Openshift 简明教程

OpenShift - Basic Concept

在开始进行应用程序的实际设置和部署之前，我们需要了解 OpenShift V3 中使用的一些基本术语和概念。

Before beginning with the actual setup and deployment of applications, we need to understand some basic terms and concepts used in OpenShift V3.

Containers and Images

Images

这些是 OpenShift 的基本构建块，它们由 Docker 镜像组成。在 OpenShift 的每个 pod 中，管理集群在其内部运行自己的镜像。当我们配置一个 pod 时，我们有一个字段将从注册表中获得轮循。此配置文件将拉取镜像并将其部署到群集节点上。

These are the basic building blocks of OpenShift, which are formed out of Docker images. In each pod on OpenShift, the cluster has its own images running inside it. When we configure a pod, we have a field which will get pooled from the registry. This configuration file will pull the image and deploy it on the cluster node.

apiVersion: v1
kind: pod
metadata:
   name: Tesing_for_Image_pull -----------> Name of Pod
      spec:
containers:
- name: neo4j-server ------------------------> Name of the image
image: <Name of the Docker image>----------> Image to be pulled
imagePullPolicy: Always ------------->Image pull policy
command: [“echo”, “SUCCESS”] -------------------> Massage after image pull

要从其中拉取和创建图像，请运行以下命令。OC 是在登录后与 OpenShift 环境通信的客户端。

In order to pull and create an image out of it, run the following command. OC is the client to communicate with OpenShift environment after login.

$ oc create –f Tesing_for_Image_pull

Container

在将 Docker 图像部署到 OpenShift 集群时会创建此图像。在定义任何配置时，我们在配置文件中定义容器部分。一个容器可以在内部运行多个图像，运行在集群节点上的所有容器都由 OpenShift Kubernetes 管理。

This gets created when the Docker image gets deployed on the OpenShift cluster. While defining any configuration, we define the container section in the configuration file. One container can have multiple images running inside and all the containers running on cluster node are managed by OpenShift Kubernetes.

spec:
   containers:
   - name: py ------------------------> Name of the container
   image: python----------> Image going to get deployed on container
   command: [“python”, “SUCCESS”]
   restartPocliy: Never --------> Restart policy of container

以下是有关定义在其中运行多个图像的容器的规范。

Following are the specifications for defining a container having multiple images running inside it.

apiVersion: v1
kind: Pod
metadata:
   name: Tomcat
spec:
   containers:
   - name: Tomcat
   image: tomcat: 8.0
   ports:
   - containerPort: 7500
      imagePullPolicy: Always
      -name: Database
      Image: mongoDB
      Ports:
      - containerPort: 7501
imagePullPolicy: Always

在上面的配置中，我们定义了一个多容器 pod，其中包含两个 Tomcat 和 MongoDB 图像。

In the above configuration, we have defined a multi-container pod with two images of Tomcat and MongoDB inside it.

Pods and Services

Pods

Pod 可定义为 OpenShift（Kubernetes）集群节点中容器及其存储的集合。通常，我们有两种类型的 Pod，从单容器 Pod 到多容器 Pod。

Pod can be defined as a collection of container and its storage inside a node of OpenShift (Kubernetes) cluster. In general, we have two types of pod starting from a single container pod to multi-container pod.

Single Container Pod − 这些可以使用 OC 命令或基本配置 yml 文件轻松创建。

Single Container Pod − These can be easily created with OC command or by a basic configuration yml file.

$ oc run <name of pod> --image = <name of the image from registry>

使用简单的 yaml 文件创建它，如下所示。

Create it with a simple yaml file as follows.

apiVersion: v1
kind: Pod
metadata:
   name: apache
spec:
   containers:
   - name: apache
   image: apache: 8.0
   ports:
      - containerPort: 7500
imagePullPolicy: Always

创建上述文件后，它将生成一个带有以下命令的 Pod。

Once the above file is created, it will generate a pod with the following command.

$ oc create –f apache.yml

Multi-Container Pod − 多容器 Pod 是指在其内部运行多个容器的 Pod。它们是使用 yaml 文件创建的，如下所示。

Multi-Container Pod − Multi-container pods are those in which we have more than one container running inside it. They are created using yaml files as follows.

apiVersion: v1
kind: Pod
metadata:
   name: Tomcat
spec:
   containers:
   - name: Tomcat
   image: tomcat: 8.0
   ports:
      - containerPort: 7500
imagePullPolicy: Always
   -name: Database
   Image: mongoDB
   Ports:
      - containerPort: 7501
imagePullPolicy: Always

创建这些文件后，我们只需使用与上面相同的方法即可创建容器。

After creating these files, we can simply use the same method as above to create a container.

