Enabling serverless on OpenShift

The first step in going serverless on OpenShift is installing the Serverless Operator through operatorhub, making sure to install for all namespaces, on the relavant channel, with Automatic approval. The official documentation is very clear, and takes one through everything required. Once the operator is installed, I then installed knative serving and knative eventing (once again following the docs), and in just a few minutes it looked like everything was installed and working.

My first service

Once the Serverless Operator was installed, it was time to look at deploying an actual application. Our Documentation is a good starter, and will get you up and running with the sample 'Hello World' service in short order. However, being an awkward cuss, I wanted to try something different, and a good candidate is my first app - it's a simple, self contained API, and is a great candidate.

To get up and running, I created an application is the same manner outlined in the previous post, and checked the 'Knative Service' option under the resource type to generate. Then it was build, and..... nothing. The service didn't start up correctly, even though the build had completed. It was then I remembered that my application starts up on port 3000 rather than 8080. Thankfully, this can be defined in the YAML for the Serverless Service by adding a containerPort declaration.

spec:
  containers:
    ports:
      - containerPort: 3000

Once this was added, the service completed creation, and all conditions on the service page showed up as 'True'. From there, it was a matter of hitting the URL, and seeing an Adventure Time quote returned!

Performance

We know that performance suffers with serverless and cold starts, so I thought I'd log a couple of tests to quantify it. These are individual runs, and absolutely not scientific (there may be future posts in making things perform better), but it's interesting to see that we go from 6 seconds to 21 milliseconds!

All in all this was a a lot more straightforward to get this up and running, and an application deployed. Kudos must go to the OpenShift team for integrating knative so well into the product, and I'll certainly be using it frequently in future.

To begin, I set up a RHEL8 VM, gave it an 80GB partition because I'm being a little frugal, and set it up in my usual manner, adding the usual repos, and registering it with IDM.

subscription-manager register
subscription-manager attach --pool=<pool id>
subscription-manager repos --disable=*
subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
yum update
yum install ipa-client -y
ipa-client-install --enable-dns-updates

Once my base system was set up, I ran yum install nfs-utils, but to my surprise the package is already installed, so that's a small victory \o/. The next steps are starting the service, setting it to start at boot, and checking the status, all done like so

systemctl start nfs-server.service
systemctl enable nfs-server.service
systemctl status nfs-server.service

This now gives us a running nfs server, but it's a bit useless unless we create some shares on it. THis involves creating some suitable folders on the file system, and adding it to the /nfs/exports/ config file. I'll start with deciding that /mnt/nfs is a suitable directory to add my shares, and the first thing I want to store is the OpenShift registry, so I created the folder, added an entry to the exports file (which was empty), and applied it to the system, being sure to set the owner to nobody.

mkdir -p  /mnt/nfs/registry
chown -R nobody: /mnt/nfs/
chmod -R 777 /mnt/nfs/
vi /etc/exports
## Add this to empty exports file
/mnt/nfs/registry       192.168.10.0/24(rw,sync,no_all_squash,root_squash)
## Apply this change
exportfs -arv

What's been created is an export that is available to everything on the 192.168.10.0/24 subnet (which is now the subnet of my lab), and allows read and write access, that NFS writes to disk when requested. To check that this has been applied, exportfs -s will list all exports known to the system.

Finally, we want to ensure that the firewall rules allow connections, which can be achieved by the following:

firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload

This should now give us something that OpenShift can connect to, so we need to go back over there to configure a Persistent Volume, and Claim it for the registry. For this we can follow the previous post, by visiting Persistent Volumes -> Create Persistent Volume in the console, and adding the following YAML to configure:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: registry-pv
spec:
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Recycle
  nfs:
    server: 192.168.10.26
    path: /mnt/nfs/registry

This will create the volume with the name registry-pv, that is pointing to my NFS VM. The reclaim policy is set to Recycle so that space is freed up when a claim is deleted. This can also be set to Retain or Delete if required. In my case, I was keeping it simple so largely left things as default.

Once the Persistent Volume was created, I essentially have 10GB of 'space' that I want to use for the internal image registry, I need to claim sthis volume by creating a Persistent Volume Claim. In a similar manner to PVs, this can be done through the console, by visiting Persistent Volume Claims -> Create Persistent Volume Claim, and adding the following YAML to configure:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: registry-pvc
  namespace: openshift-image-registry
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 10Gi
  storageClassName: slow

In order to get the internal image registry to use our new claim, we need to edit the operator, run oc edit configs.imageregistry.operator.openshift.io, and under the spec section, add the following to make the registry managed, and using the pvc.

storage:
  pvc:
    claim: registry-pvc
replicas: 3
managementState: Managed

With that, you should be good to go, and if you build and deploy an application, you should see the images in the /mnt/nfs/registry directory, and all should be well.

Infrastructure nodes were a clear concept in the days of OpenShift 3, the Control Plane was clearly split into Master and Infra nodes, and then your App nodes held all your, well, Applications. If you look at the documentation for OCP 4, you'll see that Infra nodes barely get a mention. We simply have masters and workers, and so if you inspect your nodes on a fresh install, you get:

$ oc get nodes
NAME                       STATUS   ROLES    AGE     VERSION
ocp-jb9nq-master-0         Ready    master   20d     v1.17.1
ocp-jb9nq-master-1         Ready    master   20d     v1.17.1
ocp-jb9nq-master-2         Ready    master   20d     v1.17.1
ocp-jb9nq-worker-0-pxsfh   Ready    worker   17d     v1.17.1
ocp-jb9nq-worker-0-t48hm   Ready    worker   20d     v1.17.1
ocp-jb9nq-worker-0-w87sf   Ready    worker   20d     v1.17.1

Why would you want to have Infra nodes? Well, the simplest reason is to put your workloads on there that are not strictly part of the Control Plane, nor are they the Applications you want to run. The main items we mean when talking of such 'Infrastructure' is the handling of Routing, the Image Registry, Metrics, and Logging. Keeping these distinct from your applications gives a good separation of concerns, as well as the fact that Infra nodes don't incur subscription charges!

In order to create a new type of node, we need to create a new MachineSet. This can be done by expanding 'Compute', clicking on 'Machine Sets', then the 'Create Machine Set' button. You can copy the YAML for the existing worker MachineSet, and modify it by adding a label of node-role.kubernetes.io/infra: "", as well as modifying the role and type of the node to be infra. My config is the below:

apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: ocp-jb9nq 
  name: ocp-jb9nq-infra-0
  namespace: openshift-machine-api
spec:
  replicas: 3
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: ocp-jb9nq 
      machine.openshift.io/cluster-api-machineset: ocp-jb9nq-infra-0
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: ocp-jb9nq 
        machine.openshift.io/cluster-api-machine-role: infra 
        machine.openshift.io/cluster-api-machine-type: infra 
        machine.openshift.io/cluster-api-machineset: ocp-jb9nq-infra-0 
    spec:
      metadata:
        labels:
          node-role.kubernetes.io/infra: "" 
      providerSpec:
        value:
          cluster_id: 652f7152-98e1-11ea-9fa7-901b0e33b3aa
          userDataSecret:
            name: worker-user-data
          name: ''
          credentialsSecret:
            name: ovirt-credentials
          metadata:
            creationTimestamp: null
          template_name: ocp-jb9nq-rhcos
          kind: OvirtMachineProviderSpec
          id: ''
          apiVersion: ovirtproviderconfig.openshift.io/v1beta1

This will create 3 replicas of my new MachineSet. Saving this file and waiting a few minutes will see RHV spin up some new VMs, assign them as Nodes and complete the configuration. If we run oc get nodes again, we will see the following.

