Red Hat Logo

An Incremental Path to Microservices

As a consultant for Red Hat, I have the privilege of seeing many customers. Some of them are working to find ways to split their applications in smaller chunks to implement the microservices architecture. I’m sure this trend is generalized even outside my own group of the customers.

There is undoubtedly hype around microservices. Some organizations are moving toward microservices because it’s a trend, rather than to achieve a clear and measurable objective.

In the process, these organizations are missing a few key points, and when we all awake from this microservices “hype”, some of these organizations will discover that they now have to take care of ten projects when before they had one, without any tangible gain.

To understand what it takes to reap real benefits from microservices, let’s look at how this neologism came to being.

Continue reading “An Incremental Path to Microservices”

Improving User Experience using The Cloud

In part one of this series of blog posts, we discussed the importance of the user experience within the mobile industry, and how your API has a significant role in this. We followed up with part two, which demonstrates how to make API responses smaller and therefore use less network and fewer battery resources for mobile consumers.

Continue reading “Improving User Experience using The Cloud”

Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 2

Part 2 of 2

In part one of this blog post, we mentioned a pain point in Container based environments. We introduced SCAP as a means to measure compliance in computer systems and introduced ManageIQ as a means of automating Cloud & Container based workflows.

Continue reading “Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 2”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 1

Part 1 of 2

“Docker is about running random crap from the Internet as root on your host”  – Dan Walsh

Continue reading “Container Images Compliance – what we built at ManageIQ to remove a security pain point – part 1”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

Using Pipelines in OpenShift 3.3+ for CI/CD

It’s been a while since Red Hat released version 3.3 of OpenShift Container Platform, this version is full of features.

One of my favorites is the support for Pipelines (Tech Preview for now) that lets you easily integrate Jenkins builds on your OpenShift (Origin) Platform.

OpenShift Pipelines

OpenShift Pipelines are based on the Jenkins Pipeline plugin. (https://jenkins.io/solutions/pipeline/)

Integrating Jenkins Pipelines into OpenShift unlocks all the features for the CI/CD world enabling its users to easily manage repeatable tasks in the easiest way.

As you can imagine OpenShift lets you run a containerized version of the Jenkins container in one of your projects and then, after setting the right permission for the Jenkins’ ServiceAccount, it’ll do the job for you.

Pipelines are nothing more than a BuildConfig with type ‘JenkinsPipeline’.

But let’s take a more in-depth look using this simple scenario below:

  1. Jenkins OpenShift project: The base project, handling the Jenkins container and all the pipelines.
  2. Development OpenShift project: The project used for the development environment, it will handle the BuildConfig for building the app from source.
  3. Testing OpenShift project: The project used for the testing environment, it will not use any BuildConfig and it’ll expect ImageStream to be the only source for new deployments.

We’ll create two Pipelines that will simulate a Continuous Integration scenario:

  • Development Pipeline: It will trigger the BuildConfig for the development project and handle its deployment.
  • Testing Pipeline: It will handle the tagging/pulling/pushing operations to let the image flow from development project to testing project and then it will schedule a new deployment.

OpenShift start

First of all, I’ll start my OpenShift cluster, you can skip to the next section in case you’re already up & running.

For running OpenShift on my laptop, the easiest and fastest method I found is “oc cluster up”. All you need to do is to have a working Linux container daemon and an updated origin-clients package. On Fedora 25 I’ve successfully installed “origin-clients-1.3.1” from the default repos.

So that’s all, let’s “oc cluster up” my OpenShift platform:

[alex@freddy ~]$ oc cluster up --host-data-dir=/var/lib/origin/openshift.local.data --use-existing-config --version=v1.3.1 --public-hostname=192.168.123.1
-- Checking OpenShift client ... OK
-- Checking Docker client ... OK
-- Checking Docker version ... OK
-- Checking for existing OpenShift container ... Deleted existing OpenShift container
-- Checking for openshift/origin:v1.3.1 image ... OK
-- Checking Docker daemon configuration ... OK
-- Checking for available ports ...
-- Checking type of volume mount ... Using nsenter mounter for OpenShift volumes
-- Creating host directories ... OK
-- Finding server IP ... Using public hostname IP 192.168.123.1 as the host IP Using 192.168.123.1 as the server IP
-- Starting OpenShift container ...
Starting OpenShift using container 'origin'
Waiting for API server to start listening
OpenShift server started
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ...
Now using project "myproject" on server "https://192.168.123.1:8443".
-- Server Information ...
OpenShift server started.
The server is accessible via web console at:
https://192.168.123.1:8443
You are logged in as:
User: developer
Password: developer
To login as administrator:
oc login -u system:admin

Please note: I’ve manually created the “host-data” folder, the other options used are self-explanatory.

