Linuxwiki - User contributions [en]

OpenShift Cheatsheet

2026-04-27T14:30:05Z

Sunflower: /* pvc */

Some helpful OpenShift commands which work (at least) since version >= 4.11

updated for version: 4.19

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Resources =
(in common)

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(--api-group='')
(in|without namespace)(openshift specific) (core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)
Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

= Nodes =

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Draining nodes ==
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary when you drain it s. below - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Machines =

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Machinesets ==

Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

== Delete and re-create machines/nodes ==
oc get machines -A | grep worker-<XY> | wc -l
-> MACHINECOUNT
oc annotate machine/<machine-name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
oc scale --replicas=<$MACHINECOUNT+1> machineset <machineset> n openshift-machine-api
oc scale --replicas=$MACHINECOUNT machineset <machineset> -n openshift-machine-api

= Projects/Namespaces =

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

= Registries =
* registry.access.redhat.com
* registry.redhat.io (with login only)
* quay.io
* docker.io

= Images =

Search Images by help of podman:
$ podman search <wordpress>

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
skopeo inspect --config docker://registry.redhat.io/rhel8/httpd-24

Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

== Create pod from image ==

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

= Apps =

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

= Deployments =

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

== Environment variables ==
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret (--prefix=MYSQL_)

== Restart deployment after change ==

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode rwm|rwo --claim-size 1G )

== Remove volume from deployment ==
$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make deployment available from inside/outside ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Add probes ==
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

== Autoscale Pods ==
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

== Reduce/Upgrade cpu/mem requests ==
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

== Security ==
=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

= Pods =

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

= Jobs and Cronjobs =
== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

= Secrets =
== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

= Configmaps =
== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets (REVIEW!)
$ oc get egressips

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Changes with '''patch''' command =

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

== Examples ==
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

Emailserver mit Postfix und Dovecot

2026-03-18T22:50:09Z

Sunflower: /* IMAP konfigurieren */

= Postfix =

Postfix ist ein MTA (Mail Transfer Agent), der eine gute Alternative zu anderen gängigen MTAs (Sendmail, Exim) darstellt, da seine Konfiguration gut lesbar ist.
In unserem Beispiel soll der MTA mit einem IMAPd (Dovecot) verknüpft werden, so dass Benutzer eine Mailbox direkt auf dem System haben. Das Abholen der Mails erfolgt per IMAPs.

== Installation ==

Zunächst muss das Paket „postfix“ installiert werden.
Dabei sind noch ein paar Fragen zu beantworten: 
* '''Art des Servers: '''Internet Site 
* '''Root and postmaster mail recipient:''' ein Postfach eintragen, z.B.postmaster@example.de 
* '''Other destinations to accept mail for (blank for none):''' z.B. mail.example.de, localhost, $mydomain (kann man erstmal die defaults belassen)
* '''Force synchronous updates on mail queue:''' no'''
* '''Local subnets:''' 127.0.0.1/8, 192.168.63.0/24 (hier das eigene Netz ergänzen)
* '''Mailbox size limit:''' 0 (unbegrenzt)
* '''Local address extension character:''' + (i.a. als default ausreichend)
* '''Internet protocols to use:''' all (wenn man nicht explizit ipv4 oder ipv6 sprechen will)

Diese Einstellungen lassen sich jederzeit mit
<console>
# dpkg-reconfigure postfix</console>
ändern.

Alle relevanten Dateien befinden sich im Verzeichnis ''/etc/postfix''.

== Konfiguration ==

Bevor wir zur Postfixconfig kommen, überprüfen wir den Inhalt der Datei /etc/mailname:
<pre>
$ cat /etc/mailname
</pre>
Dort darf '''nur der Domainname''' stehen, nicht der Hostname (e.g. example.com). Andernfalls kann das Auswirkungen auf den Emailversand haben, v.a. wenn in der main.cf (s.u.) auf die Datei referenziert wird.

Die wichtigeste Datei zum Anpassen ist zunächst die '''main.cf'''. Hier ein Beispiel für den Server „mx“ in der Domain example.de. Folgende Parameter sollten konfiguriert sein (exemplarisch):
<pre>
myhostname
mydomain
myorigin
mydestination
</pre>

Meistens gibt es schon ein paar brauchbare defaults. Der Parameter ''mynetworks'' erlaubt es bestimmten Netzen, Emails ohne weitere Einschränkungen einzuliefern.

Beispielconfig:

<pre>
myhostname = mx01.example.de
mydomain = example.de
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.99.0/24 [2001:780:11b::/48] 214.94.24.154 [2004:780:8:0:5ff0:c5ff:fe09:98f9]
</pre>

Vor allem der Parameter '''mynetworks''' sollte mit Bedacht gewählt werden, denn dies sind alle Hosts und Netze, von denen jegliche Emails angenommen werden (auch von ''und'' nach Fremddomains). Fehlkonfigurationen führen hier schnell zum [https://practical365.com/what-is-an-open-relay OpenRelay].

'''Beachte:''' ipv6-Adressen müssen in [eckigen Klammern] geschrieben werden, sonst werden keine Emails ausgeliefert!
Fehler im Logfile:
<pre>
postfix/smtpd[21928]: warning: smtpd_client_event_limit_exceptions: 2a01:40f8:c013:5050::0/64: table lookup problem
</pre>

Nach jeder Änderung ist der Dienst zu reloaden mit dem Befehl
<console>
# postfix reload
</console>

Ob der Restart ordentlich funktioniert hat, kann man z.B. anhand des Logs überprüfen:
<console>
# tail /var/log/mail.log
</console>

=== master.cf ===
Das Kernstück des Postfixdaemons. Hier werden die Transports festgelegt
Bedeutung der Spalten:
* service-Feld: Name des Dienstes (smtp, local, procmail, ...) (str)
* typ-Feld: Verbindungstyp (inet, fifo, unix) (str)
* Zugriffsrecht: Zugriff auch für externe Programme (default: y) (bool)
* unpriv-Feld: Start als unprivilegierter Benutzer (default: y) oder root (n) (bool)
* chroot: Soll der Dienst in einer chroot-Umgebung gestartet werden (default: y) (bool)
* wakeup-Feld: Sekunden zwischen 2 Aufrufen (default: 0) (int)
* Prozessmaximum: Wie viele Prozesse maximal gleichzeitig (default: 50) (int)
Danach erfolgt ein Kommando mit Flags und Parametern (optional).

== TLS ==
Optional kann man mit Zertifikaten verschlüsselte Übertragung von Emails konfigurieren. das funktioniert aber nur dann, wenn der Mailserver der Gegenstelle das Zertifikat auch einbindet. Man kann das Zertifikat auch in einen Mailclient einbinden (s. später).
Die Zertifikatserzeugung kann mit mit [https://letsencrypt.org letsencrypt] erfolgen. Clients zur Zertifikatserzeugung sind [[Webserver_mit_Apache#Alternative_letsencrypt | certbot ]] oder [[Webserver_mit_Apache#Dehydrated | dehydrated]].

=== Zertifikatsgenerierung in Kürze ===
# echo $HOSTNAME > /etc/dehydrated/domains.txt
# dehydrated –register –accept-terms
# dehydrated -c

Dies setzt allerdings einen [[Webserver_mit_Apache | Webserver]] voraus, der auf Port 80 lauscht. Gibt es diesen nicht, kann mal alternativ letsencrypt via DNS verwenden (https://letsencrypt.org/docs/challenge-types).

=== Alternative eigene CA (nicht empfohlen) ===

Wer unbedingt eine eigene CA betreiben will, kann das mit folgender Anleitung tun. Achtung: Das Vorgehen sollte nur gewählt werden, wenn ein zwingender Grund dafür besteht. Viele Browser und MUAs haben Probleme damit, erzeugen hässliche Warnings oder lassen die Seite nicht zu.

==== CA erstellen ====
Wenn noch kein Zertifikat vorhanden ist, kann man sich selbst eines erstellen oder einen CSR (Certificate Signing Request) erstellen und diesen an eine offizielle CA schicken. Soll ein kommerziell genutzter Mailserver entstehen, ist dies der realistische Weg.

Achtung: Dieser Schritt wird nicht gebraucht, wenn es schon eine CA gibt.

Schritte: 
Key erstellen (+Passwort dafür vergeben), Zertifkatsrequest für die CA erstellen, CA erstellen

$ openssl genrsa -out ca.key -des3 4096

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuernberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.de
Organizational Unit Name (eg, section) []:Hostmaster
Common Name (e.g. server FQDN or YOUR name) []:*.example.de
Email Address []:postmaster@example.de

==== Zertifikat mit der neuen CA erstellen ====
Schritte:
• Key erstellen
• Request erstellen
• Zertifikat erstellen und signen

$ openssl genrsa -out mx.example.de.key 4096
(kein Passwort festlegen)

$ openssl req -new -key mx.example.de.key -out mx.example.de.csr
(wieder das Formular ausfüllen as usual)

$ openssl x509 -req -days 365 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mx.example.de.crt

Beim Erneuern des Zertifikats fallen die Schritte „Erstellen der CA“ und Erzeugen des Keys weg. Ferner muss man auch keine Serial mehr angeben.
Der Renew-Befehl lautet also folgendermaßen:
$ openssl x509 -req -days 730 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -out mx.example.de.crt

=== Einbinden in die Config-Datei ===
Dieser Schritt gilt wieder für alle Zertifikate, egal wie sie erzeugt wurden. Die Pfade müssen natürlich entsprechend angepasst werden,

Zertifikate an die entsprechende Stelle kopieren und in der Konfig einbinden:

smtpd_tls_cert_file=/etc/ssl/certs/mx.example.de.crt
smtpd_tls_key_file=/etc/ssl/private/mx.example.de.key
smtpd_tls_CAfile=/etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:
${data_directory}/smtpd_cache
smtp_tls_session_cache_database = btree:
${data_directory}/smtp_scache

Der Parameter smtpd_tls_Cafile entfällt, wenn eine offizielle CA vorhanden ist (z.B. letsencrypt). 
Die Pfade zu den Zertifikaten können abweichen, bei letsencrypt liegen diese z.B. unter ''/var/lib/dehydrated/certs/''.
Überprüfung:
$ openssl s_client -connect mx.example.de:25 -starttls smtp
oder https://www.checktls.com/

Ergänzung:
Manche MTAs wollen ein Zertifikat in pfx-Form. Dieses kann man aus dem cert file wie folgt erzeugen:
$ openssl pkcs12 -export -out mx.example.de.pfx -inkey mx.example.de.key -in mx.example.de.crt
pfx-File und Passwort dem User zukommen lassen.

'''Spoiler:''' 
[[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]] „vergisst“ manchmal das neue Zertifikat und behält die alte Version, d.h. die meisten Mailclients spoolen dann keine neuen Emails mehr. In diesem Fall den Dovecot Service neu starten.

== SASL ==

Zur Vermeidung eines Open Relays ist dringend anzuraten, per default nur das Einliefern mit dem Absender @example.de von bestimmten Netzen zu erlauben. Dieses passiert mit dem Parameter ''mynetworks'' (s.o.).
Nun kann es natürlich passieren, dass Benutzer von einem Mailclient irgendwo im Internet Mails verschicken wollen. Diese wären laut Konfig nicht berechtigt. Da die meisten PCs mit dynamischen Adressen im Internet unterwegs sind, macht es hier auch keinen Sinn, die jeweilige IP-Adresse in der Konfig zu ergänzen. 
Das Problem kann umgangen werden, indem Emails versenden dann erlaubt wird, wenn sich der Benutzer einmal erfolgreich am IMAP-Server authentifiziert hat.
Hierfür gibt es SASL. Die entsprechenden Eintragungen in der main.cf sind:
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

Im Mailclient äußert sich das Verhalten so, dass man beim ersten Senden einer Nachricht sein Mailbox-Passwort angeben muss.
Bevor dieses Feature aktiviert wird, muss es einen IMAP-Server geben (s. [[#Dovecot|nächstes Kapitel]] ).

== Maps ==

Um besser unterscheiden zu können, was mit welchen Absender-/Zieladressen passiert, wird die Konfiguration in sogenannte „Maps“ aufgeteilt. Diese können als Klartext-File oder als Berkley DB vorliegen. In letzterem Fall müssen diese mit dem Kommando '''postmap''' nach jeder Bearbeitung umgewandelt werden. 
Ausnahme: Die Datei /etc/aliases.db (nur relevant für lokale Emailauslieferung) wird mit dem Kommando '''postalias''' oder '''newaliases''' generiert.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Hier werden aliase eingerichtet, die auf eine andere Mailbox mappen. Beispiel:
postmaster: root

=== Access ===
smtpd_sender_restrictions = hash:/etc/postfix/access
Hier können für Aktionen für spezielle Absenderadressen eingerichtet werden. Beispiel:
example.com DISCARD

=== Relocated ===
relocated_maps = hash:/etc/postfix/relocated

Abweisen der Mail mit einem Hinweis. Beispiel:
testy.test "Mails bitte statt an diese Adresse an ich@hier.de senden"

Ergebnis:
<testy.test@example.de>: Recipient address rejected: User has
moved to "Mails bitte statt an diese Adresse an ich@hier.de
senden"

=== Canonical ===
==== Sender ====
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Bestimmte Adressen werden auf ein übliches Standardformat umgeschrieben:

sunflower@example.de petra.sonne@example.de
phun@work.de peter.hun@example.de

==== Recipient ====
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Arbeitet genauso wie sender_canonical, nur für Empfängeradressen.

=== Virtual Mailbox ===
virtual_mailbox_maps = hash:/etc/postfix/virtual
Locations der Mailboxen des imap-Servers (näheres unter [[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]])

sunflower@example.de example.de/sunflower/
testy@example.de example.de/testy
test@example.de example.de/test
lmaa@ihr-koennt-mich-alle.de ihr-koennt-mich-alle.de/lmaa

=== Virtual Aliases ===
virtual_alias_maps = hash:/etc/postfix/virtual_maps

Adressen die auf andere Adressen umgebogen werden (ähnlich wie die aliases), kann auch domainübergreifend passieren.
So können mehrere Empfängeradressen in dieselbe Mailbox laufen.

anrufbeantworter@example.de sunflower@example.de,H.Hirsch@gmx.de,harry1999@yahoo.de
info@example.de sunflower@example.de
postmaster root
webmaster root
administrator root
root sunflower
fortune: fortune
Letzteres ist eine Pipe. Dazu später mehr.

Umwandeln von Text in DB-File und in Postfix einlesen:
postmap <aliases|access|canonical|...>
postfix reload

=== Einfaches Beispiel: Emails von einer Domain auf eine andere weiterleiten ===
Nehmen wir an, wir haben einen Emailserver1 in der Domain example.com. Dieser soll alle Email die an <userXY>@example.com eintreffen, an <userXY>@example.de weiterleiten. Auch hier ist eine Eintrag in der o.g. ''virtual_maps'' Datei nötig:
@example.com @example.de
Nun werden alle example.com-Emails zum zuständigen Emailserver für example.de weitergeleitet. Der user part bleibt unverändert.

=== Transports ===
Transports sind die Art und Weise, wie eine eingehende Mail behandelt wird, z.B. lokal in eine Datei speichern, an einen imap-Server weiterreichen oder ein Script ausführen.

Hier ein Beispiel: 
Wenn auf eine bestimmte Adresse geschickt wird, soll ein Script ausgeführt werden, das dem Absender einen Zufallsspruch zurücksendet '''und''' die Mail gleichzeitig in ein Postfach einliefert.
Schritte:

1. Alias definieren (virtual_maps):

fortune@example.de fortune

2. Alias auf einen Transport mappen (transports):

fortune@example.de randomphrase:

3. Transport definieren (master.cf):

<pre>
randomphrase unix - n n - - pipe
flags=h user=vmail:vmail argv=/usr/local/bin/randomphrase.pl ${sender}
</pre>

(Den User vmail muss es natürlich in der passwd geben, z.B. so:
vmail:x:4000:4000::/home/vmail:/user/sbin/nologin
)

4. Script hinterlegen:
/usr/local/bin/randomphrase.pl
für alle ausführbar machen

Mit dem Script [[ randomphrase.pl ]] wird ein Zufallsspruch erzeugt. Dafür muss das Paket ''fortune-mod'' installiert sein.
Zum Weiterschicken der Email wird das Script /usr/local/bin/deliver_mail.sh aufgerufen. ([[File:Deliver_mail.sh]])
 Hierfür muss der User vmail in der Datei ''/etc/sudoers.d/vmail'' berechtigt werden:
vmail ALL=(root) NOPASSWD: /usr/local/bin/deliver_mail

Eine Email an die Adresse fortune@example.de erzeugt nun eine Antwort an die Absenderadresse mit einem Zufallsspruch.

== Multidomain ==

Natürlich kann Postfix auch Emails für mehrere Domains annehmen. Dafür gibt es den Parameter „virtual_mailbox_domains“:

virtual_mailbox_domains = example.de example.com ihr-koennt-mich-alle.de
Die Variable $mydomain sollte dann aus mydestination entfernt werden.

== Special DNS Records ==
=== SPF (Sender Policy Framework) ===
Mit einem RR-Type TXT kann man eine Liste von Emailservern definieren, die als Absender die Emaildomain verwenden dürfen. Generiert jemand eine Fakeemail von einem anderen System aus, kann diese abgewiesen werden.

Beispiel für einen DNS TXT Record:
IN TXT "v=spf1 mx:example.de a:foo.example.de ip4:8.15.47.11/32 ip6:2008:15:5:47::11/48 ip6:2008:15:5:47::12/48 -all"

Howto: 
https://dmarcian.com/create-spf-record/ 
http://www.open-spf.org/SPF_Record_Syntax/

SPF in Postfix integrieren:

Nun ist die Domain vor Missbrauch vor Fakeeemails geschützt. Jetzt gibt es aber noch die andere Seite zu beachten. Postfix soll ebenfalls die SPF-Records anderer Emaildomains prüfen und die Email ggf ablehnen.
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Hier in Kürze zusammengefasst, was es zu beachten gibt:
# apt install postfix-policyd-spf-python
Die Config-Datei ''/etc/postfix-policyd-spf-python/policyd-spf.conf'' liefert bereits brauchbare Defaults, optional kann man noch eine Whitelist ergänzen z.B.

Domain_Whitelist = example.com
In der master.cf ergänzen:
<pre>
policyd-spf unix - n n - - spawn
user=policyd-spf argv=/usr/bin/policyd-spf
</pre>

In der main.cf ergänzen:
smtpd_recipient_restrictions =
(...)
check_policy_service unix:private/policyd-spf
(…)
'''Achtung:''' Wenn es schon einen check_policy_service Eintrag gibt, '''keinesfalls''' einen weiteren Eintrag anhängen, sondern eine neue Zeile aufmachen!
policy-spf_time_limit = 3600s

# postfix reload

Ein paar Testemails einkippen und mail.log gucken.

=== DMARC (Domain based Message Authentication, Reporting and Conformance) ===
https://dmarcian.com/dmarc-record/

Beispiel für einen DNS TXT Record:
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:postmaster@example.de"

In dem Fall werden verdächtige Emails in einen Quarantäne-Ordner verschoben und ein Report an den postmaster versandt.
Für die Integration in Postfix gibt es das Paket opendmarc.
Implementierung von SPF, DKIM und DMARC in Postfix:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
(untested)

== Nützliche Commands ==
Erzeugen eines database files aus einer Textdatei:
postmap <filename>
Alle Configparameter anzeigen:
postconf
Konfigprüfung:
postfix check
Mailqueue anschauen:
mailq
Alle Messages in der Queue ausliefern:
postqueue -f
Nur eine bestimmte Message ausliefern:
postqueue -i <ID>
Message löschen:
postsuper -d <ID>
Alle Messages löschen (!):
postsuper -d ALL
Inhalt einer Message anschauen:
postcat -vq <ID>

== Logfile ==

Geloggt wird nach ''/var/log/mail.log'' (alles) bzw. Errors nach ''/var/log/mail.err'' und Warnings nach ''/var/log/mail.warn''.
 Protipp: Alias anlegen:
maillog='tail -f /var/log/mail.log'

== Greylisting und Antispam ==

Zur Bekämpfung der Spamflut gibt es das praktische Programm '''„Postgrey“'''. Unter Debian kann dieses als Paket installiert werden. Dieses wird in die main.cf im Abschnitt smtpd_recipient_restrictions eingebunden.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
'''reject_non_fqdn_sender'''
'''reject_non_fqdn_recipient'''
'''reject_rbl_client bl.spamcop.net'''
'''check_policy_service inet:127.0.0.1:10023'''

(Die Blacklist ''dnsbl.sorbs.net'' wurde hier außen vor gelassen, da diese so ziemlich alles blockt, z.B. alle yahoo- oder gmx-Adressen.)
Damit das funktioniert, muss natürlich noch Postgrey selbst an den Start gebracht werden.
Hierfür wird die Datei ''/etc/default/postgrey'' bearbeitet. Hier ein Beispiel:
POSTGREY_OPTS="--inet=10023 --auto-whitelist-clients=8
POSTGREY_TEXT="Busy. Come back in 5 minutes."

Der Service lauscht also auf Port 10023. Im obigen Beispiel wird ein Absender beim 8. erfolgreichen Zustellversuch automatisch gewhitelistet (optionaler Parameter ''--auto-whitelist-clients'', evtl. Zahl erhöhen oder Parameter ganz weglassen).

Anschließend wechselt man ins Verzeichnis ''/etc/postgrey''. Dort gibt es 2 Whitelistings. Die Absender stehen in '''whitelist_clients'''. Dort stehen bereits IPs und Domains diverser Provider. Man kann dort selbst Einträge hinzufügen (z.B. example.ch).

In der Datei '''whitelist_recipients''' kann man alle Empfänger der eigenen Domain eintragen, die auf jeden Fall immer Emails bekommen sollen. z.B. postmaster@, abuse@. 
Beachte: '''Die Dateien müssen explizit eingesourcet werden''', passiert nicht automatisch. Das macht man mit den POSTGREY_OPTS:
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients"

Nach getaner Anpassung, den postgrey-Service (neu)starten.
# service postgrey restart
Überprüfen, ob der Dienst läuft z.B. mit:
# lsof -i :10023
Anschließend Postfix reloaden
# postfix reload
und die Mailbox(en) beobachten, hinsichtlich Spamaufkommen.

''(Quelle: Artikel „Postzusteller“, Admin-Magazin, Ausgabe 03-2013)''

= Dovecot =

Open Source IMAP-Server zum Einliefern der Emails in Postfächer mittels POP3 oder IMAP bzw. IMAPs. Im folgenden wird nur auf IMAPs eingegangen.

== Installation ==

Es empfiehlt sich, den Dovecot auf demselben System zu installieren wie Postfix. Andere Fälle werden hier nicht berücksichtigt.

Installation des imapd mittels
# apt install dovecot-imapd

Dies reicht für alle Grundfunktionen der Emailauslieferung. Für erweiterte Optionen wie z.B. Filterfunktion können weiter dovecot-Pakete wie '''dovecot-antispam, dovecot-sieve''' installiert werden.

User (i.d.F. ''vmail'') als Owner für die Mailboxen anlegen:

useradd -u 4000 -m -d /home/vmail -s /user/sbin/nologin vmail

== Konfiguration ==

Configdateien in ''/etc/dovecot/conf.d'' anpassen.
Die Datei ''/etc/dovecot/dovecot.conf'' inkludiert per Default alle Dateien unter conf.d/*.conf.

=== Usermanagement ===

Hier ein Beispiel, wo User in einer separaten Datei abgelegt werden.

''10-auth.conf:''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login
!include auth-master.conf.ext
</pre>
Wenn kein auth über pam:
#!include auth-system.conf.ext

Plaintext Auth kann man erlauben, weil die User-Passwörter als gehashter String übertragen werden. Für die Kommunikation zwischen Postfix und Dovecot spielt das ohnehin keine Rolle, da sich beide Dienste auf einem Server befinden. Der Zugriff von einem MUA aus wird über TLS/SSL erfolgen (s.u.).

master user anlegen (optional):
<pre>
doveadm pw -p supergeheim -s SHA512-CRYPT -u administrator@example.de
</pre>
Den Output zusammen mit dem Usernamen in die Datei master-users pasten.
<pre>
cat ../master-users
administrator@example.de:{SHA256-CRYPT}$5$9zrt7/e2CDkPmSuA$SNEkm/L4XZcYFAbYkJp5ESl9u35fVBSd4ukO0dm5yp3
</pre>

Sonstige User anlegen:
<pre>
doveadm pw -p strenggeheim -s SHA512-CRYPT -u sunflower@example.de
</pre>
→ /etc/dovecot/users:
<pre>
sunflower:{SHA256-CRYPT}$5$D3PhhtqUhRXT7cmZ$E5244BpvNafb.9FtbhF9AUfbvw8XpnOJhPyM/q/rRN2:::Sun Flo,,,:/var/mail/example.de/sunflower:/bin/false
</pre>
Hier sollten keine Abkürzungen wie ''%d'' oder ''%n'' stehen, weil diese nicht (von sieve, s.u.) bzw. nur teilweise (von dovecot) interpretiert werden.

Damit der Account auch Email bekomemn kann, ergänzt man die virtual table im Postfix directory:
cat sunflower@example.de example.de/spambucket >> /etc/postfix/virtual
Aktivieren mit
postmap virtual
postfix reload

=== Dateirechte ===

Die Files master-users, users sollten nur von dovecot gelesen werden können!
<pre>
# chgrp dovecot /etc/dovecot/*users
# chmod o-r /etc/dovecot/*users
</pre>
Mailbox anlegen und User berechtigen:
<pre>
# maildirmake.dovecot /var/mail/<domain>/<username>
# chown -R vmail.vmail /var/mail/<domain>/<username>
</pre>

User im Postfix anlegen, in den virtual maps, s. o.

Kontrolle:
<pre>
# doveadm user <username>
</pre>

=== IMAP konfigurieren ===
Protipp: erstmal conf.d wegsichern:
<pre>
rsync -av /etc/doveconf/conf.d /etc/doveconf/conf.d.orig
</pre>
Folgende Konfigurationsdateien in conf.d entsprechend anpassen:
* '''10-auth.conf'''
<pre>
auth_allow_cleartext = yes
auth_username_format = %{user|username|lower}
auth_master_user_separator = *
auth_mechanisms = plain login

!include auth-master.conf.ext
!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
</pre>
* '''10-mail.conf'''
<pre>
# den parameter mail_location gibt es nicht mehr
mail_driver = maildir
mail_home = /var/mail/%{user | domain}/%{user}
mail_path = %{home}
namespace inbox {
inbox = yes
}
mail_uid = 4000
mail_gid = 4000
mail_privileged_group = mail
protocol !indexer-worker {
}
</pre>
* '''10-master.conf'''
<pre>
service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
}
}
service auth {
unix_listener auth-userdb {
 user = vmail
 group = vmail
}
unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
}
}
service stats {
unix_listener stats-reader {
 user = vmail
 group = vmail
 mode = 0660
 }

unix_listener stats-writer {
 user = vmail
 group = vmail
 mode = 0660
 }
}
</pre>
* '''10-ssl.conf'''
<pre>
# (z.B. Postfix certs verwenden)
ssl = yes
ssl_server_cert_file = /etc/dovecot/private/dovecot.pem
ssl_server_key_file = /etc/dovecot/private/dovecot.key
ssl_min_protocol = TLSv1.2

#ssl_client_ca_dir = /etc/ssl/certs
#ssl_dh = </usr/share/dovecot/dh.pem
</pre>

Zertifikate generieren: s. https://wiki.nomorebluescreen.de/index.php?title=Webserver_mit_Apache#Alternative_letsencrypt

'''Spoiler:''' 
Jedes Mal, wenn das Zertifikat ausgetauscht wird, muss der dovecot-Service neu gestartet werden, damit das neue Zertifikat auch eingelesen wird.

'''Überprüfen, welche Dateien angefasst wurden:'''
<pre>
diff -quw conf.d.orig conf.d
Files conf.d.orig/10-ssl.conf and conf.d/10-ssl.conf differ
Files conf.d.orig/15-lda.conf and conf.d/15-lda.conf differ
Files conf.d.orig/20-imap.conf and conf.d/20-imap.conf differ
Files conf.d.orig/20-managesieve.conf and conf.d/20-managesieve.conf differ
Files conf.d.orig/90-sieve.conf and conf.d/90-sieve.conf differ
Files conf.d.orig/auth-passwdfile.conf.ext and conf.d/auth-passwdfile.conf.ext differ
</pre>

'''Ausgabe der gesamten Config'''

# doveconf -n

https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html

==== Sieve ====
Engine zum Filtern von Emails

dovecot-sieve und dovecot-managesieved installieren

'''15-lda.conf:'''
<pre>
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins sieve
}
</pre>

'''20-managesieve.conf:'''
<pre>
protocols = $protocols sieve
</pre>

'''90-sieve.conf:'''
<pre>
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global_dir = /var/lib/dovecot/sieve
}
</pre>
Kontrolle, ob der sieve-Service läuft und auf Port 4190 lauscht.
<pre>
# service dovecot restart
# ss -plnt | grep 4190
</pre>

Nun sollte im Mailhome des Users ein Verzeichnis namens "sieve" sichtbar sein.

=== Transport von Postfix zu Dovecot ===

Dem Postfix muss noch beigebracht werden, dass die Emails zum Dovecot gehen. 
'''master.cf''' im Postfix anpassen (die Einträge in den {} gehören so, nicht ersetzen!):
<pre>
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail
argv=/usr/lib/dovecot/deliver -a ${recipient} -f ${sender} -d $
{user} @${nexthop} -m ${extension}
</pre>
und einen mailbox_command Eintrag in der main.cf vornehmen:
<pre>
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
</pre>
(https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_postfix/#howto-dovecot-lda-postfix)

Danach noch postfix und dovecot service restarten.

== Logging ==

Logfiles gehen ebenfalls (wie postfix) nach /var/log/mail.log 
Nützlicher Alias:
<pre>
maillog='tail -f /var/log/maillog'
</pre>

Debugging einschalten:
mail_debug = yes
in der Datei
''10-logging.conf''.

'''Protipp:'''
Wenn im Log folgender Fehler erscheint:

Mar 27 08:03:56 aphantopus postfix/pipe[2317]: 521066005D: to=<sunflower@example.de>, relay=dovecot, delay=0.3, delays=0.19/0.04/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service (lda(sunflower@example.de,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied))

=> In der ''10-master.conf'' '''stats''' für User vmail erlauben (s.o.)

= Roundcube =

Praktisches Webfrontend zum Abholen und Verschicken von Emails

Erst mysql-server installieren, sonst bricht die Installation mit einem Fehler ab
# apt install mariadb-server roundcube
Die dbconfig-common Frage mit „yes“ beantworten, mysql-Passwort setzen.
Config Datei anpassen (''/etc/roundcube/config.inc.php''):
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

== Plugins ==

Standard-Plugings installieren
# apt install roundcube-plugins

Weitere Plugins installieren:
# apt install roundcube-plugins-extra git curl composer
(composer braucht man für die Installation von Plugins, git, weil die meisten aus github kommen) 
Die, die man haben will, in der Datei ''/etc/roundcube/config.inc.php'' enablen

$config['plugins'] = array(
 'compose-addressbook',
'markasjunk2',
 'fail2ban'
);

Übersicht über die offiziellen Plugins:

https://plugins.roundcube.net/

Plugins, die es nicht als Paket gibt: 
Schritte: 
* README lesen
* Plugin als zip herunterladen, nach ''/usr/share/roundcube/plugins'' entpacken
* (evtl. umbenennen)
* ''/etc/roundcube/config.inc.php'' bearbeiten:
Abschnitt
$config['plugins'] = array(
suchen und fehlendes Plugin ergänzen

== Filter Plugin for Sieve ==

Achtung, nicht das Plugin „filter“ verwenden, sondern '''managesieve''' (ist Bestandteil des roundcube-plugins Paketes)

Eine Anleitung gibt es hier: 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-code-in-roundcube/
 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-in-roundcube/


Anmerkung: Den protocols Parameter nicht in der dovecot.conf editieren, sondern in
''20-managesieve.conf'' (s.o.):

protocols = $protocols sieve

Nun kann man über das Webfrontend Sieve-Filterregeln generieren

Achtung Bug: 
Sieve legt ein sieve-Verzeichnis unter dem Verzeichnis an, das in mail_location definiert ist. Wenn man die emails der User unter ''/var/mail/<domain>/<username>'' ablegen möchte, wird man folgendes konfigurieren:

mail_location = maildir:/var/mail/%d/%n

Da dovecot aber %d nicht interpretiert (s.o.), liegt das User maildirectory unter /var/mail/<username>. Sieve interpretiert dagegen %n nicht und legt ein Directory /var/mail/<domain>/%n/sieve an, unter der die roundcube.sieve Datei liegt. Somit greifen alle User auf dieselbe Datei zu, was technisch möglich, securitytechnisch aber fatal ist. Leider keine gute Idee zur Abhilfe bekannt.

== Passwort ändern ==
Um den Usern die Möglichkeit zu geben, ihr Passwort selbst zu ändern, wird in der ''config.inc.php'' das Plugin enabled:

<pre>
$config['plugins'] = array(
(...)
'password'
);
</pre>

Weitere Einstellungen, wenn die User in einem Passwortfile gepflegt werden wie im Kapitel '''Dovecot''' beschrieben: 
(wir gehen davon aus, dass die Userpasswörter mit sha512 verschlüsselt werden, s.o.)

# https://stackoverflow.com/questions/62655236/how-to-enable-password-plugin-on-roundcube
$config['password_algorithm'] = 'ssha512';
$config['password_algorithm_prefix'] = '{SSHA512}';
$config['password_driver'] = 'dovecot_passwdfile';
$config['password_dovecot_passwdfile_path'] = '/etc/dovecot/users';

Die users Datei vom dovecot muss dann entsprechend für www-data les- und schreibbar sein:
-rw-rw---- 1 dovecot www-data 1240 Dec 2 23:20 /etc/dovecot/users

(Achtung, riskant bei eventueller Kompromittierung des Webservers! Als Alternative überlegen, die dovecot-Passwörter in eine [mysql-]DB auszulagern)

== Identities ändern ==

Normalerweise kann ein User nur mit seiner Absenderadresse senden. Das ist eine sinnvolle Einstellung, aber wer das Feature zu Testzwecken abschalten will, kann folgende Einstellung vornehmen:
$config['identities_level'] = 0;
Nun kann der User über "Einstellungen" weitere Absender hinzufügen (https://www.servercake.blog/multiple-identities-roundcube/)

(Leider bisher keine Möglichkeit gefunden, dies nur auf (einen) bestimmte(n) User einzuschränken)

== Apache Integration ==

Hier eine Beispielkonfiguration für einen Virtual Host, um die Roundcube-Seite unter https://mail.example.de zu erreichen.
Weiteres im Kapitel [[Webserver mit Apache|apache]]
<pre>
<VirtualHost *:443>
ServerName mail.example.de
ServerAdmin postmaster@example.de

SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.example.de/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.example.de/privkey.pem

DocumentRoot /usr/share/roundcube

# Includes
Include /etc/apache2/conf-available/ssl-encryption.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog /var/log/apache2/mail-ssl.log combined
ErrorLog /var/log/apache2/mail-ssl-error.log
</VirtualHost>
</pre>

Das roundcube-Paket bringt zudem noch eine roundcube.conf mit, die unter /etc/apache2/conf-available/roundcube.conf installiert und aktiviert wird.

=== PHP ===
Damit der Roundcube überhaupt läuft, muss das php Plugin installiert und aktiviert sein. Passiert unter Debian mittels:
# apt install libapache2-mod-php

Etwas performanter ist die Verwendung von '''php-fpm''' (https://www.zend.com/blog/apache-phpfpm-modphp).
# apt install php-fpm

Der default Upload bei PHP sind dürftige 2 MB. Um diesen z.B. auf 50MB raufzudrehen, muss folgende Datei angefasst werden:
<pre>VERSION=$(php -v| head -n 1 | awk '{ print $2 }' | sed -e 's|.[[:digit:]]*$||')</pre>
* modphp:
/etc/php/${VERSION}/apache2/php.ini
upload_max_filesize = 50M
* php-fpm:
/etc/php/${VERSION}/fpm/php.ini
upload_max_filesize = 50M

= Integration in einen MUA =
Wer nicht über den (langsamen) Webmailer gehen will, kann natürlich auch einen MUA seiner Wahl verwenden. Hier ein Beispiel.

== Thunderbird==

Einstellungen für Outgoing Server (SMTP)
<pre>
Servername: FQDN des Email-Servers
Port: 25
Connection Security: STARTTLS
Authentication Method: Normal Password
Username: Name des Mailbox-Users
</pre>

Beim 1. Mal wird man nach seinem Mailbox-Passwort gefragt. Dieses eingeben und speichern.

Server Settings (IMAP)
<pre>
Server Type: IMAP Mail Server
Server Name: FQDN des Email-Servers
Port: 993
Username: Name des Mailbox-Users
Connection Security: SSL/TLS
Authentication Method: Normal Password
(Die restlichen Defaults so belassen oder bei Bedarf anpassen)
</pre>

[[File:Screenshot thunderbird1.png|900px]]
[[File:Screenshot thunderbird2.png|900px]]

Emailserver mit Postfix und Dovecot

2026-03-18T22:46:52Z

Sunflower: /* Sieve */

= Postfix =

Postfix ist ein MTA (Mail Transfer Agent), der eine gute Alternative zu anderen gängigen MTAs (Sendmail, Exim) darstellt, da seine Konfiguration gut lesbar ist.
In unserem Beispiel soll der MTA mit einem IMAPd (Dovecot) verknüpft werden, so dass Benutzer eine Mailbox direkt auf dem System haben. Das Abholen der Mails erfolgt per IMAPs.

