OpenShift & K8S Cheat Sheet
Contents
1 Helpers
1.1 .bash_profile
- openshift project/user prompt
function ps1(){ export PS1='[\u@\h($(oc whoami -c 2>/dev/null|cut -d/ -f3,1)) \W]\$ ' } function ps1e(){ export PS1='# [\d \t \u@\h($(oc whoami -c 2>/dev/null|cut -d/ -f3,1)) \W]\n$ ' }
- password gen
genpasswd() { local l=$1 [ "$l" == "" ] && l=12 for i in $(seq 20) do tr -dc A-Za-z0-9_=%.,: < /dev/urandom | head -c ${l} | xargs done }
1.2 xfce-vnc
PROJECT=classroom NR=10 PASSWORD=xxx DOMAIN=app.domain.com HOST=xfce oc new-project $PROJECT > $PROJECT-inventory.txt seq -w $NR | while read NR do URL=$HOST$NR.$DOMAIN URLS=$HOST$NR.$DOMAINS oc new-app --name=$HOST$NR --docker-image=docker.io/christian773/xfce-vnc:latest VNC_PW=$PASSWORD$NR oc volume dc/$HOST$NR --add --name=$PROJECT -t pvc --overwrite \ --claim-size=5G --claim-mode=ReadWriteMany --mount-path=/headless/Desktop/data --claim-name=$PROJECT oc expose svc/$HOST$NR --hostname=$URL --port=6901 echo "https://$URL Passwort: $PASSWORD$NR" >> $PROJECT-inventory.txt done cat $PROJECT-inventory.txt
- find large dirs
alias dush='du -sm * .[^\.]*|sort -n|tail'
- process lister
function px (){ PAT=$1 [ -z $PAT ] && PAT='.*' ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args | head -n1 ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args | grep -i "$PAT" | egrep -v "RUSER.*COMMAND|grep .* -i $PAT| $$ |ps -eo ruser.*args" }
- unlock ssh private for this session
alias skey='touch /tmp/.k$$ ; chmod 600 /tmp/.k$$ ; ssh-agent > /tmp/.k$$ ; . /tmp/.k$$ ; rm -f /tmp/.k$$ ; ssh-add'
1.3 xfce-vnc
PROJECT=classroom NR=10 PASSWORD=xxx DOMAIN=app.domain.com HOST=xfce oc new-project $PROJECT > $PROJECT-inventory.txt seq -w $NR | while read NR do URL=$HOST$NR.$DOMAIN URLS=$HOST$NR.$DOMAINS oc new-app --name=$HOST$NR --docker-image=docker.io/christian773/xfce-vnc:latest VNC_PW=$PASSWORD$NR oc volume dc/$HOST$NR --add --name=$PROJECT -t pvc --overwrite \ --claim-size=5G --claim-mode=ReadWriteMany --mount-path=/headless/Desktop/data --claim-name=$PROJECT oc expose svc/$HOST$NR --hostname=$URL --port=6901 echo "https://$URL Passwort: $PASSWORD$NR" >> $PROJECT-inventory.txt done cat $PROJECT-inventory.txt
- find large dirs
alias dush='du -sm * .[^\.]*|sort -n|tail'
- process lister
function px (){ PAT=$1 [ -z $PAT ] && PAT='.*' ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args | head -n1 ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args | grep -i "$PAT" | egrep -v "RUSER.*COMMAND|grep .* -i $PAT| $$ |ps -eo ruser.*args" }
- unlock ssh private for this session
alias skey='touch /tmp/.k$$ ; chmod 600 /tmp/.k$$ ; ssh-agent > /tmp/.k$$ ; . /tmp/.k$$ ; rm -f /tmp/.k$$ ; ssh-add'
2 Administration
2.1 daily cmds
oc get nodes -o wide oc get all -o wide --all-namespaces oc get ep -o wide oc get events --sort-by='.lastTimestamp' oc get rolebindings --all-namespaces oc get pv oc get pvc oc get projects oc get users oc get groups
2.2 inspect user/group permissions
oc get rolebinding -o wide -n gitea oc get rolebinding -o wide --all-namespaces
2.3 inspect imagestreams
oc get is -n openshift oc describe is php -n openshift oc export -n openshift isimage php@42c4a9072f
2.4 backup openshift objects
