Authentication and Authorization

Create a local htpasswd file:

htpasswd -c -B -b ./htpasswd admin redhat
htpasswd -b ./htpasswd developer developer

Then log in as admin and create the secret:

oc create secret generic localusers \
  --from-file htpasswd=./htpasswd \
  -n openshift-config

You can also use set to update the secret:

oc set data secret/localusers -n openshift-config --from-file htpasswd=./htpasswd

Add the cluster-admin role to the new admin account; it is fine to ignore the warnings, since the admin user does not exist in the system yet:

Taint, Toleration, Label, And Node Selector

In Kubernetes these can be confusing in daily work, so they are worth a post here.

Taint

It functions like assigning a node a default attribute, like a tattoo, and this tattoo has its magic effects.

kubectl taint nodes node1 key1=value1:NoSchedule   # add taint
kubectl taint nodes node1 key1=value1:NoSchedule-  # remove taint

This translates to setting an attribute on node1 so that no pod will be scheduled there unless the pod carries a toleration for key1=value1.

Redhat KVM

A simple memo about how to create properly PXE-bootable KVM instances on RHEL8.

Create Virtual Port

Several different types of port can be used on KVM instances: you can choose a physical interface such as eno1 or bond0, or you can use a bridge as an overlay on top of it. Create bond0 based on eno2:

nmcli con add type team con-name bond0 ifname bond0 config '{"runner": {"name": "activebackup"}}'
nmcli con add type team-slave con-name bond0-eno2 ifname eno2 master bond0
nmcli dev dis eno2
nmcli con up bond0

Create bridge:

This method has been tested working on a single-master k8s; for multi-master clusters it may not work! Kubernetes requires certs on each node and master to validate each other's integrity, and if a cert ever expires you'd see an error like this:

Unable to connect to the server: x509: certificate has expired or is not yet valid.

To fix this cluster, we first need to verify the cert status by:

$ openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.

Redhat Openstack has built-in pacemaker to manage the status of a few docker containers, and it also affects how Mariadb works on Openstack. Usually when you see a Mariadb failure on Redhat Openstack, you would see something like this:

[[email protected] etc]# pcs status
Cluster name: tripleo_cluster
Stack: corosync
Current DC: controller1 (version 1.1.19-8.el7_6.2-c3c624ea3d) - partition with quorum
Last updated: Thu May 7 21:55:43 2020
Last change: Thu May 7 21:51:15 2020 by hacluster via crmd on controller2

12 nodes configured
36 resources configured

Online: [ controller1 controller2 controller3 ]
GuestOnline: [ [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] ]

Full list of resources:

Docker container set: rabbitmq-bundle [10.

Mariadb in a Galera Cluster Maintenance and Recovery

Introduction

This document covers how to perform system maintenance on the Mariadb database while it is in active production, and how to recover from power outages or network failure.

Environment

SCM (Scyld Cloud Manager) currently leverages the Kolla OpenStack project, which packages the OpenStack services into Docker containers. The mariadb database utilizes galera to run a database cluster on the three OpenStack controller systems. The cluster provides high availability as well as scalability.

Terraform Hints

Terraform now provides new functions, making itself more powerful as a configuration management tool. Here are some memos:

To join a variable value with a fixed string: "test-${each.key}"

cidrsubnet

The official Terraform documents have an example like the following, explained in a rather inhuman way, so I'll try to interpret it from a network expert's perspective.

cidrsubnet(prefix, newbits, netnum)

And an example below:

> cidrsubnet("172.16.0.0/12", 4, 2)
172.18.0.0/16
> cidrsubnet("10.1.2.0/24", 4, 15)
10.

HyperFlex Hints

Upgrade and Maintenance Tool

A HyperFlex cluster can be managed by using the daemon agent on the ESXi hosts directly: users may ssh into the agents and issue stcli commands.

stcli cluster start or stcli cluster stop can bring the entire ceph cluster up or down.

stcli node maintenanceMode --ip <hostIP> --mode enter puts a host into HX maintenance mode (MM).

Upgrade HX agents only:

stcli cluster upgrade --components hxdp \
  --location /tmp/storfs-packages-1.8.1c-19694.tgz \
  --vcenter-user [email protected]

An upgrade can put an extremely heavy load on the hosts: it places hosts in maintenance mode one by one, and this may cause problems because DRS will try to move VMs back onto the host that is being upgraded; when that migration takes too long, the stcli cluster upgrade process can time out.

Website security seems increasingly important these days, and has made some users hesitate to visit a webpage without a trusted cert. To have such a site, the owner traditionally needs to take care of a domain name, server hosting and SSL certs, which is way too costly for non-profit personal blogs. Is it possible to get them all in one for FREE? The answer is yes! Let me show you how to get them quickly.

Reposted from the int32bit blog

Introduction to OpenStack Advanced Features

1. Virtual machine soft delete

Normally, when a user deletes a virtual machine, it is immediately removed from the underlying hypervisor and cannot be recovered. To guard against accidental human error, Nova supports enabling soft delete, also called delayed delete. The delay is specified by the reclaim_instance_interval option in the Nova configuration file /etc/nova/nova.conf, as follows:

[DEFAULT]
...
reclaim_instance_interval = 120

With this set, when a normal delete is issued Nova does not delete the virtual machine immediately but waits two minutes. During that interval an administrator can restore the virtual machine at any time; only after 120 seconds have passed is the deletion actually carried out, after which it cannot be recovered.

To demonstrate this feature, we delete the virtual machine int32bit-test-2:

# nova list
+--------------------------------------+-----------------+--------+------------+-------------+-------------------+
| ID                                   | Name            | Status | Task State | Power State | Networks          |
+--------------------------------------+-----------------+--------+------------+-------------+-------------------+
| 8f082394-ffd2-47db-9837-a8cbd1e011a1 | int32bit-test-1 | ACTIVE | -          | Running     | private=10.0.0.6  |
| 9ef2eea4-77dc-4994-a2d3-a7bc59400d22 | int32bit-test-2 | ACTIVE | -          | Running     | private=10.0.0.13 |
+--------------------------------------+-----------------+--------+------------+-------------+-------------------+
# nova delete 9ef2eea4-77dc-4994-a2d3-a7bc59400d22
Request to delete server 9ef2eea4-77dc-4994-a2d3-a7bc59400d22 has been accepted.

Charles

Love coding and new technologies

Cloud Solution Consultant

Canada