== Installation ==

Zunächst muss das Paket „postfix“ installiert werden.
Dabei sind noch ein paar Fragen zu beantworten: 
* '''Art des Servers: '''Internet Site 
* '''Root and postmaster mail recipient:''' ein Postfach eintragen, z.B.postmaster@example.de 
* '''Other destinations to accept mail for (blank for none):''' z.B. mail.example.de, localhost, $mydomain (kann man erstmal die defaults belassen)
* '''Force synchronous updates on mail queue:''' no'''
* '''Local subnets:''' 127.0.0.1/8, 192.168.63.0/24 (hier das eigene Netz ergänzen)
* '''Mailbox size limit:''' 0 (unbegrenzt)
* '''Local address extension character:''' + (i.a. als default ausreichend)
* '''Internet protocols to use:''' all (wenn man nicht explizit ipv4 oder ipv6 sprechen will)

Diese Einstellungen lassen sich jederzeit mit
<console>
# dpkg-reconfigure postfix</console>
ändern.

Alle relevanten Dateien befinden sich im Verzeichnis ''/etc/postfix''.

== Konfiguration ==

Bevor wir zur Postfixconfig kommen, überprüfen wir den Inhalt der Datei /etc/mailname:
<pre>
$ cat /etc/mailname
</pre>
Dort darf '''nur der Domainname''' stehen, nicht der Hostname (e.g. example.com). Andernfalls kann das Auswirkungen auf den Emailversand haben, v.a. wenn in der main.cf (s.u.) auf die Datei referenziert wird.

Die wichtigeste Datei zum Anpassen ist zunächst die '''main.cf'''. Hier ein Beispiel für den Server „mx“ in der Domain example.de. Folgende Parameter sollten konfiguriert sein (exemplarisch):
<pre>
myhostname
mydomain
myorigin
mydestination
</pre>

Meistens gibt es schon ein paar brauchbare defaults. Der Parameter ''mynetworks'' erlaubt es bestimmten Netzen, Emails ohne weitere Einschränkungen einzuliefern.

Beispielconfig:

<pre>
myhostname = mx01.example.de
mydomain = example.de
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.99.0/24 [2001:780:11b::/48] 214.94.24.154 [2004:780:8:0:5ff0:c5ff:fe09:98f9]
</pre>

Vor allem der Parameter '''mynetworks''' sollte mit Bedacht gewählt werden, denn dies sind alle Hosts und Netze, von denen jegliche Emails angenommen werden (auch von ''und'' nach Fremddomains). Fehlkonfigurationen führen hier schnell zum [https://practical365.com/what-is-an-open-relay OpenRelay].

'''Beachte:''' ipv6-Adressen müssen in [eckigen Klammern] geschrieben werden, sonst werden keine Emails ausgeliefert!
Fehler im Logfile:
<pre>
postfix/smtpd[21928]: warning: smtpd_client_event_limit_exceptions: 2a01:40f8:c013:5050::0/64: table lookup problem
</pre>

Nach jeder Änderung ist der Dienst zu reloaden mit dem Befehl
<console>
# postfix reload
</console>

Ob der Restart ordentlich funktioniert hat, kann man z.B. anhand des Logs überprüfen:
<console>
# tail /var/log/mail.log
</console>

=== master.cf ===
Das Kernstück des Postfixdaemons. Hier werden die Transports festgelegt
Bedeutung der Spalten:
* service-Feld: Name des Dienstes (smtp, local, procmail, ...) (str)
* typ-Feld: Verbindungstyp (inet, fifo, unix) (str)
* Zugriffsrecht: Zugriff auch für externe Programme (default: y) (bool)
* unpriv-Feld: Start als unprivilegierter Benutzer (default: y) oder root (n) (bool)
* chroot: Soll der Dienst in einer chroot-Umgebung gestartet werden (default: y) (bool)
* wakeup-Feld: Sekunden zwischen 2 Aufrufen (default: 0) (int)
* Prozessmaximum: Wie viele Prozesse maximal gleichzeitig (default: 50) (int)
Danach erfolgt ein Kommando mit Flags und Parametern (optional).

== TLS ==
Optional kann man mit Zertifikaten verschlüsselte Übertragung von Emails konfigurieren. das funktioniert aber nur dann, wenn der Mailserver der Gegenstelle das Zertifikat auch einbindet. Man kann das Zertifikat auch in einen Mailclient einbinden (s. später).
Die Zertifikatserzeugung kann mit mit [https://letsencrypt.org letsencrypt] erfolgen. Clients zur Zertifikatserzeugung sind [[Webserver_mit_Apache#Alternative_letsencrypt | certbot ]] oder [[Webserver_mit_Apache#Dehydrated | dehydrated]].

=== Zertifikatsgenerierung in Kürze ===
# echo $HOSTNAME > /etc/dehydrated/domains.txt
# dehydrated –register –accept-terms
# dehydrated -c

Dies setzt allerdings einen [[Webserver_mit_Apache | Webserver]] voraus, der auf Port 80 lauscht. Gibt es diesen nicht, kann mal alternativ letsencrypt via DNS verwenden (https://letsencrypt.org/docs/challenge-types).

=== Alternative eigene CA (nicht empfohlen) ===

Wer unbedingt eine eigene CA betreiben will, kann das mit folgender Anleitung tun. Achtung: Das Vorgehen sollte nur gewählt werden, wenn ein zwingender Grund dafür besteht. Viele Browser und MUAs haben Probleme damit, erzeugen hässliche Warnings oder lassen die Seite nicht zu.

==== CA erstellen ====
Wenn noch kein Zertifikat vorhanden ist, kann man sich selbst eines erstellen oder einen CSR (Certificate Signing Request) erstellen und diesen an eine offizielle CA schicken. Soll ein kommerziell genutzter Mailserver entstehen, ist dies der realistische Weg.

Achtung: Dieser Schritt wird nicht gebraucht, wenn es schon eine CA gibt.

Schritte: 
Key erstellen (+Passwort dafür vergeben), Zertifkatsrequest für die CA erstellen, CA erstellen

$ openssl genrsa -out ca.key -des3 4096

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuernberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.de
Organizational Unit Name (eg, section) []:Hostmaster
Common Name (e.g. server FQDN or YOUR name) []:*.example.de
Email Address []:postmaster@example.de

==== Zertifikat mit der neuen CA erstellen ====
Schritte:
• Key erstellen
• Request erstellen
• Zertifikat erstellen und signen

$ openssl genrsa -out mx.example.de.key 4096
(kein Passwort festlegen)

$ openssl req -new -key mx.example.de.key -out mx.example.de.csr
(wieder das Formular ausfüllen as usual)

$ openssl x509 -req -days 365 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mx.example.de.crt

Beim Erneuern des Zertifikats fallen die Schritte „Erstellen der CA“ und Erzeugen des Keys weg. Ferner muss man auch keine Serial mehr angeben.
Der Renew-Befehl lautet also folgendermaßen:
$ openssl x509 -req -days 730 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -out mx.example.de.crt

=== Einbinden in die Config-Datei ===
Dieser Schritt gilt wieder für alle Zertifikate, egal wie sie erzeugt wurden. Die Pfade müssen natürlich entsprechend angepasst werden,

Zertifikate an die entsprechende Stelle kopieren und in der Konfig einbinden:

smtpd_tls_cert_file=/etc/ssl/certs/mx.example.de.crt
smtpd_tls_key_file=/etc/ssl/private/mx.example.de.key
smtpd_tls_CAfile=/etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:
${data_directory}/smtpd_cache
smtp_tls_session_cache_database = btree:
${data_directory}/smtp_scache

Der Parameter smtpd_tls_Cafile entfällt, wenn eine offizielle CA vorhanden ist (z.B. letsencrypt). 
Die Pfade zu den Zertifikaten können abweichen, bei letsencrypt liegen diese z.B. unter ''/var/lib/dehydrated/certs/''.
Überprüfung:
$ openssl s_client -connect mx.example.de:25 -starttls smtp
oder https://www.checktls.com/

Ergänzung:
Manche MTAs wollen ein Zertifikat in pfx-Form. Dieses kann man aus dem cert file wie folgt erzeugen:
$ openssl pkcs12 -export -out mx.example.de.pfx -inkey mx.example.de.key -in mx.example.de.crt
pfx-File und Passwort dem User zukommen lassen.

'''Spoiler:''' 
[[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]] „vergisst“ manchmal das neue Zertifikat und behält die alte Version, d.h. die meisten Mailclients spoolen dann keine neuen Emails mehr. In diesem Fall den Dovecot Service neu starten.

== SASL ==

Zur Vermeidung eines Open Relays ist dringend anzuraten, per default nur das Einliefern mit dem Absender @example.de von bestimmten Netzen zu erlauben. Dieses passiert mit dem Parameter ''mynetworks'' (s.o.).
Nun kann es natürlich passieren, dass Benutzer von einem Mailclient irgendwo im Internet Mails verschicken wollen. Diese wären laut Konfig nicht berechtigt. Da die meisten PCs mit dynamischen Adressen im Internet unterwegs sind, macht es hier auch keinen Sinn, die jeweilige IP-Adresse in der Konfig zu ergänzen. 
Das Problem kann umgangen werden, indem Emails versenden dann erlaubt wird, wenn sich der Benutzer einmal erfolgreich am IMAP-Server authentifiziert hat.
Hierfür gibt es SASL. Die entsprechenden Eintragungen in der main.cf sind:
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

Im Mailclient äußert sich das Verhalten so, dass man beim ersten Senden einer Nachricht sein Mailbox-Passwort angeben muss.
Bevor dieses Feature aktiviert wird, muss es einen IMAP-Server geben (s. [[#Dovecot|nächstes Kapitel]] ).

== Maps ==

Um besser unterscheiden zu können, was mit welchen Absender-/Zieladressen passiert, wird die Konfiguration in sogenannte „Maps“ aufgeteilt. Diese können als Klartext-File oder als Berkley DB vorliegen. In letzterem Fall müssen diese mit dem Kommando '''postmap''' nach jeder Bearbeitung umgewandelt werden. 
Ausnahme: Die Datei /etc/aliases.db (nur relevant für lokale Emailauslieferung) wird mit dem Kommando '''postalias''' oder '''newaliases''' generiert.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Hier werden aliase eingerichtet, die auf eine andere Mailbox mappen. Beispiel:
postmaster: root

=== Access ===
smtpd_sender_restrictions = hash:/etc/postfix/access
Hier können für Aktionen für spezielle Absenderadressen eingerichtet werden. Beispiel:
example.com DISCARD

=== Relocated ===
relocated_maps = hash:/etc/postfix/relocated

Abweisen der Mail mit einem Hinweis. Beispiel:
testy.test "Mails bitte statt an diese Adresse an ich@hier.de senden"

Ergebnis:
<testy.test@example.de>: Recipient address rejected: User has
moved to "Mails bitte statt an diese Adresse an ich@hier.de
senden"

=== Canonical ===
==== Sender ====
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Bestimmte Adressen werden auf ein übliches Standardformat umgeschrieben:

sunflower@example.de petra.sonne@example.de
phun@work.de peter.hun@example.de

==== Recipient ====
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Arbeitet genauso wie sender_canonical, nur für Empfängeradressen.

=== Virtual Mailbox ===
virtual_mailbox_maps = hash:/etc/postfix/virtual
Locations der Mailboxen des imap-Servers (näheres unter [[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]])

sunflower@example.de example.de/sunflower/
testy@example.de example.de/testy
test@example.de example.de/test
lmaa@ihr-koennt-mich-alle.de ihr-koennt-mich-alle.de/lmaa

=== Virtual Aliases ===
virtual_alias_maps = hash:/etc/postfix/virtual_maps

Adressen die auf andere Adressen umgebogen werden (ähnlich wie die aliases), kann auch domainübergreifend passieren.
So können mehrere Empfängeradressen in dieselbe Mailbox laufen.

anrufbeantworter@example.de sunflower@example.de,H.Hirsch@gmx.de,harry1999@yahoo.de
info@example.de sunflower@example.de
postmaster root
webmaster root
administrator root
root sunflower
fortune: fortune
Letzteres ist eine Pipe. Dazu später mehr.

Umwandeln von Text in DB-File und in Postfix einlesen:
postmap <aliases|access|canonical|...>
postfix reload

=== Einfaches Beispiel: Emails von einer Domain auf eine andere weiterleiten ===
Nehmen wir an, wir haben einen Emailserver1 in der Domain example.com. Dieser soll alle Email die an <userXY>@example.com eintreffen, an <userXY>@example.de weiterleiten. Auch hier ist eine Eintrag in der o.g. ''virtual_maps'' Datei nötig:
@example.com @example.de
Nun werden alle example.com-Emails zum zuständigen Emailserver für example.de weitergeleitet. Der user part bleibt unverändert.

=== Transports ===
Transports sind die Art und Weise, wie eine eingehende Mail behandelt wird, z.B. lokal in eine Datei speichern, an einen imap-Server weiterreichen oder ein Script ausführen.

Hier ein Beispiel: 
Wenn auf eine bestimmte Adresse geschickt wird, soll ein Script ausgeführt werden, das dem Absender einen Zufallsspruch zurücksendet '''und''' die Mail gleichzeitig in ein Postfach einliefert.
Schritte:

1. Alias definieren (virtual_maps):

fortune@example.de fortune

2. Alias auf einen Transport mappen (transports):

fortune@example.de randomphrase:

3. Transport definieren (master.cf):

<pre>
randomphrase unix - n n - - pipe
flags=h user=vmail:vmail argv=/usr/local/bin/randomphrase.pl ${sender}
</pre>

(Den User vmail muss es natürlich in der passwd geben, z.B. so:
vmail:x:4000:4000::/home/vmail:/user/sbin/nologin
)

4. Script hinterlegen:
/usr/local/bin/randomphrase.pl
für alle ausführbar machen

Mit dem Script [[ randomphrase.pl ]] wird ein Zufallsspruch erzeugt. Dafür muss das Paket ''fortune-mod'' installiert sein.
Zum Weiterschicken der Email wird das Script /usr/local/bin/deliver_mail.sh aufgerufen. ([[File:Deliver_mail.sh]])
 Hierfür muss der User vmail in der Datei ''/etc/sudoers.d/vmail'' berechtigt werden:
vmail ALL=(root) NOPASSWD: /usr/local/bin/deliver_mail

Eine Email an die Adresse fortune@example.de erzeugt nun eine Antwort an die Absenderadresse mit einem Zufallsspruch.

== Multidomain ==

Natürlich kann Postfix auch Emails für mehrere Domains annehmen. Dafür gibt es den Parameter „virtual_mailbox_domains“:

virtual_mailbox_domains = example.de example.com ihr-koennt-mich-alle.de
Die Variable $mydomain sollte dann aus mydestination entfernt werden.

== Special DNS Records ==
=== SPF (Sender Policy Framework) ===
Mit einem RR-Type TXT kann man eine Liste von Emailservern definieren, die als Absender die Emaildomain verwenden dürfen. Generiert jemand eine Fakeemail von einem anderen System aus, kann diese abgewiesen werden.

Beispiel für einen DNS TXT Record:
IN TXT "v=spf1 mx:example.de a:foo.example.de ip4:8.15.47.11/32 ip6:2008:15:5:47::11/48 ip6:2008:15:5:47::12/48 -all"

Howto: 
https://dmarcian.com/create-spf-record/ 
http://www.open-spf.org/SPF_Record_Syntax/

SPF in Postfix integrieren:

Nun ist die Domain vor Missbrauch vor Fakeeemails geschützt. Jetzt gibt es aber noch die andere Seite zu beachten. Postfix soll ebenfalls die SPF-Records anderer Emaildomains prüfen und die Email ggf ablehnen.
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Hier in Kürze zusammengefasst, was es zu beachten gibt:
# apt install postfix-policyd-spf-python
Die Config-Datei ''/etc/postfix-policyd-spf-python/policyd-spf.conf'' liefert bereits brauchbare Defaults, optional kann man noch eine Whitelist ergänzen z.B.

Domain_Whitelist = example.com
In der master.cf ergänzen:
<pre>
policyd-spf unix - n n - - spawn
user=policyd-spf argv=/usr/bin/policyd-spf
</pre>

In der main.cf ergänzen:
smtpd_recipient_restrictions =
(...)
check_policy_service unix:private/policyd-spf
(…)
'''Achtung:''' Wenn es schon einen check_policy_service Eintrag gibt, '''keinesfalls''' einen weiteren Eintrag anhängen, sondern eine neue Zeile aufmachen!
policy-spf_time_limit = 3600s

# postfix reload

Ein paar Testemails einkippen und mail.log gucken.

=== DMARC (Domain based Message Authentication, Reporting and Conformance) ===
https://dmarcian.com/dmarc-record/

Beispiel für einen DNS TXT Record:
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:postmaster@example.de"

In dem Fall werden verdächtige Emails in einen Quarantäne-Ordner verschoben und ein Report an den postmaster versandt.
Für die Integration in Postfix gibt es das Paket opendmarc.
Implementierung von SPF, DKIM und DMARC in Postfix:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
(untested)

== Nützliche Commands ==
Erzeugen eines database files aus einer Textdatei:
postmap <filename>
Alle Configparameter anzeigen:
postconf
Konfigprüfung:
postfix check
Mailqueue anschauen:
mailq
Alle Messages in der Queue ausliefern:
postqueue -f
Nur eine bestimmte Message ausliefern:
postqueue -i <ID>
Message löschen:
postsuper -d <ID>
Alle Messages löschen (!):
postsuper -d ALL
Inhalt einer Message anschauen:
postcat -vq <ID>

== Logfile ==

Geloggt wird nach ''/var/log/mail.log'' (alles) bzw. Errors nach ''/var/log/mail.err'' und Warnings nach ''/var/log/mail.warn''.
 Protipp: Alias anlegen:
maillog='tail -f /var/log/mail.log'

== Greylisting und Antispam ==

Zur Bekämpfung der Spamflut gibt es das praktische Programm '''„Postgrey“'''. Unter Debian kann dieses als Paket installiert werden. Dieses wird in die main.cf im Abschnitt smtpd_recipient_restrictions eingebunden.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
'''reject_non_fqdn_sender'''
'''reject_non_fqdn_recipient'''
'''reject_rbl_client bl.spamcop.net'''
'''check_policy_service inet:127.0.0.1:10023'''

(Die Blacklist ''dnsbl.sorbs.net'' wurde hier außen vor gelassen, da diese so ziemlich alles blockt, z.B. alle yahoo- oder gmx-Adressen.)
Damit das funktioniert, muss natürlich noch Postgrey selbst an den Start gebracht werden.
Hierfür wird die Datei ''/etc/default/postgrey'' bearbeitet. Hier ein Beispiel:
POSTGREY_OPTS="--inet=10023 --auto-whitelist-clients=8
POSTGREY_TEXT="Busy. Come back in 5 minutes."

Der Service lauscht also auf Port 10023. Im obigen Beispiel wird ein Absender beim 8. erfolgreichen Zustellversuch automatisch gewhitelistet (optionaler Parameter ''--auto-whitelist-clients'', evtl. Zahl erhöhen oder Parameter ganz weglassen).

Anschließend wechselt man ins Verzeichnis ''/etc/postgrey''. Dort gibt es 2 Whitelistings. Die Absender stehen in '''whitelist_clients'''. Dort stehen bereits IPs und Domains diverser Provider. Man kann dort selbst Einträge hinzufügen (z.B. example.ch).

In der Datei '''whitelist_recipients''' kann man alle Empfänger der eigenen Domain eintragen, die auf jeden Fall immer Emails bekommen sollen. z.B. postmaster@, abuse@. 
Beachte: '''Die Dateien müssen explizit eingesourcet werden''', passiert nicht automatisch. Das macht man mit den POSTGREY_OPTS:
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients"

Nach getaner Anpassung, den postgrey-Service (neu)starten.
# service postgrey restart
Überprüfen, ob der Dienst läuft z.B. mit:
# lsof -i :10023
Anschließend Postfix reloaden
# postfix reload
und die Mailbox(en) beobachten, hinsichtlich Spamaufkommen.

''(Quelle: Artikel „Postzusteller“, Admin-Magazin, Ausgabe 03-2013)''

= Dovecot =

Open Source IMAP-Server zum Einliefern der Emails in Postfächer mittels POP3 oder IMAP bzw. IMAPs. Im folgenden wird nur auf IMAPs eingegangen.

== Installation ==

Es empfiehlt sich, den Dovecot auf demselben System zu installieren wie Postfix. Andere Fälle werden hier nicht berücksichtigt.

Installation des imapd mittels
# apt install dovecot-imapd

Dies reicht für alle Grundfunktionen der Emailauslieferung. Für erweiterte Optionen wie z.B. Filterfunktion können weiter dovecot-Pakete wie '''dovecot-antispam, dovecot-sieve''' installiert werden.

User (i.d.F. ''vmail'') als Owner für die Mailboxen anlegen:

useradd -u 4000 -m -d /home/vmail -s /user/sbin/nologin vmail

== Konfiguration ==

Configdateien in ''/etc/dovecot/conf.d'' anpassen.
Die Datei ''/etc/dovecot/dovecot.conf'' inkludiert per Default alle Dateien unter conf.d/*.conf.

=== Usermanagement ===

Hier ein Beispiel, wo User in einer separaten Datei abgelegt werden.

''10-auth.conf:''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login
!include auth-master.conf.ext
</pre>
Wenn kein auth über pam:
#!include auth-system.conf.ext

Plaintext Auth kann man erlauben, weil die User-Passwörter als gehashter String übertragen werden. Für die Kommunikation zwischen Postfix und Dovecot spielt das ohnehin keine Rolle, da sich beide Dienste auf einem Server befinden. Der Zugriff von einem MUA aus wird über TLS/SSL erfolgen (s.u.).

master user anlegen (optional):
<pre>
doveadm pw -p supergeheim -s SHA512-CRYPT -u administrator@example.de
</pre>
Den Output zusammen mit dem Usernamen in die Datei master-users pasten.
<pre>
cat ../master-users
administrator@example.de:{SHA256-CRYPT}$5$9zrt7/e2CDkPmSuA$SNEkm/L4XZcYFAbYkJp5ESl9u35fVBSd4ukO0dm5yp3
</pre>

Sonstige User anlegen:
<pre>
doveadm pw -p strenggeheim -s SHA512-CRYPT -u sunflower@example.de
</pre>
→ /etc/dovecot/users:
<pre>
sunflower:{SHA256-CRYPT}$5$D3PhhtqUhRXT7cmZ$E5244BpvNafb.9FtbhF9AUfbvw8XpnOJhPyM/q/rRN2:::Sun Flo,,,:/var/mail/example.de/sunflower:/bin/false
</pre>
Hier sollten keine Abkürzungen wie ''%d'' oder ''%n'' stehen, weil diese nicht (von sieve, s.u.) bzw. nur teilweise (von dovecot) interpretiert werden.

Damit der Account auch Email bekomemn kann, ergänzt man die virtual table im Postfix directory:
cat sunflower@example.de example.de/spambucket >> /etc/postfix/virtual
Aktivieren mit
postmap virtual
postfix reload

=== Dateirechte ===

Die Files master-users, users sollten nur von dovecot gelesen werden können!
<pre>
# chgrp dovecot /etc/dovecot/*users
# chmod o-r /etc/dovecot/*users
</pre>
Mailbox anlegen und User berechtigen:
<pre>
# maildirmake.dovecot /var/mail/<domain>/<username>
# chown -R vmail.vmail /var/mail/<domain>/<username>
</pre>

User im Postfix anlegen, in den virtual maps, s. o.

Kontrolle:
<pre>
# doveadm user <username>
</pre>

=== IMAP konfigurieren ===
Protipp: erstmal conf.d wegsichern:
<pre>
rsync -av /etc/doveconf/conf.d /etc/doveconf/conf.d.orig
</pre>
Folgende Konfigurationsdateien in conf.d entsprechend anpassen:
* '''10-auth.conf'''
<pre>
auth_allow_cleartext = yes
auth_username_format = %{user|username|lower}
auth_master_user_separator = *
auth_mechanisms = plain login

!include auth-master.conf.ext
!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
</pre>
* '''10-mail.conf'''
<pre>
# den parameter mail_location gibt es nicht mehr
mail_driver = maildir
mail_home = /var/mail/%{user | domain}/%{user}
mail_path = %{home}
namespace inbox {
inbox = yes
}
mail_uid = 4000
mail_gid = 4000
mail_privileged_group = mail
protocol !indexer-worker {
}
</pre>
* '''10-master.conf'''
<pre>
service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
}
}
service auth {
unix_listener auth-userdb {
 user = vmail
 group = vmail
}
unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
}
}
service stats {
unix_listener stats-reader {
 user = vmail
 group = vmail
 mode = 0660
 }

unix_listener stats-writer {
 user = vmail
 group = vmail
 mode = 0660
 }
}
</pre>
* '''10-ssl.conf'''
<pre>
# (z.B. Postfix certs verwenden)
ssl = yes
ssl_server_cert_file = /etc/dovecot/private/dovecot.pem
ssl_server_key_file = /etc/dovecot/private/dovecot.key
ssl_min_protocol = TLSv1.2

#ssl_client_ca_dir = /etc/ssl/certs
#ssl_dh = </usr/share/dovecot/dh.pem
</pre>

Zertifikate generieren: s. https://wiki.nomorebluescreen.de/index.php?title=Webserver_mit_Apache#Alternative_letsencrypt

'''Spoiler:''' 
Jedes Mal, wenn das Zertifikat ausgetauscht wird, muss der dovecot-Service neu gestartet werden, damit das neue Zertifikat auch eingelesen wird.

'''Überprüfen, welche Dateien angefasst wurden:'''
<pre>
diff -quw conf.d.orig conf.d
Files conf.d.orig/10-ssl.conf and conf.d/10-ssl.conf differ
Files conf.d.orig/15-lda.conf and conf.d/15-lda.conf differ
Files conf.d.orig/20-imap.conf and conf.d/20-imap.conf differ
Files conf.d.orig/20-managesieve.conf and conf.d/20-managesieve.conf differ
Files conf.d.orig/90-sieve.conf and conf.d/90-sieve.conf differ
Files conf.d.orig/auth-passwdfile.conf.ext and conf.d/auth-passwdfile.conf.ext differ
</pre>

'''Ausgabe der gesamten Config'''

# doveconf -n

==== Sieve ====
Engine zum Filtern von Emails

dovecot-sieve und dovecot-managesieved installieren

'''15-lda.conf:'''
<pre>
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins sieve
}
</pre>

'''20-managesieve.conf:'''
<pre>
protocols = $protocols sieve
</pre>

'''90-sieve.conf:'''
<pre>
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global_dir = /var/lib/dovecot/sieve
}
</pre>
Kontrolle, ob der sieve-Service läuft und auf Port 4190 lauscht.
<pre>
# service dovecot restart
# ss -plnt | grep 4190
</pre>

Nun sollte im Mailhome des Users ein Verzeichnis namens "sieve" sichtbar sein.

=== Transport von Postfix zu Dovecot ===

Dem Postfix muss noch beigebracht werden, dass die Emails zum Dovecot gehen. 
'''master.cf''' im Postfix anpassen (die Einträge in den {} gehören so, nicht ersetzen!):
<pre>
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail
argv=/usr/lib/dovecot/deliver -a ${recipient} -f ${sender} -d $
{user} @${nexthop} -m ${extension}
</pre>
und einen mailbox_command Eintrag in der main.cf vornehmen:
<pre>
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
</pre>
(https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_postfix/#howto-dovecot-lda-postfix)

Danach noch postfix und dovecot service restarten.

== Logging ==

Logfiles gehen ebenfalls (wie postfix) nach /var/log/mail.log 
Nützlicher Alias:
<pre>
maillog='tail -f /var/log/maillog'
</pre>

Debugging einschalten:
mail_debug = yes
in der Datei
''10-logging.conf''.

'''Protipp:'''
Wenn im Log folgender Fehler erscheint:

Mar 27 08:03:56 aphantopus postfix/pipe[2317]: 521066005D: to=<sunflower@example.de>, relay=dovecot, delay=0.3, delays=0.19/0.04/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service (lda(sunflower@example.de,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied))

=> In der ''10-master.conf'' '''stats''' für User vmail erlauben (s.o.)

= Roundcube =

Praktisches Webfrontend zum Abholen und Verschicken von Emails

Erst mysql-server installieren, sonst bricht die Installation mit einem Fehler ab
# apt install mariadb-server roundcube
Die dbconfig-common Frage mit „yes“ beantworten, mysql-Passwort setzen.
Config Datei anpassen (''/etc/roundcube/config.inc.php''):
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

== Plugins ==

Standard-Plugings installieren
# apt install roundcube-plugins

Weitere Plugins installieren:
# apt install roundcube-plugins-extra git curl composer
(composer braucht man für die Installation von Plugins, git, weil die meisten aus github kommen) 
Die, die man haben will, in der Datei ''/etc/roundcube/config.inc.php'' enablen

$config['plugins'] = array(
 'compose-addressbook',
'markasjunk2',
 'fail2ban'
);

Übersicht über die offiziellen Plugins:

https://plugins.roundcube.net/

Plugins, die es nicht als Paket gibt: 
Schritte: 
* README lesen
* Plugin als zip herunterladen, nach ''/usr/share/roundcube/plugins'' entpacken
* (evtl. umbenennen)
* ''/etc/roundcube/config.inc.php'' bearbeiten:
Abschnitt
$config['plugins'] = array(
suchen und fehlendes Plugin ergänzen

== Filter Plugin for Sieve ==

Achtung, nicht das Plugin „filter“ verwenden, sondern '''managesieve''' (ist Bestandteil des roundcube-plugins Paketes)

Eine Anleitung gibt es hier: 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-code-in-roundcube/
 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-in-roundcube/


Anmerkung: Den protocols Parameter nicht in der dovecot.conf editieren, sondern in
''20-managesieve.conf'' (s.o.):

protocols = $protocols sieve

Nun kann man über das Webfrontend Sieve-Filterregeln generieren

Achtung Bug: 
Sieve legt ein sieve-Verzeichnis unter dem Verzeichnis an, das in mail_location definiert ist. Wenn man die emails der User unter ''/var/mail/<domain>/<username>'' ablegen möchte, wird man folgendes konfigurieren:

mail_location = maildir:/var/mail/%d/%n

Da dovecot aber %d nicht interpretiert (s.o.), liegt das User maildirectory unter /var/mail/<username>. Sieve interpretiert dagegen %n nicht und legt ein Directory /var/mail/<domain>/%n/sieve an, unter der die roundcube.sieve Datei liegt. Somit greifen alle User auf dieselbe Datei zu, was technisch möglich, securitytechnisch aber fatal ist. Leider keine gute Idee zur Abhilfe bekannt.

== Passwort ändern ==
Um den Usern die Möglichkeit zu geben, ihr Passwort selbst zu ändern, wird in der ''config.inc.php'' das Plugin enabled:

<pre>
$config['plugins'] = array(
(...)
'password'
);
</pre>

Weitere Einstellungen, wenn die User in einem Passwortfile gepflegt werden wie im Kapitel '''Dovecot''' beschrieben: 
(wir gehen davon aus, dass die Userpasswörter mit sha512 verschlüsselt werden, s.o.)

# https://stackoverflow.com/questions/62655236/how-to-enable-password-plugin-on-roundcube
$config['password_algorithm'] = 'ssha512';
$config['password_algorithm_prefix'] = '{SSHA512}';
$config['password_driver'] = 'dovecot_passwdfile';
$config['password_dovecot_passwdfile_path'] = '/etc/dovecot/users';

Die users Datei vom dovecot muss dann entsprechend für www-data les- und schreibbar sein:
-rw-rw---- 1 dovecot www-data 1240 Dec 2 23:20 /etc/dovecot/users

(Achtung, riskant bei eventueller Kompromittierung des Webservers! Als Alternative überlegen, die dovecot-Passwörter in eine [mysql-]DB auszulagern)

== Identities ändern ==

Normalerweise kann ein User nur mit seiner Absenderadresse senden. Das ist eine sinnvolle Einstellung, aber wer das Feature zu Testzwecken abschalten will, kann folgende Einstellung vornehmen:
$config['identities_level'] = 0;
Nun kann der User über "Einstellungen" weitere Absender hinzufügen (https://www.servercake.blog/multiple-identities-roundcube/)

(Leider bisher keine Möglichkeit gefunden, dies nur auf (einen) bestimmte(n) User einzuschränken)

== Apache Integration ==

Hier eine Beispielkonfiguration für einen Virtual Host, um die Roundcube-Seite unter https://mail.example.de zu erreichen.
Weiteres im Kapitel [[Webserver mit Apache|apache]]
<pre>
<VirtualHost *:443>
ServerName mail.example.de
ServerAdmin postmaster@example.de

SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.example.de/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.example.de/privkey.pem

DocumentRoot /usr/share/roundcube

# Includes
Include /etc/apache2/conf-available/ssl-encryption.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog /var/log/apache2/mail-ssl.log combined
ErrorLog /var/log/apache2/mail-ssl-error.log
</VirtualHost>
</pre>

Das roundcube-Paket bringt zudem noch eine roundcube.conf mit, die unter /etc/apache2/conf-available/roundcube.conf installiert und aktiviert wird.

=== PHP ===
Damit der Roundcube überhaupt läuft, muss das php Plugin installiert und aktiviert sein. Passiert unter Debian mittels:
# apt install libapache2-mod-php

Etwas performanter ist die Verwendung von '''php-fpm''' (https://www.zend.com/blog/apache-phpfpm-modphp).
# apt install php-fpm

Der default Upload bei PHP sind dürftige 2 MB. Um diesen z.B. auf 50MB raufzudrehen, muss folgende Datei angefasst werden:
<pre>VERSION=$(php -v| head -n 1 | awk '{ print $2 }' | sed -e 's|.[[:digit:]]*$||')</pre>
* modphp:
/etc/php/${VERSION}/apache2/php.ini
upload_max_filesize = 50M
* php-fpm:
/etc/php/${VERSION}/fpm/php.ini
upload_max_filesize = 50M

= Integration in einen MUA =
Wer nicht über den (langsamen) Webmailer gehen will, kann natürlich auch einen MUA seiner Wahl verwenden. Hier ein Beispiel.

== Thunderbird==

Einstellungen für Outgoing Server (SMTP)
<pre>
Servername: FQDN des Email-Servers
Port: 25
Connection Security: STARTTLS
Authentication Method: Normal Password
Username: Name des Mailbox-Users
</pre>

Beim 1. Mal wird man nach seinem Mailbox-Passwort gefragt. Dieses eingeben und speichern.

Server Settings (IMAP)
<pre>
Server Type: IMAP Mail Server
Server Name: FQDN des Email-Servers
Port: 993
Username: Name des Mailbox-Users
Connection Security: SSL/TLS
Authentication Method: Normal Password
(Die restlichen Defaults so belassen oder bei Bedarf anpassen)
</pre>

[[File:Screenshot thunderbird1.png|900px]]
[[File:Screenshot thunderbird2.png|900px]]

Emailserver mit Postfix und Dovecot

2026-03-18T22:43:04Z

Sunflower: /* IMAP konfigurieren */

= Postfix =

Postfix ist ein MTA (Mail Transfer Agent), der eine gute Alternative zu anderen gängigen MTAs (Sendmail, Exim) darstellt, da seine Konfiguration gut lesbar ist.
In unserem Beispiel soll der MTA mit einem IMAPd (Dovecot) verknüpft werden, so dass Benutzer eine Mailbox direkt auf dem System haben. Das Abholen der Mails erfolgt per IMAPs.

== Installation ==

Zunächst muss das Paket „postfix“ installiert werden.
Dabei sind noch ein paar Fragen zu beantworten: 
* '''Art des Servers: '''Internet Site 
* '''Root and postmaster mail recipient:''' ein Postfach eintragen, z.B.postmaster@example.de 
* '''Other destinations to accept mail for (blank for none):''' z.B. mail.example.de, localhost, $mydomain (kann man erstmal die defaults belassen)
* '''Force synchronous updates on mail queue:''' no'''
* '''Local subnets:''' 127.0.0.1/8, 192.168.63.0/24 (hier das eigene Netz ergänzen)
* '''Mailbox size limit:''' 0 (unbegrenzt)
* '''Local address extension character:''' + (i.a. als default ausreichend)
* '''Internet protocols to use:''' all (wenn man nicht explizit ipv4 oder ipv6 sprechen will)

Diese Einstellungen lassen sich jederzeit mit
<console>
# dpkg-reconfigure postfix</console>
ändern.

Alle relevanten Dateien befinden sich im Verzeichnis ''/etc/postfix''.

== Konfiguration ==

Bevor wir zur Postfixconfig kommen, überprüfen wir den Inhalt der Datei /etc/mailname:
<pre>
$ cat /etc/mailname
</pre>
Dort darf '''nur der Domainname''' stehen, nicht der Hostname (e.g. example.com). Andernfalls kann das Auswirkungen auf den Emailversand haben, v.a. wenn in der main.cf (s.u.) auf die Datei referenziert wird.

Die wichtigeste Datei zum Anpassen ist zunächst die '''main.cf'''. Hier ein Beispiel für den Server „mx“ in der Domain example.de. Folgende Parameter sollten konfiguriert sein (exemplarisch):
<pre>
myhostname
mydomain
myorigin
mydestination
</pre>

Meistens gibt es schon ein paar brauchbare defaults. Der Parameter ''mynetworks'' erlaubt es bestimmten Netzen, Emails ohne weitere Einschränkungen einzuliefern.

