Containers and Kubernetes



  • Joydeepta Bhattacharjee

    Yes, to connect and SSH to your worker node you have your opc user and password set against the provisioned OCI node.

  • Joydeepta Bhattacharjee

    Have you tried to access the inter-pod communication through the Service name? Also, bind the Ingress with a domain URL and revert.

  • Hassan Ajan

    Hi Karthik,

    I think you need to look at the header X-Forwarded-For or X-Real-IP, they should contain the IP of the client. 

    Check out for more details. 
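
The header check suggested in the reply above, as an added example that is not part of the original thread: a backend accepts X-Forwarded-For only when the connection comes from a known proxy, and takes the rightmost address that is not one of its own proxies. The CIDR ranges, the sample addresses and the function name `client_ip` are assumptions made for illustration.

```python
import ipaddress

# Constructed, assumed ranges: the load balancer subnet and the pod network
# the ingress controller runs in. Replace with the ranges of your own cluster.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("10.200.1.0/24", "10.244.0.0/16")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def _parse(text):
    """Return an address object, or None for junk such as 'unknown'."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Resolve the client address for one request.

    peer: source address of the TCP connection as the backend sees it.
    xff:  raw X-Forwarded-For value, or None when the header is absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Anyone who can reach the pod directly can send any header they like,
    # so the header only counts when the connection came from a known proxy.
    if not xff or not _is_trusted(peer_addr, trusted):
        return str(peer_addr)
    # Every proxy appends the address it received the request from, so the
    # rightmost entries were written by our own infrastructure. Walk leftwards
    # and stop at the first address that is not one of our proxies.
    candidate = peer_addr
    for hop in reversed(xff.split(",")):
        addr = _parse(hop)
        if addr is None:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr, trusted):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed request: client 203.0.113.9 also sent a forged first entry.
    print(client_ip("10.244.3.7", "192.0.2.1, 203.0.113.9, 10.200.1.5"))
```

Taking the leftmost entry instead would return the forged 192.0.2.1, which matters wherever the address feeds rate limits, allow-lists or audit logs.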




  • Hassan Ajan


    How did you start the project? Did you initialise it like this:

    fn init --runtime python pythonfn
  • John K

    Thanks Ben! I guess I was confused because I was using the SSH command provided but in fact I could log in with

    ssh -i ~/.ssh/id_rsa opc@<>. Appreciate the response!

  • Ben Haworth

    Hi - presuming you mean log in to your compute instance (perhaps worker node?) via the Console Connection then this prompt for username/password is to be expected. 

    If you are working with the OCE service, unless you have done something very bad to a worker node, you shouldn't need to use the Console Connection and should be able to SSH directly to the IP of the worker node - see here:

    The SSH key you uploaded is used to authenticate you against the Console Connection service, which then provides you with a remote session to the Console of the Operating System.  You then need to authenticate against the OS, which is why you are getting a username and password prompt.  If you have not set up a user with local login rights in the OS (or changed/set the OPC user password etc) then you will not be able to log in - at this point the only use for the console connection is by rebooting the instance, you can enter the boot up commands to GRUB, or whatever, to launch maintenance mode and edit the system files to set up a user etc.  More details here:

    Hope that helps.

  • John K

    Thank you kindly Jon-Eric. I'll give this a go today! Very much appreciated.

  • Jon-Eric Eliker

    I understand your frustration.  The Compartment/VCN/Subnet steps are necessary simply because you are working within the Infrastructure service which, by definition, gives you control of the core elements in the environment. I could see a place for some "quickstart" configuration that gives you a basic setup in favor of deploying and testing your code quickly.  Short of that, see the below Terraform code that should give you the basic infrastructure you need for testing Functions like I describe above.  You can use this via Resource Manager in OCI (in the main menu like your original screenshot above) by following these steps below. Note that I assume you are using an administrator account in OCI (which is the case if you are using the first/only account created for you when you started the trial):

    1. Save the Terraform script below as a single file (call it for example)
    2. Zip that file (assume you will now have
    3. In OCI Resource Manager, create a new Stack specifying a Name (which will be suggested if you select the zip file first), Description, and attaching the zip file you created here
    4. On the next screen for the Stack, you'll see prompts for the variables I've defined in the Terraform code
      • Tenancy OCID should default to your OCI account so no change needed
      • Change the Compartment name if you'd like. Remember that a Compartment is a management security structure in OCI and doesn't affect network connectivity or interactions among infrastructure that you deploy. All that to say, the name of the Compartment isn't that exciting and relevant at this stage in the work you're doing
      • Also, the policy name is a variable for you to change. Probably not something you need to change (but I did when testing so I made it a variable)
      • The CIDR range for the network being defined by this script may be something you want to alter. I picked a rather simple 10 address but use 200 in the second octet hopefully to make it easily co-exist with other networks you may have already defined while testing (assuming you would have selected 10.0 or something similar for any networks you already defined). Again, change this if you'd like but keep it at /16 for purposes of other assumptions in the remainder of the script
      • Finally, set the app name to something else if you wish. For Functions, the application is a collection of functions so the name of a "real" application would probably be more descriptive than "hello-world." Here I am assuming your first app may only contain one function.
    5. Complete the Stack definition then, from the Stack details page, use "Terraform Actions" to plan your code (the default plan name suggested is fine)
    6. Once the Plan is complete, click back to the Stack (look at the breadcrumbs navigation near the top where you see "Job Details" last and click to the stack left of that) and use "apply" from the "Terraform Actions" menu. The default name and "automatically approve" are appropriate choices here as well.

    If all goes as planned, you should find a new VCN under Networking in the OCI main menu.  You will need to choose the new compartment (using the Compartment selector in the lower left on the VCNs page) you created with the script in order to see the new VCN listed.

    Hopefully this is useful should you choose to press ahead testing Oracle Functions. Best wishes!

    Mythics, Inc.

    --- code below to copy to a new file ---

    # Empty "${}" interpolations and empty string values below are as they appear
    # in the post; they need their references and values supplied before the
    # configuration will plan.
    variable "tenancy_ocid" {}

    variable "compartment_name" {
        default = "FnDemo"
    }

    variable "policy_name" {
        default = "FnService"
    }

    # The post describes this as a 10.x range with 200 in the second octet, kept at /16.
    variable "vcn_cidr" {
        default = ""
    }

    variable "fn_app_name" {
        default = "hello-world"
    }

    resource "oci_identity_compartment" "demo_compartment" {
        compartment_id = "${var.tenancy_ocid}"
        name = "${var.compartment_name}"
        description = "For demonstration of Oracle Functions"
    }

    # Tenancy-level policy: lets the Functions service read registry repositories.
    resource "oci_identity_policy" "root_demo_policy" {
        compartment_id = "${oci_identity_compartment.demo_compartment.compartment_id}"
        description = "For Fn Service access to tenancy resources"
        name = "${var.policy_name}"
        statements = [
            "Allow service FaaS to read repos in tenancy"
        ]
    }

    # Compartment-level policy: lets the Functions service use the network resources.
    resource "oci_identity_policy" "compartment_demo_policy" {
        compartment_id = "${}"
        description = "For Fn Service access to compartment resources"
        name = "${var.policy_name}"
        statements = [
            "Allow service FaaS to use virtual-network-family in compartment ${}"
        ]
    }

    resource "oci_core_vcn" "demo_vcn" {
        cidr_block = "${var.vcn_cidr}"
        compartment_id = "${}"
        display_name = "Demo VCN"
        dns_label = "demo"
    }

    resource "oci_core_internet_gateway" "demo_ig" {
        compartment_id = "${}"
        display_name = "Internet Gateway"
        vcn_id = "${}"
    }

    resource "oci_core_default_route_table" "demo_route_table" {
        manage_default_resource_id = "${oci_core_vcn.demo_vcn.default_route_table_id}"
        route_rules {
            network_entity_id = "${}"
            cidr_block = ""
        }
    }

    resource "oci_core_subnet" "demo_subnet" {
        cidr_block = "${cidrsubnet(oci_core_vcn.demo_vcn.cidr_block, 8, 1)}"
        compartment_id = "${}"
        display_name = "Public Subnet"
        vcn_id = "${}"
        prohibit_public_ip_on_vnic = "false"
    }

    resource "oci_functions_application" "demo_app" {
        compartment_id = "${}"
        display_name = "${var.fn_app_name}"
        subnet_ids = [
        ]
    }

    output "comp_id" {
        value = "Compartment id is ${}"
    }

    -- code above to be copied to a new file --

  • Jon-Eric Eliker

    I'm seeing now that the end of my post was somehow lost.  Here is a link for a Functions tutorial that you might find interesting:

    Oracle Functions: Set up, creation, and deployment

    Mythics, Inc.


  • John K


    Thank you much for the info. I think the reason this is so frustrating is that every option has a seemingly endless array of prereqs.

    For example, to use Oracle functions I see the following prerequisites:

    Set up your tenancy (see Configuring Your Tenancy for Function Development)
    • Create Groups and Users to use with Oracle Functions, if they don't exist already     
    • Create Compartments to Own Network Resources and Oracle Functions Resources in the Tenancy, if they don't exist already     
    • Create the VCN and Subnets to Use with Oracle Functions, if they don't exist already     
    • Create Policies to Control Access to Network and Function-Related Resources, and more specifically:
      • Create a Policy to Give Oracle Functions Users Access to Oracle Cloud Infrastructure Registry Repositories
      • Create a Policy to Give Oracle Functions Users Access to Function-Related Resources
      • Create a Policy to Give Oracle Functions Users Access to Network Resources
      • Create a Policy to Give the Oracle Functions Service Access to Network Resources
      • Create a Policy to Give the Oracle Functions Service Access to Repositories in Oracle Cloud Infrastructure Registry    

    Configuring Your Client Environment for Function Development

    • Set up an Oracle Cloud Infrastructure API Signing Key for Use with Oracle Functions    
    • Create a Profile in the Oracle Cloud Infrastructure CLI Configuration File
    • Create and Configure a Copy of oci-curl     
    • Install Docker for Use with Oracle Functions
    • Install the Fn Project CLI
    • Create an Fn Project CLI Context to Connect to Oracle Cloud Infrastructure
    • Set the Context for the Fn Project CLI Using the oracle.profile Parameter
    • Generate an Auth Token to Enable Login to Oracle Cloud Infrastructure Registry
    • Start Docker     
    • Log in to Oracle Cloud Infrastructure Registry

    Each of these  steps has its own list of instructions with additional prereqs. I imagine just doing these steps will take me all weekend and even then I'm not confident I'll be able to do this. I'm a developer, not a DevOps person and I just didn't anticipate that deployment would be so difficult. Just venting my frustration but I am obviously lacking in the skills needed to deploy.

  • Jon-Eric Eliker

    Hi John.  You are correct that there are still some outdated tutorials out there related to Oracle Cloud services, which have changed substantially in the past few years.  You should find the information on and to be up-to-date regardless of what you might find through open Internet searching.
    Here you'll find links to almost everything related to Oracle Cloud services.  You'll find the Major divisions "Applications," "Platform," "Infrastructure," and "Resources" at the top. You'll probably be most interested in what you find in Infrastructure (related to OCI) and Platform (services that leverage OCI such as the Developer Cloud Service).
    This is the main documentation set for OCI.

    What likely matches your interests (as I read from your post) will be one of the following:

    • OCI Container Engine for Kubernetes ("OKE")
      Use this to launch and manage Docker instances controlled via Kubernetes.  OCI does much of the setup for you leaving you to create, deploy, and run your Docker images. Notably, this service will probably involve OCI Registry ("OCIR") as well to store your Docker images. Kumar's tutorial link above uses OKE.
    • Oracle Developer Cloud Service
      This is a PaaS service that uses OCI resources (i.e. the servers you use for development and deployment are built in OCI).  You access this from the My Services page and not directly from OCI as shown in your screenshot. I don't recall if trial accounts include Developer Cloud Services but, if so, you can reach that by selecting My Services from the OCI menu then finding Developer Cloud under the My Services page menu (top left hamburger button).
    • OCI Functions
      This one is most intriguing to me.  Functions, based on the open-source Fn project, provides you the means to deploy one or more functions independently. If this is new to you, consider that the goal here is to provide "Functions as a Service" allowing granular control over scaling, costs, and maintenance all the way down to the function level.  This is probably the quickest to deploy of the three options. I did a node "hello world" deployment in about 5 min after reading your message above. There is a bit of overhead for setup if you've never used Functions before (I had for Python work previously) but in all shouldn't take you more than 15-30 minutes the first time and 5 minutes thereafter.
  • Kumar Dhanagopal

    To get started with creating a K8s cluster on Oracle Cloud, you might find this tutorial useful:

    Also see the reference links included at the end of the tutorial.

  • Dario Stella

    Hi, I am having the same issue but with another software running in the pods. Have you fixed it?

    Thanks in advance

  • Karthik Murthy

    Thank you Joydeepta.

    I would like to preserve the IP of my external client that the backend pod sees. Consider the scenario below

    Client -- OCI LoadBalancer -- Ingress -- BackEnd Pod
    (Client IP) -- <Public IP of OCI LB> -------- (Backend Pod IP)

    I expect to see src IP being preserved up to Backend Pod, i.e. the backend pod to see that the request is coming in from Or at least that the request is coming in from the IP of the Ingress Pod. Right now the backend pod sees the request coming in from a private IP of the LB. I hope my expectation is clear.

  • Joydeepta Bhattacharjee

    Is it that you are looking to preserve the IP which your consumer sees when calling the externalised Pod? The ask is not clear. You have an Ingress rule which would give you a host mapped against the OCI Load Balancer IP which your consumer app may use.