Containers and Kubernetes


Posts

  • Patrick Dizon
    SSH to worker node (Answered, 3)
    Topic posted July 19, 2019 by Patrick Dizon, tagged Containers, Kubernetes
    Title:
    SSH to worker node
    Summary:
    cannot SSH to worker node
    Content:

    Hello everyone

    I created a custom Kubernetes cluster without LBaaS. When I added a node pool I specified a public key value, and after that each node has a public IP address. The problem now is that when I SSH to one of the worker nodes, it displays the following and asks for a password for the opc user.

    Does anyone know what is wrong with what I did?

    Image: (screenshot not reproduced)
  • Olivier Maurice
    Security problem on FSS hosted volume (3)
    Topic posted May 29, 2019 by Olivier Maurice, tagged Kubernetes
    Title:
    Security problem on FSS hosted volume
    Summary:
    Some pods give a security problem when accessing FSS hosted exports
    Content:

    Hi,

    Not new to Kubernetes but also not an expert. The setting: a Kubernetes cluster (OKE) with the storage behind the PV and PVC residing on File Storage Service (FSS).

    When making a deployment based on Alpine, I can perfectly mount and use the volume in the pod.

    However, when switching to some more meaningful stuff, say MySQL or my latest try, Prometheus, I just cannot make it fly. None of these containers can work with the export. In all cases the PV and PVC are bound.

    This is something security-related, but I just can't figure it out. I have been squashing root or all users to 1 or something in the 65K range; nothing seemed to help.
    I also defined a security context at pod level, to no avail. I am missing something, but it is clear I do not know what.

    What I have in place:

    Storageclass

    kind: StorageClass
    apiVersion: storage.k8s.io/v1beta1
    metadata:
      name: oci-fss
    provisioner: oracle.com/oci-fss
    parameters:
      mntTargetId: ocid1.mounttarget.oc1.eu_frankfurt_1.aaaa...aa
    

    PV

    apiVersion: v1
    kind: PersistentVolume
    metadata:
      name: prometheus-pv
      # PersistentVolumes are cluster-scoped; this namespace field is ignored
      namespace: monitoring
      labels:
        app: prometheus
    spec:
      storageClassName: oci-fss
      capacity:
        storage: 100Gi
      accessModes:
        - ReadWriteMany
      mountOptions:
        - nosuid
      persistentVolumeReclaimPolicy: Delete
      nfs:
        # Replace this with the IP of your FSS mount target in OCI
        server: 10.100.0.3
        # Replace this with the export path of your FSS file system in OCI
        path: "/k8s-prometheus"
        readOnly: false

    PVC
    
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: prometheus-pvc
      namespace: monitoring
    spec:
      storageClassName: oci-fss
      accessModes:
        - ReadWriteMany
      resources:
        requests:
          # A size is required here, but it is not enforced for FSS file systems
          storage: 100Gi
      selector:
        matchLabels:
          app: prometheus

    Deployment

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: prometheus-deployment
      namespace: monitoring
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: prometheus-server
        spec:
          containers:
            - name: prometheus
              # this image runs as user nobody (uid 65534), not root
              image: prom/prometheus:v2.2.1
              args:
                - "--config.file=/etc/prometheus/prometheus.yml"
                - "--storage.tsdb.path=/prometheus/"
              ports:
                - containerPort: 9090
              volumeMounts:
                - name: prometheus-config-volume
                  mountPath: /etc/prometheus/
                - name: prometheus-storage-volume
                  mountPath: /prometheus/
          volumes:
            - name: prometheus-config-volume
              configMap:
                defaultMode: 420   # decimal for 0644
                name: prometheus-server-conf
            - name: prometheus-storage-volume
              persistentVolumeClaim:
                claimName: prometheus-pvc
                readOnly: false

    Log output

    level=error ts=2019-05-29T07:17:48.980589701Z caller=main.go:582 err="Opening storage failed open DB in /prometheus/: open /prometheus/199323036: permission denied"
    level=info ts=2019-05-29T07:17:48.980731276Z caller=main.go:584 msg="See you next time!"

    Thanks for your ideas!

    Olivier
    Version:
    Kubernetes v1.11.5-3
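    Added example for the Prometheus-on-FSS case above (the editor's construction, not the poster's manifest and not Oracle's): the prom/prometheus image runs as user nobody (uid 65534), and the "open /prometheus/199323036: permission denied" line is consistent with that uid being refused write access to the export's directory. Kubernetes does not apply fsGroup to NFS volumes, so a pod-level securityContext on its own never changes ownership on FSS; the Deployment below instead runs a root init container that chowns the directory to 65534, then runs Prometheus as 65534. It assumes the FSS export does not squash root (identity squash set to None) and reuses the PVC and ConfigMap names from the post; the busybox tag is an assumption.

```yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: prometheus-deployment
  namespace: monitoring
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: prometheus-server
    spec:
      # prom/prometheus runs as nobody (uid 65534). Pinning it here makes the
      # identity the NFS server sees explicit. fsGroup is listed for clarity,
      # but Kubernetes does not apply it to NFS-backed volumes, so it does
      # not change ownership on the FSS export.
      securityContext:
        runAsUser: 65534
        fsGroup: 65534
      initContainers:
        # Assumption: root is not squashed on the export, so this container
        # (running as uid 0) can hand the data directory to uid 65534.
        - name: fix-permissions
          image: busybox:1.31   # assumed tag
          command:
            - sh
            - -c
            - chown -R 65534:65534 /prometheus && chmod 0750 /prometheus
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: prometheus-storage-volume
              mountPath: /prometheus/
      containers:
        - name: prometheus
          image: prom/prometheus:v2.2.1
          args:
            - "--config.file=/etc/prometheus/prometheus.yml"
            - "--storage.tsdb.path=/prometheus/"
          ports:
            - containerPort: 9090
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: prometheus-config-volume
              mountPath: /etc/prometheus/
            - name: prometheus-storage-volume
              mountPath: /prometheus/
      volumes:
        - name: prometheus-config-volume
          configMap:
            defaultMode: 420   # 0644
            name: prometheus-server-conf
        - name: prometheus-storage-volume
          persistentVolumeClaim:
            claimName: prometheus-pvc
```

    If root is squashed on the export, the same chown can be done once from a compute instance that mounts the export, or the export's squash target can be set to 65534 and the directory created under that uid; either way the uid Prometheus runs as must own (or at least be able to write) the directory. The nosuid mount option in the PV is unrelated to this failure. Once the data directory is owned correctly the init container only re-walks the tree on each start, so it can be dropped afterwards.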
  • Joydeepta Bhattacharjee
    Microservices and Containerization : Event driven Interaction (Answered, 3)
    Topic posted March 22, 2019 by Joydeepta Bhattacharjee, tagged Containers, Kubernetes, Tip
    Title:
    Microservices and Containerization : Event driven Interaction
    Summary:
    This post is dedicated to open up a developer discussion on implementing a Microservice Architecture Reference over OCI OKE and develop a agile event based approach to provide resiliency and atomicit
    Content:

     

    As microservices have become so evident, and with Oracle finally coming up with a host of Docker images for SOA 12c and subsequently OCI OKE, we have been overwhelmed with various problem statements about designing an effective microservices design pattern. With this note, I would like to really traverse the path of an event-based mechanism, and focus less on orchestrating the pre-conceived steps we were accustomed to taking in the traditional monolithic integration space.

    Challenge in Problem Space

    1. Breaking DDD business entities down and developing CRUD operations, eventually forming the basis for commands
    2. Storing the updates with large business data in a self-contained data store for that business context or domain
    3. Publishing the events, adapting to application changes to decouple subscribers or listeners
    4. Maintaining the atomicity of the change between the action and the event generated and published, allowing compensation during failure
    5. Synchronicity of the query with the change to the event store in near real time, impacting time lag
    6. Complexity of query formation across disparate microservice data stores, and the choice of materialized views over new-edge document-based storage like MongoDB, supporting relational + document structures

    Implementation of CQRS

    It seems that, as the traditional Oracle Cloud BOM does not include any NoSQL storage or document-driven storage in MongoDB for custom queries, we have to rely on materialized views.
    The Spring Boot API-driven framework would be using its repository beans to update the event records in MySQL.
    The update to the Order table that is triggered should also manage the transaction to post to the event store and publish events, without supporting 2PC.
    The application layer may implement a Façade with a dispatcher and router to efficiently route the events to the event store.
    The same dispatcher may be used to query from the materialized view to the presentation layer, to consumers or subscribers, or maybe to a reporting and analytics engine.

    With all these considerations in mind, can we suggest a reference architecture with some framework from Oracle to efficiently implement the pattern?

    These would become more evident as the time has come to socially engineer a microservice with the ability to change and adapt to the business needs of the current time, in a connected world of streams, bots, devices and legacy COTS, more or less to co-exist at least for a while. We also have to look for OKE infrastructure supporting event-based messaging and storage, and build a standard architecture to achieve resiliency.

  • Hasain Sab
    NodeJS application deployment giving Environment Version is not valid. Please fix and retry. (35.0)
    Topic posted January 16, 2017 by Hasain Sab
    Title:
    NodeJS application deployment giving Environment Version is not valid. Please fix and retry.
    Summary:
    NodeJS application deployment giving Environment Version is not valid. Please fix and retry.
    Content:

    NodeJS application deployment giving Environment Version is not valid. Please fix and retry.

    I used to give "runtime":{"majorVersion":"4.4"} earlier in the manifest.json file, and that worked.

    Now it seems the current version of the Node runtime is 6.9.1, so I gave 6.0, 6.3 and 6.9 as well. It is failing and giving me the above error. Please help if anyone has faced the issue or knows what the fix is.

    Thanks,

    Hasain.

  • Raviraj Murdeshwar
    Access to OCCS worker node to deploy external build artifacts for the docker. (35.0)
    Topic posted January 27, 2017 by Raviraj Murdeshwar
    Title:
    Access to OCCS worker node to deploy external build artifacts for the docker.
    Summary:
    Access to OCCS worker node to deploy external build artifacts for the docker.
    Content:

    hi..

    We are trying to evaluate OCCS for our product. Right now, we have Dev and QA environments with the application packaged with Docker. We have external configuration and keytab files stored in a volume which are passed to the Docker container at run time. This lets us use one Docker image for different environments like Dev and QA.

    For OCCS, do you allow SSH access to the worker node, so that we can deploy the config and keytab files?

    Thanks ..

    Raviraj,

  • Joydeepta Bhattacharjee
    Kafka broker in Oracle cloud event hub connectivity through bootstrap service (2)
    Topic posted August 27, 2019 by Joydeepta Bhattacharjee, tagged Containers, Kubernetes
    Title:
    Kafka broker in Oracle cloud event hub connectivity through bootstrap service
    Summary:
    Microservice to connect a Kafka topic and publish message as part of Oracle event hub cloud
    Content:

    Hi Team ,

    Can anyone give me clear information on connecting to a Kafka broker in a cloud event hub? The ZooKeeper is embedded, so I am not able to validate whether the connector and brokers are active or not. When the service tries to connect through the public Internet URL of a Cloud Event Hub - Dedicated service, it times out.

  • Mkothapalli418
    Issue with deploying an application in oracle cloud application container service (25.0)
    Topic posted April 4, 2018 by Mkothapalli418
    Title:
    Issue with deploying an application in oracle cloud application container service
    Summary:
    Issue with deploying an application in oracle cloud application container service
    Content:

    Hi,

    When I am trying to deploy an application in Application Container Service, I see the below error in the activity log. I am also attaching the screenshot for it. Could someone please help with this?

    Apr 4, 2018 3:37:11 PM UTC Activity Submitted
    Apr 4, 2018 3:37:11 PM UTC Activity Started
    Apr 4, 2018 3:37:14 PM UTC Initialized application creation...
    Apr 4, 2018 3:37:16 PM UTC Acquired resources for instance(2G) web.1...
    Apr 4, 2018 3:37:25 PM UTC Started load balancer configuration for service [MyApp].
    Apr 4, 2018 3:37:51 PM UTC Deployed application(v1) for instance(2G) web.1...
    Apr 4, 2018 4:18:13 PM UTC Unable to complete load balancer configuration. LBaaS Error: Request Id [] of [600604-1522856245757:listener_1] failed. Please contact Oracle Cloud Support
    Apr 4, 2018 4:18:16 PM UTC Failed to create application...

    oor.png

  • Jie Zhao
    what is the difference between management node and worker node? Is it necessary to add more management nodes and how? (25.0)
    Topic posted May 25, 2017 by Jie Zhao
    Title:
    what is the difference between management node and worker node? Is it necessary to add more management nodes and how?
    Summary:
    what is the difference between management node and worker node? Is it necessary to add more management nodes and how?
    Content:

    what is the difference between management node and worker node?

    Is management node for Docker management platform (like k8s or Mesos)?

    Is it necessary to add more management nodes and how?

  • Ranjans
    unable to invoke the function in oci (1)
    Topic posted August 22, 2019 by Ranjans, tagged Containers, Docker
    Title:
    unable to invoke the function in oci
    Summary:
    unable to invoke the function in oci
    Content:

    As per the Python SDK, when I am importing the config value, the function is not getting invoked and errors out. The function has been built using Python.

    The following command is used to invoke the function:

    fn invoke app_py pythonfn


    import io
    import json
    import sys

    import oci
    from oci.config import from_file
    from fdk import response

    # This runs at import time, i.e. when the function container starts:
    # from_file() reads ~/.oci/config (or the path passed to it) inside the
    # container, so that file must exist there or the import raises before
    # handler() is ever called.
    config = from_file(profile_name="DEFAULT")
    print(config)  # the original printed "conf", an undefined name (NameError)

    def handler(ctx, data: io.BytesIO = None):
        try:
            body = json.load(data)
    .................
    ....................
    ..........................

  • Joydeepta Bhattacharjee
    Pod to Pod communication with service name Should be followed with Ingress Resource to realise a decouple connection (15.0)
    Topic posted July 20, 2019 by Joydeepta Bhattacharjee, tagged Containers, Docker, Kubernetes, Tip
    Title:
    Pod-to-pod communication by service name should be followed with an Ingress resource to realise a decoupled connection
    Summary:
    Instead of accessing an IP which changes with each deployment, I would like to access the pod deployment through the service created, which is not working in the OCI OKE setup.
    Content:

    [opc@test ~]$ kubectl describe services kube-dns --namespace kube-system

    Name:              kube-dns
    Namespace:         kube-system
    Labels:            addonmanager.kubernetes.io/mode=Reconcile
                       k8s-app=kube-dns
                       kubernetes.io/cluster-service=true
                       kubernetes.io/name=KubeDNS
    Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                         {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","k8s-app":"kube-d...
    Selector:          k8s-app=kube-dns
    Type:              ClusterIP
    IP:                10.96.5.5
    Port:              dns  53/UDP
    TargetPort:        53/UDP
    Endpoints:         10.244.1.21:53,10.244.1.23:53
    Port:              dns-tcp  53/TCP
    TargetPort:        53/TCP
    Endpoints:         10.244.1.21:53,10.244.1.23:53
    Session Affinity:  None
    Events:            <none>
    [opc@test ~]$ kubectl describe svc springbootapp-demo-service
    Name:                     springbootapp-demo-service
    Namespace:                default
    Labels:                   <none>
    Annotations:              <none>
    Selector:                 app=app
    Type:                     LoadBalancer
    IP:                       10.96.157.177
    LoadBalancer Ingress:     132.145.235.116
    Port:                     <unset>  80/TCP
    TargetPort:               8035/TCP
    NodePort:                 <unset>  30963/TCP
    Endpoints:                10.244.0.26:8035,10.244.0.27:8035,10.244.0.30:8035 + 1 more...
    Session Affinity:         None
    External Traffic Policy:  Cluster
    Events:                   <none>

     

    Now when I exec into a pod (kubectl exec -it <pod>) and wget the other pod by FQDN, it is not reached. I also connected a busybox image to debug the kube-dns networking between pods.

    Exec into the pod gives a prompt, as in kubectl exec -it nodejs-deployment-6bffdcb99c-lf8gn sh, and I tried to wget the dummy endpoint below, but it is unreachable even though the IP is looked up.

     wget http://springbootapp-demo-service/demo/test
     Connecting to springbootapp-demo-service(10.96.157.177:8035)

    This has been fixed now by renaming the selector label in the deployment YAML to a unique name, as they are in the default namespace.
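    Added example for the fix described above (the editor's construction, not the poster's manifests): a Service selects every pod in its namespace whose labels match its selector, so with Selector: app=app on springbootapp-demo-service and the same label on the nodejs deployment, both deployments' pods land in the Endpoints list and requests get spread over both. The manifests below give each Deployment its own label and point the Service selector at the Spring Boot pods only; the image names, the nodejs container port and the replica counts are assumptions. One more thing visible in the describe output: the Service listens on port 80 and forwards to targetPort 8035, so in-cluster clients use http://springbootapp-demo-service/ (port 80); the ClusterIP does not answer on 8035.

```yaml
# Spring Boot deployment: label changed away from the shared "app: app"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: springbootapp-demo
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: springbootapp-demo     # was: app: app
  template:
    metadata:
      labels:
        app: springbootapp-demo   # was: app: app
    spec:
      containers:
        - name: springbootapp
          image: springbootapp-demo:1.0   # assumed image name
          ports:
            - containerPort: 8035
---
# Node.js deployment in the same namespace: must not reuse the label above
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nodejs-deployment
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nodejs-demo            # was: app: app
  template:
    metadata:
      labels:
        app: nodejs-demo          # was: app: app
    spec:
      containers:
        - name: nodejs
          image: nodejs-demo:1.0          # assumed image name
          ports:
            - containerPort: 3000         # assumed
---
# Service: the selector now matches only the Spring Boot pods
apiVersion: v1
kind: Service
metadata:
  name: springbootapp-demo-service
  namespace: default
spec:
  type: LoadBalancer
  selector:
    app: springbootapp-demo       # was: app: app
  ports:
    - name: http
      port: 80                    # what clients connect to
      targetPort: 8035            # container port behind it
```

    After applying, kubectl get endpoints springbootapp-demo-service should list only the Spring Boot pod IPs on :8035, and from the nodejs pod wget -qO- http://springbootapp-demo-service/demo/test reaches the API on port 80. Before renaming, kubectl get pods -l app=app is the quick way to see that a label is shared by unrelated deployments.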