Beispielconfig:

<pre>
myhostname = mx01.example.de
mydomain = example.de
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.99.0/24 [2001:780:11b::/48] 214.94.24.154 [2004:780:8:0:5ff0:c5ff:fe09:98f9]
</pre>

Vor allem der Parameter '''mynetworks''' sollte mit Bedacht gewählt werden, denn dies sind alle Hosts und Netze, von denen jegliche Emails angenommen werden (auch von ''und'' nach Fremddomains). Fehlkonfigurationen führen hier schnell zum [https://practical365.com/what-is-an-open-relay OpenRelay].

'''Beachte:''' ipv6-Adressen müssen in [eckigen Klammern] geschrieben werden, sonst werden keine Emails ausgeliefert!
Fehler im Logfile:
<pre>
postfix/smtpd[21928]: warning: smtpd_client_event_limit_exceptions: 2a01:40f8:c013:5050::0/64: table lookup problem
</pre>

Nach jeder Änderung ist der Dienst zu reloaden mit dem Befehl
<console>
# postfix reload
</console>

Ob der Restart ordentlich funktioniert hat, kann man z.B. anhand des Logs überprüfen:
<console>
# tail /var/log/mail.log
</console>

=== master.cf ===
Das Kernstück des Postfixdaemons. Hier werden die Transports festgelegt
Bedeutung der Spalten:
* service-Feld: Name des Dienstes (smtp, local, procmail, ...) (str)
* typ-Feld: Verbindungstyp (inet, fifo, unix) (str)
* Zugriffsrecht: Zugriff auch für externe Programme (default: y) (bool)
* unpriv-Feld: Start als unprivilegierter Benutzer (default: y) oder root (n) (bool)
* chroot: Soll der Dienst in einer chroot-Umgebung gestartet werden (default: y) (bool)
* wakeup-Feld: Sekunden zwischen 2 Aufrufen (default: 0) (int)
* Prozessmaximum: Wie viele Prozesse maximal gleichzeitig (default: 50) (int)
Danach erfolgt ein Kommando mit Flags und Parametern (optional).

== TLS ==
Optional kann man mit Zertifikaten verschlüsselte Übertragung von Emails konfigurieren. das funktioniert aber nur dann, wenn der Mailserver der Gegenstelle das Zertifikat auch einbindet. Man kann das Zertifikat auch in einen Mailclient einbinden (s. später).
Die Zertifikatserzeugung kann mit mit [https://letsencrypt.org letsencrypt] erfolgen. Clients zur Zertifikatserzeugung sind [[Webserver_mit_Apache#Alternative_letsencrypt | certbot ]] oder [[Webserver_mit_Apache#Dehydrated | dehydrated]].

=== Zertifikatsgenerierung in Kürze ===
# echo $HOSTNAME > /etc/dehydrated/domains.txt
# dehydrated –register –accept-terms
# dehydrated -c

Dies setzt allerdings einen [[Webserver_mit_Apache | Webserver]] voraus, der auf Port 80 lauscht. Gibt es diesen nicht, kann mal alternativ letsencrypt via DNS verwenden (https://letsencrypt.org/docs/challenge-types).

=== Alternative eigene CA (nicht empfohlen) ===

Wer unbedingt eine eigene CA betreiben will, kann das mit folgender Anleitung tun. Achtung: Das Vorgehen sollte nur gewählt werden, wenn ein zwingender Grund dafür besteht. Viele Browser und MUAs haben Probleme damit, erzeugen hässliche Warnings oder lassen die Seite nicht zu.

==== CA erstellen ====
Wenn noch kein Zertifikat vorhanden ist, kann man sich selbst eines erstellen oder einen CSR (Certificate Signing Request) erstellen und diesen an eine offizielle CA schicken. Soll ein kommerziell genutzter Mailserver entstehen, ist dies der realistische Weg.

Achtung: Dieser Schritt wird nicht gebraucht, wenn es schon eine CA gibt.

Schritte: 
Key erstellen (+Passwort dafür vergeben), Zertifkatsrequest für die CA erstellen, CA erstellen

$ openssl genrsa -out ca.key -des3 4096

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuernberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.de
Organizational Unit Name (eg, section) []:Hostmaster
Common Name (e.g. server FQDN or YOUR name) []:*.example.de
Email Address []:postmaster@example.de

==== Zertifikat mit der neuen CA erstellen ====
Schritte:
• Key erstellen
• Request erstellen
• Zertifikat erstellen und signen

$ openssl genrsa -out mx.example.de.key 4096
(kein Passwort festlegen)

$ openssl req -new -key mx.example.de.key -out mx.example.de.csr
(wieder das Formular ausfüllen as usual)

$ openssl x509 -req -days 365 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mx.example.de.crt

Beim Erneuern des Zertifikats fallen die Schritte „Erstellen der CA“ und Erzeugen des Keys weg. Ferner muss man auch keine Serial mehr angeben.
Der Renew-Befehl lautet also folgendermaßen:
$ openssl x509 -req -days 730 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -out mx.example.de.crt

=== Einbinden in die Config-Datei ===
Dieser Schritt gilt wieder für alle Zertifikate, egal wie sie erzeugt wurden. Die Pfade müssen natürlich entsprechend angepasst werden,

Zertifikate an die entsprechende Stelle kopieren und in der Konfig einbinden:

smtpd_tls_cert_file=/etc/ssl/certs/mx.example.de.crt
smtpd_tls_key_file=/etc/ssl/private/mx.example.de.key
smtpd_tls_CAfile=/etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:
${data_directory}/smtpd_cache
smtp_tls_session_cache_database = btree:
${data_directory}/smtp_scache

Der Parameter smtpd_tls_Cafile entfällt, wenn eine offizielle CA vorhanden ist (z.B. letsencrypt). 
Die Pfade zu den Zertifikaten können abweichen, bei letsencrypt liegen diese z.B. unter ''/var/lib/dehydrated/certs/''.
Überprüfung:
$ openssl s_client -connect mx.example.de:25 -starttls smtp
oder https://www.checktls.com/

Ergänzung:
Manche MTAs wollen ein Zertifikat in pfx-Form. Dieses kann man aus dem cert file wie folgt erzeugen:
$ openssl pkcs12 -export -out mx.example.de.pfx -inkey mx.example.de.key -in mx.example.de.crt
pfx-File und Passwort dem User zukommen lassen.

'''Spoiler:''' 
[[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]] „vergisst“ manchmal das neue Zertifikat und behält die alte Version, d.h. die meisten Mailclients spoolen dann keine neuen Emails mehr. In diesem Fall den Dovecot Service neu starten.

== SASL ==

Zur Vermeidung eines Open Relays ist dringend anzuraten, per default nur das Einliefern mit dem Absender @example.de von bestimmten Netzen zu erlauben. Dieses passiert mit dem Parameter ''mynetworks'' (s.o.).
Nun kann es natürlich passieren, dass Benutzer von einem Mailclient irgendwo im Internet Mails verschicken wollen. Diese wären laut Konfig nicht berechtigt. Da die meisten PCs mit dynamischen Adressen im Internet unterwegs sind, macht es hier auch keinen Sinn, die jeweilige IP-Adresse in der Konfig zu ergänzen. 
Das Problem kann umgangen werden, indem Emails versenden dann erlaubt wird, wenn sich der Benutzer einmal erfolgreich am IMAP-Server authentifiziert hat.
Hierfür gibt es SASL. Die entsprechenden Eintragungen in der main.cf sind:
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

Im Mailclient äußert sich das Verhalten so, dass man beim ersten Senden einer Nachricht sein Mailbox-Passwort angeben muss.
Bevor dieses Feature aktiviert wird, muss es einen IMAP-Server geben (s. [[#Dovecot|nächstes Kapitel]] ).

== Maps ==

Um besser unterscheiden zu können, was mit welchen Absender-/Zieladressen passiert, wird die Konfiguration in sogenannte „Maps“ aufgeteilt. Diese können als Klartext-File oder als Berkley DB vorliegen. In letzterem Fall müssen diese mit dem Kommando '''postmap''' nach jeder Bearbeitung umgewandelt werden. 
Ausnahme: Die Datei /etc/aliases.db (nur relevant für lokale Emailauslieferung) wird mit dem Kommando '''postalias''' oder '''newaliases''' generiert.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Hier werden aliase eingerichtet, die auf eine andere Mailbox mappen. Beispiel:
postmaster: root

=== Access ===
smtpd_sender_restrictions = hash:/etc/postfix/access
Hier können für Aktionen für spezielle Absenderadressen eingerichtet werden. Beispiel:
example.com DISCARD

=== Relocated ===
relocated_maps = hash:/etc/postfix/relocated

Abweisen der Mail mit einem Hinweis. Beispiel:
testy.test "Mails bitte statt an diese Adresse an ich@hier.de senden"

Ergebnis:
<testy.test@example.de>: Recipient address rejected: User has
moved to "Mails bitte statt an diese Adresse an ich@hier.de
senden"

=== Canonical ===
==== Sender ====
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Bestimmte Adressen werden auf ein übliches Standardformat umgeschrieben:

sunflower@example.de petra.sonne@example.de
phun@work.de peter.hun@example.de

==== Recipient ====
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Arbeitet genauso wie sender_canonical, nur für Empfängeradressen.

=== Virtual Mailbox ===
virtual_mailbox_maps = hash:/etc/postfix/virtual
Locations der Mailboxen des imap-Servers (näheres unter [[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]])

sunflower@example.de example.de/sunflower/
testy@example.de example.de/testy
test@example.de example.de/test
lmaa@ihr-koennt-mich-alle.de ihr-koennt-mich-alle.de/lmaa

=== Virtual Aliases ===
virtual_alias_maps = hash:/etc/postfix/virtual_maps

Adressen die auf andere Adressen umgebogen werden (ähnlich wie die aliases), kann auch domainübergreifend passieren.
So können mehrere Empfängeradressen in dieselbe Mailbox laufen.

anrufbeantworter@example.de sunflower@example.de,H.Hirsch@gmx.de,harry1999@yahoo.de
info@example.de sunflower@example.de
postmaster root
webmaster root
administrator root
root sunflower
fortune: fortune
Letzteres ist eine Pipe. Dazu später mehr.

Umwandeln von Text in DB-File und in Postfix einlesen:
postmap <aliases|access|canonical|...>
postfix reload

=== Einfaches Beispiel: Emails von einer Domain auf eine andere weiterleiten ===
Nehmen wir an, wir haben einen Emailserver1 in der Domain example.com. Dieser soll alle Email die an <userXY>@example.com eintreffen, an <userXY>@example.de weiterleiten. Auch hier ist eine Eintrag in der o.g. ''virtual_maps'' Datei nötig:
@example.com @example.de
Nun werden alle example.com-Emails zum zuständigen Emailserver für example.de weitergeleitet. Der user part bleibt unverändert.

=== Transports ===
Transports sind die Art und Weise, wie eine eingehende Mail behandelt wird, z.B. lokal in eine Datei speichern, an einen imap-Server weiterreichen oder ein Script ausführen.

Hier ein Beispiel: 
Wenn auf eine bestimmte Adresse geschickt wird, soll ein Script ausgeführt werden, das dem Absender einen Zufallsspruch zurücksendet '''und''' die Mail gleichzeitig in ein Postfach einliefert.
Schritte:

1. Alias definieren (virtual_maps):

fortune@example.de fortune

2. Alias auf einen Transport mappen (transports):

fortune@example.de randomphrase:

3. Transport definieren (master.cf):

<pre>
randomphrase unix - n n - - pipe
flags=h user=vmail:vmail argv=/usr/local/bin/randomphrase.pl ${sender}
</pre>

(Den User vmail muss es natürlich in der passwd geben, z.B. so:
vmail:x:4000:4000::/home/vmail:/user/sbin/nologin
)

4. Script hinterlegen:
/usr/local/bin/randomphrase.pl
für alle ausführbar machen

Mit dem Script [[ randomphrase.pl ]] wird ein Zufallsspruch erzeugt. Dafür muss das Paket ''fortune-mod'' installiert sein.
Zum Weiterschicken der Email wird das Script /usr/local/bin/deliver_mail.sh aufgerufen. ([[File:Deliver_mail.sh]])
 Hierfür muss der User vmail in der Datei ''/etc/sudoers.d/vmail'' berechtigt werden:
vmail ALL=(root) NOPASSWD: /usr/local/bin/deliver_mail

Eine Email an die Adresse fortune@example.de erzeugt nun eine Antwort an die Absenderadresse mit einem Zufallsspruch.

== Multidomain ==

Natürlich kann Postfix auch Emails für mehrere Domains annehmen. Dafür gibt es den Parameter „virtual_mailbox_domains“:

virtual_mailbox_domains = example.de example.com ihr-koennt-mich-alle.de
Die Variable $mydomain sollte dann aus mydestination entfernt werden.

== Special DNS Records ==
=== SPF (Sender Policy Framework) ===
Mit einem RR-Type TXT kann man eine Liste von Emailservern definieren, die als Absender die Emaildomain verwenden dürfen. Generiert jemand eine Fakeemail von einem anderen System aus, kann diese abgewiesen werden.

Beispiel für einen DNS TXT Record:
IN TXT "v=spf1 mx:example.de a:foo.example.de ip4:8.15.47.11/32 ip6:2008:15:5:47::11/48 ip6:2008:15:5:47::12/48 -all"

Howto: 
https://dmarcian.com/create-spf-record/ 
http://www.open-spf.org/SPF_Record_Syntax/

SPF in Postfix integrieren:

Nun ist die Domain vor Missbrauch vor Fakeeemails geschützt. Jetzt gibt es aber noch die andere Seite zu beachten. Postfix soll ebenfalls die SPF-Records anderer Emaildomains prüfen und die Email ggf ablehnen.
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Hier in Kürze zusammengefasst, was es zu beachten gibt:
# apt install postfix-policyd-spf-python
Die Config-Datei ''/etc/postfix-policyd-spf-python/policyd-spf.conf'' liefert bereits brauchbare Defaults, optional kann man noch eine Whitelist ergänzen z.B.

Domain_Whitelist = example.com
In der master.cf ergänzen:
<pre>
policyd-spf unix - n n - - spawn
user=policyd-spf argv=/usr/bin/policyd-spf
</pre>

In der main.cf ergänzen:
smtpd_recipient_restrictions =
(...)
check_policy_service unix:private/policyd-spf
(…)
'''Achtung:''' Wenn es schon einen check_policy_service Eintrag gibt, '''keinesfalls''' einen weiteren Eintrag anhängen, sondern eine neue Zeile aufmachen!
policy-spf_time_limit = 3600s

# postfix reload

Ein paar Testemails einkippen und mail.log gucken.

=== DMARC (Domain based Message Authentication, Reporting and Conformance) ===
https://dmarcian.com/dmarc-record/

Beispiel für einen DNS TXT Record:
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:postmaster@example.de"

In dem Fall werden verdächtige Emails in einen Quarantäne-Ordner verschoben und ein Report an den postmaster versandt.
Für die Integration in Postfix gibt es das Paket opendmarc.
Implementierung von SPF, DKIM und DMARC in Postfix:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
(untested)

== Nützliche Commands ==
Erzeugen eines database files aus einer Textdatei:
postmap <filename>
Alle Configparameter anzeigen:
postconf
Konfigprüfung:
postfix check
Mailqueue anschauen:
mailq
Alle Messages in der Queue ausliefern:
postqueue -f
Nur eine bestimmte Message ausliefern:
postqueue -i <ID>
Message löschen:
postsuper -d <ID>
Alle Messages löschen (!):
postsuper -d ALL
Inhalt einer Message anschauen:
postcat -vq <ID>

== Logfile ==

Geloggt wird nach ''/var/log/mail.log'' (alles) bzw. Errors nach ''/var/log/mail.err'' und Warnings nach ''/var/log/mail.warn''.
 Protipp: Alias anlegen:
maillog='tail -f /var/log/mail.log'

== Greylisting und Antispam ==

Zur Bekämpfung der Spamflut gibt es das praktische Programm '''„Postgrey“'''. Unter Debian kann dieses als Paket installiert werden. Dieses wird in die main.cf im Abschnitt smtpd_recipient_restrictions eingebunden.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
'''reject_non_fqdn_sender'''
'''reject_non_fqdn_recipient'''
'''reject_rbl_client bl.spamcop.net'''
'''check_policy_service inet:127.0.0.1:10023'''

(Die Blacklist ''dnsbl.sorbs.net'' wurde hier außen vor gelassen, da diese so ziemlich alles blockt, z.B. alle yahoo- oder gmx-Adressen.)
Damit das funktioniert, muss natürlich noch Postgrey selbst an den Start gebracht werden.
Hierfür wird die Datei ''/etc/default/postgrey'' bearbeitet. Hier ein Beispiel:
POSTGREY_OPTS="--inet=10023 --auto-whitelist-clients=8
POSTGREY_TEXT="Busy. Come back in 5 minutes."

Der Service lauscht also auf Port 10023. Im obigen Beispiel wird ein Absender beim 8. erfolgreichen Zustellversuch automatisch gewhitelistet (optionaler Parameter ''--auto-whitelist-clients'', evtl. Zahl erhöhen oder Parameter ganz weglassen).

Anschließend wechselt man ins Verzeichnis ''/etc/postgrey''. Dort gibt es 2 Whitelistings. Die Absender stehen in '''whitelist_clients'''. Dort stehen bereits IPs und Domains diverser Provider. Man kann dort selbst Einträge hinzufügen (z.B. example.ch).

In der Datei '''whitelist_recipients''' kann man alle Empfänger der eigenen Domain eintragen, die auf jeden Fall immer Emails bekommen sollen. z.B. postmaster@, abuse@. 
Beachte: '''Die Dateien müssen explizit eingesourcet werden''', passiert nicht automatisch. Das macht man mit den POSTGREY_OPTS:
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients"

Nach getaner Anpassung, den postgrey-Service (neu)starten.
# service postgrey restart
Überprüfen, ob der Dienst läuft z.B. mit:
# lsof -i :10023
Anschließend Postfix reloaden
# postfix reload
und die Mailbox(en) beobachten, hinsichtlich Spamaufkommen.

''(Quelle: Artikel „Postzusteller“, Admin-Magazin, Ausgabe 03-2013)''

= Dovecot =

Open Source IMAP-Server zum Einliefern der Emails in Postfächer mittels POP3 oder IMAP bzw. IMAPs. Im folgenden wird nur auf IMAPs eingegangen.

== Installation ==

Es empfiehlt sich, den Dovecot auf demselben System zu installieren wie Postfix. Andere Fälle werden hier nicht berücksichtigt.

Installation des imapd mittels
# apt install dovecot-imapd

Dies reicht für alle Grundfunktionen der Emailauslieferung. Für erweiterte Optionen wie z.B. Filterfunktion können weiter dovecot-Pakete wie '''dovecot-antispam, dovecot-sieve''' installiert werden.

User (i.d.F. ''vmail'') als Owner für die Mailboxen anlegen:

useradd -u 4000 -m -d /home/vmail -s /user/sbin/nologin vmail

== Konfiguration ==

Configdateien in ''/etc/dovecot/conf.d'' anpassen.
Die Datei ''/etc/dovecot/dovecot.conf'' inkludiert per Default alle Dateien unter conf.d/*.conf.

=== Usermanagement ===

Hier ein Beispiel, wo User in einer separaten Datei abgelegt werden.

''10-auth.conf:''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login
!include auth-master.conf.ext
</pre>
Wenn kein auth über pam:
#!include auth-system.conf.ext

Plaintext Auth kann man erlauben, weil die User-Passwörter als gehashter String übertragen werden. Für die Kommunikation zwischen Postfix und Dovecot spielt das ohnehin keine Rolle, da sich beide Dienste auf einem Server befinden. Der Zugriff von einem MUA aus wird über TLS/SSL erfolgen (s.u.).

master user anlegen (optional):
<pre>
doveadm pw -p supergeheim -s SHA512-CRYPT -u administrator@example.de
</pre>
Den Output zusammen mit dem Usernamen in die Datei master-users pasten.
<pre>
cat ../master-users
administrator@example.de:{SHA256-CRYPT}$5$9zrt7/e2CDkPmSuA$SNEkm/L4XZcYFAbYkJp5ESl9u35fVBSd4ukO0dm5yp3
</pre>

Sonstige User anlegen:
<pre>
doveadm pw -p strenggeheim -s SHA512-CRYPT -u sunflower@example.de
</pre>
→ /etc/dovecot/users:
<pre>
sunflower:{SHA256-CRYPT}$5$D3PhhtqUhRXT7cmZ$E5244BpvNafb.9FtbhF9AUfbvw8XpnOJhPyM/q/rRN2:::Sun Flo,,,:/var/mail/example.de/sunflower:/bin/false
</pre>
Hier sollten keine Abkürzungen wie ''%d'' oder ''%n'' stehen, weil diese nicht (von sieve, s.u.) bzw. nur teilweise (von dovecot) interpretiert werden.

Damit der Account auch Email bekomemn kann, ergänzt man die virtual table im Postfix directory:
cat sunflower@example.de example.de/spambucket >> /etc/postfix/virtual
Aktivieren mit
postmap virtual
postfix reload

=== Dateirechte ===

Die Files master-users, users sollten nur von dovecot gelesen werden können!
<pre>
# chgrp dovecot /etc/dovecot/*users
# chmod o-r /etc/dovecot/*users
</pre>
Mailbox anlegen und User berechtigen:
<pre>
# maildirmake.dovecot /var/mail/<domain>/<username>
# chown -R vmail.vmail /var/mail/<domain>/<username>
</pre>

User im Postfix anlegen, in den virtual maps, s. o.

Kontrolle:
<pre>
# doveadm user <username>
</pre>

=== IMAP konfigurieren ===
Protipp: erstmal conf.d wegsichern:
<pre>
rsync -av /etc/doveconf/conf.d /etc/doveconf/conf.d.orig
</pre>
Folgende Konfigurationsdateien in conf.d entsprechend anpassen:
* '''10-auth.conf'''
<pre>
auth_allow_cleartext = yes
auth_username_format = %{user|username|lower}
auth_master_user_separator = *
auth_mechanisms = plain login

!include auth-master.conf.ext
!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
</pre>
* '''10-mail.conf'''
<pre>
# den parameter mail_location gibt es nicht mehr
mail_driver = maildir
mail_home = /var/mail/%{user | domain}/%{user}
mail_path = %{home}
namespace inbox {
inbox = yes
}
mail_uid = 4000
mail_gid = 4000
mail_privileged_group = mail
protocol !indexer-worker {
}
</pre>
* '''10-master.conf'''
<pre>
service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
}
}
service auth {
unix_listener auth-userdb {
 user = vmail
 group = vmail
}
unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
}
}
service stats {
unix_listener stats-reader {
 user = vmail
 group = vmail
 mode = 0660
 }

unix_listener stats-writer {
 user = vmail
 group = vmail
 mode = 0660
 }
}
</pre>
* '''10-ssl.conf'''
<pre>
# (z.B. Postfix certs verwenden)
ssl = yes
ssl_server_cert_file = /etc/dovecot/private/dovecot.pem
ssl_server_key_file = /etc/dovecot/private/dovecot.key
ssl_min_protocol = TLSv1.2

#ssl_client_ca_dir = /etc/ssl/certs
#ssl_dh = </usr/share/dovecot/dh.pem
</pre>

Zertifikate generieren: s. https://wiki.nomorebluescreen.de/index.php?title=Webserver_mit_Apache#Alternative_letsencrypt

'''Spoiler:''' 
Jedes Mal, wenn das Zertifikat ausgetauscht wird, muss der dovecot-Service neu gestartet werden, damit das neue Zertifikat auch eingelesen wird.

'''Überprüfen, welche Dateien angefasst wurden:'''
<pre>
diff -quw conf.d.orig conf.d
Files conf.d.orig/10-ssl.conf and conf.d/10-ssl.conf differ
Files conf.d.orig/15-lda.conf and conf.d/15-lda.conf differ
Files conf.d.orig/20-imap.conf and conf.d/20-imap.conf differ
Files conf.d.orig/20-managesieve.conf and conf.d/20-managesieve.conf differ
Files conf.d.orig/90-sieve.conf and conf.d/90-sieve.conf differ
Files conf.d.orig/auth-passwdfile.conf.ext and conf.d/auth-passwdfile.conf.ext differ
</pre>

'''Ausgabe der gesamten Config'''

# doveconf -n

==== Sieve ====
Engine zum Filtern von Emails

dovecot-sieve und dovecot-managesieved installieren

'''15-lda.conf:'''
<pre>
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins sieve
}
</pre>

'''20-managesieve.conf:'''
<pre>
protocols = $protocols sieve
</pre>

'''90-sieve.conf:'''
<pre>
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global_dir = /var/lib/dovecot/sieve
}
</pre>
Kontrolle, ob der sieve-Service läuft und auf Port 4190 lauscht.
<pre>
# service dovecot restart
# ss -plnt | grep 4190
</pre>
Da der User i.a. nicht direkt auf dem Emailserver sein /home mit den Sieve-Regeln editieren kann, erfolgt die weitere Konfiguration im Email-Client (s.u.).

Achtung Bug: 
Da sieve/dovecot die Variable %n in der users-Datei nicht interpretiert, sollte man diese dort nicht verwenden. Somit kann es passieren, dass von roundcube ein Verzeichnis ''%n'' angelegt wird, in dem sich eine gemeinsame sieve config für '''alle''' User befindet.

=== Transport von Postfix zu Dovecot ===

Dem Postfix muss noch beigebracht werden, dass die Emails zum Dovecot gehen. 
'''master.cf''' im Postfix anpassen (die Einträge in den {} gehören so, nicht ersetzen!):
<pre>
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail
argv=/usr/lib/dovecot/deliver -a ${recipient} -f ${sender} -d $
{user} @${nexthop} -m ${extension}
</pre>
und einen mailbox_command Eintrag in der main.cf vornehmen:
<pre>
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
</pre>
(https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_postfix/#howto-dovecot-lda-postfix)

Danach noch postfix und dovecot service restarten.

== Logging ==

Logfiles gehen ebenfalls (wie postfix) nach /var/log/mail.log 
Nützlicher Alias:
<pre>
maillog='tail -f /var/log/maillog'
</pre>

Debugging einschalten:
mail_debug = yes
in der Datei
''10-logging.conf''.

'''Protipp:'''
Wenn im Log folgender Fehler erscheint:

Mar 27 08:03:56 aphantopus postfix/pipe[2317]: 521066005D: to=<sunflower@example.de>, relay=dovecot, delay=0.3, delays=0.19/0.04/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service (lda(sunflower@example.de,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied))

=> In der ''10-master.conf'' '''stats''' für User vmail erlauben (s.o.)

= Roundcube =

Praktisches Webfrontend zum Abholen und Verschicken von Emails

Erst mysql-server installieren, sonst bricht die Installation mit einem Fehler ab
# apt install mariadb-server roundcube
Die dbconfig-common Frage mit „yes“ beantworten, mysql-Passwort setzen.
Config Datei anpassen (''/etc/roundcube/config.inc.php''):
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

== Plugins ==

Standard-Plugings installieren
# apt install roundcube-plugins

Weitere Plugins installieren:
# apt install roundcube-plugins-extra git curl composer
(composer braucht man für die Installation von Plugins, git, weil die meisten aus github kommen) 
Die, die man haben will, in der Datei ''/etc/roundcube/config.inc.php'' enablen

$config['plugins'] = array(
 'compose-addressbook',
'markasjunk2',
 'fail2ban'
);

Übersicht über die offiziellen Plugins:

https://plugins.roundcube.net/

Plugins, die es nicht als Paket gibt: 
Schritte: 
* README lesen
* Plugin als zip herunterladen, nach ''/usr/share/roundcube/plugins'' entpacken
* (evtl. umbenennen)
* ''/etc/roundcube/config.inc.php'' bearbeiten:
Abschnitt
$config['plugins'] = array(
suchen und fehlendes Plugin ergänzen

== Filter Plugin for Sieve ==

Achtung, nicht das Plugin „filter“ verwenden, sondern '''managesieve''' (ist Bestandteil des roundcube-plugins Paketes)

Eine Anleitung gibt es hier: 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-code-in-roundcube/
 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-in-roundcube/


Anmerkung: Den protocols Parameter nicht in der dovecot.conf editieren, sondern in
''20-managesieve.conf'' (s.o.):

protocols = $protocols sieve

Nun kann man über das Webfrontend Sieve-Filterregeln generieren

Achtung Bug: 
Sieve legt ein sieve-Verzeichnis unter dem Verzeichnis an, das in mail_location definiert ist. Wenn man die emails der User unter ''/var/mail/<domain>/<username>'' ablegen möchte, wird man folgendes konfigurieren:

mail_location = maildir:/var/mail/%d/%n

Da dovecot aber %d nicht interpretiert (s.o.), liegt das User maildirectory unter /var/mail/<username>. Sieve interpretiert dagegen %n nicht und legt ein Directory /var/mail/<domain>/%n/sieve an, unter der die roundcube.sieve Datei liegt. Somit greifen alle User auf dieselbe Datei zu, was technisch möglich, securitytechnisch aber fatal ist. Leider keine gute Idee zur Abhilfe bekannt.

== Passwort ändern ==
Um den Usern die Möglichkeit zu geben, ihr Passwort selbst zu ändern, wird in der ''config.inc.php'' das Plugin enabled:

<pre>
$config['plugins'] = array(
(...)
'password'
);
</pre>

Weitere Einstellungen, wenn die User in einem Passwortfile gepflegt werden wie im Kapitel '''Dovecot''' beschrieben: 
(wir gehen davon aus, dass die Userpasswörter mit sha512 verschlüsselt werden, s.o.)

# https://stackoverflow.com/questions/62655236/how-to-enable-password-plugin-on-roundcube
$config['password_algorithm'] = 'ssha512';
$config['password_algorithm_prefix'] = '{SSHA512}';
$config['password_driver'] = 'dovecot_passwdfile';
$config['password_dovecot_passwdfile_path'] = '/etc/dovecot/users';

Die users Datei vom dovecot muss dann entsprechend für www-data les- und schreibbar sein:
-rw-rw---- 1 dovecot www-data 1240 Dec 2 23:20 /etc/dovecot/users

(Achtung, riskant bei eventueller Kompromittierung des Webservers! Als Alternative überlegen, die dovecot-Passwörter in eine [mysql-]DB auszulagern)

== Identities ändern ==

Normalerweise kann ein User nur mit seiner Absenderadresse senden. Das ist eine sinnvolle Einstellung, aber wer das Feature zu Testzwecken abschalten will, kann folgende Einstellung vornehmen:
$config['identities_level'] = 0;
Nun kann der User über "Einstellungen" weitere Absender hinzufügen (https://www.servercake.blog/multiple-identities-roundcube/)

(Leider bisher keine Möglichkeit gefunden, dies nur auf (einen) bestimmte(n) User einzuschränken)

== Apache Integration ==

Hier eine Beispielkonfiguration für einen Virtual Host, um die Roundcube-Seite unter https://mail.example.de zu erreichen.
Weiteres im Kapitel [[Webserver mit Apache|apache]]
<pre>
<VirtualHost *:443>
ServerName mail.example.de
ServerAdmin postmaster@example.de

SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.example.de/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.example.de/privkey.pem

DocumentRoot /usr/share/roundcube

# Includes
Include /etc/apache2/conf-available/ssl-encryption.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog /var/log/apache2/mail-ssl.log combined
ErrorLog /var/log/apache2/mail-ssl-error.log
</VirtualHost>
</pre>

Das roundcube-Paket bringt zudem noch eine roundcube.conf mit, die unter /etc/apache2/conf-available/roundcube.conf installiert und aktiviert wird.

=== PHP ===
Damit der Roundcube überhaupt läuft, muss das php Plugin installiert und aktiviert sein. Passiert unter Debian mittels:
# apt install libapache2-mod-php

Etwas performanter ist die Verwendung von '''php-fpm''' (https://www.zend.com/blog/apache-phpfpm-modphp).
# apt install php-fpm

Der default Upload bei PHP sind dürftige 2 MB. Um diesen z.B. auf 50MB raufzudrehen, muss folgende Datei angefasst werden:
<pre>VERSION=$(php -v| head -n 1 | awk '{ print $2 }' | sed -e 's|.[[:digit:]]*$||')</pre>
* modphp:
/etc/php/${VERSION}/apache2/php.ini
upload_max_filesize = 50M
* php-fpm:
/etc/php/${VERSION}/fpm/php.ini
upload_max_filesize = 50M

= Integration in einen MUA =
Wer nicht über den (langsamen) Webmailer gehen will, kann natürlich auch einen MUA seiner Wahl verwenden. Hier ein Beispiel.

== Thunderbird==

Einstellungen für Outgoing Server (SMTP)
<pre>
Servername: FQDN des Email-Servers
Port: 25
Connection Security: STARTTLS
Authentication Method: Normal Password
Username: Name des Mailbox-Users
</pre>

Beim 1. Mal wird man nach seinem Mailbox-Passwort gefragt. Dieses eingeben und speichern.

Server Settings (IMAP)
<pre>
Server Type: IMAP Mail Server
Server Name: FQDN des Email-Servers
Port: 993
Username: Name des Mailbox-Users
Connection Security: SSL/TLS
Authentication Method: Normal Password
(Die restlichen Defaults so belassen oder bei Bedarf anpassen)
</pre>

[[File:Screenshot thunderbird1.png|900px]]
[[File:Screenshot thunderbird2.png|900px]]

Emailserver mit Postfix und Dovecot

2026-03-18T22:20:26Z

Sunflower: /* Dateirechte */

= Postfix =

Postfix ist ein MTA (Mail Transfer Agent), der eine gute Alternative zu anderen gängigen MTAs (Sendmail, Exim) darstellt, da seine Konfiguration gut lesbar ist.
In unserem Beispiel soll der MTA mit einem IMAPd (Dovecot) verknüpft werden, so dass Benutzer eine Mailbox direkt auf dem System haben. Das Abholen der Mails erfolgt per IMAPs.

== Installation ==

Zunächst muss das Paket „postfix“ installiert werden.
Dabei sind noch ein paar Fragen zu beantworten: 
* '''Art des Servers: '''Internet Site 
* '''Root and postmaster mail recipient:''' ein Postfach eintragen, z.B.postmaster@example.de 
* '''Other destinations to accept mail for (blank for none):''' z.B. mail.example.de, localhost, $mydomain (kann man erstmal die defaults belassen)
* '''Force synchronous updates on mail queue:''' no'''
* '''Local subnets:''' 127.0.0.1/8, 192.168.63.0/24 (hier das eigene Netz ergänzen)
* '''Mailbox size limit:''' 0 (unbegrenzt)
* '''Local address extension character:''' + (i.a. als default ausreichend)
* '''Internet protocols to use:''' all (wenn man nicht explizit ipv4 oder ipv6 sprechen will)

Diese Einstellungen lassen sich jederzeit mit
<console>
# dpkg-reconfigure postfix</console>
ändern.

Alle relevanten Dateien befinden sich im Verzeichnis ''/etc/postfix''.

== Konfiguration ==

Bevor wir zur Postfixconfig kommen, überprüfen wir den Inhalt der Datei /etc/mailname:
<pre>
$ cat /etc/mailname
</pre>
Dort darf '''nur der Domainname''' stehen, nicht der Hostname (e.g. example.com). Andernfalls kann das Auswirkungen auf den Emailversand haben, v.a. wenn in der main.cf (s.u.) auf die Datei referenziert wird.

Die wichtigeste Datei zum Anpassen ist zunächst die '''main.cf'''. Hier ein Beispiel für den Server „mx“ in der Domain example.de. Folgende Parameter sollten konfiguriert sein (exemplarisch):
<pre>
myhostname
mydomain
myorigin
mydestination
</pre>

Meistens gibt es schon ein paar brauchbare defaults. Der Parameter ''mynetworks'' erlaubt es bestimmten Netzen, Emails ohne weitere Einschränkungen einzuliefern.

Beispielconfig:

<pre>
myhostname = mx01.example.de
mydomain = example.de
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.99.0/24 [2001:780:11b::/48] 214.94.24.154 [2004:780:8:0:5ff0:c5ff:fe09:98f9]
</pre>

Vor allem der Parameter '''mynetworks''' sollte mit Bedacht gewählt werden, denn dies sind alle Hosts und Netze, von denen jegliche Emails angenommen werden (auch von ''und'' nach Fremddomains). Fehlkonfigurationen führen hier schnell zum [https://practical365.com/what-is-an-open-relay OpenRelay].

'''Beachte:''' ipv6-Adressen müssen in [eckigen Klammern] geschrieben werden, sonst werden keine Emails ausgeliefert!
Fehler im Logfile:
<pre>
postfix/smtpd[21928]: warning: smtpd_client_event_limit_exceptions: 2a01:40f8:c013:5050::0/64: table lookup problem
</pre>

Nach jeder Änderung ist der Dienst zu reloaden mit dem Befehl
<console>
# postfix reload
</console>

Ob der Restart ordentlich funktioniert hat, kann man z.B. anhand des Logs überprüfen:
<console>
# tail /var/log/mail.log
</console>

=== master.cf ===
Das Kernstück des Postfixdaemons. Hier werden die Transports festgelegt
Bedeutung der Spalten:
* service-Feld: Name des Dienstes (smtp, local, procmail, ...) (str)
* typ-Feld: Verbindungstyp (inet, fifo, unix) (str)
* Zugriffsrecht: Zugriff auch für externe Programme (default: y) (bool)
* unpriv-Feld: Start als unprivilegierter Benutzer (default: y) oder root (n) (bool)
* chroot: Soll der Dienst in einer chroot-Umgebung gestartet werden (default: y) (bool)
* wakeup-Feld: Sekunden zwischen 2 Aufrufen (default: 0) (int)
* Prozessmaximum: Wie viele Prozesse maximal gleichzeitig (default: 50) (int)
Danach erfolgt ein Kommando mit Flags und Parametern (optional).