The Jenkins project

We should now be ready to sign into our OpenShift platform. openshift-first-login

Now, let’s create our first project, the Jenkins project: fireshot-capture-35-openshift-web-console-https___192-168-123-1_8443_console_create-project

Select the “Jenkins ephemeral” template. fireshot-capture-36-openshift-web-console_-https___192-168-123-1_8443_console

Leave all the parameters set to default and press create. At the end, you should see a notice like the following: Make a note of the generated password. You may need this in the future. (Anyway you can easily recover it should you need it).

fireshot-capture-37-openshift-web-console_-https___192-168-123-1_8443_console

Enabling Pipelines feature (currently in Tech Preview)

As you can see by clicking on the Builds tab menu, there is no trace of the Pipelines support. As specified in the title this feature is a tech preview, so we need to activate it. fireshot-capture-40-openshift-web-conso_-https___127-0-0-1_8443_console_project_jenkins_overview

For activating the Pipelines feature we need to create a JS config file, for enabling it:

# echo "window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE.pipelines = true;" >> /var/lib/origin/openshift.local.config/master/tech-preview.js

Please note: You can create the file in a location you prefer. Then we need to inject the file through the master-config.yaml file, in my case, using “oc cluster up”, it’s located in “/var/lib/origin/openshift.local.config/master/”. Place the following lines in your config file:

assetConfig: ... extensionScripts: - /var/lib/origin/openshift.local.config/master/tech-preview.js

Then restart your OpenShift master. You should then be able to find the Pipelines section under the Builds tab: fireshot-capture-41-openshift-web-conso_-https___127-0-0-1_8443_console_project_jenkins_overview

We’re almost ready to start working on our pipelines.

The development project

We can now create the development project, which we’ll use as a root for source building:

$ oc new-project development --display-name="Development" --description="Development project"
Now using project "development" on server "https://192.168.123.1:8443".

We can now use the template I just prepared for our development environment. In this demo, we’ll use the nodejs-example application available in the standard set of the OpenShift templates. Let’s populate the just created development project:

$ oc new-app https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/templates/nodejs-dev.json
--> Deploying template nodejs-example for "https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/templates/nodejs-dev.json"

Node.js
———
This is an example of a Node.js application with no database. For more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.

The following service(s) have been created in your project: nodejs-example.

For more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.

* With parameters:
* Name=nodejs-example
* Namespace=openshift
* Memory Limit=512Mi
* Git Repository URL=https://github.com/alezzandro/nodejs-ex.git
* Git Reference=
* Context Directory=
* Application Hostname=
* GitHub Webhook Secret=cR48n2GX67ADfxwi63uGomiXjxgMUCEykekbNR0G # generated
* Generic Webhook Secret=Hvx3stEhQuAmKPnjaujQHvYFV1cl1cvmh4IjXnri # generated
* Database Service Name=
* MongoDB Username=
* MongoDB Password=
* Database Name=
* Database Administrator Password=
* Custom NPM Mirror URL=

–> Creating resources with label app=nodejs-example …
service “nodejs-example” created
route “nodejs-example” created
imagestream “nodejs-example” created
buildconfig “nodejs-example” created
deploymentconfig “nodejs-example” created
–> Success
Use ‘oc start-build nodejs-example’ to start a build.
Run ‘oc status’ to view your app.

As you can see by running “oc get pods”, no deployment has started so no pods will be seen. This is a wanted behavior because we want to manage the build process and the deployment through a Jenkins’ Pipeline. For achieving this, I’ve just edited the original nodejs-ex template and removed all the triggers from the DeploymentConfig. Looking at our development project we’ll have created the following elements at the end: A BuildConfig, an ImageStream, a DeploymentConfig, a Route and a Service.

