Posts

Running Pods as Anyuid in OpenShift Origin

When using OpenShift Origin, by default all pods run with the 'restricted' security context constraint (SCC), where they are forced to use a generated user id. Some containers just don't work that way, so we need to relax the restriction a bit. Reference: https://blog.openshift.com/understanding-service-accounts-sccs/ Creating a service account: First, create a service account in your project (see https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html). Here is a sample YAML to do that: kind: ServiceAccount apiVersion: v1 metadata: name: mysvcacct Note that underscores are not allowed in a service account name, even though the official OpenShift example contains one. Assigning anyuid: Then, a cluster administrator should log in to the project and assign the anyuid SCC: oc login oc project theproject oc adm policy add-scc-to-user anyuid -z mysvcacct Using the service account: Now, edit the deployment config or the replication controller config to use the serv...

Cleaning the OpenShift Origin Image Registry

When using and tending an OpenShift Origin cluster (for example, Origin version 3.7), it is normal to start the storage allocation in small sizes. However, we soon find that storage for the registry gets filled up quickly with images from each build process. This post will show how to clean them up. Preparation before pruning: First you need the oc (origin client) binary and a user account with cluster administration capability. If the OpenShift docker registry is installed inside the cluster without external access, then you are also going to need OS access to one of the hosts inside the cluster. The first step is to log in to the cluster from your client or from inside one of the hosts: oc login Prune steps: Reading the documentation (https://docs.openshift.com/enterprise/3.0/admin_guide/pruning_resources.html) we find that pruning starts with deployments, then builds, and last images. Pruning deployments: Run this to preview which deployments are going to be pruned: oc adm pru...

Lessons Upgrading MySQL DB 5.1 to Percona 5.7

I just recently upgraded a database server that was previously running MySQL 5.1 (standard, Sun/Oracle version) to Percona Server 5.7. A few quirks were notable enough to warrant this blog post. Planning and preparation: A Percona blog post (mysql-upgrade-best-practices) stated that the best way to upgrade across such a large difference in major version (5.1 to 5.7) is to do a full logical dump of all databases except mysql, dump users and grants, uninstall the database and remove the datafiles, then install the new version and import the logical dump and grants. But alas, the database we are going to upgrade is so big that the IO subsystem became something of a bottleneck when doing the logical dump; our colleagues tried to run mysqldump and it took more than 2 days, prompting us to cancel the backup (otherwise it would interfere with workday application usage of the database). Reading the blog I noted that: for a major version upgrade, using logical dump and restore dump is the safe...

Securing OpenShift Origin Nodes

Background: We have deployed an OpenShift Origin based cluster based on the Origin Milestone 4 release. When a security assessment was performed on several of the applications in the cluster, some issues cropped up and needed further remediation. Some issues related to application code, others to the OpenShift node configuration, which we shall discuss here. SSH issues: One of the issues is SSH weak algorithm support. To remediate that, we need to tweak /etc/sshd/sshd_config by inserting additional lines: # mitigation for security assessment finding: SSH weak algorithm support Ciphers aes128-ctr,aes192-ctr,aes256-ctr MACs hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com SSL issues: The other issue is related to SSL crypto algorithms. The 3DES cipher suite is no longer considered secure, so we need to tweak /etc/httpd/conf.d/000001_openshift_origin_node.conf (line 63) by adding !3DES:!DES-CBC3-SHA : SSLCipherSuite kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+...

How to Create an LVM Volume with Thin Provisioning

This post shows how to create an LVM volume with thin provisioning, that is, only the ranges of the volume that are actually used will be allocated. Check volume groups: First, check the LVM volume groups to find out which VG has space for our thin volume pool: vgdisplay Choose one of the volume groups with sufficient space. Because we are using thin provisioning, we could use less space than with normal provisioning. Second, also check the existing logical volumes: lvs Creating the thin volume pool: Next, we create a thin volume pool in the chosen volume group (for example, vgdata): lvcreate -L 50G --thinpool globalthinpool vgdata Print the resulting volumes using lvs: We see that globalthinpool is created with a logical size of 50 gigabytes. Creating a thinly provisioned volume: Now we create a thinly provisioned volume using the previously created pool: lvcreate -V100G -T vgdata/globalthinpool -n dockerpool The command would create a 100 G logical volume using t...

How to Run an X Window Server inside a Docker Container

Background: Sometimes I need to run X Window-based applications inside Docker containers, and running the server locally is too impractical, either for latency reasons or because the work laptop has no X Window server. First I tried to create a VirtualBox-based VNC server, and it worked fine albeit a little slowly, but Docker containers seem to have a better memory and disk footprint. So I tried to create a VNC server running X Window inside a Docker container. I already tried suchja/x11server (ref) but it has strange problems ignoring the cursor keys of my MacBook on WebKit pages (such as Pentaho Data Integration's Formula page). Starting point: Many of my Docker images are based on Debian Jessie, so I start from the instructions in this DigitalOcean article: https://www.digitalocean.com/community/tutorials/how-to-set-up-vnc-server-on-debian-8 . This VNC server is based on the XFCE Desktop Environment. The steps are basically to install: xfce4 xfce4-goodies...

Docker Basic 101

Background: This post describes notes resulting from my initial exploration of Docker. Docker could be described as a thin VM. Essentially, Docker runs processes on a Linux host in a semi-isolated environment. It is a brilliant technical accomplishment that exploits several characteristics of running applications on a Linux-based OS. First, the result of a package installation is the distribution of package files into certain directories, plus changes to certain files. Second, an executable file from one Linux distribution can be run on another Linux distribution provided that all the required shared libraries and configuration files are in their places. Basic characteristics of Docker images: Docker images are essentially similar to zip archives, organized as layers over layers. Each additional layer provides new or changed files. Docker images should be portable, meaning they can be used in different instances of an application on different hosts. Docker images...