== TLS ==
Optional kann man mit Zertifikaten verschlüsselte Übertragung von Emails konfigurieren. das funktioniert aber nur dann, wenn der Mailserver der Gegenstelle das Zertifikat auch einbindet. Man kann das Zertifikat auch in einen Mailclient einbinden (s. später).
Die Zertifikatserzeugung kann mit mit [https://letsencrypt.org letsencrypt] erfolgen. Clients zur Zertifikatserzeugung sind [[Webserver_mit_Apache#Alternative_letsencrypt | certbot ]] oder [[Webserver_mit_Apache#Dehydrated | dehydrated]].

=== Zertifikatsgenerierung in Kürze ===
# echo $HOSTNAME > /etc/dehydrated/domains.txt
# dehydrated –register –accept-terms
# dehydrated -c

Dies setzt allerdings einen [[Webserver_mit_Apache | Webserver]] voraus, der auf Port 80 lauscht. Gibt es diesen nicht, kann mal alternativ letsencrypt via DNS verwenden (https://letsencrypt.org/docs/challenge-types).

=== Alternative eigene CA (nicht empfohlen) ===

Wer unbedingt eine eigene CA betreiben will, kann das mit folgender Anleitung tun. Achtung: Das Vorgehen sollte nur gewählt werden, wenn ein zwingender Grund dafür besteht. Viele Browser und MUAs haben Probleme damit, erzeugen hässliche Warnings oder lassen die Seite nicht zu.

==== CA erstellen ====
Wenn noch kein Zertifikat vorhanden ist, kann man sich selbst eines erstellen oder einen CSR (Certificate Signing Request) erstellen und diesen an eine offizielle CA schicken. Soll ein kommerziell genutzter Mailserver entstehen, ist dies der realistische Weg.

Achtung: Dieser Schritt wird nicht gebraucht, wenn es schon eine CA gibt.

Schritte: 
Key erstellen (+Passwort dafür vergeben), Zertifkatsrequest für die CA erstellen, CA erstellen

$ openssl genrsa -out ca.key -des3 4096

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuernberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.de
Organizational Unit Name (eg, section) []:Hostmaster
Common Name (e.g. server FQDN or YOUR name) []:*.example.de
Email Address []:postmaster@example.de

==== Zertifikat mit der neuen CA erstellen ====
Schritte:
• Key erstellen
• Request erstellen
• Zertifikat erstellen und signen

$ openssl genrsa -out mx.example.de.key 4096
(kein Passwort festlegen)

$ openssl req -new -key mx.example.de.key -out mx.example.de.csr
(wieder das Formular ausfüllen as usual)

$ openssl x509 -req -days 365 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mx.example.de.crt

Beim Erneuern des Zertifikats fallen die Schritte „Erstellen der CA“ und Erzeugen des Keys weg. Ferner muss man auch keine Serial mehr angeben.
Der Renew-Befehl lautet also folgendermaßen:
$ openssl x509 -req -days 730 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -out mx.example.de.crt

=== Einbinden in die Config-Datei ===
Dieser Schritt gilt wieder für alle Zertifikate, egal wie sie erzeugt wurden. Die Pfade müssen natürlich entsprechend angepasst werden,

Zertifikate an die entsprechende Stelle kopieren und in der Konfig einbinden:

smtpd_tls_cert_file=/etc/ssl/certs/mx.example.de.crt
smtpd_tls_key_file=/etc/ssl/private/mx.example.de.key
smtpd_tls_CAfile=/etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:
${data_directory}/smtpd_cache
smtp_tls_session_cache_database = btree:
${data_directory}/smtp_scache

Der Parameter smtpd_tls_Cafile entfällt, wenn eine offizielle CA vorhanden ist (z.B. letsencrypt). 
Die Pfade zu den Zertifikaten können abweichen, bei letsencrypt liegen diese z.B. unter ''/var/lib/dehydrated/certs/''.
Überprüfung:
$ openssl s_client -connect mx.example.de:25 -starttls smtp
oder https://www.checktls.com/

Ergänzung:
Manche MTAs wollen ein Zertifikat in pfx-Form. Dieses kann man aus dem cert file wie folgt erzeugen:
$ openssl pkcs12 -export -out mx.example.de.pfx -inkey mx.example.de.key -in mx.example.de.crt
pfx-File und Passwort dem User zukommen lassen.

'''Spoiler:''' 
[[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]] „vergisst“ manchmal das neue Zertifikat und behält die alte Version, d.h. die meisten Mailclients spoolen dann keine neuen Emails mehr. In diesem Fall den Dovecot Service neu starten.

== SASL ==

Zur Vermeidung eines Open Relays ist dringend anzuraten, per default nur das Einliefern mit dem Absender @example.de von bestimmten Netzen zu erlauben. Dieses passiert mit dem Parameter ''mynetworks'' (s.o.).
Nun kann es natürlich passieren, dass Benutzer von einem Mailclient irgendwo im Internet Mails verschicken wollen. Diese wären laut Konfig nicht berechtigt. Da die meisten PCs mit dynamischen Adressen im Internet unterwegs sind, macht es hier auch keinen Sinn, die jeweilige IP-Adresse in der Konfig zu ergänzen. 
Das Problem kann umgangen werden, indem Emails versenden dann erlaubt wird, wenn sich der Benutzer einmal erfolgreich am IMAP-Server authentifiziert hat.
Hierfür gibt es SASL. Die entsprechenden Eintragungen in der main.cf sind:
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

Im Mailclient äußert sich das Verhalten so, dass man beim ersten Senden einer Nachricht sein Mailbox-Passwort angeben muss.
Bevor dieses Feature aktiviert wird, muss es einen IMAP-Server geben (s. [[#Dovecot|nächstes Kapitel]] ).

== Maps ==

Um besser unterscheiden zu können, was mit welchen Absender-/Zieladressen passiert, wird die Konfiguration in sogenannte „Maps“ aufgeteilt. Diese können als Klartext-File oder als Berkley DB vorliegen. In letzterem Fall müssen diese mit dem Kommando '''postmap''' nach jeder Bearbeitung umgewandelt werden. 
Ausnahme: Die Datei /etc/aliases.db (nur relevant für lokale Emailauslieferung) wird mit dem Kommando '''postalias''' oder '''newaliases''' generiert.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Hier werden aliase eingerichtet, die auf eine andere Mailbox mappen. Beispiel:
postmaster: root

=== Access ===
smtpd_sender_restrictions = hash:/etc/postfix/access
Hier können für Aktionen für spezielle Absenderadressen eingerichtet werden. Beispiel:
example.com DISCARD

=== Relocated ===
relocated_maps = hash:/etc/postfix/relocated

Abweisen der Mail mit einem Hinweis. Beispiel:
testy.test "Mails bitte statt an diese Adresse an ich@hier.de senden"

Ergebnis:
<testy.test@example.de>: Recipient address rejected: User has
moved to "Mails bitte statt an diese Adresse an ich@hier.de
senden"

=== Canonical ===
==== Sender ====
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Bestimmte Adressen werden auf ein übliches Standardformat umgeschrieben:

sunflower@example.de petra.sonne@example.de
phun@work.de peter.hun@example.de

==== Recipient ====
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Arbeitet genauso wie sender_canonical, nur für Empfängeradressen.

=== Virtual Mailbox ===
virtual_mailbox_maps = hash:/etc/postfix/virtual
Locations der Mailboxen des imap-Servers (näheres unter [[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]])

sunflower@example.de example.de/sunflower/
testy@example.de example.de/testy
test@example.de example.de/test
lmaa@ihr-koennt-mich-alle.de ihr-koennt-mich-alle.de/lmaa

=== Virtual Aliases ===
virtual_alias_maps = hash:/etc/postfix/virtual_maps

Adressen die auf andere Adressen umgebogen werden (ähnlich wie die aliases), kann auch domainübergreifend passieren.
So können mehrere Empfängeradressen in dieselbe Mailbox laufen.

anrufbeantworter@example.de sunflower@example.de,H.Hirsch@gmx.de,harry1999@yahoo.de
info@example.de sunflower@example.de
postmaster root
webmaster root
administrator root
root sunflower
fortune: fortune
Letzteres ist eine Pipe. Dazu später mehr.

Umwandeln von Text in DB-File und in Postfix einlesen:
postmap <aliases|access|canonical|...>
postfix reload

=== Einfaches Beispiel: Emails von einer Domain auf eine andere weiterleiten ===
Nehmen wir an, wir haben einen Emailserver1 in der Domain example.com. Dieser soll alle Email die an <userXY>@example.com eintreffen, an <userXY>@example.de weiterleiten. Auch hier ist eine Eintrag in der o.g. ''virtual_maps'' Datei nötig:
@example.com @example.de
Nun werden alle example.com-Emails zum zuständigen Emailserver für example.de weitergeleitet. Der user part bleibt unverändert.

=== Transports ===
Transports sind die Art und Weise, wie eine eingehende Mail behandelt wird, z.B. lokal in eine Datei speichern, an einen imap-Server weiterreichen oder ein Script ausführen.

Hier ein Beispiel: 
Wenn auf eine bestimmte Adresse geschickt wird, soll ein Script ausgeführt werden, das dem Absender einen Zufallsspruch zurücksendet '''und''' die Mail gleichzeitig in ein Postfach einliefert.
Schritte:

1. Alias definieren (virtual_maps):

fortune@example.de fortune

2. Alias auf einen Transport mappen (transports):

fortune@example.de randomphrase:

3. Transport definieren (master.cf):

<pre>
randomphrase unix - n n - - pipe
flags=h user=vmail:vmail argv=/usr/local/bin/randomphrase.pl ${sender}
</pre>

(Den User vmail muss es natürlich in der passwd geben, z.B. so:
vmail:x:4000:4000::/home/vmail:/user/sbin/nologin
)

4. Script hinterlegen:
/usr/local/bin/randomphrase.pl
für alle ausführbar machen

Mit dem Script [[ randomphrase.pl ]] wird ein Zufallsspruch erzeugt. Dafür muss das Paket ''fortune-mod'' installiert sein.
Zum Weiterschicken der Email wird das Script /usr/local/bin/deliver_mail.sh aufgerufen. ([[File:Deliver_mail.sh]])
 Hierfür muss der User vmail in der Datei ''/etc/sudoers.d/vmail'' berechtigt werden:
vmail ALL=(root) NOPASSWD: /usr/local/bin/deliver_mail

Eine Email an die Adresse fortune@example.de erzeugt nun eine Antwort an die Absenderadresse mit einem Zufallsspruch.

== Multidomain ==

Natürlich kann Postfix auch Emails für mehrere Domains annehmen. Dafür gibt es den Parameter „virtual_mailbox_domains“:

virtual_mailbox_domains = example.de example.com ihr-koennt-mich-alle.de
Die Variable $mydomain sollte dann aus mydestination entfernt werden.

== Special DNS Records ==
=== SPF (Sender Policy Framework) ===
Mit einem RR-Type TXT kann man eine Liste von Emailservern definieren, die als Absender die Emaildomain verwenden dürfen. Generiert jemand eine Fakeemail von einem anderen System aus, kann diese abgewiesen werden.

Beispiel für einen DNS TXT Record:
IN TXT "v=spf1 mx:example.de a:foo.example.de ip4:8.15.47.11/32 ip6:2008:15:5:47::11/48 ip6:2008:15:5:47::12/48 -all"

Howto: 
https://dmarcian.com/create-spf-record/ 
http://www.open-spf.org/SPF_Record_Syntax/

SPF in Postfix integrieren:

Nun ist die Domain vor Missbrauch vor Fakeeemails geschützt. Jetzt gibt es aber noch die andere Seite zu beachten. Postfix soll ebenfalls die SPF-Records anderer Emaildomains prüfen und die Email ggf ablehnen.
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Hier in Kürze zusammengefasst, was es zu beachten gibt:
# apt install postfix-policyd-spf-python
Die Config-Datei ''/etc/postfix-policyd-spf-python/policyd-spf.conf'' liefert bereits brauchbare Defaults, optional kann man noch eine Whitelist ergänzen z.B.

Domain_Whitelist = example.com
In der master.cf ergänzen:
<pre>
policyd-spf unix - n n - - spawn
user=policyd-spf argv=/usr/bin/policyd-spf
</pre>

In der main.cf ergänzen:
smtpd_recipient_restrictions =
(...)
check_policy_service unix:private/policyd-spf
(…)
'''Achtung:''' Wenn es schon einen check_policy_service Eintrag gibt, '''keinesfalls''' einen weiteren Eintrag anhängen, sondern eine neue Zeile aufmachen!
policy-spf_time_limit = 3600s

# postfix reload

Ein paar Testemails einkippen und mail.log gucken.

=== DMARC (Domain based Message Authentication, Reporting and Conformance) ===
https://dmarcian.com/dmarc-record/

Beispiel für einen DNS TXT Record:
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:postmaster@example.de"

In dem Fall werden verdächtige Emails in einen Quarantäne-Ordner verschoben und ein Report an den postmaster versandt.
Für die Integration in Postfix gibt es das Paket opendmarc.
Implementierung von SPF, DKIM und DMARC in Postfix:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
(untested)

== Nützliche Commands ==
Erzeugen eines database files aus einer Textdatei:
postmap <filename>
Alle Configparameter anzeigen:
postconf
Konfigprüfung:
postfix check
Mailqueue anschauen:
mailq
Alle Messages in der Queue ausliefern:
postqueue -f
Nur eine bestimmte Message ausliefern:
postqueue -i <ID>
Message löschen:
postsuper -d <ID>
Alle Messages löschen (!):
postsuper -d ALL
Inhalt einer Message anschauen:
postcat -vq <ID>

== Logfile ==

Geloggt wird nach ''/var/log/mail.log'' (alles) bzw. Errors nach ''/var/log/mail.err'' und Warnings nach ''/var/log/mail.warn''.
 Protipp: Alias anlegen:
maillog='tail -f /var/log/mail.log'

== Greylisting und Antispam ==

Zur Bekämpfung der Spamflut gibt es das praktische Programm '''„Postgrey“'''. Unter Debian kann dieses als Paket installiert werden. Dieses wird in die main.cf im Abschnitt smtpd_recipient_restrictions eingebunden.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
'''reject_non_fqdn_sender'''
'''reject_non_fqdn_recipient'''
'''reject_rbl_client bl.spamcop.net'''
'''check_policy_service inet:127.0.0.1:10023'''

(Die Blacklist ''dnsbl.sorbs.net'' wurde hier außen vor gelassen, da diese so ziemlich alles blockt, z.B. alle yahoo- oder gmx-Adressen.)
Damit das funktioniert, muss natürlich noch Postgrey selbst an den Start gebracht werden.
Hierfür wird die Datei ''/etc/default/postgrey'' bearbeitet. Hier ein Beispiel:
POSTGREY_OPTS="--inet=10023 --auto-whitelist-clients=8
POSTGREY_TEXT="Busy. Come back in 5 minutes."

Der Service lauscht also auf Port 10023. Im obigen Beispiel wird ein Absender beim 8. erfolgreichen Zustellversuch automatisch gewhitelistet (optionaler Parameter ''--auto-whitelist-clients'', evtl. Zahl erhöhen oder Parameter ganz weglassen).

Anschließend wechselt man ins Verzeichnis ''/etc/postgrey''. Dort gibt es 2 Whitelistings. Die Absender stehen in '''whitelist_clients'''. Dort stehen bereits IPs und Domains diverser Provider. Man kann dort selbst Einträge hinzufügen (z.B. example.ch).

In der Datei '''whitelist_recipients''' kann man alle Empfänger der eigenen Domain eintragen, die auf jeden Fall immer Emails bekommen sollen. z.B. postmaster@, abuse@. 
Beachte: '''Die Dateien müssen explizit eingesourcet werden''', passiert nicht automatisch. Das macht man mit den POSTGREY_OPTS:
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients"

Nach getaner Anpassung, den postgrey-Service (neu)starten.
# service postgrey restart
Überprüfen, ob der Dienst läuft z.B. mit:
# lsof -i :10023
Anschließend Postfix reloaden
# postfix reload
und die Mailbox(en) beobachten, hinsichtlich Spamaufkommen.

''(Quelle: Artikel „Postzusteller“, Admin-Magazin, Ausgabe 03-2013)''

= Dovecot =

Open Source IMAP-Server zum Einliefern der Emails in Postfächer mittels POP3 oder IMAP bzw. IMAPs. Im folgenden wird nur auf IMAPs eingegangen.

== Installation ==

Es empfiehlt sich, den Dovecot auf demselben System zu installieren wie Postfix. Andere Fälle werden hier nicht berücksichtigt.

Installation des imapd mittels
# apt install dovecot-imapd

Dies reicht für alle Grundfunktionen der Emailauslieferung. Für erweiterte Optionen wie z.B. Filterfunktion können weiter dovecot-Pakete wie '''dovecot-antispam, dovecot-sieve''' installiert werden.

User (i.d.F. ''vmail'') als Owner für die Mailboxen anlegen:

useradd -u 4000 -m -d /home/vmail -s /user/sbin/nologin vmail

== Konfiguration ==

Configdateien in ''/etc/dovecot/conf.d'' anpassen.
Die Datei ''/etc/dovecot/dovecot.conf'' inkludiert per Default alle Dateien unter conf.d/*.conf.

=== Usermanagement ===

Hier ein Beispiel, wo User in einer separaten Datei abgelegt werden.

''10-auth.conf:''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login
!include auth-master.conf.ext
</pre>
Wenn kein auth über pam:
#!include auth-system.conf.ext

Plaintext Auth kann man erlauben, weil die User-Passwörter als gehashter String übertragen werden. Für die Kommunikation zwischen Postfix und Dovecot spielt das ohnehin keine Rolle, da sich beide Dienste auf einem Server befinden. Der Zugriff von einem MUA aus wird über TLS/SSL erfolgen (s.u.).

master user anlegen (optional):
<pre>
doveadm pw -p supergeheim -s SHA512-CRYPT -u administrator@example.de
</pre>
Den Output zusammen mit dem Usernamen in die Datei master-users pasten.
<pre>
cat ../master-users
administrator@example.de:{SHA256-CRYPT}$5$9zrt7/e2CDkPmSuA$SNEkm/L4XZcYFAbYkJp5ESl9u35fVBSd4ukO0dm5yp3
</pre>

Sonstige User anlegen:
<pre>
doveadm pw -p strenggeheim -s SHA512-CRYPT -u sunflower@example.de
</pre>
→ /etc/dovecot/users:
<pre>
sunflower:{SHA256-CRYPT}$5$D3PhhtqUhRXT7cmZ$E5244BpvNafb.9FtbhF9AUfbvw8XpnOJhPyM/q/rRN2:::Sun Flo,,,:/var/mail/example.de/sunflower:/bin/false
</pre>
Hier sollten keine Abkürzungen wie ''%d'' oder ''%n'' stehen, weil diese nicht (von sieve, s.u.) bzw. nur teilweise (von dovecot) interpretiert werden.

Damit der Account auch Email bekomemn kann, ergänzt man die virtual table im Postfix directory:
cat sunflower@example.de example.de/spambucket >> /etc/postfix/virtual
Aktivieren mit
postmap virtual
postfix reload

=== Dateirechte ===

Die Files master-users, users sollten nur von dovecot gelesen werden können!
<pre>
# chgrp dovecot /etc/dovecot/*users
# chmod o-r /etc/dovecot/*users
</pre>
Mailbox anlegen und User berechtigen:
<pre>
# maildirmake.dovecot /var/mail/<domain>/<username>
# chown -R vmail.vmail /var/mail/<domain>/<username>
</pre>

User im Postfix anlegen, in den virtual maps, s. o.

Kontrolle:
<pre>
# doveadm user <username>
</pre>

=== IMAP konfigurieren ===
Protipp: erstmal conf.d wegsichern:
<pre>
rsync -av /etc/doveconf/conf.d /etc/doveconf/conf.d.orig
</pre>
Folgende Konfigurationsdateien in conf.d entsprechend anpassen:
* '''10-auth.conf'''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login

!include auth-master.conf.ext
!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
</pre>
* '''10-mail.conf'''
<pre>
mail_location = maildir:/var/mail/%d/%n
namespace inbox {
inbox = yes
}
mail_uid = 4000
mail_gid = 4000
mail_privileged_group = mail
</pre>
* '''10-master.conf'''
<pre>
service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
}
}
service auth {
unix_listener auth-userdb {
 user = vmail
 group = vmail
}
unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
}
}
service stats {
unix_listener stats-reader {
 user = vmail
 group = vmail
 mode = 0660
 }

unix_listener stats-writer {
 user = vmail
 group = vmail
 mode = 0660
 }
}
</pre>
* '''10-ssl.conf'''
<pre>
# (z.B. Postfix certs verwenden)
ssl = yes
ssl_cert = </etc/ssl/certs/mx.example.de.crt
ssl_key = </etc/ssl/private/mx.example.de.key
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
</pre>

Zertifikate generieren: s. https://wiki.nomorebluescreen.de/index.php?title=Webserver_mit_Apache#Alternative_letsencrypt

'''Spoiler:''' 
Jedes Mal, wenn das Zertifikat ausgetauscht wird, muss der dovecot-Service neu gestartet werden, damit das neue Zertifikat auch eingelesen wird.

'''Überprüfen, welche Dateien angefasst wurden:'''
<pre>
diff -quw conf.d.orig conf.d
Files conf.d.orig/10-ssl.conf and conf.d/10-ssl.conf differ
Files conf.d.orig/15-lda.conf and conf.d/15-lda.conf differ
Files conf.d.orig/20-imap.conf and conf.d/20-imap.conf differ
Files conf.d.orig/20-managesieve.conf and conf.d/20-managesieve.conf differ
Files conf.d.orig/90-sieve.conf and conf.d/90-sieve.conf differ
Files conf.d.orig/auth-passwdfile.conf.ext and conf.d/auth-passwdfile.conf.ext differ
</pre>

'''Ausgabe der gesamten Config'''

# doveconf -n

==== Sieve ====
Engine zum Filtern von Emails

dovecot-sieve und dovecot-managesieved installieren

'''15-lda.conf:'''
<pre>
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins sieve
}
</pre>

'''20-managesieve.conf:'''
<pre>
protocols = $protocols sieve
</pre>

'''90-sieve.conf:'''
<pre>
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global_dir = /var/lib/dovecot/sieve
}
</pre>
Kontrolle, ob der sieve-Service läuft und auf Port 4190 lauscht.
<pre>
# service dovecot restart
# ss -plnt | grep 4190
</pre>
Da der User i.a. nicht direkt auf dem Emailserver sein /home mit den Sieve-Regeln editieren kann, erfolgt die weitere Konfiguration im Email-Client (s.u.).

Achtung Bug: 
Da sieve/dovecot die Variable %n in der users-Datei nicht interpretiert, sollte man diese dort nicht verwenden. Somit kann es passieren, dass von roundcube ein Verzeichnis ''%n'' angelegt wird, in dem sich eine gemeinsame sieve config für '''alle''' User befindet.

=== Transport von Postfix zu Dovecot ===

Dem Postfix muss noch beigebracht werden, dass die Emails zum Dovecot gehen. 
'''master.cf''' im Postfix anpassen (die Einträge in den {} gehören so, nicht ersetzen!):
<pre>
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail
argv=/usr/lib/dovecot/deliver -a ${recipient} -f ${sender} -d $
{user} @${nexthop} -m ${extension}
</pre>
und einen mailbox_command Eintrag in der main.cf vornehmen:
<pre>
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
</pre>
(https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_postfix/#howto-dovecot-lda-postfix)

Danach noch postfix und dovecot service restarten.

== Logging ==

Logfiles gehen ebenfalls (wie postfix) nach /var/log/mail.log 
Nützlicher Alias:
<pre>
maillog='tail -f /var/log/maillog'
</pre>

Debugging einschalten:
mail_debug = yes
in der Datei
''10-logging.conf''.

'''Protipp:'''
Wenn im Log folgender Fehler erscheint:

Mar 27 08:03:56 aphantopus postfix/pipe[2317]: 521066005D: to=<sunflower@example.de>, relay=dovecot, delay=0.3, delays=0.19/0.04/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service (lda(sunflower@example.de,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied))

=> In der ''10-master.conf'' '''stats''' für User vmail erlauben (s.o.)

= Roundcube =

Praktisches Webfrontend zum Abholen und Verschicken von Emails

Erst mysql-server installieren, sonst bricht die Installation mit einem Fehler ab
# apt install mariadb-server roundcube
Die dbconfig-common Frage mit „yes“ beantworten, mysql-Passwort setzen.
Config Datei anpassen (''/etc/roundcube/config.inc.php''):
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

== Plugins ==

Standard-Plugings installieren
# apt install roundcube-plugins

Weitere Plugins installieren:
# apt install roundcube-plugins-extra git curl composer
(composer braucht man für die Installation von Plugins, git, weil die meisten aus github kommen) 
Die, die man haben will, in der Datei ''/etc/roundcube/config.inc.php'' enablen

$config['plugins'] = array(
 'compose-addressbook',
'markasjunk2',
 'fail2ban'
);

Übersicht über die offiziellen Plugins:

https://plugins.roundcube.net/

Plugins, die es nicht als Paket gibt: 
Schritte: 
* README lesen
* Plugin als zip herunterladen, nach ''/usr/share/roundcube/plugins'' entpacken
* (evtl. umbenennen)
* ''/etc/roundcube/config.inc.php'' bearbeiten:
Abschnitt
$config['plugins'] = array(
suchen und fehlendes Plugin ergänzen

== Filter Plugin for Sieve ==

Achtung, nicht das Plugin „filter“ verwenden, sondern '''managesieve''' (ist Bestandteil des roundcube-plugins Paketes)

Eine Anleitung gibt es hier: 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-code-in-roundcube/
 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-in-roundcube/


Anmerkung: Den protocols Parameter nicht in der dovecot.conf editieren, sondern in
''20-managesieve.conf'' (s.o.):

protocols = $protocols sieve

Nun kann man über das Webfrontend Sieve-Filterregeln generieren

Achtung Bug: 
Sieve legt ein sieve-Verzeichnis unter dem Verzeichnis an, das in mail_location definiert ist. Wenn man die emails der User unter ''/var/mail/<domain>/<username>'' ablegen möchte, wird man folgendes konfigurieren:

mail_location = maildir:/var/mail/%d/%n

Da dovecot aber %d nicht interpretiert (s.o.), liegt das User maildirectory unter /var/mail/<username>. Sieve interpretiert dagegen %n nicht und legt ein Directory /var/mail/<domain>/%n/sieve an, unter der die roundcube.sieve Datei liegt. Somit greifen alle User auf dieselbe Datei zu, was technisch möglich, securitytechnisch aber fatal ist. Leider keine gute Idee zur Abhilfe bekannt.

== Passwort ändern ==
Um den Usern die Möglichkeit zu geben, ihr Passwort selbst zu ändern, wird in der ''config.inc.php'' das Plugin enabled:

<pre>
$config['plugins'] = array(
(...)
'password'
);
</pre>

Weitere Einstellungen, wenn die User in einem Passwortfile gepflegt werden wie im Kapitel '''Dovecot''' beschrieben: 
(wir gehen davon aus, dass die Userpasswörter mit sha512 verschlüsselt werden, s.o.)

# https://stackoverflow.com/questions/62655236/how-to-enable-password-plugin-on-roundcube
$config['password_algorithm'] = 'ssha512';
$config['password_algorithm_prefix'] = '{SSHA512}';
$config['password_driver'] = 'dovecot_passwdfile';
$config['password_dovecot_passwdfile_path'] = '/etc/dovecot/users';

Die users Datei vom dovecot muss dann entsprechend für www-data les- und schreibbar sein:
-rw-rw---- 1 dovecot www-data 1240 Dec 2 23:20 /etc/dovecot/users

(Achtung, riskant bei eventueller Kompromittierung des Webservers! Als Alternative überlegen, die dovecot-Passwörter in eine [mysql-]DB auszulagern)

== Identities ändern ==

Normalerweise kann ein User nur mit seiner Absenderadresse senden. Das ist eine sinnvolle Einstellung, aber wer das Feature zu Testzwecken abschalten will, kann folgende Einstellung vornehmen:
$config['identities_level'] = 0;
Nun kann der User über "Einstellungen" weitere Absender hinzufügen (https://www.servercake.blog/multiple-identities-roundcube/)

(Leider bisher keine Möglichkeit gefunden, dies nur auf (einen) bestimmte(n) User einzuschränken)

== Apache Integration ==

Hier eine Beispielkonfiguration für einen Virtual Host, um die Roundcube-Seite unter https://mail.example.de zu erreichen.
Weiteres im Kapitel [[Webserver mit Apache|apache]]
<pre>
<VirtualHost *:443>
ServerName mail.example.de
ServerAdmin postmaster@example.de

SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.example.de/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.example.de/privkey.pem

DocumentRoot /usr/share/roundcube

# Includes
Include /etc/apache2/conf-available/ssl-encryption.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog /var/log/apache2/mail-ssl.log combined
ErrorLog /var/log/apache2/mail-ssl-error.log
</VirtualHost>
</pre>

Das roundcube-Paket bringt zudem noch eine roundcube.conf mit, die unter /etc/apache2/conf-available/roundcube.conf installiert und aktiviert wird.

=== PHP ===
Damit der Roundcube überhaupt läuft, muss das php Plugin installiert und aktiviert sein. Passiert unter Debian mittels:
# apt install libapache2-mod-php

Etwas performanter ist die Verwendung von '''php-fpm''' (https://www.zend.com/blog/apache-phpfpm-modphp).
# apt install php-fpm

Der default Upload bei PHP sind dürftige 2 MB. Um diesen z.B. auf 50MB raufzudrehen, muss folgende Datei angefasst werden:
<pre>VERSION=$(php -v| head -n 1 | awk '{ print $2 }' | sed -e 's|.[[:digit:]]*$||')</pre>
* modphp:
/etc/php/${VERSION}/apache2/php.ini
upload_max_filesize = 50M
* php-fpm:
/etc/php/${VERSION}/fpm/php.ini
upload_max_filesize = 50M

= Integration in einen MUA =
Wer nicht über den (langsamen) Webmailer gehen will, kann natürlich auch einen MUA seiner Wahl verwenden. Hier ein Beispiel.

== Thunderbird==

Einstellungen für Outgoing Server (SMTP)
<pre>
Servername: FQDN des Email-Servers
Port: 25
Connection Security: STARTTLS
Authentication Method: Normal Password
Username: Name des Mailbox-Users
</pre>

Beim 1. Mal wird man nach seinem Mailbox-Passwort gefragt. Dieses eingeben und speichern.

Server Settings (IMAP)
<pre>
Server Type: IMAP Mail Server
Server Name: FQDN des Email-Servers
Port: 993
Username: Name des Mailbox-Users
Connection Security: SSL/TLS
Authentication Method: Normal Password
(Die restlichen Defaults so belassen oder bei Bedarf anpassen)
</pre>

[[File:Screenshot thunderbird1.png|900px]]
[[File:Screenshot thunderbird2.png|900px]]

Webserver mit Apache

2026-03-10T21:23:34Z

Sunflower: /* php einbinden */

Einer der häufigsten genutzten Webserver ist [https://httpd.apache.org Apache]. Abgesehen davon, dass man bereits mit der Standardkonfiguration relativ schnell zu einer einfachen Website kommt, bringt er den Vorteil, dass viele Module bereits eingebunden oder schnell nachzuinstallieren sind (z.B. libapache2.php). Zudem werden regelmäßig Updates gegen mögliche Exploits auf diesen weit verbreiteten Webdienst geliefert, also Versionsstand aktuell halten!
Zum Entstehungszeitpunkt dieses Dokuments war die aktuellste Version der apache2. Wir verlassen uns aber nicht auf diese Aussage, sondern prüfen den Versionsstand selbst nach mit
# apt search apache
Danach installieren wir die aktuellste Version:
# apt install apache2
Nach der Installation läuft der Dienst auch schon. Überprüfung mit
# service apache2 status

==Konfigurationsdateien==
Diese befinden sich im Verzeichnis /etc/apache2. Die wichtigste Datei ist die apache2.conf. Diese verweist auf weitere Dateien und Unterverzeichnisse. 
In einem Standard /etc/apache2-Verzeichnis wird man folgende Dateien und Ordner vorfinden:


apache2.conf 
conf-enabled 
magic 
mods-enabled 
sites-available 
conf-available 
envvars 
mods-available 
ports.conf 
sites-enabled


Dies ist die Verzeichnisstruktur für Debian. Andere Distributionen können sich anders verhalten, z.B. werden unter CentOS keine sites-available/sites-enabled verwendet.
Wie gesagt, handelt es sich bei der ''apache2.conf'' um die Hauptkonfigurationsdatei. Diese nur mit Vorsicht anfassen, weil Gefahr besteht, dass die Änderungen mit dem nächsten Update überschrieben werden.

Die eigentliche Konfigurationsdateien befinden sich in ''sites-available'' bzw. ''conf-available''. Meistens wird ''sites-available'' für Virtualhosts (s.u.) benützt und ''conf-available'' für Konfig, die für bestimmte Services gelten soll. Hier speichern i.d.R. auch webservice-related Software-Pakete ihre Konfig (z.B. Nagios oder Mediawiki).
Die Dateien, die hier abgelegt werden, sind aber noch nicht aktiv. Dies passiert per Symlink in den Verzeichnissen ''conf-enabled'' und ''sites-enabled''. '''Darauf achten, dass die Symlinks immer mit .conf enden !'''

== Module ==

Module sind kleine Codestücke oder Konfigschnipsel, die die Funktionalität des Webservers erweitern. Es gibt z.B. welche für andere Scriptsprachen (php, cgi), für Verschlüsselung, Authentifizierung u.v.m.
Im Verzeichnis ''mods-available'' sind bereits einige Standardmodule abgelegt. Diese lassen sich durch einen Symlink im ''mods-enabled'' Verzeichnis aktivieren oder durch das a2enmod Kommando, z.B.
# a2enmod ssl

==Wohin mit den Webseiten==
Der Standardordner für Webseiten ist das Verzeichnis /var/www/. Wer weitere/andere Verzeichnisse festlegen will, kann das in der Datei sites-available/<filename> im Abschnitt '''DocumentRoot''' tun.

Falls der Index nicht automatisch geladen werden sollte, lässt sich das mittels Option "DirectoryIndex" bewirken, z.B.
DirectoryIndex index.php
oder
DirectoryIndex index.html

Neustart des Apache nach Konfigurationsänderungen erfolgt mittels
# systemctl reload apache2

==Virtual Hosting==
Mal angenommen, ihr entschließt euch, mehrere Domains auf einem Webserver zu hosten. Dafür gibt es die Virtual-Host-Einträge in der Datei sites-available/<domain>.conf (Im Grunde kann die Datei heißen wie sie will, aber der Übersicht halber wird man domainnamen vergeben). In unserem Fall wollen wir 2 Domains hosten, example.de unter /var/www/example und nomorebluescreen.com unter /var/www/nmbs. Zu diesem Zweck werden unter /etc/apache2/sites-available 2 Dateien angelegt, z.B. example.conf und nmbs.conf.

1. Datei:

<VirtualHost *:80>
ServerName www.example.de
ServerAlias ...
ServerAdmin webmaster@example.de
(...)
</VirtualHost>

2. Datei:

<VirtualHost *:80>
ServerName www.nomorebluescreen.com
(...)
</Virtual Host>

Sollte es für eine Domain einen IP-Eintrag, aber noch keine config-Datei geben, wird beim Aufruf der Seite per default die Domain genommen, die im Alphabet als 1. kommt. 
Um die Änderung wirksam zu machen, müssen diese Seiten noch nach sites-enabled verlinkt sein. Hierbei darauf achten, dass die Dateiendung .conf ist, sonst wird die Datei ignoriert.

Die entsprechenden Namen müssen natürlich im DNS (oder zu Testzwecken auch in der /etc/hosts) hinterlegt sein!

==Test==
Standardeinstellungen: Ein Connect mit dem Browser auf die IP des Webservers sollte die eingestellte Indexseite oder den Apache-Default „It works!“ zeigen.
Virtual Hosting: Nach Eingabe der unterschiedlichen Servernamen sollten die entsprechenden Webseiten zu sehen sein.

Ein einfacher Configcheck geht mit
apache2ctl -t
Hier sollte "Syntax OK" zurückkommen.

==Logfiles==
Diese befinden sich im Verzeichnis /var/log/apache2

Mit der Direktive
CustomLog
bzw.
ErrorLog
in der entsprechenden Konfigdatei kann (auch für VirtualHosts getrennt) der Pfad zur Logdatei angegeben werden.

Es gibt die Möglichkeit, die geloggten Parameter selbst zu definieren: https://httpd.apache.org/docs/2.4/logs.html#accesslog

Hier ein paar Beispiele, wie man in den Logfiles suchen kann:

<pre>
request per hour
cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

request per hour by date
grep "23/Jan" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

request per hour by IP
grep "XX.XX.XX.XX" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":00"}' | sort -n | uniq -c

requests per minute:
cat access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

requests per minute for date:
grep "02/Nov/2017" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

requests per minute for url:
grep "[url]" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

per IP per minute
grep "XX.XX.XX.XX" access.log | cut -d[ -f2 | cut -d] -f1 | awk -F: '{print $2":"$3}' | sort -nk1 -nk2 | uniq -c

</pre>

s.a. http://www.inmotionhosting.com/support/website/server-usage/view-level-of-traffic-with-apache-access-log

==php einbinden==
Dies ist zumindest unter Debian sehr trivial, weil nur das Paket php und das entsprechende Modul installiert werden muss.