$ oc get all
NAME
bc/nodejs-example
NAME
is/nodejs-example
NAME
dc/nodejs-example
NAME
routes/nodejs-example
NAME
svc/nodejs-example

The testing project

We can now setup the testing project, like the development project I’ve already set up a template, removing the BuildConfig section. We’ll promote the container built in the development project to testing, using Jenkins Pipeline. Let’s create and populate the environment:

$ oc new-project testing --display-name="Testing" --description="Testing project"
Now using project "testing" on server "https://192.168.123.1:8443".

You can add applications to this project with the ‘new-app’ command. For example, try:

oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

$ oc new-app https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/templates/nodejs-test.json
–> Deploying template nodejs-example for “https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/templates/nodejs-test.json”

Node.js
———
This is an example of a Node.js application with no database. For more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.

The following service(s) have been created in your project: nodejs-example.

For more information about using this template, including OpenShift considerations, see https://github.com/openshift/nodejs-ex/blob/master/README.md.

* With parameters:
* Name=nodejs-example
* Namespace=openshift
* Memory Limit=512Mi
* Git Repository URL=https://github.com/alezzandro/nodejs-ex.git
* Git Reference=
* Context Directory=
* Application Hostname=
* GitHub Webhook Secret=XFlNUpDsLBotlrcyAnRQdLkKyq65iKE6xOMxqQr5 # generated
* Generic Webhook Secret=LX3PdBcU4dTKPyvTi8aw02VeXBjCxuJpyA7kgV8c # generated
* Database Service Name=
* MongoDB Username=
* MongoDB Password=
* Database Name=
* Database Administrator Password=
* Custom NPM Mirror URL=

–> Creating resources with label app=nodejs-example …
service “nodejs-example” created
route “nodejs-example” created
imagestream “nodejs-example” created
deploymentconfig “nodejs-example” created
–> Success
Run ‘oc status’ to view your app.

As you can see by running “oc get pods”, no deployment has started so no pods will be seen. This is a wanted behavior because we want to manage the deployment through a Jenkins’ Pipeline. For achieving this, I’ve just edited the original nodejs-ex template and removed all the triggers from the DeploymentConfig. Looking at our testing project we’ll have at the end the following elements created:

$ oc get all
NAME
is/nodejs-example
NAME
dc/nodejs-example
NAME
routes/nodejs-example
NAME
svc/nodejs-example

Please note: As I said before, there is no BuildConfig, we’ll promote the container built in the development project to testing, using Jenkins Pipeline.

Pipelines definition and import

Ok, we’re now ready to define our Pipelines. I’ve prepared two Jenkins’ pipelines, one for the development project and one for the testing project. Return back to the Jenkins project and import the two BuildConfigs containing the pre-configured pipelines:

$ oc project jenkins
Now using project "jenkins" on server "https://192.168.123.1:8443".

$ oc create -f https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/pipeline/development-pipeline.yaml
buildconfig “development-pipeline” created

$ oc create -f https://raw.githubusercontent.com/alezzandro/nodejs-ex/master/openshift/pipeline/promote2testing-pipeline.yaml
buildconfig “testing-pipeline” created

$ oc get bc
NAME TYPE FROM LATEST
development-pipeline JenkinsPipeline 0
testing-pipeline JenkinsPipeline 0

We can now take a look a what the two pipelines will be able to do.

Jenkins development pipeline

apiVersion: v1
kind: BuildConfig
metadata:
annotations:
pipeline.alpha.openshift.io/uses: '[{"name": "nodejs-example", "namespace": "development",
"kind": "DeploymentConfig"}]'
creationTimestamp: 2016-12-22T13:54:23Z
labels:
app: jenkins-pipeline-development
name: development-pipeline
template: application-template-development-pipeline
name: development-pipeline
namespace: jenkins
resourceVersion: "5781"
selfLink: /oapi/v1/namespaces/jenkins/buildconfigs/development-pipeline
uid: 24c166c2-c84e-11e6-b4f7-68f7286606f4
spec:
output: {}
postCommit: {}
resources: {}
runPolicy: Serial
source:
type: None
strategy:
jenkinsPipelineStrategy:
jenkinsfile: |-
node('maven') {
stage 'build'
openshiftBuild(buildConfig: 'nodejs-example', showBuildLogs: 'true', namespace: 'development')
stage 'deploy'
openshiftDeploy(deploymentConfig: 'nodejs-example', namespace: 'development')
}
type: JenkinsPipeline
...