NAME                       STATUS   ROLES            AGE     VERSION
ocp-jb9nq-infra-0-2zrvd    Ready    infra, worker    3d23h   v1.17.1
ocp-jb9nq-infra-0-rrppr    Ready    infra, worker    3d23h   v1.17.1
ocp-jb9nq-infra-0-zq5cd    Ready    infra, worker    4d      v1.17.1
ocp-jb9nq-master-0         Ready    master           20d     v1.17.1
ocp-jb9nq-master-1         Ready    master           20d     v1.17.1
ocp-jb9nq-master-2         Ready    master           20d     v1.17.1
ocp-jb9nq-worker-0-pxsfh   Ready    worker           17d     v1.17.1
ocp-jb9nq-worker-0-t48hm   Ready    worker           20d     v1.17.1
ocp-jb9nq-worker-0-w87sf   Ready    worker           20d     v1.17.1

So now we have 3 Infra Nodes, and just need something to run on them. The first thing we can do is move the IngressController. We need to edit it and modify the spec section to add a NodeSelector stanza in the following format

oc edit ingresscontroller default -n openshift-ingress-operator -o yaml

replace spec: {} with the following - it will ensure that pods go on a node labeled as infra

spec:
    nodePlacement:
      nodeSelector:
        matchLabels:
          node-role.kubernetes.io/infra: ""

You can confirm the correct nodes are in the right place by running

oc get pod -n openshift-ingress -o wide

To move the default registry, it is a similar pattern - first by editing the config/instance object

oc edit config/cluster

And adding the following in the spec

nodeSelector:
    node-role.kubernetes.io/infra: ""

Once again, this can be verified by running

oc get pods -o wide -n openshift-image-registry

To move monitoring, we need to create a ConfigMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |+
    alertmanagerMain:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    prometheusK8s:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    prometheusOperator:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    grafana:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    k8sPrometheusAdapter:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    kubeStateMetrics:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    telemeterClient:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    openshiftStateMetrics:
      nodeSelector:
        node-role.kubernetes.io/infra: ""

Applying the above can be done ising oc create

oc create -f cluster-monitoring-configmap.yaml

After a few minutes, you can check that the pods are in the correct place with the following command

oc get pod -n openshift-monitoring -o wide

The OpenShift documentation for moving cluster logging resources is quite comprehensive, and worth following (as it is for the moving of other resources described above).

You may notice then when creating the nodes, they will all have the role of infra, worker. This does mean that there is the possibility that Application workloads could get put on the nodes. If you want to remove the worker label, oc label node <node name> node-role.kubernetes.io/worker- will do it for you.

So, it was time for PV's, but what which one to choose? Given that my cluster is running on RHV, I could spin up a drive or some space on there, but that seemed a little complicated in many ways, so my eyes turned to my NAS... well, it does have 'Storage' as part of it's acronym... I have a Synology DS218+ to hold media, but it has plenty of spare space on it, so lets get adding an NFS share to it.

The Synology documentation gives a really good overview, and following that I carved out a 50GB share, tied to the subnet of my lab. There are many other authentication options that can be used, but for now I'm going with simple (complexity can be added later.)

Once this was in place, it was over to OpenShift to create Persistent Volume. This can be done through the ui, by visiting Persistent Volumes -> Create Persistent Volume in the console, and adding the following YAML to configure:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: synology
spec:
  capacity:
    storage: 50Gi
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: slow
  nfs:
    server: 192.168.0.200
    path: /volume1/Homelab

This will create the volume with the name synology, that is pointing to my NFS mount point (/volume1/Homelab on 192.168.0.200). The reclaim policy is set to Recycle so that space is freed up when a claim is deleted. This can also be set to Retain or Delete if required. In my case, I was keeping it simple so largely left things as default.

Once the Persistent Volume was created, I essentially have 50GB of 'space' that I can use to store things. If I want to use any of that for an application, or for the internal image registry, I need to claim some of that volume. That is done by creating a Persistent Volume Claim. In a similar manner to PVs, this can be done through the console, by visiting Persistent Volume Claims -> Create Persistent Volume Claim, and adding the following YAML to configure:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: synology-pvc-images
  namespace: psychic-octopus
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: slow

This is creating a claim called synology-pcvc-images and I'm specifying that it is 5GB in size. I also add storageClassName: slow to help reference it back to the PV created before. Saving the YAML file and waiting a few seconds should leave you with a result similar to below, with my PVC Bound to the correct PV.

You might notice in the screenshot above that it is a little misleading. Or at least, it was to me before checking with a colleague. The 'Capacity 50Gi' looked very wrong - that was the entirety of the PV, but I had only specified 5Gi in my configuration. It would seem that this little nugget refers to the face that it can expand up to 50Gi if it needs to, but verifying the YAML for the claim shows that 5Gi is correctly specified as it's size.

So there you have it - my cluster is now able to save stuff on my NAS - maybe the next step is hooking the claim up to the image registry... look out for that in a future installment.

Update

It turns out, like so many things in life, that storage in OpenShift is not as easy as I might have thought, or the above might have led you to believe. In fact, PV's and PVC's have a 1 <-> 1 relationship, and so in my example above, all I have done is created a 50GB folder for my images. Useful, but certainly not the intention when I set out. If I wanted more 'folders' or space for applications, using the method above I would have to create more PV's and more PVC's.

What I actually intended to do was to provision dynamic storage, probably through a StorageClass but it turns out this doesn't currently exist for NFS. So some more research is required on this one.

Normally, most beginner series starts with a 'Hello World' demonstration. It's ubiquitous, but it's also boring, so I'm not going to do that. Ok, so I have longer term reasons as well for not doing it, but bear with. No, in this case we're going to go straight in with a quotation generator. Not just any quotation generator, but one that takes quotes from one of the best cartoons ever, Adventure Time.

We'll also be using Node.js, in a move that will surprise nobody who I work with. Simply put, it's a straightforward language to learn, it's easy to get results quickly, and doesn't require a complex build stack or lots of configuration to both develop locally, or push to 'the cloud'. Other languages are available, but this is what we're using today.

We're going to create a little api. A very little api. A single endpoint in fact. You'll hit <url>/quote and there'll be a little JSON object of joy containing a nice quote from the show, and some metadata that we'll get into. The dataset is one that I built up ages ago (so in't entirely up to date with the show), and is a public gist that you can grab if you wish. Other than that, we will use fastify, a lovely little web framework for Node.js.

The code for the entire app is below.

const quotes = require('./data/adventure-time-quotes.json');
const fastify = require('fastify')({logger: true});

fastify.get('/quote', function(request, reply) {
    return reply.send(JSON.stringify(quotes[Math.floor(Math.random() * quotes.length)]));
});

fastify.listen(8080, '0.0.0.0', function(err, address) {
    if (err) {
        fastify.log.error(err)
        process.exit(1)
    }
    fastify.log.info(`server listening on ${address}`)
});

• First, we include our adventure-time-quotes.json file, that is in a folder named 'data'.
• We instantiate fastifiy, our web framework.
• We create our /quote route, which returns a random entry from adventure-time-quotes.json.
• We start our server on port 8080 (which is the default in OpenShift), and 0.0.0.0 means it'll listen on any ip interface.

