Openshift Posts

How to Solve Openshift “Failed to pull image, unauthorized: authentication required”

Just recently got an unique error, this happens when my application is pulling an image within a different Openshift namespace. In this example, im creating my application in “xyz-project” and try to pull image from “abc-project”. Here’s the complete error detail,

Failed to pull image "image-registry.openshift-image-registry.svc:5000/abc-project/image01@sha256:xxxxxxxxxxxx": 
rpc error: code = Unknown desc = Error reading manifest sha256:xxxxxxxxxxxx in 
image-registry.openshift-image-registry.svc:5000/abc-project/image01: unauthorized: authentication required

Solution for this is quite easy, actually we need to give a specific access right in order for “xyz-project” to be able to pull image from “abc-project”.

oc policy add-role-to-user system:image-puller system:serviceaccount:xyz-project:default -n abc-project

Hope it helps.

Get ImageStream Name and SHA from All DeploymentConfig within a Namespace on Openshift 4

There are times where we want to display list of DC within one Namespace, and want to see what are the images involved within it. We can do that easily by using a simple OC command like below,

oc get dc -n  <namespace> --no-headers -o template \
     --template='{{range.items}}{{.metadata.namespace}}{{"/"}}{{.metadata.name}}{{" - "}}
     {{(index .spec.template.spec.containers 0).image}}{{"\n"}}{{end}}'

Delete All Pods Within a Specific Project or Namespace in Openshift 4

Sometimes we got some pods stuck in our namespace and unable to be deleted within a specific timeframe so we need to delete them forcefully, but sometimes it becomes problematic when we have like hundreds of them. Well deleting all of them is actually quite easy, all i have to do is run below command.

oc delete pod  -n youropenshiftprojectname --grace-period=0 --force --all

Installing Prometheus and Grafana on Top of Openshift 4

Creating and deploying application on top of Openshift is one thing, but doing health monitoring for those applications is a whole new different thing. Thats why on this session im trying to share on how to deploy Prometheus, for monitoring appliction statistics, and Grafana, for visualizing it, to support the day-to-day activity and operations.

So before started too far, lets start with a brief introduction on what is Prometheus and Grafana.

According to its site (https://prometheus.io/), Prometheus is an open-source systems monitoring and alerting toolkit. It has multiple visualization tools and Grafana as one of it. On Grafana’s website, https://grafana.com/, we can see that it is an open source visualization and analytics software, which allows us to query, visualize, alerting and explore our metrics freely.

Okay, there are multiple ways of installing those two items. One way is by using Openshift Operator, and another way is installed it manually either by using template, or a simple container image installation. For this time, we are using the last approach, and that is container image deployment.

Lets start by installing Prometheus first,

for this example, im using openshift/prometheus image from docker hub.

Once image has been created, next is creating a configuration file for storing list of prometheus api needed to be scrape from, for this example im scrapping statistics from application App01 which located on project Project01 on top of the same OCP4 instance.

global:
  scrape_interval: 15s
  scrape_timeout: 10s
  evaluation_interval: 15s
alerting:
  alertmanagers:
  - static_configs:
    - targets: []
    scheme: http
    timeout: 10s
scrape_configs:
- job_name: project01
  scrape_interval: 15s
  scrape_timeout: 10s
  metrics_path: /metrics
  scheme: http
  static_configs:
  - targets:
    - app01.project01.svc.cluster.local:8080
  basic_auth:
      username: dev01
      password: password

Save it with name “prometheus.yml”, and push it to OCP4 secret by using below command

oc create cm prometheus-config --from-file=prometheus.yaml

And mount it to Prometheus’s DeploymentConfig

oc volume dc/prometheus --add --name=prometheus-config --type=configmap --configmap-name=prometheus-config --mount-path=/etc/prometheus/

Expose your installed Prometheus service, and access it directly thru browser. A successfully installation will shows a target end point like this,

Next step is to install Grafana. The same installation methodology is being use, and that is using container image deployment. Im using grafana/grafana:6.0.1 image from DockerHub for this example.

Login by using admin/admin credentials,

Set the datasource as prometheus,

Add prometheus url and scrape interval, and press Save button

We can start by creating a Grafana dashboard based on Prometheus statistics,

There is other approach of installating Prometheus and Grafana, and that is by using yml template. I cover those approach on my Github page,

https://github.com/edwin/prometheus-and-grafana-openshift4-template-yml

Have fun.

Building Containerized Images on Openshift 4 and Push the Result to Third Party Image Registry

Sometimes in our pipeline, we need to build a docker images based on a specific Dockerfile and push the result to an external Image Registry such as Quay, Docker Hub or even on-premise Nexus or JFrog.

On this example, im trying to simulate build a simple java application, containerized it, and push it to Quay. The rough concept can be seen below,

1. Jenkins pull latest java code from Github, do testing and Maven build
2. Containerizing Maven build result and push it to Quay
3. Openshift Pre-Prod and Prod will pull from Quay, if build result is considered stable enough

For this example, im using a simple Dockerfile,

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.0

MAINTAINER Muhammad Edwin < edwin at redhat dot com >

LABEL BASE_IMAGE="registry.access.redhat.com/ubi8/ubi-minimal:8.0"
LABEL JAVA_VERSION="11"

RUN microdnf install --nodocs java-11-openjdk-headless && microdnf clean all

WORKDIR /work/
COPY target/*.jar /work/application.jar

EXPOSE 8080
CMD ["java", "-jar", "application.jar"]

And build it in a Jenkins pipeline, on this example im deploying to Quay

node('maven') {
    stage ('pull code') {
        sh "git clone https://github.com/edwin/hello-world-java-docker.git source"
    }
    stage ('mvn build') {
        dir("source") {
            sh "mvn clean package"
        }
    }
    stage ('build and push') {
        dir("source") {
            sh "oc new-build --strategy docker --name=hello-world-java-docker \
                        --binary --to-docker \
                        --to=quay.io/edwinkun/hello-world-java-docker || true"
            sh "oc start-build hello-world-java-docker --from-dir=. --follow --wait "
        }
    }
}

One thing you need to remember is that we need to register our Quay credentials in order to be able to push there. And we can achieve it by using this command,

oc create secret docker-registry --docker-server=quay.io \
	--docker-username=edwinkun --docker-password=******* \
	--docker-email=unused \
	quay-login

oc secrets link default quay-login

Run our Jenkins pipeline and we can see the result on Jenkins dashboard,

When successfully deployed, we can see the pipeline log result will be like this,

And lastly we can see that the containerized image is successfully deployed to Quay

Code for above example can be found on this Github link,

https://github.com/edwin/hello-world-java-docker