Mit
# aptitude search php
informieren wir uns über die aktuelle Version. Mit "aptitude install php<version>" wird diese installiert.

Um den apache php-fähig zu bekommen, muss außerdem das php-Modul installiert werden (wird u.U. schon bei der apache-Installation mitgeliefert):
# aptitude install libapache2-mod-php

Kontrollieren, ob das Modul bereits geladen ist:
# ls /etc/apache2/mods-enabled/|grep php
Hier sollte (je nach Version) zu sehen sein:
php7.0.conf
php7.0.load

Wenn nicht, gibt es den Befehl '''a2enmod''', um Module zu installieren:
# a2enmod php7

Der Neustart des apache wird während der php-Installation übernommen.

Eine bessere Alternative ist das modernere '''php-fpm'''. Auch dieses kann als Paket installiert werden.
Achtung: php-fpm muss für jede Version extra aktiviert werden, e.g.:
# a2enconf php8.2-fpm
Danach muss der Webserver neu gestartet werden.

https://www.simplified.guide/apache/configure-php-fpm

Hier ein Beispiel für ein schlichtes Testscript:
<?php
phpinfo();
?>

Bei Ausführung desselben ist im Browser folgende Auflistung zu sehen

[[File:Phpinfo2.jpeg|500px|center|phpinfo]]

== Directory Listing erlauben ==
Wenn in einem Unterverzeichnis von DocumentRoot eine Index-Datei (index.html, index.php, ... ) fehlt, bekommt der Benutzer normalerweise eine Fehlermeldung

Forbidden
You don't have permission to access /images/ on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Wenn man stattdessen möchte, dass der Benutzer alle Dateien aufgelistet bekommt, muss man folgendes einrichten
<Directory /var/www/images>
Option +Indexes
</Directory>

Falls die Option auf alle Verzeichnisse zutreffen soll, die den String „images“ enthalten, macht man besser einen DirectoryMatch
<DirectoryMatch images>
Option +Indexes
</DirectoryMatch>

== Security ==
=== .htaccess und .htpasswd ===

Zum Passwortschutz einzelner Ordner bieten sich o.g. Dateien an. Die .htaccess beinhaltet, wer sich überhaupt wie anmelden darf, die .htpasswd beinhaltet die Passwörter

Beispiel für eine .htaccess:
AuthType basic
AuthName "Access limited"
AuthUserFile /var/www/download/.htpasswd
Require valid-user

Die .htpasswd wird mit folgendem Command erzeugt
htpasswd -c <dateiname> <username>
Dann erfolgt eine Eingabeaufforderung für das Passwort. Vorhandene User in einer htpasswd ändert man durch Weglassen der Option -c

Weitere nützliche Optionen:
<pre>
$ htpasswd -n <username>
</pre>
(erzeugt nur eine Ausgabe, die man irgendwohin pasten kann)
<pre>
$ htpasswd -B .htpasswd <username>
</pre>
Use bcrypt instead of md5. Sicherer Algorithmus.

Die .htaccess schützt automatisch auch alle Unterverzeichnisse durch ein Passwort. Wenn man das nicht will, muss man in seiner Config für jedes der Verzeichnisse eine Ausnahme generieren, z.B.

<DirectoryMatch "/fotos/fotoclub/example/images/">
Satisfy any
</DirectoryMatch>

=== DOS Attacken ===

Zum Abwehren von (D)DOS-Attacken gibt es das Modul '''mod-evasive'''.
Das zugehörige Paket heißt '''libapache2-mod-evasive'''. 
Protipp: Die Parameter ''DOSPageCount'' und ''DOSSiteCount'' nicht zu niedrig wählen, sonst blockt man möglicherweise auch normale Webrequests.

Configbeispiel: 
https://github.com/kdx99/apache-role/blob/main/vars/main.yaml 
(Abschnitt # mod_evasive)

Weiteres hier: 
* https://phoenixnap.com/kb/apache-mod-evasive
* https://www.howtogeek.com/devops/how-to-configure-mod_evasive-for-apache-ddos-protection/

=== Fail2ban ===
Zum Ausbremsen von Brute-Force-Angriffen hilft fail2ban, ein Tool, das zu häufige Fehlversuche beim Anmelden mit einer IP-Tables-Regel auf die zugehörige Source IP quittiert.

==== Beispiel ====

Erstmal das Paket „fail2ban" installieren, dann ins Verzeichnis /etc/fail2ban wechseln.

Die Optionen in der ''fail2ban.conf'' sind normal bereits auf sinnvolle Werte gesetzt. Gegebenenfalls lässt sich bei Problemen noch das Loglevel raufsetzen

loglevel = 4 # default=3
Achtung: nach dem Debuggen wieder auf default (=3) setzen. Die Logfiles werden sonst sehr schnell sehr groß! 
Nun kann man in der ''jail.conf'' die unterschiedlichen jails für die einzelnen Dienste einrichten. Für mache gibt es auch Subsections, z.B. für apache:

[apache-auth]

enabled = true
port = http,https
filter = apache-auth
logpath = %(apache_error_log)s
maxretry = 10
bantime = 5m

Bei den allgemeinen Optionen kann man Excludes für einzelne IPs oder Netze angeben
ignoreip = 127.0.0.1/8 192.168.99.0/24
Achtung: Als Trenner ein Space benutzen. Kommas o.ä. werden zwar akzeptiert, danach funktioniert aber die Banaction nicht.
Bei „banaction“ sollte im allgemeinen Teil „iptables-multiport" oder "nftables-multiport" eingestellt sein. Dienst neu starten, fertig.

Erfolgskontrolle 
n- mal falsch anmelden und „iptables -L -n -v“ ausführen (zum testen evtl. eine etwas kürzere bantime wählen)

Anmerkung: Seit bullseye ist per Default nicht mehr iptables, sondern nftables am Start. fail2ban schert sich da wenig drum, versucht iptables-Regeln zu generieren und wirft einen Fehler. 
Abhilfe: In der jail.conf alles, was mit ''iptables-'' zu tun hat, durch ''nftables-'' ersetzen, e.g. nftables-multiport, nftables-allports, nftables-multiport-log

Nach n Fehlversuchen, folgendes Kommando absetzen:
<pre>
# nft list table inet f2b-table
</pre>

==== Debugging ====
Bei Problemen kann man den Dienst auch im Vordergrund starten:
# fail2ban-server -f
und in einer anderen Shell
# fail2ban-client reload

===Verschlüsselte Webseiten===
Feind hört mit (Gerüchten zufolge zuweilen auch Freund). Also am besten nichts im Klartext übers Netz schicken. Verschlüsselt wird bei apache üblicherweise mit TLS, die Echtheit (Authentizität) der Webseite wird durch ein Zertifikat überprüft.
Wer geschäftlich eine Seite (Webshop o.ä.) betreibt, wird sein Zertifikat höchstwahrscheinlich durch eine offizielle Zertifizierungsstelle (Certificate Authority) signieren lassen. Privatanwender signieren u.U. selbst (nicht empfohlen).

==== Alternative Zertifikat selbst erzeugen ====
Von dieser Möglichkeit wird abgeraten, da es hier keine offizielle CA für das Zertifikat gibt, d.h. die Clients wissen nicht, ob die Website vertrauenswürdig ist. Hässliche Warnings sind die Folge bzw. im worst case wird die Seite gar nicht ausgeliefert. Besser eine offizielle CA verwenden (2 Alternativen gibt es weiter unten).

Schritte von der Zertifikatserstellung zur verschlüsselten Webseite:

1. Verzeichnis für Zertifikate anlegen
mkdir /etc/apache2/ssl/
2. Request, Key und gleichzeitig Zertifikat erstellen
openssl req -x509 -nodes -days 720 -newkey rsa:4096 -keyout /etc/apache2/ssl/www.example.de.key -out /etc/apache/ssl/www.example.de.crt

Darauf achten, dass bei FQDN unbedingt der Servername eingetragen wird, unter dem der Webserver erreichbar ist (i.d.R. identisch mit dem Wert für ServerName im apache)

==== Alternative Cert Request für offizielle CA erstellen ====
1. Key erstellen
openssl genrsa -out www.example.de.key 4096
2. Zertifikats-Request erstellen
openssl req -new -key www.example.de.key -out www.example.de.csr
3. Das .csr file an die Zertifizierungsstelle schicken 
in der Regel kommt z.B. ein File namens www.example.de.crt zurück 
4. Überprüfen des Zertifikats:
openssl x509 -in www.example.de.crt -text -noout

Alternativ bietet sich das im Paket openssl enthaltene Tool '''CA.pl''' an (hier nicht weiter ausgeführt, da ungetestet).

==== Konfguration des Webservers ====
Die folgende Schritte sind wieder identisch, unabhängig davon, wie das Zertifikat erzeugt wurde.

1. mod_ssl aktivieren
cd /etc/apache2/sites-enabled/
ln -s ../mods-available/ssl.conf
ln -s ../mods-available/ssl.load

2. Virtual-Host auf Port 443 einrichten 
<VirtualHost *:443>
ServerAdmin webmaster@example.de
ServerName www.example.de:443
ServerAlias mail.example.de:443
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.example.de.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.example.de.key
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite \ EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
</VirtualHost>

Letztere Parameter lassen nur sichere Protokolle (TLS>=2) und Cipher-Suites mit starker Verschlüsselung zu. 
Ein Beispiel für geeignete Cipher-Suites gibt es auf https://cipherlist.eu/.

3. Redirects 
Wer es nicht dem Zufall überlassen will, ob der Benutzer im Browser http:// oder https:// eingibt, kann eine automatische Weiterleitung zur verschlüsselten Seite einrichten:
a2enmod rewrite

Dann im VirtualHost:80-Abschnitt folgendes eintragen (z.B. wenn „download“ im URL-Name dann auf https umleiten)

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?download(.*) https://%{SERVER_NAME}/download/$1 [R,L]

=====Error=====

Sollten beim Erneuern Fehlermeldungen auftauchen aka
<console>
An unexpected error occurred:
OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_load_cert_crl_file', 'no certificate or crl found')]
Please see the logfiles in /var/log/letsencrypt for more details.
</console>
gibt es ein Problem mit den default ca-certificates. In dem Fall hilft ein:
<console>
># update-ca-certificates
</console>

====Alternative [https://letsencrypt.com/ letsencrypt]====

Hier sind keine openssl-Commands nötig. Man verwendet als Root CA letsencrypt. Geholt werden die Zertifikate über einen sogenannten „certbot“, der einmalig eingerichtet wird und dann als Cron weiterläuft.

# apt install python3-certbot-apache

Eine Art Manpage erhält man mit dem Command
# certbot (--help)

===== Initial Zertifikate erzeugen =====
<console>
# certbot --apache certonly
</console>
(interaktive Abfragen z.B. fqdn, evtl. config file)

Anschließend hat man im Verzeichnis /etc/letsencrypt haufenweise neue Dateien. Die eigentlichen Zertifikate findet man im Verzeichnis „live“.
* archive: Alte Zertifikate
* options-ssl-apache.conf: Configschnipsel
* accounts: private Key fürs Erzeugen der nonce (don't lose!)
Die Zertifikate, die automatisch erzeugt werden, landen im '''renewal''' Verzeichnis.

Die entstandenen Zertifikate können entweder ins entsprechende Verzeichnis (/etc/ssl/...) kopiert werden (dann muss man aber dafür sorgen, dass das ggf. automatisch passiert) oder man verwendet den direkten Pfad in der Konfig, z.B.:

SSLCertificateFile /etc/letsencrypt/live/mail.example.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.de/privkey.pem

Wobei fullchain.pem sowohl das Zwischenzertifikat als auch das eigentliche Zertifikat enthält. 
Natürlich lässt sich der Certbot auf alle Virtual Hosts anwenden.

In der Datei /etc/cron.d/certbot sollte sich der Cronjob befinden, der alle 12h prüft, ob ein Zertifikat < 30 Tage gültig ist und ggf. erneuert.

=====Manuell erneuern=====
<console>
# cerbot renew
</console>

==== Dehydrated ====
Eine Alternative zum certbot ist dehydrated. Hierfür braucht es einen offenen Port 80, den es bei einem Webserver i.a. gibt. Einfach das Paket '''dehydrated-apache2''' installieren. Danach den benötigten Hostname in die Datei domains.txt einfügen.
<pre>
# echo $HOSTNAME >> /etc/dehydrated/domains.txt
</pre>
Dort können auch mehrere Hostnames stehen.

Zertifikat generieren:
<pre>
# dehydrated --register --accept-terms
</pre>

<pre>
# dehydrated -c
</pre>

Die Zertifikate liegen dann im Verzeichnis /var/lib/dehydrated/

Auch hierfür wird per Default ein Cronjob angelegt.

=== Immer verschlüsseln ===

Wer immer von http auf https umleiten will, kann in seine Config folgendes eintragen:

RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]

Alternativ geht auch folgendes:
<IfModule mod_ssl.c>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}$1 [R,L]
</IfModule>
</IfModule>

Das waren die ersten Schritte mit Apache. Viel Spaß beim Konfigurieren und Probieren!

OpenShift Cheatsheet

2026-03-10T13:51:04Z

Sunflower:

Some helpful OpenShift commands which work (at least) since version >= 4.11

updated for version: 4.19

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Resources =
(in common)

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(--api-group='')
(in|without namespace)(openshift specific) (core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)
Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

= Nodes =

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Draining nodes ==
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary when you drain it s. below - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Machines =

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Machinesets ==

Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

== Delete and re-create machines/nodes ==
oc get machines -A | grep worker-<XY> | wc -l
-> MACHINECOUNT
oc annotate machine/<machine-name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
oc scale --replicas=<$MACHINECOUNT+1> machineset <machineset> n openshift-machine-api
oc scale --replicas=$MACHINECOUNT machineset <machineset> -n openshift-machine-api

= Projects/Namespaces =

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

= Registries =
* registry.access.redhat.com
* registry.redhat.io (with login only)
* quay.io
* docker.io

= Images =

Search Images by help of podman:
$ podman search <wordpress>

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
skopeo inspect --config docker://registry.redhat.io/rhel8/httpd-24

Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

== Create pod from image ==

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

= Apps =

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

= Deployments =

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

== Environment variables ==
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret (--prefix=MYSQL_)

== Restart deployment after change ==

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==
$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make deployment available from inside/outside ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Add probes ==
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

== Autoscale Pods ==
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

== Reduce/Upgrade cpu/mem requests ==
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

== Security ==
=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

= Pods =

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

= Jobs and Cronjobs =
== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

= Secrets =
== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

= Configmaps =
== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets (REVIEW!)
$ oc get egressips

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Changes with '''patch''' command =

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

== Examples ==
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

Emailserver mit Postfix und Dovecot

2026-02-22T21:28:22Z

Sunflower: /* Greylisting und Antispam */

= Postfix =

Postfix ist ein MTA (Mail Transfer Agent), der eine gute Alternative zu anderen gängigen MTAs (Sendmail, Exim) darstellt, da seine Konfiguration gut lesbar ist.
In unserem Beispiel soll der MTA mit einem IMAPd (Dovecot) verknüpft werden, so dass Benutzer eine Mailbox direkt auf dem System haben. Das Abholen der Mails erfolgt per IMAPs.

== Installation ==

Zunächst muss das Paket „postfix“ installiert werden.
Dabei sind noch ein paar Fragen zu beantworten: 
* '''Art des Servers: '''Internet Site 
* '''Root and postmaster mail recipient:''' ein Postfach eintragen, z.B.postmaster@example.de 
* '''Other destinations to accept mail for (blank for none):''' z.B. mail.example.de, localhost, $mydomain (kann man erstmal die defaults belassen)
* '''Force synchronous updates on mail queue:''' no'''
* '''Local subnets:''' 127.0.0.1/8, 192.168.63.0/24 (hier das eigene Netz ergänzen)
* '''Mailbox size limit:''' 0 (unbegrenzt)
* '''Local address extension character:''' + (i.a. als default ausreichend)
* '''Internet protocols to use:''' all (wenn man nicht explizit ipv4 oder ipv6 sprechen will)

Diese Einstellungen lassen sich jederzeit mit
<console>
# dpkg-reconfigure postfix</console>
ändern.

Alle relevanten Dateien befinden sich im Verzeichnis ''/etc/postfix''.

== Konfiguration ==

Bevor wir zur Postfixconfig kommen, überprüfen wir den Inhalt der Datei /etc/mailname:
<pre>
$ cat /etc/mailname
</pre>
Dort darf '''nur der Domainname''' stehen, nicht der Hostname (e.g. example.com). Andernfalls kann das Auswirkungen auf den Emailversand haben, v.a. wenn in der main.cf (s.u.) auf die Datei referenziert wird.

Die wichtigeste Datei zum Anpassen ist zunächst die '''main.cf'''. Hier ein Beispiel für den Server „mx“ in der Domain example.de. Folgende Parameter sollten konfiguriert sein (exemplarisch):
<pre>
myhostname
mydomain
myorigin
mydestination
</pre>

Meistens gibt es schon ein paar brauchbare defaults. Der Parameter ''mynetworks'' erlaubt es bestimmten Netzen, Emails ohne weitere Einschränkungen einzuliefern.

Beispielconfig:

<pre>
myhostname = mx01.example.de
mydomain = example.de
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.99.0/24 [2001:780:11b::/48] 214.94.24.154 [2004:780:8:0:5ff0:c5ff:fe09:98f9]
</pre>

Vor allem der Parameter '''mynetworks''' sollte mit Bedacht gewählt werden, denn dies sind alle Hosts und Netze, von denen jegliche Emails angenommen werden (auch von ''und'' nach Fremddomains). Fehlkonfigurationen führen hier schnell zum [https://practical365.com/what-is-an-open-relay OpenRelay].

'''Beachte:''' ipv6-Adressen müssen in [eckigen Klammern] geschrieben werden, sonst werden keine Emails ausgeliefert!
Fehler im Logfile:
<pre>
postfix/smtpd[21928]: warning: smtpd_client_event_limit_exceptions: 2a01:40f8:c013:5050::0/64: table lookup problem
</pre>

Nach jeder Änderung ist der Dienst zu reloaden mit dem Befehl
<console>
# postfix reload
</console>

Ob der Restart ordentlich funktioniert hat, kann man z.B. anhand des Logs überprüfen:
<console>
# tail /var/log/mail.log
</console>

=== master.cf ===
Das Kernstück des Postfixdaemons. Hier werden die Transports festgelegt
Bedeutung der Spalten:
* service-Feld: Name des Dienstes (smtp, local, procmail, ...) (str)
* typ-Feld: Verbindungstyp (inet, fifo, unix) (str)
* Zugriffsrecht: Zugriff auch für externe Programme (default: y) (bool)
* unpriv-Feld: Start als unprivilegierter Benutzer (default: y) oder root (n) (bool)
* chroot: Soll der Dienst in einer chroot-Umgebung gestartet werden (default: y) (bool)
* wakeup-Feld: Sekunden zwischen 2 Aufrufen (default: 0) (int)
* Prozessmaximum: Wie viele Prozesse maximal gleichzeitig (default: 50) (int)
Danach erfolgt ein Kommando mit Flags und Parametern (optional).

== TLS ==
Optional kann man mit Zertifikaten verschlüsselte Übertragung von Emails konfigurieren. das funktioniert aber nur dann, wenn der Mailserver der Gegenstelle das Zertifikat auch einbindet. Man kann das Zertifikat auch in einen Mailclient einbinden (s. später).
Die Zertifikatserzeugung kann mit mit [https://letsencrypt.org letsencrypt] erfolgen. Clients zur Zertifikatserzeugung sind [[Webserver_mit_Apache#Alternative_letsencrypt | certbot ]] oder [[Webserver_mit_Apache#Dehydrated | dehydrated]].

=== Zertifikatsgenerierung in Kürze ===
# echo $HOSTNAME > /etc/dehydrated/domains.txt
# dehydrated –register –accept-terms
# dehydrated -c

Dies setzt allerdings einen [[Webserver_mit_Apache | Webserver]] voraus, der auf Port 80 lauscht. Gibt es diesen nicht, kann mal alternativ letsencrypt via DNS verwenden (https://letsencrypt.org/docs/challenge-types).

=== Alternative eigene CA (nicht empfohlen) ===

Wer unbedingt eine eigene CA betreiben will, kann das mit folgender Anleitung tun. Achtung: Das Vorgehen sollte nur gewählt werden, wenn ein zwingender Grund dafür besteht. Viele Browser und MUAs haben Probleme damit, erzeugen hässliche Warnings oder lassen die Seite nicht zu.

==== CA erstellen ====
Wenn noch kein Zertifikat vorhanden ist, kann man sich selbst eines erstellen oder einen CSR (Certificate Signing Request) erstellen und diesen an eine offizielle CA schicken. Soll ein kommerziell genutzter Mailserver entstehen, ist dies der realistische Weg.

Achtung: Dieser Schritt wird nicht gebraucht, wenn es schon eine CA gibt.

Schritte: 
Key erstellen (+Passwort dafür vergeben), Zertifkatsrequest für die CA erstellen, CA erstellen

$ openssl genrsa -out ca.key -des3 4096

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuernberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.de
Organizational Unit Name (eg, section) []:Hostmaster
Common Name (e.g. server FQDN or YOUR name) []:*.example.de
Email Address []:postmaster@example.de

==== Zertifikat mit der neuen CA erstellen ====
Schritte:
• Key erstellen
• Request erstellen
• Zertifikat erstellen und signen

$ openssl genrsa -out mx.example.de.key 4096
(kein Passwort festlegen)

$ openssl req -new -key mx.example.de.key -out mx.example.de.csr
(wieder das Formular ausfüllen as usual)

$ openssl x509 -req -days 365 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mx.example.de.crt

Beim Erneuern des Zertifikats fallen die Schritte „Erstellen der CA“ und Erzeugen des Keys weg. Ferner muss man auch keine Serial mehr angeben.
Der Renew-Befehl lautet also folgendermaßen:
$ openssl x509 -req -days 730 -in mx.example.de.csr -CA ca.crt -CAkey ca.key -out mx.example.de.crt

=== Einbinden in die Config-Datei ===
Dieser Schritt gilt wieder für alle Zertifikate, egal wie sie erzeugt wurden. Die Pfade müssen natürlich entsprechend angepasst werden,

Zertifikate an die entsprechende Stelle kopieren und in der Konfig einbinden:

smtpd_tls_cert_file=/etc/ssl/certs/mx.example.de.crt
smtpd_tls_key_file=/etc/ssl/private/mx.example.de.key
smtpd_tls_CAfile=/etc/postfix/ca.crt
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:
${data_directory}/smtpd_cache
smtp_tls_session_cache_database = btree:
${data_directory}/smtp_scache

Der Parameter smtpd_tls_Cafile entfällt, wenn eine offizielle CA vorhanden ist (z.B. letsencrypt). 
Die Pfade zu den Zertifikaten können abweichen, bei letsencrypt liegen diese z.B. unter ''/var/lib/dehydrated/certs/''.
Überprüfung:
$ openssl s_client -connect mx.example.de:25 -starttls smtp
oder https://www.checktls.com/

Ergänzung:
Manche MTAs wollen ein Zertifikat in pfx-Form. Dieses kann man aus dem cert file wie folgt erzeugen:
$ openssl pkcs12 -export -out mx.example.de.pfx -inkey mx.example.de.key -in mx.example.de.crt
pfx-File und Passwort dem User zukommen lassen.

'''Spoiler:''' 
[[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]] „vergisst“ manchmal das neue Zertifikat und behält die alte Version, d.h. die meisten Mailclients spoolen dann keine neuen Emails mehr. In diesem Fall den Dovecot Service neu starten.

== SASL ==

Zur Vermeidung eines Open Relays ist dringend anzuraten, per default nur das Einliefern mit dem Absender @example.de von bestimmten Netzen zu erlauben. Dieses passiert mit dem Parameter ''mynetworks'' (s.o.).
Nun kann es natürlich passieren, dass Benutzer von einem Mailclient irgendwo im Internet Mails verschicken wollen. Diese wären laut Konfig nicht berechtigt. Da die meisten PCs mit dynamischen Adressen im Internet unterwegs sind, macht es hier auch keinen Sinn, die jeweilige IP-Adresse in der Konfig zu ergänzen. 
Das Problem kann umgangen werden, indem Emails versenden dann erlaubt wird, wenn sich der Benutzer einmal erfolgreich am IMAP-Server authentifiziert hat.
Hierfür gibt es SASL. Die entsprechenden Eintragungen in der main.cf sind:
smtpd_relay_restrictions = permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = private/auth

Im Mailclient äußert sich das Verhalten so, dass man beim ersten Senden einer Nachricht sein Mailbox-Passwort angeben muss.
Bevor dieses Feature aktiviert wird, muss es einen IMAP-Server geben (s. [[#Dovecot|nächstes Kapitel]] ).

== Maps ==

Um besser unterscheiden zu können, was mit welchen Absender-/Zieladressen passiert, wird die Konfiguration in sogenannte „Maps“ aufgeteilt. Diese können als Klartext-File oder als Berkley DB vorliegen. In letzterem Fall müssen diese mit dem Kommando '''postmap''' nach jeder Bearbeitung umgewandelt werden. 
Ausnahme: Die Datei /etc/aliases.db (nur relevant für lokale Emailauslieferung) wird mit dem Kommando '''postalias''' oder '''newaliases''' generiert.
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
Hier werden aliase eingerichtet, die auf eine andere Mailbox mappen. Beispiel:
postmaster: root

=== Access ===
smtpd_sender_restrictions = hash:/etc/postfix/access
Hier können für Aktionen für spezielle Absenderadressen eingerichtet werden. Beispiel:
example.com DISCARD

=== Relocated ===
relocated_maps = hash:/etc/postfix/relocated

Abweisen der Mail mit einem Hinweis. Beispiel:
testy.test "Mails bitte statt an diese Adresse an ich@hier.de senden"

Ergebnis:
<testy.test@example.de>: Recipient address rejected: User has
moved to "Mails bitte statt an diese Adresse an ich@hier.de
senden"

=== Canonical ===
==== Sender ====
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Bestimmte Adressen werden auf ein übliches Standardformat umgeschrieben:

sunflower@example.de petra.sonne@example.de
phun@work.de peter.hun@example.de

==== Recipient ====
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
Arbeitet genauso wie sender_canonical, nur für Empfängeradressen.

=== Virtual Mailbox ===
virtual_mailbox_maps = hash:/etc/postfix/virtual
Locations der Mailboxen des imap-Servers (näheres unter [[ Emailserver_mit_Postfix_und_Dovecot#Dovecot | Dovecot ]])

sunflower@example.de example.de/sunflower/
testy@example.de example.de/testy
test@example.de example.de/test
lmaa@ihr-koennt-mich-alle.de ihr-koennt-mich-alle.de/lmaa

=== Virtual Aliases ===
virtual_alias_maps = hash:/etc/postfix/virtual_maps

Adressen die auf andere Adressen umgebogen werden (ähnlich wie die aliases), kann auch domainübergreifend passieren.
So können mehrere Empfängeradressen in dieselbe Mailbox laufen.

anrufbeantworter@example.de sunflower@example.de,H.Hirsch@gmx.de,harry1999@yahoo.de
info@example.de sunflower@example.de
postmaster root
webmaster root
administrator root
root sunflower
fortune: fortune
Letzteres ist eine Pipe. Dazu später mehr.

Umwandeln von Text in DB-File und in Postfix einlesen:
postmap <aliases|access|canonical|...>
postfix reload

=== Einfaches Beispiel: Emails von einer Domain auf eine andere weiterleiten ===
Nehmen wir an, wir haben einen Emailserver1 in der Domain example.com. Dieser soll alle Email die an <userXY>@example.com eintreffen, an <userXY>@example.de weiterleiten. Auch hier ist eine Eintrag in der o.g. ''virtual_maps'' Datei nötig:
@example.com @example.de
Nun werden alle example.com-Emails zum zuständigen Emailserver für example.de weitergeleitet. Der user part bleibt unverändert.

=== Transports ===
Transports sind die Art und Weise, wie eine eingehende Mail behandelt wird, z.B. lokal in eine Datei speichern, an einen imap-Server weiterreichen oder ein Script ausführen.

Hier ein Beispiel: 
Wenn auf eine bestimmte Adresse geschickt wird, soll ein Script ausgeführt werden, das dem Absender einen Zufallsspruch zurücksendet '''und''' die Mail gleichzeitig in ein Postfach einliefert.
Schritte:

1. Alias definieren (virtual_maps):

fortune@example.de fortune

2. Alias auf einen Transport mappen (transports):

fortune@example.de randomphrase:

3. Transport definieren (master.cf):

<pre>
randomphrase unix - n n - - pipe
flags=h user=vmail:vmail argv=/usr/local/bin/randomphrase.pl ${sender}
</pre>

(Den User vmail muss es natürlich in der passwd geben, z.B. so:
vmail:x:4000:4000::/home/vmail:/user/sbin/nologin
)

4. Script hinterlegen:
/usr/local/bin/randomphrase.pl
für alle ausführbar machen

Mit dem Script [[ randomphrase.pl ]] wird ein Zufallsspruch erzeugt. Dafür muss das Paket ''fortune-mod'' installiert sein.
Zum Weiterschicken der Email wird das Script /usr/local/bin/deliver_mail.sh aufgerufen. ([[File:Deliver_mail.sh]])
 Hierfür muss der User vmail in der Datei ''/etc/sudoers.d/vmail'' berechtigt werden:
vmail ALL=(root) NOPASSWD: /usr/local/bin/deliver_mail

Eine Email an die Adresse fortune@example.de erzeugt nun eine Antwort an die Absenderadresse mit einem Zufallsspruch.

== Multidomain ==

Natürlich kann Postfix auch Emails für mehrere Domains annehmen. Dafür gibt es den Parameter „virtual_mailbox_domains“:

virtual_mailbox_domains = example.de example.com ihr-koennt-mich-alle.de
Die Variable $mydomain sollte dann aus mydestination entfernt werden.

== Special DNS Records ==
=== SPF (Sender Policy Framework) ===
Mit einem RR-Type TXT kann man eine Liste von Emailservern definieren, die als Absender die Emaildomain verwenden dürfen. Generiert jemand eine Fakeemail von einem anderen System aus, kann diese abgewiesen werden.

Beispiel für einen DNS TXT Record:
IN TXT "v=spf1 mx:example.de a:foo.example.de ip4:8.15.47.11/32 ip6:2008:15:5:47::11/48 ip6:2008:15:5:47::12/48 -all"

Howto: 
https://dmarcian.com/create-spf-record/ 
http://www.open-spf.org/SPF_Record_Syntax/

SPF in Postfix integrieren:

Nun ist die Domain vor Missbrauch vor Fakeeemails geschützt. Jetzt gibt es aber noch die andere Seite zu beachten. Postfix soll ebenfalls die SPF-Records anderer Emaildomains prüfen und die Email ggf ablehnen.
https://makeityourway.de/enabling-spf-sender-policy-framework-checking-on-postfix/

Hier in Kürze zusammengefasst, was es zu beachten gibt:
# apt install postfix-policyd-spf-python
Die Config-Datei ''/etc/postfix-policyd-spf-python/policyd-spf.conf'' liefert bereits brauchbare Defaults, optional kann man noch eine Whitelist ergänzen z.B.

Domain_Whitelist = example.com
In der master.cf ergänzen:
<pre>
policyd-spf unix - n n - - spawn
user=policyd-spf argv=/usr/bin/policyd-spf
</pre>

In der main.cf ergänzen:
smtpd_recipient_restrictions =
(...)
check_policy_service unix:private/policyd-spf
(…)
'''Achtung:''' Wenn es schon einen check_policy_service Eintrag gibt, '''keinesfalls''' einen weiteren Eintrag anhängen, sondern eine neue Zeile aufmachen!
policy-spf_time_limit = 3600s

# postfix reload

Ein paar Testemails einkippen und mail.log gucken.

=== DMARC (Domain based Message Authentication, Reporting and Conformance) ===
https://dmarcian.com/dmarc-record/

Beispiel für einen DNS TXT Record:
_dmarc IN TXT "v=DMARC1;p=quarantine;rua=mailto:postmaster@example.de"

In dem Fall werden verdächtige Emails in einen Quarantäne-Ordner verschoben und ein Report an den postmaster versandt.
Für die Integration in Postfix gibt es das Paket opendmarc.
Implementierung von SPF, DKIM und DMARC in Postfix:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
(untested)

== Nützliche Commands ==
Erzeugen eines database files aus einer Textdatei:
postmap <filename>
Alle Configparameter anzeigen:
postconf
Konfigprüfung:
postfix check
Mailqueue anschauen:
mailq
Alle Messages in der Queue ausliefern:
postqueue -f
Nur eine bestimmte Message ausliefern:
postqueue -i <ID>
Message löschen:
postsuper -d <ID>
Alle Messages löschen (!):
postsuper -d ALL
Inhalt einer Message anschauen:
postcat -vq <ID>

== Logfile ==

Geloggt wird nach ''/var/log/mail.log'' (alles) bzw. Errors nach ''/var/log/mail.err'' und Warnings nach ''/var/log/mail.warn''.
 Protipp: Alias anlegen:
maillog='tail -f /var/log/mail.log'

== Greylisting und Antispam ==

Zur Bekämpfung der Spamflut gibt es das praktische Programm '''„Postgrey“'''. Unter Debian kann dieses als Paket installiert werden. Dieses wird in die main.cf im Abschnitt smtpd_recipient_restrictions eingebunden.
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
permit_tls_clientcerts
reject_unauth_destination
'''reject_non_fqdn_sender'''
'''reject_non_fqdn_recipient'''
'''reject_rbl_client bl.spamcop.net'''
'''check_policy_service inet:127.0.0.1:10023'''

(Die Blacklist ''dnsbl.sorbs.net'' wurde hier außen vor gelassen, da diese so ziemlich alles blockt, z.B. alle yahoo- oder gmx-Adressen.)
Damit das funktioniert, muss natürlich noch Postgrey selbst an den Start gebracht werden.
Hierfür wird die Datei ''/etc/default/postgrey'' bearbeitet. Hier ein Beispiel:
POSTGREY_OPTS="--inet=10023 --auto-whitelist-clients=8
POSTGREY_TEXT="Busy. Come back in 5 minutes."

Der Service lauscht also auf Port 10023. Im obigen Beispiel wird ein Absender beim 8. erfolgreichen Zustellversuch automatisch gewhitelistet (optionaler Parameter ''--auto-whitelist-clients'', evtl. Zahl erhöhen oder Parameter ganz weglassen).

Anschließend wechselt man ins Verzeichnis ''/etc/postgrey''. Dort gibt es 2 Whitelistings. Die Absender stehen in '''whitelist_clients'''. Dort stehen bereits IPs und Domains diverser Provider. Man kann dort selbst Einträge hinzufügen (z.B. example.ch).

In der Datei '''whitelist_recipients''' kann man alle Empfänger der eigenen Domain eintragen, die auf jeden Fall immer Emails bekommen sollen. z.B. postmaster@, abuse@. 
Beachte: '''Die Dateien müssen explizit eingesourcet werden''', passiert nicht automatisch. Das macht man mit den POSTGREY_OPTS:
POSTGREY_OPTS="$POSTGREY_OPTS --whitelist-clients=whitelist_clients --whitelist-recipients=/etc/postgrey/whitelist_recipients"

Nach getaner Anpassung, den postgrey-Service (neu)starten.
# service postgrey restart
Überprüfen, ob der Dienst läuft z.B. mit:
# lsof -i :10023
Anschließend Postfix reloaden
# postfix reload
und die Mailbox(en) beobachten, hinsichtlich Spamaufkommen.

''(Quelle: Artikel „Postzusteller“, Admin-Magazin, Ausgabe 03-2013)''

= Dovecot =

Open Source IMAP-Server zum Einliefern der Emails in Postfächer mittels POP3 oder IMAP bzw. IMAPs. Im folgenden wird nur auf IMAPs eingegangen.

== Installation ==

Es empfiehlt sich, den Dovecot auf demselben System zu installieren wie Postfix. Andere Fälle werden hier nicht berücksichtigt.

Installation des imapd mittels
# apt install dovecot-imapd

Dies reicht für alle Grundfunktionen der Emailauslieferung. Für erweiterte Optionen wie z.B. Filterfunktion können weiter dovecot-Pakete wie '''dovecot-antispam, dovecot-sieve''' installiert werden.

User (i.d.F. ''vmail'') als Owner für die Mailboxen anlegen:

useradd -u 4000 -m -d /home/vmail -s /user/sbin/nologin vmail

== Konfiguration ==

Configdateien in ''/etc/dovecot/conf.d'' anpassen.
Die Datei ''/etc/dovecot/dovecot.conf'' inkludiert per Default alle Dateien unter conf.d/*.conf.

=== Usermanagement ===

Hier ein Beispiel, wo User in einer separaten Datei abgelegt werden.