As you can see this BuildConfig’s type is: “JenkinsPipeline” with a well-defined “JenkinsPipelineStrategy” defined through a “JenkinsFile”. The pipeline itself is composed of two stages:

  1. Build: we start the build process in the project/namespace “development” through the “BuildConfig” named: “nodejs-example”.
  2. Deploy: after the build, we can then start a new deployment in the project/namespace “development” through the “DeploymentConfig” named: “nodejs-example”.

 

Jenkins testing pipeline

$ oc get bc/testing-pipeline -o yaml
apiVersion: v1
kind: BuildConfig
metadata:
annotations:
pipeline.alpha.openshift.io/uses: '[{"name": "nodejs-example", "namespace": "testing",
"kind": "DeploymentConfig"}]'
creationTimestamp: 2016-12-22T13:54:30Z
labels:
app: jenkins-pipeline-testing
name: testing-pipeline
template: application-template-testing-pipeline
name: testing-pipeline
namespace: jenkins
resourceVersion: "5994"
selfLink: /oapi/v1/namespaces/jenkins/buildconfigs/testing-pipeline
uid: 292fa5e5-c84e-11e6-b4f7-68f7286606f4
spec:
output: {}
postCommit: {}
resources: {}
runPolicy: Serial
source:
type: None
strategy:
jenkinsPipelineStrategy:
jenkinsfile: |-
node('maven') {
stage 'tag'
openshiftTag(namespace: 'development', sourceStream: 'nodejs-example', sourceTag: 'latest', destinationNamespace: 'testing', destinationStream: 'nodejs-example', destinationTag: 'latest')
stage 'deploy'
openshiftDeploy(deploymentConfig: 'nodejs-example', namespace: 'testing')
}
type: JenkinsPipeline
...

As in the previous BuildConfig, you can see this BuildConfig’s type is: “JenkinsPipeline” with a well-defined “JenkinsPipelineStrategy” defined through a “JenkinsFile”. The pipeline itself is composed of two stages:

  1. Tag: we tag the latest ImageStream built on “development” project, setting the destination to “testing” project. Through this action, we’re promoting the image from dev to test environment.
  2. Deploy: after the image promotion, we can then deploy the new image in the “testing” project through the “DeploymentConfig” named: “testing”.

 

Jenkins Service Account

Now, we need to enable Jenkins service account (sa) to access and edit resources on “development” and “testing” project:

$ oc policy add-role-to-user edit system:serviceaccount:jenkins:jenkins -n testing
$ oc policy add-role-to-user edit system:serviceaccount:jenkins:jenkins -n development

Run the pipelines!

We’re now ready to see the pipelines in action! You can access the Pipelines page through Builds->Pipelines. 

We’re almost ready, just click on the “Start Pipeline” button for the “development-pipeline”. You’ll see the Build starting and moving forward:

Clicking on the “View Log” link will redirect you to the Jenkins login page. You can gain access through user “admin” and the generated password. The password is in the environment variables for the Jenkins pod.

At end of the process, you’ll see all the steps completed and marked in green:

We now have at least one image ready for the promotion process. We can start the testing-pipeline:

Finally, we can check the result by querying OpenShift using the web interface: Development project:

Testing project:

Or by console:

$ oc project development
Now using project "development" on server "https://192.168.123.1:8443".

$ oc get pods
NAME READY STATUS RESTARTS AGE
nodejs-example-1-build 0/1 Completed 0 23m
nodejs-example-1-trurc 1/1 Running 0 22m

$ oc project testing
Now using project “testing” on server “https://192.168.123.1:8443”.

$ oc get pods
NAME READY STATUS RESTARTS AGE
nodejs-example-1-b1kcf 1/1 Running 0 19m

That’s all! Should you have any doubts, please comment!

