? 
5 comments (Rahul Jain, Akshaya Khare):
First of all you need to have a registry where your newly created image has to be registered, so that openshift can recognize it.

There are two ways to go about this:
1) The ideal way would be to create a docker registry pod within your project and push your local image into the docker registry. I guess the steps from lorenz will help you out:
http://stackoverflow.com/questions/38572097/deploying-a-modified-jenkins-image-in-openshift-fails/38632622?noredirect=1#comment64715649_38632622
2) Or you can do what I did, create a local docker registry in your system; you can follow the below link:
http://www.informit.com/articles/article.aspx?p=2464012

Docker tag and Docker push images steps will remain the same in both cases, then try deploying pods again and I'm sure it should work.

Now there is another point: even I tried the EXPOSE command for creating new images from containers, but for some reason the images did not have my latest changes. I used s2i (source to image) to create a new image and that worked successfully. So I hope that your command was successful in your case, but if not you can try s2i.
Let me know whatever happens...

Divya Bandaru

Development  - 
 
Hi. I need a small help.
I deployed a Hello World application in OpenShift and when I was trying to deploy the GeoServer war in the application, I got stuck.
I tried many ways: creating a DIY app, pushing the war file into the webapps directory. But none of them worked.
Please help me in publishing the GeoServer war in Tomcat.

Balakrishnan S

Howtos and Guides  - 
 
I have created a project and deployed Gogs with persistent volume and everything is working perfectly.
I have created an account for Gogs and added some repositories in it.
Then I deleted the OpenShift project.

Now I want to deploy Gogs again and use the same persistent volume, i.e. like restoring the old one.

Gogs had two pods, one is MySQL and other is Gogs itself. And `pvc` configuration for both are same.

I just wanna know how to make MySQL pod choose the existing MySQL volume and Gogs choose the existing Gogs volume?

Balakrishnan S

Howtos and Guides  - 
 
Please help me solve this issue.

>> I did:
1:
`oc cluster up --host-data-dir=/home/linux/_my/_apps/origin-host-config-dir --use-existing-config`
2: created a project web "gogs" with "mysql-ephemeral".
3: Went to http://gogs.machine-ip.xip.io (service route) and populated data.
4: Everything worked fine. I restarted the system.
5: Now used the same command
`oc cluster up --host-data-dir=/home/linux/_my/_apps/origin-host-config-dir --use-existing-config`

>> Expected:
gogs.machine-ip.xip.io to run with the populated data.

>> Actually this is what happened:
http://gogs.machine-ip.xip.io works!!!
But!!! what it actually did is that it destroyed all the containers that it created and recreated it again.
So, now I lost my data.

>> Questions:
Is it a bug or a feature?
How can I prevent the containers being destroyed and have persistent data but without persistent volume?


2 comments (JML Crucciata, Balakrishnan S):
+JML Crucciata thanks

Ambica Uday Kishore

Suggestions and Ideas  - 
 
Hi. Need some urgent help on Openshift Connections. Please help me ASAP.

About this community

Welcome to the official OpenShift Origin community. Want to run your own open-source PaaS? Interested in developing your own plugins or cartridges for OpenShift Origin? This community is a place for you to meet other developers, share your development tips and tricks and challenges, and to stay up-to-date on the OpenShift Origin platform. If you are interested in OpenShift from a user's perspective, check out the OpenShift page (http://goo.gl/KnT03).
See also:
GitHub project: http://goo.gl/Rud1O
IRC (irc.freenode.org): #openshift, #openshift-dev
Twitter: @openshift, #openshift
https://openshift.redhat.com/community/open-source

Robert Swain

Discussion  - 
 
I want to create a cluster where all hosts have two network interfaces connected to separate subnets. The purpose is that one subnet is connected to the internet and the other is used for a VPN. I want to be able to then expose services on one, the other or both of those subnets.

I've been looking into this functionality with plain Kubernetes and it seems that if one could have one ingress controller connected to each of the subnets and a way to write an ingress rule for a service that could select which controller was to be used, that that could be a solution. It seems it may need some work to achieve.

Is this anything that OpenShift Origin supports, perhaps with some OpenStack integration?
Comment from Robert Swain:
I did some digging into the routes documentation and it looks like the default haproxy router does a lot of things I want out of the box.