''10-auth.conf:''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login
!include auth-master.conf.ext
</pre>
Wenn kein auth über pam:
#!include auth-system.conf.ext

Plaintext Auth kann man erlauben, weil die User-Passwörter als gehashter String übertragen werden. Für die Kommunikation zwischen Postfix und Dovecot spielt das ohnehin keine Rolle, da sich beide Dienste auf einem Server befinden. Der Zugriff von einem MUA aus wird über TLS/SSL erfolgen (s.u.).

master user anlegen (optional):
<pre>
doveadm pw -p supergeheim -s SHA512-CRYPT -u administrator@example.de
</pre>
Den Output zusammen mit dem Usernamen in die Datei master-users pasten.
<pre>
cat ../master-users
administrator@example.de:{SHA256-CRYPT}$5$9zrt7/e2CDkPmSuA$SNEkm/L4XZcYFAbYkJp5ESl9u35fVBSd4ukO0dm5yp3
</pre>

Sonstige User anlegen:
<pre>
doveadm pw -p strenggeheim -s SHA512-CRYPT -u sunflower@example.de
</pre>
→ /etc/dovecot/users:
<pre>
sunflower:{SHA256-CRYPT}$5$D3PhhtqUhRXT7cmZ$E5244BpvNafb.9FtbhF9AUfbvw8XpnOJhPyM/q/rRN2:::Sun Flo,,,:/var/mail/example.de/sunflower:/bin/false
</pre>
Hier sollten keine Abkürzungen wie ''%d'' oder ''%n'' stehen, weil diese nicht (von sieve, s.u.) bzw. nur teilweise (von dovecot) interpretiert werden.

Damit der Account auch Email bekomemn kann, ergänzt man die virtual table im Postfix directory:
cat sunflower@example.de example.de/spambucket >> /etc/postfix/virtual
Aktivieren mit
postmap virtual
postfix reload

=== Dateirechte ===

Die Files master-users, users sollten nur von dovecot gelesen werden können!
<pre>
# chgrp dovecot /etc/dovecot/*users
# chmod o-r /etc/dovecot/*users
</pre>
Mailbox anlegen und User berechtigen:
<pre>
# maildirmake.dovecot /var/mail/<username>
# chown -R vmail.vmail /var/mail/<username>
</pre>
Achtung, der Parameter %d wird nicht als Domain gelesen, sondern bleibt leer! 
=> mail_location = maildir:/var/mail/%d/%n 
bedeutet, dass die Emails in /var/mail/<username> liegen. D.h. die Postfächer müssen direkt unter /var/mail angelegt werden.

User im Postfix anlegen, in den virtual maps, s. o.

Kontrolle:
<pre>
# doveadm user <username>
</pre>

=== IMAP konfigurieren ===
Protipp: erstmal conf.d wegsichern:
<pre>
rsync -av /etc/doveconf/conf.d /etc/doveconf/conf.d.orig
</pre>
Folgende Konfigurationsdateien in conf.d entsprechend anpassen:
* '''10-auth.conf'''
<pre>
disable_plaintext_auth = no
auth_username_format = %n
auth_master_user_separator = *
auth_mechanisms = plain login

!include auth-master.conf.ext
!include auth-system.conf.ext
!include auth-passwdfile.conf.ext
</pre>
* '''10-mail.conf'''
<pre>
mail_location = maildir:/var/mail/%d/%n
namespace inbox {
inbox = yes
}
mail_uid = 4000
mail_gid = 4000
mail_privileged_group = mail
</pre>
* '''10-master.conf'''
<pre>
service imap-login {
 inet_listener imaps {
 port = 993
 ssl = yes
}
}
service auth {
unix_listener auth-userdb {
 user = vmail
 group = vmail
}
unix_listener /var/spool/postfix/private/auth {
 mode = 0666
 user = postfix
 group = postfix
}
}
service stats {
unix_listener stats-reader {
 user = vmail
 group = vmail
 mode = 0660
 }

unix_listener stats-writer {
 user = vmail
 group = vmail
 mode = 0660
 }
}
</pre>
* '''10-ssl.conf'''
<pre>
# (z.B. Postfix certs verwenden)
ssl = yes
ssl_cert = </etc/ssl/certs/mx.example.de.crt
ssl_key = </etc/ssl/private/mx.example.de.key
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = </usr/share/dovecot/dh.pem
</pre>

Zertifikate generieren: s. https://wiki.nomorebluescreen.de/index.php?title=Webserver_mit_Apache#Alternative_letsencrypt

'''Spoiler:''' 
Jedes Mal, wenn das Zertifikat ausgetauscht wird, muss der dovecot-Service neu gestartet werden, damit das neue Zertifikat auch eingelesen wird.

'''Überprüfen, welche Dateien angefasst wurden:'''
<pre>
diff -quw conf.d.orig conf.d
Files conf.d.orig/10-ssl.conf and conf.d/10-ssl.conf differ
Files conf.d.orig/15-lda.conf and conf.d/15-lda.conf differ
Files conf.d.orig/20-imap.conf and conf.d/20-imap.conf differ
Files conf.d.orig/20-managesieve.conf and conf.d/20-managesieve.conf differ
Files conf.d.orig/90-sieve.conf and conf.d/90-sieve.conf differ
Files conf.d.orig/auth-passwdfile.conf.ext and conf.d/auth-passwdfile.conf.ext differ
</pre>

'''Ausgabe der gesamten Config'''

# doveconf -n

==== Sieve ====
Engine zum Filtern von Emails

dovecot-sieve und dovecot-managesieved installieren

'''15-lda.conf:'''
<pre>
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
protocol lda {
mail_plugins = $mail_plugins sieve
}
</pre>

'''20-managesieve.conf:'''
<pre>
protocols = $protocols sieve
</pre>

'''90-sieve.conf:'''
<pre>
plugin {
sieve = file:~/sieve;active=~/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global_dir = /var/lib/dovecot/sieve
}
</pre>
Kontrolle, ob der sieve-Service läuft und auf Port 4190 lauscht.
<pre>
# service dovecot restart
# ss -plnt | grep 4190
</pre>
Da der User i.a. nicht direkt auf dem Emailserver sein /home mit den Sieve-Regeln editieren kann, erfolgt die weitere Konfiguration im Email-Client (s.u.).

Achtung Bug: 
Da sieve/dovecot die Variable %n in der users-Datei nicht interpretiert, sollte man diese dort nicht verwenden. Somit kann es passieren, dass von roundcube ein Verzeichnis ''%n'' angelegt wird, in dem sich eine gemeinsame sieve config für '''alle''' User befindet.

=== Transport von Postfix zu Dovecot ===

Dem Postfix muss noch beigebracht werden, dass die Emails zum Dovecot gehen. 
'''master.cf''' im Postfix anpassen (die Einträge in den {} gehören so, nicht ersetzen!):
<pre>
dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail
argv=/usr/lib/dovecot/deliver -a ${recipient} -f ${sender} -d $
{user} @${nexthop} -m ${extension}
</pre>
und einen mailbox_command Eintrag in der main.cf vornehmen:
<pre>
mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
</pre>
(https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_postfix/#howto-dovecot-lda-postfix)

Danach noch postfix und dovecot service restarten.

== Logging ==

Logfiles gehen ebenfalls (wie postfix) nach /var/log/mail.log 
Nützlicher Alias:
<pre>
maillog='tail -f /var/log/maillog'
</pre>

Debugging einschalten:
mail_debug = yes
in der Datei
''10-logging.conf''.

'''Protipp:'''
Wenn im Log folgender Fehler erscheint:

Mar 27 08:03:56 aphantopus postfix/pipe[2317]: 521066005D: to=<sunflower@example.de>, relay=dovecot, delay=0.3, delays=0.19/0.04/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service (lda(sunflower@example.de,)Error: net_connect_unix(/var/run/dovecot/stats-writer) failed: Permission denied))

=> In der ''10-master.conf'' '''stats''' für User vmail erlauben (s.o.)

= Roundcube =

Praktisches Webfrontend zum Abholen und Verschicken von Emails

Erst mysql-server installieren, sonst bricht die Installation mit einem Fehler ab
# apt install mariadb-server roundcube
Die dbconfig-common Frage mit „yes“ beantworten, mysql-Passwort setzen.
Config Datei anpassen (''/etc/roundcube/config.inc.php''):
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;

== Plugins ==

Standard-Plugings installieren
# apt install roundcube-plugins

Weitere Plugins installieren:
# apt install roundcube-plugins-extra git curl composer
(composer braucht man für die Installation von Plugins, git, weil die meisten aus github kommen) 
Die, die man haben will, in der Datei ''/etc/roundcube/config.inc.php'' enablen

$config['plugins'] = array(
 'compose-addressbook',
'markasjunk2',
 'fail2ban'
);

Übersicht über die offiziellen Plugins:

https://plugins.roundcube.net/

Plugins, die es nicht als Paket gibt: 
Schritte: 
* README lesen
* Plugin als zip herunterladen, nach ''/usr/share/roundcube/plugins'' entpacken
* (evtl. umbenennen)
* ''/etc/roundcube/config.inc.php'' bearbeiten:
Abschnitt
$config['plugins'] = array(
suchen und fehlendes Plugin ergänzen

== Filter Plugin for Sieve ==

Achtung, nicht das Plugin „filter“ verwenden, sondern '''managesieve''' (ist Bestandteil des roundcube-plugins Paketes)

Eine Anleitung gibt es hier: 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-code-in-roundcube/
 
https://www.pair.com/support/kb/how-to-add-sieve-filtering-in-roundcube/


Anmerkung: Den protocols Parameter nicht in der dovecot.conf editieren, sondern in
''20-managesieve.conf'' (s.o.):

protocols = $protocols sieve

Nun kann man über das Webfrontend Sieve-Filterregeln generieren

Achtung Bug: 
Sieve legt ein sieve-Verzeichnis unter dem Verzeichnis an, das in mail_location definiert ist. Wenn man die emails der User unter ''/var/mail/<domain>/<username>'' ablegen möchte, wird man folgendes konfigurieren:

mail_location = maildir:/var/mail/%d/%n

Da dovecot aber %d nicht interpretiert (s.o.), liegt das User maildirectory unter /var/mail/<username>. Sieve interpretiert dagegen %n nicht und legt ein Directory /var/mail/<domain>/%n/sieve an, unter der die roundcube.sieve Datei liegt. Somit greifen alle User auf dieselbe Datei zu, was technisch möglich, securitytechnisch aber fatal ist. Leider keine gute Idee zur Abhilfe bekannt.

== Passwort ändern ==
Um den Usern die Möglichkeit zu geben, ihr Passwort selbst zu ändern, wird in der ''config.inc.php'' das Plugin enabled:

<pre>
$config['plugins'] = array(
(...)
'password'
);
</pre>

Weitere Einstellungen, wenn die User in einem Passwortfile gepflegt werden wie im Kapitel '''Dovecot''' beschrieben: 
(wir gehen davon aus, dass die Userpasswörter mit sha512 verschlüsselt werden, s.o.)

# https://stackoverflow.com/questions/62655236/how-to-enable-password-plugin-on-roundcube
$config['password_algorithm'] = 'ssha512';
$config['password_algorithm_prefix'] = '{SSHA512}';
$config['password_driver'] = 'dovecot_passwdfile';
$config['password_dovecot_passwdfile_path'] = '/etc/dovecot/users';

Die users Datei vom dovecot muss dann entsprechend für www-data les- und schreibbar sein:
-rw-rw---- 1 dovecot www-data 1240 Dec 2 23:20 /etc/dovecot/users

(Achtung, riskant bei eventueller Kompromittierung des Webservers! Als Alternative überlegen, die dovecot-Passwörter in eine [mysql-]DB auszulagern)

== Identities ändern ==

Normalerweise kann ein User nur mit seiner Absenderadresse senden. Das ist eine sinnvolle Einstellung, aber wer das Feature zu Testzwecken abschalten will, kann folgende Einstellung vornehmen:
$config['identities_level'] = 0;
Nun kann der User über "Einstellungen" weitere Absender hinzufügen (https://www.servercake.blog/multiple-identities-roundcube/)

(Leider bisher keine Möglichkeit gefunden, dies nur auf (einen) bestimmte(n) User einzuschränken)

== Apache Integration ==

Hier eine Beispielkonfiguration für einen Virtual Host, um die Roundcube-Seite unter https://mail.example.de zu erreichen.
Weiteres im Kapitel [[Webserver mit Apache|apache]]
<pre>
<VirtualHost *:443>
ServerName mail.example.de
ServerAdmin postmaster@example.de

SSLEngine on
SSLCertificateFile /var/lib/dehydrated/certs/mail.example.de/fullchain.pem
SSLCertificateKeyFile /var/lib/dehydrated/certs/mail.example.de/privkey.pem

DocumentRoot /usr/share/roundcube

# Includes
Include /etc/apache2/conf-available/ssl-encryption.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
CustomLog /var/log/apache2/mail-ssl.log combined
ErrorLog /var/log/apache2/mail-ssl-error.log
</VirtualHost>
</pre>

Das roundcube-Paket bringt zudem noch eine roundcube.conf mit, die unter /etc/apache2/conf-available/roundcube.conf installiert und aktiviert wird.

=== PHP ===
Damit der Roundcube überhaupt läuft, muss das php Plugin installiert und aktiviert sein. Passiert unter Debian mittels:
# apt install libapache2-mod-php

Etwas performanter ist die Verwendung von '''php-fpm''' (https://www.zend.com/blog/apache-phpfpm-modphp).
# apt install php-fpm

Der default Upload bei PHP sind dürftige 2 MB. Um diesen z.B. auf 50MB raufzudrehen, muss folgende Datei angefasst werden:
<pre>VERSION=$(php -v| head -n 1 | awk '{ print $2 }' | sed -e 's|.[[:digit:]]*$||')</pre>
* modphp:
/etc/php/${VERSION}/apache2/php.ini
upload_max_filesize = 50M
* php-fpm:
/etc/php/${VERSION}/fpm/php.ini
upload_max_filesize = 50M

= Integration in einen MUA =
Wer nicht über den (langsamen) Webmailer gehen will, kann natürlich auch einen MUA seiner Wahl verwenden. Hier ein Beispiel.

== Thunderbird==

Einstellungen für Outgoing Server (SMTP)
<pre>
Servername: FQDN des Email-Servers
Port: 25
Connection Security: STARTTLS
Authentication Method: Normal Password
Username: Name des Mailbox-Users
</pre>

Beim 1. Mal wird man nach seinem Mailbox-Passwort gefragt. Dieses eingeben und speichern.

Server Settings (IMAP)
<pre>
Server Type: IMAP Mail Server
Server Name: FQDN des Email-Servers
Port: 993
Username: Name des Mailbox-Users
Connection Security: SSL/TLS
Authentication Method: Normal Password
(Die restlichen Defaults so belassen oder bei Bedarf anpassen)
</pre>

[[File:Screenshot thunderbird1.png|900px]]
[[File:Screenshot thunderbird2.png|900px]]

OpenShift Cheatsheet

2026-02-16T17:12:39Z

Sunflower: /* Deployments */

Some helpful OpenShift commands which work (at least) since version >= 4.11

updated for version: 4.19

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Resources =
(in common)

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)
Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

= Nodes =

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Draining nodes ==
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary when you drain it s. below - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Machines =

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Machinesets ==

Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

== Delete and re-create machines/nodes ==
oc get machines -A | grep worker-<XY> | wc -l
-> MACHINECOUNT
oc annotate machine/<machine-name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
oc scale --replicas=<$MACHINECOUNT+1> machineset <machineset> n openshift-machine-api
oc scale --replicas=$MACHINECOUNT machineset <machineset> -n openshift-machine-api

= Projects/Namespaces =

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

= Registries =
* registry.access.redhat.com
* registry.redhat.io (with login only)
* quay.io
* docker.io

= Images =

Search Images by help of podman:
$ podman search <wordpress>

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
skopeo inspect --config docker://registry.redhat.io/rhel8/httpd-24

Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

== Create pod from image ==

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

= Apps =

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

= Deployments =

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

== Environment variables ==
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret (--prefix=MYSQL_)

== Restart deployment after change ==

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==
$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make deployment available from inside/outside ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Add probes ==
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

== Autoscale Pods ==
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

== Reduce/Upgrade cpu/mem requests ==
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

== Security ==
=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

= Pods =

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

= Jobs and Cronjobs =
== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

= Secrets =
== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

= Configmaps =
== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets (REVIEW!)
$ oc get egressips

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Changes with '''patch''' command =

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

== Examples ==
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-02-14T09:20:06Z

Sunflower:

Some helpful OpenShift commands which work (at least) since version >= 4.11

updated for version: 4.19

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Resources =
(in common)

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)
Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

= Nodes =

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Draining nodes ==
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary when you drain it s. below - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Machines =

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Machinesets ==

Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

== Delete and re-create machines/nodes ==
oc get machines -A | grep worker-<XY> | wc -l
-> MACHINECOUNT
oc annotate machine/<machine-name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
oc scale --replicas=<$MACHINECOUNT+1> machineset <machineset> n openshift-machine-api
oc scale --replicas=$MACHINECOUNT machineset <machineset> -n openshift-machine-api

= Projects/Namespaces =

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

= Registries =
* registry.access.redhat.com
* registry.redhat.io (with login only)
* quay.io
* docker.io

= Images =

Search Images by help of podman:
$ podman search <wordpress>

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
skopeo inspect --config docker://registry.redhat.io/rhel8/httpd-24

Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

== Create pod from image ==

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

= Apps =

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

= Deployments =

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

== Environment variables ==
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret (--prefix=MYSQL_)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==
$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make deployment available from inside/outside ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Add probes ==
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

== Autoscale Pods ==
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

== Reduce/Upgrade cpu/mem requests ==
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

== Security ==
=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

= Pods =

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

= Jobs and Cronjobs =
== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

= Secrets =
== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

= Configmaps =
== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets (REVIEW!)
$ oc get egressips

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Changes with '''patch''' command =

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

== Examples ==
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-02-06T21:17:54Z

Sunflower: /* Set environment variables afterwards */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret (--prefix=MYSQL_)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-02-06T20:31:12Z

Sunflower: /* Set environment variables afterwards */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

oc set env deployment/mariadb --from=secret/my-secret

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-02-06T11:39:23Z

Sunflower: /* configmap */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path < /var/www/html >

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-01-25T09:50:17Z

Sunflower: /* Create Secret */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

=== Update Secret ===
$ oc set data secret/<mysecret> --from-file /tmp/root-password

=== Extract secret ===
$ oc extract secret /<mysecret> --to /tmp/mysecret (--confirm)

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-01-25T09:32:41Z

Sunflower: /* from file */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <sshkeys> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-01-25T09:32:01Z

Sunflower: /* Create Secret */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic <mysecret> --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls <secret-tls> --cert /tmp/mydomain.crt --key /tmp/mydomain.key

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-01-25T09:31:07Z

Sunflower: /* from String */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic <test> --from-literal=foo=bar

=== from file ===
$ oc create secret generic --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls secret-tls --cert /tmp/mydomain.crt --key /tmp/mydomain.key

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2026-01-25T09:29:36Z

Sunflower: /* Create Secret from String */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret ==
=== from String ===
$ oc create secret generic test --from-literal=foo=bar

=== from file ===
$ oc create secret generic --from-file id_rsa=/path-to/id_rsa --from-file id_rsa.pub=/path-to/id_rsa.pub

=== as TLS secret ===
$ oc create secret tls secret-tls --cert /tmp/mydomain.crt --key /tmp/mydomain.key

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

Misc (multimedia)

2025-12-19T21:31:39Z

Sunflower: /* Musik-CD brennen */

== Fotos vom Smartphone übertragen ==
* Geht schnell und stressfrei mit '''jmtpfs'''. Dieses lässt sich als Paket installieren. 
* Das Smartphone an den Micro-USB-Port anschließen und die Art der Datenübertragung wählen:
"Daten übertragen (mtp)"
* Daten z.B. nach /mnt mounten:
jmtpfs /mnt
und von dort kopieren

Anmerkung: Sollte unter KDE folgender Fehler auftreten

<pre>
Listing raw device(s)
Device 0 (VID=...) is a Samsung Galaxy models (MTP).
Found 1 device(s):
Samsung: Galaxy models (MTP) (...) @ bus 1, dev 10
Attempting to connect device(s)
libusb_claim_interface() reports device is busy, likely in use by GVFS or KDE MTP device handling already
LIBMTP PANIC: Unable to initialize device
Unable to open raw device 0
</pre>

Kann man folgendes versuchen:
<pre>
killall kiod5
</pre>
bzw.
<pre>
killall gvfs-udisk2
</pre>
unter xfce.

Leider ist es unter xfce offenbar nicht mehr möglich mit o.g. Tools ein Smartphone zu mounten. Eine andere Möglichkeit ist der Android Debugger '''adb'''. 
Installieren und sich den Inhalt der Speicherkarte ansehen:
<pre>
sudo apt install adb
adb devices
</pre>
(Es sollte mindestens ein Device angezeigt werden)
<pre>
adb shell
ls /sdcard/DCIM
strg+d
</pre>

Außerdem muss man an seinem Android Gerät noch ein paar Einstellungen vornehmen:
* Developer Mode einschalten (7x auf die Serial tippen)
* USB Debugging einschalten (unter den Developer Options)
* Nach dem Einstecken des USB-Kabels Data Transfer wählen (anstatt nur Aufladen)

Eine ausführliche Anleitung für diese Schritte gibt es hier: 
https://droidwin.com/fix-adb-device-not-found-error/

Mit
<pre>
adb pull <source> <destination>
</pre>
lassen sich die Dateien nun herunterziehen.

Man kann der adb Shell auch Argumente mitgeben z.B.
<pre>
adb shell ls /sdcard/DCIM/Camera
</pre>

=== Annotations ===
* Unter xfce4 kann man Fotos am besten mit jmtpfs herunterladen. Davor muss man konkurierende Prozesse mit Zugriff auf die Kamera in einer Endlosschleife abschießen
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
und in einer anderen Shell das Device mounten:
<pre>
mkdir /tmp/cam
jmtpfs /tmp/cam
Device 0 (VID=18d1 and PID=4ee2) is a Google Inc Nexus/Pixel (MTP+ADB).
Android device detected, assigning default bug flags
ls /tmp/cam/Interner\ gemeinsamer\ Speicher/DCIM/
Camera PeakLens
</pre>

* Unter kde kann man sich mir dem adb (s.o.) behelfen, indem man kiod+gvfs in einer Endlosschleife abschießt (s.o.):
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
* Zu viele Fotos auf einmal herunterladen, bricht irgendwann ab. Hier ein paar Commands, wie man eine Auswahl heruntergeladen bekommt (e.g. Jan. 2024):
<pre>
adb shell ls /sdcard/DCIM/Camera|grep IMG_2024 >/tmp/img.txt
for IMG in $(grep 202401 /tmp/img.txt) ; do adb pull /sdcard/DCIM/Camera/$IMG CAM/; done
</pre>

== Bootbaren USB-Stick erstellen ==

'''Voraussetzung:''' Ein Ordner namens ''ISO'', in dem sich bootbare Dateien (z.B. für ein Windows-Image) befinden

Ein ISO-Image lässt sich sehr einfach mit dem Tool '''xorrisofs''' erstellen.
 Zunächst muss dieses installiert werden
$ sudo apt install xorriso

Das Erzeugen des ISO geht dann wie folgt:
$ xorrisofs -r -J -o ./windows10.iso ./ISO

Das ISO-Image kann man dann mit "dd" auf den USB-Stick kopiert werden. Je nachdem, um welches Device es sich handelt, kann das dann so aussehen:
# dd if=windows.iso of=/dev/sde
Achtung: '''Keine''' Partition erstellen/angeben !

==Tracks aus Musik-CD extrahieren==

$ icedax -D <devicename> -t 1 song1.wav
also z.B.
$ icedax -D /dev/cdrom -t 2 song2.wav
$ icedax -D /dev/cdrom0 -t 3+4 mixed.wav
(macht aus Nr. 3 u. 4 eine große Datei)

Wer lieber mp3s hat, kann '''cdda2mp3''' verwenden.

==Musik-CD brennen==
Für eine Musik-CD wird KEIN Isoimge erzeugt! 
Stattdessen alle wav-Dateien in einem Ordner speichen, dort hineinwechseln und
ausführen:
# cdrecord -dao *.wav

cdrecord wird in neueren Debian-Releases durch ''wodim'' ersetzt. Beispiel:

Daten:
$ /usr/bin/wodim -v gracetime=2 dev=/dev/sr0 speed=4 -sao driveropts=burnfree -data
Musik:
$ wodim -v gracetime=2 dev=/dev/cdrom speed=8 -dao -pad driveropts=burnfree *

Leider ist wodim etwas heikel mit den Frequenzen. Wenn eine wav Datei nicht 44100 Hz hat, wird sie nicht gebrannt. Ein Beispiel, wie man sie umwandeln kann:
$ ffmpeg -i "INFILE" -vn -ac 2 -ar 44100 <OUTFILE.wav>

==DVD brennen==
# growisofs -R -J -Z /dev/dvd /path/to/file-or-directory

wobei -R=Rockridge, -J=Joliet und -Z=device (kann von System zu System variieren). Wer sich nicht sicher ist, kann mit -dry-run den Brennvorgang erstmal simulieren. 
Eine sehr schöne Übersicht über DVDs allg. und unter Linux gibt es hier 
http://www.rakekniven.de/linux/k-base/dvd-brennen.php

== Von DVD extrahieren ==
Als brauchbar für die Erstellung eines mp4 von DVD hat sich im Test handbrake herausgestellt. Lässt sich als Paket installieren. Nur der Sound kommt etwas leise. Dieser lässt sich mit [[#ffmpeg|ffmpeg]] aufbessern (s.u.).

== Monitor kalibrieren ==

Sehr empfehlenswert ist das Tool DisplayCAL [https://displaycal.net/], das gängige Kalibrierungsgeräte wie z.B. Spyder, unterstützt. 
Verwendete Hardware: 
[https://www.dpreview.com/articles/3856869836/spyder3 Spyder 3]

Hier gibt es eine umfassende Anleitung:

https://www.reallinuxuser.com/how-to-color-calibrate-your-monitor-in-linux/

=== Anmerkung ===

Die Originalversion benutzt Python2 und wird daher auf den gängigen Linux-Distributionen nicht mehr unterstützt. Es gibt aber ein Nachfolgeprojekt: https://github.com/eoyilmaz/displaycal-py3
und darauf basierend ein Debianpaket:
$ sudo apt install displaycal

Unten genanntes wurde mit der alten Version und python2 getestet.

=== Protipp ===

* Wer keine guten/farbstichige Ergebnisse erzielt, kann als Whitepoint 5300K versuchen.

[[File:Screenshot 2021-02-23 19-55-44.png|800px]]

* Am Ende wird ein '''Profil''' (.icc Datei) erzeugt. Laden lässt sich dieses mit xcalib:

$ xcalib <profilname>

(und ein bisschen Theorie zu den konfigurierbaren Parametern:

https://displaycal.net/#colorimeter-corrections )

== ffmpeg ==
'''Das''' Tool zum Filme (und Sound) bearbeiten. Hier ein paar Beispiele:

* Film um 180° drehen:
$ ffmpeg -i input.mp4 -vf "transpose=2,transpose=2" output.mp4

* Sound entfernen:
$ ffmpeg -i MVI_1747.MOV -vcodec copy -an MVI_1747_mute.MOV
* Sound extrahieren (als mp3 abspeichern):
# ffmpeg -i MVI_1751.MOV MVI_1751.mp3
* Lautstärke verändern (z.B. 1.5fach)
# ffmpeg -i input.wav -af "volume=1.5" output.wav

* Ab Position n den Rest abschneiden:
# ffmpeg -i MVI_1752.mp3 -to 00:00:27 MVI_1752_short.mp3

* Ausschnitt rausschneiden und gleichzeitig als mp3 abspeichern
# ffmpeg -i Buena_Vista_Social_Club.mp4 -ss 00:04:16 -to 00:09:16 bvsc2.mp3

* Audio zu Video zufügen:
# ffmpeg -i MVI_1747_mute.MOV -i MVI_1752a.mp3 -codec copy -shortest MVI_1747_sound.MOV

* 2 Sounddateien mergen:
# ffmpeg -i "concat:MVI_1751.mp3|MVI_1753.mp3" -c copy MVI_1752.mp3
(Bei größeren Dateimengen ist sox eine gute Alternative: 
# sox file1.wav file2.wav ... filen.wav newfile.wav
)
* 2 Videodateien mergen
Falls auf Grund unterschiedlicher Codierung sich das obige Beispiel nicht aus Videos übertragen lässt:
$ ffmpeg -ifile1.mp4 -i file2.mp4 -filter_complex "[0:v][0:a][1:v][1:a] concat=n=2:v=1:a=1 [outv] [outa]" -map "[outv]" -map "[outa]" out.mp4

Beispiel für das Zusammenmergen von 3 Videos incl. Sound:
$ ffmpeg -i VID_20241225_part1.mp4 -i VID_20241225_part2.mp4 -i VID_20241225_142603~2.mp4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0] concat=n=3 :v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" output.mp4

Beispiel für das Zusammenmergen von 4 Videos zu 1 großen:
$ ffmpeg -i part1.mp4 -i part2.mp4 -i MVI_0309.MP4 -i MVI_0310.MP4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0][3:v:0][3:a:0]concat=n=4:v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" bigmovie.mp4

Alternative: 
Datei erstellen mit dem Inhalt der Videodateien:
cat > myfile.txt<<EOF
file 'MVI_1547.mp4'
file 'MVI_1610.mp4'
EOF

$ ffmpeg -f concat -i myfile.txt -c copy output.mp4

Sollte das Video nicht sauber durchlaufen, mit avidemux öffnen und die Schnittstelle rausschneiden.

(wer noch immer nicht genug hat: https://trac.ffmpeg.org/wiki/Concatenate )

* Beispiel für 2 Videodateien zusammenmergen:

#!/bin/bash

F1=MVI_1869.MOV
F2=MVI_1870.MOV
RESULT=MVI_1871.mp4

# sound
#ffmpeg -i $F1 intermediate.mp3
#ffmpeg -i $F2 intermediate.mp3

# movie ohne sound
# ffmpeg -i $F1 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate1.ts
# ffmpeg -i $F2 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate2.ts
# ffmpeg -f mpegts -i "concat:intermediate1.ts|intermediate2.ts" -c copy -bsf:a aac_adtstoasc $RESULT
# rm intermediate{1,2}.ts

# movie mit Sound
ffmpeg -i $F1 -i $F2 \
-filter_complex "[0:v:0] [0:a:0] [1:v:0] [1:a:0] concat=n=2:v=1:a=1 [v] [a]" \
-map "[v]" -map "[a]" $RESULT

* Zeitraffer/Zeitlupe

Beispiel doppelte Geschwindigkeit:
ffmpeg -i input.mp4 -filter:v "setpts=0.5*PTS" output.mp4
(Der Sound sollte dann rausgeschnitten werden, weil er sonst nicht zur Filmlänge passt, s.o.)

https://medium.com/@sekhar.rahul/creating-a-time-lapse-video-on-the-command-line-with-ffmpeg-1a7566caf877

* Untertitel zufügen

Wenn die Untertitel als srt Datei vorliegen , muss man sie erst ins ass Format umwandeln:

$ ffmpeg -i subtitles.srt subtitles.ass

[[Subtitles_example.srt | Hier]] gibt es ein Beispiel für ein .srt file im Format
<fortlaufende nr.>
<time range HH:MM:SS,mmm --> HH:MM:SS,mmm>
<text>

Video mit Untertiteln erzeugen:

$ ffmpeg -i input.mp4 -vf ass=subtitles.ass output.mp4

Wer immer noch nicht genug hat:

https://img.ly/blog/ultimate-guide-to-ffmpeg/

==Soundtest mit arecord ==
Manchmal ist es hilfreich, Headset und Lautsprecher zu testen. So geht das:

$ arecord -f S16_LE -r 3000 | aplay -vvv

== avidemux ==
Nettes Videoschnitttool. Leider nicht mehr als Debianpaket verfügbar. Kann aber hier heruntergeladen werden: 
https://www.fosshub.com/Avidemux.html

Am besten das Appimage herunterladen und verlinken z.B.
# ln -s /usr/local/bin/3rdparty/avidemux_2.8.1.appImage /usr/local/bin/avidemux

== Bildbetrachter ==

=== irfanview ===
https://www.irfanview.net/faq.htm

Gibt es generisch nur für Windows. Lässt sich aber auf (mindestens) 2 Arten auch für Linux installieren:

==== 1. Snap ====
https://snapcraft.io/install/irfanview/debian
$ sudo apt install snapd
$ sudo snap install irfanview
$ type -a irfanview
irfanview is /snap/bin/irfanview

==== 2. Wine ====
Unbedingt darauf achten, die 64bit-Version herunterzuladen!
$ wine iview460_x64_setup.exe
Danach kommt ein Windows-Installer-Fenster.
$ type -a irfanview
irfanview is aliased to `wine /home/kathrin/.wine/drive_c/Program\ Files/IrfanView/i_view64.exe'

=== gwenview ===
Hat ein paar nette Eigenschaften, z.B. mehrere Bilder gleichzeitig anzeigen lassen zum Vergleich. Kommt mit KDE oder als gleichnamiges Paket.

== .wav Dateien mit xine abspielen ==
Wenn eine Fehlermeldung missing plugin kommt...

* libxine2-misc-plugins installieren

==Image::Magick==
Perlmodul, mit dem man Massenbearbeitung von Bildern (verkleinern, vergrößern,
...) durchführen kann. 
Beispielscript [[resizeXpercent.pl]]: 
Alle Bilder eines bestimmten Ordners werden um X Prozent verkleinert und in
einen anderen Ordner gespeichert.

==Image Magick mit jpeg-Support benutzen==
libjpeg-dev installieren

Main Page

2025-11-23T09:25:38Z

Sunflower:

'''Sammlung von Linux-Topics''' 
 

[[Image:Pingo.png|120px|right|Tux]]
Dies ist eine - zugegebenermaßen ziemlich unsortierte - Sammlung von
praktischen Tools und HowTos für Linux zum Zweck einer
Online-Gedächtnisstütze und Einstiegshilfe für Anfänger. 

Wer schon etwas weiter fortgeschritten ist, kann sich die [[Advanced Topics]] zu Gemüte führen.

 Getestet und erstellt wurden diese Mini-HowTos - sofern nicht anders
angegeben -
unter Debian [http://www.debian.org], Ubuntu [http://www.ubuntu.com] und
Knoppix [http://www.knoppix.org].

* [[Dateien verschlüsseln mit gpg]]
* [[Debianpakete installieren]]
* [[Digicam einbinden]]
* [[Drucker einrichten mit CUPS]]
* [[Festplatte hinzufügen]]
* [[Filesystem verschlüsseln]]
* [[GPM]]
* [[Grub]]
* [[Interfacenamen umbiegen mit udev]]
* [[iptables-Beispiel]]
* [[KDE-Shortcuts]]
* [[Misc (multimedia)]]
* [[PDF Bearbeitung]]
* [[Rechnen auf der Shell]]
* [[rpm]]
* [[tar/gzip]]
* [[VirtualBox installieren]]
* [[VMware-Tools installieren]]
* [[weitere Links]]

[[Advanced Topics]]

'''Legacy Topics'''

Archiv von Themen, die nicht mehr so aktuell sind:

* [[32 to 64 bit Migration]]
* [[ Browser-Anpassungen ]]
* [[Kernel kompilieren]]
* [[MAC OS - CD unter Linux kopieren]]
* [[Mandriva - Software installieren]]
* [[mtools]]
* [[WLAN einrichten]]

Misc (multimedia)

2025-11-01T19:17:06Z

Sunflower: /* ffmpeg */

== Fotos vom Smartphone übertragen ==
* Geht schnell und stressfrei mit '''jmtpfs'''. Dieses lässt sich als Paket installieren. 
* Das Smartphone an den Micro-USB-Port anschließen und die Art der Datenübertragung wählen:
"Daten übertragen (mtp)"
* Daten z.B. nach /mnt mounten:
jmtpfs /mnt
und von dort kopieren

Anmerkung: Sollte unter KDE folgender Fehler auftreten

<pre>
Listing raw device(s)
Device 0 (VID=...) is a Samsung Galaxy models (MTP).
Found 1 device(s):
Samsung: Galaxy models (MTP) (...) @ bus 1, dev 10
Attempting to connect device(s)
libusb_claim_interface() reports device is busy, likely in use by GVFS or KDE MTP device handling already
LIBMTP PANIC: Unable to initialize device
Unable to open raw device 0
</pre>

Kann man folgendes versuchen:
<pre>
killall kiod5
</pre>
bzw.
<pre>
killall gvfs-udisk2
</pre>
unter xfce.

Leider ist es unter xfce offenbar nicht mehr möglich mit o.g. Tools ein Smartphone zu mounten. Eine andere Möglichkeit ist der Android Debugger '''adb'''. 
Installieren und sich den Inhalt der Speicherkarte ansehen:
<pre>
sudo apt install adb
adb devices
</pre>
(Es sollte mindestens ein Device angezeigt werden)
<pre>
adb shell
ls /sdcard/DCIM
strg+d
</pre>

Außerdem muss man an seinem Android Gerät noch ein paar Einstellungen vornehmen:
* Developer Mode einschalten (7x auf die Serial tippen)
* USB Debugging einschalten (unter den Developer Options)
* Nach dem Einstecken des USB-Kabels Data Transfer wählen (anstatt nur Aufladen)

Eine ausführliche Anleitung für diese Schritte gibt es hier: 
https://droidwin.com/fix-adb-device-not-found-error/

Mit
<pre>
adb pull <source> <destination>
</pre>
lassen sich die Dateien nun herunterziehen.