About Alessandro

Alessandro Arrichiello is a Platform Consultant for Red Hat Inc. He has a passion for GNU/Linux systems, that began at age 14 and continues today. He worked with tools for automating Enterprise IT: configuration management and continuous integration through virtual platforms. He’s now working on distributed cloud environment involving PaaS (OpenShift), IaaS (OpenStack) and Processes Management (CloudForms), Containers building, instances creation, HA services management, workflows build.


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

Red Hat Logo

Architectural Cross-Cutting Concerns of Cloud Native Applications

Several organizations are wondering (and sometimes struggling on) how to port their current workloads to cloud environments.

Continue reading “Architectural Cross-Cutting Concerns of Cloud Native Applications”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

Red Hat Logo

Spring Boot and OAuth2 with Keycloak

The tutorial Spring Boot and OAuth2 showed how to enable OAuth2 with Spring Boot with Facebook as AuthProvider; this blog is the extension of showing how to use KeyCloak as AuthProvider instead of Facebook. I intend to keep this example as close to the original Spring Boot and OAuth2 and will explain the changes to the configuration to make the same application work with KeyCloak. The source code for the examples are available in the github repositories listed below.

This project deploys and gets KeyCloak running in your environment.  Refer to the README on the repo for more information on how to set it up and get started.

This project is the same application used in Spring Boot and OAuth2 with some modifications done for this specific demo. The application deployment environment can be either minikube or MiniShift or RHEL CDK,  as a developer you don’t need to worry how it’s deployed there, as the application makes use of the super fabric8, which does the seamless deployment across different Kubernetes based environments. So from the projects all you have to do is issue the maven commands, the README of projects will guide you with the required maven commands. OK, I hope we spoke enough on how to setup, where to find source etc., but what was really done to make this work is what we will see now. Before we go further let’s take a look at the applicaiton.yml, which was used on the original Spring Boot and OAuth2.

The important changes from this one with respect to Keycloak are:

  • accessTokenUri

 The required REST URI to get the “access_token” for Keycloak is “http://keycloakHost:keycloakPort/auth/realms/{relam}/protocol/openid-connect/token”.

  • userAuthorizationUri

 The required REST URI to authorize a user for Keycloak is “http://keycloakHost:keycloakPort/auth/realms/{relam}/protocol/openid-connect/auth”.

  • tokenName

We don’t need to set this explicitly, as by default spring-security uses the “access_token” which can be retrieved form Keycloak OAuth2 response.

  • authenticationScheme

This property is used to define how the credentials are sent to the Auth provider, Keycloak expects it to be “header”, we can ignore this property as spring-security-oauth by default sets the “header” authentication scheme.

  • clientAuthenticationScheme

This property will be used to determine how the “token” is transmitted to the Auth provider, as Keycloak uses the “header” based authentication scheme we can either set this property to “header” or skip it, as by default the clientAuthenticaitonScheme is set to “header” by spring-security-oauth.

I preferred to set these values specifically for better readability and understanding of the application.yml. For this demo application we will be using a realm called “springboot” with a clientId as “spring-boot-demos”, the new application.yml with the updates for Keycloak looks as follows:

The environment variables ${CLIENT_ID} and ${CLIENT_SECRET} are made available via the Kubernetes secret, which are the base64 encoded values of clientId “spring-boot-demos” and its corresponding client secret which is available here. The ${KEYCLOAK_URL} will be dynamically computed via fabric8 annotations and set as environment variable in the springbook-keycloak-demo deployment, this is done using the exposecontroller pod which will be available from fabric8 and will be deployed to the minikube or  MiniShift or RHEL CDK environments. Please refer to the fabric8 documentation on how to set it up for the environment of your choice. Now we are all set to deploy the application and check its integration with Keycloak, to get the application deployed you need to do the following.