Also, looking at https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html it seems I could probably have two routers, one with an haproxy image somehow set up to bind on one interface to one subnet and another one set up to bind to an interface to the other subnet.

Specifically from https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html#using-router-shards it seems like maybe it is possible to then have router labels in order to be able to select which router is used when setting up a route for a service. Is that a correct understanding?

The last example in that section would seem to apply and suggest I could do something like have one router with a route selector ROUTE_LABELS="routerselection in (vpn, both)" and the other with ROUTE_LABELS="routerselection in (public, both)". According to https://docs.openshift.org/latest/architecture/core_concepts/routes.html#router-sharding this kind of overlapping sharding is supported and so any route specifying a label routerselection=both would be published then on both routers. Is that correct?

Srdjan Ristic

Howtos and Guides  - 
 
Hello everyone,

I have a little problem. I keep getting the default view where it says: "Welcome to your JBossEWS (Apache/Tomcat) application on OpenShift" even though I committed and pushed my code (Java Spring application) successfully. Everything went fine: when I pushed the code the build was successful, and the servers restarted successfully, but when I tried to access my application on nameoftheapp.rhcloud.com I got the default page. My application creates a war file with the name ROOT so I guess my Java application should be available at the nameoftheapp.rhcloud.com destination. If anyone could help me out and tell me what I did wrong, or what I missed, I would really appreciate it.

Cameron Braid

Discussion  - 
 
Hi,

I'm working on setting up an origin master native HA setup

The docs say : The advanced installation method does not currently support multiple HAProxy load balancers in an active-passive setup.
https://docs.openshift.org/latest/install_config/install/advanced_install.html#multiple-masters

1) Doesn't that mean that the load balancer would be a single point of failure ?

2) is it just the installation method that doesn't support installing multiple instances? I.e. I presume I can set up my own redundant HAProxy load balancers and point them all to the three master nodes?

3) what is the difference between openshift_master_cluster_hostname and openshift_master_cluster_public_hostname. Am I right in saying that the nodes will resolve the master api via openshift_master_cluster_hostname and the openshift_master_cluster_public_hostname is for things like the oc client tool ?

4) is there a way to get the masters to listen on a different port ?

5) say I run 3 masters. If I connect to a passive master port 8443, will it proxy traffic to the active master ? Or will it respond with a failing health check so that the loadbalancer takes it out of service ?

Thanks

Cameron

Ben Dang

Discussion  - 
 
What are the recommendations/guidelines for project namespaces? We have a monolithic application that we are slowly breaking up into microservices. Is it recommended to have a project per microservice? Furthermore, we also have a need to make many "production" grade environments with all of these microservices set to a specific version. In this case we promote and certify a collection of microservices instead of individual microservices.

Options running through my head:

option 1: {microservice}-{env}

option 2: {microservice}

option 3: {env}




Comment from Sun-Jin Jang:
Google's solution is foor. Always occurred some trouble.
So you are not sure that.

Akshaya Khare

Howtos and Guides  - 
 
It was quite daunting going through the REST API page of OpenShift, but I am still nowhere near my answer.

1) How can I create a new-app through the REST API? Similar to the below command:

# oc new-app <image-name>

Any help would be appreciated...
2 comments (Jason DeTiberus, Akshaya Khare):
ouch, this is going to take some time then... thanks anyways :)

Rahul Jain

Howtos and Guides  - 
 
I have created a Docker image from an existing running rhel7 container.

Added my jar file and java command, committed and built a new image. I can spin this new image with a docker container, but when I use oc run AA --image=newimage it gives error crashback. Oc restarts the container a few times but every time the same error.

Please advise what steps I should follow to achieve it.
3 comments (Rahul Jain, Akshaya Khare):
yup, you need to create a local registry for docker, push your newly created image there, and then try using it.
Right now openshift is not able to identify this new image...
This site helped me to deploy a local registry and using it:
http://www.informit.com/articles/article.aspx?p=2464012


Balakrishnan S

Howtos and Guides  - 
 
OpenShift Origin StackOverflow Documentation Proposal

http://stackoverflow.com/documentation/openshift-origin/commit


Balakrishnan S

Howtos and Guides  - 
 
I found out that Origin's Router only supports HTTP and HTTPS. In that case how to access the MySQL service from an external system via a client like HeidiSQL?