openshift container platform 3 - red hat customer portal · 2019-12-17 · openshift container...

OpenShift Container Platform 3.10 Configuring Clusters OpenShift Container Platform 3.10 Installation and Configuration Last Updated: 2019-12-17


  • OpenShift Container Platform 3.10

    Configuring Clusters

    OpenShift Container Platform 3.10 Installation and Configuration

    Last Updated: 2019-12-17


  • Legal Notice

    Copyright © 2019 Red Hat, Inc.

    The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

    Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.

    Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

    Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.

    Java ® is a registered trademark of Oracle and/or its affiliates.

    XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

    MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

    Node.js ® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

    The OpenStack ® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

    All other trademarks are the property of their respective owners.

    Abstract

    OpenShift Installation and Configuration topics cover the basics of installing and configuring OpenShift in your environment. Use these topics for the one-time tasks required to get OpenShift up and running.


    Table of Contents

    CHAPTER 1. OVERVIEW

    CHAPTER 2. SETTING UP THE REGISTRY
    2.1. REGISTRY OVERVIEW
    2.1.1. About the Registry
    2.1.2. Integrated or Stand-alone Registries
    2.1.3. Red Hat Quay Registries
    2.2. DEPLOYING A REGISTRY ON EXISTING CLUSTERS
    2.2.1. Overview
    2.2.2. Deploying the Registry
    2.2.3. Deploying the Registry as a DaemonSet
    2.2.4. Registry Compute Resources
    2.2.5. Storage for the Registry
    2.2.5.1. Production Use
    2.2.5.1.1. Use Amazon S3 as a Storage Back-end
    2.2.5.2. Non-Production Use
    2.2.6. Enabling the Registry Console
    2.2.6.1. Deploying the Registry Console
    2.2.6.2. Securing the Registry Console
    2.2.6.3. Troubleshooting the Registry Console
    2.2.6.3.1. Debug Mode
    2.2.6.3.2. Display SSL Certificate Path
    2.3. ACCESSING THE REGISTRY
    2.3.1. Viewing Logs
    2.3.2. File Storage
    2.3.3. Accessing the Registry Directly
    2.3.3.1. User Prerequisites
    2.3.3.2. Logging in to the Registry
    2.3.3.3. Pushing and Pulling Images
    2.3.4. Accessing Registry Metrics
    2.4. SECURING AND EXPOSING THE REGISTRY
    2.4.1. Overview
    2.4.2. Manually Securing the Registry
    2.4.3. Manually Exposing a Secure Registry
    2.4.4. Manually Exposing a Non-Secure Registry
    2.5. EXTENDED REGISTRY CONFIGURATION
    2.5.1. Maintaining the Registry IP Address
    2.5.2. Whitelisting Docker Registries
    2.5.3. Setting the Registry Hostname
    2.5.4. Overriding the Registry Configuration
    2.5.5. Registry Configuration Reference
    2.5.5.1. Log
    2.5.5.2. Hooks
    2.5.5.3. Storage
    2.5.5.4. Auth
    2.5.5.5. Middleware
    2.5.5.5.1. S3 Driver Configuration
    2.5.5.5.2. CloudFront Middleware
    2.5.5.5.3. Overriding Middleware Configuration Options
    2.5.5.5.4. Image Pullthrough
    2.5.5.5.5. Manifest Schema v2 Support


    2.5.5.6. OpenShift
    2.5.5.7. Reporting
    2.5.5.8. HTTP
    2.5.5.9. Notifications
    2.5.5.10. Redis
    2.5.5.11. Health
    2.5.5.12. Proxy
    2.5.5.13. Cache
    2.6. KNOWN ISSUES
    2.6.1. Overview
    2.6.2. Concurrent Build with Registry Pull-through
    2.6.3. Image Push Errors with Scaled Registry Using Shared NFS Volume
    2.6.4. Pull of Internally Managed Image Fails with "not found" Error
    2.6.5. Image Push Fails with "500 Internal Server Error" on S3 Storage
    2.6.6. Image Pruning Fails

    CHAPTER 3. SETTING UP A ROUTER
    3.1. ROUTER OVERVIEW
    3.1.1. About Routers
    3.1.2. Router Service Account
    3.1.2.1. Permission to Access Labels
    3.2. USING THE DEFAULT HAPROXY ROUTER
    3.2.1. Overview
    3.2.2. Creating a Router
    3.2.3. Other Basic Router Commands
    3.2.4. Filtering Routes to Specific Routers
    3.2.5. HAProxy Strict SNI
    3.2.6. TLS Cipher Suites
    3.2.7. Highly-Available Routers
    3.2.8. Customizing the Router Service Ports
    3.2.9. Working With Multiple Routers
    3.2.10. Adding a Node Selector to a Deployment Configuration
    3.2.11. Using Router Shards
    3.2.11.1. Creating Router Shards
    3.2.11.2. Modifying Router Shards
    3.2.12. Finding the Host Name of the Router
    3.2.13. Customizing the Default Routing Subdomain
    3.2.14. Forcing Route Host Names to a Custom Routing Subdomain
    3.2.15. Using Wildcard Certificates
    3.2.16. Manually Redeploy Certificates
    3.2.17. Using Secured Routes
    3.2.18. Using Wildcard Routes (for a Subdomain)
    3.2.19. Using the Container Network Stack
    3.2.20. Exposing Router Metrics
    3.2.21. ARP Cache Tuning for Large-scale Clusters
    3.2.22. Protecting Against DDoS Attacks
    3.3. DEPLOYING A CUSTOMIZED HAPROXY ROUTER
    3.3.1. Overview
    3.3.2. Obtaining the Router Configuration Template
    3.3.3. Modifying the Router Configuration Template
    3.3.3.1. Background
    3.3.3.2. Go Template Actions
    3.3.3.3. Router Provided Information


    3.3.3.4. Annotations
    3.3.3.5. Environment Variables
    3.3.3.6. Example Usage
    3.3.4. Using a ConfigMap to Replace the Router Configuration Template
    3.3.5. Using Stick Tables
    3.3.6. Rebuilding Your Router
    3.4. CONFIGURING THE HAPROXY ROUTER TO USE THE PROXY PROTOCOL
    3.4.1. Overview
    3.4.2. Why Use the PROXY Protocol?
    3.4.3. Using the PROXY Protocol
    3.5. USING THE F5 ROUTER PLUG-IN
    3.5.1. Overview
    3.5.2. Prerequisites and Supportability
    3.5.2.1. Configuring the Virtual Servers
    3.5.3. Deploying the F5 Router Plug-in
    3.5.4. F5 Router Plug-in Partition Paths
    3.5.5. Setting Up F5 Router Plug-in

    CHAPTER 4. DEPLOYING RED HAT CLOUDFORMS
    4.1. DEPLOYING RED HAT CLOUDFORMS ON OPENSHIFT CONTAINER PLATFORM
    4.1.1. Introduction
    4.2. REQUIREMENTS FOR RED HAT CLOUDFORMS ON OPENSHIFT CONTAINER PLATFORM
    4.3. CONFIGURING ROLE VARIABLES
    4.3.1. Overview
    4.3.2. General Variables
    4.3.3. Customizing Template Parameters
    4.3.4. Database Variables
    4.3.4.1. Containerized (Podified) Database
    4.3.4.2. External Database
    4.3.5. Storage Class Variables
    4.3.5.1. NFS (Default)
    4.3.5.2. NFS External
    4.3.5.3. Cloud Provider
    4.3.5.4. Preconfigured (Advanced)
    4.4. RUNNING THE INSTALLER
    4.4.1. Deploying Red Hat CloudForms During or After OpenShift Container Platform Installation
    4.4.2. Example Inventory Files
    4.4.2.1. All Defaults
    4.4.2.2. External NFS Storage
    4.4.2.3. Override PV Sizes
    4.4.2.4. Override Memory Requirements
    4.4.2.5. External PostgreSQL Database
    4.5. ENABLING CONTAINER PROVIDER INTEGRATION
    4.5.1. Adding a Single Container Provider
    4.5.1.1. Adding Manually
    4.5.1.2. Adding Automatically
    4.5.2. Multiple Container Providers
    4.5.2.1. Preparing the Script
    4.5.2.1.1. Example
    4.5.2.2. Running the Playbook
    4.5.3. Refreshing Providers
    4.6. UNINSTALLING RED HAT CLOUDFORMS
    4.6.1. Running the Uninstall Playbook


    4.6.2. Troubleshooting

    CHAPTER 5. MASTER AND NODE CONFIGURATION
    5.1. CUSTOMIZING MASTER AND NODE CONFIGURATION AFTER INSTALLATION
    5.2. INSTALLATION DEPENDENCIES
    5.3. CONFIGURING MASTERS AND NODES
    5.4. MAKING CONFIGURATION CHANGES USING ANSIBLE
    5.4.1. Using the htpasswd command
    5.5. MAKING MANUAL CONFIGURATION CHANGES
    5.6. MASTER CONFIGURATION FILES
    5.6.1. Admission Control Configuration
    5.6.2. Asset Configuration
    5.6.3. Authentication and Authorization Configuration
    5.6.4. Controller Configuration
    5.6.5. etcd Configuration
    5.6.6. Grant Configuration
    5.6.7. Image Configuration
    5.6.8. Image Policy Configuration
    5.6.9. Kubernetes Master Configuration
    5.6.10. Network Configuration
    5.6.11. OAuth Authentication Configuration
    5.6.12. Project Configuration
    5.6.13. Scheduler Configuration
    5.6.14. Security Allocator Configuration
    5.6.15. Service Account Configuration
    5.6.16. Serving Information Configuration
    5.6.17. Volume Configuration
    5.6.18. Basic Audit
    5.6.19. Advanced Audit
    5.6.20. Specifying TLS ciphers for etcd
    5.7. NODE CONFIGURATION FILES
    5.7.1. Pod and Node Configuration
    5.7.2. Docker Configuration
    5.7.3. Local Storage Configuration
    5.7.4. Setting Node Queries per Second (QPS) Limits and Burst Values
    5.7.5. Parallel Image Pulls with Docker 1.9+
    5.8. PASSWORDS AND OTHER SENSITIVE DATA
    5.9. CREATING NEW CONFIGURATION FILES
    5.10. LAUNCHING SERVERS USING CONFIGURATION FILES
    5.11. VIEWING MASTER AND NODE LOGS
    5.11.1. Configuring Logging Levels
    5.12. RESTARTING MASTER AND NODE SERVICES

    CHAPTER 6. OPENSHIFT ANSIBLE BROKER CONFIGURATION
    6.1. OVERVIEW
    6.2. MODIFYING THE OPENSHIFT ANSIBLE BROKER CONFIGURATION
    6.3. REGISTRY CONFIGURATION
    6.3.1. Production or Development
    6.3.2. Storing Registry Credentials
    6.3.3. Mock Registry
    6.3.4. Dockerhub Registry
    6.3.5. APB Filtering
    6.3.6. Local OpenShift Container Registry


    6.3.7. Red Hat Container Catalog Registry
    6.3.8. Red Hat Connect Partner Registry
    6.3.9. Multiple Registries
    6.4. BROKER AUTHENTICATION
    6.4.1. Basic Auth
    6.4.1.1. Deployment Template and Secrets
    6.4.1.2. Configuring Service Catalog and Broker Communication
    6.4.2. Bearer Auth
    6.4.2.1. Deployment Template and Secrets
    6.4.2.2. Configuring Service Catalog and Broker Communication
    6.5. DAO CONFIGURATION
    6.6. LOG CONFIGURATION
    6.7. OPENSHIFT CONFIGURATION
    6.8. BROKER CONFIGURATION
    6.9. SECRETS CONFIGURATION
    6.10. RUNNING BEHIND A PROXY
    6.10.1. Registry Adapter Whitelists
    6.10.2. Configuring the Broker Behind a Proxy Using Ansible
    6.10.3. Configuring the Broker Behind a Proxy Manually
    6.10.4. Setting Proxy Environment Variables in Pods

    CHAPTER 7. ADDING HOSTS TO AN EXISTING CLUSTER
    7.1. ADDING HOSTS
    Procedure
    7.2. ADDING ETCD HOSTS TO EXISTING CLUSTER
    7.3. REPLACING EXISTING MASTERS WITH ETCD COLOCATED
    7.4. MIGRATING THE NODES

    CHAPTER 8. ADDING THE DEFAULT IMAGE STREAMS AND TEMPLATES
    8.1. OVERVIEW
    8.2. OFFERINGS BY SUBSCRIPTION TYPE
    8.2.1. OpenShift Container Platform Subscription
    8.2.2. xPaaS Middleware Add-on Subscriptions
    8.3. BEFORE YOU BEGIN
    8.4. PREREQUISITES
    8.5. CREATING IMAGE STREAMS FOR OPENSHIFT CONTAINER PLATFORM IMAGES
    8.6. CREATING IMAGE STREAMS FOR XPAAS MIDDLEWARE IMAGES
    8.7. CREATING DATABASE SERVICE TEMPLATES
    8.8. CREATING INSTANT APP AND QUICKSTART TEMPLATES
    8.9. WHAT’S NEXT?

    CHAPTER 9. CONFIGURING CUSTOM CERTIFICATES
    9.1. OVERVIEW
    9.2. CONFIGURING A CERTIFICATE CHAIN
    9.3. CONFIGURING CUSTOM CERTIFICATES DURING INSTALLATION
    9.4. CONFIGURING CUSTOM CERTIFICATES FOR THE WEB CONSOLE OR CLI
    9.5. CONFIGURING A CUSTOM MASTER HOST CERTIFICATE
    9.6. CONFIGURING A CUSTOM WILDCARD CERTIFICATE FOR THE DEFAULT ROUTER
    9.7. CONFIGURING A CUSTOM CERTIFICATE FOR THE IMAGE REGISTRY
    9.8. CONFIGURING A CUSTOM CERTIFICATE FOR A LOAD BALANCER
    9.9. RETROFIT CUSTOM CERTIFICATES INTO A CLUSTER
    9.9.1. Retrofit Custom Master Certificates into a Cluster
    9.9.2. Retrofit Custom Router Certificates into a Cluster
    9.10. USING CUSTOM CERTIFICATES WITH OTHER COMPONENTS


    CHAPTER 10. REDEPLOYING CERTIFICATES
    10.1. OVERVIEW
    10.2. CHECKING CERTIFICATE EXPIRATIONS
    10.2.1. Role Variables
    10.2.2. Running Certificate Expiration Playbooks
    Other Example Playbooks
    10.2.3. Output Formats
    HTML Report
    JSON Report
    10.3. REDEPLOYING CERTIFICATES
    10.3.1. Redeploying All Certificates Using the Current OpenShift Container Platform and etcd CA
    10.3.2. Redeploying a New or Custom OpenShift Container Platform CA
    10.3.3. Redeploying a New etcd CA
    10.3.4. Redeploying Master Certificates Only
    10.3.5. Redeploying etcd Certificates Only
    10.3.6. Redeploying Node Certificates
    10.3.7. Redeploying Registry or Router Certificates Only
    10.3.7.1. Redeploying Registry Certificates Only
    10.3.7.2. Redeploying Router Certificates Only
    10.3.8. Redeploying Custom Registry or Router Certificates
    10.3.8.1. Redeploying Registry Certificates Manually
    10.3.8.2. Redeploying Router Certificates Manually

    CHAPTER 11. CONFIGURING AUTHENTICATION AND USER AGENT
    11.1. OVERVIEW
    11.2. IDENTITY PROVIDER PARAMETERS
    11.3. CONFIGURING IDENTITY PROVIDERS
    11.3.1. Configuring identity providers with Ansible
    11.3.2. Configuring identity providers in the master configuration file
    11.3.2.1. Manually provisioning a user when using the lookup mapping method
    11.3.3. Allow all
    11.3.4. Deny all
    11.3.5. HTPasswd
    11.3.6. Keystone
    11.3.6.1. Configuring authentication on the master
    11.3.6.2. Creating Users with Keystone Authentication
    11.3.6.3. Verifying Users
    11.3.7. LDAP authentication
    11.3.8. Basic authentication (remote)
    11.3.8.1. Configuring authentication on the master
    11.3.8.2. Troubleshooting
    11.3.9. Request header
    Apache authentication using Request header
    Installing the prerequisites
    Configuring Apache
    Configuring the master
    Restarting services
    Verifying the configuration
    11.3.10. GitHub
    11.3.10.1. Registering the application on GitHub
    11.3.10.2. Configuring authentication on the master
    11.3.10.3. Creating users with GitHub authentication
    11.3.10.4. Verifying users


    11.3.11. GitLab
    11.3.12. Google
    11.3.13. OpenID connect
    11.4. TOKEN OPTIONS
    11.5. GRANT OPTIONS
    11.6. SESSION OPTIONS
    11.7. PREVENTING CLI VERSION MISMATCH WITH USER AGENT

    CHAPTER 12. SYNCING GROUPS WITH LDAP
    12.1. OVERVIEW
    12.2. CONFIGURING LDAP SYNC
    12.2.1. LDAP client configuration
    12.2.2. LDAP query definition
    12.2.3. User-defined name mapping
    12.3. RUNNING LDAP SYNC
    12.4. RUNNING A GROUP PRUNING JOB
    12.5. SYNC EXAMPLES
    12.5.1. Syncing groups by using RFC 2307 schema
    12.5.1.1. RFC2307 with user-defined name mappings
    12.5.2. Syncing groups by using RFC 2307 with user-defined error tolerances
    12.5.3. Syncing groups by using Active Directory
    12.5.4. Syncing groups by using augmented Active Directory
    12.6. NESTED MEMBERSHIP SYNC EXAMPLE
    12.7. LDAP SYNC CONFIGURATION SPECIFICATION
    12.7.1. v1.LDAPSyncConfig
    12.7.2. v1.StringSource
    12.7.3. v1.LDAPQuery
    12.7.4. v1.RFC2307Config
    12.7.5. v1.ActiveDirectoryConfig
    12.7.6. v1.AugmentedActiveDirectoryConfig

    CHAPTER 13. CONFIGURING LDAP FAILOVER
    13.1. PREREQUISITES FOR CONFIGURING BASIC REMOTE AUTHENTICATION
    13.2. GENERATING AND SHARING CERTIFICATES WITH THE REMOTE BASIC AUTHENTICATION SERVER
    13.3. CONFIGURING SSSD FOR LDAP FAILOVER
    13.4. CONFIGURING APACHE TO USE SSSD
    13.5. CONFIGURING OPENSHIFT CONTAINER PLATFORM TO USE SSSD AS THE BASIC REMOTE AUTHENTICATION SERVER

    CHAPTER 14. CONFIGURING THE SDN
    14.1. OVERVIEW
    14.2. AVAILABLE SDN PROVIDERS
    Installing VMware NSX-T (™) on OpenShift Container Platform
    14.3. CONFIGURING THE POD NETWORK WITH ANSIBLE
    14.4. CONFIGURING THE POD NETWORK ON MASTERS
    14.5. CONFIGURING THE POD NETWORK ON NODES
    14.6. EXPANDING THE SERVICE NETWORK
    14.7. MIGRATING BETWEEN SDN PLUG-INS
    14.7.1. Migrating from ovs-multitenant to ovs-networkpolicy
    14.8. EXTERNAL ACCESS TO THE CLUSTER NETWORK
    14.9. USING FLANNEL

    CHAPTER 15. CONFIGURING NUAGE SDN


    15.1. NUAGE SDN AND OPENSHIFT CONTAINER PLATFORM
    15.2. DEVELOPER WORKFLOW
    15.3. OPERATIONS WORKFLOW
    15.4. INSTALLATION

    CHAPTER 16. CONFIGURING KURYR SDN
    16.1. KURYR SDN AND OPENSHIFT CONTAINER PLATFORM
    16.2. INSTALLATION
    16.3. VERIFICATION

    CHAPTER 17. CONFIGURING FOR AMAZON WEB SERVICES (AWS)
    17.1. OVERVIEW
    17.1.1. Configuring authorization for Amazon Web Services (AWS)
    17.1.1.1. Configuring the OpenShift Container Platform cloud provider at installation
    17.1.1.2. Configuring the OpenShift Container Platform cloud provider after installation.
    17.2. CONFIGURING A SECURITY GROUP
    17.2.1. Overriding Detected IP Addresses and Host Names
    17.2.1.1. Configuring the OpenShift Container Platform registry for Amazon Web Services (AWS)
    17.2.1.1.1. Configuring the OpenShift Container Platform inventory to use S3
    17.2.1.1.2. Manually configuring OpenShift Container Platform registry to use S3
    17.2.1.1.3. Verify the registry is using S3 storage
    17.3. CONFIGURING AWS VARIABLES
    17.4. CONFIGURING OPENSHIFT CONTAINER PLATFORM FOR AWS
    17.4.1. Configuring OpenShift Container Platform for AWS with Ansible
    17.4.2. Manually Configuring OpenShift Container Platform Masters for AWS
    17.4.3. Manually Configuring OpenShift Container Platform Nodes for AWS
    17.4.4. Manually Setting Key-Value Access Pairs
    17.5. APPLYING CONFIGURATION CHANGES
    17.6. LABELING CLUSTERS FOR AWS
    17.6.1. Resources That Need Tags
    17.6.2. Tagging an Existing Cluster
    17.6.3. About Red Hat OpenShift Container Storage

    CHAPTER 18. CONFIGURING FOR RED HAT VIRTUALIZATION
    18.1. CONFIGURING RED HAT VIRTUALIZATION OBJECTS
    18.2. CONFIGURING OPENSHIFT CONTAINER PLATFORM FOR RED HAT VIRTUALIZATION

    CHAPTER 19. CONFIGURING FOR OPENSTACK
    19.1. OVERVIEW
    19.2. BEFORE YOU BEGIN
    19.2.1. OpenShift Container Platform Prerequisites
    19.2.1.1. Enabling Octavia: OpenStack Load Balancing as a Service (LBaaS)
    19.2.1.2. Creating OpenStack User Accounts, Projects, and Roles
    19.2.1.3. Create an OpenStack Flavor
    19.2.1.4. Creating an OpenStack Keypair
    19.2.1.5. Setting up DNS for OpenShift Container Platform
    19.2.1.6. Creation of OpenShift Container Platform Networks via OpenStack
    19.2.1.7. Creating OpenStack Deployment Host Security Group
    19.2.1.8. OpenStack Cinder Volumes
    19.2.1.8.1. Docker Volume
    19.2.1.8.2. Registry volume
    19.2.1.9. Creating and Configuring the Deployment Instance
    19.2.1.10. Deployment Host Configuration for OpenShift Container Platform

    19.3. PROVISIONING OPENSHIFT CONTAINER PLATFORM INSTANCES USING THE OPENSHIFT ANSIBLE PLAYBOOKS
    19.3.1. Preparing the Inventory for Provisioning

    19.3.1.1. all.yml configuration
    19.3.1.2. OSEv3.yml
    19.3.2. OpenStack Prerequisites Playbook
    19.4. REGISTERING WITH SUBSCRIPTION MANAGER THE OPENSHIFT CONTAINER PLATFORM INSTANCES
    19.5. INSTALLING OPENSHIFT CONTAINER PLATFORM BY USING AN ANSIBLE PLAYBOOK
    19.6. APPLYING CONFIGURATION CHANGES TO EXISTING OPENSHIFT CONTAINER PLATFORM ENVIRONMENT
    19.6.1. Configuring OpenStack Variables on an existing OpenShift Environment
    19.6.2. Configuring Zone Labels for Dynamically Created OpenStack PVs

    CHAPTER 20. CONFIGURING FOR GOOGLE COMPUTE ENGINE
    20.1. BEFORE YOU BEGIN
    20.1.1. Configuring authorization for Google Cloud Platform
    20.1.2. Google Compute Engine objects
    20.2. CONFIGURING OPENSHIFT CONTAINER PLATFORM FOR GCE
    20.2.1. Option 1: Configuring OpenShift Container Platform for GCP using Ansible
    20.2.2. Option 2: Manually configuring OpenShift Container Platform for GCE
    20.2.2.1. Manually configuring master hosts for GCE
    20.2.2.2. Manually configuring node hosts for GCE
    20.2.3. Configuring the OpenShift Container Platform registry for GCP
    20.2.3.1. Manually configuring OpenShift Container Platform registry for GCP
    20.2.3.1.1. Verify the registry is using GCP object storage
    20.2.4. Configuring OpenShift Container Platform to use GCP storage
    20.2.5. About Red Hat OpenShift Container Storage
    20.3. USING THE GCP EXTERNAL LOAD BALANCER AS A SERVICE

    CHAPTER 21. CONFIGURING FOR AZURE
    21.1. BEFORE YOU BEGIN
    21.1.1. Configuring authorization for Microsoft Azure
    21.1.2. Configuring Microsoft Azure objects
    21.2. THE AZURE CONFIGURATION FILE
    21.3. EXAMPLE INVENTORY FOR OPENSHIFT CONTAINER PLATFORM ON MICROSOFT AZURE
    21.4. CONFIGURING OPENSHIFT CONTAINER PLATFORM FOR MICROSOFT AZURE
    21.4.1. Configuring OpenShift Container Platform for Azure using Ansible
    21.4.2. Manually configuring OpenShift Container Platform for Microsoft Azure
    21.4.2.1. Manually configuring master hosts for Microsoft Azure
    21.4.2.2. Manually configuring node hosts for Microsoft Azure
    21.4.3. Configuring the OpenShift Container Platform registry for Microsoft Azure
    21.4.4. Configuring OpenShift Container Platform to use Microsoft Azure storage
    21.4.5. About Red Hat OpenShift Container Storage
    21.5. USING THE MICROSOFT AZURE EXTERNAL LOAD BALANCER AS A SERVICE
    21.5.1. Deploying a sample application using a load balancer

    CHAPTER 22. CONFIGURING FOR VMWARE VSPHERE
    22.1. BEFORE YOU BEGIN
    22.1.1. VMware vSphere cloud provider prerequisites
    22.2. CONFIGURING OPENSHIFT CONTAINER PLATFORM FOR VSPHERE
    22.2.1. Option 1: Configuring OpenShift Container Platform for vSphere using Ansible
    22.2.2. Option 2: Manually configuring OpenShift Container Platform for vSphere
    22.2.2.1. Manually configuring master hosts for vSphere
    22.2.2.2. Manually configuring node hosts for vSphere

    22.2.2.3. Applying Configuration Changes
    22.2.3. Configuring OpenShift Container Platform to use vSphere storage
    Prerequisites
    22.2.3.1. Provisioning VMware vSphere volumes
    22.2.3.1.1. Creating persistent volumes
    22.2.3.1.2. Formatting VMware vSphere volumes
    22.2.3.2. Provisioning VMware vSphere volumes via a Storage Class
    22.2.4. About Red Hat OpenShift Container Storage
    22.2.5. Configuring the OpenShift Container Platform registry for vSphere
    22.2.5.1. Configuring the OpenShift Container Platform registry for vSphere using Ansible
    22.2.5.2. Manually configuring OpenShift Container Platform registry for vSphere
    22.3. BACKUP OF PERSISTENT VOLUMES

    CHAPTER 23. CONFIGURING LOCAL VOLUMES
    23.1. OVERVIEW
    23.2. MOUNTING LOCAL VOLUMES
    23.3. CONFIGURING THE LOCAL PROVISIONER
    23.4. DEPLOYING THE LOCAL PROVISIONER
    23.5. ADDING NEW DEVICES
    23.6. CONFIGURING RAW BLOCK DEVICES
    23.6.1. Preparing raw block devices
    23.6.2. Deploying raw block device provisioners
    23.6.3. Using raw block device persistent volumes

    CHAPTER 24. CONFIGURING PERSISTENT STORAGE
    24.1. OVERVIEW
    24.2. PERSISTENT STORAGE USING NFS
    24.2.1. Overview
    24.2.2. Provisioning
    24.2.3. Enforcing Disk Quotas
    24.2.4. NFS Volume Security
    24.2.4.1. Group IDs
    24.2.4.2. User IDs
    24.2.4.3. SELinux
    24.2.4.4. Export Settings
    24.2.5. Reclaiming Resources
    24.2.6. Automation
    24.2.7. Additional Configuration and Troubleshooting
    24.3. PERSISTENT STORAGE USING RED HAT GLUSTER STORAGE
    24.3.1. Overview
    24.3.1.1. converged mode
    24.3.1.2. independent mode
    24.3.1.3. Standalone Red Hat Gluster Storage
    24.3.1.4. GlusterFS Volumes
    24.3.1.5. gluster-block Volumes
    24.3.1.6. Gluster S3 Storage
    24.3.2. Considerations
    24.3.2.1. Software Prerequisites
    24.3.2.2. Hardware Requirements
    24.3.2.3. Storage Sizing
    24.3.2.4. Volume Operation Behaviors
    24.3.2.5. Volume Security
    24.3.2.5.1. POSIX Permissions

    24.3.2.5.2. SELinux
    24.3.3. Support Requirements
    24.3.4. Installation
    24.3.4.1. independent mode: Installing Red Hat Gluster Storage Nodes
    24.3.4.2. Using the Installer
    24.3.4.2.1. Example: Basic converged mode Installation
    24.3.4.2.2. Example: Basic independent mode Installation
    24.3.4.2.3. Example: converged mode with an Integrated OpenShift Container Registry
    24.3.4.2.4. Example: converged mode for OpenShift Logging and Metrics
    24.3.4.2.5. Example: converged mode for Applications, Registry, Logging, and Metrics
    24.3.4.2.6. Example: independent mode for Applications, Registry, Logging, and Metrics
    24.3.5. Uninstall converged mode
    24.3.6. Provisioning
    24.3.6.1. Static Provisioning
    24.3.6.2. Dynamic Provisioning
    24.4. PERSISTENT STORAGE USING OPENSTACK CINDER
    24.4.1. Overview
    24.4.2. Provisioning Cinder PVs
    24.4.2.1. Creating the Persistent Volume
    24.4.2.2. Cinder PV format
    24.4.2.3. Cinder volume security
    24.5. PERSISTENT STORAGE USING CEPH RADOS BLOCK DEVICE (RBD)
    24.5.1. Overview
    24.5.2. Provisioning
    24.5.2.1. Creating the Ceph Secret
    24.5.2.2. Creating the Persistent Volume
    24.5.3. Ceph Volume Security
    24.6. PERSISTENT STORAGE USING AWS ELASTIC BLOCK STORE
    24.6.1. Overview
    24.6.2. Provisioning
    24.6.2.1. Creating the Persistent Volume
    24.6.2.2. Volume Format
    24.6.2.3. Maximum Number of EBS Volumes on a Node
    24.7. PERSISTENT STORAGE USING GCE PERSISTENT DISK
    24.7.1. Overview
    24.7.2. Provisioning
    24.7.2.1. Creating the Persistent Volume
    24.7.2.2. Volume Format
    24.8. PERSISTENT STORAGE USING ISCSI
    24.8.1. Overview
    24.8.2. Provisioning
    24.8.2.1. Enforcing Disk Quotas
    24.8.2.2. iSCSI Volume Security
    24.8.2.3. iSCSI Multipathing
    24.8.2.4. iSCSI Custom Initiator IQN
    24.9. PERSISTENT STORAGE USING FIBRE CHANNEL
    24.9.1. Overview
    24.9.2. Provisioning
    24.9.2.1. Enforcing Disk Quotas
    24.9.2.2. Fibre Channel Volume Security
    24.10. PERSISTENT STORAGE USING AZURE DISK
    24.10.1. Overview
    24.10.2. Prerequisites

    24.10.3. Provisioning
    24.10.4. Configuring Azure Disk for regional cloud
    24.10.4.1. Creating the Persistent Volume
    24.10.4.2. Volume Format
    24.11. PERSISTENT STORAGE USING AZURE FILE
    24.11.1. Overview
    24.11.2. Before you begin
    24.11.3. Example configuration files
    24.11.4. Configuring Azure File for regional cloud
    24.11.5. Creating the PV
    24.11.6. Creating the Azure Storage Account secret
    24.12. PERSISTENT STORAGE USING FLEXVOLUME PLUG-INS
    24.12.1. Overview
    24.12.2. FlexVolume drivers
    24.12.2.1. FlexVolume drivers with master-initiated attach/detach
    24.12.2.2. FlexVolume drivers without master-initiated attach/detach
    24.12.3. Installing FlexVolume drivers
    24.12.4. Consuming storage using FlexVolume drivers
    24.13. USING VMWARE VSPHERE VOLUMES FOR PERSISTENT STORAGE
    24.13.1. Overview
    Prerequisites
    24.13.2. Provisioning VMware vSphere volumes
    24.13.2.1. Creating persistent volumes
    24.13.2.2. Formatting VMware vSphere volumes
    24.14. PERSISTENT STORAGE USING LOCAL VOLUME
    24.14.1. Overview
    24.14.2. Provisioning
    24.14.3. Creating Local Persistent Volume Claim
    24.14.4. Feature Status
    24.15. PERSISTENT STORAGE USING CONTAINER STORAGE INTERFACE (CSI)
    24.15.1. Overview
    24.15.2. Architecture
    24.15.2.1. External CSI Controllers
    24.15.2.2. CSI Driver DaemonSet
    24.15.3. Example Deployment
    24.15.4. Dynamic Provisioning
    24.15.5. Usage
    24.16. PERSISTENT STORAGE USING OPENSTACK MANILA
    24.16.1. Overview
    24.16.2. Installation and Setup
    24.16.2.1. Starting the External Provisioner
    24.16.3. Usage
    24.17. DYNAMIC PROVISIONING AND CREATING STORAGE CLASSES
    24.17.1. Overview
    24.17.2. Available dynamically provisioned plug-ins
    24.17.3. Defining a StorageClass
    24.17.3.1. Basic StorageClass object definition
    24.17.3.2. StorageClass annotations
    24.17.3.3. OpenStack Cinder object definition
    24.17.3.4. AWS ElasticBlockStore (EBS) object definition
    24.17.3.5. GCE PersistentDisk (gcePD) object definition
    24.17.3.6. GlusterFS object definition
    24.17.3.7. Ceph RBD object definition

    24.17.3.8. Trident object definition
    24.17.3.9. VMware vSphere object definition
    24.17.3.10. Azure File object definition
    24.17.3.11. Azure Disk object definition
    24.17.4. Changing the default StorageClass
    24.17.5. Additional information and examples
    24.18. VOLUME SECURITY
    24.18.1. Overview
    24.18.2. SCCs, Defaults, and Allowed Ranges
    24.18.3. Supplemental Groups
    24.18.4. fsGroup
    24.18.5. User IDs
    24.18.6. SELinux Options
    24.19. SELECTOR-LABEL VOLUME BINDING
    24.19.1. Overview
    24.19.2. Motivation
    24.19.3. Deployment
    24.19.3.1. Prerequisites
    24.19.3.2. Define the Persistent Volume and Claim
    24.19.3.3. Deploy the Persistent Volume and Claim
    24.20. ENABLING CONTROLLER-MANAGED ATTACHMENT AND DETACHMENT
    24.20.1. Overview
    24.20.2. Determining What Is Managing Attachment and Detachment
    24.20.3. Configuring Nodes to Enable Controller-managed Attachment and Detachment
    24.21. PERSISTENT VOLUME SNAPSHOTS
    24.21.1. Overview
    24.21.2. Features
    24.21.3. Installation and Setup
    24.21.3.1. Starting the External Controller and Provisioner
    24.21.3.2. Managing Snapshot Users
    24.21.4. Lifecycle of a Volume Snapshot and Volume Snapshot Data
    24.21.4.1. Persistent Volume Claim and Persistent Volume
    24.21.4.1.1. Snapshot Promoter
    24.21.4.2. Create Snapshot
    24.21.4.3. Restore Snapshot
    24.21.4.4. Delete Snapshot

    CHAPTER 25. PERSISTENT STORAGE EXAMPLES
    25.1. OVERVIEW
    25.2. SHARING AN NFS MOUNT ACROSS TWO PERSISTENT VOLUME CLAIMS
    25.2.1. Overview
    25.2.2. Creating the Persistent Volume
    25.2.3. Creating the Persistent Volume Claim
    25.2.4. Ensuring NFS Volume Access
    25.2.5. Creating the Pod
    25.2.6. Creating an Additional Pod to Reference the Same PVC
    25.3. COMPLETE EXAMPLE USING CEPH RBD
    25.3.1. Overview
    25.3.2. Installing the ceph-common Package
    25.3.3. Creating the Ceph Secret
    25.3.4. Creating the Persistent Volume
    25.3.5. Creating the Persistent Volume Claim
    25.3.6. Creating the Pod

    25.3.7. Defining Group and Owner IDs (Optional)
    25.3.8. Setting ceph-user-secret as Default for Projects
    25.4. USING CEPH RBD FOR DYNAMIC PROVISIONING
    25.4.1. Overview
    25.4.2. Creating a pool for dynamic volumes
    25.4.3. Using an existing Ceph cluster for dynamic persistent storage
    25.4.4. Setting ceph-user-secret as the default for projects
    25.5. COMPLETE EXAMPLE USING GLUSTERFS
    25.5.1. Overview
    25.5.2. Prerequisites
    25.5.3. Static Provisioning
    25.5.4. Using the Storage
    25.6. COMPLETE EXAMPLE USING GLUSTERFS FOR DYNAMIC PROVISIONING
    25.6.1. Overview
    25.6.2. Prerequisites
    25.6.3. Dynamic Provisioning
    25.6.4. Using the Storage
    25.7. MOUNTING VOLUMES ON PRIVILEGED PODS
    25.7.1. Overview
    25.7.2. Prerequisites
    25.7.3. Creating the Persistent Volume
    25.7.4. Creating a Regular User
    25.7.5. Creating the Persistent Volume Claim
    25.7.6. Verifying the Setup
    25.7.6.1. Checking the Pod SCC
    25.7.6.2. Verifying the Mount
    25.8. SWITCHING AN INTEGRATED OPENSHIFT CONTAINER REGISTRY TO GLUSTERFS
    25.8.1. Overview
    25.8.2. Prerequisites
    25.8.3. Manually Provision the GlusterFS PersistentVolumeClaim
    25.8.4. Attach the PersistentVolumeClaim to the Registry
    25.9. BINDING PERSISTENT VOLUMES BY LABELS
    25.9.1. Overview
    25.9.1.1. Assumptions
    25.9.2. Defining Specifications
    25.9.2.1. Persistent Volume with Labels
    25.9.2.2. Persistent Volume Claim with Selectors
    25.9.2.3. Volume Endpoints
    25.9.2.4. Deploy the PV, PVC, and Endpoints
    25.10. USING STORAGE CLASSES FOR DYNAMIC PROVISIONING
    25.10.1. Overview
    25.10.2. Scenario 1: Basic Dynamic Provisioning with Two Types of StorageClasses
    25.10.3. Scenario 2: How to enable Default StorageClass behavior for a Cluster
    25.11. USING STORAGE CLASSES FOR EXISTING LEGACY STORAGE
    25.11.1. Overview
    25.11.1.1. Scenario 1: Link StorageClass to existing Persistent Volume with Legacy Data
    25.12. CONFIGURING AZURE BLOB STORAGE FOR INTEGRATED DOCKER REGISTRY
    25.12.1. Overview
    25.12.2. Before You Begin
    25.12.3. Overriding Registry Configuration

    CHAPTER 26. CONFIGURING EPHEMERAL STORAGE
    26.1. OVERVIEW

    26.2. ENABLING EPHEMERAL STORAGE

    CHAPTER 27. WORKING WITH HTTP PROXIES
    27.1. OVERVIEW
    27.2. CONFIGURING NO_PROXY
    27.3. CONFIGURING HOSTS FOR PROXIES
    27.4. CONFIGURING HOSTS FOR PROXIES USING ANSIBLE
    27.5. PROXYING DOCKER PULL
    27.6. USING MAVEN BEHIND A PROXY
    27.7. CONFIGURING S2I BUILDS FOR PROXIES
    27.8. CONFIGURING DEFAULT TEMPLATES FOR PROXIES
    27.9. SETTING PROXY ENVIRONMENT VARIABLES IN PODS
    27.10. GIT REPOSITORY ACCESS

    CHAPTER 28. CONFIGURING GLOBAL BUILD DEFAULTS AND OVERRIDES
    28.1. OVERVIEW
    28.2. SETTING GLOBAL BUILD DEFAULTS
    28.2.1. Configuring Global Build Defaults with Ansible
    28.2.2. Manually Setting Global Build Defaults
    28.3. SETTING GLOBAL BUILD OVERRIDES
    28.3.1. Configuring Global Build Overrides with Ansible
    28.3.2. Manually Setting Global Build Overrides

    CHAPTER 29. CONFIGURING PIPELINE EXECUTION
    29.1. OVERVIEW
    29.2. OPENSHIFT JENKINS CLIENT PLUGIN
    29.3. OPENSHIFT JENKINS SYNC PLUGIN

    CHAPTER 30. CONFIGURING ROUTE TIMEOUTS

    CHAPTER 31. CONFIGURING NATIVE CONTAINER ROUTING
    31.1. NETWORK OVERVIEW
    31.2. CONFIGURE NATIVE CONTAINER ROUTING
    31.3. SETTING UP A NODE FOR CONTAINER NETWORKING
    31.4. SETTING UP A ROUTER FOR CONTAINER NETWORKING

    CHAPTER 32. ROUTING FROM EDGE LOAD BALANCERS
    32.1. OVERVIEW
    32.2. INCLUDING THE LOAD BALANCER IN THE SDN
    32.3. ESTABLISHING A TUNNEL USING A RAMP NODE
    32.3.1. Configuring a Highly-Available Ramp Node

    CHAPTER 33. AGGREGATING CONTAINER LOGS
    33.1. OVERVIEW
    33.2. PRE-DEPLOYMENT CONFIGURATION
    33.3. SPECIFYING LOGGING ANSIBLE VARIABLES
    33.4. DEPLOYING THE EFK STACK
    33.5. UNDERSTANDING AND ADJUSTING THE DEPLOYMENT
    33.5.1. Ops Cluster
    33.5.2. Elasticsearch
    33.5.2.1. Persistent Elasticsearch Storage
    33.5.2.1.1. Using NFS as a persistent volume
    33.5.2.1.2. Using NFS as local storage
    33.5.2.1.3. Configuring hostPath storage for Elasticsearch
    33.5.2.1.4. Changing the Scale of Elasticsearch

    33.5.2.1.5. Expose Elasticsearch as a Route
    33.5.3. Fluentd
    33.5.4. Kibana
    33.5.5. Curator
    33.5.5.1. Creating the Curator Configuration
    33.6. CLEANUP
    33.7. TROUBLESHOOTING KIBANA
    33.8. SENDING LOGS TO AN EXTERNAL ELASTICSEARCH INSTANCE
    33.9. SENDING LOGS TO AN EXTERNAL SYSLOG SERVER
    33.10. PERFORMING ADMINISTRATIVE ELASTICSEARCH OPERATIONS
    33.11. REDEPLOYING EFK CERTIFICATES
    33.12. CHANGING THE AGGREGATED LOGGING DRIVER
    33.13. MANUAL ELASTICSEARCH ROLLOUTS
    33.13.1. Performing an Elasticsearch Rolling Cluster Restart
    33.13.2. Performing an Elasticsearch Full Cluster Restart

    CHAPTER 34. AGGREGATE LOGGING SIZING GUIDELINES
    34.1. OVERVIEW
    34.2. INSTALLATION
    34.2.1. Large Clusters
    34.3. SYSTEMD-JOURNALD AND RSYSLOG
    34.4. SCALING UP EFK LOGGING
    34.5. STORAGE CONSIDERATIONS

    CHAPTER 35. ENABLING CLUSTER METRICS
    35.1. OVERVIEW
    35.2. BEFORE YOU BEGIN
    35.3. METRICS PROJECT
    35.4. METRICS DATA STORAGE
    35.4.1. Persistent Storage
    35.4.2. Capacity Planning for Cluster Metrics
    Known Issues and Limitations
    35.4.3. Non-Persistent Storage
    35.5. METRICS ANSIBLE ROLE
    35.5.1. Specifying Metrics Ansible Variables
    35.5.2. Using Secrets
    35.5.2.1. Providing Your Own Certificates
    35.6. DEPLOYING THE METRIC COMPONENTS
    35.6.1. Metrics Diagnostics
    35.7. SETTING THE METRICS PUBLIC URL
    35.8. ACCESSING HAWKULAR METRICS DIRECTLY
    35.8.1. OpenShift Container Platform Projects and Hawkular Tenants
    35.8.2. Authorization
    35.9. SCALING OPENSHIFT CONTAINER PLATFORM CLUSTER METRICS PODS
    35.10. CLEANUP
    35.11. PROMETHEUS ON OPENSHIFT CONTAINER PLATFORM
    35.11.1. Setting Prometheus Role Variables
    35.11.2. Deploying Prometheus Using Ansible Installer
    35.11.2.1. Additional Methods for Deploying Prometheus
    35.11.2.2. Accessing the Prometheus Web UI
    35.11.2.3. Configuring Prometheus for OpenShift Container Platform
    35.11.3. OpenShift Container Platform Metrics via Prometheus
    35.11.3.1. Current Metrics

    35.11.4. Undeploying Prometheus

    CHAPTER 36. CUSTOMIZING THE WEB CONSOLE
    36.1. OVERVIEW
    36.2. LOADING EXTENSION SCRIPTS AND STYLESHEETS
    36.2.1. Setting Extension Properties
    36.3. EXTENSION OPTION FOR EXTERNAL LOGGING SOLUTIONS
    36.4. CUSTOMIZING AND DISABLING THE GUIDED TOUR
    36.5. CUSTOMIZING DOCUMENTATION LINKS
    36.6. CUSTOMIZING THE LOGO
    36.7. CUSTOMIZING THE MEMBERSHIP WHITELIST
    36.8. CHANGING LINKS TO DOCUMENTATION
    36.9. ADDING OR CHANGING LINKS TO DOWNLOAD THE CLI
    36.9.1. Customizing the About Page
    36.10. CONFIGURING NAVIGATION MENUS
    36.10.1. Top Navigation Dropdown Menus
    36.10.2. Application Launcher
    36.10.3. System Status Badge
    36.10.4. Project Left Navigation
    36.11. CONFIGURING FEATURED APPLICATIONS
    36.12. CONFIGURING CATALOG CATEGORIES
    36.13. CONFIGURING QUOTA NOTIFICATION MESSAGES
    36.14. CONFIGURING THE CREATE FROM URL NAMESPACE WHITELIST
    36.15. DISABLING THE COPY LOGIN COMMAND
    36.15.1. Enabling Wildcard Routes
    36.16. CUSTOMIZING THE LOGIN PAGE
    36.16.1. Example Usage
    36.17. CUSTOMIZING THE OAUTH ERROR PAGE
    36.18. CHANGING THE LOGOUT URL
    36.19. CONFIGURING WEB CONSOLE CUSTOMIZATIONS WITH ANSIBLE
    36.20. CHANGING THE WEB CONSOLE URL PORT AND CERTIFICATES

    CHAPTER 37. DEPLOYING EXTERNAL PERSISTENT VOLUME PROVISIONERS
    37.1. OVERVIEW
    37.2. BEFORE YOU BEGIN
    37.2.1. External Provisioners Ansible Role
    37.2.2. External Provisioners Ansible Variables
    37.2.3. AWS EFS Provisioner Ansible Variables
    37.3. DEPLOYING THE PROVISIONERS
    37.3.1. Deploying the AWS EFS Provisioner
    37.3.1.1. AWS EFS Object Definition
    37.4. CLEANUP

  • CHAPTER 1. OVERVIEW

    This guide covers further configuration options available for your OpenShift Container Platform cluster post-installation.

  • CHAPTER 2. SETTING UP THE REGISTRY

    2.1. REGISTRY OVERVIEW

    2.1.1. About the Registry

    OpenShift Container Platform can build container images from your source code, deploy them, and manage their lifecycle. To enable this, OpenShift Container Platform provides an internal, integrated Docker registry that can be deployed in your OpenShift Container Platform environment to locally manage images.

    2.1.2. Integrated or Stand-alone Registries

    During an initial installation of a full OpenShift Container Platform cluster, it is likely that the registry was deployed automatically during the installation process. If it was not, or if you want to further customize the configuration of your registry, see Deploying a Registry on Existing Clusters.

    While it can be deployed to run as an integrated part of your full OpenShift Container Platform cluster, the OpenShift Container Platform registry can alternatively be installed separately as a stand-alone container image registry.

    To install a stand-alone registry, follow Installing a Stand-alone Registry. This installation path deploys an all-in-one cluster running a registry and specialized web console.

    2.1.3. Red Hat Quay Registries

    If you need an enterprise-quality container image registry, Red Hat Quay is available both as a hosted service and as software you can install in your own data center or cloud environment. Advanced registry features in Red Hat Quay include geo-replication, image scanning, and the ability to roll back images.

    Visit the Quay.io site to set up your own hosted Quay registry account. After that, the Quay Tutorial helps you log in to the Quay registry and start managing your images. Alternatively, refer to Getting Started with Red Hat Quay for information on setting up your own Red Hat Quay registry.

    At the moment, you access your Red Hat Quay registry from OpenShift as you would any remote container image registry. To learn how to set up credentials to access Red Hat Quay as a secured registry, refer to Allowing Pods to Reference Images from Other Secured Registries.

    2.2. DEPLOYING A REGISTRY ON EXISTING CLUSTERS

    2.2.1. Overview

    If the integrated registry was not previously deployed automatically during the initial installation of your OpenShift Container Platform cluster, or if it is no longer running successfully and you need to redeploy it on your existing cluster, see the following sections for options on deploying a new registry.

    NOTE

    This topic is not required if you installed a stand-alone registry.

    2.2.2. Deploying the Registry


    To deploy the integrated Docker registry, use the oc adm registry command as a user with cluster administrator privileges. For example:

    $ oc adm registry --config=/etc/origin/master/admin.kubeconfig \
        --service-account=registry \
        --images='registry.access.redhat.com/openshift3/ose-${component}:${version}'

    --config is the path to the CLI configuration file for the cluster administrator.

    --service-account is the service account used to run the registry’s pod.

    --images is required to pull the correct image for OpenShift Container Platform.

    This creates a service and a deployment configuration, both called docker-registry. Once deployed successfully, a pod is created with a name similar to docker-registry-1-cpty9.

    To see a full list of options that you can specify when creating the registry:

    $ oc adm registry --help

    The value for --fs-group must be permitted by the SCC used by the registry (typically, the restricted SCC).

    2.2.3. Deploying the Registry as a DaemonSet

    Use the oc adm registry command to deploy the registry as a DaemonSet with the --daemonset option.

    Daemonsets ensure that when nodes are created, they contain copies of a specified pod. When the nodes are removed, the pods are garbage collected.

    For more information on DaemonSets, see Using Daemonsets.

    2.2.4. Registry Compute Resources

    By default, the registry is created with no settings for compute resource requests or limits. For production, it is highly recommended that the deployment configuration for the registry be updated to set resource requests and limits for the registry pod. Otherwise, the registry pod will be considered a BestEffort pod.

    See Compute Resources for more information on configuring requests and limits.

    2.2.5. Storage for the Registry

    The registry stores container images and metadata. If you simply deploy a pod with the registry, it uses an ephemeral volume that is destroyed if the pod exits. Any images anyone has built or pushed into the registry would disappear.

    This section lists the supported registry storage drivers. See the Docker registry documentation for more information.

    The following list includes storage drivers that need to be configured in the registry’s configuration file:

    Filesystem. Filesystem is the default and does not need to be configured.


    S3. See the CloudFront configuration documentation for more information.

    OpenStack Swift

    Google Cloud Storage (GCS)

    Microsoft Azure

    Aliyun OSS

    General registry storage configuration options are supported. See the Docker registry documentation for more information.

    The following storage options need to be configured through the filesystem driver:

    GlusterFS Storage

    Ceph Rados Block Device

    NOTE

    For more information on supported persistent storage drivers, see Configuring Persistent Storage and Persistent Storage Examples.

    2.2.5.1. Production Use

    For production use, attach a remote volume or define and use the persistent storage method of your choice.

    For example, to use an existing persistent volume claim:

    $ oc volume deploymentconfigs/docker-registry --add --name=registry-storage -t pvc \
        --claim-name= --overwrite

    IMPORTANT

    Testing shows issues with using the RHEL NFS server as a storage backend for the container image registry. This includes the OpenShift Container Registry and Quay. Therefore, using the RHEL NFS server to back PVs used by core services is not recommended.

    Other NFS implementations on the marketplace might not have these issues. Contact the individual NFS implementation vendor for more information on any testing that was possibly completed against these OpenShift core components.

    2.2.5.1.1. Use Amazon S3 as a Storage Back-end

    There is also an option to use Amazon Simple Storage Service storage with the internal Docker registry. It is a secure cloud storage manageable through the AWS Management Console. To use it, the registry’s configuration file must be manually edited and mounted to the registry pod. However, before you start with the configuration, look at upstream’s recommended steps.

    Take a default YAML configuration file as a base and replace the filesystem entry in the storage section with an s3 entry such as the one below. The resulting storage section may look like this:

    storage:
      cache:
        layerinfo: inmemory
      delete:
        enabled: true
      s3:
        accesskey: awsaccesskey
        secretkey: awssecretkey
        region: us-west-1
        regionendpoint: http://myobjects.local
        bucket: bucketname
        encrypt: true
        keyid: mykeyid
        secure: true
        v4auth: false
        chunksize: 5242880
        rootdirectory: /s3/object/name/prefix

    accesskey: Replace awsaccesskey with your Amazon access key.

    secretkey: Replace awssecretkey with your Amazon secret key.

    All of the s3 configuration options are documented in upstream’s driver reference documentation.

    Overriding the registry configuration will take you through the additional steps on mounting the configuration file into the pod.

    WARNING

    When the registry runs on the S3 storage back-end, there are reported issues.

    If you want to use an S3 region that is not supported by the integrated registry you are using, see S3 Driver Configuration.

    2.2.5.2. Non-Production Use

    For non-production use, you can use the --mount-host= option to specify a directory for the registry to use for persistent storage. The registry volume is then created as a host-mount at the specified .

    IMPORTANT

    The --mount-host option mounts a directory from the node on which the registry container lives. If you scale up the docker-registry deployment configuration, it is possible that your registry pods and containers will run on different nodes, which can result in two or more registry containers, each with its own local storage. This will lead to unpredictable behavior, as subsequent requests to pull the same image repeatedly may not always succeed, depending on which container the request ultimately goes to.

    The --mount-host option requires that the registry container run in privileged mode. This is automatically enabled when you specify --mount-host. However, not all pods are allowed to run privileged containers by default. If you still want to use this option, create the registry and specify that it use the registry service account that was created during installation:

    $ oc adm registry --service-account=registry \
        --config=/etc/origin/master/admin.kubeconfig \
        --images='registry.access.redhat.com/openshift3/ose-${component}:${version}' \
        --mount-host=

    IMPORTANT

    The Docker registry pod runs as user 1001. This user must be able to write to the host directory. You may need to change directory ownership to user ID 1001 with this command:

    $ sudo chown 1001:root

    2.2.6. Enabling the Registry Console

    OpenShift Container Platform provides a web-based interface to the integrated registry. This registry console is an optional component for browsing and managing images. It is deployed as a stateless service running as a pod.

    NOTE

    If you installed OpenShift Container Platform as a stand-alone registry, the registry console is already deployed and secured automatically during installation.

    IMPORTANT

    If Cockpit is already running, you’ll need to shut it down before proceeding in order to avoid a port conflict (9090 by default) with the registry console.

    2.2.6.1. Deploying the Registry Console

    IMPORTANT

    You must first have exposed the registry.

    1. Create a passthrough route in the default project. You will need this when creating the registry console application in the next step.

    $ oc create route passthrough --service registry-console \
        --port registry-console \
        -n default

    2. Deploy the registry console application. Replace with the URL of the OpenShift Container Platform OAuth provider, which is typically the master.

    $ oc new-app -n default --template=registry-console \
        -p OPENSHIFT_OAUTH_PROVIDER_URL="https://:8443" \
        -p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
        -p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')

    NOTE

    If the redirection URL is wrong when you are trying to log in to the registry console, check your OAuth client with oc get oauthclients.

    3. Finally, use a web browser to view the console using the route URI.

    2.2.6.2. Securing the Registry Console

    By default, the registry console generates self-signed TLS certificates if deployed manually per the steps in Deploying the Registry Console. See Troubleshooting the Registry Console for more information.

    Use the following steps to add your organization’s signed certificates as a secret volume. This assumes your certificates are available on the oc client host.

    1. Create a .cert file containing the certificate and key. Format the file with:

    One or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities

    A block containing a BEGIN PRIVATE KEY or similar for the key. The key must not be encrypted

    For example:

    -----BEGIN CERTIFICATE-----
    MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
    BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
    BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
    ...
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
    8TBCDSqQ/H1awGMzDYdB11xuHHsxYS2VepPMzMzryHR137I4dGFLhvdTvJUH8lUS
    ...
    -----END PRIVATE KEY-----

    The secured registry should contain the following Subject Alternative Names (SAN) list:

    Two service hostnames. For example:

    docker-registry.default.svc.cluster.local
    docker-registry.default.svc

    Service IP address. For example:

    172.30.124.220

    Use the following command to get the Docker registry service IP address:

    oc get service docker-registry --template='{{.spec.clusterIP}}'

    Public hostname. For example:

    docker-registry-default.apps.example.com

    Use the following command to get the Docker registry public hostname:

    oc get route docker-registry --template '{{.spec.host}}'

    For example, the server certificate should contain SAN details similar to the following:

    X509v3 Subject Alternative Name:
        DNS:docker-registry-public.openshift.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.2.98, IP Address:172.30.2.98

    The registry console loads a certificate from the /etc/cockpit/ws-certs.d directory. It uses the last file with a .cert extension in alphabetical order. Therefore, the .cert file should contain at least two PEM blocks formatted in the OpenSSL style.

    If no certificate is found, a self-signed certificate is created using the openssl command and stored in the 0-self-signed.cert file.

    2. Create the secret:

    $ oc create secret generic console-secret \
        --from-file=/path/to/console.cert

    3. Add the secrets to the registry-console deployment configuration:

    $ oc volume dc/registry-console --add --type=secret \
        --secret-name=console-secret -m /etc/cockpit/ws-certs.d

    This triggers a new deployment of the registry console to include your signed certificates.
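
    A pre-flight check for the .cert file from step 1, run before the secret is created. This is an added example, not part of the Red Hat documentation; the function names and the constructed sample bundle are illustrative, and plain string sorting stands in for the "alphabetical order" the registry console uses to pick a file.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_cert_bundle(text):
    """Return a list of problems in a registry console .cert bundle (empty = OK)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    keys = [(label, body) for label, body in blocks
            if label.endswith("PRIVATE KEY")]

    if not certs:
        problems.append("no BEGIN CERTIFICATE block")
    if len(keys) != 1:
        problems.append(
            "expected exactly one private key block, found %d" % len(keys))
    for label, body in keys:
        # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted")
    for label, body in blocks:
        if "Proc-Type:" in body:
            continue  # legacy header lines are not base64
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            # Catches bundles pasted from documentation with "..." left in.
            problems.append("%s block is not valid base64" % label)
    return problems


def selected_cert_file(names):
    """Pick the file the console would load: the last *.cert name when sorted."""
    certs = sorted(n for n in names if n.endswith(".cert"))
    return certs[-1] if certs else None


def pem(label, payload, headers=""):
    """Build a constructed PEM block (placeholder bytes, not a real cert or key)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (
        label, headers, body, label)


# Constructed sample: server certificate, intermediate CA, unencrypted key.
SAMPLE_OK = (pem("CERTIFICATE", b"constructed server certificate")
             + pem("CERTIFICATE", b"constructed intermediate CA")
             + pem("PRIVATE KEY", b"constructed private key"))

if __name__ == "__main__":
    print(check_cert_bundle(SAMPLE_OK))
    print(selected_cert_file(["0-self-signed.cert", "console.cert"]))
```

    The check covers only the PEM structure; it does not parse the certificate, so the SAN list still has to be confirmed separately.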

    2.2.6.3. Troubleshooting the Registry Console

    2.2.6.3.1. Debug Mode

    The registry console debug mode is enabled using an environment variable. The following command redeploys the registry console in debug mode:

    $ oc set env dc registry-console G_MESSAGES_DEBUG=cockpit-ws,cockpit-wrapper

    Enabling debug mode allows more verbose logging to appear in the registry console’s pod logs.

    2.2.6.3.2. Display SSL Certificate Path

    To check which certificate the registry console is using, a command can be run from inside the console pod.

    1. List the pods in the default project and find the registry console’s pod name:

    $ oc get pods -n default
    NAME                       READY   STATUS    RESTARTS   AGE
    registry-console-1-rssrw   1/1     Running   0          1d

    2. Using the pod name from the previous command, get the certificate path that the cockpit-ws process is using. This example shows the console using the auto-generated certificate:

    $ oc exec registry-console-1-rssrw remotectl certificate
    certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert

    2.3. ACCESSING THE REGISTRY

    2.3.1. Viewing Logs

    To view the logs for the Docker registry, use the oc logs command with the deployment configuration:

    $ oc logs dc/docker-registry
    2015-05-01T19:48:36.300593110Z time="2015-05-01T19:48:36Z" level=info msg="version=v2.0.0+unknown"
    2015-05-01T19:48:36.303294724Z time="2015-05-01T19:48:36Z" level=info msg="redis not configured" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
    2015-05-01T19:48:36.303422845Z time="2015-05-01T19:48:36Z" level=info msg="using inmemory layerinfo cache" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
    2015-05-01T19:48:36.303433991Z time="2015-05-01T19:48:36Z" level=info msg="Using OpenShift Auth handler"
    2015-05-01T19:48:36.303439084Z time="2015-05-01T19:48:36Z" level=info msg="listening on :5000" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002

    2.3.2. File Storage

    Tag and image metadata is stored in OpenShift Container Platform, but the registry stores layer and signature data in a volume that is mounted into the registry container at /registry. As oc exec does not work on privileged containers, to view a registry’s contents you must manually SSH into the node housing the registry pod’s container, then run docker exec on the container itself:

    1. List the current pods to find the pod name of your Docker registry:

    # oc get pods

    Then, use oc describe to find the host name for the node running the container:

    # oc describe pod

    2. Log into the desired node:

    # ssh node.example.com

    3. List the running containers from the default project on the node host and identify the container ID for the Docker registry:

    # docker ps --filter=name=registry_docker-registry.*_default_

    4. List the registry contents using the oc rsh command:

    # oc rsh dc/docker-registry find /registry
    /registry/docker
    /registry/docker/registry
    /registry/docker/registry/v2
    /registry/docker/registry/v2/blobs (1)
    /registry/docker/registry/v2/blobs/sha256
    /registry/docker/registry/v2/blobs/sha256/ed
    /registry/docker/registry/v2/blobs/sha256/ed/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810
    /registry/docker/registry/v2/blobs/sha256/ed/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810/data (2)
    /registry/docker/registry/v2/blobs/sha256/a3
    /registry/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    /registry/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/data
    /registry/docker/registry/v2/blobs/sha256/f7
    /registry/docker/registry/v2/blobs/sha256/f7/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845
    /registry/docker/registry/v2/blobs/sha256/f7/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845/data
    /registry/docker/registry/v2/repositories (3)
    /registry/docker/registry/v2/repositories/p1
    /registry/docker/registry/v2/repositories/p1/pause (4)
    /registry/docker/registry/v2/repositories/p1/pause/_manifests
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures (5)
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810
    /registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810/link (6)
    /registry/docker/registry/v2/repositories/p1/pause/_uploads (7)
    /registry/docker/registry/v2/repositories/p1/pause/_layers (8)
    /registry/docker/registry/v2/repositories/p1/pause/_layers/sha256
    /registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    /registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/link (9)
    /registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845
    /registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845/link

    (1) This directory stores all layers and signatures as blobs.

    (2) This file contains the blob’s contents.

    (3) This directory stores all the image repositories.

    (4) This directory is for a single image repository p1/pause.

    (5) This directory contains signatures for a particular image manifest revision.

    (6) This file contains a reference back to a blob (which contains the signature data).

    (7) This directory contains any layers that are currently being uploaded and staged for the given repository.

    (8) This directory contains links to all the layers this repository references.

    (9) This file contains a reference to a specific layer that has been linked into this repository via an image.
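
    Because blobs sit under a directory named after their SHA-256 digest and repositories only hold link files pointing at them, the layout above can be audited for modified or missing data. The following is an added example, not part of the Red Hat documentation: the function names and the sample volume are constructed for illustration, and it assumes each link file holds the digest in the form sha256:<hex>.

```python
import hashlib
import os
import tempfile

V2 = os.path.join("docker", "registry", "v2")


def blob_data_path(root, digest):
    """Map 'sha256:<hex>' to <root>/docker/registry/v2/blobs/sha256/<2 hex>/<hex>/data."""
    algo, _, hexd = digest.partition(":")
    return os.path.join(root, V2, "blobs", algo, hexd[:2], hexd, "data")


def audit_registry(root):
    """Return (corrupt_blobs, dangling_links) for a registry volume at root."""
    corrupt, dangling = [], []
    # 1. Blobs are content-addressed: the directory name is the SHA-256 of data.
    for dirpath, _dirs, files in os.walk(os.path.join(root, V2, "blobs", "sha256")):
        if "data" not in files:
            continue
        h = hashlib.sha256()
        with open(os.path.join(dirpath, "data"), "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        if h.hexdigest() != os.path.basename(dirpath):
            corrupt.append(os.path.basename(dirpath))
    # 2. Every link file under repositories/ must point at a blob that exists.
    repos = os.path.join(root, V2, "repositories")
    for dirpath, _dirs, files in os.walk(repos):
        if "link" not in files:
            continue
        with open(os.path.join(dirpath, "link")) as fh:
            digest = fh.read().strip()  # assumed format: "sha256:<hex>"
        if not os.path.isfile(blob_data_path(root, digest)):
            dangling.append((os.path.relpath(dirpath, repos), digest))
    return sorted(corrupt), sorted(dangling)


def build_sample(root):
    """Constructed sample volume: one intact layer, one tampered, one missing."""
    def put_blob(content, stored=None):
        hexd = hashlib.sha256(content).hexdigest()
        path = blob_data_path(root, "sha256:" + hexd)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(content if stored is None else stored)
        return hexd

    def put_link(hexd):
        d = os.path.join(root, V2, "repositories", "p1", "pause",
                         "_layers", "sha256", hexd)
        os.makedirs(d)
        with open(os.path.join(d, "link"), "w") as fh:
            fh.write("sha256:" + hexd)

    good = put_blob(b"layer one")
    bad = put_blob(b"layer two", stored=b"layer two, modified on disk")
    missing = hashlib.sha256(b"layer three").hexdigest()  # link only, no blob
    for hexd in (good, bad, missing):
        put_link(hexd)
    return good, bad, missing


def demo():
    """Build the sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        good, bad, missing = build_sample(root)
        corrupt, dangling = audit_registry(root)
        return good, bad, missing, corrupt, dangling


if __name__ == "__main__":
    _good, _bad, _missing, corrupt, dangling = demo()
    print("corrupt blobs:", corrupt)
    print("dangling links:", dangling)
```

    Against a real volume, pass the directory mounted at /registry to audit_registry.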

    2.3.3. Accessing the Registry Directly

    For advanced usage, you can access the registry directly to invoke docker commands. This allows you to push images to or pull them from the integrated registry directly using operations like docker push or docker pull. To do so, you must be logged in to the registry using the docker login command. The operations you can perform depend on your user permissions, as described in the following sections.

    2.3.3.1. User Prerequisites

    To access the registry directly, the user that you use must satisfy the following, depending on your intended usage:

    For any direct access, you must have a regular user for your preferred identity provider. A regular user can generate an access token required for logging in to the registry. System users, such as system:admin, cannot obtain access tokens and, therefore, cannot access the registry directly.

    For example, if you are using HTPASSWD authentication, you can create one using the following command:

    # htpasswd /etc/origin/master/htpasswd

    For pulling images, for example when using the docker pull command, the user must have the registry-viewer role. To add this role:

    $ oc policy add-role-to-user registry-viewer

    For writing or pushing images, for example when using the docker push command, the user must have the registry-editor role. To add this role:

    $ oc policy add-role-to-user registry-editor

    For more information on user permissions, see Managing Role Bindings.

    2.3.3.2. Logging in to the Registry

    NOTE

    Ensure your user satisfies the prerequisites for accessing the registry directly.

    To log in to the registry directly:

    1. Ensure you are logged in to OpenShift Container Platform as a regular user:

    $ oc login

    2. Log in to the Docker registry by using your access token:

    docker login -u openshift -p $(oc whoami -t) :

    NOTE

    You can pass any value for the username; the token contains all necessary information. Passing a username that contains colons will result in a login failure.

    2.3.3.3. Pushing and Pulling Images

    After logging in to the registry, you can perform docker pull and docker push operations against your registry.

    IMPORTANT

    You can pull arbitrary images, but if you have the system:registry role added, you can only push images to the registry in your project.

    In the following examples, we use:

    Component Value

    172.30.124.220

    5000

    openshift

    busybox

    omitted (defaults to latest)

    1. Pull an arbitrary image:

    $ docker pull docker.io/busybox

    2. Tag the new image with th