1. Manage OpenShift Container Platform Flashcards
- Use the web console to manage and configure an OpenShift cluster
Get the Web Console URL through oc login command
Login
# login
oc login -u user -p passwd https://api.ocp4.example.com:6443
# Get the console url
oc whoami --show-console
https://console-openshift-console.apps.ocp4.example.com
# Note: https://api.ocp4.example.com:6443 and https://console-openshift-console.apps.ocp4.example.com are
# example URLs from the Red Hat lab
Here is the Web Console documentation.
- Use the command-line interface to manage and configure an OpenShift cluster
You can manage an OpenShift cluster from the web console or by using the kubectl or oc command-line interfaces (CLI).
The kubectl commands are native to Kubernetes, and are a thin wrapper over the Kubernetes API.
The OpenShift oc commands are a superset of the kubectl commands, and add commands for the OpenShift-specific features.
The main method of interacting with an RHOCP cluster is by using the oc command.
To install kubectl, follow the Kubernetes documentation.
To install oc, download it from the web console to ensure that the CLI tools are compatible with the RHOCP cluster.
From the web console, navigate to Help → Command line tools.
Or append /command-line-tools to the console URL.
oc
# login & contexts
oc login $cluster_url
oc login -u user -p passwd $cluster_url
## login with api token: generate & copy the token from the CLI download page
oc login --token=sha256-xxx --server=$cluster_url
oc config
oc config get-contexts
# check cluster version - apis
oc version
oc cluster-info
oc get clusterversion
oc api-versions
oc api-resources
## resources from core api group
oc api-resources --api-group ''
# projects
## create project
oc new-project myapp
## Switch to the specific project
oc project previous-project
## display current project
oc project
# oc get
oc get po
oc status #Display the status of the containers in the selected namespace.
oc get clusteroperators
oc get operators
oc get all # some resources like secrets, serviceaccounts are not displayed by all
…
# For further options
oc -h
- Query, format, and filter attributes of Kubernetes resources
Filtering
You can use the same filters and output formats as with kubectl:
-l
jq
--sort-by
-o jsonpath
- and a subcommand specific flag …
API resources - Filtering
# filter api resources
oc api-resources --namespaced
oc api-resources --api-group '' # resources in the core api
oc api-resources --api-group config.openshift.io
oc get pods -A -l=app=olm-operator
oc explain pod.spec
oc get events -n openshift-image-registry --sort-by .metadata.creationTimestamp
oc get node master01 -o json | jq '.status.conditions'
oc get node master01 -o jsonpath={.status.conditions}
oc get no master01 -o jsonpath='{.status.allocatable}{"\n"}'
oc get no -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.status.addresses[?(@.type=="InternalIP")]}{"\n"}{end}'
- Import, export, and configure Kubernetes resources
As with kubectl you can use create/apply/patch subcommands
oc create/apply/run/patch
oc create -f
oc run
oc apply
oc patch
- Locate and examine container images
Locate - registries
Red Hat distributes container images by using two registries:
registry.access.redhat.com, where no authentication is required
registry.redhat.io, where authentication is required
You can also use other registries, your own or public ones.
Inspect container images with skopeo
Various tools can inspect and manage container images, including the oc image command and skopeo.
Skopeo is another tool to inspect and manage remote container images. With Skopeo, you can copy and sync container images from different container registries and repositories.
To install skopeo, follow the install.md
skopeo login/list-tags/inspect
# log in to a registry where authentication is required
skopeo login $registry
# list available tags of an image
skopeo list-tags docker://registry.access.redhat.com/ubi9/httpd-24
{
"Repository": "registry.access.redhat.com/ubi9/httpd-24",
"Tags": [
"1-229",
"1-217.1666632462",
"1-201",
"1-194.165519"]
# inspect an image
skopeo inspect docker://registry.access.redhat.com/ubi8:latest
{
"Name": "registry.access.redhat.com/ubi8",
"Digest": "sha256:70fc…1173",
"RepoTags": [
"8.7-1054-source",
"8.6-990-source",
"8.6-754",
"8.4-203.1622660121-source",
…output omitted…
# inspect an image with config option to show the image config field
skopeo inspect --config docker://registry.ocp4.example.com:8443/redhattraining/docker-nginx:1.23
…output omitted…
"config": {
"ExposedPorts": {
"80/tcp": {}
},
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NGINX_VERSION=1.23.3",
"NJS_VERSION=0.7.9",
"PKG_RELEASE=1~bullseye"
],
"Entrypoint": [
"/docker-entrypoint.sh"
],
"Cmd": [
"nginx",
"-g",
"daemon off;"
],
"Labels": {
"maintainer": "NGINX Docker Maintainers \u003cdocker-maint@nginx.com\u003e"
},
"StopSignal": "SIGQUIT"
}
# inspect with format option
skopeo inspect --format \
"Name: {{.Name}}\n Digest: {{.Digest}}\n Release: {{.Labels.release}}" \
docker://registry.ocp4.example.com:8443/rhel9/mysql-80:latest
Name: registry.redhat.io/rhel9/mysql-80
Digest: sha256:d282…f38f
Release: 237
…
# copy an image from a SRC registry to a DST registry
skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
# Sync an image between two locations
skopeo sync --src docker --dest docker registry.access.redhat.com/ubi8/httpd-24 registry.example.com/httpd-24
# delete an image
skopeo delete docker://registry.example.com/skopeo:latest
Inspect - retrieve information about image with oc image
The oc image info command inspects and retrieves information about a container image.