Man kann der adb Shell auch Argumente mitgeben z.B.
<pre>
adb shell ls /sdcard/DCIM/Camera
</pre>

=== Annotations ===
* Unter xfce4 kann man Fotos am besten mit jmtpfs herunterladen. Davor muss man konkurierende Prozesse mit Zugriff auf die Kamera in einer Endlosschleife abschießen
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
und in einer anderen Shell das Device mounten:
<pre>
mkdir /tmp/cam
jmtpfs /tmp/cam
Device 0 (VID=18d1 and PID=4ee2) is a Google Inc Nexus/Pixel (MTP+ADB).
Android device detected, assigning default bug flags
ls /tmp/cam/Interner\ gemeinsamer\ Speicher/DCIM/
Camera PeakLens
</pre>

* Unter kde kann man sich mir dem adb (s.o.) behelfen, indem man kiod+gvfs in einer Endlosschleife abschießt (s.o.):
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
* Zu viele Fotos auf einmal herunterladen, bricht irgendwann ab. Hier ein paar Commands, wie man eine Auswahl heruntergeladen bekommt (e.g. Jan. 2024):
<pre>
adb shell ls /sdcard/DCIM/Camera|grep IMG_2024 >/tmp/img.txt
for IMG in $(grep 202401 /tmp/img.txt) ; do adb pull /sdcard/DCIM/Camera/$IMG CAM/; done
</pre>

== Bootbaren USB-Stick erstellen ==

'''Voraussetzung:''' Ein Ordner namens ''ISO'', in dem sich bootbare Dateien (z.B. für ein Windows-Image) befinden

Ein ISO-Image lässt sich sehr einfach mit dem Tool '''xorrisofs''' erstellen.
 Zunächst muss dieses installiert werden
$ sudo apt install xorriso

Das Erzeugen des ISO geht dann wie folgt:
$ xorrisofs -r -J -o ./windows10.iso ./ISO

Das ISO-Image kann man dann mit "dd" auf den USB-Stick kopiert werden. Je nachdem, um welches Device es sich handelt, kann das dann so aussehen:
# dd if=windows.iso of=/dev/sde
Achtung: '''Keine''' Partition erstellen/angeben !

==Tracks aus Musik-CD extrahieren==

$ icedax -D <devicename> -t 1 song1.wav
also z.B.
$ icedax -D /dev/cdrom -t 2 song2.wav
$ icedax -D /dev/cdrom0 -t 3+4 mixed.wav
(macht aus Nr. 3 u. 4 eine große Datei)

Wer lieber mp3s hat, kann '''cdda2mp3''' verwenden.

==Musik-CD brennen==
Für eine Musik-CD wird KEIN Isoimge erzeugt! 
Stattdessen alle wav-Dateien in einem Ordner speichen, dort hineinwechseln und
ausführen:
# cdrecord -dao *.wav

cdrecord wird in neueren Debian-Releases durch ''wodim'' ersetzt. Beispiel:

$ /usr/bin/wodim -v gracetime=2 dev=/dev/sr0 speed=4 -sao driveropts=burnfree -data

==DVD brennen==
# growisofs -R -J -Z /dev/dvd /path/to/file-or-directory

wobei -R=Rockridge, -J=Joliet und -Z=device (kann von System zu System variieren). Wer sich nicht sicher ist, kann mit -dry-run den Brennvorgang erstmal simulieren. 
Eine sehr schöne Übersicht über DVDs allg. und unter Linux gibt es hier 
http://www.rakekniven.de/linux/k-base/dvd-brennen.php

== Von DVD extrahieren ==
Als brauchbar für die Erstellung eines mp4 von DVD hat sich im Test handbrake herausgestellt. Lässt sich als Paket installieren. Nur der Sound kommt etwas leise. Dieser lässt sich mit [[#ffmpeg|ffmpeg]] aufbessern (s.u.).

== Monitor kalibrieren ==

Sehr empfehlenswert ist das Tool DisplayCAL [https://displaycal.net/], das gängige Kalibrierungsgeräte wie z.B. Spyder, unterstützt. 
Verwendete Hardware: 
[https://www.dpreview.com/articles/3856869836/spyder3 Spyder 3]

Hier gibt es eine umfassende Anleitung:

https://www.reallinuxuser.com/how-to-color-calibrate-your-monitor-in-linux/

=== Anmerkung ===

Die Originalversion benutzt Python2 und wird daher auf den gängigen Linux-Distributionen nicht mehr unterstützt. Es gibt aber ein Nachfolgeprojekt: https://github.com/eoyilmaz/displaycal-py3
und darauf basierend ein Debianpaket:
$ sudo apt install displaycal

Unten genanntes wurde mit der alten Version und python2 getestet.

=== Protipp ===

* Wer keine guten/farbstichige Ergebnisse erzielt, kann als Whitepoint 5300K versuchen.

[[File:Screenshot 2021-02-23 19-55-44.png|800px]]

* Am Ende wird ein '''Profil''' (.icc Datei) erzeugt. Laden lässt sich dieses mit xcalib:

$ xcalib <profilname>

(und ein bisschen Theorie zu den konfigurierbaren Parametern:

https://displaycal.net/#colorimeter-corrections )

== ffmpeg ==
'''Das''' Tool zum Filme (und Sound) bearbeiten. Hier ein paar Beispiele:

* Film um 180° drehen:
$ ffmpeg -i input.mp4 -vf "transpose=2,transpose=2" output.mp4

* Sound entfernen:
$ ffmpeg -i MVI_1747.MOV -vcodec copy -an MVI_1747_mute.MOV
* Sound extrahieren (als mp3 abspeichern):
# ffmpeg -i MVI_1751.MOV MVI_1751.mp3
* Lautstärke verändern (z.B. 1.5fach)
# ffmpeg -i input.wav -af "volume=1.5" output.wav

* Ab Position n den Rest abschneiden:
# ffmpeg -i MVI_1752.mp3 -to 00:00:27 MVI_1752_short.mp3

* Ausschnitt rausschneiden und gleichzeitig als mp3 abspeichern
# ffmpeg -i Buena_Vista_Social_Club.mp4 -ss 00:04:16 -to 00:09:16 bvsc2.mp3

* Audio zu Video zufügen:
# ffmpeg -i MVI_1747_mute.MOV -i MVI_1752a.mp3 -codec copy -shortest MVI_1747_sound.MOV

* 2 Sounddateien mergen:
# ffmpeg -i "concat:MVI_1751.mp3|MVI_1753.mp3" -c copy MVI_1752.mp3
(Bei größeren Dateimengen ist sox eine gute Alternative: 
# sox file1.wav file2.wav ... filen.wav newfile.wav
)
* 2 Videodateien mergen
Falls auf Grund unterschiedlicher Codierung sich das obige Beispiel nicht aus Videos übertragen lässt:
$ ffmpeg -ifile1.mp4 -i file2.mp4 -filter_complex "[0:v][0:a][1:v][1:a] concat=n=2:v=1:a=1 [outv] [outa]" -map "[outv]" -map "[outa]" out.mp4

Beispiel für das Zusammenmergen von 3 Videos incl. Sound:
$ ffmpeg -i VID_20241225_part1.mp4 -i VID_20241225_part2.mp4 -i VID_20241225_142603~2.mp4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0] concat=n=3 :v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" output.mp4

Beispiel für das Zusammenmergen von 4 Videos zu 1 großen:
$ ffmpeg -i part1.mp4 -i part2.mp4 -i MVI_0309.MP4 -i MVI_0310.MP4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0][3:v:0][3:a:0]concat=n=4:v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" bigmovie.mp4

Alternative: 
Datei erstellen mit dem Inhalt der Videodateien:
cat > myfile.txt<<EOF
file 'MVI_1547.mp4'
file 'MVI_1610.mp4'
EOF

$ ffmpeg -f concat -i myfile.txt -c copy output.mp4

Sollte das Video nicht sauber durchlaufen, mit avidemux öffnen und die Schnittstelle rausschneiden.

(wer noch immer nicht genug hat: https://trac.ffmpeg.org/wiki/Concatenate )

* Beispiel für 2 Videodateien zusammenmergen:

#!/bin/bash

F1=MVI_1869.MOV
F2=MVI_1870.MOV
RESULT=MVI_1871.mp4

# sound
#ffmpeg -i $F1 intermediate.mp3
#ffmpeg -i $F2 intermediate.mp3

# movie ohne sound
# ffmpeg -i $F1 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate1.ts
# ffmpeg -i $F2 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate2.ts
# ffmpeg -f mpegts -i "concat:intermediate1.ts|intermediate2.ts" -c copy -bsf:a aac_adtstoasc $RESULT
# rm intermediate{1,2}.ts

# movie mit Sound
ffmpeg -i $F1 -i $F2 \
-filter_complex "[0:v:0] [0:a:0] [1:v:0] [1:a:0] concat=n=2:v=1:a=1 [v] [a]" \
-map "[v]" -map "[a]" $RESULT

* Zeitraffer/Zeitlupe

Beispiel doppelte Geschwindigkeit:
ffmpeg -i input.mp4 -filter:v "setpts=0.5*PTS" output.mp4
(Der Sound sollte dann rausgeschnitten werden, weil er sonst nicht zur Filmlänge passt, s.o.)

https://medium.com/@sekhar.rahul/creating-a-time-lapse-video-on-the-command-line-with-ffmpeg-1a7566caf877

* Untertitel zufügen

Wenn die Untertitel als srt Datei vorliegen , muss man sie erst ins ass Format umwandeln:

$ ffmpeg -i subtitles.srt subtitles.ass

[[Subtitles_example.srt | Hier]] gibt es ein Beispiel für ein .srt file im Format
<fortlaufende nr.>
<time range HH:MM:SS,mmm --> HH:MM:SS,mmm>
<text>

Video mit Untertiteln erzeugen:

$ ffmpeg -i input.mp4 -vf ass=subtitles.ass output.mp4

Wer immer noch nicht genug hat:

https://img.ly/blog/ultimate-guide-to-ffmpeg/

==Soundtest mit arecord ==
Manchmal ist es hilfreich, Headset und Lautsprecher zu testen. So geht das:

$ arecord -f S16_LE -r 3000 | aplay -vvv

== avidemux ==
Nettes Videoschnitttool. Leider nicht mehr als Debianpaket verfügbar. Kann aber hier heruntergeladen werden: 
https://www.fosshub.com/Avidemux.html

Am besten das Appimage herunterladen und verlinken z.B.
# ln -s /usr/local/bin/3rdparty/avidemux_2.8.1.appImage /usr/local/bin/avidemux

== Bildbetrachter ==

=== irfanview ===
https://www.irfanview.net/faq.htm

Gibt es generisch nur für Windows. Lässt sich aber auf (mindestens) 2 Arten auch für Linux installieren:

==== 1. Snap ====
https://snapcraft.io/install/irfanview/debian
$ sudo apt install snapd
$ sudo snap install irfanview
$ type -a irfanview
irfanview is /snap/bin/irfanview

==== 2. Wine ====
Unbedingt darauf achten, die 64bit-Version herunterzuladen!
$ wine iview460_x64_setup.exe
Danach kommt ein Windows-Installer-Fenster.
$ type -a irfanview
irfanview is aliased to `wine /home/kathrin/.wine/drive_c/Program\ Files/IrfanView/i_view64.exe'

=== gwenview ===
Hat ein paar nette Eigenschaften, z.B. mehrere Bilder gleichzeitig anzeigen lassen zum Vergleich. Kommt mit KDE oder als gleichnamiges Paket.

== .wav Dateien mit xine abspielen ==
Wenn eine Fehlermeldung missing plugin kommt...

* libxine2-misc-plugins installieren

==Image::Magick==
Perlmodul, mit dem man Massenbearbeitung von Bildern (verkleinern, vergrößern,
...) durchführen kann. 
Beispielscript [[resizeXpercent.pl]]: 
Alle Bilder eines bestimmten Ordners werden um X Prozent verkleinert und in
einen anderen Ordner gespeichert.

==Image Magick mit jpeg-Support benutzen==
libjpeg-dev installieren

OpenShift Cheatsheet

2025-09-26T15:07:28Z

Sunflower: /* Image handling */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Update images on running deployment
oc set image deployment/mydb mariadb-80=docker.io/ubuntu18/mysql-80:1-228

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-09-26T14:05:50Z

Sunflower: /* Registries */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Image handling =

Look into images:
oc image info registry.redhat.io:8443/ubi8/httpd-24:1-209 (-o json | jq -r .digest)

Watching images directly on a node
crictl images
crictl ps --name httpd-24 -o yaml
crictl images --digests <shasum>

When you have account to a registry:

skopeo login <registry>:8443 -u <username>
skopeo inspect docker://registry.redhat.io:8443/ubi8/httpd-24:1-209
Add the "latest" tag to a dedicated image:
skopeo copy docker://registry.redhat.io:8443/ubi8/httpd-24:1-215 docker://registry.redhat.io:8443/ubi8/httpd-24:latest

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

PDF Bearbeitung

2025-09-18T19:02:41Z

Sunflower: Created page with "= PDFs bearbeiten = Ein sehr nützliches Tool hierfür ist pdftk == PDF splitten == pdftk <input.pdf> cat <range> output<output.pdf> Beispiele pdftk document.pdf cat 1-2 output first2pages.pdf pdftk document.pdf cat 3 output thirdpage.pdf == PDFs mergen == pdftk document1.pdf document2.pdf cat output document_merged.pdf"

= PDFs bearbeiten =

Ein sehr nützliches Tool hierfür ist pdftk

== PDF splitten ==

pdftk <input.pdf> cat <range> output<output.pdf>

Beispiele
pdftk document.pdf cat 1-2 output first2pages.pdf
pdftk document.pdf cat 3 output thirdpage.pdf

== PDFs mergen ==
pdftk document1.pdf document2.pdf cat output document_merged.pdf

OpenShift Cheatsheet

2025-09-17T15:22:57Z

Sunflower: /* Change resources */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Add probes ===
Configure readiness probe for deployment:
$ oc set probe deployment/<testdeploy> --readiness --failure-threshold 7 --get-url http://:3000/api/health

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-09-17T11:50:46Z

Sunflower: /* Scaling resources */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Autoscale Pods
$ oc autoscale deployment/test --min 2 --max 10 --cpu-percent 80

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-09-16T06:23:56Z

Sunflower: /* Reduce memory requests */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Reduce/Upgrade cpu/mem requests ===
Reduce memory requests:
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-09-15T19:07:11Z

Sunflower: /* Change resources */

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

== Reduce memory requests ==
$ oc set resources deployment/huge-mem --requests memory=250Mi

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-08-27T12:43:22Z

Sunflower:

Some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-08-25T17:38:54Z

Sunflower: /* pvc */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path < /var/lib/mysql> (--claim-class <storage class> --claim-mode RWX|RWO --claim-size 1G )

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-08-25T17:35:46Z

Sunflower: /* Add volume to deployment */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path <//var/lib/mysql> (--claim-class ... --claim-mode RWX|RWO --claim-size 1G)

== Remove volume from deployment ==

$ oc set volume deployment/file-sharing --remove --name=<vol-name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

Drucker einrichten mit CUPS

2025-08-18T15:22:20Z

Sunflower: /* Alternative KDE */

= Ausgangssituation=
OS: Debian >= buster 
Drucker: 
  Canon Pixma iP4300 
  HP Deskjet 1000 
Server: Cups 

= Arbeitsschritte =
== Im Vorfeld ==
Bevor man sich einen Drucker zulegt, will man vielleicht unter
http://www.openprinting.org/printers
überprüfen, ob das gute Stück auch von Linux unterstützt wird.
== Treiber holen ==
Canon bietet dankenswerterweise generische Treiber: 
http://de.software.canon-europe.com/ 
tar.gz runterladen und auspacken.

Für hp gibt es unter der Sammelbezeichnung '''hplip''' eine große Menge Treiber für alle gängigen Modelle

http://sourceforge.net/projects/hplip/files/hplip/

== Treiber installieren ==
=== Canon===
Da es nur rpms gibt, müssen die Treiber erst in Debianpakete verwandelt werden.
Dafür gibt es das praktische Tool 'alien':
# alien --script cnijfilter-common-2.70-2.i386.rpm
# alien --script cnijfilter-ip4300-2.70-2.i386.rpm
Nun die Treiber nach altbekannter Manier installieren:
# dpkg -i cnijfilter-common-2.70-3.i386.deb
# dpkg -i cnijfilter-ip4300-2.70-3.i386.deb
Cups (bzw. das Paket '''cups''') installieren und Daemon starten. Cups lauscht per
default auf Port 631, also im Browser
http://localhost:631
eingeben. Unter "Administration -> add printer" bekommt man eine Auswahlmaske (s.u.)

===HP===
Mittlerweile gibt es für hp das Debianpaket '''hplip'''. Dort sich alle gängigen Modelle enthalten.

# apt install hplip

(Wer sich im o.g. Link die neueste Version heruntergeladen hat, muss diese mittels
hplip-<version>.run installieren.)

Falls im laufenden Betrieb Schwierigkeiten entstehen sollten, sollte man überprüfen, ob folgende Pakete vorhanden sind.
* libcups2-dev
* libcupsimage2-dev

Für Debugging / manuelle Einstellungen gibt es eine Reihe hp-* commands, auf die hier aber nicht näher eingegangen wird, da wir den Drucker direkt im CUPS einrichten.

Für das Auswählen von weiteren Optionen (scan, fax,...) sollten auch folgende Pakete installiert sein:
* xsane
* libsane-dev
* python-imaging
* python3-pyqt4
* python-notify

Drucker im CUPS einrichten. Die Web-GUI lauscht auf Port 631, also in Browser http://localhost:631 eingeben.
Unter "Administration" Add Printer auswählen.

== Cups konfigurieren ==
Name:
Location:
Description:
Hier ist es ziemlich egal, was man einträgt, ich würde aber keinen zu langen
Namen wählen.
Continue -> Device:
Hier sollte im Drop-Down-Menü bereits der richtige Name erscheinen, in dem Fall
"Canon iP4300 USB #1 (Canon iP4300)" Ist das nicht der Fall, überprüfen, ob man
den richtigen Treiber erwischt hat!
Continue -> Model (oder Make):
Dort sollte 'Canon', 'HP' usw. erscheinen 
Alternativ den Punkt 'Provide a PPD File' wählen: 
Diese Dateien befinden sich bei Canon unter /usr/share/cups/model

Wer den genauen Namen seines Druckers angeben will, kann diesen per USB anschliessen und mit
lsusb
ermitteln.

Fertig. Unter "Printers" kann man sich den Drucker anschauen u. gegebenenfalls
per "modify" Änderungen vornehmen. Der Punkt "Set default printer" ermöglicht
ein Drucken per 'lpr' ohne Setzen einer -P-Option.
'''Achtung:''' Falls z.B. nach einem versuchten Probedruck folgende Meldung
erscheint:
"Unable to start filter "pstocanonij" - No such file or directory."
muss diese im Verzeichnis
/usr/lib/cups/filter hinterlegt werden. Danach den Drucker nochmal neu einrichten und sich mit
einer Testseite davon überzeugen, dass alles geklappt hat.

Es besteht auch die Möglichkeit, das ppd File manuell nachzubearbeiten, z.B. Default Size von letter auf A4 umstellen.
Die vorhin von CUPS generierte Datei befindet sich unter
/etc/cups/ppd/

==Debugging==
Wenn nicht alles so läuft, wie es soll, kann man über die Web-GUI Debugging einschalten (Administration -> server -> Save debugging information for troubleshooting)
Dann nochmal drucken und in die Logfiles schauen. Nicht vergessen, diese Option später wieder rauszunehmen, da diese ein Vielfaches an Output erzeugt.

==Known Bugs==

=== Drucker stoppt selbständig ===
Manchmal "hängt" ein Drucker einfach bzw. liefert keinen Output. In der Übersicht im Webfrontend sieht man dann
''Paused - "File "/usr/lib/cups/filter/hpcups" not available: No such file or directory"''

In diesem Fall geht man auf die Printer-Übersicht und klickt bei Maintenance den Punkt "Resume Printer" an.

=== Fehlende Library ===

Wenn im Debug Output (s.o.) das Fehlen einer Datei libpng.so.3 angemeckert wird oder ein Output erscheint wie
''/usr/local/bin/cifip4300: error while loading shared libraries: /usr/lib/libpng.so.3: invalid ELF header''
muss diese Datei richtig verlinkt werden -> Mit dpkg ermitteln, welche libpng gerade installiert ist und den entsprechenden Link ins /lib-Verzeichnis setzen:
# ln -s /lib/libpng12.so.0 libpng.so.3

== Alternative KDE ==
Sobald man den Drcuker per USB angeschlossen hat, erscheint ein Pop-Up-Fenster, in dem man die Druckereinstellungen modifizieren kann falls nötig.

[[File:Screenshot kdeprinting.png|500px]]

Wenn es später nochmal nötig wird, Veränderungen vorzunehmen, kann man dies mithilfe
configure-printer <printername>
tun.
Den Druckernamen erfährt man per
lsusb
Wer nur einen Drcuker angeschlossen hat, kann auch
configure-printer default
versuchen.

== Alternative Gutenprint ==
Falls die Treiber des Herstellers Probleme machen, kann man auch (den in cups enthaltenen) Gutenprint-Treiber verwenden. Dazu im Webfrontend (localhost:631) den Drucker anwählen und unter "Administration->modify" das Modell des Herstellers + gutenprint wählen, also z.B. "Canon Pixma iP4300 - CUPS+Gutenprint v5.2.9"

== Alternative Turpoprint ==
Dieses ist ein kommerzielles Programm für Linux-Druckertreiber. Kostenpunkt: ca. 30
€ (Stand März 2011): (http://www.turboprint.de/)

Hier ist nur die Demoversion beschrieben. Diese hat den Nachteil, dass auf jedem
Ausdruck ein hässliches Turboprint-Label erscheint. 
turboprint herunterladen, auspacken, installieren (./setup-Befehl ausführen),
danach gibt es die Möglichkeit, eine Testseite zu drucken. 
In den Ordner /usr/share/turboprint/ppd wechseln, dort das zum Drucker passende
file auswählen und in den Cups-Ordner kopieren, also in meinem Fall:
# cd /usr/share/turboprint/ppd
# cp Canon_PIXMA_iP4300.ppd /usr/share/cups/model/
Dann im Cups ebendiese Datei auswählen
-> Add printer
Das ist natürlich ein sehr spezifisches Beispiel, aber das Funktionsprinzip ist
ähnlich für fast alle Drucker.

Zuguterletzt noch ein paar Tipps zum Finetuning des Druckers: 
http://wiki.ubuntuusers.de/Canon-Drucker

File:Screenshot kdeprinting.png

2025-08-18T15:20:39Z

Sunflower:

Drucker einrichten mit CUPS

2025-08-18T15:19:51Z

Sunflower:

= Ausgangssituation=
OS: Debian >= buster 
Drucker: 
  Canon Pixma iP4300 
  HP Deskjet 1000 
Server: Cups 

= Arbeitsschritte =
== Im Vorfeld ==
Bevor man sich einen Drucker zulegt, will man vielleicht unter
http://www.openprinting.org/printers
überprüfen, ob das gute Stück auch von Linux unterstützt wird.
== Treiber holen ==
Canon bietet dankenswerterweise generische Treiber: 
http://de.software.canon-europe.com/ 
tar.gz runterladen und auspacken.

Für hp gibt es unter der Sammelbezeichnung '''hplip''' eine große Menge Treiber für alle gängigen Modelle

http://sourceforge.net/projects/hplip/files/hplip/

== Treiber installieren ==
=== Canon===
Da es nur rpms gibt, müssen die Treiber erst in Debianpakete verwandelt werden.
Dafür gibt es das praktische Tool 'alien':
# alien --script cnijfilter-common-2.70-2.i386.rpm
# alien --script cnijfilter-ip4300-2.70-2.i386.rpm
Nun die Treiber nach altbekannter Manier installieren:
# dpkg -i cnijfilter-common-2.70-3.i386.deb
# dpkg -i cnijfilter-ip4300-2.70-3.i386.deb
Cups (bzw. das Paket '''cups''') installieren und Daemon starten. Cups lauscht per
default auf Port 631, also im Browser
http://localhost:631
eingeben. Unter "Administration -> add printer" bekommt man eine Auswahlmaske (s.u.)

===HP===
Mittlerweile gibt es für hp das Debianpaket '''hplip'''. Dort sich alle gängigen Modelle enthalten.

# apt install hplip

(Wer sich im o.g. Link die neueste Version heruntergeladen hat, muss diese mittels
hplip-<version>.run installieren.)

Falls im laufenden Betrieb Schwierigkeiten entstehen sollten, sollte man überprüfen, ob folgende Pakete vorhanden sind.
* libcups2-dev
* libcupsimage2-dev

Für Debugging / manuelle Einstellungen gibt es eine Reihe hp-* commands, auf die hier aber nicht näher eingegangen wird, da wir den Drucker direkt im CUPS einrichten.

Für das Auswählen von weiteren Optionen (scan, fax,...) sollten auch folgende Pakete installiert sein:
* xsane
* libsane-dev
* python-imaging
* python3-pyqt4
* python-notify

Drucker im CUPS einrichten. Die Web-GUI lauscht auf Port 631, also in Browser http://localhost:631 eingeben.
Unter "Administration" Add Printer auswählen.

== Cups konfigurieren ==
Name:
Location:
Description:
Hier ist es ziemlich egal, was man einträgt, ich würde aber keinen zu langen
Namen wählen.
Continue -> Device:
Hier sollte im Drop-Down-Menü bereits der richtige Name erscheinen, in dem Fall
"Canon iP4300 USB #1 (Canon iP4300)" Ist das nicht der Fall, überprüfen, ob man
den richtigen Treiber erwischt hat!
Continue -> Model (oder Make):
Dort sollte 'Canon', 'HP' usw. erscheinen 
Alternativ den Punkt 'Provide a PPD File' wählen: 
Diese Dateien befinden sich bei Canon unter /usr/share/cups/model

Wer den genauen Namen seines Druckers angeben will, kann diesen per USB anschliessen und mit
lsusb
ermitteln.

Fertig. Unter "Printers" kann man sich den Drucker anschauen u. gegebenenfalls
per "modify" Änderungen vornehmen. Der Punkt "Set default printer" ermöglicht
ein Drucken per 'lpr' ohne Setzen einer -P-Option.
'''Achtung:''' Falls z.B. nach einem versuchten Probedruck folgende Meldung
erscheint:
"Unable to start filter "pstocanonij" - No such file or directory."
muss diese im Verzeichnis
/usr/lib/cups/filter hinterlegt werden. Danach den Drucker nochmal neu einrichten und sich mit
einer Testseite davon überzeugen, dass alles geklappt hat.

Es besteht auch die Möglichkeit, das ppd File manuell nachzubearbeiten, z.B. Default Size von letter auf A4 umstellen.
Die vorhin von CUPS generierte Datei befindet sich unter
/etc/cups/ppd/

==Debugging==
Wenn nicht alles so läuft, wie es soll, kann man über die Web-GUI Debugging einschalten (Administration -> server -> Save debugging information for troubleshooting)
Dann nochmal drucken und in die Logfiles schauen. Nicht vergessen, diese Option später wieder rauszunehmen, da diese ein Vielfaches an Output erzeugt.

==Known Bugs==

=== Drucker stoppt selbständig ===
Manchmal "hängt" ein Drucker einfach bzw. liefert keinen Output. In der Übersicht im Webfrontend sieht man dann
''Paused - "File "/usr/lib/cups/filter/hpcups" not available: No such file or directory"''

In diesem Fall geht man auf die Printer-Übersicht und klickt bei Maintenance den Punkt "Resume Printer" an.

=== Fehlende Library ===

Wenn im Debug Output (s.o.) das Fehlen einer Datei libpng.so.3 angemeckert wird oder ein Output erscheint wie
''/usr/local/bin/cifip4300: error while loading shared libraries: /usr/lib/libpng.so.3: invalid ELF header''
muss diese Datei richtig verlinkt werden -> Mit dpkg ermitteln, welche libpng gerade installiert ist und den entsprechenden Link ins /lib-Verzeichnis setzen:
# ln -s /lib/libpng12.so.0 libpng.so.3

== Alternative KDE ==
Sobald man den Drcuker per USB angeschlossen hat, erscheint ein POP-Up-Fenster, in dem man die Druckereinstellungen modifizieren kann falls nötig.

Wenn es später nochmal nötig wird, Veränderungen vorzunehmen, kann man dies mithilfe
configure-printer <printername>
tun.
Den Druckernamen erfährt man per
lsusb
Wer nur einen Drcuker angeschlossen hat, kann auch
configure-rpinter default
versuchen.

== Alternative Gutenprint ==
Falls die Treiber des Herstellers Probleme machen, kann man auch (den in cups enthaltenen) Gutenprint-Treiber verwenden. Dazu im Webfrontend (localhost:631) den Drucker anwählen und unter "Administration->modify" das Modell des Herstellers + gutenprint wählen, also z.B. "Canon Pixma iP4300 - CUPS+Gutenprint v5.2.9"

== Alternative Turpoprint ==
Dieses ist ein kommerzielles Programm für Linux-Druckertreiber. Kostenpunkt: ca. 30
€ (Stand März 2011): (http://www.turboprint.de/)

Hier ist nur die Demoversion beschrieben. Diese hat den Nachteil, dass auf jedem
Ausdruck ein hässliches Turboprint-Label erscheint. 
turboprint herunterladen, auspacken, installieren (./setup-Befehl ausführen),
danach gibt es die Möglichkeit, eine Testseite zu drucken. 
In den Ordner /usr/share/turboprint/ppd wechseln, dort das zum Drucker passende
file auswählen und in den Cups-Ordner kopieren, also in meinem Fall:
# cd /usr/share/turboprint/ppd
# cp Canon_PIXMA_iP4300.ppd /usr/share/cups/model/
Dann im Cups ebendiese Datei auswählen
-> Add printer
Das ist natürlich ein sehr spezifisches Beispiel, aber das Funktionsprinzip ist
ähnlich für fast alle Drucker.

Zuguterletzt noch ein paar Tipps zum Finetuning des Druckers: 
http://wiki.ubuntuusers.de/Canon-Drucker

File:Screenshot cups 2025-08-18.png

2025-08-18T15:12:15Z

Sunflower:

Drucker einrichten mit CUPS

2025-08-18T15:01:59Z

Sunflower: /* Cups konfigurieren */

= Ausgangssituation=
OS: Debian >= buster 
Drucker: 
  Canon Pixma iP4300 
  HP Deskjet 1000 
Server: Cups 

= Arbeitsschritte =
== Im Vorfeld ==
Bevor man sich einen Drucker zulegt, will man vielleicht unter
http://www.openprinting.org/printers
überprüfen, ob das gute Stück auch von Linux unterstützt wird.
== Treiber holen ==
Canon bietet dankenswerterweise generische Treiber: 
http://de.software.canon-europe.com/ 
tar.gz runterladen und auspacken.

Für hp gibt es unter der Sammelbezeichnung '''hplip''' eine große Menge Treiber für alle gängigen Modelle

http://sourceforge.net/projects/hplip/files/hplip/

== Treiber installieren ==
=== Canon===
Da es nur rpms gibt, müssen die Treiber erst in Debianpakete verwandelt werden.
Dafür gibt es das praktische Tool 'alien':
# alien --script cnijfilter-common-2.70-2.i386.rpm
# alien --script cnijfilter-ip4300-2.70-2.i386.rpm
Nun die Treiber nach altbekannter Manier installieren:
# dpkg -i cnijfilter-common-2.70-3.i386.deb
# dpkg -i cnijfilter-ip4300-2.70-3.i386.deb
Cups (bzw. das Paket '''cups''') installieren und Daemon starten. Cups lauscht per
default auf Port 631, also im Browser
http://localhost:631
eingeben. Unter "Administration -> add printer" bekommt man eine Auswahlmaske (s.u.)

===HP===
Mittlerweile gibt es für hp das Debianpaket '''hplip'''. Dort sich alle gängigen Modelle enthalten.

# apt install hplip

(Wer sich im o.g. Link die neueste Version heruntergeladen hat, muss diese mittels
hplip-<version>.run installieren.)

Falls im laufenden Betrieb Schwierigkeiten entstehen sollten, sollte man überprüfen, ob folgende Pakete vorhanden sind.
* libcups2-dev
* libcupsimage2-dev

Für Debugging / manuelle Einstellungen gibt es eine Reihe hp-* commands, auf die hier aber nicht näher eingegangen wird, da wir den Drucker direkt im CUPS einrichten.

Für das Auswählen von weiteren Optionen (scan, fax,...) sollten auch folgende Pakete installiert sein:
* xsane
* libsane-dev
* python-imaging
* python3-pyqt4
* python-notify

Drucker im CUPS einrichten. Die Web-GUI lauscht auf Port 631, also in Browser http://localhost:631 eingeben.
Unter "Administration" Add Printer auswählen.

== Cups konfigurieren ==
Name:
Location:
Description:
Hier ist es ziemlich egal, was man einträgt, ich würde aber keinen zu langen
Namen wählen.
Continue -> Device:
Hier sollte im Drop-Down-Menü bereits der richtige Name erscheinen, in dem Fall
"Canon iP4300 USB #1 (Canon iP4300)" Ist das nicht der Fall, überprüfen, ob man
den richtigen Treiber erwischt hat!
Continue -> Model (oder Make):
Dort sollte 'Canon', 'HP' usw. erscheinen 
Alternativ den Punkt 'Provide a PPD File' wählen: 
Diese Dateien befinden sich bei Canon unter /usr/share/cups/model

Wer den genauen Namen seines Druckers angeben will, kann diesen per USB anschliessen und mit
lsusb
ermitteln.

Fertig. Unter "Printers" kann man sich den Drucker anschauen u. gegebenenfalls
per "modify" Änderungen vornehmen. Der Punkt "Set default printer" ermöglicht
ein Drucken per 'lpr' ohne Setzen einer -P-Option.
'''Achtung:''' Falls z.B. nach einem versuchten Probedruck folgende Meldung
erscheint:
"Unable to start filter "pstocanonij" - No such file or directory."
muss diese im Verzeichnis
/usr/lib/cups/filter hinterlegt werden. Danach den Drucker nochmal neu einrichten und sich mit
einer Testseite davon überzeugen, dass alles geklappt hat.

Es besteht auch die Möglichkeit, das ppd File manuell nachzubearbeiten, z.B. Default Size von letter auf A4 umstellen.
Die vorhin von CUPS generierte Datei befindet sich unter
/etc/cups/ppd/

==Debugging==
Wenn nicht alles so läuft, wie es soll, kann man über die Web-GUI Debugging einschalten (Administration -> server -> Save debugging information for troubleshooting)
Dann nochmal drucken und in die Logfiles schauen. Nicht vergessen, diese Option später wieder rauszunehmen, da diese ein Vielfaches an Output erzeugt.

==Known Bugs==

=== Drucker stoppt selbständig ===
Manchmal "hängt" ein Drucker einfach bzw. liefert keinen Output. In der Übersicht im Webfrontend sieht man dann
''Paused - "File "/usr/lib/cups/filter/hpcups" not available: No such file or directory"''

In diesem Fall geht man auf die Printer-Übersicht und klickt bei Maintenance den Punkt "Resume Printer" an.

=== Fehlende Library ===

Wenn im Debug Output (s.o.) das Fehlen einer Datei libpng.so.3 angemeckert wird oder ein Output erscheint wie
''/usr/local/bin/cifip4300: error while loading shared libraries: /usr/lib/libpng.so.3: invalid ELF header''
muss diese Datei richtig verlinkt werden -> Mit dpkg ermitteln, welche libpng gerade installiert ist und den entsprechenden Link ins /lib-Verzeichnis setzen:
# ln -s /lib/libpng12.so.0 libpng.so.3

== Alternative Gutenprint ==
Falls die Treiber des Herstellers Probleme machen, kann man auch (den in cups enthaltenen) Gutenprint-Treiber verwenden. Dazu im Webfrontend (localhost:631) den Drucker anwählen und unter "Administration->modify" das Modell des Herstellers + gutenprint wählen, also z.B. "Canon Pixma iP4300 - CUPS+Gutenprint v5.2.9"

== Alternative Turpoprint ==
Dieses ist ein kommerzielles Programm für Linux-Druckertreiber. Kostenpunkt: ca. 30
€ (Stand März 2011): (http://www.turboprint.de/)

Hier ist nur die Demoversion beschrieben. Diese hat den Nachteil, dass auf jedem
Ausdruck ein hässliches Turboprint-Label erscheint. 
turboprint herunterladen, auspacken, installieren (./setup-Befehl ausführen),
danach gibt es die Möglichkeit, eine Testseite zu drucken. 
In den Ordner /usr/share/turboprint/ppd wechseln, dort das zum Drucker passende
file auswählen und in den Cups-Ordner kopieren, also in meinem Fall:
# cd /usr/share/turboprint/ppd
# cp Canon_PIXMA_iP4300.ppd /usr/share/cups/model/
Dann im Cups ebendiese Datei auswählen
-> Add printer
Das ist natürlich ein sehr spezifisches Beispiel, aber das Funktionsprinzip ist
ähnlich für fast alle Drucker.

