Before running oc commands you must log in with oc login; here we log in as dev.
[root@node01 install]# oc login -u dev https://node01:8443
The server is using a certificate that does not match its hostname: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, openshift, openshift.default, openshift.default.svc, openshift.default.svc.cluster.local, 127.0.0.1, 172.17.0.1, 172.30.0.1, 192.168.163.135, not node01
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Authentication required for https://node01:8443 (openshift)
Username: dev
Password:
Login successful.
You have one project on this server: "hello-world"
Using project "hello-world".
Welcome! See 'oc help' to get started.
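As an added example (not part of the original post), the check below shows which server addresses a certificate covers, so that oc login can be pointed at a covered address, such as the 192.168.163.135 in the list above, instead of answering y to the bypass prompt. The certificate is a constructed sample carrying a few of the names from the error message, and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: test which server names a certificate actually covers.

# Build a throwaway self-signed certificate (constructed sample) whose SANs are
# a subset of the names listed in the oc login error message.
make_sample_cert() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=openshift" \
        -addext "subjectAltName=DNS:kubernetes,DNS:openshift,DNS:localhost,IP:127.0.0.1,IP:192.168.163.135" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# Return 0 if <name> (DNS name or IPv4 address) is covered by the PEM certificate.
cert_covers() {
    local cert=$1 name=$2 flag=-checkhost
    # IPv4 literals must be matched against IP SANs, not DNS SANs.
    if printf '%s\n' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        flag=-checkip
    fi
    openssl x509 -in "$cert" -noout "$flag" "$name" 2>&1 \
        | grep -q 'does match certificate'
}

# From a list of candidate addresses, print those that pass verification as-is.
usable_addresses() {
    local cert=$1 n
    shift
    for n in "$@"; do
        cert_covers "$cert" "$n" && printf '%s\n' "$n"
    done
    return 0
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
usable_addresses "$demo_dir/cert.pem" node01 192.168.163.135 localhost
```

Against the real server, save its certificate with openssl s_client -connect 192.168.163.135:8443 </dev/null | openssl x509 > cert.pem and pass that file to usable_addresses. oc login also accepts --certificate-authority to trust the cluster CA file.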
Create a new project with the oc new-project command.
[root@node01 install]# oc new-project hello-world-oc
Now using project "hello-world-oc" on server "https://node01:8443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
to build a new example application in Ruby.
Use oc new-app to deploy an image from a Docker image registry such as Docker Hub.
[root@node01 install]# oc new-app openshift/hello-openshift
warning: Cannot find git. Ensure that it is installed and in your path. Git is required to work with git repositories.
--> Found Docker image 7af3297 (14 months old) from Docker Hub for "openshift/hello-openshift"
* An image stream will be created as "hello-openshift:latest" that will track this image
* This image will be deployed in deployment config "hello-openshift"
* Ports 8080/tcp, 8888/tcp will be load balanced by service "hello-openshift"
* Other containers can access this service through the hostname "hello-openshift"
--> Creating resources ...
imagestream "hello-openshift" created
deploymentconfig "hello-openshift" created
service "hello-openshift" created
--> Success
WARNING: No Docker registry has been configured with the server. Automatic builds and deployments may not function.
Run 'oc status' to view your app.
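Run oc get pod to list the containers in the current project. As in Kubernetes, every Docker container in OpenShift is wrapped inside a Pod, so a Pod can be thought of, roughly, as the Docker container we want to run.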
[root@node01 install]# oc get pod
NAME READY STATUS RESTARTS AGE
hello-openshift-1-qw9m7 1/1 Running 0 1m
Run oc describe pod to see a Pod's name, status, namespace (project), labels, IP, and so on.
[root@node01 install]# oc describe pod
Name: hello-openshift-1-qw9m7
Namespace: hello-world-oc
Security Policy: restricted
Node: node01/192.168.163.135
Start Time: Tue, 18 Jun 2019 01:39:10 -0700
Labels: app=hello-openshift
deployment=hello-openshift-1
deploymentconfig=hello-openshift
Status: Running
IP: 172.17.0.4
Controllers: ReplicationController/hello-openshift-1
Containers:
hello-openshift:
Container ID: docker://845956caa08624b68df50796274db2e1393f037e520d025f45153cc95a8fb57b
Image: openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e
Image ID: docker-pullable://openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e
Ports: 8080/TCP, 8888/TCP
State: Running
Started: Tue, 18 Jun 2019 01:39:15 -0700
Ready: True
Restart Count: 0
Volume Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-wg2zs (ro)
Environment Variables: <none>
Conditions:
Type Status
Initialized True
Ready True
PodScheduled True
Volumes:
default-token-wg2zs:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-wg2zs
QoS Class: BestEffort
Tolerations: <none>
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
3m 3m 1 {default-scheduler } Normal Scheduled Successfully assigned hello-openshift-1-qw9m7 to node01
2m 2m 1 {kubelet node01} spec.containers{hello-openshift} Normal Pulling pulling image "openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e"
2m 2m 1 {kubelet node01} spec.containers{hello-openshift} Normal Pulled Successfully pulled image "openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e"
2m 2m 1 {kubelet node01} spec.containers{hello-openshift} Normal Created Created container with docker id 845956caa086; Security:[seccomp=unconfined]
2m 2m 1 {kubelet node01} spec.containers{hello-openshift} Normal Started Started container with docker id 845956caa086
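Logging in as the cluster administrator
In OpenShift the default cluster administrator is system:admin. This user has the highest privileges but no password; it authenticates with a certificate and key.
1. Copy the login configuration file; if prompted that it already exists, choose to overwrite.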
[root@node01 install]# mkdir -p ~/.kube
[root@node01 install]# cp /app/openshift/openshift.local.config/master/admin.kubeconfig ~/.kube/config
cp: overwrite ‘/root/.kube/config’? y
[root@node01 install]#
2. Log in with the oc login command.
[root@node01 install]# oc login -u system:admin
Logged into "https://192.168.163.135:8443" as "system:admin" using existing credentials.
You have access to the following projects and can switch between them with 'oc project <projectname>':
* default
hello-world
hello-world-oc
kube-system
openshift
openshift-infra
Using project "default".
3. Run oc whoami to see the logged-in user.
[root@node01 install]# oc whoami
system:admin
Try oc get node to view the cluster's node information; only an administrator can see it.
[root@node01 install]# oc get node
NAME STATUS AGE
node01 Ready 5h
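Adding a Router
The Router is an important component of an OpenShift cluster. It is the entry point for external access to the container applications in the cluster: every request from outside the cluster first reaches the Router, which dispatches it to the right container.
Switch to the default project.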
[root@node01 install]# oc project default
Already on project "default" on server "https://192.168.163.135:8443".
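The Router component needs to read cluster information, so it is associated with a system account (Service Account) and that account is granted permissions. A Service Account is an OpenShift account intended for programs and components. Different users are associated with different Security Context Constraints (SCC), and users and groups are also bound to different system roles.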
[root@node01 install]# oadm policy add-scc-to-user privileged system:serviceaccount:default:router
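(The command above does not need to be run.)
Run the oadm router command to create a Router instance, specifying the Router's name (router01 in the command below). The --replicas=1 parameter means only one instance is created; in production several are created for load balancing and to avoid a single point of failure.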
[root@node01 install]# oadm router router01 --replicas=1 --service-account=router
info: password for stats user admin has been set to 0l5zAz4Hy5
--> Creating router router01 ...
warning: serviceaccounts "router" already exists
clusterrolebinding "router-router01-role" created
deploymentconfig "router01" created
service "router01" created
--> Success
oadm is aimed at cluster administrators and is used for cluster management and configuration.
Use oc get pod -n default to check the status of the Router container.
[root@node01 install]# oc get pod -n default
NAME READY STATUS RESTARTS AGE
router-1-deploy 0/1 Error 0 38m
router01-1-hp6t8 1/1 Running 0 1m
The Router container's status is Running. Checking the listening ports shows that 80 and 443 are being listened on by HAProxy.
[root@node01 install]# ss -ltn |egrep -w "80|443"
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:443 *:*
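Technically, the Router is a specially configured HAProxy running in a container.
The Router component is now deployed.
The Router controls access from external IPs into the cluster.
Adding a Registry
Deploy the cluster's internal Docker Registry, that is, the internal Docker image repository. S2I helps convert an application's source code into a deployable Docker image.
1. Switch to the default project.
2. Run the following command to deploy the Registry.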
[root@node01 install]# oadm registry --config /app/openshift/openshift.local.config/master/admin.kubeconfig --service-account=registry
--> Creating registry registry ...
serviceaccount "registry" created
clusterrolebinding "registry-registry-role" created
deploymentconfig "docker-registry" created
service "docker-registry" created
--> Success
3. Run oc get pod to see that the Registry container is running.
[root@node01 install]# oc get pod
NAME READY STATUS RESTARTS AGE
docker-registry-1-deploy 1/1 Running 0 39s
docker-registry-1-ncm7p 0/1 ContainerCreating 0 32s
router-1-deploy 0/1 Error 0 45m
router01-1-hp6t8 1/1 Running 0 8m
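In this example the Registry we deployed does not have HTTPS enabled, so Docker's configuration must be changed to let Docker connect to the Registry without HTTPS. Edit /etc/sysconfig/docker and append --insecure-registry=172.30.0.0/16 to the value of the OPTIONS variable. The modified value is as follows: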
OPTIONS='--selinux-enabled --log-driver=journald --registry-mirror=https://docker.mirrors.ustc.edu.cn --insecure-registry=172.30.0.0/16'
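The Registry component is now deployed.
Adding Image Streams
An Image Stream is a collection of images: it defines a set of named tags and the specific image each name and tag points to. In practice, deploying a container application on OpenShift does not require an Image Stream; specifying the image address directly also works. Image Streams make it convenient to manage a group of related images together. OpenShift Origin defines a set of ready-to-use Image Streams for users by default.
1. Switch to the openshift project.
2. Import the Image Streams with the following command.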
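The edit to /etc/sysconfig/docker described above, as an added example rather than code from the original post: a function that appends the flag only once, keeps a backup, and accepts only a bare IPv4 CIDR. The /16 width limit and the function names are assumptions of this example, and the sample file is constructed from the OPTIONS line shown above.

```bash
#!/usr/bin/env bash
# Added example: manage --insecure-registry in a docker sysconfig file.

# Print each --insecure-registry value on the OPTIONS line, one per line.
list_insecure_registries() {
    grep -E '^OPTIONS=' "$1" \
        | grep -oE -- "--insecure-registry[= ][^ '\"]+" \
        | sed -E 's/^--insecure-registry[= ]//'
}

# Append --insecure-registry=<cidr> to a single-quoted OPTIONS line.
# Idempotent; rejects URLs and (assumption) any range wider than /16.
add_insecure_registry() {
    local file=$1 cidr=$2
    if ! printf '%s\n' "$cidr" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/(1[6-9]|2[0-9]|3[0-2])$'; then
        echo "refusing '$cidr': want a bare IPv4 CIDR of /16 or narrower" >&2
        return 2
    fi
    if list_insecure_registries "$file" | grep -qxF -- "$cidr"; then
        return 0    # already present, leave the file untouched
    fi
    cp -p "$file" "$file.bak"    # keep the previous version for rollback
    sed -E "s#^(OPTIONS='.*)'[[:space:]]*\$#\1 --insecure-registry=${cidr}'#" \
        "$file.bak" > "$file"
    # Fail loudly if the OPTIONS line had a shape the sed above did not match.
    list_insecure_registries "$file" | grep -qxF -- "$cidr"
}

# Constructed sample: the OPTIONS line from this page before the change.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --registry-mirror=https://docker.mirrors.ustc.edu.cn'
EOF
add_insecure_registry "$sample" 172.30.0.0/16
add_insecure_registry "$sample" 172.30.0.0/16    # second call changes nothing
list_insecure_registries "$sample"
```

Docker reads this file at start-up, so the change takes effect after systemctl restart docker.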
[root@node01 install]# curl https://raw.githubusercontent.com/openshift/origin/v1.
400: Invalid request
[root@node01 install]# curl https://raw.githubusercontent.com/openshift/origin/v1.5.1/examples/image-streams/image-streams-centos7.json|oc create -f - -n openshift
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 35657 100 35657 0 0 27373 0 0:00:01 0:00:01 --:--:-- 27386
imagestream "ruby" created
imagestream "nodejs" created
imagestream "perl" created
imagestream "php" created
imagestream "python" created
imagestream "wildfly" created
imagestream "mysql" created
imagestream "mariadb" created
imagestream "postgresql" created
imagestream "mongodb" created
imagestream "redis" created
imagestream "jenkins" created
3. The oc get is -n openshift command lists the Image Stream objects just imported.
[root@node01 install]# oc get is -n openshift
NAME DOCKER REPO TAGS UPDATED
jenkins 172.30.168.123:5000/openshift/jenkins
mariadb 172.30.168.123:5000/openshift/mariadb
mongodb 172.30.168.123:5000/openshift/mongodb
mysql 172.30.168.123:5000/openshift/mysql
nodejs 172.30.168.123:5000/openshift/nodejs 4,latest,0.10 41 seconds ago
perl 172.30.168.123:5000/openshift/perl 5.20,5.16,latest + 1 more... 29 seconds ago
php 172.30.168.123:5000/openshift/php latest,7.0,5.6 + 1 more... 17 seconds ago
postgresql 172.30.168.123:5000/openshift/postgresql
python 172.30.168.123:5000/openshift/python latest,3.5,3.4 + 2 more... 3 seconds ago
redis 172.30.168.123:5000/openshift/redis
ruby 172.30.168.123:5000/openshift/ruby latest,2.3,2.2 + 1 more... 55 seconds ago
wildfly 172.30.168.123:5000/openshift/wildfly
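If you now open the OpenShift web console, enter the Hello World project and click Add to project on the Overview page, a series of available images is listed on the page.
Adding a Template
Deploying a simple container application is easy: docker run or oc new-app does it directly, but not for applications that are complex, parameterized, or have external dependencies. For those, OpenShift introduces the concept of the application deployment Template, which lets you define deployment templates that meet enterprise needs and build an internal software marketplace.
1. Switch to the openshift project.
2. Download and create the Template for a CakePHP example application. From the service catalog, users can then click the corresponding entry to deploy a CakePHP application and a MySQL database in one step.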
[root@node01 install]# oc create -f https://raw.githubusercontent.com/openshift/origin/v1.5.1/examples/quickstarts/cakephp-mysql.json -n openshift
template "cakephp-mysql-example" created
Use oc get template cakephp-mysql-example -o json -n openshift to view the template's details.
[root@node01 install]# oc get template cakephp-mysql-example -o json -n openshift
{
"apiVersion": "v1",
"kind": "Template",
"labels": {
"template": "cakephp-mysql-example"
},
"message": "The following service(s) have been created in your project: ${NAME}, ${DATABASE_SERVICE_NAME}.\n\nFor more information about using this template, including OpenShift considerations, see https://github.com/openshift/cake-ex/blob/master/README.md.",
"metadata": {
"annotations": {
"description": "An example CakePHP application with a MySQL database. For more information about using this template, including OpenShift considerations, see https://github.com/openshift/cakephp-ex/blob/master/README.md.\n\nWARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.",
"iconClass": "icon-php",
"openshift.io/display-name": "CakePHP + MySQL (Ephemeral)",
"tags": "quickstart,php,cakephp",
"template.openshift.io/documentation-url": "https://github.com/openshift/cakephp-ex",
"template.openshift.io/long-description": "This template defines resources needed to develop a CakePHP application, including a build configuration, application deployment configuration, and database deployment configuration. The database is stored in non-persistent storage, so this configuration should be used for experimental purposes only.",
"template.openshift.io/provider-display-name": "Red Hat, Inc.",
"template.openshift.io/support-url": "https://access.redhat.com"
},
"creationTimestamp": "2019-06-18T10:14:51Z",
"name": "cakephp-mysql-example",
"namespace": "openshift",
"resourceVersion": "5852",
"selfLink": "/oapi/v1/namespaces/openshift/templates/cakephp-mysql-example",
"uid": "e927db62-91b1-11e9-bd87-000c29c44e6d"
},
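Refresh the catalog page of the OpenShift web console and type cake; the application template just imported appears.
The OpenShift Origin GitHub repository contains many templates; download the ones you need and import them with oc create -f.
OpenShift Origin examples: https://github.com/openshift/origin/tree/v1.5.1/examples
Run the following command to import the wildfly-basic-s2i template; it will be used later.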
[root@node01 install]# oc create -f https://raw.githubusercontent.com/nichochen/openshift-book-source/master/template/wildfly-basic-s2i.template.json -n openshift
template "wildfly-basic-s2i" created
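Note that all Image Streams and Templates created in the openshift project are visible to every user and project in the cluster.
Deploying an application
Deploy the CakePHP application and the MySQL database.
1. Log in to the OpenShift web console and create a project: enter the project name hello-world-php and the display name Hello World PHP, then click Create.
2. Type cake into the service filter and find the cakephp-mysql-example template.
3. Selecting the Template takes you to the parameter page. There, set the Application Hostname property to php.apps.examples.com and click Create.
4. Go to Overview. OpenShift now creates the corresponding objects in the background and downloads the required container images. The MySQL container finishes fairly quickly. CakePHP involves an image build, that is, Source to Image; click View Log to follow it. OpenShift downloads the specified PHP source code from the GitHub repository, injects the code into an image containing the PHP runtime, and produces a new image containing both the PHP application and the PHP runtime, which it pushes to the internal image registry deployed earlier.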