Service − 由于我们有一组容器在 Pod 中运行，因此我们同样有一个服务可以定义为一组逻辑 Pod。它是位于 Pod 之上的抽象层，它提供一个可以通过其访问 Pod 的 IP 和 DNS 名称。服务有助于管理负载均衡配置并非常容易地缩放 Pod。在 OpenShift 中，服务是一个 REST 对象，可以将其神化发送到 OpenShift 主控中的 apiService 以创建新实例。

Service − As we have a set of containers running inside a pod, in the same way we have a service that can be defined as a logical set of pods. It’s an abstracted layer on top of the pod, which provides a single IP and DNS name through which pods can be accessed. Service helps in managing the load balancing configuration and to scale the pod very easily. In OpenShift, a service is a REST object whose deification can be posted to apiService on OpenShift master to create a new instance.

apiVersion: v1
kind: Service
metadata:
   name: Tutorial_point_service
spec:
   ports:
      - port: 8080
         targetPort: 31999

Builds and Streams

Builds

在 OpenShift 中，构建是将图像转换为容器的过程。它是将源代码转换为图像的处理过程。此构建过程使用构建源代码为图像制定预定义的策略。

In OpenShift, build is a process of transforming images into containers. It is the processing which converts the source code to an image. This build process works on pre-defined strategy of building source code to image.

此构建过程了多种策略和资源。

The build processes multiple strategies and sources.

Build Strategies

Source to Image − This is basically a tool, which helps in building reproducible images. These images are always in a ready stage to run using the Docker run command.
Docker Build − This is the process in which the images are built using Docker file by running simple Docker build command.
Custom Build − These are the builds which are used for creating base Docker images.

Build Sources

Git − 当使用 git 存储库构建图像时，将使用此资源。Dockerfile 是可选的。源代码中的配置如下所示。

Git − This source is used when the git repository is used for building images. The Dockerfile is optional. The configurations from the source code looks like the following.

source:
type: "Git"
git:
   uri: "https://github.com/vipin/testing.git"
   ref: "master"
contextDir: "app/dir"
dockerfile: "FROM openshift/ruby-22-centos7\nUSER example"

Dockerfile − Dockerfile 用作配置文件中的输入。

Dockerfile − The Dockerfile is used as an input in the configuration file.

source:
   type: "Dockerfile"
   dockerfile: "FROM ubuntu: latest
   RUN yum install -y httpd"

Image Streams − 在拉取图像后创建图像流。图像流的优点在于它会查找新图像版本的更新。这用于比较由标记标识的任意数量的 Docker 格式化容器图像。

Image Streams − Image streams are created after pulling the images. The advantage of an image stream is that it looks for updates on the new version of an image. This is used to compare any number of Docker formatted container images identified by tags.

在创建新映像时，映像流可以自动执行操作。所有构建和部署都可以监视映像操作，并据此执行操作。以下是我们定义构建流的方法。

Image streams can automatically perform an action when a new image is created. All the builds and deployments can watch for image action and perform an action accordingly. Following is how we define a build a stream.

apiVersion: v1
kind: ImageStream
metadata:
   annotations:
      openshift.io/generated-by: OpenShiftNewApp
   generation: 1
   labels:
      app: ruby-sample-build
   selflink: /oapi/v1/namespaces/test/imagestreams/origin-ruby-sample
   uid: ee2b9405-c68c-11e5-8a99-525400f25e34
spec: {}
status:
   dockerImageRepository: 172.30.56.218:5000/test/origin-ruby-sample
   tags:
   - items:
      - created: 2016-01-29T13:40:11Z
      dockerImageReference: 172.30.56.218:5000/test/origin-apache-sample
      generation: 1
      image: vklnld908.int.clsa.com/vipin/test
   tag: latest

Routes and Templates

Routes

在 OpenShift 中，路由通过创建和配置可外部访问的主机名将服务暴露给外部世界的方法。路由和端点用于将服务暴露给外部世界，用户在其中可以使用名称连接 (DNS) 来访问已定义的应用程序。

In OpenShift, routing is a method of exposing the service to the external world by creating and configuring externally reachable hostname. Routes and endpoints are used to expose the service to the external world, from where the user can use the name connectivity (DNS) to access defined application.

在 OpenShift 中，路由是通过管理员在集群上部署的路由器创建的。路由器用于将 HTTP (80) 和 https (443) 端口与外部应用程序绑定。

In OpenShift, routes are created by using routers which are deployed by OpenShift admin on the cluster. Routers are used to bind HTTP (80) and https (443) ports to external applications.

以下是路由支持的不同类型的协议 −

Following are the different kinds of protocol supported by routes −

HTTP
HTTPS
TSL and web socket

在配置服务时，选择器用于配置服务并使用该服务查找端点。以下是我们创建服务并通过使用适当协议为该服务进行路由的示例。

When configuring the service, selectors are used to configure the service and find the endpoint using that service. Following is an example of how we create a service and the routing for that service by using an appropriate protocol.

{
   "kind": "Service",
   "apiVersion": "v1",
   "metadata": {"name": "Openshift-Rservice"},
   "spec": {
      "selector": {"name":"RService-openshift"},
      "ports": [
         {
            "protocol": "TCP",
            "port": 8888,
            "targetPort": 8080
         }
      ]
   }
}

接下来，运行以下命令并创建服务。

Next, run the following command and the service is created.