In order to run our code, we need a package.json file, which lays out dependencies, and the various run commands. You can run npm init in your applications folder for an interactive creation of the file, or copy out something like below

{
  "name": "adventure-time-quoter",
  "version": "1.0.0",
  "description": "The best quotes from the best show!",
  "main": "index.js",
  "scripts": {
    "start": "node --use_strict index.js"
  },
  "author": "Al Graham",
  "dependencies": {
    "fastify": "^2.14.1"
  }
}

The important parts in this are that we have fastify with a version of ^2.14.1 declared as a dependency - ^ is used to pull the latest major version of fastify that is equal to or greater than 2.14.1 (so in future it would pull 2.14.3, or 2.20.2, but never 3.x.y), and our main start command is node --use_strict index.js. This is the command that will be run by OpenShift to get your pod to start. You can test locally by running npm start and if you have everything correct, you'll be able to get quotes to your hearts content - but that's not on OpenShift. For that, we need to do a little more.

We need to create a project to house our apis. This can be done through the web console by going to the Developer area, and clicking on '+Add', and then selecting 'Create Project' from the Project's dropdown, and filling in some basic details

Then we can add a workload from Git, and fill in our repository details, select Node.js for our builder image, give it a name within OpenShift, and create a Deployment Config

Once you click 'Create', you have basically finished. Your application will be created, and you will see a cute little graphic representing it. Clicking on it expands some detailed information. In the below, you will see that the first build has just been started (this is automatically started when you add your application)

When the build finishes, and if it is successful (it should be successful), the ui will change to show that the application container is being created

When the creation has finished, you will see you container is running, and you should be able to access the route that was exposed.

In my case, I point a browser to http://adventure-time-quoter-mathematical.apps.ocp.bugcity.tech/quote and see a lovely, random quote from Lady Rainicorn

So there you have it, your first application running on OpenShift. Naturally, you will want to add more functionality, and some extra options for when you deploy, but you're on the way now.

The complete application I deployed is available on GitHub, albeit with some things added that weren't mentioned here, but feel free to take and deploy it if you want!

In the end I picked up a USG security gateway, 2 US‑8‑60W 8 port hubs, and a UAP-AC-IW In-Wall access point. I already had a Synology NAS, and so Docker on that was put into service to run the Controller software to save me getting a Cloud Key. Finally, because I'm a glutton for punishment, a Raspberry Pi 4 was also aquired, to run Pi Hole.

Once everything arrived, was plugged in, and recognised by the Controller software (which took longer than it should have due to some dodgy RJ45 sockets and my less than stellar crimping skills), it was time to sort out some networks. Eventually I settled on three:

• Computers n Shit -this is the 'main' computers in the house - our laptops, phones, the Nas, the Raspbrry Pi etc (192.168.0.0/24)
• Dangerous home assistant yokes -all the IoT devices we have, as well as game consoles, TV, DVR, etc (192.168.42.0/24)
• Homelab -the homelab -currently just BugCity (178.0.0.0/24)

The way Unifi works is that all of these networks have a gateway IP of the *.1 of their subnet (192.168.0.1, 192.168.42.1, 178.0.0.1), but this isn't an actual device, it's all internal. There is also a WAN network defined, that has the PPPoE connection to my ISP, and this is where I define the Raspberry Pi (on 192.168.0.210) as the DNS server for everything that connects to any of the networks.

There are also suitable firewall rules in place so that Computers n Shit can talk to anywhere, Dangerous home assistant yokes is isolated on its own, with a couple of devices specified by MAC address as being able to connect to the NAS, and Homelab is totally on its own.

Finally, I have 2 wireless networks defined, HTTP418 (for the Coffee Pot Control Protocol fans) which is part of Computers n Shit, and dodgy-bois which is for Dangerous home assistant yokes. Unifi also lets me choose networks for specific ports on the switches, so that is also used to specify the Homelab and some Dangerous home assistant yokes clients.

So far, so (fairly) straightforward (or maybe a little overkill). It's in the Raspberry Pi though, where things get interesting.

Pi Hole

Pi Hole is a black hole for Internet avertisements - basically, it blocks known advert urls at a DNS level. This gives one ad blocking before it even hits your network, saving you bandwidth, and annoying spouses, as they just love clicking on the first result in google for any search, which is always an ad.

The install and basic setup is pretty well covered in the documentation, and I was soon up and running, but it was then I started to want to get a little... esoteric. I'd read a couple of articles on DNS-over-HTTPS, and it seemed like a good idea to me - a fun way to stop any ISP shenanigans, and heck if the UK Government was against it being turned on by default in Firefox, it must be a good idea! Once again, the documentation was spot on, and soon I was up and running and ready to go. Or was I?

Internal Resolution

Once I had the basic setup working, it was time to take it one step further. I have a domain (lets call it foo.com) that points to my static IP, and is port forwarded to my NAS. This is massively convienient, and allows me to stream content when I'm away for work etc, and not have to remember an IP address. However, if I was inside the house, I'd prefer foo.com to resolve to the local address, to avoid a hop outside of my network. Also, it would be really handy to have all my lab DNS handled by IdM. I am using it for LDAP on the lab, and it makes sense to use it as a DNS resolver too. Keep everything in one place and all that.

Thankfully, Pi Hole ships a variant of dnsmasq called FTLDNS. This allows me to use standard dnsmasq declarations. I created a file, /etc/dnsmasq.d/bugcity.conf and entered some config, as follows:

localise-queries

no-resolv

domain-needed
bogus-priv

expand-hosts
domain=foo.com
local=/foo.com/
server=/0.0.178.in-addr.arpa/178.0.0.17
server=/bugcity.tech/178.0.0.17

• localise-queries means that it will look in /etc/hosts for entries
• no-resolv means that it will ignore /etc/resolv.conf
• domain-needed means it won't forward A or AAAA queries for plain names, without dots or domain parts. If the name is not known from /etc/hosts or DHCP then a "not found" answer is returned
• bogus-priv means that all reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain"
• expand-hosts means that the domain will be added to simple names (without a period) in /etc/hosts in the same way as for DHCP-derived names.
• domain and local let me expand simple names and add foo.com, and tells FTL that it's locally resolved, so never go out to DNS for any foo.com addresses (the NAS address is specified in /etc/hosts)
• server these entries perform forward and reverse lookup from this device to the IDM install that has the IP 178.0.0.17. Basically, this means that any requests for a bugcity.tech address will be kicked to my IdM install, and handled there.

In IdM, I have a few things configured as pictured. Some come automatically when a machine is enrolled with IdM, api.ocp and apps.ocp are the IPs of my OpenShift cluster.

So, there we have it. Some decent routing for requests so that the things I want to keep internal stay internal, and anything that needs to go outside the network are using https, so no snooping by Vodafone :)

It was then that my naivety with the workings of OpenShift came to the fore, leading to a bit more work and googling that I'd expected, but I guess that's why I'm here - to go through the hassle so you don't have to. Or future me doesn't have too when I want to add another cron job in a few months.

Immediately, it was not apparant how to add a new cron job, given that I already had a working yaml file - so it was off to google, and this template popped up as a likely candidate. Scanning through it, the actual job looked pretty similar to mine, so this was going to be the path to success. Template downloaded, it was a matter of running

oc create -f ./cronjob-ldap-group-sync.yml -n openshift-config

to get it into OpenShift, in the openshift-config project. Why that one? Mostly because that was where all the LDAP config for authentication went. I'd probably suggest creating a new project for this, but live your own life!

This now had the template added to OpenShift. Now it was time to create something with it.

For this it was into the 'Developer' menu, then selected project openshift-config from the dropdown at the top of the page, then clicked the 'From Catalog' box (after pausing a moment to lament the lack of internationalisation for OpenShift. I want my catalogue damnit). Sticking cronjob-ldap-group-sync in the search box brought up my template, and 'Instantiate Template' got me filling in some variables.