oc get all --all-namespaces --no-headers=true | awk '{print $1","$2}' | while read obj do NS=$(echo $obj | cut -d, -f1) OBJ=$(echo $obj | cut -d, -f2) FILE=$(echo $obj | sed 's/\//-/g;s/,/-/g') echo $NS $OBJ $FILE; oc export -n $NS $OBJ -o yaml > $FILE.yml done
3 snippets
3.1 run as root (anyuid)
oc create serviceaccount sa-anyuid oc adm policy add-scc-to-user anyuid -z sa-anyuid # create new-app before to get a dc oc patch dc/deployment-config-name --patch '{"spec":{"template":{"spec":{"serviceAccountName": "sa-anyuid"}}}}'
3.2 run as root (anyuid) for every pod in project
oc adm policy add-scc-to-user anyuid -z default
4 deployment examples
4.1 imagestream demo (build service)
- get all the imagestreams
oc get is -n openshift
- inspect nginx imagestream
oc describe is nginx -n openshift
- setup new project
oc new-project is-demo
- setup the dev environment
oc new-app --name=html-dev nginx:1.10~https://github.com/joe-speedboat/openshift.html.devops.git#master oc get all oc logs -f builds/html-dev-1
oc get svc oc expose svc/html-dev --hostname=html-dev.app.domain.com oc get route
curl http://html-dev.app.domain.com
- show this app to the qa team
oc get is oc tag docker-registry.default.svc:5000/is-demo/html-dev:latest is-demo/html-qa:1.0 oc get is oc new-app --name=html-qa --image-stream="is-demo/html-qa:1.0" oc expose svc/html-qa --hostname=html-qa.app.domain.com curl html-qa.app.domain.com
- now go and make some changes to the git repo, then push it to github
- now lets build the latest dev release
oc start-build html-dev oc status oc get pods
- check dev application for latest changes
curl http://html-dev.app.domain.com
- check if qa application remains in desired state
curl html-qa.app.domain.com
- now commit the new dev branch to qa branch
oc get is oc tag docker-registry.default.svc:5000/is-demo/html-dev html-qa:1.1
- change the imagestream to newer release
oc edit dc/html-qa oc get dc oc get pods
- check if qa application is reflecting latest changes from v1.1
curl html-qa.app.domain.com
- now we rollback the qa release to v1.0
oc edit dc/html-qa oc get dc oc get pods
- check if qa application is reflecting the rollbacked version v1.0
curl html-qa.app.domain.com
4.2 gitea
URL=git.app.domain.com PROJECT=gitea oc new-project $PROJECT oc create sa anyuid oc adm policy add-scc-to-user anyuid -z anyuid oc new-app --name gitea --docker-image=docker.io/gitea/gitea oc patch dc/gitea --patch '{"spec":{"template":{"spec":{"serviceAccountName": "anyuid"}}}}' oc volumes dc --all oc volume dc/gitea --add --name=gitea-volume-1 -t pvc --claim-name=gitea-data --claim-size=5G --overwrite oc volumes dc --all oc expose svc/gitea --hostname=$URL --port=3000 firefox git.app.domain.com
5 database backup
5.1 mariadb (os v3.9)
- install global backup template
oc create -f https://raw.githubusercontent.com/joe-speedboat/mariadb-backup-cronjob/master/mariadb-backup-template.yaml
- more information can be found on git repo mariadb-backup-cronjob
6 Maintenance
6.1 CleanUp old docker images on nodes
- Keeping up to three tag revisions 1, and keeping resources (images, image streams and pods) younger than sixty minutes:
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
- Pruning every image that exceeds defined limits:
oc adm prune images --prune-over-size-limit
- CopyPaste example
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm oc adm prune images --prune-over-size-limit --confirm