$ oc create -f ~/training/content/Openshift-Rservice.json

这是服务在创建后的样子。

This is how the service looks like after creation.

$ oc describe service Openshift-Rservice

Name:              Openshift-Rservice
Labels:            <none>
Selector:          name = RService-openshift
Type:              ClusterIP
IP:                172.30.42.80
Port:              <unnamed> 8080/TCP
Endpoints:         <none>
Session Affinity:  None
No events.

使用以下代码为服务创建路由。

Create a routing for service using the following code.

{
   "kind": "Route",
   "apiVersion": "v1",
   "metadata": {"name": "Openshift-service-route"},
   "spec": {
      "host": "hello-openshift.cloudapps.example.com",
      "to": {
         "kind": "Service",
         "name": "OpenShift-route-service"
      },
      "tls": {"termination": "edge"}
   }
}

当使用 OC 命令创建路由时，会创建路由资源的新实例。

When OC command is used to create a route, a new instance of route resource is created.

Templates

模板在 OpenShift 中被定义为可以多次使用的标准对象。它使用一组占位符进行参数化，这些占位符用于创建多个对象。这可用于创建从 Pod 到网络的任何内容，用户有权创建这些内容。如果图像中的 CLI 或 GUI 界面中的模板上传到项目目录，则可以创建对象列表。

Templates are defined as a standard object in OpenShift which can be used multiple times. It is parameterized with a list of placeholders which are used to create multiple objects. This can be used to create anything, starting from a pod to networking, for which users have authorization to create. A list of objects can be created, if the template from CLI or GUI interface in the image is uploaded to the project directory.

apiVersion: v1
kind: Template
metadata:
   name: <Name of template>
   annotations:
      description: <Description of Tag>
      iconClass: "icon-redis"
      tags: <Tages of image>
objects:
   - apiVersion: v1
   kind: Pod
   metadata:
      name: <Object Specification>
spec:
   containers:
      image: <Image Name>
      name: master
      ports:
      - containerPort: <Container port number>
         protocol: <Protocol>
labels:
   redis: <Communication Type>

Authentication and Authorization

Authentication

在 OpenShift 中，在配置主客户端结构时，主服务器会随 OAuth 服务器的内置特性而来。OAuth 服务器用于生成用于对 API 进行身份验证的令牌。由于 OAuth 作为主服务器的默认设置，因此我们默认使用允许所有身份提供商。存在可以按 /etc/openshift/master/master-config.yaml 配置的不同身份提供商。

In OpenShift, while configuring master and client structure, master comes up with an inbuilt feature of OAuth server. OAuth server is used for generating tokens, which is used for authentication to the API. Since, OAuth comes as a default setup for master, we have the Allow All identity provider used by default. Different identity providers are present which can be configured at /etc/openshift/master/master-config.yaml.

OAuth 中存在不同类型的身分提供者。

There are different types of identity providers present in OAuth.

Allow All
Deny All
HTPasswd
LDAP
Basic Authentication

Allow All

apiVersion: v1
   kind: Pod
   metadata:
      name: redis-master
   spec:
      containers:
         image: dockerfile/redis
         name: master
      ports:
      - containerPort: 6379
         protocol: TCP
      oauthConfig:
      identityProviders:
      - name: my_allow_provider
         challenge: true
         login: true
      provider:
         apiVersion: v1
         kind: AllowAllPasswordIdentityProvider

Deny All

apiVersion: v1
kind: Pod
metadata:
   name: redis-master
spec:
   containers:
      image: dockerfile/redis
   name: master
   ports:
   - containerPort: 6379
      protocol: TCP
   oauthConfig:
   identityProviders:
   - name: my_allow_provider
      challenge: true
      login: true
   provider:
      apiVersion: v1
      kind: DenyAllPasswordIdentityProvider

HTPasswd

为了使用 HTPasswd，我们需要首先在主计算机上设置 Httpd-tools，然后按照我们对其他工具所做的相同方式进行配置。

In order to use HTPasswd, we need to first set up Httpd-tools on the master machine and then configure it in the same way as we did for others.

identityProviders:
   - name: my_htpasswd_provider
      challenge: true
      login: true
      provider:
         apiVersion: v1
         kind: HTPasswdPasswordIdentityProvider

Authorization

授权是 OpenShift 主服务器的一个功能，用于验证用户。这意味着它检查试图执行操作的用户以查看用户是否有权对给定项目执行该操作。这帮助管理员控制对项目的访问。

Authorization is a feature of OpenShift master, which is used to validate for validating a user. This means that it checks the user who is trying to perform an action to see if the user is authorized to perform that action on a given project. This helps the administrator to control access on the projects.

授权策略使用以下方式控制 −

Authorization policies are controlled using −

Rules
Roles
Bindings

授权评估使用以下方法完成 −

Evaluation of authorization is done using −

Identity
Action
Bindings

使用策略 −

Using Policies −

Cluster policy
Local policy