One of the first things I noticed was a variable named 'Service Account' - oops, guess I'd better create one of those - quick jump over to the Users area in another browser, and soon ldap-group-syncer was born, and given appropriate permissions on the account.

Most of the other variable were straightforward, as I was copying values from my own earlier work, but there were a couple that gave me some pause. The default value for 'Group Filter' ((&(objectclass=ipausergroup)(memberOf=cn=openshift-users,cn=groups,cn=accounts,dc=myorg,dc=example,dc=com))) is a lot more restrictive, and therefore better than mine, and so I might investigate something similar later, but for now I stuck with the tried and tested (objectClass=groupOfNames). I also left 'Image' untouched at registry.access.redhat.com/openshift3/ose-cli even though there's probably an OpenShift4 version, but if it works it works.

Finally, there was the manner of the LDAP sync whitelist input field. Yup, not a text area, an input field. Clearly I had two lines to add (as mentioned in previous post), but how can I add a line break in an input field? The answer is that you try a bit, then stick a space in, click 'Create' and pretend that it's all grand. Back away slowly from the keyboard and have a snack...

Time passed, video calls were had, and then I flipped back over to the OpenShift console, to see a few red "!" - that's not good, lets see what's going on. As I kinda suspected, my whitelist was causing problems. I needed to get the dn's for the whitelist groups on to separate lines. To do this, I went to 'Config Maps' in the sidebar, ensured the correct project (openshift-config) was selected, and selected ldap-config. Into the YAML, and changed whitelist to

whitelist.txt: |-
    cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech
    cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech

click on save, and in theory I was done. But would have to wait an hour for the job to be run again. I can't have that, so over to the aforementioned, but heretofore unclicked 'Cron Jobs' item, selected my job, and jumped into the YAML to set schedule to */1 * * * * (that's 'every minute' for those that, like me, don't read cron), and within 60 seconds, my job was running again, and this time - success!

So, there we have it. OpenShift is talking to LDAP on IdM to perform Authentication, and every hour will sync LDAP groups with OpenShift, so we have RBAC in place. At some point, it'll be good to add a 'prune' job to run as well, but given that it's only me around, and I'm not going to be adding many users, it's at a lower priority.

What's the next step you ask (quietly)? Well, either some Ansible based Tower fun, or some Service Mesh shenanigans - you'll have to check back to find out.

Configuration comes in two parts - Authentication, and Authorisation/Role Based Access Control (RBAC). The first is the most basic connection, have you supplied the correct credentials, does the user belong in a specific group, or set of groups, that sort of thing. RBAC is more involved, and creates a periodic job that syncronises groups and pulls them into OpenShift, so you can apply specific Roles and Policies to them. This is the part were you could define that group foo in LDAP has the role cluster-admin etc etc. I leaned heavily on this article for most of what went on below, so it's worth having a scan over first.

LDAP Configuration

To begin, it was into IdM to get that side of things squared away. I created a group, ocpusers, and already have a superusers group that I am using as a 'catch all' one to give admin or whatver the highest power privileges are on any connected system, so this should be a good baseline - membership of either group will allow one to log into the cluster, and someone in the superusers group will be a cluser administrator. More complex setups can be considered and added later, but this is a good baseline from which to start. I also have two users to test with, tinyexplosions who is in both the ocpusers and superusers groups (among others), and ocp_user who is only in the ocpusers group.

It was then time to fire up ldapsearch to check out how my particular configuration reports things. Lets get the user tinyexplosions. This will give us the dn's of the various items we will want to query down the road.

ldapsearch -x  -LLL -H ldap://idm.bugcity.tech:389 \
-D "uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech" \
-w <password> -b "cn=users,cn=accounts,dc=bugcity,dc=tech" \
-s sub "uid=tinyexplosions"

dn: uid=tinyexplosions,cn=users,cn=accounts,dc=bugcity,dc=tech
givenName: Tiny
sn: Explosions
uid: tinyexplosions
cn: Tiny Explosions
displayName: Tiny Explosions
initials: TE
gecos: Tiny Explosions
krbPrincipalName: tinyexplosions@BUGCITY.TECH
<snip... />
mail: tinyexplosions@bugcity.tech
memberOf: cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech
memberOf: cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech

OCP Configuration

Then, it was into OpenShift, to the cluster OAuth configurater /k8s/cluster/config.openshift.io~v1~OAuth/cluster, and then I used the UI to add an LDAP Identity provider. Based on the info gleaned from above, filled in the fields as follows:

• Name: ldap
• URL: ldap://idm.bugcity.tech:389?uid
• BindDN: uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech
• Bind Password: <pw>
• ID: dn
• Preferred Username: uid
• Name: cn
• Email: mail
• CA File: <upload ca taken from IdM>

Once that was filled in, I waited a couple of minutes for it to apply, then logged out of the cluster, and was greeted with a new login screen, which was promising

Using the new ldap functionality, I input the details for the user tinyexplosions, and it logged me in! Logging out, and retrying authentication with the ocp_user user also allowed me to log in, which was expected, but not desired. From this point it was time to dig into the yaml, and make some changes in order to restrict auth by group.

Group Restrictions

The trick to narrow down the authentication to specific groups is to get the ldap url correct. If we look at the existing url, ldap://idm.bugcity.tech:389?uid. we can see that we're looking for a valid uid to be returned. We also want to see if a user is in a specific group. This is done by appending (memberOf=<group>) declarations to the url, so in our case we want to check for ocpusers group, so we can append (memberOf=cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech). The LDAP standard also allows for the differing operators to be added to join or exclude multiple entries, for example (&(memberOf=x)(memberOf=x)) would check that a user is a member of both x and y groups.

For our simple example, membership of either pertinent group is just fine, so we want to add (|(memberOf=cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech)(memberOf=cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech)) to the url. It is appended to our url, with ?? coming before it, and so the final yaml for my solution looks like below:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    release.openshift.io/create-only: 'true'
  creationTimestamp: '2020-05-18T21:41:18Z'
  generation: 14
  name: cluster
  resourceVersion: '2428122'
  selfLink: /apis/config.openshift.io/v1/oauths/cluster
  uid: 91f17651-559f-4f9b-b5fe-300f64e3e48a
spec:
  identityProviders:
    - ldap:
        attributes:
          email:
            - mail
          id:
            - dn
          name:
            - cn
          preferredUsername:
            - uid
        bindDN: 'uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech'
        bindPassword:
          name: ldap-bind-password-n8t8w
        ca:
          name: ldap-ca-6mqjz
        insecure: false
        url: >-
          ldap://idm.bugcity.tech:389/cn=users,cn=accounts,dc=bugcity,dc=tech?uid??
          (|(memberOf=cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech)
          (memberOf=cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech))
      mappingMethod: claim
      name: ldap
      type: LDAP

Applying the above, and waiting the appropriate time for it to apply, and it was back to the login screen to test. First up I was able to successfully log in with both accounts. From there, it was back to IdM, and I removed user ocp_user from the ocpusers group, and was then unable to log into OpenShift with them. The user tinyexplosions continued to work, and remained able to log in with membership of either superusers or ocpusers enabled, or with membership of both groups enabled, which is what I wanted.