Zuguterletzt noch ein paar Tipps zum Finetuning des Druckers: 
http://wiki.ubuntuusers.de/Canon-Drucker

OpenShift Cheatsheet

2025-07-31T14:07:11Z

Sunflower: /* pvc */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path <//var/lib/mysql> (--claim-class ... --claim-mode RWX|RWO --claim-size 1G)

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-31T14:06:20Z

Sunflower: /* Add volume to deployment */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path </var/lib/mysql> (--claim-class ... --claim-mode RWX|RWO --claim-size 1G)

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-31T06:51:26Z

Sunflower: /* Create ingress for service */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path </var/lib/mysql>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

=== Create ingress for service ===

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-31T06:41:15Z

Sunflower: /* Creating */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

== Create configmap from file ==
$ oc create configmap <mymap> --from-file=/tmp/dump.sql

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path </var/lib/mysql>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-25T13:08:51Z

Sunflower: /* Add volume to deployment */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

=== pvc ===
$ oc set volume deployment/<mydeployment> --add --type pvc --name <mypvc-vol> --claim-name <mypvc> --mount-path </var/lib/mysql>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-25T11:54:47Z

Sunflower: /* configmap */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Add volume to deployment ==

=== configmap ===
$ oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-25T11:54:33Z

Sunflower: /* Add volume to deployment */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Add volume to deployment ==

=== configmap ===
oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-25T11:54:19Z

Sunflower: /* Create Job from image */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Add volume to deployment ==

=== configmap ===
oc set volume deployment/<mydeployment> --add --type configmap --name <myvol> --configmap-name <mymap> --mount-path </var/www/html>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-25T11:13:23Z

Sunflower: /* Create service from deployment */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> (--selector app=<myapp>) --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-07-23T13:26:37Z

Sunflower: /* Creating */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Make new app available ==

=== Create service from deployment ===
$ oc expose deployment <mydeployment> --name <service-mynewapp> --port 8080 --target-port 8080

=== Create route from service ===
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Alternative ingress:

== Create ingress for service ==

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Afterwards the app is reachable from outside.

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

WLAN einrichten

2025-07-15T19:09:04Z

Sunflower:

Auf Grund wochenlangen Ärgernisses mit WLAN, Linux (Kanotix), WPA und einem
Sitecom-USB-Stick (die Mischung macht's!) entstand dieser Wiki-Artikel.

* Mittlerweile gibt es komfortable Tools wie den [https://wiki.debian.org/NetworkManager Network-Manager] * , aber wer gerne selbst Hand anlegt, kann das hier tun.
 
* https://www.makeuseof.com/connect-to-wifi-with-nmcli/

== Schritt 1: Der richtige Treiber ==

Hierfür googelt ihr nach dem Chipsatz eures WLAN-Sticks - in meinem Fall handelt
es sich um "zydas". Anhand dieser Angabe sucht ihr nach einem passenden Treiber.
Fündig wird man in meinem konkreten Fall unter:

http://sourceforge.net/projects/zd1211/

== Schritt 2: Treiber installieren ==

=== Kernel >= 3.0 ===
Im allgemeinen sind die benötigten Treiber vorhanden. Mit
# ip a
lässt sich einfach überprüfen, ob eine neue Netzwerkkarte (i.a. wlan0) dazugekommen ist.
Falls nicht, mit den Schritten für die älteren Kernel weitermachen bzw. erstmal schauen, ob es den Treiber als fertiges Paket gibt.

=== Kernel >= 2.6.26 ===
zd1211-firmware-1.4.tar.bz2 von der sourceforge-Seite runterladen, die Firmware
auspacken, README lesen und Anweisungen befolgen, also alle zd1211*-files nach
/lib/firmware/zd1211 kopieren. Anschließend entsprechendes Modul neu laden:
# rmmod zd1211rw
# modprobe zd1211rw
Mittels Kommando "lsmod" kann man nachkontrollieren, ob das Treibmodul
(zd1211rw) geladen wurde. Im Notfall manuell (modprobe zd1211rw) nachholen
(dafür muss man allerdings wissen, wie das gute Stück heisst, im Notfall hilft
ein plumper Reboot :). Mittlerweile hat Sitecom ja auf Ralink umgestellt, habe
leider keine Erfahrung damit. 

Wer sich über einen komischen Interface-Namen "wmaster0" wundert: 
Dieser ist Teil des mac80211 Frameworks und wird bis Kernel 2.6.32 benötigt.
Im Standardkernel ist dieses Modul vorhanden und wird wie folgt angezeigt
(natürlich in Abhängigkeit vom Chipsatz der WLAN-Karte):
mac80211 139776 1 zd1211rw
Das wmaster-Interface ist nur ein Hilfskonstrukt und sollte manuell NICHT
angefasst werden. Konfiguriert wird nur das eigentliche Interface (z.B. wlan0).
Weitere Informationen sind hier
[http://linuxwireless.org/en/developers/Documentation/mac80211 ] nachzulesen.

=== Ältere Kernel (getestet am Beispiel 2.6.19.7)===
Meistens kommt der Treiber als .tar.gz oder .tgz-Datei daher: Runterladen und
Auspacken:
$ tar -xzvf zd1211-driver-r69.tar.gz

Ins entpackte Verzeichnis wechseln:
$ cd zd1211-driver-r69
und im README (sofern vorhanden) lesen, was zu tun ist. Meist läuft es auf
Kompilieren und Installieren raus:
$ make
# make install

Die übrigen Schritte sind dann (fast) unabhängig vom Treiber.

==Schritt 3: Netzwerkkartenbezeichner rausfinden und Interface aktivieren ==
# ifconfig -a
ausführen und schauen, was dazugekommen ist. Ein gängiger Interfacename ist
wlan0 oder eth[nächste freie Nummer].

Dann wird das Interface aktiviert. Der Einfachheit halber benenne ich dieses im
weiteren Verlauf mit "wlan0".
# ifconfig wlan0 up

==Schritt 4: SSID und Verschlüsselung konfigurieren ==
Danach gilt es, die SSID herauszufinden:
# iwlist wlan0 scan
Falls ihr den SSID-Broadcast auf eurem WLAN-Router deaktiviert habt, müsst ihr
die SSID später eben von Hand eintragen.

Anmerkung zu iwconfig/iwlist: Falls es diesen Befehl auf eurem System noch nicht
gibt, müsst ihr euch die wlan-tools besorgen: 
http://pcmcia-cs.sourceforge.net/ftp/contrib/wireless_tools.28.tar.gz 
(Gibts mittlerweile für Debian auch als Paket (wireless-tools)) 
Was die Verschlüsselung angeht, werde ich zunächst auf WEP, danach auf
WPA-PSK/TKIP und WPA2 eingehen.

===WEP-Verschlüsselung===
Falls ihr mehrere Access-Points gefunden habt, könnt ihr mit
# iwconfig wlan0 essid 'mein WLAN-Netz'
(dort kommt natürlich der String rein, den ihr mit "iwlist wlan0 scan"
ermittelt habt)
euer WLAN-Netz wählen. 
Danach wird der WEP-Key konfiguriert:
# iwconfig wlan0 key <schluessel_als_hexzahl> oder <s:schluessel_als_ascii>
z.B. iwconfig wlan0 key 46463153715A394E6741634652

===WPA-Verschlüsselung===
Zunächst mal rausfinden, um was für eine Verschlüsselung es sich handelt oder
sie bei völliger Ahnungslosigkeit experimentell ermitteln. Mögliche Algorithmen
sind TKIP oder AES. In diesem Fall handelt es sich um WPA-PSK (preshared
key) und TKIP.

Ich konfiguriere das ganze mit "wpa_supplicant". Mit iwpriv konnte ich nix
anfangen. Zunächst das Paket "wpasupplicant" installieren, falls noch nicht
vorhanden. Dann eine Passphrase erzeugen mit:
$ wpa_passphrase <ssid> <passphrase>
wobei ssid die oben ermittelte SSID ist und passphrase der WPA-Key des
Access-Points. Ein möglicher Eintrag könnte also lauten:
$ wpa_passphrase 'FRITZ!Box Fon WLAN 7170' 0123456789101112

Danach eine Datei /etc/wpa_supplicant.conf erzeugen. Dort werden die ganzen
Parameter eingetragen, die man vorher ermittelt hat (SSID, Verschlüsselung,
Passphrase). Hier eine Beispieldatei:
ctrl_interface=/var/run/wpa_supplicant eapol_version=1 ap_scan=2
network={
ssid="FRITZ!Box Fon WLAN 7170"
scan_ssid=1
proto=WPA
key_mgmt=WPA-PSK
pairwise=TKIP
group=TKIP
psk=a97ee0751b63fc7493fc6bfd40c6662910cba5669e9a2ea727eb78d86832d19d
}

===WPA2===
Nachdem WEP und WPA1 unsicher resp. entschlüsselbar sind, empfiehlt es sich, am
Router WPA2 zu aktivieren. Die wpa_supplicant.conf sieht in einem solchen Fall
so aus:
ctrl_interface=/var/run/wpa_supplicant eapol_version=1 ap_scan=1
network={ ssid="FRITZ!Box Fon WLAN 7170"
scan_ssid=1
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
group=TKIP CCMP
psk=a97ee0751b63fc7493fc6bfd40c6662910cba5669e9a2ea727eb78d86832d19d
}

Die nächsten Schritte sind dann wieder für '''WPA''' und '''WPA2''' gemeinsam:
Nach Anpassung der Cofigdateiden wpa_supplicant-Befehl auf der Shell ausführen:
# wpa_supplicant -B -i wlan0 -D wext -c /etc/wpa_supplicant.conf -d
Ein möglicher Output sieht so aus:
Initializing interface 'wlan0' conf '/etc/wpa_supplicant.conf' driver 'wext'
ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant eapol_version=1 ap_scan=2'
Priority group 0
id=0 ssid='Fritz!Box xyz123'
Initializing interface (2) 'wlan0'
SIOCGIWRANGE: WE(compiled)=22 WE(source)=21 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf flags 0x0
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:0c:f6:16:7a:bb
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Using existing control interface directory.
Added interface wlan0

Bei eventuellen Fehlern und vor jedem Neustart das wpa_supplicant PID file
löschen und das Interface wieder hoch nehmen:
# rm /var/run/wpa_supplicant*/wlan0
# ifconfig wlan0 up

== Schritt 5: IP-Adresse bekommen==
Falls ihr auf dem WLAN-Router DHCP eingestellt habt, bekommt ihr so eine
IP-Adresse:
# dhclient wlan0
Ansonsten müsst ihr sie per "ifconfig" von Hand zuweisen.

Anmerkung: Unter Lenny/2.6.26.2-686 klappt das mit dem dhclient nicht so recht.
Stattdessen kommt die unerfreuliche Meldung:
wmaster0: unknown hardware address type 801
Eine Alternative stellt hier das Tool '''wicd''' dar. Zur Installation desselben
in die sources.list folgenden Eintrag machen (für Lenny, ansonsten entsprechend
anpassen):
deb http://www.backports.org/debian lenny-backports main contrib non-free
...gefolgt von den Install-Kommandos:
# aptitude update
# apt-get -t lenny-backports install wicd
Danach mit "wicd" den Daemon starten. Mit dem Aufruf "wicd-client" gelangt man
in ein Auswahlmenü, in dem man seine SSID wählen und sich mittels "Return" oder
"C"(onnect) verbinden kann. 
Größter Bug dieser Software ist wohl, dass man sie nach jedem Kernelupdate neu
installieren darf.

==Schritt 6: Browser starten u. ev. Namensauflösung anpassen==
Jetzt solltet ihr ins Internet kommen. Falls doch nicht, könnte es an der
Namensauflösung liegen. Eine Kontrollmöglichkeit ist, als URL eine IP-Adresse
einzugeben, beispielsweise http://216.34.181.60. Landet ihr nun auf der
Sourceforge-Seite, wurde die Datei "/etc/resolv.conf" nicht richtig generiert.
Datei öffnen und eintragen:
nameserver <IP des APs>
Die Access-Point-IP seht ihr z.B. nach einem erfolgreichen dhclient (Schritt 5).
Danach Browser neu starten.

==Problembehebung==
=== Meine wlan-Karte wird in "ifconfig" nicht angezeigt.===
Der zydas-Chipsatz des Sitecom-WLAN-Sticks scheint beim Booten von Debian nicht
immer sauber in den Kernel geladen zu werden. Wenn trotz richtiger Konfiguration
keine IP-Adresse vergeben wird (langer dhclient-Timeout), muss das
zydas-Kernelmodul entfernt und anschließend neu geladen werden:
# rmmod zd1211rw
# modprobe zd1211rw
# ifconfig wlan0 up
# ... (Konfigurationsschritte für WEP oder WPA)
# dhclient wlan0
(oder alternativ halt wicd-client, je nachdem...)

=== Meine SSID wird nicht gefunden ===
Manche älteren wlan-Stick-Modelle können in den höheren Frequenzbändern nicht
senden/empfangen. In dem Fall einen niedrigeren Kanal wählen. In der Fritzbox
geht das z.B. über das Menu Einstellungen -> WLAN -> Funkkanal.

Misc (multimedia)

2025-07-10T21:35:56Z

Sunflower: /* ffmpeg */

== Fotos vom Smartphone übertragen ==
* Geht schnell und stressfrei mit '''jmtpfs'''. Dieses lässt sich als Paket installieren. 
* Das Smartphone an den Micro-USB-Port anschließen und die Art der Datenübertragung wählen:
"Daten übertragen (mtp)"
* Daten z.B. nach /mnt mounten:
jmtpfs /mnt
und von dort kopieren

Anmerkung: Sollte unter KDE folgender Fehler auftreten

<pre>
Listing raw device(s)
Device 0 (VID=...) is a Samsung Galaxy models (MTP).
Found 1 device(s):
Samsung: Galaxy models (MTP) (...) @ bus 1, dev 10
Attempting to connect device(s)
libusb_claim_interface() reports device is busy, likely in use by GVFS or KDE MTP device handling already
LIBMTP PANIC: Unable to initialize device
Unable to open raw device 0
</pre>

Kann man folgendes versuchen:
<pre>
killall kiod5
</pre>
bzw.
<pre>
killall gvfs-udisk2
</pre>
unter xfce.

Leider ist es unter xfce offenbar nicht mehr möglich mit o.g. Tools ein Smartphone zu mounten. Eine andere Möglichkeit ist der Android Debugger '''adb'''. 
Installieren und sich den Inhalt der Speicherkarte ansehen:
<pre>
sudo apt install adb
adb devices
</pre>
(Es sollte mindestens ein Device angezeigt werden)
<pre>
adb shell
ls /sdcard/DCIM
strg+d
</pre>

Außerdem muss man an seinem Android Gerät noch ein paar Einstellungen vornehmen:
* Developer Mode einschalten (7x auf die Serial tippen)
* USB Debugging einschalten (unter den Developer Options)
* Nach dem Einstecken des USB-Kabels Data Transfer wählen (anstatt nur Aufladen)

Eine ausführliche Anleitung für diese Schritte gibt es hier: 
https://droidwin.com/fix-adb-device-not-found-error/

Mit
<pre>
adb pull <source> <destination>
</pre>
lassen sich die Dateien nun herunterziehen.

Man kann der adb Shell auch Argumente mitgeben z.B.
<pre>
adb shell ls /sdcard/DCIM/Camera
</pre>

=== Annotations ===
* Unter xfce4 kann man Fotos am besten mit jmtpfs herunterladen. Davor muss man konkurierende Prozesse mit Zugriff auf die Kamera in einer Endlosschleife abschießen
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
und in einer anderen Shell das Device mounten:
<pre>
mkdir /tmp/cam
jmtpfs /tmp/cam
Device 0 (VID=18d1 and PID=4ee2) is a Google Inc Nexus/Pixel (MTP+ADB).
Android device detected, assigning default bug flags
ls /tmp/cam/Interner\ gemeinsamer\ Speicher/DCIM/
Camera PeakLens
</pre>

* Unter kde kann man sich mir dem adb (s.o.) behelfen, indem man kiod+gvfs in einer Endlosschleife abschießt (s.o.):
<pre>
while sleep 0.1; do pkill kiod5; pkill gvfs-udisks2; done
</pre>
* Zu viele Fotos auf einmal herunterladen, bricht irgendwann ab. Hier ein paar Commands, wie man eine Auswahl heruntergeladen bekommt (e.g. Jan. 2024):
<pre>
adb shell ls /sdcard/DCIM/Camera|grep IMG_2024 >/tmp/img.txt
for IMG in $(grep 202401 /tmp/img.txt) ; do adb pull /sdcard/DCIM/Camera/$IMG CAM/; done
</pre>

== Bootbaren USB-Stick erstellen ==

'''Voraussetzung:''' Ein Ordner namens ''ISO'', in dem sich bootbare Dateien (z.B. für ein Windows-Image) befinden

Ein ISO-Image lässt sich sehr einfach mit dem Tool '''xorrisofs''' erstellen.
 Zunächst muss dieses installiert werden
$ sudo apt install xorriso

Das Erzeugen des ISO geht dann wie folgt:
$ xorrisofs -r -J -o ./windows10.iso ./ISO

Das ISO-Image kann man dann mit "dd" auf den USB-Stick kopiert werden. Je nachdem, um welches Device es sich handelt, kann das dann so aussehen:
# dd if=windows.iso of=/dev/sde
Achtung: '''Keine''' Partition erstellen/angeben !

==Tracks aus Musik-CD extrahieren==

$ icedax -D <devicename> -t 1 song1.wav
also z.B.
$ icedax -D /dev/cdrom -t 2 song2.wav
$ icedax -D /dev/cdrom0 -t 3+4 mixed.wav
(macht aus Nr. 3 u. 4 eine große Datei)

Wer lieber mp3s hat, kann '''cdda2mp3''' verwenden.

==Musik-CD brennen==
Für eine Musik-CD wird KEIN Isoimge erzeugt! 
Stattdessen alle wav-Dateien in einem Ordner speichen, dort hineinwechseln und
ausführen:
# cdrecord -dao *.wav

cdrecord wird in neueren Debian-Releases durch ''wodim'' ersetzt. Beispiel:

$ /usr/bin/wodim -v gracetime=2 dev=/dev/sr0 speed=4 -sao driveropts=burnfree -data

==DVD brennen==
# growisofs -R -J -Z /dev/dvd /path/to/file-or-directory

wobei -R=Rockridge, -J=Joliet und -Z=device (kann von System zu System variieren). Wer sich nicht sicher ist, kann mit -dry-run den Brennvorgang erstmal simulieren. 
Eine sehr schöne Übersicht über DVDs allg. und unter Linux gibt es hier 
http://www.rakekniven.de/linux/k-base/dvd-brennen.php

== Von DVD extrahieren ==
Als brauchbar für die Erstellung eines mp4 von DVD hat sich im Test handbrake herausgestellt. Lässt sich als Paket installieren. Nur der Sound kommt etwas leise. Dieser lässt sich mit [[#ffmpeg|ffmpeg]] aufbessern (s.u.).

== Monitor kalibrieren ==

Sehr empfehlenswert ist das Tool DisplayCAL [https://displaycal.net/], das gängige Kalibrierungsgeräte wie z.B. Spyder, unterstützt. 
Verwendete Hardware: 
[https://www.dpreview.com/articles/3856869836/spyder3 Spyder 3]

Hier gibt es eine umfassende Anleitung:

https://www.reallinuxuser.com/how-to-color-calibrate-your-monitor-in-linux/

=== Anmerkung ===

Die Originalversion benutzt Python2 und wird daher auf den gängigen Linux-Distributionen nicht mehr unterstützt. Es gibt aber ein Nachfolgeprojekt: https://github.com/eoyilmaz/displaycal-py3
und darauf basierend ein Debianpaket:
$ sudo apt install displaycal

Unten genanntes wurde mit der alten Version und python2 getestet.

=== Protipp ===

* Wer keine guten/farbstichige Ergebnisse erzielt, kann als Whitepoint 5300K versuchen.

[[File:Screenshot 2021-02-23 19-55-44.png|800px]]

* Am Ende wird ein '''Profil''' (.icc Datei) erzeugt. Laden lässt sich dieses mit xcalib:

$ xcalib <profilname>

(und ein bisschen Theorie zu den konfigurierbaren Parametern:

https://displaycal.net/#colorimeter-corrections )

== ffmpeg ==
'''Das''' Tool zum Filme (und Sound) bearbeiten. Hier ein paar Beispiele:

* Film um 180° drehen:
$ ffmpeg -i input.mp4 -vf "transpose=2,transpose=2" output.mp4

* Sound entfernen:
$ ffmpeg -i MVI_1747.MOV -vcodec copy -an MVI_1747_mute.MOV
* Sound extrahieren (als mp3 abspeichern):
# ffmpeg -i MVI_1751.MOV MVI_1751.mp3
* Lautstärke verändern (z.B. 1.5fach)
# ffmpeg -i input.wav -af "volume=1.5" output.wav

* Ab Position n den Rest abschneiden:
# ffmpeg -i MVI_1752.mp3 -to 00:00:27 MVI_1752_short.mp3

* Ausschnitt rausschneiden und gleichzeitig als mp3 abspeichern
# ffmpeg -i Buena_Vista_Social_Club.mp4 -ss 00:04:16 -to 00:09:16 bvsc2.mp3

* Audio zu Video zufügen:
# ffmpeg -i MVI_1747_mute.MOV -i MVI_1752a.mp3 -codec copy -shortest MVI_1747_sound.MOV

* 2 Sounddateien mergen:
# ffmpeg -i "concat:MVI_1751.mp3|MVI_1753.mp3" -c copy MVI_1752.mp3
(Bei größeren Dateimengen ist sox eine gute Alternative: 
# sox file1.wav file2.wav ... filen.wav newfile.wav
)
* 2 Videodateien mergen
Falls auf Grund unterschiedlicher Codierung sich das obige Beispiel nicht aus Videos übertragen lässt:
$ ffmpeg -ifile1.mp4 -i file2.mp4 -filter_complex "[0:v][0:a][1:v][1:a] concat=n=2:v=1:a=1 [outv] [outa]" -map "[outv]" -map "[outa]" out.mp4

Beispiel für das Zusammenmergen von 3 Videos incl. Sound:
$ ffmpeg -i VID_20241225_part1.mp4 -i VID_20241225_part2.mp4 -i VID_20241225_142603~2.mp4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0] concat=n=3 :v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" output.mp4

Beispiel für das Zusammenmergen von 4 Videos zu 1 großen:
$ ffmpeg -i part1.mp4 -i part2.mp4 -i MVI_0309.MP4 -i MVI_0310.MP4 -filter_complex "[0:v:0][0:a:0][1:v:0][1:a:0][2:v:0][2:a:0][3:v:0][3:a:0]concat=n=4:v=1:a=1[outv][outa]" -map "[outv]" -map "[outa]" bigmovie.mp4

Alternative: 
Datei erstellen mit dem Inhalt der Videodateien:
cat > myfile.txt<<EOF
file 'MVI_1547.mp4'
file 'MVI_1610.mp4'
EOF

$ ffmpeg -f concat -i myfile.txt -c copy output.mp4

Sollte das Video nicht sauber durchlaufen, mit avidemux öffnen und die Schnittstelle rausschneiden.

(wer noch immer nicht genug hat: https://trac.ffmpeg.org/wiki/Concatenate )

* Beispiel für 2 Videodateien zusammenmergen:

#!/bin/bash

F1=MVI_1869.MOV
F2=MVI_1870.MOV
RESULT=MVI_1871.mp4

# sound
#ffmpeg -i $F1 intermediate.mp3
#ffmpeg -i $F2 intermediate.mp3

# movie ohne sound
# ffmpeg -i $F1 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate1.ts
# ffmpeg -i $F2 -c copy -bsf:v h264_mp4toannexb -f mpegts intermediate2.ts
# ffmpeg -f mpegts -i "concat:intermediate1.ts|intermediate2.ts" -c copy -bsf:a aac_adtstoasc $RESULT
# rm intermediate{1,2}.ts

# movie mit Sound
ffmpeg -i $F1 -i $F2 \
-filter_complex "[0:v:0] [0:a:0] [1:v:0] [1:a:0] concat=n=2:v=1:a=1 [v] [a]" \
-map "[v]" -map "[a]" $RESULT

* Zeitraffer/Zeitlupe

Beispiel doppelte Geschwindigkeit:
ffmpeg -i input.mp4 -filter:v "setpts=0.5*PTS" output.mp4

https://medium.com/@sekhar.rahul/creating-a-time-lapse-video-on-the-command-line-with-ffmpeg-1a7566caf877

* Untertitel zufügen

Wenn die Untertitel als srt Datei vorliegen , muss man sie erst ins ass Format umwandeln:

$ ffmpeg -i subtitles.srt subtitles.ass

[[Subtitles_example.srt | Hier]] gibt es ein Beispiel für ein .srt file im Format
<fortlaufende nr.>
<time range HH:MM:SS,mmm --> HH:MM:SS,mmm>
<text>

Video mit Untertiteln erzeugen:

$ ffmpeg -i input.mp4 -vf ass=subtitles.ass output.mp4

Wer immer noch nicht genug hat:

https://img.ly/blog/ultimate-guide-to-ffmpeg/

==Soundtest mit arecord ==
Manchmal ist es hilfreich, Headset und Lautsprecher zu testen. So geht das:

$ arecord -f S16_LE -r 3000 | aplay -vvv

== avidemux ==
Nettes Videoschnitttool. Leider nicht mehr als Debianpaket verfügbar. Kann aber hier heruntergeladen werden: 
https://www.fosshub.com/Avidemux.html

Am besten das Appimage herunterladen und verlinken z.B.
# ln -s /usr/local/bin/3rdparty/avidemux_2.8.1.appImage /usr/local/bin/avidemux

== Bildbetrachter ==

=== irfanview ===
https://www.irfanview.net/faq.htm

Gibt es generisch nur für Windows. Lässt sich aber auf (mindestens) 2 Arten auch für Linux installieren:

==== 1. Snap ====
https://snapcraft.io/install/irfanview/debian
$ sudo apt install snapd
$ sudo snap install irfanview
$ type -a irfanview
irfanview is /snap/bin/irfanview

==== 2. Wine ====
Unbedingt darauf achten, die 64bit-Version herunterzuladen!
$ wine iview460_x64_setup.exe
Danach kommt ein Windows-Installer-Fenster.
$ type -a irfanview
irfanview is aliased to `wine /home/kathrin/.wine/drive_c/Program\ Files/IrfanView/i_view64.exe'

=== gwenview ===
Hat ein paar nette Eigenschaften, z.B. mehrere Bilder gleichzeitig anzeigen lassen zum Vergleich. Kommt mit KDE oder als gleichnamiges Paket.

== .wav Dateien mit xine abspielen ==
Wenn eine Fehlermeldung missing plugin kommt...

* libxine2-misc-plugins installieren

==Image::Magick==
Perlmodul, mit dem man Massenbearbeitung von Bildern (verkleinern, vergrößern,
...) durchführen kann. 
Beispielscript [[resizeXpercent.pl]]: 
Alle Bilder eines bestimmten Ordners werden um X Prozent verkleinert und in
einen anderen Ordner gespeichert.

==Image Magick mit jpeg-Support benutzen==
libjpeg-dev installieren

OpenShift Cheatsheet

2025-07-04T08:40:56Z

Sunflower: /* Create new app */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red '''--template'''=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue '''--image''' registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Make new app available ==
Create service:
$ oc expose deployment <mydeployment> --name <service-mynewapp> --port 8080 --target-port 8080
Create route:
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>
Afterwards the app is reachable from outside.
Alernative ingress:
$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create service from deployment ==
$ oc expose deployment/helloworld

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}

OpenShift Cheatsheet

2025-05-28T09:15:20Z

Sunflower: /* Pods */

Here some helpful OpenShift commands which work (at least) since version >= 4.11

= Login =
'''How to get a token:'''
https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automatization.
$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:
$ curl -H "Authorization: Bearer $TOKEN" https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

'''Login with username/password:'''
$ oc login -u admin -p password https://api.ocp.example.com:6443

'''Get console URL:'''
$ oc whoami --show-console

= CLI tool =

'''Enable autocompletion'''

oc completion bash > /etc/profile.d/oc_completion_bash.sh

= Registries =
* registry.access.redhat.com (login only)
* registry.redhat.io
* quay.io

= Creating =

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker://docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)

$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search Images by help of podman:
$ podman search <wordpress>

== Create new app ==
with label and parameters

from template
$ oc new-app (--name mysql-server) -l team=red --template=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image
$ oc new-app -l team=blue --image registry.redhat.com/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

=== Set environment variables afterwards ===
oc set env deployment/mariadb MARIADB_DATABASE=wikidb
oc set env deployment/mariadb MARIADB_USER=mediawiki
oc set env deployment/mariadb MARIADB_PASSWORD=wikitopsecret
oc set env deployment/mariadb MARIADB_ROOT_PASSWORD=gehheim

(Not recommended for passwords; you'd better set secrets and configmaps, s. below)

== Make new app available ==
Create service:
$ oc expose deployment <mydeployment> --name <service-mynewapp> --port 8080 --target-port 8080
Create route:
$ oc expose service <service-mynewapp> --name <route-to-mynewapp>
Afterwards the app is reachable from outside.
Alernative ingress:
$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

== Create Deployment from image ==
$ oc create deployment demo-pod --port 3306 --image registry.ocp.example.de:8443/rhel9/mysql-80

=== Problem web server ===
In some images web servers run on port 80 which leads to permission problems in OpenShift as security context constraints do not allow to run apps on privileged ports

Error message:
<pre>
(13)Permission denied: AH00072: make_sock: could not bind to address [::]:80 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
</pre>

 -> either choose an image where port >= 1024 is used
 -> or add permissions to the corresponding service account

$ oc get pod <your pod name> -o yaml | grep -i serviceAccountName
serviceAccountName: default

$ oc adm policy add-scc-to-user anyuid -z default
(when you want to get rid of this setting again you have to edit the annotations field of the deployment and re-create the pod)

$ oc delete pod <your pod name>

== Create Job from image ==
$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "create database events; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:
$oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ $(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:
$ oc logs job/<name>

== Create service from deployment ==
$ oc expose deployment/helloworld

== Create Secret from String ==
$ oc create secret generic test --from-literal=foo=bar

= Watching =

== Common info ==
General cluster/resource info:
$ oc cluster-info

Which resources are there?
$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)(00api-group='')
(in|without namespace)(openshift specific)(core-api-group only)

Explain resources:
$ oc explain service

Describe resources:
$ oc describe service

Inspect resources:
$ oc adm inspect deployment XYZ --dest-dir /home/student/inspection
(Attention: control resulting files for secrets, passwords, privatekeys etc. before sending somewhere)

Get all resources:
$ oc get all

('''Attention:''' templates, secrets, configmaps and pvcs will be shown outside resources)

$ oc get template,secret,cm,pvc

List resources in context of another user/serviceaccount:
$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

== Resources which are not shown with the "oc get all" command ==
$ oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n mynamespace

== Nodes ==

Get status of all nodes:
$ oc get nodes

Get Logs of a node (and special unit)
$ oc adm node-logs <nodename> -u crio

Compare allocatable resources vs limits:
$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Get resource consumption:
$ oc adm top nodes

Be careful !
Only the free memory is shown, not the allocatable memory. For a more realistic presentation do:
$ oc adm top nodes --show-capacity

( https://www.redhat.com/en/blog/using-oc-adm-top-to-monitor-memory-usage )

== Machines ==

Show Uptime:
$ oc get machines -A

Get state paused/not paused of machineconfigpool:
$ oc get mcp worker -o jsonpath='{.spec.paused}'

== Pods ==

Get resource consumption of all pods:
$ oc adm top pods -A --sum

Get resource consumption of pods and containers
$ oc adm top pods -n <openshift-etcd> --containers

Get all pods on a specific node:
$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:
$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:
$ oc get pods -o jsonpath='{item[0].spec.containers[0].readinessProbe}' | jq

Connect to pod and open a shell:
$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:
$ oc cp mysqldump.sql mysql-server:/tmp

== Other Information ==

Sort Events by time:
$ oc get events --sort-by=lastTimestamp

Show egress IPs:
$ oc get hostsubnets

Show/edit initial configuration:
$ oc get cm cluster-config-v1 -o yaml -n kube-system
(edit)

List alerts:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended
List silences:
$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources: 
$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

= Running =

== Projects/Namespaces ==

Switch '''namespace''':
$ oc project <namespace>
quit namespace:
$ oc project -n default

== Change resources ==

=== Environment variables ===
Set environment variables on running deployment:
$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

=== Change with '''patch''' command ===

'''Patch single value of resource:'''
$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge --patch '{"spec":{"approved":true}}'

'''Patch resource by help of a file:'''
$ oc patch --type=merge mc 99-worker-ssh --patch-file=/tmp/patch_mc-worker-ssh.yaml

Content of ''patch_mc-worker-ssh.yaml'':
<pre>
spec:
config:
passwd:
users:
- name: core
sshAuthorizedKeys:
- |
ssh-rsa AAAAB3NzaZ1yc2EAAAADAQABAAABAQDOMsVGOvN3ap+MWr7eqZpBfDLTcmFdKhozJGStwXsTrP6QJYlxwP1ITZH7tPMfD0zkHu+y7XzcPqybwmnK4hPhuzxUl4qXqdTkTUUJjy3eVPk7n3RHHdsI2yS5YnlcySnTvkYAOuMStDDhN1MF6xOwxqXOq6xalzZzt7j/MtcceHxIdB19i0Fp4XYRTfv9p3UTFFkP9DoRnspNI0TtIg8YfzYcHJy/bDhEfi6+t0UBcksUqVWpVY2jX2Nco1qfC+/E2ooWalMzYUsB4ctU4OqiLd5qxmMevn9J+knPVhiWLE41d7dReVHkNyao2HZUH1r6E6B7/n/m0+XS0qJeA0Hh testy@pc01
ssh-rsa AAABBBCCC0815....QWertzu007Xx foobar@pc02
</pre>
Attention: former content of '''sshAuthorizedKeys''' will be overwritten !

'''Patch secret with base64 encoded data:'''
 Create yaml file with content:
$ head /tmp/alertmanager.yaml
global:
resolve_timeout: 5m
smtp_from: openshift-admin@example.de
smtp_smarthost: 'loghorst.example.de:25'
smtp_hello: localhost
(...)
$ tail /tmp/alertmanager.yaml
(...)
time_intervals:
- name: work_hours
time_intervals:
- weekdays: ["monday:friday"]
times:
- start_time: "07:00"
end_time: "17:00"
location: Europe/Zurich

$ oc patch secret alertmanager-main -p '{"data": {"config.yaml": "'$(base64 -w0 /tmp/alertmanager.yaml)'"}}'

==== Examples ====
'''Set master/worker to (un)paused:'''
$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

'''Set maximum number of unavailable workers to 2:'''
$ oc patch --type=merge --patch='{"spec":{"maxUnavailable":2}}' machineconfigpool/worker
(default=1)

=== Restart deployment after change ===

$ oc rollout restart deployment testdeploy

(obsolete:
 the deployment resource has no rollout option -> You must patch something before it restarts e.g.:
$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"
)

=== Scaling resources ===
Scale number of machines/nodes up/down:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

=== Draining nodes ===
Empty node and put it into maintenance mode (e.g. before booting)
$ oc adm cordon <node1> (not necessary wgen you drain it - will be emptied anyway)
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:
$ oc adm uncordon <node1>

= Logging =

Watch logs of a certain pod (or container)
$ oc logs <podname> (-c <container>)

Debug pod (e.g. if crashloopbacked):
$ oc debug pod/<podname>

Node logs of systemunit crio:
$ oc adm node-logs master01 -u crio --tail 2

The same of all masters:
$ oc adm node-logs --role master -u crio --tail 2

Liveness/Readiness Probes of all pods in certain timestamp:
$ oc adm node-logs --role worker -u kubelet | egrep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:
$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:
$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from certain node:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:
$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'
$ oc adm node-logs ocp-46578-master-1 --path=openshift-apiserver/audit.log | jq 'select(.verb == "delete" and .objectRef.resource != "routes" and .objectRef.resource != "templateinstances" and .objectRef.resource != "rolebindings" )'

Source: 
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html

= Information gathering =
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

== Must-gather ==
$ oc adm must-gather
-> create must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect
(evtl. delete secrets!)

== SOS Report ==
https://access.redhat.com/solutions/4387261

== Inspect ==
Get information resource-wise and for a certain period:
$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

= Special cases =

== Namespace not deletable ==
Namespace gets stuck in status terminating

Watch out for secrets that are left over and not deletable.
Set the finalizer to Null:
$ oc patch secrets $SECRET -n ocp-cluster-iam-entw -p '{"metadata":{"finalizers":[]}}' --type=merge

== Run containers as root ==
Should only be done as last instance or for temporary tests as attackers could theoretically break out of the containers and become root on the system.

In the deployment add following lines under the "spec" statement:
<pre>
spec:
containers:
securityContext:
runAsUser: 0
</pre>

You must give admin privileges to the serviceaccount under which the deployment runs. If nothing is configured it is normally the default user:
# oc project <myproject>
# oc adm policy add-scc-to-user anyuid -z default

= App URLs =
== Kibana ==
https://kibana-openshift-logging.apps.ocp.example.com/

== ArgoCD ==
https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

= Useful terms =

'''IPI''' Installer-provisioned infrastructure cluster 
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

'''UPI''' User provisioned infrastructure cluster
* DNS and Loadbalancing must already be there
* Installation manually, download ova file (in case of vSphere)
* master created manually
* workers recommended
* *no* keepalived

Advantages: 
IPI: installation more simple, using preconfigured features 
UPI: more flexibility, no loadbalancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:
$ oc api-resources

{| class="wikitable"
|-
| cm || config map
|-
| csv || cluster service version
|-
| dc || deploymentconfig
|-
| ds || daemonset
|-
| ip ||installplan
|-
| mcp || machineconfigpool
|-
| pv || persistent volume
|-
| sa || service account
|-
| scc || security context constraints
|-
| svc || service
|}