You can use the oc image info command to identify the ID/SHA hash and to list the image layers of a container image.
oc image info/append/mirror
oc image info registry.access.redhat.com/ubi9/httpd-24:1-233 --filter-by-os amd64
Name: registry.access.redhat.com/ubi9/httpd-24:1-233
Digest: sha256:4186...985b
...output omitted...
Image Size: 130.8MB in 3 layers
Layers: 79.12MB sha256:d74e...1cad
        17.32MB sha256:dac0...a283
        34.39MB sha256:47d8...5550
OS: linux
Arch: amd64
Entrypoint: container-entrypoint
Command: /usr/bin/run-httpd
Working Dir: /opt/app-root/src
User: 1001
Exposes Ports: 8080/tcp, 8443/tcp
Environment: container=oci
             ...output omitted...
             HTTPD_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/httpd/
             HTTPD_APP_ROOT=/opt/app-root
             HTTPD_CONFIGURATION_PATH=/opt/app-root/etc/httpd.d
oc image append
# to add layers to container images, and then push the container image to a registry.
oc image extract
# to extract or copy files from a container image to a local disk.
# Use this command to access the contents of a container image without first running the image as a container.
oc image mirror
# copy or mirror container images from one container registry or repository to another
- Create and delete projects
oc new-project/project
# create project
oc new-project test-proj
# show current project
oc project
# delete project
oc delete project test-proj
- Examine resources and cluster status
Operators
oc get clusteroperators
oc describe clusteroperators openshift-apiserver
oc get node master01 -o jsonpath={.status.conditions}
oc adm top po -A --sum
- View logs
Logs - Crictl
oc logs $mypod
oc adm node-logs master01 -u crio --tail 1
oc adm node-logs master01 -u kubelet --since='2023-09-10 11:12:13'
# you can ssh to a node and use the crictl command
crictl pods
crictl ps
crictl logs $container
…
- Monitor cluster events and alerts
Events - Components
oc get events -A
oc get events -n openshift-image-registry --sort-by .metadata.creationTimestamp
# check monitoring stack logs
oc get all -n openshift-monitoring --show-kind
NAME READY STATUS RESTARTS AGE
pod/alertmanager-main-0 6/6 Running 85 34d
pod/cluster-monitoring-operator-56b769b58f-dtmqj 2/2 Running 34 35d
pod/kube-state-metrics-75455b796c-8q28d 3/3 Running 51 35d
…output omitted…
oc logs alertmanager-main-0 -n openshift-monitoring
ts=2023-03-16T14:21:50.479Z caller=main.go:231 level=info msg="Starting Alertmanager" version="(version=0.24.0, branch=rhaos-4.12-rhel-8, revision=519cbb87494d2830821a0da0a657af69d852c93b)"
# check cluster components errors/events
oc get co
- Assess the health of an OpenShift cluster
Health - Debug
# Check cluster core components status
oc get co
# check clusteroperators conditions
oc get clusteroperators
oc describe clusteroperators xxx
## check a clusteroperator pods
oc get po -n openshift-apiserver
# check operators
oc get operators
oc get pod -n openshift-dns-operator dns-operator-64688bfdd4-8zklh -o json | jq .status
# examining Cluster Metrics
oc adm top po -A --sum
# you can view Cluster Metrics on Web console
# check Node Status
oc get no
NAME STATUS ROLES AGE VERSION
master01 Ready control-plane,master,compute 35d v1.25.4+77bec7a
oc get node master01 -o json | jq '.status.conditions'
oc get node master01 -o jsonpath=\
'{"Allocatable:\n"}{.status.allocatable}{"\n\n"}'\
'{"Capacity:\n"}{.status.capacity}{"\n"}'
# check node logs
oc adm node-logs master01 -u crio --tail 1
-- Logs begin at Thu 2023-02-09 21:19:09 UTC, end at Fri 2023-03-17 15:11:43 UTC. --
Mar 17 06:16:09.519642 master01 crio[2987]: time="2023-03-17 06:16:09.519474755Z" level=info msg="Image status: &ImageStatusResponse{Image:&Image{Id:6ef8...79ce,RepoTags:[],RepoDigests:
- Troubleshoot common container, pod, and cluster events and alerts
containers - pods
Debug pod/node
# the basics
oc get po
oc logs $mypod
oc describe pod $mypod
# check tag availability if ImagePullBackOff
skopeo list-tags …
# edit/patch/describe pod
oc edit pod $mypod
oc describe pod $mypod
oc patch
# display the status of the containers in the selected namespace.
oc status
# create debug pod for $mypod
oc debug pod/$mypod
# start a remote shell in $mypod directly
oc rsh $mypod
# for further actions, use exec
oc exec $mypod -- $mycmd
Find out more in troubleshooting documentation.
node - cluster
Node Logs - Debug
oc adm node-logs master01
oc adm node-logs master01 -u kubelet --tail 3
# debug node
oc debug node/master01
# possible actions on node
chroot /host
systemctl status kubelet
systemctl is-active crio
# gather cluster debug logs
oc adm must-gather --dest-dir /home/student/must-gather
# gather kube-apiserver logs
oc adm inspect clusteroperator/kube-apiserver --dest-dir /home/student/inspect --since 5m
- Use product documentation
Take a look at the official RHOCP documentation.