Syncing Groups

This is where things get a little trickier. The official documents are pretty good, so I sugegst reading through them first. Then fire up a text editor and write some more YAML (christ, does OpenShift love a bit of YAML). Nothing too fancy here though:

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://idm.bugcity.tech:389
insecure: false
ca: "<relative/link/to/cert.pem>"
bindDN: "uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech"
bindPassword: "<password>"
groupUIDNameMapping:
    "cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech": openshift_admins
rfc2307:
    groupsQuery:
        baseDN: "cn=accounts,dc=bugcity,dc=tech"
        scope: sub
        derefAliases: never
        filter: (objectClass=groupOfNames)
        pageSize: 0
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "cn=users,cn=accounts,dc=bugcity,dc=tech"
        scope: sub
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ uid ]

Of interest are the baseDn, filter and attribute fields. All of these should be familiar though. The baseDn is the one secified in the Tower integration, so you can copy those from the LDAP User Search and LDAP Group Search fields we added in our configuration last week. Also, the filter attribute is taken from the Tower config too - it's the LDAP Group Search filter, so can be added here too. The various attribute fields are to get the full dn of users, and the attribute we want to appear as a username in OpenShift. Finally, we have groupUIDNameMapping. This allows us to have a group with one name in LDAP, and another in OpenShift. In this case, we take our superusers group in LDAP, and call it openshift_admins in OCP.

As is stands, running this will take every group LDAP sees and add them as groups in OpenShift. Clearly this isn't desirable, and so that is where whitelists and blacklists come in. They are files that you can use to explicitly include or exclude groups from the sync. In our example, we only want the superusers and ocpusers groups to sync their info, so we add their dn's to a whitelist file

cn=superusers,cn=groups,cn=accounts,dc=bugcity,dc=tech
cn=ocpusers,cn=groups,cn=accounts,dc=bugcity,dc=tech

Once these resources are in place, you can run it against OpenShift (leave out the --confirm if you just want to test the output.

 oc adm groups sync --sync-config=./usersync.yaml --whitelist=./whitelist.txt --confirm

During some of my runs, I saw the following error, all it meant was the group openshift_admins already existed (and wasn't created by an earlier sync), and so I deleted the group and ran it again.

group "openshift_admins": openshift.io/ldap.host label did not match sync host: wanted idm.bugcity.tech, got

After a successful run, I could see my users and groups in OpenShift, and the only thing left to do was make the openshift_admins group cluster adminsitrators, meaning tinyexplosions can mess up anything they want!

oc adm policy add-cluster-role-to-group cluster-admin openshift_admins

Repeating the logout/login dance with user tinyexplosions and I was greeted with the Administrator overview, and some lovely errors to look into - but from an auth point of view, it was a rousing success.

Another useful command to know is oc adm groups prune --sync-config=./usersync.yaml --whitelist=./whitelist --confirm - this will remove users who no longer exist in the groups and keep you in tip top shape.

The only thing left to do now is make all the above a cron job, so that we can periodically sync, but that is for next time.

Then it was time to re-run fio, just to see what difference had been made. First on slow-disks - a RAID-0 pair of 500GB spinners

fsync/fdatasync/sync_file_range:
    sync (msec): min=3, max=359, avg=27.65, stdev=15.33
    sync percentiles (msec):
     |  1.00th=[    5],  5.00th=[   12], 10.00th=[   18], 20.00th=[   20],
     | 30.00th=[   22], 40.00th=[   24], 50.00th=[   26], 60.00th=[   28],
     | 70.00th=[   30], 80.00th=[   32], 90.00th=[   42], 95.00th=[   42],
     | 99.00th=[  112], 99.50th=[  128], 99.90th=[  157], 99.95th=[  163],
     | 99.99th=[  205]

99th percentile was faster, at 112ms, but still way above the 10ms recommended. Lets look at fast-disk, the SSD

 fsync/fdatasync/sync_file_range:
    sync (usec): min=293, max=31180, avg=1507.45, stdev=722.84
    sync percentiles (usec):
     |  1.00th=[  318],  5.00th=[  334], 10.00th=[  343], 20.00th=[  379],
     | 30.00th=[ 1401], 40.00th=[ 1418], 50.00th=[ 1860], 60.00th=[ 1876],
     | 70.00th=[ 1909], 80.00th=[ 1942], 90.00th=[ 1991], 95.00th=[ 2212],
     | 99.00th=[ 2606], 99.50th=[ 2671], 99.90th=[ 2868], 99.95th=[ 2900],
     | 99.99th=[ 7439]

That puts the 99th percentile at 2.6ms, well within what we need. With that, I decided to run the install on the fast drive to see what happened, so did a little bastion dance, some configuration and ran create cluster. 40 minutes or so later....

So, that told me a lot - or at least told me that it was either the networking, or the disks that were to blame. While it would be great to just move on and call it done, I can't just do that - I have to know for sure, so it was out with cluster-install destroy cluster and a reconfigure to use the slower disks.

That my friends, led to errors. Lots of timeout-y errors, the sort I have seen a lot in the last few days. This wasa the beginning of a saga that would consume most of the weekend, and lead to some interesting conclusions.

• I reinstalled everything from scratch, and attempted an install, and it worked.
• I deleted, and tried another install on a fast disk, it worked (though didn't finish cleanly, I had to reboot a master).
• I deleted, and tried on slow-disks and it failed.

So, that was getting somewhere - maybe it is disk speed that is the problem. To dig deeper, I then

• Deleted, Tried Install again on slow-disks - failure.
• Deleted, Tried Install on fast-disk - failure.
• Deleted, Tried Install on fast-disk - failure.
• Deleted, Tried Install on fast-disk - failure.

Damnit, that means I can't rule out disks for sure. It was back to a fresh install of everything, RHEL 7 on the Server, RHEV, set up a clean Bastion VM, and install on fast-disk. Success! Then the thought hit me, in the previous tests, after the sucessful install of OCP, I had spun up an IdM server - could that have been the problem? Only one way to find out...

• Deleted, Tried Install on fast-disk - failure.
• Deleted, Tried Install on fast-disk - failure.
• Deleted, Tried Install on fast-disk - failure.
• Deleted, Tried Install on fast-disk - failure.

Head, meet wall. This made no sense to me. I was spinning up a new VM, installing RHEL on it, and using it as a bastion each time. Deleting VMs on RHV should clear everything out, but I just wasn't seeing that happen. In a bit of desparation, I had one last idea. What if it was Unifi being an asshole with DHCP. I knew things were getting IPs ok, but maybe, just maybe.

Only thing to do was to turn off the server, and change subnet on the network. 178.0.0.x became 170.0.0.x. Booted up, created a bastion, ran the installer, and.... failure! THat was when I realised I'd changed two things instead of one. I'd also specified a new name for the cluster lab.bugcity.tech, not ocp.bugcity.tech and guess who hadn't updated that in dnsmasq of PiHole ;(

Restarted server, changed subnet, made correct changes in PiHole, and started the install dance again. This time - success!

So there you have it - exactly what the cause is, I don't know, but changing network settings seemed to fix things.

It looks like it was DNS.

During one debug session, I was sshing into a node, and tried (and failed) to do it directly via hostname. This led to some interesting experiments

$ ping ocp-nln68-master-1
PING ocp-nln68-master-1.bugcity.tech.bugcity.tech (178.0.0.11): 56 data bytes

What was interesting was the .bugcity.tech.bugcity.tech, and the fact that it was resolving to the server 178.0.0.11, rather than the expected 178.0.0.59 This disappeared after a while, but got me digging deeper. Then something struck me. I run a Raspberry Pi with Pi-Hole on it as my network’s DNS (it calls out to cloudflare dns over https), and I use it’s built in fork of dnsmasq to do some local serving of traffic (again, I barely know what any of it does, but it seems to work). Here’s a snippet from /etc/dnsmasq.d/01-pihole.conf

local-ttl=2
local=/etc/hosts/
log-async
address=/.bugcity.tech/178.0.0.11
address=/.ocp.bugcity.tech/178.0.0.200
address=/.apps.ocp.bugcity.tech/178.0.0.210
server=127.0.0.1#5053
server=::1#5053
domain-needed
bogus-priv
except-interface=nonexisting

short aside, once I decided to buy a lab, like most good techies, I went out and purchased a domain, bugcity.tech -I would use this a lot...

