OpenShift Sandbox Build
Issues: Servers 004, 005 cannot reach the internet. Solution: HPAS working on the issue.
Storage distribution: -003: 50g (Master); -004: 50g; -005: 50g; -006: 50g; -007: 100g NFS (80g vol and 4 x 5g vol).
Host authentication with key for self access to root; root auth was turned off completely.
-003: inbound port 8443 on 142.34.217.42 "connection refused" caused the Ansible script to fail. This seemed to be a false error? Retried, failed again.
- policykit causing issue?? Not sure, seems like ->
- We have an IP conflict with the private network. Solution: alter the RHOS private network: not 172, now 182; not 10, now 11. So 182.30.0.0 and 11.1.0.0.
- Control of libraries that can be accessed (Docker Hub is set up by default [baked in] and needs to be blocked after setup)
- Docker storage setup: Option A: use an additional block device
- Key auth set to "yes" for self access of root
-003: we are keeping going. Problems with useradd and groupadd. Changed SELinux to permissive so useradd works; once the install completed and new users were created, SELinux was reset to enforcing. Edited IPs: 172.16.0.0/16, 10.16.0.0/16
Make sure we have private and public IPs to protect the VM (only the router should be exposed through the software-defined network).
Those measures allowed the complete install on OCIOPF-D-003.
There was some discussion around mounted storage and some confusion.
We hit some inconsistencies with the servers that we were using for the install of OpenShift. We are now going back to the standard minimal RHEL 7.2 ISO for the pathfinder servers. Servers to be rebuilt: OCIOPF-D-004, OCIOPF-D-005, OCIOPF-D-006. We understand this will not be backed up or monitored. Also we will configure another server with the HPAS management tools. Call it OCIOPF-D-008.
We completed deployment of 3 test applications: Welcome.pathfinder.gov.bc.ca, Time.pathfinder.gov.bc.ca, BCA-API.
Issues: Needed to escalate the opening of port 8443; the issue was resolved and we are now able to access the OS console: https://ociopf-d-003.dmz:8443
DDoS attack filter shut down our deployment to nodes - needed to add the node server IP to the whitelist. Security branch contact was Dale Land.
Started the day working on servers 004, 005, 006 node setup.
For some reason server 006 cannot reach port 443 (the others are fine), so we are setting up on 004 and 005 to have 2 nodes rather than 3.
Setting up console @ Console.pathfinder.gov.bc.ca
Deployment to node successful.
Ephemeral setup of Jenkins completed.
DNS service passing - mapped a different domain to the master, resolved to a container running on one of our nodes.
Setting up SSL cert on Master (003) for console.pathfinder.gov.bc.ca. Not finished: moved this to Day 4.
Takeaways: We can build default constraints so that when a new project is started it applies pre-set limits.
Setting up SSL cert on Master (003) for console.pathfinder.gov.bc.ca
Re-try setting up a node on server -006
Working with persistent storage volume
Issues: Ran into some friction between private and public IP addresses.
Focused in on setting up project templates with pod and container constraints. Fixed the SSL cert chain. Set up metrics. Requested more storage for ociopf-d-001 for ajax mine. Deployed app with SSL.
Issues: Metrics deployer was having trouble with the wildcard DNS SSL cert.
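An added example, not from these build notes, of how the "default constraints for new projects" and "project templates with pod and container constraints" mentioned above are expressed in OpenShift 3: a project request template carrying a ResourceQuota and a LimitRange, so every new project starts with pre-set limits. The quota and limit values are constructed for illustration, not the pathfinder team's settings.

```yaml
# Added example: OpenShift 3 project request template (constructed values,
# not the pathfinder team's) applying a quota and limits to each new project.
apiVersion: v1
kind: Template
metadata:
  name: project-request
objects:
- apiVersion: v1
  kind: Project
  metadata:
    name: ${PROJECT_NAME}
    annotations:
      openshift.io/requester: ${PROJECT_REQUESTING_USER}
- apiVersion: v1          # requester becomes project admin, as in the default
  kind: RoleBinding
  metadata:
    name: admin
    namespace: ${PROJECT_NAME}
  roleRef:
    name: admin
  subjects:
  - kind: User
    name: ${PROJECT_ADMIN_USER}
- apiVersion: v1          # project-wide ceiling; pods must declare requests
  kind: ResourceQuota
  metadata:
    name: project-quota
    namespace: ${PROJECT_NAME}
  spec:
    hard:
      pods: "10"
      cpu: "2"
      memory: 4Gi
- apiVersion: v1          # per-container defaults and maximums, so pods that
  kind: LimitRange        # set no requests still pass the quota above
  metadata:
    name: project-limits
    namespace: ${PROJECT_NAME}
  spec:
    limits:
    - type: Container
      max: {cpu: "1", memory: 1Gi}
      default: {cpu: 200m, memory: 256Mi}
      defaultRequest: {cpu: 100m, memory: 128Mi}
parameters:
- name: PROJECT_NAME
- name: PROJECT_ADMIN_USER
- name: PROJECT_REQUESTING_USER
```

The template is loaded into the default namespace (`oc create -f project-request.yaml -n default`) and selected by setting `projectConfig.projectRequestTemplate: default/project-request` in the master's master-config.yaml.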