#NOTES:
- atomic-reactor and osbs from my COPR (latest from upstream git)
- openshift-ansible upstream for installation of OpenShift
- for "lab environment" DNS setup, use dnsmasq as described in the OpenShift docs
- The example here is a single-node deployment named losbs.example.com with *.cloudapps.example.com configured as in the doc
- Turns out you don't need a fully functional OpenShift environment to run OSBS
- Can work without openshift-router and openshift-docker-registry
- Probably not best
#STEPS:
For my installation the steps were the following (they will vary based on deployment environment)
$ git clone https://github.com/openshift/openshift-ansible.git
# Create inventory.txt based on openshift-ansible docs
$ ansible-playbook playbooks/byo/config.yml -i inventory.txt
# Setup service account for the router
# https://docs.openshift.org/latest/admin_guide/install/deploy_router.html
$ echo \
'{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"router"}}' \
| oc create -f -
# Add a line under users with the user name system:serviceaccount:default:router
$ oc edit scc privileged
# Create the router
$ oadm router --create=true \
--credentials=/etc/openshift/master/openshift-router.kubeconfig \
--service-account=router
# Create mountpoint for docker-registry persistent storage
$ mkdir /var/lib/openshift/docker-registry
# Setup service account for the registry
# https://docs.openshift.org/latest/admin_guide/install/docker_registry.html
$ echo \
'{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"registry"}}' \
| oc create -f -
# Add a line under users with the user name system:serviceaccount:default:registry
$ oc edit scc privileged
$ oadm registry \
--create=true \
--credentials=/etc/openshift/master/openshift-registry.kubeconfig \
--mount-host=/var/lib/openshift/docker-registry --service-account=registry
Follow OpenShift Enterprise install guide
This can optionally be on a dedicated machine elsewhere, but for the sake of testing/demo just run on localhost.
$ yum -y install docker-registry
$ systemctl start docker-registry
$ systemctl enable docker-registry
Setup COPR
$ cd /etc/yum.repos.d/
$ wget -c https://copr.fedoraproject.org/coprs/maxamillion/atomic-reactor/repo/epel-7/maxamillion-atomic-reactor-epel-7.repo
$ yum -y install atomic-reactor osbs-client
# Make sure to have an updated version of python-six
## https://github.com/projectatomic/atomic-reactor/issues/286
#
# python-six-1.9.0-1.el7 is available in the COPR
# https://copr.fedoraproject.org/coprs/maxamillion/epel7-python-six/
Setup CentOS docker candidate yum repo
There is an issue with docker 1.7, need to downgrade to 1.6.2
Bug report here: https://github.com/docker/docker/issues/12487#issuecomment-135550256
Can't upgrade to 1.8 because of https://bugzilla.redhat.com/show_bug.cgi?id=1258037
$ atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /usr/share/atomic-reactor/images/dockerhost-builder buildroot
# Edit the docker config located at /etc/sysconfig/docker to include the following (merge with existing OPTIONS line if needed)
OPTIONS='--insecure-registry=localhost:5000 --selinux-enabled'
# This is needed to pre-stage our docker registry that osbs will use in its
# configuration in order to pull and push images to pre/post build
$ docker tag buildroot localhost:5000/buildroot
$ docker push localhost:5000/buildroot
$ docker pull fedora
$ docker tag fedora localhost:5000/fedora
$ docker push localhost:5000/fedora
Set authorization policies to allow builder (this grants the edit role to both the system:unauthenticated and system:authenticated groups, so it is wide open; need to investigate authorization more)
$ oadm policy add-role-to-group edit system:unauthenticated system:authenticated
$ oadm policy add-role-to-group edit system:authenticated
[general]
build_json_dir = /usr/share/osbs/
[default]
openshift_uri = https://losbs.example.com:8443/
# if you want to get packages from koji (koji plugin in dock)
# you need to setup koji hub and root
# this sample is for fedora
koji_root = http://koji.fedoraproject.org/
koji_hub = http://koji.fedoraproject.org/kojihub
# in case of using artifacts plugin, you should provide a command
# how to fetch artifacts
sources_command = fedpkg sources
# from where should be images pulled and where should be pushed?
#registry_uri = localhost:5000
registry_uri = losbs.example.com:5000
verify_ssl = false
build_type = simple
use_auth = false
## NOTE: This option will not be needed in future versions but is needed in
## version osbs-0.14-1
metadata_plugin_use_auth=false
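To catch these lab-only settings before a config like the one above is reused elsewhere, the following shell function scans an osbs.conf for disabled TLS verification, disabled authentication, and plain-HTTP endpoints. It is an added example, not part of the original notes or of osbs-client; the names `audit_osbs_conf` and `sample_conf` are hypothetical, and the sample input is constructed from the settings shown on this page.

```shell
#!/bin/sh
# Added example (not from osbs-client): flag lab-only settings in an osbs.conf.
# audit_osbs_conf [FILE] reads FILE (or stdin), prints one finding per line,
# and returns 1 if anything was flagged, 0 otherwise.
audit_osbs_conf() {
    awk '
    function report(msg) { printf "[%s] %s: %s\n", section, key, msg; n++ }
    # Remember the current [section] so each finding can name it.
    /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); section = $0; next }
    # Skip comments (# or ;) and blank lines.
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
        # Split "key = value" on the first "=" and trim both sides.
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        lval = tolower(val)
        if (key == "verify_ssl" && lval == "false")
            report("TLS certificate verification disabled")
        else if ((key == "use_auth" || key == "metadata_plugin_use_auth") && lval == "false")
            report("authentication disabled")
        else if (key ~ /^(openshift_uri|koji_root|koji_hub)$/ && lval ~ /^http:/)
            report("plain HTTP endpoint " val)
    }
    END { exit (n > 0) }
    ' "${1:--}"
}

# Constructed sample: a subset of the settings shown on this page.
sample_conf() {
    cat <<'EOF'
[default]
openshift_uri = https://losbs.example.com:8443/
koji_hub = http://koji.fedoraproject.org/kojihub
registry_uri = losbs.example.com:5000
verify_ssl = false
use_auth = false
metadata_plugin_use_auth=false
EOF
}

sample_conf | audit_osbs_conf || echo "lab-only settings found, see above"
```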
$ osbs build -g https://github.com/maxamillion/atomic-reactor-dockerfile-test.git -b master -c test-image -u builder
$ osbs list-builds
https://github.com/release-engineering/koji-containerbuild
Install koji-containerbuild from my COPR
$ yum -y install koji-containerbuild koji-containerbuild-{builder,cli,hub}
# All hub machines need koji-containerbuild-hub and all builders that will be
# enabled for building containers need koji-containerbuild-builder
Enable the plugins for hub and builder (kojid) on their respective hosts
In /etc/kojid/kojid.conf add builder_containerbuild to the plugins line:
plugins = builder_containerbuild
In /etc/koji-hub/hub.conf add hub_containerbuild to the plugins line:
plugins = hub_containerbuild
For the client stuff you'll need to add the following to /etc/koji.conf (changing the needed bits)
[koji-containerbuild]
;configuration for koji cli tool
;url of XMLRPC server
server = http://devops.example.com/kojihub
;url of web interface
weburl = http://devops.example.com/koji
;url of package download site
topurl = https://kojipkgs.localdomain/
;path to the koji top directory
;topdir = /mnt/koji
;configuration for Kerberos authentication
;the service name of the principal being used by the hub
;krbservice = host
;configuration for SSL authentication
;client certificate
cert = ~/.koji/client.crt
;certificate of the CA that issued the client certificate
ca = ~/.koji/serverca.crt
;certificate of the CA that issued the HTTP server certificate
serverca = ~/.koji/serverca.crt
As the kojiadmin user (normally the koji *nix user), add the container channel to koji
$ psql
psql (8.4.20)
Type "help" for help.
koji=# INSERT INTO channels (name) VALUES ('container');
As the kojiadmin, add builder(s) to the channel and add a package
$ koji add-host-to-channel kojibuilder1 container
$ koji add-pkg --owner admiller CENTOS6-6 testing