I also created a nice separate network for lab based play, you know, following best practise and separating traffic and all that good stuff (again, I feel I must stress that I don't really understand any of this stuff deeply, so if you're an expert, feel free to roll your eyes). It was configured as below

Note the domain name I gave the network - bugcity.tech. Then, once I got my hot little fingers on the server, I fired it up (eventually) and stuck, you guessed it! bugcity.tech as its hostname, and therefore the host for RHEV. That’s a lot of work for a single name, and while I don’t have a specific evidence that this is too blame, I am highly suspicious, so things need to change.

Another thing I investigated while all this was going on was disk speed. According to this article, I needed check if the 99th percentile of fdatasync durations is less than 10ms. I dutifully ran the wee tool and got, well less than that.

sync (msec): min=3, max=478, avg=20.59, stdev=36.51
    sync percentiles (msec):
     |  1.00th=[    4],  5.00th=[    6], 10.00th=[    6], 20.00th=[    9],
     | 30.00th=[   10], 40.00th=[   12], 50.00th=[   14], 60.00th=[   16],
     | 70.00th=[   17], 80.00th=[   18], 90.00th=[   20], 95.00th=[   84],
     | 99.00th=[  205], 99.50th=[  268], 99.90th=[  351], 99.95th=[  384],
     | 99.99th=[  443]

Things looked better on the SSD

fsync/fdatasync/sync_file_range:
    sync (usec): min=305, max=19953, avg=1602.23, stdev=720.84
    sync percentiles (usec):
     |  1.00th=[  326],  5.00th=[  347], 10.00th=[  388], 20.00th=[  586],
     | 30.00th=[ 1434], 40.00th=[ 1614], 50.00th=[ 1860], 60.00th=[ 1876],
     | 70.00th=[ 1975], 80.00th=[ 2147], 90.00th=[ 2278], 95.00th=[ 2376],
     | 99.00th=[ 2868], 99.50th=[ 2933], 99.90th=[ 3032], 99.95th=[ 4080],
     | 99.99th=[13829]

And looked a little better running on the final drive (the first result is 2 drives formatted as one large disk)

fsync/fdatasync/sync_file_range:
    sync (usec): min=8232, max=97259, avg=20732.36, stdev=6345.02
    sync percentiles (usec):
     |  1.00th=[11207],  5.00th=[11994], 10.00th=[12911], 20.00th=[14746],
     | 30.00th=[16581], 40.00th=[18482], 50.00th=[20317], 60.00th=[22414],
     | 70.00th=[24249], 80.00th=[25297], 90.00th=[27132], 95.00th=[33162],
     | 99.00th=[33424], 99.50th=[33424], 99.90th=[73925], 99.95th=[74974],
     | 99.99th=[91751]

Better, but the SSD was the only thing that beat the required 10ms. I had some interesting discussions about this on gChat, and while parts went over my head, the consensus seemed to be that this was a pretty stringent requirement, and that things should work even on the slowest partition, but to be sure I made certain the OpenShift VMs were going on the last drive, but still, no install.

This is a rambling way to say I’m starting again. Clean boot on the server -it’s a lab, they’re designed to be rebuilt on occasion, and reconfigure everything - but I’ll make changes this time.

First off, I’ll change the IP range and domain name on the network, let’s go '172' and ‘bugcity.local’.

Second, I’ll choose a better hostname for the server (maybe keep it simple and ‘server.bugcity.tech’, or just ‘server’).

Third, I’ll modify how I’m using disks. I currently have a 240GB SSD, and 3 500gb spinning disks, with the SSD set to be the boot volume. I will change this, and set one of the 500gb drives as the boot. It may mean that startup time is affected a bit, but I don’t exactly plan to reboot a lot, so I’ll deal.

Once RHEV is back up, I’ll create one volume for VMs that is the SSD, and I’ll stripe the remaining two spinning disks as RAID-0 -and re-run fio to check results, but I think this should help eliminate disks from the equation, and possibly DNS.

I’ll only know for certain once I have finished. But I bet it’s DNS

It’s always DNS.

IdM comes with LDAP built right in, and the official documentation is pretty good, as is a slightly older QuickStart I was pointed to, but there were a couple of things I had to figure out, so it’s worth sharing.

First off, install ldapsearch -it’s invaluable in verifying the correct values for each field, because as good as IdM is, it doesn’t seem to have a central area where you can see Distinguished Names, Common Names etc, and so the command line tool is darn useful.

Second (and I wish I’d actually bothered to do this earlier), familiarise yourself with the location of Tower’s log files /var/log/tower/tower.log is the one you want, and the only place you’ll be able to see any errors in your config -the UI will only say “username or password incorrect”, which is less than helpful.

With that preamble out the way, I next created a user and a group in IdM (‘tower_admin’ and ‘tower_administrators’ Respectively) to test the setup out, then fired up the ldap settings screen in Tower.

A combination of the linked documentation and playing with the command line led me to the correct LDAP URI, and BIND DN, and gave me the basis to run all queries on.

ldapsearch -x  -H ldap://idm.bugcity.tech:389 -D "uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech" -w <password>
// get the tower_admin user
ldapsearch -x  -H ldap://idm.bugcity.tech:389 -D "uid=admin,cn=users,cn=compat,dc=bugcity,dc=tech" -w <password> -b "cn=users,cn=accounts,dc=bugcity,dc=tech" "(uid=tower_admin)"
# tower_admin, users, accounts, bugcity.tech
dn: uid=tower_admin,cn=users,cn=accounts,dc=bugcity,dc=tech
givenName: Tower
sn: Administrator
uid: tower_admin
cn: Tower Administrator
displayName: Tower Administrator
initials: TA
gecos: Tower Administrator
krbPrincipalName: tower_admin@BUGCITY.TECH
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/tower_admin
mail: tower_admin@bugcity.tech
krbCanonicalName: tower_admin@BUGCITY.TECH
ipaUniqueID: dcdf8396-9421-11ea-816b-566f23430002
uidNumber: 1145600001
gidNumber: 1145600001
mepManagedEntry: cn=tower_admin,cn=groups,cn=accounts,dc=bugcity,dc=tech
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=bugcity,dc=tech
memberOf: cn=tower_administrators,cn=groups,cn=accounts,dc=bugcity,dc=tech
krbLastPwdChange: 20200513131525Z
krbPasswordExpiration: 20200513131525Z
krbLoginFailedCount: 0
krbExtraData:: AALt8rtecm9vdC9hZG1pbkBCVUdDSVRZLlRFQ0gA

This user gave me most of the information needed to fill in the rest of the fields, such as the attribues to map, the DN of the group, and the attribute used to search for the user (uid).

With all the config in place, I still couldn’t get it working, and so I verified and changed every setting what felt like hundreds of times, before thinking to look in Tower’s logs. Opening the log file revealed

2020-05-13 15:54:45,497 WARNING  django_auth_ldap Caught LDAPError while authenticating tower_admin: CONNECT_ERROR({'desc': 'Connect error', 'info': 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (self signed certificate in certificate chain)'},)

(Yes, I know I need to sort out a load of certificate stuff, it’s on the long finger -mostly because I’d really like to have IdM use LetsEncrypt as a CA, but I don’t know where to start that journey). Flipping the 'LDAP start tls' toggle to off in Tower led to a successful login, and all seemed well.