  • Setup KeyCloak with demo realm
    • Clone the keycloak-demo-server setup from github, lets call the project directory as $KEYCLOAK_SERVER_HOME.
    • Form the $KEYCLOAK_SERVER_HOME run command “mvn clean install fabric8:deploy”, this command will deploy Keycloak  with demo realm and users pre-loaded.
    • To access the Keycloak url, use the command “gofabric8 service keycloak-demo-server –url” to obtain the url of the deployed Keycloak and use the output url on the console to access Keycloak.
    • The default admin credentials is “admin/admin”.
    • For demo users and more detailed deployment configuration refer to the README.
  • Deploy the Spring Boot demo application
    • Clone the keycloak-demo-server setup from github, lets call the project directory as $DEMO_APP_HOME.
    • Form the $DEMO_APP_HOME run the command “mvn -Pfabric8 clean install fabric8:deploy”, this command will deploy the Spring Boot application.
    • To access the application url, use the command “gofabric8 service springboot-keycloak-demo –url” to obtain the url of the deployed application and use the output url on the console to access the application.
    • The demo users found here can be used to login to the demo application.
    • For any additional details on deployment refer to README.

You need to wait for sometime for the pods to be available and running before you can use the application. Last but not the least, the Keycloak setup using the steps described above has a mock url set for the client “spring-boot-demos” pointing to localhost:8080, you need to update this using the Keycloak admin console and set client urls to application url retrieved using the command “gofabric8 service springboot-keycloak-demo –url” e.g. assuming that your application url from command “gofabric8 service springboot-keycloak-demo –url” is “http://192.168.64.14:30219” then the following screenshots shows the updates done via Keycloak console.

screen-shot-2016-12-12-at-10-29-35-pmscreen-shot-2016-12-12-at-10-30-13-pm

There you go, now you have a spring boot demo application configured to work with Keycloak, your application can now be configured with Single OAuth2 provider KeyCloak which can then be configured to provide;

  • New User Registrations
  • Integrate with LDAP
  • Integrate with Third Party Identity providers like GitHub, Google etc.,
  • And much more…

Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

That app you love, part 10: Long live "that app you love"

Welcome to the tenth and final installment of That App You Love, a blog series in which I show you how to you can make almost any app into a first-class cloud citizen. If you want to start from the beginning, jump back and check out Part 1: Making a Connection. You’ll need the docker service and the oc utility to follow along in this post; for instructions check out Part 5: Upping Our (Cloud) Game.

Wow, we’ve come a long way! Back in Part 1, we were struck with this crazy idea – let’s take an app we love, containerize it, and then kick it up to the cloud in a way that is secure, robust, and stateful. Along the way, we explored:

  • The idea of a Config-and-Run container image
  • A mini-cloud that we can run on a single machine, with a single command
  • A cast of objects that turned our app into a fully-fledged cloud citizen

And in this final installment, we’ll hit on a few last items that will really put that minty fresh scent on That App You Love.

Continue reading “That app you love, part 10: Long live "that app you love"”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

That app you love, part 9: Storage and statefulness

Welcome to the ninth installment of That App You Love, a blog series in which I show you how to you can make almost any app into a first-class cloud citizen. If you want to start from the beginning, jump back and check out Part 1: Making a Connection. You’ll need the docker service and the oc utility to follow along in this post; for instructions check out Part 5: Upping Our (Cloud) Game.

In Part 8 we learned how to deploy our app in a way that is repeatable, and also adds some basic security to our application. Now it’s time to create some state for the containerized ZNC app we’ve been playing with – but hey, forget about ZNC! We’re really talking about That App You Love, and we are very close to achieving a cloud-friendly version that is secure, robust, and stateful.

Continue reading “That app you love, part 9: Storage and statefulness”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.

Understanding OpenShift Security Context Constraints

OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster. Security context constraints allow administrators to control permissions for pods using the CLI.

SCCs allow an administrator to control the following:

  1. Running of privileged containers.
  2. Capabilities a container can request to be added.
  3. Use of host directories as volumes.
  4. The SELinux context of the container.
  5. The user ID.
  6. The use of host namespaces and networking.
  7. Allocating an ‘FSGroup’ that owns the pod’s volumes
  8. Configuring allowable supplemental groups
  9. Requiring the use of a read only root file system
  10. Controlling the usage of volume types
  11. Configuring allowable seccomp profiles

Continue reading “Understanding OpenShift Security Context Constraints”


Join Red Hat Developers, a developer program for you to learn, share, and code faster – and get access to Red Hat software for your development.  The developer program and software are both free!

 


For more information about Red Hat OpenShift and other related topics, visit: OpenShift, OpenShift Online.