2019-02-16: How to get started with OpenShift Online

Why?

I want to experiment with setting up a build and deploy pipeline using OpenShift CLI from a Workspace/Sandbox Container.

Code

https://bitbucket.org/geircode/openshift_online_cli

Goal

  • Build a local Container image on Windows Host and push it to OpenShift Online
  • Automatically deploy this Container Image when it is changed


This article will be real-time documentation on how I managed to reach my goals, with every quirk and pitfall I encountered on my way there.

Getting started

OpenShift already has some documentation so I will be following this guide => https://docs.openshift.com/online/getting_started/beyond_the_basics.html#getting-started-beyond-the-basics

After login, click "Open Web Console":

and you will have something like this:

Now, I will jump to installing-the-openshift-cli and do this from a container.

In the guide it says "First, download the OpenShift Online CLI from the About page in the OpenShift Online web console.", but why is this link not just inserted into the guide? Are there that many CLI versions? Where is this list of versions? Also, why is there not a container-friendly way to do this from the start? Since I want to install this into my Container Image using a Dockerfile, I need a public URL that doesn't change so much.

Finding the OpenShift Online CLI URL

This search returns several promising hits, but none from the official OpenShift publisher. The docs refer to the CLI as "OpenShift Online CLI", so I expect to find something with a similar name that I can download and run in order to install the CLI tools.

Browsing to the "About page" in my OpenShift instance I find this:

Here are the links I wanted to find in the docs:

Good good. Right.
https://mirror.openshift.com/pub/openshift-v3/clients/3.11.69/linux/oc.tar.gz

How to install this into my Container Image? What FROM should I take?

Looking into the examples in my Docker Hub search, I can not find any that is actually using this client tool.

I do however find stuff like this:

https://hub.docker.com/r/openshift/origin-cli, but this doesn't link to where it was built from. No documentation.

or

https://hub.docker.com/r/thelab/openshift-client, but this is built from something called "openshift-origin-client-tools-v1.3.2-ac1d579-linux-64bit.tar.gz". What's the difference?


Browsing to "https://docs.openshift.com/container-platform/3.6/cli_reference/get_started_cli.html", I find the installation section for Linux, and since I want to install this on Ubuntu, the docs tell me to go to: https://access.redhat.com/downloads/content/290

Navigating to this URL, it turns out that I need to have a Red Hat account (Retrospect: At this point I had not read and/or understood that I needed an OpenShift Enterprise subscription to download the tools):

Logging in, I get prompted to buy a subscription:

Why do I need a Red Hat subscription to download the Ubuntu OpenShift client for the OpenShift Online CLI?

Why not just give access to this directly from the docs? The on-boarding process for using OpenShift Online just keeps getting longer (since I am doing this from a Container, which should have first class support from the very beginning).


Ah, it just keeps getting worse. Clicking on the link "Browse available evaluations now", I get a long list of options.

Which one do I need in order to download OpenShift Online CLI for Ubuntu?


This is a never ending rabbit hole, and I have not even logged into OpenShift Online yet. Is the rest of the OpenShift experience just like this?

Onward into the hole I go and click on "Request an Evaluation" for "Red Hat Enterprise Linux".

Of course, there are more options. I go for the big red button.

But I do not want to install Red Hat, but now I see the "SUPPORT" tab! Do I have access to the OpenShift Online CLI for Ubuntu now?

  • OK, going back a few steps.

Apparently, I had not read this earlier:

The link before the URL says:  "After logging in with your Red Hat account, you must have an active OpenShift Enterprise subscription to access the downloads page".

Going back to:


and search for "OpenShift Enterprise" I get nothing, but if I search for "OpenShift":

Can this be the subscription I need in order to download OpenShift Online CLI for any other linux distro than Red Hat?



  • Clicking the big red button

Do I have access now to download OpenShift Online CLI for Ubuntu? :)


Retracing my steps:

hmm, and here I got sidetracked into:

which is not OpenShift Online, but "Container Platform". Probably because of some Google search.


Right, back to basics:

https://docs.openshift.com/

So, that explains it. OpenShift Online refers to the About Page in order to get the right version of the installed OpenShift on that instance. OpenShift Container Platform is the on-premise solution, but I am guessing it's the same as the OpenShift Online solution given the right version.


Okay, trying to get the Linux package to work with Ubuntu:

FROM ubuntu:bionic

RUN apt-get update
RUN apt-get install -y jq wget libssl1.0.0 libssl-dev
RUN apt-get update


RUN cd /tmp \
  && wget https://mirror.openshift.com/pub/openshift-v3/clients/3.11.69/linux/oc.tar.gz \
  && tar -xvzf oc.tar.gz \
  && mv oc /usr/local/bin/ \
  && rm -rf oc oc.tar.gz

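# Note: every RUN starts again in the image's working directory (/), so the cd
# below does not carry over to the following lines; the two links are created
# in /, not in /lib/x86_64-linux-gnu.
RUN cd /lib/x86_64-linux-gnu

RUN ln -s libssl.so.1.0.0 libssl.so.10

RUN ln -s libcrypto.so.1.0.0 libcrypto.so.10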

ENTRYPOINT tail -f /dev/null


When I try to run this I get this error:

This is the same error others have had for some time now: 

https://github.com/openshift/origin/issues/21061


https://access.redhat.com/documentation/en-us/openshift_container_platform/3.3/html/cli_reference/cli-reference-get-started-cli#cli-linux


Default back into using RHEL Container.

The official image is not on Docker Hub, but on their own servers: https://access.redhat.com/containers/?tab=overview#/registry.access.redhat.com/rhel7

Why not Docker Hub as well? Then they get faster on-boarding and it's easier to use, and then people can later switch to Red Hat when they need to.

Discovery/Idea 

It seems that CentOS and Fedora are part of Red Hat. Perhaps I can use these instead of the commercial RHEL distro.

And Fedora and CentOS exist as official container images on Docker Hub:

https://hub.docker.com/_/fedora

https://hub.docker.com/_/centos

What is the difference: https://www.educba.com/centos-vs-fedora/

  • It seems that CentOS is based on RHEL and on the same code base, and can be used instead of RHEL.

New Dockerfile based on CentOS:

FROM centos

RUN yum -y update; yum clean all

# https://fedoraproject.org/wiki/EPEL
RUN yum -y install epel-release; yum clean all

RUN yum -y install wget

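# Download the oc client from the origin GitHub release, install it, and
# remove the download directory so it does not stay in the image layer.
# The archive is fetched over HTTPS but not checked against a published checksum.
RUN mkdir /install \
  && cd /install \
  && wget https://github.com/openshift/origin/releases/download/v3.9.0/openshift-origin-client-tools-v3.9.0-191fece-linux-64bit.tar.gz \
  && tar -xvzf openshift-origin-client-tools-v3.9.0-191fece-linux-64bit.tar.gz \
  && cd openshift-origin-client-tools-v3.9.0-191fece-linux-64bit \
  && mv oc /usr/local/bin/ \
  && cd / \
  && rm -rf /install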

ENTRYPOINT tail -f /dev/null



Great success! Now I finally have a functional Container running with "oc" installed.

Login OpenShift Online

Going back to my OpenShift Online instance and open the "About" page and open "Command line tools":

To log in, I have several options. The most Container friendly way is to make some secrets in the docker-compose file and inject these into the Container when starting up, making sure that these secrets are not in the git repository. Any Dockerfile must be environment agnostic and get the parameters from outside. I.e. the Container con/figures out where it is from the Environment setup.

But how? I can not use "oc login" because that forces me to login every time I want to login into the OpenShift cluster, and that is not very 'automatic'. I can not use the token provided in the About page from clicking on the "Copy" button, because the Container can not access this in any nice and practical way.

Usually, in AWS, Azure and Docker tooling, I can configure tooling by setting Environment variables instead of using the command line. The "oc" does not have this option, and because of this it is not container friendly to use.

Best practice would be to inject "APIKEY" in the Container using secrets. Without the possibility to configure the "oc login" through Environment variables, everything gets a bit more difficult/cumbersome.


Aha, I accidentally wrote some bad login config, and then I got this:

bash-4.2$ oc status
error: Missing or incomplete configuration info.  Please login or point to an existing, complete config file:

  1. Via the command-line flag --config
  2. Via the KUBECONFIG environment variable
  3. In your home directory as ~/.kube/config

To view or setup config directly use the 'config' command.
bash-4.2$

So it IS possible to use Environment variables. This was missing in the documentation. Nice.


To login, I added docker secrets, and a script that logs in on start.

TODO: copy in the dockerfile
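
An added example, not the author's login script and not code from the repository: one way to let the container log itself in is to build the file that KUBECONFIG points to from Docker secrets at start-up, so the token is never in the image, in git, or on a command line. The secret names oc_token and oc_server, the SECRETS_DIR override and the OC_ENTRYPOINT switch are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names: Docker secrets "oc_token" and "oc_server",
# mounted under /run/secrets, and the OC_ENTRYPOINT switch at the bottom.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME: print the first line of a mounted secret, fail if absent/empty.
read_secret() {
    f="$SECRETS_DIR/$1"
    [ -r "$f" ] || { echo "secret '$1' is not mounted at $f" >&2; return 1; }
    v=$(head -n 1 "$f" | tr -d '\r\n')
    [ -n "$v" ] || { echo "secret '$1' is empty" >&2; return 1; }
    printf '%s' "$v"
}

# write_kubeconfig PATH: write a token-based kubeconfig only its owner can read.
write_kubeconfig() {
    out="$1"
    token=$(read_secret oc_token) || return 1
    server=$(read_secret oc_server) || return 1
    # Refuse anything that could break out of the YAML values written below.
    case "$server" in https://?*) ;; *) echo "server must be an https:// URL" >&2; return 1 ;; esac
    case "$token$server" in *[!A-Za-z0-9.:/_-]*) echo "unexpected character in token or server" >&2; return 1 ;; esac
    ( umask 077; mkdir -p "$(dirname "$out")" && rm -f "$out" && cat > "$out" ) <<EOF
apiVersion: v1
kind: Config
clusters:
- name: cluster
  cluster:
    server: $server
users:
- name: deployer
  user:
    token: "$token"
contexts:
- name: default
  context:
    cluster: cluster
    user: deployer
current-context: default
EOF
}

# Entrypoint mode: build the config, point oc at it, then run the real command.
if [ "${OC_ENTRYPOINT:-}" = 1 ]; then
    write_kubeconfig "$HOME/.kube/config" || exit 1
    export KUBECONFIG="$HOME/.kube/config"
    exec "$@"
fi
```

With OC_ENTRYPOINT=1 set in the compose file and this script as the ENTRYPOINT, "oc whoami" in the running container shows whether the token was accepted.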



Deploy images from Docker Hub on OpenShift Online

Another block from Red Hat is this: https://blog.openshift.com/deploying-images-from-dockerhub/

Oh my. It does not matter if I run the application inside the container as root, because the Container is only doing ONE thing and it is to run whatever I want it to run. If anyone is able to hack the container, the container itself is a sandbox and unable to hurt anyone but itself.

In the blog above, the writer mentions this:

"The general problem we see everyday is that containers are trying to run as root. Is that a good idea? Not really, would you let the application running directly on the OS run as root? No! You would not and the same is true with containers. Applications should run as a regular user."

But I do not think the writer fully knows how Containers are run and how they are accessed. A Container is not a server and it is not a multipurpose VM. It already runs securely and fully isolated on the Docker Daemon and it is by best practice always stateless. You can not "login" to a Container unless you have done something creatively. To be able to "login" into the container, you have to login into the orchestrator first. The Container itself is not accessible from outside.

This "Block" is basically to scare and force users to use Red Hat instead of anything else.

So, how do we get around this blockade?

Deploying the containers => To deploy custom containers, you need to use the terminal as it’s not yet exposed in the web UI. 

Again, Red Hat has not made it easy to "import" docker images from Docker Hub, and is forcing users to use the terminal to do this.

https://docs.openshift.com/online/using_images/other_images/other_container_images.html

"OpenShift Online runs containers using an arbitrarily assigned user ID. This behavior provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node. Due to this restriction, images that run as root will not deploy as expected on OpenShift Online."

Haha. Nice try. What "due to a container engine vulnerability" are you talking about? Without any reference to any documentation whatsoever.

Moving on: Trying to deploy Images from Docker Hub => https://blog.openshift.com/deploying-images-from-dockerhub/

Using my own image: https://cloud.docker.com/u/geircode/repository/docker/geircode/openshift_online_cli

oc new-app geircode/openshift_online_cli


Todo: copy in updated Dockerfile with USER 1001
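
An added example, not the author's updated Dockerfile and not code from the linked pages: because the platform picks the user ID, "USER 1001" alone is not enough, and the directories the process uses also have to be usable by the group that arbitrary UID belongs to (the root group, GID 0, on OpenShift). The two function names are assumptions; the first is meant to be run as root in a Dockerfile RUN step before the final USER line, the second lists what would still fail.

```shell
#!/bin/sh
# Added example. Function names are hypothetical helpers, not part of oc.

# make_group_usable DIR [GID]: hand DIR to group GID (default 0) and give that
# group the same permissions the owner has, so any UID in the group can use it.
make_group_usable() {
    dir="$1"; gid="${2:-0}"
    chgrp -R "$gid" "$dir" && chmod -R g=u "$dir"
}

# list_uid_unsafe DIR [GID]: print the "ls -ln" line of every entry under DIR
# that an arbitrary UID in group GID could not use the way the owner can:
# either the entry belongs to another group, or its group permission bits
# differ from the owner's bits.
list_uid_unsafe() {
    dir="$1"; gid="${2:-0}"
    find "$dir" -exec ls -lnd {} + | awk -v gid="$gid" '
        { owner = substr($1, 2, 3); group = substr($1, 5, 3)
          if ($4 != gid || owner != group) print }'
}
```

An empty result from list_uid_unsafe on the application's writable directories is a quick pre-push check that the image does not depend on running as its build-time user.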



https://access.redhat.com/containers/

  • but does not contain a "Centos" image


https://stackoverflow.com/questions/27701930/add-user-to-docker-container


https://blog.openshift.com/image-streams-faq/

oc import-image openshift-online-cli --from=geircode/openshift_online_cli --confirm


How do I update my Container Image in OpenShift manually or automatically?


How do I make a BuildConfig, and how do I add it to OpenShift?

The OpenShift documentation did not provide any examples on how to do this, but I found this: https://dzone.com/articles/4-ways-to-build-applications-in-openshift-1


Run this to create an example build. Source code => https://github.com/openshift/nodejs-ex.git

oc new-build https://github.com/openshift/nodejs-ex.git

This adds a build to the OpenShift:


Getting more information from "oc"

[root@0e95815c27b5 scripts]# oc new-build -h
Create a new build by specifying source code

This command will try to create a build configuration for your application using images and code that has a public
repository. It will lookup the images on the local Docker installation (if available), a Docker registry, or an image
stream.

If you specify a source code URL, it will set up a build that takes your source code and converts it into an image that
can run inside of a pod. Local source must be in a git repository that has a remote repository that the server can see.

Once the build configuration is created a new build will be automatically triggered. You can use 'oc status' to check
the progress.

Usage:
  oc new-build (IMAGE | IMAGESTREAM | PATH | URL ...) [options]

Examples:
  # Create a build config based on the source code in the current git repository (with a public
  # remote) and a Docker image
  oc new-build . --docker-image=repo/langimage

  # Create a NodeJS build config based on the provided [image]~[source code] combination
  oc new-build openshift/nodejs-010-centos7~https://github.com/openshift/nodejs-ex.git

  # Create a build config from a remote repository using its beta2 branch
  oc new-build https://github.com/openshift/ruby-hello-world#beta2

  # Create a build config using a Dockerfile specified as an argument
  oc new-build -D $'FROM centos:7\nRUN yum install -y httpd'

  # Create a build config from a remote repository and add custom environment variables
  oc new-build https://github.com/openshift/ruby-hello-world -e RACK_ENV=development

  # Create a build config from a remote private repository and specify which existing secret to use
  oc new-build https://github.com/youruser/yourgitrepo --source-secret=yoursecret

  # Create a build config from a remote repository and inject the npmrc into a build
  oc new-build https://github.com/openshift/ruby-hello-world --build-secret npmrc:.npmrc


How to build an Image from a Bitbucket repository

https://blog.openshift.com/private-git-repositories-part-5-hosting-repositories-bitbucket/

[root@1a2a23ff157b scripts]# oc new-build https://GeirIvarJerstad@bitbucket.org/geircode/openshift_online_cli.git
--> Found Docker image 1e1148e (2 months old) from Docker Hub for "centos"

    * An image stream will be created as "centos:latest" that will track the source image
    * A Docker build using source code from https://GeirIvarJerstad@bitbucket.org/geircode/openshift_online_cli.git will be created
      * The resulting image will be pushed to image stream "openshiftonlinecli:latest"
      * Every time "centos:latest" changes a new build will be triggered

--> Creating resources with label build=openshiftonlinecli ...
    imagestream "centos" created
    imagestream "openshiftonlinecli" created
    error: buildconfigs.build.openshift.io "openshiftonlinecli" is forbidden: build strategy Docker is not allowed
--> Failed
[root@1a2a23ff157b scripts]#

Oh, well. So close. Apparently, docker strategy is not allowed in OpenShift Online : https://stackoverflow.com/questions/46839811/allow-docker-strategy-in-openshift-3



 hidden rant...

But how can I make a Docker Container Image that will be able to run on OpenShift Online?

Where are the example Dockerfile files?

Where is the on-boarding documentation to get this up and running?


Where. Where. Where. Where. Where. Where. Where. What. Why. Where. What. Where.


This is how I best can describe the process of working with OpenShift.