To test the functionality a little more, there were some extra steps I wanted to verify. To ensure I’m parsing group membership correctly, it was back to IdM to create what will be my ‘main’ user, ‘tinyexplosions’, and expressly not add it to Tower Administrators. Trying to log into tower was a no go, so that box has been checked.

Secondly, I wanted to return to the is_superuser clause in the tower config. Even though I’m the only user here, it’s worth fleshing this out, so I wanted to look at adding it. In IdM, I added a new group, calling it 'super_users', and added the 'tinyexplosions' user to both this and the 'tower_administrators' groups. In Tower, I added the following in the 'LDAP user flags by group' field

{
 "is_superuser": [
  "cn=super_users,cn=groups,cn=accounts,dc=bugcity,dc=tech"
 ]
}

This means that an LDAP user who is a member of the above group will be a super user in tower, giving the full access. This is verified by logging in as both 'tinyexplosions' and 'tower_admin' and seeing the differences

This should be a good baseline for going forward, as I have a superuser group to set roles in an other applications I want to integrate with LDAP, as well as having Tower correctly integrated.

Addendum

I was pointed out to me that the easiest way to have my IdM certs trusted was to enroll the machine in IdM, and that that would even allow me to log into the machine over LDAP. Queue lightbulb moment, and feeling a bit daft - of course that makes sense, why use any other method to log in!

yum install ipa-client
ipa-client-install --enable-dns-updates

Was all it took (adding in my IdM server details), and after a reboot, I could enable the 'LDAP start tls' toggle, and feel even more secure in my authentication.

There was a little bit of mucking around in IdM to get thingd as I like, namely

• Added a new group, idm_client_sudoers, which will govern who can auth into hosts
• Added a Host Group, idmclients and added the new client tower.bugcity.tech to it
• Added HBAC rule called idmclient and added idm_client_sudoers user group, and the idmclients host group to it
• Added Sudo rule sudoers and added idm_client_sudoers to it

I'm already starting to see how groups in LDAP can get out of control, but in for a penny, in for a pound!

subscription-manager repos --enable ansible-2.9-for-rhel-8-x86_64-rpms
yum install ansible

After that was a quick check of the minimum specs for tower, and the requisite bumping of resources (4 GB RAM, 2 CPUs) and a VM restart, then to the Ansible Tower documents to figure stuff out. It was a download of the bundled Installation Program, then modify the default inventory to add some passwords

[tower]
localhost ansible_connection=local

[database]

[all:vars]
admin_password='password'

pg_host=''
pg_port=''

pg_database='awx'
pg_username='awx'
pg_password='password'

rabbitmq_port=5672
rabbitmq_vhost=tower
rabbitmq_username=tower
rabbitmq_password='password'
rabbitmq_cookie=rabbitmqcookie

# Needs to be true for fqdns and ip addresses
rabbitmq_use_long_name=false
# Needs to remain false if you are using localhost

And a ./setup.sh to get going. First time round there was an error thanks to rsync not being installed, but once I did that we had Tower up and running in a jiffy!

The plan was to get LDAP auth setup between Tower and Idm, but the siren song of OpenShift IPI on RHEV was too strong, and I got a little distracted by that, but more on that another day.

It seemed quite straightforward, I wanted to install the Manager and Databases all on one machine (the actual server), and so that simply required adding a couple of repos, installing rhvm and running engine-setup

subscription-manager repos --enable=rhel-7-server-rhv-4.3-manager-rpms
subscription-manager repos --enable=rhel-7-server-rhv-4-manager-tools-rpms
subscription-manager repos --enable=rhel-7-server-ansible-2.9-rpms
subscription-manager repos --enable=jb-eap-7.2-for-rhel-7-server-rpms
yum install rhvm

Ah, if only it was that easy. The install of rhvm failed, complaining that python2-jmespath couldn't be found, and I spent a good hour or so trying to get to the bottom of it -not helped by my lack of knowledge of all this stuff. Eventually, I took the nuclear option, modified /etc/yum/pluginconf.d/search-disabled-repos.conf to set notify_only=0 and re-ran the setup. After a long time churning through all the repos known to man, and eventually installed correctly. Turns out our docs aren't entirely correct, and the rhel-7-server-extras-rpms repo is also needed.

Once we were installed, the setup went ok - ran engine-setup, to configure it on the current host, didn't install the overlay network, installed the web proxy, and got the installer to configure all the databases. It all went smoothly, and a few minutes later, I was greeted with a dashboard.

From there, it was time to add the first host to the system. Because I'm rolling everything into the one system, my single host is also the base install of RHEL. This time, the documents were spot on, and I soon had a host added.

Next to configure was a storage domain, for that I added a local mount made up from a couple of the drives, and ensured the default ovirtmgmt network would act as a bridge. Once complete, it was time to spin up my first VM.

Creating VM's in RHV

There were a couple of things I found when trying to get VM's running, that might be useful for others. THe first was in getting an iso into the system to add to my machines. This is done by going to Storage -> Domains -> Domain, then selecting the 'Disks' option at the top. Then you click 'Upload -> Start' and add your iso:

Once it's in place, you should see 'rhel-8.2-x86_64-dvd.iso' available as a cd in 'Boot Options', and can set the First Device in the Boot Sequence to be CD-ROM, and you're off. I had to install an oVirt SPICE console on my Mac, which let me open the GUI to complete the install by running remote-viewer ~/Downloads/console.vv.

One final note is that for some reason, once RHEL 8 was installed, it wouldn't let me register with Subscription Manager - there was an SSL based error, that took some time to bottom out, and I ended up changing proxy_scheme=http to proxy_scheme=https in the rhsm.conf file. Once that was completed, registration went fine and I was back where I was towrds the end of last week!

In this instance, it was a couple of remarks from a colleague about IPA being available in OpenShift 4.4 for RHV, and this article from our docs that has led to me moving away from libvirt for managing my VMs, and going with Red Hat Virtualisation -a lot of the built in orchestration with the installers etc is there, and Mainly the existence of an IPI route to OpenShift swings the balance for me.

It’s not a bad time to do it either, as I only have a single VM running IdM at the moment, and even though I should be able to move it easily under RHV, in a worst case scenario, it’s an easy item to recreate (as I now know what docs to look at, and which config to use)

So, libvirt out, RHV in, and let’s see what other fundamental changes get made over the next little while as I learn more about how everything hangs together.

FreeIPA is a good OSS version, but once again, I decided to go downstream, and attempt to install a Red Hat Identity Management Server. Skimming the documentation led me quickly to the thorny issue of DNS (Integrated or not) and root CA’s (external or integrated), and I started to run out of certainty as to what I needed, and if I could get it suitably configured.

I’m very much a tinkerer, and so my home network setup is suitably enterprise-y and non trivial, and consider my lack of expertise, a damn miracle that it works at all (I will write it up in further detail at some point I expect). The main thing to note at this point is that I run Ubiquiti everywhere, have the homelab segregated on its own VLAN, and everything talks to the world via a Raspberry Pi running PiHole, that itself is configured to use DNS over HTTPs. It all means I probably could set up just about any type of setup, as long as I could figure out what the setup needs to be.

