The document discusses OpenShift security context constraints (SCCs) and how to configure them to allow running a WordPress container. It begins with an overview of SCCs and their purpose in OpenShift for controlling permissions for pods. It then describes issues running the WordPress container under the default "restricted" SCC due to permission errors. The document explores editing the "restricted" SCC and removing capabilities and user restrictions to address the errors. Alternatively, it notes the "anyuid" SCC can be used which is more permissive and standard for allowing the WordPress container to run successfully.
This document discusses AWS CodeStar and how it can help developers implement DevOps practices. AWS CodeStar allows developers to easily set up development environments, collaborate with teams, and integrate continuous delivery pipelines using AWS services like CodeCommit, CodeBuild, CodeDeploy, and CodePipeline. It provides project templates, team management features, and integrates with tools like Jira. The document demonstrates how to create a CodeStar project and use its dashboard and continuous delivery pipeline. It also provides an overview of the AWS mobile developer tools.
Marcel Birkner works as a staff reliability engineer at Instana, an application performance monitoring solution. He describes a typical day as an SRE, which involves handling alerts, supporting developers and customers, and prioritizing platform security, quality of service, and migrating systems to Kubernetes while embracing Google SRE principles like eliminating toil through automation. Birkner stresses the importance of communication, sharing knowledge, and constantly working to simplify systems to reduce complexity over time.
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ... (apidays)
APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
API orchestration: to build resilient applications
Cherish Santoshi, Sr. Developer Relations Engineer at Orkes
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
CI/CD for a Docker Node.js application using Code* services. This session will walk through what a solution like this would look like, which Code* services are used, how your build will work, and how deploys will work. The purpose of this session is to allow customers to see how to deploy their containerized applications on Amazon Elastic Container Service (ECS) Fargate using our CI/CD solutions. Come with your questions and pain points. We will also talk about how to use Bitbucket as your source control rather than CodeCommit, for the many customers already using Bitbucket and Jenkins.
OpenShift is a Platform-as-a-Service that provides development environments on demand using containers. It automates application lifecycles including build, deploy, and retirement. OpenShift uses containers to package applications and dependencies in a portable way. Red Hat addresses concerns around adopting containers at scale through OpenShift, which provides security, scalability, integration, management and certification capabilities. OpenShift runs on a user's choice of infrastructure and orchestrates applications across nodes using Kubernetes.
My cloud native security talk I gave at Innotech Austin 2018. I cover container and Kubernetes security topics, security features in Kubernetes, including opensource projects you will want to consider while building and maintaining cloud native applications.
Amazon Elastic Container Service for Kubernetes (Amazon EKS) is an upcoming managed service for running Kubernetes on AWS. This session will provide an overview of Amazon EKS, why we built it, and how it works.
CI/CD Pipeline Security: Advanced Continuous Delivery Best Practices: Security Week at the San Francisco Loft (Amazon Web Services)
Continuous delivery (CD) enables teams to be more agile and quickens the pace of innovation. Too often, however, teams adopt CD without putting the right safety mechanisms in place. In this talk, we discuss opportunities for you to transform your software release process into a safer one. We explore various DevOps best practices, showcasing sample applications and code with AWS CodePipeline and AWS CodeDeploy. We discuss how to set up delivery pipelines with nonproduction testing stages, failure cases, rollbacks, redundancy, canary testing and blue/green deployments, and monitoring. We'll discuss continuous delivery practices for deploying to Amazon EC2, AWS Lambda, and Containers (such as Amazon ECS or AWS Fargate).
Level: 200
Speaker: Leo Zhadanovsky - Principal Solutions Architect, Cloudstart, AWS
- Microservices architecture breaks applications into small, independent services that focus on specific tasks and communicate over well-defined interfaces. This improves scalability, flexibility and allows for independent development and deployment of services.
- The architecture promotes separating concerns, with each small service handling a single "verb" of the application and teams owning service groups. Services are stateless and communicate asynchronously over lightweight protocols.
- Automating deployment through containerization allows for easy rollout of new versions with zero downtime and elastic scaling of services based on demand. Monitoring provides visibility into technical and business metrics of the distributed system.
Scaling Prometheus Metrics in Kubernetes with Telegraf | Chris Goller | Influ... (InfluxData)
Scaling Prometheus in Kubernetes seems easy with service-discovery, but quickly devolves into manual DevOps snowflake setup. Additionally, a single developer is able to overwhelm a federated Prometheus setup and impact the system as a whole without being able to self-service debug. In this talk, Chris will focus on a variety of architectures using Telegraf to scale scraping in Kubernetes and empower developers.
He’ll describe his experiences around scaling /metrics in the microservices of InfluxData’s Cloud 2.0 Kubernetes system…as he was the single developer that added just one more label…
Kubernetes Clusters Security with Amazon EKS (CON338-R1) - AWS re:Invent 2018 (Amazon Web Services)
In this session, we discuss best practices for securing your Kubernetes deployments on AWS. We cover how to use AWS IAM with Kubernetes role-based access control (RBAC) for new or existing Kubernetes deployments, and we dive deep into how Amazon EKS implements secure cluster configuration by default.
Navigating Disaster Recovery in Kubernetes and CNCF Crossplane (Carlos Santana)
This document discusses disaster recovery strategies in Kubernetes and Crossplane. It defines disaster recovery as business continuity planning for larger, less frequent events like natural disasters or technical failures. The key metrics for disaster recovery are recovery time (RTO) and recovery point (RPO). It presents different disaster recovery strategies on a spectrum from backup and restore with high RTO/RPO to multi-site active-active configurations with near real-time RTO/RPO. The document then discusses Crossplane's support for disaster recovery through configuration package upgrades, CRD version rollbacks, and integration with backup tools like Velero. It provides an example disaster recovery scenario restoring databases and Kubernetes clusters across availability zones.
A Comprehensive Introduction to Kubernetes. This slide deck serves as the lecture portion of a full-day Workshop covering the architecture, concepts and components of Kubernetes. For the interactive portion, please see the tutorials here:
https://github.com/mrbobbytables/k8s-intro-tutorials
The document discusses Amazon EKS (Elastic Kubernetes Service), which allows users to run Kubernetes on AWS. It highlights that EKS manages the control plane for users and provides native integrations with other AWS services like load balancers, IAM, and container registry. The document also summarizes key capabilities like high availability of the Kubernetes masters, networking options, version upgrades, and how to provision Kubernetes nodes on EKS.
This document discusses enhancing the developer experience on AWS. It discusses how developer experience is about maximizing software development effectiveness through simplifying development, deployment, operations and support. It then discusses modern developer expectations and why developer experience is important for fast experimentation, reducing waste, and producing working and productive software. It provides an overview of the cloud development flow and various AWS services that can be used locally and in the cloud to code, build, collaborate, use serverless technologies and popular IDEs, demonstrate applications, automate infrastructure provisioning, observe applications, and use services like AWS X-Ray for observability purposes.
At AWS re:Invent, we have launched support for blue/green deployments for services hosted using AWS Fargate and Amazon Elastic Container Service (Amazon ECS). Blue/green deployments help you minimize downtime during application updates. They allow you to launch a new version of your application alongside the old version and test the new version before you reroute traffic to it. You can also monitor the deployment process and, if there is an issue, quickly roll back.
In this workshop, you will create a new service in AWS Fargate that uses AWS CodeDeploy to manage the deployments, testing, and traffic cutover for you.
DevOps core principles
CI/CD basics
CI/CD with an ASP.NET Core Web API and an Angular app
IaC: why and what?
Demo using Azure and Azure DevOps
Docker: why and what?
Demo using Azure and Azure DevOps
Kubernetes: why and what?
Demo using Azure and Azure DevOps
Improving Infrastructure Governance on AWS - AWS June 2016 Webinar Series (Amazon Web Services)
As your teams and infrastructure grow, it becomes more difficult to track IT resource changes as well as identify who made changes and when. It also becomes harder to enforce standards for your infrastructure resources, resulting in configuration drift and potential security issues. On AWS, you can easily standardize infrastructure configurations for commonly used IT services while also enabling self-service provisioning for your company. Once these resources are provisioned, you can then track how these resources are connected and monitor configuration changes and drift. In this session, we will discuss how you can achieve a sophisticated level of standardization, configuration compliance, and monitoring using a combination of AWS Service Catalog, AWS Config, and AWS CloudTrail.
Learning Objectives:
Understand how to use AWS services to enable governance while providing self-service
Learn to codify your business policies to promote compliance
How to improve security without sacrificing developer productivity
Today, the development and operations landscape has shifted to a more collaborative model merging the two (DevOps). Developers need to know much more about the operational components of their software - especially around network programming, services development, and continuous deployment. Likewise, the developer's IT counterpart needs to know much more about development - especially around infrastructure automation (Chef/Puppet), automated testing, and continuous deployment.
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Serverless Streaming Data Processing using Amazon Kinesis Analytics (Amazon Web Services)
by Adrian Hornsby, Technical Evangelist, AWS
As more and more organizations strive to gain real-time insights into their business, streaming data has become ubiquitous. Typical streaming data analytics solutions require specific skills and complex infrastructure. However, with Amazon Kinesis Analytics, you can analyze streaming data in real-time with standard SQL—there is no need to learn new programming languages or processing frameworks. In this session, we dive deep into the capabilities of Amazon Kinesis Analytics using real-world examples. We’ll present an end-to-end streaming data solution using Amazon Kinesis Streams for data ingestion, Amazon Kinesis Analytics for real-time processing, and Amazon Kinesis Firehose for persistence. We review in detail how to write SQL queries using streaming data and discuss best practices to optimize and monitor your Amazon Kinesis Analytics applications. Lastly, we discuss how to estimate the cost of the entire system.
Asymmetric multi-processing (AMP) systems fulfill the need for high performance and real-time behaviour by combining the responsiveness of an MCU with the processing power of an application processor that runs a full OS.
This talk will present a technical overview of asymmetric multiprocessing platforms, focusing on motivations, use cases and how to handle inter-processor communication between the MCU and the MPU in practice.
OpenStack is open source software for creating private and public clouds; it is a coordinated collection of software from a few dozen related projects. This presentation gives you an introduction to the OpenStack community and the basics of how to contribute to OpenStack projects.
OpenStack Thailand Chapter - User and Contributor MeetUp #1 at EGA on November 30, 2016
OpenShift 4, the smarter Kubernetes platform (Kangaroot)
OpenShift 4 introduces automated installation, patching, and upgrades for every layer of the container stack from the operating system through application services.
This document provides an overview of how APIs are defined and served in the Kubernetes API server (kube-apiserver). It describes:
- How API types are defined using Golang types and registered with the API server's scheme
- How the generic API server handles requests and calls back to installed API groups
- How custom resource definitions (CRDs) are supported via the CRD and aggregator APIs
- Key components like conversion, defaulting, storage, and filters that process each request
- Live debugging techniques for the API server using tools like mux routers and request tracing
In 3 sentences or less, it outlines the architecture of the Kubernetes API server for defining, registering, and serving custom
Red Hat OpenShift on Bare Metal and Containerized Storage (Greg Hoelzer)
OpenShift Hyper-Converged Infrastructure allows building a container application platform from bare metal using containerized Gluster storage without virtualization. The document discusses building a "Kontainer Garden" test environment using OpenShift on RHEL Atomic hosts with containerized GlusterFS storage. It describes configuring and testing the environment, including deploying PHP/MySQL and .NET applications using persistent storage. The observations are that RHEL Atomic is mature enough to evaluate for containers, and Docker/Kubernetes with containerized storage provide an alternative to virtualization for density and scale.
Minishift allows users to run OpenShift locally by downloading the Minishift binary from GitHub and executing "./minishift start" in their terminal to launch a single-node OpenShift cluster using a hypervisor like xhyve, providing access to the web console. Users can then log in and interact with the local OpenShift deployment, getting support via the Minishift IRC channel or mailing list.
OpenShift v3 uses an overlay VXLAN network to connect pods within a project. Traffic between pods on a node uses Linux bridges, while inter-node communication uses the VXLAN overlay network. Services are exposed using a service IP and iptables rules to redirect traffic to backend pods. For external access, services are associated with router pods using a DNS name, and traffic is load balanced to backend pods by HAProxy in the router pod.
OpenShift is Red Hat's container application platform that provides a full-stack platform for deploying and managing containerized applications. It is based on Docker and Kubernetes and provides additional capabilities for self-service, automation, multi-language support, and enterprise features like authentication, centralized logging, and integration with Red Hat's JBoss middleware. OpenShift handles building, deploying, and scaling applications in a clustered environment with capabilities for continuous integration/delivery, persistent storage, routing, and monitoring.
Red Hat OpenShift V3 Overview and Deep DiveGreg Hoelzer
OpenShift is a platform as a service product from Red Hat that allows developers to easily deploy and manage applications using containers. It provides developers with a common platform to build, deploy and update applications quickly using containers. For IT operations, OpenShift improves efficiency and infrastructure utilization through automated provisioning and management of application services. Some key customers highlighted include a large enterprise software company, a major online travel agency, and a leading financial analytics software provider.
Containers for the Enterprise: Delivering OpenShift on OpenStack for Performa...Stephen Gordon
Imagine being able to stand up thousands of tenants with thousands of apps, running thousands of Docker-formatted container images and routes, all on a self-healing cluster. Now, take that one step further with all of those images being updatable through a single upload to the registry, and with zero downtime. In this session, Steve Gordon of the Red Hat OpenStack Platform team will show you just that. Steve will walk through a recent benchmarking deployment using the Cloud Native Computing Foundation’s (CNCF) new 1,000 node cluster with OpenStack and Red Hat’s OpenShift Container Platform, the enterprise-ready Kubernetes for developers.
Ultimate DevOps - Jenkins Enterprise & Red Hat OpenShiftAndy Pemberton
This document discusses using OpenShift and CloudBees Jenkins Platform together for DevOps. OpenShift is a PaaS built on Docker and Kubernetes that allows deploying applications and services. Jenkins can be easily started and integrated with OpenShift to use it as an elastic runtime or deployment target. Jenkins Pipeline allows defining CI/CD pipelines as code. A live demo shows using OpenShift from a Jenkins Pipeline to build and deploy an application. Additional resources are provided to learn more about the OpenShift and CloudBees integration.
OpenShift In a Nutshell - Episode 03 - Infrastructure part IBehnam Loghmani
Episode 03 of "OpenShift in a nutshell" presentations in Iran OpenStack community group
This episode is about master's components and high availability masters.
I hope you will find it useful.
OpenShift In a Nutshell - Episode 04 - Infrastructure part IIBehnam Loghmani
Episode 04 of "OpenShift in a nutshell" presentations in Iran OpenStack community group
This episode is about Nodes, Kublet, Image registry and web console of OpenShift.
I hope you will find it useful.
OpenShift In a Nutshell - Episode 05 - Core Concepts Part IBehnam Loghmani
Episode 05 of "OpenShift in a nutshell" presentations in Iran OpenStack community group
This episode is about core concepts in openshift.
Part 1 include concepts of Containers, Images, Pods and services
I hope you will find it useful.
OpenShift In a Nutshell - Episode 06 - Core Concepts Part IIBehnam Loghmani
Episode 06 of "OpenShift in a nutshell" presentations in Iran OpenStack community group
This episode is about core concepts in OpenShift.
Part 2 includes concepts of Users, Projects, Builds and Image streams
At the end of presentation you can find a link that helps you to setup OpenShift in your local system ( this setup is not a enterprise setup and it's only for creating a small test environment ).
I hope you will find it useful.
1) The document describes an Azure Resource Manager (ARM) template for deploying OpenShift Enterprise on Azure. It provisions masters, infra nodes, and worker nodes with load balancing and storage.
2) The ARM template automates the entire deployment process through nested templates for each resource and Bash scripts for configuration. It handles naming, load balancing, storage, networking, and more.
3) The goal is to create a production-ready reference architecture for OpenShift on Azure and automate the deployment process through the ARM template. Current work focuses on deployment, storage, authentication, and documentation. Future work includes additional features and integrations.
This document discusses DevOps workflows using OpenShift and ManageIQ. It describes using GitLab for source code management, CI/CD, and collaboration. OpenShift is used as a platform for deploying and managing containerized applications. ManageIQ orchestrates provisioning of the DevOps tools including FreeIPA for authentication, GitLab, and OpenShift. The ecosystem is integrated through a CI/CD pipeline that builds, tests, reviews, and deploys code changes from a Git repository to OpenShift.
OpenShift In a Nutshell - Episode 02 - ArchitectureBehnam Loghmani
Episode 02 of "OpenShift in a nutshell" presentations in Iran OpenStack community group
This episode is about different layers, architecture, security in OpenShift.
I hope you will find it useful.
Developing microservices with wildfly swarm and deploying on openshiftandreas kuncoro
The document discusses developing microservices with WildFly Swarm and deploying them on OpenShift. It covers how WildFly Swarm allows Java EE components to be packaged independently as microservices. It also explains how OpenShift provides the prerequisites for managing microservices like automated deployment, service discovery, and containers. The key takeaways are that Java EE is still relevant through projects like WildFly Swarm, which enable microservices, and that OpenShift's PaaS capabilities complement a microservices architecture.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Kubernetes Story - Day 1: Build and Manage Containers with PodmanMihai Criveti
OpenShift Workshop Day 1: https://www.youtube.com/watch?v=3IuaZu8-fsY - Build and Manage Containers with Podman
In this workshop you'll learn how to build and manage containers, publish images to Quay, then install and deploy containers onto OpenShift.
Do any VM's contain a particular indicator of compromise? E.g. Run a YARA signature over all executables on my virtual machines and tell me which ones match.
Running Docker in Development & Production (#ndcoslo 2015)Ben Hall
The document discusses running Docker in development and production. It covers:
- Using Docker containers to run individual services like Elasticsearch or web applications
- Creating Dockerfiles to build custom images
- Linking containers together and using environment variables for service discovery
- Scaling with Docker Compose, load balancing with Nginx, and service discovery with Consul
- Clustering containers together using Docker Swarm for high availability
Deploying Windows Containers on Windows Server 2016Ben Hall
This document discusses deploying Docker containers on Windows Server 2016. It provides an introduction to Docker and containers, explains how containers work on Windows, and demonstrates how to deploy common applications like IIS and ASP.NET within Windows containers. It also covers building Windows-based Docker images, running containers in production, and the future of containers on Windows platforms.
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
This document discusses strategies for automating Drupal deployments using Linux containers, Vagrant, and Docker. It begins with an overview of virtual machines and their disadvantages compared to containers. It then covers using Linux containers (LXC), Vagrant, and Docker to build and deploy containerized Drupal environments that can be easily reproduced and deployed across different systems. The document provides examples of building Drupal containers using LXC, Vagrant, and Docker that take advantage of their portability and reproducibility.
ContainerD is a daemon that controls the runC runtime to execute and manage containers according to the OCI specification. It has a gRPC API and a low-level CLI (ctr) for debugging. ContainerD is designed to be embedded in larger systems rather than directly used by end-users. It focuses on container execution, images, storage, and networking.
This document summarizes a Docker workshop that covers:
1. Running Docker containers, including starting containers interactively or detached, checking statuses, port forwarding, linking containers, and mounting volumes.
2. Building Docker images, including committing existing containers or building from a Dockerfile, and using Docker build context.
3. The official Docker Hub for finding and using common Docker images like Redis, MySQL, and Jenkins. It also covers tagging and pushing images to private Docker registries.
This document summarizes the key topics covered in Day 2 of a Docker and container technology introduction and hands-on course, including:
1) An overview of Docker Hub and how it relates to GitHub for automatically building images
2) Basic Git commands
3) Configuring automatic builds on Docker Hub by linking a GitHub repository
4) Docker network and volume commands, and exercises using these commands
5) Using Docker Compose to run multiple connected containers defined in a compose file
6) A demonstration of running TensorFlow using Docker
Docker is an open-source container platform that allows applications to run in isolated containers. It provides lightweight virtualization that is portable and can run anywhere. Fig is a developer-friendly tool that builds upon Docker by providing isolated development environments and allowing applications to be shipped with their configuration through a simple YAML file format. Reconnix uses Docker and Fig to develop and deploy applications in a standardized and portable way.
Wordpress y Docker, de desarrollo a produccionSysdig
This document summarizes a presentation about using Docker for WordPress development and deployment. It discusses using Docker to create development environments for WordPress, building Docker images, and deploying WordPress containers to production using Docker Compose or Kubernetes. It also covers customizing configurations, using Traefik for proxy and SSL termination, backup strategies, and notes that Kubernetes is more complex than Docker for simple use cases.
Introduction to Docker - Learning containerization XP conference 2016XP Conference India
Docker containers package applications and their dependencies to run consistently regardless of environment. Containers are more lightweight than virtual machines and use fewer resources. Docker images define the components of containers. The Dockerfile defines how to build images. Docker Compose defines multi-container applications through a YAML file specifying images, networking, volumes etc.
This document provides an introduction to Docker and containerization. It covers:
1. The differences between virtual machines and containers, and the container lifecycle.
2. An overview of the Docker ecosystem tools.
3. Instructions for installing and using the Docker Engine and Docker CLI to build, run, and manage containers.
4. A demonstration of using Docker Hub to build and store container images.
5. An introduction to Docker networking and volumes.
6. A demonstration of using Docker Compose to define and run multi-container applications.
7. Suggestions for further learning resources about Docker.
Тарас Кирилюк — Docker basics. How-to for Drupal developersLEDC 2016
Docker для чайників. Просто про складне. Використання для локальної розробки. Як Docker може спростити автоматизацію CI Workflow. Досвід використання на реальних Drupal проектах.
This document provides step-by-step instructions for dockerizing a WordPress installation. It describes downloading Docker, creating a Dockerfile to install Apache, MySQL, PHP and WordPress, building a Docker image from the Dockerfile, running the image as a container and configuring WordPress. The summary commits the container changes to an image, tags it, and pushes it to the Docker registry so others can use it.
Docker Networking - Common Issues and Troubleshooting TechniquesSreenivas Makam
This document discusses Docker networking components and common issues. It covers Docker networking drivers like bridge, host, overlay, topics around Docker daemon access and configuration behind firewalls. It also discusses container networking best practices like using user-defined networks instead of links, connecting containers to multiple networks, and connecting managed services to unmanaged containers. The document is intended to help troubleshoot Docker networking issues.
The document discusses Docker containers and Docker Compose. It begins with definitions of containers and images. It then covers using Docker Compose to define and run multi-container applications with a compose file. It shows commands for starting, stopping, and viewing containers. The document also introduces Portainer as a tool for visually managing Docker containers and provides installation instructions for Portainer.
Developing and Deploying PHP with DockerPatrick Mizer
The document discusses using Docker for developing and deploying PHP applications. It begins with an introduction to Docker, explaining that Docker allows applications to be assembled from components and eliminates friction between development, testing and production environments. It then covers some key Docker concepts like containers, images and the Docker daemon. The document demonstrates building a simple PHP application as a Docker container, including creating a Dockerfile and building/running the container. It also discusses some benefits of Docker like portability, separation of concerns between developers and DevOps, and immutable build artifacts.
Kubernetes Story - Day 2: Quay.io Container Registry for Publishing, Building...Mihai Criveti
Friday Brunch - a Kubernetes Story - Day 2: Build containers with Buildah, Skopeo and Quay.io https://www.youtube.com/watch?v=ygJrzMIZiWQ
In this workshop you'll learn how to build and manage containers, publish images to Quay, then install and deploy containers onto OpenShift.
Experience new tools to build, manage and deploy containerized applications following best practices. Learn how to build containers locally with podman, skopeo and buildah, publish and scan containers for vulnerabilities - and deploy containerized applications locally or on cloud using Kubernetes and OpenShift!
Mihai will take you through the process of:
Day 1 = Build: Building and running container images locally with podman, skopeo and buildah. Building containers for years or just getting started? Check out these new tools that help you build and run containers locally, and how they can help you get started with Kubernetes and OpenShift.
Learn some of the best practices on how you can build containers that run as regular users and how to automate the container build process using buildah. Learn about the Universal Base Image and how you can start your image builds from a known, trusted source.
and then over the next two Fridays the story will evolve as follows...
Day 2 = Publish: Publishing container images to quay.io and scanning containers for vulnerabilities and container best practices
Day 3 = Deploy: Getting started with OpenShift using CodeReady Containers or OKD and deploying containers on a Kubernetes Platform (Red Hat OpenShift / OKD / CRC)
3. What is OpenShift?
● Platform as a Service ★ You care about service and its technologies
● Open Source ★ Github hosted code
● Container based ★ Docker and more
● Kubernetes based ★ Do you know Google? :)
● Development oriented ★ Automated builds and much more
● Multitenant ★ Many users, grants, policies and isolation
● Web-based interface ★ Who cares? :)
● Integrated Registries ★ Who needs internet? Local Registries!
● HA configurable ★ Set the replicas and Origin will care
● Integrated metrics ★ Do you like graphs?
● git lover ★ Yeah, we love git!
4. All cool but..
Where is the start button?
$ oc cluster up
-- Checking OpenShift client ... OK
-- Checking Docker client ... OK
-- Checking Docker version ... OK
-- Checking for existing OpenShift container ... OK
-- Checking for openshift/origin:v1.3.1 image ... OK
-- Checking Docker daemon configuration ... OK
-- Checking for available ports ... OK
-- Checking type of volume mount ...
Using nsenter mounter for OpenShift volumes
-- Creating host directories ... OK
-- Finding server IP ...
Using public hostname IP 192.168.123.1 as the host IP
Using 192.168.123.1 as the server IP
-- Starting OpenShift container ...
Starting OpenShift using container 'origin'
Waiting for API server to start listening
OpenShift server started
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ...
Now using project "myproject" on server "https://192.168.123.1:8443".
-- Server Information ...
OpenShift server started.
The server is accessible via web console at:
https://192.168.123.1:8443
5. What are Security Context Constraints?
● OpenShift gives its administrators the ability to manage a set of security context constraints (SCCs) for limiting and securing their cluster.
● Security context constraints allow administrators to control permissions for pods.
SCCs let an administrator control:
1. Whether privileged containers may run.
2. The capabilities a container can request.
3. The use of host directories as volumes.
4. The SELinux context of the container.
5. The user ID for the container.
6. The use of host namespaces and networking.
7. The ‘FSGroup’ for the pod’s volumes.
8. The allowable supplemental groups.
9. Whether a read-only root filesystem is required.
10. The volume types that may be used.
A pod is the smallest compute unit in OpenShift: one or more containers deployed together on one host.
8. Setting up prerequisites for the wordpress container
The following environment variables are also honored for configuring your WordPress instance:
-e WORDPRESS_DB_HOST=... (defaults to the IP and port of the linked mysql container)
-e WORDPRESS_DB_USER=... (defaults to "root")
-e WORDPRESS_DB_PASSWORD=...
$ oc new-app mariadb -e MYSQL_ROOT_PASSWORD=mysecret
--> Found image 1dc122b (3 weeks old) in image stream "mariadb" in project "openshift" under tag "10.1" for "mariadb"
MariaDB 10.1
------------
MariaDB is a multi-user, multi-threaded SQL database server
Tags: database, mysql, mariadb, mariadb101, rh-mariadb101, galera
* This image will be deployed in deployment config "mariadb"
* Port 3306/tcp will be load balanced by service "mariadb"
* Other containers can access this service through the hostname "mariadb"
* This image declares volumes and will default to use non-persistent, host-local storage.
You can add persistent volumes later by running 'volume dc/mariadb --add ...'
...
9. Stop talking: run my container!
$ oc new-app wordpress -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret
--> Found Docker image ed69ee3 (6 days old) from Docker Hub for "wordpress"
* An image stream will be created as "wordpress:latest" that will track this image
* This image will be deployed in deployment config "wordpress"
* Port 80/tcp will be load balanced by service "wordpress"
* Other containers can access this service through the hostname "wordpress"
* This image declares volumes and will default to use non-persistent, host-local storage.
You can add persistent volumes later by running 'volume dc/wordpress --add ...'
* WARNING: Image "wordpress" runs as the 'root' user which may not be permitted by your cluster administrator
--> Creating resources with label app=wordpress
...
$ oc get pods
NAME READY STATUS RESTARTS AGE
wordpress-1-deploy 1/1 Running 0 17s
wordpress-1-072ui 0/1 Error 0 14s
$ oc logs wordpress-1-072ui
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.7. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
10. Ok, fun but..
What happened to my container?
$ oc describe pod/wordpress-1-072ui | head
Name: wordpress-1-072ui
Namespace: myproject
Security Policy: restricted
Node: 192.168.123.1/192.168.123.1
Start Time: Thu, 12 Jan 2017 12:47:04 +0100
Labels: app=wordpress
deployment=wordpress-1
deploymentconfig=wordpress
Status: Running
IP: 172.17.0.7
$ oc debug wordpress-1-072ui
Debugging with pod/wordpress-1-072ui-debug, original command: docker-entrypoint.sh apache2-foreground
Waiting for pod to start ...
Pod IP: 172.17.0.4
If you don't see a command prompt, try pressing enter.
$ id
uid=1000040000 gid=0(root) groups=0(root),1000040000
11. Solutions
For your lovely container
● Edit the ‘restricted’ SCC
OR
● Use the ‘anyuid’ SCC
OR
● Rebuild through Dockerfile
14. Inspecting the ‘restricted’ SCC
$ oc get scc/restricted -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC.
  creationTimestamp: 2016-12-22T10:04:27Z
  name: restricted
  resourceVersion: "102"
  selfLink: /api/v1/securitycontextconstraints/restricted
  uid: 05f68498-c82e-11e6-b2bd-68f7286606f4
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
15. Editing the ‘restricted’ SCC
$ oc get scc restricted -o yaml | grep runAsUser -A1
runAsUser:
  type: MustRunAsRange
$ oc edit scc restricted
securitycontextconstraints "restricted" edited
$ oc get scc restricted -o yaml | grep runAsUser -A1
runAsUser:
  type: RunAsAny
$ oc get pod
NAME                READY   STATUS    RESTARTS   AGE
mariadb-1-l4ycb     1/1     Running   0          2h
wordpress-1-ai3gj   1/1     Running   0          52s
16. Take a look at the container’s logs
$ oc logs wordpress-1-ai3gj
WordPress not found in /var/www/html - copying now...
Complete! WordPress has been successfully copied to /var/www/html
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Thu Jan 12 13:47:46.849951 2017] [unixd:alert] [pid 170] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Thu Jan 12 13:47:46.850406 2017] [unixd:alert] [pid 171] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Thu Jan 12 13:47:46.850735 2017] [unixd:alert] [pid 172] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Thu Jan 12 13:47:46.851119 2017] [unixd:alert] [pid 173] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Thu Jan 12 13:47:46.851398 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations
[Thu Jan 12 13:47:46.851458 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
[Thu Jan 12 13:47:46.851500 2017] [unixd:alert] [pid 174] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
17. A step back to the ‘restricted’ SCC
$ oc get scc/restricted -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: restricted denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC.
  creationTimestamp: 2016-12-22T10:04:27Z
  name: restricted
  resourceVersion: "102"
  selfLink: /api/v1/securitycontextconstraints/restricted
  uid: 05f68498-c82e-11e6-b2bd-68f7286606f4
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
Dropped Capabilities
18. Editing *AGAIN* the ‘restricted’ SCC
$ oc edit scc restricted
securitycontextconstraints "restricted" edited
$ oc get scc restricted -o yaml | grep DropCap -A5
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT
runAsUser:
  type: RunAsAny
$ oc logs wordpress-1-0kz6o
WordPress not found in /var/www/html - copying now...
Complete! WordPress has been successfully copied to /var/www/html
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.4. Set the 'ServerName' directive globally to suppress this message
[Thu Jan 12 14:13:12.437336 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations
[Thu Jan 12 14:13:12.437365 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
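The two edits above (runAsUser switched to RunAsAny, then SETUID and SETGID removed from requiredDropCapabilities) leave a "restricted" SCC that no longer restricts much, and since it is bound to system:authenticated the loosening applies to every user of the cluster. The following POSIX sh script is an added example, not part of the deck: it audits a dump produced by 'oc get scc/NAME -o yaml' against the stock values visible in the earlier restricted SCC output (runAsUser MustRunAsRange, the allowHost*/allowPrivilegedContainer flags false, and KILL, MKNOD, SYS_CHROOT, SETUID, SETGID all dropped). The two fixture files it writes are constructed here and trimmed to the fields the audit reads; the function names and the baseline lists are this example's own.

```shell
#!/bin/sh
# Added example, not from the deck: audit an SCC dump ('oc get scc/NAME -o yaml')
# against the stock 'restricted' values shown on the earlier slides.

# Baseline taken from the deck's 'oc get scc/restricted -o yaml' output
BASELINE_DROPS="KILL MKNOD SYS_CHROOT SETUID SETGID"
BASELINE_FALSE="allowHostDirVolumePlugin allowHostIPC allowHostNetwork allowHostPID allowHostPorts allowPrivilegedContainer"

# scc_type FILE KEY -> the 'type:' value nested under KEY (runAsUser, fsGroup, ...)
scc_type() {
    awk -v key="$2:" '
        $1 == key             { want = 1; next }
        want && $1 == "type:" { print $2; exit }
                              { want = 0 }
    ' "$1"
}

# scc_scalar FILE KEY -> value of a top-level 'KEY: value' line
scc_scalar() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# scc_drops FILE -> entries of the requiredDropCapabilities list, one per line
scc_drops() {
    awk '
        /^requiredDropCapabilities:/ { inlist = 1; next }
        inlist && /^ *- /            { sub(/^ *- /, ""); print; next }
                                     { inlist = 0 }
    ' "$1"
}

# scc_audit FILE -> one finding per line; prints nothing for the stock restricted SCC
scc_audit() {
    file="$1"
    ru=$(scc_type "$file" runAsUser)
    [ "$ru" = "MustRunAsRange" ] ||
        echo "runAsUser ${ru:-unset} (baseline MustRunAsRange): pods may run as any UID, including 0"
    for key in $BASELINE_FALSE; do
        v=$(scc_scalar "$file" "$key")
        [ "$v" = "false" ] || echo "$key ${v:-unset} (baseline false)"
    done
    drops=" $(scc_drops "$file" | tr '\n' ' ')"
    for cap in $BASELINE_DROPS; do
        case "$drops" in
            *" $cap "*) ;;
            *) echo "requiredDropCapabilities no longer includes $cap" ;;
        esac
    done
}

# scc_audit_count FILE -> number of findings
scc_audit_count() {
    scc_audit "$1" | awk 'END { print NR }'
}

# Constructed fixtures: the stock restricted SCC, and the state left after the two
# editing slides (runAsUser RunAsAny, SETUID/SETGID no longer dropped). Trimmed to
# the fields the audit reads; write_scc FILE RUNASUSER_TYPE "CAP CAP ..."
write_scc() {
    {
        for key in $BASELINE_FALSE; do echo "$key: false"; done
        echo "allowedCapabilities: null"
        echo "fsGroup:"
        echo "  type: MustRunAs"
        echo "kind: SecurityContextConstraints"
        echo "requiredDropCapabilities:"
        for cap in $3; do echo "- $cap"; done
        echo "runAsUser:"
        echo "  type: $2"
        echo "seLinuxContext:"
        echo "  type: MustRunAs"
    } > "$1"
}
SCC_DIR=$(mktemp -d)
write_scc "$SCC_DIR/restricted.yaml" MustRunAsRange "$BASELINE_DROPS"
write_scc "$SCC_DIR/restricted-edited.yaml" RunAsAny "KILL MKNOD SYS_CHROOT"

echo "== stock restricted:  $(scc_audit_count "$SCC_DIR/restricted.yaml") finding(s)"
echo "== edited restricted: $(scc_audit_count "$SCC_DIR/restricted-edited.yaml") finding(s)"
scc_audit "$SCC_DIR/restricted-edited.yaml"
```

Run against the anyuid dump on the next slide, the audit reports the same runAsUser and SETUID/SETGID findings, because anyuid widens exactly those settings by design; that is the argument for granting anyuid to a single service account, as the deck does later, rather than loosening the SCC that every authenticated user already falls under.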
22. Inspecting the ‘anyuid’ SCC
$ oc get scc/anyuid -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. This is the default SCC for authenticated users.
  creationTimestamp: 2016-12-22T10:04:27Z
  name: anyuid
  resourceVersion: "103"
  selfLink: /api/v1/securitycontextconstraints/anyuid
  uid: 05f6bbdb-c82e-11e6-b2bd-68f7286606f4
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
- SYS_CHROOT
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
23. Use the ‘anyuid’
How can I do it?
Using Service Accounts
Service accounts provide a flexible way to control API access without sharing a regular user’s credentials.
Every service account has an associated username that can be granted roles, just like a regular user. The username is derived from its project and name:
system:serviceaccount:<project>:<name>
24. Service Account creation and configuration
$ oc project wpoption2
Already on project "wpoption2" on server "https://192.168.123.1:8443".
$ oc create serviceaccount wp-sa
serviceaccount "wp-sa" created
$ oc whoami
system:admin
$ oc adm policy add-scc-to-user anyuid system:serviceaccount:wpoption2:wp-sa
$ oc get scc/anyuid -o yaml | tail
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:wpoption2:wp-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
27. Check if it’s working...
$ oc logs wordpress-2-sqd8f
WordPress not found in /var/www/html - copying now...
Complete! WordPress has been successfully copied to /var/www/html
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.9. Set the 'ServerName' directive globally to suppress this message
[Fri Jan 13 16:15:15.728548 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/5.6.29 configured -- resuming normal operations
[Fri Jan 13 16:15:15.728574 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
$ oc describe pod wordpress-2-sqd8f | head
Name:            wordpress-2-sqd8f
Namespace:       myproject
Security Policy: anyuid
Node:            192.168.123.1/192.168.123.1
Start Time:      Fri, 13 Jan 2017 17:14:58 +0100
Labels:          app=wordpress
                 deployment=wordpress-2
                 deploymentconfig=wordpress
Status:          Running
IP:              172.17.0.9
29. Really?
Why rebuild the container image?
● You may not be the OpenShift cluster administrator
● All the previous solutions require admin privileges
● You should not grant root on third-party containers
30. First:
Locate the Dockerfile
● Search on DockerHub/DockerStore: https://store.docker.com/search?q=wordpress&source=verified&type=image
● Download the Dockerfile: https://github.com/docker-library/wordpress/blob/7d40c4237f01892bb6dbc67d1a82f5b15f807ca1/php5.6/apache/Dockerfile
● Make the edits and upload it somewhere!
31. Inspecting default ‘wordpress’ Dockerfile
FROM php:5.6-apache

# install the PHP extensions we need
RUN set -ex; \
    apt-get update; \
    apt-get install -y \
        libjpeg-dev \
        libpng12-dev \
    ; \
    rm -rf /var/lib/apt/lists/*; \
    docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \
    docker-php-ext-install gd mysqli opcache
# TODO consider removing the *-dev deps and only keeping the necessary lib* packages

# set recommended PHP.ini settings
# see https://secure.php.net/manual/en/opcache.installation.php
RUN { \
        echo 'opcache.memory_consumption=128'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.revalidate_freq=2'; \
        echo 'opcache.fast_shutdown=1'; \
        echo 'opcache.enable_cli=1'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini

RUN a2enmod rewrite expires

VOLUME /var/www/html

ENV WORDPRESS_VERSION 4.7.1
ENV WORDPRESS_SHA1 8e56ba56c10a3f245c616b13e46bd996f63793d6

RUN set -ex; \
    curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz"; \
    echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; \
# upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress
    tar -xzf wordpress.tar.gz -C /usr/src/; \
    rm wordpress.tar.gz; \
    chown -R www-data:www-data /usr/src/wordpress

COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["apache2-foreground"]
32. Editing ‘wordpress’ Dockerfile
FROM php:5.6-apache

# install the PHP extensions we need
RUN set -ex; \
    apt-get update; \
    apt-get install -y \
        libjpeg-dev \
        libpng12-dev \
    ; \
    rm -rf /var/lib/apt/lists/*; \
    docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr; \
    docker-php-ext-install gd mysqli opcache
# TODO consider removing the *-dev deps and only keeping the necessary lib* packages

# set recommended PHP.ini settings
# see https://secure.php.net/manual/en/opcache.installation.php
RUN { \
        echo 'opcache.memory_consumption=128'; \
        echo 'opcache.interned_strings_buffer=8'; \
        echo 'opcache.max_accelerated_files=4000'; \
        echo 'opcache.revalidate_freq=2'; \
        echo 'opcache.fast_shutdown=1'; \
        echo 'opcache.enable_cli=1'; \
    } > /usr/local/etc/php/conf.d/opcache-recommended.ini

RUN a2enmod rewrite expires

VOLUME /var/www/html

# listen on an unprivileged port and make Apache's runtime directories
# group-writable, so the container can run under an arbitrary non-root UID
RUN sed -i 's/Listen 80/Listen 8080/g' /etc/apache2/ports.conf
EXPOSE 8080
RUN chmod g+w /var/log/apache2
RUN chmod g+w /var/lock/apache2
RUN chmod g+w /var/run/apache2

ENV WORDPRESS_VERSION 4.7
ENV WORDPRESS_SHA1 1e14144c4db71421dc4ed22f94c3914dfc3b7020

RUN set -ex; \
    curl -o wordpress.tar.gz -fSL "https://wordpress.org/wordpress-${WORDPRESS_VERSION}.tar.gz"; \
    echo "$WORDPRESS_SHA1 *wordpress.tar.gz" | sha1sum -c -; \
# upstream tarballs include ./wordpress/ so this gives us /usr/src/wordpress
    tar -xzf wordpress.tar.gz -C /usr/src/; \
    rm wordpress.tar.gz; \
    chmod -R 777 /usr/src/wordpress

COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["apache2-foreground"]
33. Editing container’s entrypoint: docker-entrypoint.sh
#!/bin/bash
#set -euo pipefail

# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
    local var="$1"
    local fileVar="${var}_FILE"
    local def="${2:-}"
    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
        exit 1
    fi
    local val="$def"
    if [ "${!var:-}" ]; then
        val="${!var}"
    elif [ "${!fileVar:-}" ]; then
        val="$(< "${!fileVar}")"
    fi
    export "$var"="$val"
    unset "$fileVar"
}
Bash strict mode (set -euo pipefail) commented out
34. Creating a new-app with Dockerfile source
$ oc new-app https://github.com/alezzandro/wordpress-in-userspace -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=mysecret
--> Found Docker image 01b23de (18 hours old) from Docker Hub for "php:5.6-apache"
    * An image stream will be created as "php:5.6-apache" that will track the source image
    * A Docker build using source code from https://github.com/alezzandro/wordpress-in-userspace will be created
    * The resulting image will be pushed to image stream "wordpress-in-userspace:latest"
    * Every time "php:5.6-apache" changes a new build will be triggered
    * This image will be deployed in deployment config "wordpress-in-userspace"
    * Port 8080/tcp will be load balanced by service "wordpress-in-userspace"
    * Other containers can access this service through the hostname "wordpress-in-userspace"
    * WARNING: Image "php:5.6-apache" runs as the 'root' user which may not be permitted by your cluster administrator
--> Creating resources with label app=wordpress-in-userspace ...
    imagestream "php" created
    imagestream "wordpress-in-userspace" created
    buildconfig "wordpress-in-userspace" created
    deploymentconfig "wordpress-in-userspace" created
    service "wordpress-in-userspace" created
--> Success
    Build scheduled, use 'oc logs -f bc/wordpress-in-userspace' to track its progress.
    Run 'oc status' to view your app.
35. Adding ‘emptyDir’ volume and the supplementalGroup
$ oc volume dc/wordpress-in-userspace --add --name=wordpress-volume-1 -t emptyDir --mount-path=/var/www/html
deploymentconfigs/wordpress-in-userspace
$ oc edit dc/wordpress-in-userspace
deploymentconfigs/wordpress-in-userspace
$ oc get dc wordpress-in-userspace -o yaml|grep -A2 security
      securityContext:
        supplementalGroups:
        - 33
$ oc get pods
NAME READY STATUS RESTARTS AGE
mariadb-1-sscl5 1/1 Running 0 40m
wordpress-in-userspace-1-build 0/1 Completed 0 34m
wordpress-in-userspace-3-isov6 1/1 Running 0 15m
$ oc rsh wordpress-in-userspace-3-isov6
$ id
uid=1000140000 gid=0(root) groups=0(root),33(www-data),1000140000
$ ls -ld /var/run/apache2
drwxrwxr-x. 2 www-data www-data 4096 Jan 23 17:27 /var/run/apache2
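The `ls -ld /var/run/apache2` check above verifies one directory by hand. The following POSIX sh script is an added example, not part of the deck, that generalizes it into an offline readiness check for an unpacked image filesystem and its ports.conf, covering the two conditions the rebuilt image had to satisfy: no `Listen` below 1024 (binding such a port needs CAP_NET_BIND_SERVICE, which a non-root UID does not have, hence the AH00072 "Permission denied" seen in the first pod), and Apache's log, lock and run directories group-writable (hence the AH00015 "Unable to open logs"), so that the arbitrary UID, whether through its GID 0 or the supplementalGroup 33 added above, can use them. The directory list, the constructed "before" and "after" fixture layouts and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the deck: offline readiness check of an Apache-based image
# layout for OpenShift's arbitrary non-root UID (with GID 0, as the 'id' output shows).
# The two checks mirror the two failures seen in the pod logs:
#   1. a 'Listen' port below 1024 needs CAP_NET_BIND_SERVICE, which a non-root
#      process lacks -> AH00072 "could not bind to address"
#   2. Apache's log/lock/run directories must be group-writable -> AH00015 "Unable to open logs"
# Directory list, fixture layout and function names are this example's assumptions.

APACHE_RUNTIME_DIRS="var/log/apache2 var/lock/apache2 var/run/apache2 var/www/html"

# low_ports PORTS_CONF -> every Listen port below 1024 ("80", "0.0.0.0:80" and "[::]:80" forms)
low_ports() {
    awk '$1 == "Listen" {
             port = $2; sub(/.*:/, "", port)
             if (port ~ /^[0-9]+$/ && port + 0 < 1024) print port
         }' "$1"
}

# not_group_writable ROOT -> each runtime dir under ROOT that is missing or lacks the
# group-write bit (-perm -020 tests that bit alone, independent of the caller's own access)
not_group_writable() {
    for d in $APACHE_RUNTIME_DIRS; do
        if [ ! -d "$1/$d" ] || [ -z "$(find "$1/$d" -maxdepth 0 -perm -020)" ]; then
            echo "/$d"
        fi
    done
}

# readiness_count ROOT PORTS_CONF -> number of findings; 0 means ready for an arbitrary UID
readiness_count() {
    n=0
    for p in $(low_ports "$2"); do n=$((n + 1)); done
    for d in $(not_group_writable "$1"); do n=$((n + 1)); done
    echo "$n"
}

# Constructed fixtures: 'before' mimics the stock image (Listen 80, dirs 0755),
# 'after' mimics the rebuilt one (Listen 8080, chmod g+w on the runtime dirs).
# make_fixture DIR PORT MODE
make_fixture() {
    for d in $APACHE_RUNTIME_DIRS; do
        mkdir -p "$1/$d" && chmod "$3" "$1/$d"
    done
    mkdir -p "$1/etc/apache2"
    printf 'Listen %s\n' "$2" > "$1/etc/apache2/ports.conf"
}
FIX=$(mktemp -d)
make_fixture "$FIX/before" 80 0755
make_fixture "$FIX/after" 8080 0775

for img in before after; do
    echo "== $img: $(readiness_count "$FIX/$img" "$FIX/$img/etc/apache2/ports.conf") finding(s)"
    low_ports "$FIX/$img/etc/apache2/ports.conf" | sed 's/^/   privileged port: /'
    not_group_writable "$FIX/$img" | sed 's/^/   not group-writable: /'
done
```

Pointed at a real image root (for example one exported with `docker export` and unpacked), the "before" layout reports five findings (port 80 plus the four directories) and the rebuilt layout none, which is the state the `id` and `ls -ld` output above confirms from inside the running pod.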
36. Create a route and check the result
$ oc create -f wp-route.yml
route/wordpress-in-userspace
$ curl http://wpoption3.192.168.123.1.xip.io 2>/dev/null|head
<!DOCTYPE html>
<html lang="en-US" class="no-js no-svg">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="profile" href="http://gmpg.org/xfn/11">
<script>(function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);</script>
<title>Test website – Just another WordPress site</title>
<meta name='robots' content='noindex,follow' />