OpenShift & K8S Cheat Sheet

From Bitbull Wiki
Revision as of 19:38, 15 November 2019 by Chris (talk | contribs) (→‎run as root (anyuid))

1 Helpers

1.1 .bash_profile

  • openshift project/user prompt
# Compact prompt: [user@host(<fields 1 and 3 of the "/"-separated oc context>) cwd]$
# The string is single-quoted, so the $(...) is stored literally and bash runs
# `oc whoami -c` again every time it draws the prompt.
ps1() {
   PS1='[\u@\h($(oc whoami -c 2>/dev/null|cut -d/ -f3,1)) \W]\$ '
   export PS1
}
# Two-line variant: a "#"-prefixed status line carrying date (\d) and time (\t)
# plus the same oc context fields, then a bare "$ " prompt on the next line.
ps1e() {
   PS1='# [\d \t \u@\h($(oc whoami -c 2>/dev/null|cut -d/ -f3,1)) \W]\n$ '
   export PS1
}
  • password gen
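# Print 20 candidate passwords, one per line, drawn from /dev/urandom.
# Arguments: $1 - password length, optional (default 12)
# Outputs:   20 lines on stdout, alphabet A-Za-z0-9_=%.,:
# Returns:   2 if the length is not a positive integer
genpasswd() {
        local len=${1:-12}
        local i
        # A non-numeric length used to reach head(1) unchecked and yield 20
        # empty "passwords" plus error noise; reject it up front instead.
        if [[ ! $len =~ ^[0-9]+$ ]] || (( 10#$len < 1 )); then
                printf 'genpasswd: length must be a positive integer, got: %s\n' "$len" >&2
                return 2
        fi
        len=$((10#$len))
        for ((i = 0; i < 20; i++)); do
                # LC_ALL=C: tr must treat the random stream as bytes, not as
                # text in the user's locale. The set is quoted so the shell
                # never globs it.
                LC_ALL=C tr -dc 'A-Za-z0-9_=%.,:' < /dev/urandom | head -c "$len"
                printf '\n'
        done
}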

1.2 xfce-vnc

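# Classroom rollout: one xfce-vnc desktop per seat, all mounting the same PVC,
# plus an inventory file listing each seat's URL and password.
PROJECT=classroom
NR=10                     # number of seats
PASSWORD=xxx              # placeholder base password: replace before use
DOMAIN=app.domain.com
HOST=xfce
INVENTORY=$PROJECT-inventory.txt

oc new-project "$PROJECT"

# The inventory holds every seat's VNC password in clear text, so keep it
# readable by its owner only.
: > "$INVENTORY"
chmod 600 "$INVENTORY"

# NOTE(review): each seat's password is the shared base plus the seat number,
# so knowing one seat's password gives away the others; prefer a random value
# per seat. The value also appears on the oc command line and is stored as a
# plain environment variable in the deployment config.
# NOTE(review): ":latest" is a mutable tag on a third-party image; pin a
# reviewed image by digest (image@sha256:<digest>) for repeatable rollouts.
seq -w "$NR" | while read -r seat
do
   name=$HOST$seat
   url=$name.$DOMAIN
   # (The former URLS=...$DOMAINS line is gone: DOMAINS was never set and URLS
   # was never read.)
   oc new-app --name="$name" --docker-image=docker.io/christian773/xfce-vnc:latest VNC_PW="$PASSWORD$seat"
   oc volume "dc/$name" --add --name="$PROJECT" -t pvc --overwrite \
      --claim-size=5G --claim-mode=ReadWriteMany --mount-path=/headless/Desktop/data --claim-name="$PROJECT"
   # Edge-terminated route: the inventory hands out https:// URLs, and a plain
   # "oc expose" route would serve the VNC login and session over HTTP only.
   oc create route edge "$name" --service="$name" --hostname="$url" --port=6901 --insecure-policy=Redirect
   echo "https://$url      Passwort: $PASSWORD$seat" >> "$INVENTORY"
done
cat "$INVENTORY"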
  • find large dirs
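# Largest entries (in MB) of the current directory, dotfiles included; tail
# keeps the last ten lines of the ascending sort.
# "--" stops a file name that begins with "-" from being parsed as a du option.
alias dush='du -sm -- * .[^\.]*|sort -n|tail'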
  • process lister
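# List processes whose ps line matches a pattern, with the ps header on top.
# Arguments: $1 - case-insensitive grep pattern, optional (default: match all)
# Outputs:   header line, then the matching ps lines
# The pattern is used as a regular expression, both for the match and inside
# the exclusion filter that hides px's own grep/ps helpers and this shell.
px() {
   local pat=${1:-.*}
   local listing
   # One snapshot serves both the header and the matches. "local" keeps the
   # pattern out of the caller's environment (the old global PAT leaked).
   listing=$(ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args) || return
   printf '%s\n' "$listing" | head -n1
   printf '%s\n' "$listing" | grep -i -- "$pat" \
      | grep -E -v -- "RUSER.*COMMAND|grep .* -i $pat| $$ |ps -eo ruser.*args"
}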
  • unlock ssh private key for this session
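# Start an ssh-agent for this shell and load the default key.
# The agent's environment is read straight from ssh-agent's stdout. The former
# detour through /tmp/.k$$ sourced a file at a guessable path in a
# world-writable directory, which is avoidable here: no temp file is needed.
alias skey='eval "$(ssh-agent -s)" && ssh-add'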

1.3 xfce-vnc

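# Classroom rollout: one xfce-vnc desktop per seat, all mounting the same PVC,
# plus an inventory file listing each seat's URL and password.
PROJECT=classroom
NR=10                     # number of seats
PASSWORD=xxx              # placeholder base password: replace before use
DOMAIN=app.domain.com
HOST=xfce
INVENTORY=$PROJECT-inventory.txt

oc new-project "$PROJECT"

# The inventory holds every seat's VNC password in clear text, so keep it
# readable by its owner only.
: > "$INVENTORY"
chmod 600 "$INVENTORY"

# NOTE(review): each seat's password is the shared base plus the seat number,
# so knowing one seat's password gives away the others; prefer a random value
# per seat. The value also appears on the oc command line and is stored as a
# plain environment variable in the deployment config.
# NOTE(review): ":latest" is a mutable tag on a third-party image; pin a
# reviewed image by digest (image@sha256:<digest>) for repeatable rollouts.
seq -w "$NR" | while read -r seat
do
   name=$HOST$seat
   url=$name.$DOMAIN
   # (The former URLS=...$DOMAINS line is gone: DOMAINS was never set and URLS
   # was never read.)
   oc new-app --name="$name" --docker-image=docker.io/christian773/xfce-vnc:latest VNC_PW="$PASSWORD$seat"
   oc volume "dc/$name" --add --name="$PROJECT" -t pvc --overwrite \
      --claim-size=5G --claim-mode=ReadWriteMany --mount-path=/headless/Desktop/data --claim-name="$PROJECT"
   # Edge-terminated route: the inventory hands out https:// URLs, and a plain
   # "oc expose" route would serve the VNC login and session over HTTP only.
   oc create route edge "$name" --service="$name" --hostname="$url" --port=6901 --insecure-policy=Redirect
   echo "https://$url      Passwort: $PASSWORD$seat" >> "$INVENTORY"
done
cat "$INVENTORY"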
  • find large dirs
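# Largest entries (in MB) of the current directory, dotfiles included; tail
# keeps the last ten lines of the ascending sort.
# "--" stops a file name that begins with "-" from being parsed as a du option.
alias dush='du -sm -- * .[^\.]*|sort -n|tail'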
  • process lister
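# List processes whose ps line matches a pattern, with the ps header on top.
# Arguments: $1 - case-insensitive grep pattern, optional (default: match all)
# Outputs:   header line, then the matching ps lines
# The pattern is used as a regular expression, both for the match and inside
# the exclusion filter that hides px's own grep/ps helpers and this shell.
px() {
   local pat=${1:-.*}
   local listing
   # One snapshot serves both the header and the matches. "local" keeps the
   # pattern out of the caller's environment (the old global PAT leaked).
   listing=$(ps -eo ruser,ppid,pid,rss,vsz,etime,pcpu,tty,args) || return
   printf '%s\n' "$listing" | head -n1
   printf '%s\n' "$listing" | grep -i -- "$pat" \
      | grep -E -v -- "RUSER.*COMMAND|grep .* -i $pat| $$ |ps -eo ruser.*args"
}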
  • unlock ssh private key for this session
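# Start an ssh-agent for this shell and load the default key.
# The agent's environment is read straight from ssh-agent's stdout. The former
# detour through /tmp/.k$$ sourced a file at a guessable path in a
# world-writable directory, which is avoidable here: no temp file is needed.
alias skey='eval "$(ssh-agent -s)" && ssh-add'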

2 Administration

2.1 daily cmds

# Read-only overview of the cluster; none of these commands change state.
oc get nodes -o wide
oc get all -o wide --all-namespaces
oc get ep -o wide
# sorted by last-seen time, so the newest events end up at the bottom
oc get events --sort-by='.lastTimestamp'
# Role grants in every namespace. Cluster-scoped grants live in separate
# objects (clusterrolebindings) and are not part of this listing.
oc get rolebindings --all-namespaces
oc get pv
oc get pvc
oc get projects
oc get users
oc get groups

2.2 inspect user/group permissions

# Who holds which role in one project (here: gitea) ...
oc get rolebinding -o wide -n gitea
# ... and in every project; useful for spotting grants nobody expected.
oc get rolebinding -o wide --all-namespaces

2.3 inspect imagestreams

# image streams shipped in the shared "openshift" project
oc get is -n openshift
oc describe is php -n openshift
# Dump one image of the php stream, addressed as <stream>@<id prefix>.
# NOTE(review): "oc export" was dropped from later oc releases; confirm it
# exists in the client you use.
oc export -n openshift isimage php@42c4a9072f


2.4 backup openshift objects

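# Dump every object that "oc get all" lists into the current directory, one
# YAML file per object, named <namespace>-<type>-<name>.yml.
# NOTE(review): the "all" category covers only a subset of resource kinds
# (secrets, configmaps, PVCs and rolebindings are not in it), so this is not a
# complete backup of a project.
# NOTE(review): "oc export" was dropped from later oc releases; confirm it
# exists in the client you use.
oc get all --all-namespaces --no-headers=true | awk 'NF >= 2 {print $1, $2}' | {
  # Exported objects can carry credentials (e.g. env vars in deployment
  # configs), so create the dump files owner-readable only. The umask change
  # stays inside this pipeline subshell.
  umask 077
  # awk's NF filter drops blank separator lines, which used to produce an empty
  # namespace/object pair and a stray "-.yml" file.
  while read -r ns obj
  do
    file=$(printf '%s-%s' "$ns" "$obj" | tr '/' '-')
    echo "$ns" "$obj" "$file"
    oc export -n "$ns" "$obj" -o yaml > "$file.yml"
  done
}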


3 snippets

3.1 run as root (anyuid)

# Dedicated service account for the one workload that has to run as root.
oc create serviceaccount sa-anyuid
# Grant the anyuid SCC to that account only (-z names a service account in the
# current project). anyuid lets pods run under any UID, root included, so keep
# the grant limited to workloads that really need it.
oc adm policy add-scc-to-user anyuid -z sa-anyuid
# Run "oc new-app" first so the deployment config exists, then point it at the
# new service account.
oc patch dc/deployment-config-name --patch '{"spec":{"template":{"spec":{"serviceAccountName": "sa-anyuid"}}}}'

3.2 run as root (anyuid) for every pod in project

# NOTE(review): "default" is the service account a pod gets when it names none,
# so this grant lets every such pod in the project run as root. Prefer a
# dedicated service account for the workloads that actually need it, and review
# who may deploy into a project that carries this grant.
oc adm policy add-scc-to-user anyuid -z default

4 deployment examples

4.1 imagestream demo (build service)

  • get all the imagestreams
oc get is -n openshift
  • inspect nginx imagestream
oc describe is nginx -n openshift
  • setup new project
oc new-project is-demo
  • setup the dev environment
# "<builder image>~<git url>#<ref>": build the app from the repo's master branch
# on top of the nginx:1.10 image stream tag.
# NOTE(review): the build takes whatever master holds at build time; for
# anything beyond a demo, build from a repo you control and a reviewed ref.
oc new-app --name=html-dev  nginx:1.10~https://github.com/joe-speedboat/openshift.html.devops.git#master
oc get all
oc logs -f builds/html-dev-1
oc get svc
# "oc expose" as used here creates a plain HTTP route, which is why the checks
# below use http://
oc expose svc/html-dev --hostname=html-dev.app.domain.com
oc get route
curl http://html-dev.app.domain.com
  • show this app to the qa team
oc get is
# copy the current dev image into its own stream tag for QA
oc tag docker-registry.default.svc:5000/is-demo/html-dev:latest is-demo/html-qa:1.0
oc get is
oc new-app --name=html-qa --image-stream="is-demo/html-qa:1.0"
oc expose svc/html-qa --hostname=html-qa.app.domain.com
curl html-qa.app.domain.com
  • now go and make some changes to the git repo, then push them to github
now let's build the latest dev release
# rebuild html-dev from the repo's current state
oc start-build html-dev
oc status
oc get pods
  • check dev application for latest changes
curl http://html-dev.app.domain.com
  • check if qa application remains in desired state
curl html-qa.app.domain.com
  • now commit the new dev branch to qa branch
oc get is
# Tag the dev image as html-qa:1.1. No source tag is given here, unlike the
# 1.0 step, which named :latest explicitly.
oc tag docker-registry.default.svc:5000/is-demo/html-dev html-qa:1.1
  • change the imagestream to newer release
# manual edit: point the deployment config at the html-qa:1.1 tag
oc edit dc/html-qa
oc get dc
oc get pods
  • check if qa application is reflecting latest changes from v1.1
curl html-qa.app.domain.com
  • now we rollback the qa release to v1.0
# manual edit again: switch the deployment config back to the html-qa:1.0 tag
oc edit dc/html-qa
oc get dc
oc get pods
  • check if qa application is reflecting the rollbacked version v1.0
curl html-qa.app.domain.com

4.2 gitea

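# Deploy gitea into its own project with a persistent data volume and a route.
URL=git.app.domain.com
PROJECT=gitea

oc new-project "$PROJECT"

# Service account (named "anyuid") that is allowed the anyuid SCC. The grant is
# limited to this account, so only the gitea pods patched below run under it.
oc create sa anyuid
oc adm policy add-scc-to-user anyuid -z anyuid

# NOTE(review): no tag is given, so the mutable default tag is pulled; pin a
# reviewed release or a digest (image@sha256:<digest>) for repeatable deploys.
oc new-app --name gitea --docker-image=docker.io/gitea/gitea
oc patch dc/gitea --patch '{"spec":{"template":{"spec":{"serviceAccountName": "anyuid"}}}}'

# list volumes before and after, to confirm the PVC replaced gitea-volume-1
oc volumes dc --all
oc volume dc/gitea --add --name=gitea-volume-1 -t pvc --claim-name=gitea-data --claim-size=5G --overwrite
oc volumes dc --all

# NOTE(review): this is a plain HTTP route, so gitea logins and git credentials
# cross the network unencrypted; use a TLS-terminated route for real use.
oc expose svc/gitea --hostname="$URL" --port=3000
# open the host configured above instead of repeating it literally
firefox "http://$URL"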

5 database backup

5.1 mariadb (os v3.9)

  • install global backup template
# NOTE(review): this creates objects from whatever the repo's master branch
# serves at the moment the command runs. Download the template and read it
# first, or pin the URL to a reviewed commit (.../<commit-sha>/...), before
# creating it on a cluster.
oc create -f https://raw.githubusercontent.com/joe-speedboat/mariadb-backup-cronjob/master/mariadb-backup-template.yaml

6 Maintenance

6.1 CleanUp old docker images on nodes

Keeping up to three tag revisions, and keeping resources (images, image streams and pods) younger than sixty minutes:
# Without --confirm, "oc adm prune images" only reports what it would remove
# (dry run).
# NOTE(review): this prunes images held by the cluster's integrated registry;
# whether it also frees the docker cache on the nodes, as the heading suggests,
# should be confirmed.
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
Pruning every image that exceeds defined limits:
oc adm prune images --prune-over-size-limit
CopyPaste example
# --confirm makes the prune real; check the dry-run output first.
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
oc adm prune images --prune-over-size-limit --confirm