OpenShift Cheatsheet: Difference between revisions

From Linuxwiki
Revision as of 14:25, 24 April 2024

Here are some helpful OpenShift commands which work (at least) since version 4.11.


Login

How to get a token: https://oauth-openshift.apps.ocp.example.com/oauth/token/display

You might need it for login or automation.

$ oc login --token=... --server=https://api.ocp.example.com:6443

Use the token directly against the API:

$ curl -H "Authorization: Bearer $TOKEN" "https://api.ocp.example.com:6443/apis/user.openshift.io/v1/users/~"

Login with username/password:

$ oc login -u admin -p password https://api.ocp.example.com:6443

Get console URL:

$ oc whoami --show-console

Registries

  • registry.access.redhat.com (login only)
  • registry.redhat.io
  • quay.io

Creating

$ skopeo login -u user -p password registry.redhat.io
$ skopeo list-tags docker://docker.io/nginx
$ oc run <mypod-nginx> --image docker.io/nginx:stable-alpine (--env NGINX_VERSION=1.24.1)
$ skopeo inspect (--config) docker://registry.redhat.io/rhel8/httpd-24

Search images with podman:

$ podman search <wordpress>

Create new app

with label and parameters

from template

$ oc new-app -l team=red --template=mysql-persistent -p MYSQL_USER=developer -p MYSQL_PASSWORD=topsecret

from image

$ oc new-app -l team=blue --image registry.redhat.io/rhel9/mysql-80:1 -e MYSQL_ROOT_PASSWORD=redhat -e MYSQL_USER=developer -e MYSQL_PASSWORD=evenmoresecret

Make new app available

Create service:

$ oc expose deployment <mydeployment> --name <service-mynewapp> --port 8080 --target-port 8080

Create route:

$ oc expose service <service-mynewapp> --name <route-to-mynewapp>

Afterwards the app is reachable from outside. Alternatively, create an ingress:

$ oc create ingress <ingress-mynewapp> --rule="mynewapp.ocp4.example.de/*=service-mynewapp:8080"

Create Deployment from image

$ oc create deployment demo-pod --port 3306  --image registry.ocp.example.de:8443/rhel9/mysql-80

Create Job from image

$ oc create job testjob --image registry.ocp.example.de:8443/rhel9/mysql-80 -- /bin/bash -c "mysql -e 'create database events;'; mysql events -e 'source /tmp/dump.sql;'"

Cronjob:

$ oc create cronjob mynewjob --image registry.ocp4.example.de:8443/ubi8/ubi:latest --schedule='* * * * 5' -- /bin/bash -c "if [ \$(date +%H) -gt 15 ]; then echo 'Hands up, weekend!'; fi"

Check output of job:

$ oc logs job/<name>

Create Secret from String

$ oc create secret generic test --from-literal=foo=bar

Running

General cluster info:

$ oc cluster-info

Which resources are there?

$ oc api-resources (--namespaced=false)(--api-group=config.openshift.io)
                 (in|without namespace)(openshift specific)

Explain resources:

$ oc explain service

Switch namespace:

$ oc project <namespace>

Quit namespace:

$ oc project -n default

Get all resources:

$ oc get all

(Attention: imagestreams, secrets, services, and pvcs will be shown outside resources)

$ oc get secret,svc,pvc,dc

List resources in context of another user/serviceaccount:

$ oc get persistentvolumeclaims -n openshift-monitoring --as=system:serviceaccount:openshift-monitoring:default

Get status of all nodes:

$ oc get nodes

Get all pods on a specific node:

$ oc get pods --field-selector spec.nodeName=ocp-abcd1-worker-0 (-l myawesomelabel)

Get only pods from deployment mysql:

$ oc get pods -l deploymentconfig=mysql

Get pods' readinessProbe:

$ oc get pods -o jsonpath='{.items[0].spec.containers[0].readinessProbe}' | jq

Show Uptime:

$ oc get machines -A

Sort Events by time:

$ oc get events --sort-by=lastTimestamp

Show egress IPs:

$ oc get hostsubnets

Show/edit initial configuration:

$ oc get cm cluster-config-v1 -o yaml -n kube-system
  (edit)

Compare allocatable resources vs limits:

$ oc get nodes <nodename> -o jsonpath='{"Allocatable:\n"}{.status.allocatable}{"\n\n"}{"Capacity:\n"}{.status.capacity}{"\n"}'

Connect to pod and open a shell:

$ oc exec -it <podname> -- /bin/bash

Copy file(s) to pod:

$ oc cp mysqldump.sql mysql-server:/tmp

List alerts:

$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool alert --alertmanager.url=http://localhost:9093 -o extended

List silences:

$ oc -n openshift-monitoring exec -ti alertmanager-main-0 -c alertmanager -- amtool silence query [alertname=ClusterNotUpgradable] --alertmanager.url=http://localhost:9093

https://cloud.redhat.com/blog/how-to-use-amtool-to-manage-red-hat-advanced-cluster-management-for-kubernetes-alerts

User rights to resources:

$ oc adm policy who-can <verb> <resource>
$ oc adm policy who-can patch machineconfigs

Create service from deployment:

$ oc expose deployment/helloworld

Set environment variables on running deployment:

$ oc set env deployment/helloworld MYSQL_USER=user1 MYSQL_PASSWORD=f00bar MYSQL_DATABASE=testdb

Patch resource:

$ oc patch installplan install-defgh -n openshift-operators-redhat --type merge  --patch '{"spec":{"approved":true}}'

Restart deployment after change:

The deployment resource has no rollout option, so you must patch something before it restarts, e.g.:

$ oc patch deployment testdeploy --patch "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"last-restart\":\"`date +'%s'`\"}}}}}"

Get state paused/not paused of machineconfigpool:

$ oc get mcp worker -o jsonpath='{.spec.paused}'

Set master/worker to (un)paused:

$ oc patch --type=merge --patch='{"spec":{"paused":false}}' machineconfigpool/{master,worker}

Scale number of machines/nodes up/down:

$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api

Empty a node and put it into maintenance mode (e.g. before rebooting):

$ oc adm cordon <node1>
$ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true

After reboot:

$ oc adm uncordon <node1>

Logging

Watch logs of a certain pod (or container)

$ oc logs <podname> (-c <container>)

Debug pod (e.g. if it is in CrashLoopBackOff):

$ oc debug pod/<podname>

Liveness/Readiness probes of all pods at a certain timestamp:

$ oc adm node-logs --role worker -u kubelet | grep -E 'Liveness|Readiness' | grep "Aug 21 11:22"

Space allocation of logging:

$ POD=elasticsearch-cdm-<ID>
$ oc -n openshift-logging exec $POD -c elasticsearch -- es_util --query=_cat/allocation?v\&pretty=true

Watch audit logs:

$ oc adm node-logs --role=master --path=openshift-apiserver/

Watch audit.log from a certain node:

$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log

Search string:

$ oc adm node-logs ocp-abcdf-master-0 --path=openshift-apiserver/audit-2023-09-26T14-11-04.448.log | jq 'select(.verb == "delete")'

Source:
https://docs.openshift.com/container-platform/4.12/security/audit-log-view.html
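
An added example (not part of the original cheatsheet): the same `verb == "delete"` filter in Python, extended to keep only the ResponseComplete stage, so a request logged at more than one stage is counted once, and to split deletes per user by HTTP result. The sample lines are constructed in the audit.k8s.io/v1 event shape, and the function names are illustrative.

```python
import json
from collections import Counter

# Constructed sample lines in the audit.k8s.io/v1 Event shape (not real cluster output).
SAMPLE = """\
{"stage":"RequestReceived","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-cred"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-cred"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"system:serviceaccount:ci:builder"},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"bob"},"objectRef":{"resource":"pods","namespace":"dev","name":"api-0"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"del
{"stage":"ResponseComplete","verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"dev","name":"api-0"},"responseStatus":{"code":200}}
"""

def parse_events(text):
    """Yield one dict per audit line; skip anything that is not a JSON object."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. a line cut off at a log rotation boundary

def deletes(events, stage="ResponseComplete"):
    """Rows (user, namespace, resource, name, http_code) for delete requests."""
    rows = []
    for ev in events:
        if ev.get("verb") != "delete" or ev.get("stage") != stage:
            continue
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code")
        user = (ev.get("user") or {}).get("username", "?")
        rows.append((user, ref.get("namespace", ""), ref.get("resource", ""),
                     ref.get("name", ""), code))
    return rows

def summarize(rows):
    """Count deletes per user, split into 2xx and everything else."""
    ok, failed = Counter(), Counter()
    for user, _ns, _res, _name, code in rows:
        bucket = ok if isinstance(code, int) and 200 <= code < 300 else failed
        bucket[user] += 1
    return ok, failed

if __name__ == "__main__":
    rows = deletes(parse_events(SAMPLE))
    for row in rows:
        print(*row)
    print(summarize(rows))
```

To run it against a real log, pass the saved output of the `oc adm node-logs ... --path=openshift-apiserver/<file>` command above to `parse_events` instead of `SAMPLE`.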

Information gathering

https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html/support/gathering-cluster-data#support_gathering_data_gathering-cluster-data

Must-gather

$ oc adm must-gather

-> creates must-gather.local.XXXXXX

https://docs.openshift.com/container-platform/4.12/cli_reference/openshift_cli/administrator-cli-commands.html#oc-adm-inspect (if necessary, delete secrets!)

Inspect

Get information resource-wise and for a certain period:

$ oc adm inspect clusteroperator/kube-apiserver --dest-dir /tmp/kube-apiserver --since 1m

App URLs

Kibana

https://kibana-openshift-logging.apps.ocp.example.com/

ArgoCD

https://openshift-gitops-server-openshift-gitops.apps.ocp.example.com

Useful terms

IPI Installer-provisioned infrastructure cluster
Cluster installed by install command; user must only provide some information (which platform, cluster name, network, storage, ...)

UPI User provisioned infrastructure cluster

  • DNS and Loadbalancing must already be there
  • Installation manually, download ova file (in case of vSphere)
  • master created manually
  • workers recommended
  • *no* keepalived

Advantages:
IPI: simpler installation, uses preconfigured features
UPI: more flexibility, no load balancer outage during update

Change from IPI -> UPI not possible

You can get more shortcuts by typing:

$ oc api-resources
cm config map
csv cluster service version
dc deploymentconfig
ds deploymentsetting
ip installplan
mcp machineconfigpool
pv persistent volume
sa service account
scc security context constraints
svc service