Never one to let the unknown get to me, I spun up a RHEL 8 VM, and did the usual subscription manager dance, and ensured I had the correct repos enabled

subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms

After a few hours of things not working, and getting really frustrated with it all, I reached out to some of my wonderful colleagues, who helped me pinpoint that I was looking at the wrong feckin docs! Yes, I had RTFM, just it was the wrong FM! Finally, I opened the correct documentation and set about following the instructions to configure an IdM Server with integrated DNS, and an integrated CA as root CA. That step was ok, just needed to enable correct repositories, install the required modules, and then start the installer

yum module enable idm:DL1
yum distro-sync
// Install With Integrated DNS
yum module install idm:DL1/dns
ipa-server-install

The installer asks a load of questions, and I (not entirely blindly) accepted mostly the defaults, as it was reading the correct stuff from my /etc/hosts file etc, but then I was temporarily stumped when the installer failed with some name server based errors, but good old google came to the rescue, and so I re-ran the installer with the correct flag:

ipa-server-install --allow-zone-overlap

This time, the installer completed successfully, and going to idm.bugcity.tech in a browser gave me a lovely IdM GUI to log into (as I’ve said before, I love a good GUI).

There will be a lot to dig into I’m sure to configure this properly, as well as getting it to play well with Tower, OpenShift etc etc, but as per usual, it all looks to have installed ok, and so all that is for another day.

VMWare

The defacto standard, and probably the most popular orchestrator of VMs that we see. It’s a fair point to ask why I’d look anywhere else, and if I’m honest, if I was 100% focussed on maximising customer based setups, I’d be daft not to look at it.

The downsides though are that it’s proprietary, fairly expensive (unless you know VMUG types), and I simply would like to at least dabble in the Open Source side -and having employee access to Red Hat Products is really helpful.

Red Hat Enterprise Virtualisation

With VMWare discounted (at least for now, I may end up back there eventually!) the natural contender is our offering, RHEV. I had a look around the documentation and quickly got scared off by the talk of nodes and manager environments, and just suspect that the learning curve is steeper than I need right now -I’m here to learn container platforms, not virtualisation!

Libvirt

In many ways the easiest/most basic solution -there is decent support in Cockpit, my server admin tool of choice, and it’s also a good option to build from. Start easy, and if I need to get more complex, I can up my game to one of the other choices.

Getting going was a matter of installing some packages

sudo yum install cockpit-machines*
virt-install package

Then jumping over to cockpit, and using the GUI.

I did have to get an OS iso onto BugCity, so I used

scp rhel-server-7.8-x86_64-dvd.iso tinyexplosions@bugcity:/var/lib/libvirt/images/rhel-server-7.8-x86_64-dvd.iso

to get the iso into /var/lib/libvirt/images. Then I created some storage, a bridge network, and spun up my first VM - the GUI is fairly intuitive

It's worth noting that the problems I had with RHEL 8 disappear under Libvirt - all connection to storage is taken care of, so I can run as many RHEL 8 VMs as I could possibly want, so that's a success!

Once you start the VM, you'll see the standard install prompts for RHEL, which you can go through via the console in Cockpit. With that, we have a good base system, and an ability to spin up VMs at will, that bridge their network onto the lan, so we can ssh into them, leaving us one step closer to OpenShift. First though, we need Authentication.

A note on licencing/suscriptions etc: I have access to employee SKUs for a lot of Red Hat products, so will be using the downstream versions, but in most cases there is an Open Source upstream project to provide the same functionality

Once the ISO was downloaded, it was time to get it onto a USB stick. I (like many of us I suspect) have a load hanging around, so grabbed an 8GB one, and cleared everything off, formatting it to FAT32. The next thing to do is to get the ISO onto the memory key.

If you've newly formatted it, unmount it (I performed all this in the Disk Utility application on my Mac), then it's off for our first foray to the command line.

First things first, lets find out where my newly formatted USB stick is. As I'm a mac user, diskutil list will give me the address of all disks, my output can be seen below, with the USB stick at /dev/disk2.

The next stage is to use dd to move the ISO onto the Disk. I changed into the directory containing the RHEL download, and used sudo dd if=rhel-8.2-x86_64-boot.iso of=/dev/disk2 to create the boot media. After a short wait, I got confirmation that everything had moved across just fine.

From there, it's time to take the USB stick, whack it into the server, plug in a keyboard, and power up to see what happens. I followed the official install guide, and after a little bit, had the installer up and running. That is where my problems started. For some reason, the installer was unable to see any of the 4 HDDs the machine has in it. I rebooted, checked to be sure there was actually drives in it, used the onboard RAID to create a volume, yet still there was no disks showing in the installer.

Then the penny dropped.

Being the inexperienced soul that I am, when configuring up the server, there were a number of choices that I made somewhat blindly, and HDD choice was one of them. The configuration offered me both the choice of SAS drives as well as SATA. A quick google informed me that SAS was not some kind of Andy McNabb Special Forces tie in, but Serial Attached SCSI - that sounded suitably geeky to me, so I greedily added four to my basket.

Turns out, this was possibly a bad idea - seems RHEL 8 removed the support for a lot of SAS cards -particularly those common in the sort of repurposed servers homelabs love - the curse of looking for a bargain I guess. I spent a little time reading some articles, ended up looking to side load the SAS drivers, and then realised I wasn't that brave, and downloaded RHEL 7.8.

Followed the same steps above (sneaky dd to get a boot USB), and tried again, this time successfully! I went through the installer, picked sensible defaults - created it as an Infrastructure Server, a Virtualisation Host with System Administration Tools and System Management enabled, sat back and let it do it's thing. 20 or so minutes later (maybe longer, I wasn't timing), and I had success.

Managing the Sucker

The first thing to do on any RHEL machine it seems is the good old Subscription Manager dance

subscription-manager register
subscription-manager list --available --all
subscription-manager attach --pool=<id>

A quick refresh of all repos

subscription-manager repos --disable=*
subscription-manager repos --enable=rhel-7-server-rpms
subscription-manager repos --enable=rhel-7-server-extras-rpms
subscription-manager repos --enable=rhel-7-server-optional-rpms
yum update

Then, on the advice of a friend, I installed Cockpit - a really nice, web based gui for administering servers - it will certainly make life a lot easier when getting started, and looks kinda pretty to, which doesn't hurt - who knew this stuff was available these days!

The setup instructions are quite clear, and after a few more commands, and some unblocking of ports, I was able to login and see some of my wee servers stats.

The eagle-eyed, or nosy of you might well see the 'Virtual Machines' tab on the dashboard, but that is what the next post will get into.

I had always thought that getting my own setup would be many thousands of pounds, but some new found time in my hands, and some chats led me to bargainhardware.co.uk -the home of loads of refurbished bits, with really good prices! A lot of playing with various configurator tools later, and for the (not insane) price of a little over £700, I was on the ladder.

Enter bugcity, my new foray into the world of homelabs, a Fujitsu Celsius R930n Workstation. My main plan is to run OpenShift, and a couple ancillary bits and bobs, so memory was the most crucial thing I was told. This beastie has 256GB of the stuff, and plenty of unused slots to add more should I need it. It’s also home to a pair of Xeon 8 core processors running at 2.10GHz and about 2TB of storage, on 4 disks (a mix of SSD and spinning platters).

Yes, I could have probably got more for my money going for a rack server, and it would have totally increased the cool factor, but I don’t (sadly) have a rack, or a garage, or really any place to put a big noisy computer, so hard as is was to resist, this tower is mine.

The current plan is to have an OpenShift 4 cluster, Ansible Tower, IdM, Gitlab and Quay all running on this, with maybe even a separate Jenkins instance to simulate the sort of setup we see on the job. I have little to no experience of installing and maintaining any of this, so there’ll be lots of stupid questions to my workmates, and I’ll try capture the high and lowlights here for all to laugh at.

First step (I think) is to install RHEL, and decide what form of VM management I want to use, but that’s for the next post...