diff --git a/OpenShift-On-The-Rocks/OpenShift-Exposing-Application.md b/OpenShift-On-The-Rocks/OpenShift-Exposing-Application.md index 6380ff0..436c266 100644 --- a/OpenShift-On-The-Rocks/OpenShift-Exposing-Application.md +++ b/OpenShift-On-The-Rocks/OpenShift-Exposing-Application.md @@ -27,12 +27,16 @@ In this lab you will: Create the two applications: ```console - $ oc new-app mariadb MYSQL_USER=user MYSQL_PASSWORD=pass MYSQL_DATABASE=testdb -l db=mariadb - --> Found image bde1f31 (3 weeks old) in image stream "openshift/mariadb" under tag "10.3-el8" for "mariadb" + $ oc new-app --name=mariadb --image=docker.io/mariadb \ + MARIADB_RANDOM_ROOT_PASSWORD=True \ + MARIADB_USER=user \ + MARIADB_PASSWORD=pass \ + MARIADB_DATABASE=testdb + --> Found container image 2bb31c7 (2 weeks old) from docker.io for "docker.io/mariadb" ... - $ oc new-app tomcat - --> Found container image 36ef696 (12 days old) from Docker Hub for "tomcat" + $ oc new-app --name=tomcat --image=docker.io/tomcat + --> Found container image a76ed56 (2 weeks old) from docker.io for "docker.io/tomcat" ... ``` 
@@ -131,19 +135,25 @@ In this lab you will: $ oc get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE mariadb ClusterIP 10.217.5.79 3306/TCP 8m5s - mariadbnp NodePort 10.217.4.190 3306:31384/TCP 3s + mariadbnp NodePort 10.217.4.190 3306:30493/TCP 3s tomcat ClusterIP 10.217.5.9 8080/TCP 7m57s ``` - This will expose the upper port 31384 on all the OpenShift nodes, in this + This will expose the upper port `30493` on all the OpenShift nodes, in this case only one, the crc host. - The crc ip can be obtained by using the `crc ip` command, and the `mysql` - client is part of the `mariab` package (`sudo yum -y install mariadb` on RHEL - based systems or `sudo apt install -y mariadb-client-core`): + The crc ip can be obtained by using the `crc ip` command, and the the port + (which is dynamically assigned) can be discovered by using this command: + `oc get service mariadbnp -o jsonpath='{.spec.ports[0].nodePort}'`. + + Everything can be used with the `mysql` client is part of the `mariab` + package (`sudo yum -y install mariadb` on RHEL based systems or `sudo apt + install -y mariadb-client-core`): ```console - $ mysql --host=$(crc ip) --port=31384 --user=user --password=pass --database=testdb + $ mysql --host=$(crc ip) \ + --port=$(oc get service mariadbnp -o jsonpath='{.spec.ports[0].nodePort}') \ + --user=user --password=pass --database=testdb Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 12 Server version: 10.3.28-MariaDB MariaDB Server @@ -151,4 +161,13 @@ In this lab you will: Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type ' + + MariaDB [testdb]> SHOW DATABASES; + +--------------------+ + | Database | + +--------------------+ + | information_schema | + | testdb | + +--------------------+ + 2 rows in set (0.004 sec) ``` diff --git a/OpenShift-On-The-Rocks/OpenShift-Images-Streams.md b/OpenShift-On-The-Rocks/OpenShift-Images-Streams.md index af7d70c..820139f 100644 
--- a/OpenShift-On-The-Rocks/OpenShift-Images-Streams.md +++ b/OpenShift-On-The-Rocks/OpenShift-Images-Streams.md @@ -2,10 +2,10 @@ In this lab you will: -1. As developer create a new project named `testdeploy`. +1. As developer create a new project named `is-test`. 2. Create an ImageStream named `webserver`, and import as `webserver:1.19-perl` - the image coming from `nginxinc/nginx-unprivileged:1.19-perl` into it, - tagging it also `latest`. + the image coming from `docker.io/nginxinc/nginx-unprivileged:1.19-perl` into + it, tagging it also `latest`. 3. Create and expose a `Deployment` by using `oc new-app` naming it `webserver` and getting the image from the image stream `webserver:latest`. 4. Check the automatically created trigger inside the `Deployment` named @@ -14,21 +14,21 @@ In this lab you will: `latest`, and look if the trigger is executed. 6. Import into the `webserver` Image Stream the `1.24-perl` image, tagging also this new one as `latest`, and look if the trigger is executed. -7. Look at the rollout history understand why a rollback to a previous - deployment will not have results, and instead play with tags to move back to - the `1.19-perl` image release. +7. Look at the rollout history and understand why a rollback to the previous 2 + revision will have no results. Fix things so that a rollback to revision 2 + will get the deployment exactly to the `1.19-perl` image release. ## Solution -1. Login as `developer` and create the new `testdeploy` project: +1. Login as `developer` and create the new `is-test` project: ```console $ oc login -u developer Logged into "https://api.crc.testing:6443" as "developer" using existing credentials. ... - $ oc new-project testdeploy - Now using project "testdeploy" on server "https://api.crc.testing:6443". + $ oc new-project is-test + Now using project "is-test" on server "https://api.crc.testing:6443". ... ``` 
@@ -41,20 +41,20 @@ In this lab you will: $ oc get is NAME IMAGE REPOSITORY TAGS UPDATED - webserver default-route-openshift-image-registry.apps-crc.testing/testdeploy/webserver + webserver default-route-openshift-image-registry.apps-crc.testing/is-test/webserver ``` Now import into the newly created image stream the specific `1.19-perl` - image from the public registry `nginxinc/nginx-unprivileged:1.19-perl`: + image from the public registry `docker.io/nginxinc/nginx-unprivileged:1.19-perl`: ```console - $ oc import-image webserver:1.19-perl --from=nginxinc/nginx-unprivileged:1.19-perl --confirm + $ oc import-image webserver:1.19-perl --from=docker.io/nginxinc/nginx-unprivileged:1.19-perl --confirm imagestream.image.openshift.io/webserver imported ... $ oc get is NAME IMAGE REPOSITORY TAGS UPDATED - webserver default-route-openshift-image-registry.apps-crc.testing/testdeploy/webserver 1.19-perl 5 seconds ago + webserver default-route-openshift-image-registry.apps-crc.testing/is-test/webserver 1.19-perl 5 seconds ago ``` Now add the tag `latest` to the imported image so that it will be possible to @@ -66,7 +66,7 @@ In this lab you will: $ oc get is NAME IMAGE REPOSITORY TAGS UPDATED - webserver default-route-openshift-image-registry.apps-crc.testing/testdeploy/webserver latest,1.19-perl 3 seconds ago + webserver default-route-openshift-image-registry.apps-crc.testing/is-test/webserver latest,1.19-perl 3 seconds ago ``` 3. By creating and exposing the new app we're going to get a deployment 
@@ -76,12 +76,12 @@ In this lab you will: ```console $ oc new-app --name=webserver --image-stream=webserver:latest - --> Found image ee54951 (3 months old) in image stream "testdeploy/webserver" under tag "latest" for "webserver:latest" + --> Found image ee54951 (3 months old) in image stream "is-test/webserver" under tag "latest" for "webserver:latest" $ oc expose service webserver route.route.openshift.io/webserver exposed - $ curl -s http://webserver-testdeploy.apps-crc.testing/unavailable | grep nginx + $ curl -s http://webserver-is-test.apps-crc.testing/unavailable | grep nginx
nginx/1.19.10
``` @@ -109,7 +109,7 @@ In this lab you will: "from": { "kind": "ImageStreamTag", "name": "webserver:latest", - "namespace": "testdeploy" + "namespace": "is-test" }, "fieldPath": "spec.template.spec.containers[?(@.name==\"webserver\")].image" } @@ -123,7 +123,7 @@ In this lab you will: command can be used as before: ```console - $ oc import-image webserver:1.21-perl --from=nginxinc/nginx-unprivileged:1.21-perl --confirm + $ oc import-image webserver:1.21-perl --from=docker.io/nginxinc/nginx-unprivileged:1.21-perl --confirm imagestream.image.openshift.io/webserver imported ... ``` @@ -136,15 +136,15 @@ In this lab you will: Tag webserver:latest set to webserver@sha256:a6915075a63fc9da232500402f03268efb3b159e5882190a65090fe24510b3a3. $ oc status - In project testdeploy on server https://api.crc.testing:6443 + In project is-test on server https://api.crc.testing:6443 - http://webserver-testdeploy.apps-crc.testing to pod port 8080-tcp (svc/webserver) + http://webserver-is-test.apps-crc.testing to pod port 8080-tcp (svc/webserver) dc/webserver deploys istag/webserver:latest deployment #2 running for 9 seconds - 1 pod deployment #1 deployed 2 minutes ago 4 infos identified, use 'oc status --suggest' to see details. - $ curl -s http://webserver-testdeploy.apps-crc.testing/unavailable | grep nginx + $ curl -s http://webserver-is-test.apps-crc.testing/unavailable | grep nginx
nginx/1.21.6
``` @@ -165,23 +165,23 @@ In this lab you will: 6. Apply the same process for the `1.24-perl` release: ```console - $ oc import-image webserver:1.24-perl --from=nginxinc/nginx-unprivileged:1.24-perl --confirm + $ oc import-image webserver:1.24-perl --from=docker.io/nginxinc/nginx-unprivileged:1.24-perl --confirm imagestream.image.openshift.io/webserver imported $ oc tag webserver:1.24-perl webserver:latest Tag webserver:latest set to webserver@sha256:33aa22ba83302a9fb73b19a9fca8a4a143084e990e7340c6b88b7318e6a72853. $ oc status - In project testdeploy on server https://api.crc.testing:6443 + In project is-test on server https://api.crc.testing:6443 - http://webserver-testdeploy.apps-crc.testing to pod port 8080-tcp (svc/webserver) + http://webserver-is-test.apps-crc.testing to pod port 8080-tcp (svc/webserver) dc/webserver deploys istag/webserver:latest deployment #3 deployed 14 seconds ago - 1 pod deployment #2 deployed about a minute ago deployment #1 deployed 3 minutes ago 5 infos identified, use 'oc status --suggest' to see details. - $ curl -s http://webserver-testdeploy.apps-crc.testing/unavailable | grep nginx + $ curl -s http://webserver-is-test.apps-crc.testing/unavailable | grep nginx
nginx/1.24.0
``` @@ -231,21 +231,85 @@ In this lab you will: 5 ImageStream 'webserver' set to 1.19-perl 6 ImageStream 'webserver' set to 1.19-perl - $ curl -s http://webserver-testdeploy.apps-crc.testing/unavailable | grep nginx + $ curl -s http://webserver-is-test.apps-crc.testing/unavailable | grep nginx
nginx/1.24.0
``` - The correct approach would be to change back the `latest` tag to point to the - `1.19-perl` image, as was done at the beginning: + The reason for this is simple and is dictated by the deployment trigger, + which looks like this: ```console - $ oc tag webserver:1.19-perl webserver:latest - Tag webserver:latest set to webserver@sha256:8974116f08df4cbeb69bee35437675b225e745e67e6075f43523d9f8230a1191. + $ oc get deployment webserver -o jsonpath='{.metadata.annotations.image\.openshift\.io/triggers}' | jq + [ + { + "from": { + "kind": "ImageStreamTag", + "name": "webserver:latest", + "namespace": "is-test" + }, + "fieldPath": "spec.template.spec.containers[?(@.name==\"webserver\")].image" + } + ] ``` - This will produce the new deployment: - - ```console - $ curl -s http://webserver-testdeploy.apps-crc.testing/unavailable | grep nginx -
nginx/1.19.10
- ``` + So when `latest` changes, a new deployment occurs. Each deployment records + the hash of the image used by the containers, which in our case is: + + - **TAG**: `1.19-perl` + - _DIGEST_: `sha256:8974116f08df4cbeb69bee35437675b225e745e67e6075f43523d9f8230a1191` + - _Revision_: `2` + - **TAG**: `1.21-perl` + - _DIGEST_: `sha256:76c6749c04e02d48a2427ffbe4ef5ff12ee7ad3522a8c009f4e003c0361db6cf` + - _Revision_: `3` + - **TAG**: `1.24-perl` + - _DIGEST_: `sha256:28f1ec6894009918189eee10bed493f1df920dd87f2c44739927004673b16e4c` + - _Revision_: `4` (and latest) + + When rollback occurs, the following sequence happens: + + 1. OpenShift creates a new deployment whose image points to the `1.19-perl` + hash (this becomes Revision 5). + 2. The deployment trigger detects that the current deployment's hash is + different from latest (which still points to `1.24-perl`) and therefore + triggers a new deployment (Revision 6) that points back to latest. + 3. Only by resetting the ImageStream's latest tag to point to `1.19-perl` + can we achieve a realistic rollback. + + The solution described above is impractical and difficult to implement in the + real world. That's why I've corrected the lab so that now the rollback + sequence (remember, this is a manual operation) follows this process: + + 1. Manually delete the latest tag: + + ```console + $ oc tag --delete webserver:latest + Deleted tag is-test/webserver:latest. + ``` + + 2. Perform the rollback operation: + + ```console + $ oc rollout undo deployment webserver --to-revision=2 + deployment.apps/webserver rolled back + ``` + + 3. OpenShift doesn't trigger anything since latest doesn't exist. It becomes + the user's choice to trigger manually, for example with: + + ```console + $ oc tag webserver:1.19-perl webserver:latest + Tag webserver:latest set to webserver@sha256:8974116f08df4cbeb69bee35437675b225e745e67e6075f43523d9f8230a1191. 
+ ``` + + This approach makes the workflow much more comprehensible and applicable to + a production context because: + + - It's explicit: The user has full control over when and how the latest tag + is updated. + - It's predictable: No automatic triggers cause unexpected behavior. + - It mirrors real-world practices: In production, updating the "latest" tag + is typically a deliberate action, often part of a CI/CD pipeline. + + This manual workflow gives you true rollback capability—when you roll back to + revision 2, you actually stay with that version until you explicitly decide + to update the latest tag again. diff --git a/OpenShift-On-The-Rocks/OpenShift-S2I-And-Image-Deployments.md b/OpenShift-On-The-Rocks/OpenShift-S2I-And-Image-Deployments.md index cb868ae..dcf08e5 100644 --- a/OpenShift-On-The-Rocks/OpenShift-S2I-And-Image-Deployments.md +++ b/OpenShift-On-The-Rocks/OpenShift-S2I-And-Image-Deployments.md @@ -133,8 +133,8 @@ In this lab you will: to the ```oc new-app``` command: ```console - $ oc new-app --image=nginxinc/nginx-unprivileged --name=nginx - --> Found container image 9715b46 (2 weeks old) from Docker Hub for "nginxinc/nginx-unprivileged" + $ oc new-app --image=docker.io/nginxinc/nginx-unprivileged --name=nginx + --> Found container image 9715b46 (2 weeks old) from Docker Hub for "docker.io/nginxinc/nginx-unprivileged" ... --> Success ... diff --git a/OpenShift-On-The-Rocks/OpenShift-Secure-Route.md b/OpenShift-On-The-Rocks/OpenShift-Secure-Route.md index 41c11cf..3f6285b 100644 --- a/OpenShift-On-The-Rocks/OpenShift-Secure-Route.md +++ b/OpenShift-On-The-Rocks/OpenShift-Secure-Route.md @@ -31,7 +31,7 @@ In this lab you will: To specifically use the `nginx` image you'll need the '--image=' switch: ```console - $ oc new-app --name=testroute --image=nginxinc/nginx-unprivileged + $ oc new-app --name=testroute --image=docker.io/nginxinc/nginx-unprivileged --> Found container image 4cdc5dd (8 days old) from Docker Hub for "nginx" ... ```
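Review bot: In OpenShift-Exposing-Application.md, hunk @@ -27,12 +27,16 @@, the new `--image=docker.io/mariadb` and `--image=docker.io/tomcat` carry no tag, so the lab pulls whatever `latest` resolves to on the day it is run. The transcript further down the same file still shows `Server version: 10.3.28-MariaDB`, which an unpinned image will not reproduce. Pin a tag or digest on both images and refresh the sample output from that run. The old command also passed `-l db=mariadb` and the new one drops it; if any later step selects on that label, either restore it or update the selector.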
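Review bot: In OpenShift-Exposing-Application.md, hunk @@ -131,19 +135,25 @@, the added prose needs a proofread before merge: "and the the port" has a doubled word, and "Everything can be used with the `mysql` client is part of the `mariab` package" does not parse and carries the old `mariab` typo forward. A sentence such as "The `mysql` client used below is part of the `mariadb` package" says what is meant. The jsonpath lookup for the nodePort is now spelled out both in the paragraph and in the command block; keeping it only in the command block would avoid the two copies drifting apart.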
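Review bot: In OpenShift-Images-Streams.md, hunk @@ -14,21 +14,21 @@, step 7 now reads "a rollback to the previous 2 revision will have no results", which can be read as "revision 2" or as "two revisions back". The following sentence already says "a rollback to revision 2", so use that exact wording in both sentences.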
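Review bot: In OpenShift-Images-Streams.md, hunk @@ -231,21 +231,85 @@, the digests in the new TAG/DIGEST/Revision list disagree with the unchanged transcripts earlier in the file: the list gives `1.24-perl` a digest starting `28f1ec68`, while `oc tag webserver:1.24-perl webserver:latest` in step 6 reports one starting `33aa22ba`, and the `1.21-perl` entry starts `76c6749c` where step 5 shows `a6915075`. Only the `1.19-perl` digest matches. Regenerate the list or the earlier transcripts from a single run. The list also numbers the revisions 2, 3 and 4 while the `oc status` output above shows deployments #1, #2 and #3, so state where revision 1 comes from. The hunk removes the closing `curl ... | grep nginx` check that returned `nginx/1.19.10`; put it back after the `oc rollout undo` step so the reader can confirm the rollback held before `latest` is re-tagged. Lastly, "That's why I've corrected the lab" is change-log wording that belongs in the commit message, not in the lab text.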
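Review bot: In OpenShift-S2I-And-Image-Deployments.md, hunk @@ -133,8 +133,8 @@, the sample output line looks hand-edited rather than re-captured: it keeps the old image id `9715b46` and the wording "from Docker Hub for" while only the quoted image name changes. The refreshed output in OpenShift-Exposing-Application.md reads "from docker.io for", so the two files now show different formats for the same `oc new-app` message. Re-run the command and paste the real output.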
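Review bot: In OpenShift-Secure-Route.md, hunk @@ -31,7 +31,7 @@, the command now uses `docker.io/nginxinc/nginx-unprivileged`, but the unchanged output line right below it still says `from Docker Hub for "nginx"`, which matches neither the new nor the old image name. Update that line from an actual run so the transcript agrees with the command.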