From rhallise at redhat.com Fri Dec 1 17:08:37 2017
From: rhallise at redhat.com (Ryan Hallisey)
Date: Fri, 1 Dec 2017 12:08:37 -0500
Subject: [Ansible-service-broker] CI and broker brief outage

Hey folks,

In order to merge the bind credential change, the broker in master and
Travis CI are going to be temporarily broken. Once PR#555 merges,
everything will go back to normal.

Thanks,
Ryan

PR #555
https://github.com/openshift/ansible-service-broker/pull/555

PR #555 dependencies:
https://github.com/ansibleplaybookbundle/ansible-asb-modules/pull/8
https://github.com/ansibleplaybookbundle/apb-base/pull/7


From dymurray at redhat.com Fri Dec 1 20:36:20 2017
From: dymurray at redhat.com (Dylan Murray)
Date: Fri, 1 Dec 2017 15:36:20 -0500
Subject: [Ansible-service-broker] APB Tutorial Blogs

All,

I have posted a couple of tutorials in markdown to be used as blogs for
the 3.7 release. The first walks through creating a Mediawiki and Postgres
APB and focuses on showing an example of binding. I also did one on
RocketChat demonstrating persistent storage.

Please feel free to leave some feedback or tell me how I can improve this
and make it better. I consider it still a WIP as I'm just getting used to
reading it outside of vim.

https://github.com/dymurray/apb-blogs/

Thanks,
Dylan


From rhallise at redhat.com Wed Dec 6 14:33:11 2017
From: rhallise at redhat.com (Ryan Hallisey)
Date: Wed, 6 Dec 2017 09:33:11 -0500
Subject: [Ansible-service-broker] Kubernetes apbs

Morning,

I put together a pull request documenting the pattern for creating apbs
on kubernetes and openshift [1]. If you want to see it in code, the
relevant pull requests are [2][3][4].

A short summary of how this works - The broker is going to pass in the
'cluster' it's running on as an extravar to the apb. Then, the apb is
going to run either the playbook 'kubernetes' or 'openshift'.
If anyone wants to help get this kubernetes work finished, I'll need some
reviews on the pull requests below and I'll need some help adding
Kubernetes playbooks to all the apbs we currently have.

Thanks,
-Ryan

[1] - https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/pull/171
[2] - https://github.com/ansibleplaybookbundle/mediawiki-apb/pull/17
[3] - https://github.com/ansibleplaybookbundle/postgresql-apb/pull/23
[4] - https://github.com/openshift/ansible-service-broker/pull/577


From jmatthew at redhat.com Thu Dec 7 17:34:46 2017
From: jmatthew at redhat.com (John Matthews)
Date: Thu, 7 Dec 2017 12:34:46 -0500
Subject: [Ansible-service-broker] APB Developer Guide published to docs.openshift.com

The APB Developer Guide was recently published to docs.openshift.com as
part of the 3.7 release.

https://docs.openshift.com/container-platform/3.7/apb_devel/index.html


From rhallise at redhat.com Mon Dec 11 21:00:27 2017
From: rhallise at redhat.com (Ryan Hallisey)
Date: Mon, 11 Dec 2017 16:00:27 -0500
Subject: [Ansible-service-broker] k8s-playbook meeting summary

Hey folks,

Here are the takeaways from today's meeting:

k8s-apbs options:
https://gist.github.com/rthallisey/17d89614ace66ae841dfbdc9baf8bdd1

From the gist, we're going to use a combination of options 3 and 5: Use
kubernetes resources everywhere and use When statements in ansible.

As for action items, I'll update
https://github.com/ansibleplaybookbundle/mediawiki-apb/pull/17 and
https://github.com/ansibleplaybookbundle/postgresql-apb/pull/23 to
reflect options 3 and 5. Then, I'll update my apb documentation patch
here: https://github.com/ansibleplaybookbundle/ansible-playbook-bundle/pull/171 .
Finally, the pull request that identifies the cluster we're running on is
ready to go: https://github.com/openshift/ansible-service-broker/pull/577 .
Thanks,
-Ryan


From mhrivnak at redhat.com Tue Dec 12 16:14:24 2017
From: mhrivnak at redhat.com (Michael Hrivnak)
Date: Tue, 12 Dec 2017 11:14:24 -0500
Subject: [Ansible-service-broker] proxy testing

Using catasb for my cluster, I tested using a proxy with the service
broker. Everything appeared to work. Here is what I did:

- ran a proxy on a separate physical machine and watched its traffic:

    $ sudo docker run --name squid -d --rm -p 3128:3128 sameersbn/squid:3.3.8-23
    $ sudo docker exec -it squid tail -f /var/log/squid3/access.log

- set environment variables on the asb deployment config, which triggered
  a redeploy:

    no_proxy=.svc,172.30.0.1
    http_proxy=http://myhost:3128
    https_proxy=http://myhost:3128

- apb relist

- provision and bind mediawiki and postgresql.

Everything worked as expected. Note that the APBs themselves are not
getting proxy settings in their environment, so that remains an unsolved
problem.

The versions I tested:

    $ oc version
    oc v3.9.0-alpha.0+4d15c88-84
    kubernetes v1.8.1+0d5291c
    features: Basic-Auth GSSAPI Kerberos SPNEGO

    Server https://172.17.0.1:8443
    openshift v3.9.0-alpha.0+d1ca9a7-82
    kubernetes v1.8.1+0d5291c

--
Michael Hrivnak
Principal Software Engineer, RHCE
Red Hat


From mhrivnak at redhat.com Wed Dec 13 20:28:43 2017
From: mhrivnak at redhat.com (Michael Hrivnak)
Date: Wed, 13 Dec 2017 15:28:43 -0500
Subject: [Ansible-service-broker] bind APB, review requested

Because we don't have enough overloaded terminology, I decided to make my
first APB install "bind", the DNS service. I would appreciate your review,
and please don't hold back! I'm relatively new to openshift and ansible,
so you can help me out by pointing out anything you would have done
differently and why.

https://github.com/mhrivnak/bind-apb
https://hub.docker.com/r/mhrivnak/bind-apb/

One specific question came up.
DNS traffic defaults to UDP, which limits my options for exposing the
service externally. I went with the LoadBalancer approach, which assigns
a dedicated IP from a pool of external addresses. Is that reasonable? Is
there another option you would have used?

I also hit some funny errors trying to expose both TCP and UDP on the
loadbalancer service. I didn't try many iterations of it, but if you have
a suggestion or idea, I'm all ears.

Going through the exercise of making this has been very helpful for
getting familiar with much of the stack. I appreciate everyone's help
pointing me in the right direction.

Thanks!

--
Michael Hrivnak
Principal Software Engineer, RHCE
Red Hat


From dzager at redhat.com Thu Dec 14 14:31:46 2017
From: dzager at redhat.com (David Zager)
Date: Thu, 14 Dec 2017 14:31:46 +0000
Subject: [Ansible-service-broker] Sprint 141 Release Notes

Bugs
- Bug 1510486 - Return 403 for disallowed actions (#586)

Other Enhancements
- Integrate with coveralls for code coverage (#548)
- remove unneeded paragraph from license header (#549)
- Expose the pod name/namespace to APB (#546)
- Proposal to improve bind credential extraction (#550)
- Setup tls support for k8s deployments (#496)
- using table driven testing (#551)
- Use the Kubernetes API for namespaces check (#552)
- Integrate a new ci framework for travis (#463)
- Update copr link in Makefile comments (#559)
- adding ability to connect over SSL w/o authentication.
  (#558)
- Pull apb templates from their respective git repos (#560)
- First pass at last_operation description proposal (#537)
- Update vendor directory (#562)
- Create a Kubernetes Client struct (#561)
- Rebase k8s templates to pickup etcd name change (#563)
- Give cluster client the log object (#565)
- Few fixes to the local deploy templates (#568)
- Use the rbac API when creating and deleting policy (#556)
- docs and ci template updates for apb name changes (#573)
- Broker should extract credentials from secret (#555)
- Identify the cluster in the NewRuntime call (#574)
- Config impl (#567)
- fixes README to reflect behavioral changes (#578)
- Remove unused ocLogin function (#580)
- Adding ability to warn and filter out bad specs. (#571)
- fixes a typo and clarifies the name of "kube-service-catalog" (#583)
- Resolve runtime version from local openshift (#581)
- Make prep-local explicit and update docs (#587)
- Notify the apb what cluster it's running on with extravars (#577)
- Change the python path to /usr/bin/env (#591)
- Upgrading dependencies to K8s 1.8.5 (#589)


From jmontleo at redhat.com Thu Dec 14 15:04:15 2017
From: jmontleo at redhat.com (Jason Montleon)
Date: Thu, 14 Dec 2017 10:04:15 -0500
Subject: [Ansible-service-broker] bind APB, review requested

I don't think your app container will run in a restricted scc unless you
do the rest of the steps; specify the user numerically and create an
entrypoint with the snippet of code they specified:

"
Because the user ID of the container is generated dynamically, it will
not have an associated entry in /etc/passwd. This can cause problems for
applications that expect to be able to look up their user ID. One way to
address this problem is to dynamically create a passwd file entry with
the container's user ID as part of the image's start script.
This is what a Dockerfile might include:

    RUN chmod g=u /etc/passwd
    ENTRYPOINT [ "uid_entrypoint" ]
    USER 1001

Where uid_entrypoint contains:

    if ! whoami &> /dev/null; then
      if [ -w /etc/passwd ]; then
        echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
      fi
    fi
"

I think we've used a different variant of this as well:

    USER_ID=$(id -u)
    if [ ${USER_UID} != ${USER_ID} ]; then
      sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" ${BASE_DIR}/etc/passwd.template > /etc/passwd
    fi

With additional ENV stuff set in the Dockerfile:

    ENV USER_NAME=www-data \
        USER_UID=1001 \
        BASE_DIR=/home/www-data
    ENV HOME=${BASE_DIR}

apb base and mediawiki are two app containers maintained by us where we
deal with this. It looks like the apb-base entrypoint is using something
similar to the example in the docs you mentioned in the Dockerfile.

https://github.com/fusor/dockerfiles/blob/master/mediawiki123:latest
https://github.com/ansibleplaybookbundle/apb-base

Bind could be a nice neat example of multiple plans. One for caching
only, another that sets up persistent storage and creates a ddns zone or
zones, rndc key for managing it, etc.

On 12/13/2017 03:28 PM, Michael Hrivnak wrote:
> Because we don't have enough overloaded terminology, I decided to make
> my first APB install "bind", the DNS service. I would appreciate your
> review, and please don't hold back! I'm relatively new to openshift and
> ansible, so you can help me out by pointing out anything you would have
> done differently and why.
>
> https://github.com/mhrivnak/bind-apb
> https://hub.docker.com/r/mhrivnak/bind-apb/
>
> One specific question came up. DNS traffic defaults to UDP, which limits
> my options for exposing the service externally. I went with the
> LoadBalancer approach, which assigns a dedicated IP from a pool of
> external addresses. Is that reasonable? Is there another option you
> would have used?
>
> I also hit some funny errors trying to expose both TCP and UDP on the
> loadbalancer service. I didn't try many iterations of it, but if you
> have a suggestion or idea, I'm all ears.
>
> Going through the exercise of making this has been very helpful for
> getting familiar with much of the stack. I appreciate everyone's help
> pointing me in the right direction.
>
> Thanks!

--
Jason Montleon     | email: jmontleo at redhat.com
Software Engineer  | gpg key: 0x069E3022
Red Hat, Inc.      | irc: jmontleo
desk: 978-392-3930 | cell: 508-496-0663


From mhrivnak at redhat.com Thu Dec 14 21:05:17 2017
From: mhrivnak at redhat.com (Michael Hrivnak)
Date: Thu, 14 Dec 2017 16:05:17 -0500
Subject: [Ansible-service-broker] bind APB, review requested

Thanks!

For the scc issue, based on "This can cause problems for applications
that expect to be able to look up their user ID.", I made an assumption
that since named seemed to run happily as-is, perhaps it does not need
to look up its own user ID.

How common is that? Should we assume that all apps might want to look up
their user in /etc/passwd, unless proven otherwise? Is it a good idea to
add the entrypoint logic in all cases?

On Thu, Dec 14, 2017 at 10:04 AM, Jason Montleon wrote:
> I don't think your app container will run in a restricted scc unless you
> do the rest of the steps; specify the user numerically and create an
> entrypoint with the snippet of code they specified:
>
> "
> Because the user ID of the container is generated dynamically, it will
> not have an associated entry in /etc/passwd.
> This can cause problems for
> applications that expect to be able to look up their user ID. One way to
> address this problem is to dynamically create a passwd file entry with
> the container's user ID as part of the image's start script. This is
> what a Dockerfile might include:
>
>     RUN chmod g=u /etc/passwd
>     ENTRYPOINT [ "uid_entrypoint" ]
>     USER 1001
>
> Where uid_entrypoint contains:
>
>     if ! whoami &> /dev/null; then
>       if [ -w /etc/passwd ]; then
>         echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
>       fi
>     fi
> "
>
> I think we've used a different variant of this as well:
>
>     USER_ID=$(id -u)
>     if [ ${USER_UID} != ${USER_ID} ]; then
>       sed "s@${USER_NAME}:x:\${USER_ID}:@${USER_NAME}:x:${USER_ID}:@g" ${BASE_DIR}/etc/passwd.template > /etc/passwd
>     fi
>
> With additional ENV stuff set in the Dockerfile:
>
>     ENV USER_NAME=www-data \
>         USER_UID=1001 \
>         BASE_DIR=/home/www-data
>     ENV HOME=${BASE_DIR}
>
> apb base and mediawiki are two app containers maintained by us where we
> deal with this. It looks like the apb-base entrypoint is using something
> similar to the example in the docs you mentioned in the Dockerfile.
>
> https://github.com/fusor/dockerfiles/blob/master/mediawiki123:latest
> https://github.com/ansibleplaybookbundle/apb-base
>
> Bind could be a nice neat example of multiple plans. One for caching
> only, another that sets up persistent storage and creates a ddns zone or
> zones, rndc key for managing it, etc.
--
Michael Hrivnak
Principal Software Engineer, RHCE
Red Hat


From jmontleo at redhat.com Thu Dec 14 21:26:07 2017
From: jmontleo at redhat.com (Jason Montleon)
Date: Thu, 14 Dec 2017 16:26:07 -0500
Subject: [Ansible-service-broker] bind APB, review requested

On 12/14/2017 04:05 PM, Michael Hrivnak wrote:
> Thanks!
>
> For the scc issue, based on "This can cause problems for applications
> that expect to be able to look up their user ID.", I made an assumption
> that since named seemed to run happily as-is, perhaps it does not need
> to look up its own user ID.
>

That's possible.

> How common is that? Should we assume that all apps might want to look up
> their user in /etc/passwd, unless proven otherwise? Is it a good idea to
> add the entrypoint logic in all cases?
>

If it doesn't need it, it's probably fine. Looking at some db pods I have
running, it seems they also don't have an issue with this, so I guess
there are more than a couple of services where it isn't an issue.

    bash-4.2$ whoami
    whoami: cannot find name for user ID 1000550000
    bash-4.2$ grep mysql /etc/passwd
    mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin

    bash-4.2$ whoami
    whoami: cannot find name for user ID 1000400000
    bash-4.2$ grep postgres /etc/passwd
    postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
--
Jason Montleon     | email: jmontleo at redhat.com
Software Engineer  | gpg key: 0x069E3022
Red Hat, Inc.      | irc: jmontleo
desk: 978-392-3930 | cell: 508-496-0663


From rhallise at redhat.com Tue Dec 19 15:50:20 2017
From: rhallise at redhat.com (Ryan Hallisey)
Date: Tue, 19 Dec 2017 10:50:20 -0500
Subject: [Ansible-service-broker] Broker running on k8s video

Hey folks,

The broker running on kubernetes demo has been published. The kubernetes
cluster was set up by catasb using the kubeadm tool. I plan on adding a
kubernetes gate to the ansible-service-broker repo and a similar script
to run_latest_build.sh using minikube after the new year.

https://youtu.be/ub2FqeVIcws

Thanks,
-Ryan
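For the restricted-SCC discussion in the "bind APB, review requested" thread above, here is an added example (not from the thread, apb-base or the OpenShift docs) of an entrypoint helper that gives the container's arbitrary UID a passwd entry without duplicating it on every restart; the function names and the optional passwd-file argument, used so it can be exercised on a constructed file rather than the real /etc/passwd, are this example's own.

```shell
#!/bin/sh
# Added example for the restricted-SCC discussion: an entrypoint helper that
# gives the container's arbitrary UID a passwd entry. Not taken from the
# thread, apb-base or the OpenShift docs; function names and the optional
# passwd-file argument (so it can run against a constructed file instead of
# the real /etc/passwd) are this example's own.
# Written for POSIX sh; the docs snippet's "&>" redirection is bash-only.

# passwd_has_uid UID FILE: succeed if some entry's numeric uid (field 3) is UID.
# This is the lookup whoami performs through NSS, done directly on the file.
passwd_has_uid() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# passwd_name_for_uid UID FILE: print the login name that UID resolves to.
passwd_name_for_uid() {
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# ensure_passwd_entry NAME UID GID HOME [FILE]
# Appends "NAME:x:UID:GID:NAME user:HOME:/sbin/nologin" only when UID has no
# entry yet, so restarts (or calling this twice) never duplicate it. GID is 0
# under the restricted SCC, which is why the image runs "chmod g=u /etc/passwd".
# Returns 0 when an entry now exists, 1 when the file is not writable, i.e.
# the image forgot that chmod and the app will keep hitting the whoami error.
ensure_passwd_entry() {
    name=$1 uid=$2 gid=$3 home=$4 file=${5:-/etc/passwd}
    if passwd_has_uid "$uid" "$file"; then
        return 0
    fi
    if [ ! -w "$file" ]; then
        return 1
    fi
    printf '%s:x:%s:%s:%s user:%s:/sbin/nologin\n' \
        "$name" "$uid" "$gid" "$name" "$home" >> "$file"
}

# Stand-alone demo on a constructed passwd file (not the container's own),
# using a UID of the same shape as the ones in the whoami errors above.
demo_file=$(mktemp)
printf 'root:x:0:0:root:/root:/bin/bash\nnamed:x:25:25:Named:/var/named:/sbin/nologin\n' > "$demo_file"
if ensure_passwd_entry "${USER_NAME:-default}" 1000550000 0 /var/named "$demo_file"; then
    echo "uid 1000550000 now resolves to $(passwd_name_for_uid 1000550000 "$demo_file")"
fi
rm -f "$demo_file"
```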