Make OpenShift console available on port 443 (https)

Posted on Updated on

Introduction

The main reason this blog post exists is that OpenShift v3 and Kubernetes are tightly bound to port 8443. This could change in the future.

We at Cloudwerkstatt GmbH use a dedicated haproxy pod to provide the OpenShift v3 web console on port 443 (https).

This concept can also be used for other services in the PaaS.

There are ansible variables openshift_master_api_port and openshift_master_console_port which suggest that you are able to change the port.

These ports are 'internal' ports and are not designed to be the public ports, so changing them could break your OpenShift setup!

If you want to use these variables you will also need to change a lot in OpenShift v3 and Kubernetes.

The solution described here is more general and flexible than the external service solution.
The external service solution is much easier to set up; it is described here.

You will need the following to run this setup:

  • Time!
  • An understanding of OpenShift v3, Kubernetes and docker
  • An SSL certificate for master.<your-domain> or *.<your-domain>
  • Write access to a git repository
  • An ssh key for deployment [optional]

Here is a rudimentary picture which shows the idea and the flow.

OSv3-cons-443

Steps

Btw: Did I say you will need time and knowledge? 😉

git clone

Because you need to change the haproxy config, you must have a git repository from which OpenShift is able to build the haproxy image.

You can use this repo as a base.

git clone https://github.com/cloudwerkstatt/openshift-master.git

Adapt ENV

You need to change the OPENSHIFT_MASTER_SERVER variable in the Dockerfile.

Adapt master.cfg

You need to change the file container-files/etc/haproxy/master.cfg.

Add this into the global section.

ca-base /etc/ssl
crt-base /etc/ssl

Add ssl options to the bind line

You need to add this to the bind line:

ssl no-sslv3 crt /etc/ssl/certificates-all.pem
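
To show where the two changes above land, here is the shape of a complete master.cfg, as an added example and not the file from the cloudwerkstatt/openshift-master repo. MASTER_IP stands for the master address that the Dockerfile's OPENSHIFT_MASTER_SERVER variable supplies, the section names are my own, and master-ca.crt is an assumed extra key in the manage-certificate secret that holds the master's CA.

```haproxy
# Added example, not the repo's master.cfg. Placeholders: MASTER_IP, master-ca.crt.
global
    # both paths resolve relative file names below to the secret mounted at /etc/ssl
    ca-base  /etc/ssl
    crt-base /etc/ssl

defaults
    mode    http
    option  forwardfor
    timeout connect 5s
    timeout client  5m
    timeout server  5m
    # the web console keeps websocket connections open for a long time
    timeout tunnel  1h

frontend console_https
    # TLS is terminated here with the certificate from the secret; SSLv3 is disabled
    bind *:443 ssl no-sslv3 crt /etc/ssl/certificates-all.pem
    default_backend openshift_master

backend openshift_master
    # re-encrypt to the master's own TLS port and verify it against the master CA
    # (assumed key master-ca.crt in the secret); 'verify none' would skip that check
    server master MASTER_IP:8443 ssl verify required ca-file master-ca.crt
```

The point of the backend line is that the hop from the haproxy pod to port 8443 stays encrypted and authenticated; terminating TLS on 443 and then talking to the master without verification would make the pod the weakest link.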

Test run

You can try the build with a simple docker build command:

docker build --rm -t myhaproxy .

Now run:

docker run -it --rm --net host -e OPENSHIFT_MASTER_SERVER=<your-master-ip> myhaproxy

When everything works, push the data to your git repository.

git stuff

git add .
git commit -m 'init'
git push -u origin master

Create the project

oc new-project infra-services

Add ssl keys to the service account

oc secrets new manage-certificate  certificates-all.pem=.../zerts_manage-certificate_all.pem
oc secrets add serviceaccount/default secret/manage-certificate

oc new-app

Now create the app:

oc new-app <your-repo-url> --name=openshift-master

oc edit dc

You need to mount the secret into the container.

Please take a look at the concept of secrets here.

oc edit dc -n infra-services openshift-master
spec:
....
    spec:
      containers:
        volumeMounts: <-- Add from here 
        - mountPath: /etc/ssl
          name: secret-volume
          readOnly: true <-- until this line
      terminationGracePeriodSeconds: 30
      volumes: <-- Add from here
      - name: secret-volume
        secret:
          secretName: manage-certificate

After saving the changes a rebuild will start.

oc expose

Make the setup publicly available via the OpenShift default router:

oc expose service openshift-master --hostname=manage.<your-domain>

Test #1

After all these steps and the build process you should now see a running pod 😉

A call to

curl -sS https://manage.<your-domain>|egrep hostPort

should now show the OpenShift internal masterPublicURL, i.e. the value of:

egrep -i masterPublicURL /etc/origin/master/master-config.yaml

Ansible hosts file

To configure OpenShift with the new URL, add the following lines to the ansible hosts file:

openshift_master_public_api_url=https://manage.{{ osm_default_subdomain }}
openshift_master_public_console_url={{ openshift_master_public_api_url }}/console
openshift_master_metrics_public_url={{ openshift_master_public_api_url }}/hawkular/metrics

and rerun the ansible playbook as described here:

ANSIBLE_LOG_PATH=/tmp/ansible_log_$(date +%Y_%m_%d-%H_%M) ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml

Test #2

A call to

curl -sS https://manage.<your-domain>|egrep hostPort

should now show the new public masterPublicURL, i.e. the value of:

egrep -i masterPublicURL /etc/origin/master/master-config.yaml

which should be master.<your-domain>.

ansible on centos 7.1


You need the following packages after a CentOS minimal installation:

yum install git gcc python-devel

Then follow the commands in the doc:

http://docs.ansible.com/intro_installation.html

If you get the following error:

# ansible all -m ping
Traceback (most recent call last):
 File "/root/ansible/bin/ansible", line 39, in <module>
 from ansible.utils.display import Display
 File "/root/ansible/lib/ansible/utils/display.py", line 28, in <module>
 from ansible import constants as C
 File "/root/ansible/lib/ansible/constants.py", line 26, in <module>
 from six.moves import configparser
ImportError: No module named six.moves

try to install six:

pip install six

six is the Python 2/3 compatibility library that the traceback refers to.

This is the Python version used:

# python -V
Python 2.7.5

check_and_status_ajp


I searched for a ping for the AJP protocol ( https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html ) and found some: http://lmgtfy.com/?q=ajpping.

From my point of view they have some weaknesses:

  • not accurate enough for current IT environments
  • don't measure the individual operations
  • don't write out a graphable line

Due to these facts I used jffry's ( http://www.perlmonks.org/?node_id=766945 ) script as the base for my extended version:

https://github.com/git001/check_and_status_ajp

With the output line

%Y-%m-%d %T host %s ip %s port %s connect %f syswrite %f sysread %f timeouted %d timeout %d good_answer %d

you can easily create a picture with your preferred tool ( gnuplot, splunk, excel, R, ... ).
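
To show what such a check measures, here is a minimal AJP13 CPing/CPong probe in Python that times connect, write and read separately and prints the column format above. It is an added example for this post, not the check_and_status_ajp script or jffry's Perl original; the packet bytes follow the AJPv13 spec linked above, and the fake server at the end is a constructed stand-in for a Tomcat connector so the example runs offline.

```python
"""AJP13 CPing/CPong probe that writes one graphable result line.

Added example for this post; it is not the check_and_status_ajp script nor
jffry's Perl original. The packets follow the AJPv13 spec linked above:
  client -> server : 0x12 0x34 | length (2 bytes, big endian) | 0x0A  (CPing)
  server -> client : 'A' 'B'   | length (2 bytes, big endian) | 0x09  (CPong)
"""
import socket
import struct
import threading
import time
from datetime import datetime

CPING = b"\x12\x34" + struct.pack(">H", 1) + b"\x0a"
CPONG = b"AB" + struct.pack(">H", 1) + b"\x09"


def build_cping():
    """Return the 5-byte CPing packet a client sends to an AJP connector."""
    return CPING


def is_cpong(data):
    """Accept only an exact CPong: magic 'AB', payload length 1, type 0x09.
    Anything else (empty read, HTTP banner, truncated frame) is a bad answer."""
    if len(data) != 5 or data[:2] != b"AB":
        return False
    return struct.unpack(">H", data[2:4])[0] == 1 and data[4:5] == b"\x09"


def _recv_exact(sock, n):
    """Read exactly n bytes, or stop early at EOF (peer closed without replying)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, timeout=2):
    """Connect, send CPing, wait for CPong. Each step is timed on its own so a
    slow connect can be told apart from a slow answer. Returns the columns."""
    r = {"host": host, "ip": "", "port": port, "connect": 0.0, "syswrite": 0.0,
         "sysread": 0.0, "timeouted": 0, "timeout": timeout, "good_answer": 0}
    sock = None
    try:
        t0 = time.monotonic()
        sock = socket.create_connection((host, port), timeout=timeout)
        r["connect"] = time.monotonic() - t0
        r["ip"] = sock.getpeername()[0]
        t1 = time.monotonic()
        sock.sendall(build_cping())
        r["syswrite"] = time.monotonic() - t1
        t2 = time.monotonic()
        data = _recv_exact(sock, 5)
        r["sysread"] = time.monotonic() - t2
        r["good_answer"] = int(is_cpong(data))
    except socket.timeout:
        r["timeouted"] = 1
    except OSError:
        pass  # refused/reset: good_answer stays 0, so the line still plots as a failure
    finally:
        if sock is not None:
            sock.close()
    return r


def format_line(r, now=None):
    """Render the post's column format: %Y-%m-%d %T host ... good_answer %d."""
    stamp = (now or datetime.now()).strftime("%Y-%m-%d %H:%M:%S")
    return ("%s host %s ip %s port %s connect %f syswrite %f sysread %f "
            "timeouted %d timeout %d good_answer %d") % (
        stamp, r["host"], r["ip"], r["port"], r["connect"], r["syswrite"],
        r["sysread"], r["timeouted"], r["timeout"], r["good_answer"])


def start_fake_ajp(reply=CPONG, delay=0):
    """Constructed stand-in for a Tomcat AJP connector (offline runs only):
    accepts one connection, stalls `delay` seconds, answers `reply`, closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(5)
            time.sleep(delay)
            conn.sendall(reply)
        except OSError:
            pass  # client already gave up (timeout case)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_ajp()
    print(format_line(probe("127.0.0.1", port)))
```

Run the file as-is to see one line against the fake connector, or call probe() with a real host and the AJP port; good_answer is only 1 for an exact CPong, so a connector that answers with something else (or nothing) shows up as a failure rather than a false "up".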

certutil commands


How to remove all entries in the nss-db

rm <DIR_OF_NSS_DB>/*.db

How to list CAs in the nss-db

certutil -L -d <DIR_OF_NSS_DB>

How to list keys in the nss-db

certutil -K -d <DIR_OF_NSS_DB>

How to add a CA to the nss-db

certutil -A -d <DIR_OF_NSS_DB> -n <NICKNAME> -t C,C,P -i <CERTIFICATE-FILE>

How to create a key and CSR

# take a bounded amount of random data; reading /dev/urandom without a limit never ends
head -c 1024 /dev/urandom > noise_file

certutil -R -s "CN=<HOST_COMMON_NAME>,OU=<OU>,O=<O>,L=<LOCATION>,C=<COUNTRY>,ST=<STATE>" -g 2048 -o mycert.req -d <DIR_OF_NSS_DB> -a -n <NICKNAME> -z noise_file

Doc of certutil

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil

claws mail with ecc certificate


I have tried to use claws-mail with my ECC mail certificate.

You need a gnutls which supports ECC certificates; this is available on CentOS 7.

I only needed to install liblockfile from the software repository.

The second requirement is libetpan:

http://rpmfind.net//linux/RPM/epel/testing/7/x86_64/l/libetpan-1.6-1.el7.x86_64.html

and claws itself:

http://rpmfind.net//linux/RPM/epel/testing/7/x86_64/c/claws-mail-3.11.1-5.el7.x86_64.html

Please note that these are the current versions at the time I write this post; they will change in the future.

Build own ChatSecure Android client


Step-by-step description, based on

https://github.com/guardianproject/ChatSecureAndroid/blob/master/BUILD

to build your own ChatSecure client.

Most importantly, you need a 32-bit build platform, because "aapt" in the SDK is a 32-bit binary, as file shows:

file adt-bundle-linux-x86_64-20140321/sdk/build-tools/android-4.4.2/aapt

adt-bundle-linux-x86_64-20140321/sdk/build-tools/android-4.4.2/aapt: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.8, not stripped

  1. I used an Ubuntu 14.04 x32 instance with 1 GB RAM on https://digitalocean.com/
  2. I downloaded the latest Linux 32-bit ADT Bundle from https://developer.android.com/sdk/index.html
    1. wget https://dl.google.com/android/adt/22.6.2/adt-bundle-linux-x86-20140321.zip
  3. apt-get install ant libbcel-java openjdk-7-jdk unzip git
  4. unzip adt-bundle-linux-x86-20140321.zip
  5. export PATH=/root/adt-bundle-linux-x86-20140321/sdk/tools:${PATH}
  6. git clone https://github.com/guardianproject/ChatSecureAndroid.git
  7. cd ChatSecureAndroid/
  8. git submodule update --init
  9. ./update-ant-build.sh
  10. ant debug
  11. Now you have a ChatSecure-debug.apk in the bin directory