OCP Random Notes.md

OCP RANDOM NOTES

• Import all sample images

IMAGES=`oc get is -o go-template --template="{{range .items}}{{.metadata.name}} {{end}}"`

for i in ${IMAGES}; do
  echo "Pulling: $i"
  ./oc import-image $i --all
done

• list cluster operators and their state

oc get co

• show cluster version and error messages

oc get clusterversion
oc get clusterversion -o jsonpath='{.items[*].status}'

• show node types (MachineConfigPools)

oc get mcp
oc get mcp -o jsonpath='{range .items[*]}{"\n\n"}{@.metadata.name}:{.status.conditions}'

• Update stuck due to a previous partial update

# erase the pending status entry on masters
journalctl --vacuum-time=1m

# identify the MCD of the node
oc get pods -o wide -n openshift-machine-config-operator | grep machine-config-daemon
# delete the MCD of the node
oc delete pod machine-config-daemon-<id>

# Alternative, force an update by creating a /run/machine-config-daemon-force file on each failing node
touch /run/machine-config-daemon-force

• Mirroring releases to local directory

oc adm release mirror RELEASE --to-dir=DIR

• Mirroring releases from local directory to local registry

oc image mirror --from-dir=DIR file://openshift/release MYREGISTRY/MYREPO

• To use the OCP internal registry as a regular container registry it must have a route associated to it. Follow Exposing the internal registry

• If pulling images from an external registry with a self-signed certificate, the CA needs to be added to the cluster. For that see Adding certificate authorities to the cluster

• External images can be referenced and configured as ImageStream and setup periodic or trigger-based imports of new versions with Configuring periodic importing of imagestreamtags

• The way to override an image so it first the Node will look in the internal registry is using the configuration for having a local container registry doing mirroring. See Configuring image registry repository mirroring

• Importing insecure registries and blocking registries

• Allowing Pods to reference images from other secured registries

• Serve mirrored images from dir using oc

Usage:
  oc image serve IMAGE [flags]

Options:
      --dir='': The directory to serve images from.
      --listen=':5000': A host:port to listen on. Defaults to *:5000
      --tls-crt='': Path to a TLS certificate to secure this server with.
      --tls-key='': Path to a TLS private key to secure this server with.

• Extract certificate of MachineConfigServer (MCS)

# Cert
oc get secret machine-config-server-tls  -n openshift-machine-config-operator -o jsonpath='{.data.tls\.crt}' | base64 -d

# Key
oc get secret machine-config-server-tls  -n openshift-machine-config-operator -o jsonpath='{.data.tls\.key}' | base64 -d

Note: During install, the bootstrap node hold those certificates at:

# From bootstrap.ign
  "path": "/opt/openshift/tls/machine-config-server.key"
  "path": "/opt/openshift/tls/machine-config-server.crt"

• Extract openshift-installer from local registry

# Downloading openshift-install
oc adm release extract --command='openshift-install' ${AIRGAP_REG}/${AIRGAP_REPO}:${OCP_RELEASE}

• Adding global credentials about external registries

oc edit secrets pull-secret -n openshift-config -o yaml

• Using kustomize to modify manifests with bash environment

oc kustomize <path> | envsubst | oc apply -f -

• List all namespaced resource in the cluster

kubectl api-resources --verbs=list --namespaced -o name

• List all resources on a particular namespace

oc api-resources --verbs=list --namespaced -o name | xargs -n 1 oc get --show-kind --ignore-not-found -n your-namespace

• Display events sorted by time

oc get events --sort-by '.lastTimestamp'

• Checking the numbr of VFs supported vs the number of VFs enabled

[root@ran-cu ~]# cat /sys/class/net/ens7f1/device/sriov_totalvfs
64
[root@ran-cu ~]# cat /sys/class/net/ens7f1/device/sriov_numvfs
0
[root@ran-cu ~]# ls -l /sys/bus/pci/devices/ | less
...

• Copy kernel rpms for compiling custom kmods for OCP

RELEASE_IMAGE=$( oc adm release info --image-for=machine-os-content  quay.io/openshift-release-dev/ocp-release:4.6.16-x86_64 )

echo $RELEASE_IMAGE
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:09e3228d294d07940efebc06301179cf376f50ca16efe21ba0e343ab12ffa131

podman pull --authfile pull-secret.json $RELEASE_IMAGE
# run and login into the container
podman run -it --entrypoint /bin/bash $RELEASE_IMAGE
# run container and detach
podman run -dit --entrypoint /bin/bash $RELEASE_IMAGE

# Find the container ID
podman ps | grep $RELEASE_IMAGE
# List available kernels 
podman exec -ti <container-id> bash -c "ls /extensions/kernel*"

podman cp <container-id>:/extensions/kernel-rt-core-4.18.0-193.41.1.rt13.91.el8_2.x86_64.rpm   .
podman cp <container-id>:/extensions/kernel-rt-devel-4.18.0-193.41.1.rt13.91.el8_2.x86_64.rpm  .

• Syntax highlighting for yaml outputs

alias vaml="vim -R -c 'set syntax=yaml' -"
oc get <resource-type> <resource-name> -o yaml | vaml

• Syntax highlighting for json outputs

oc get <resource-type> <resource-name> -o json | jq .

• External Gateway with BFD enabled

---
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    k8s.ovn.org/bfd-enabled: '*'
    k8s.ovn.org/routing-external-gws: 172.18.0..5, 172.18.0.6

• Accessing cluster after loosing kubeadmin

# Log into a master node and go
cd /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs

# The directory should contain kubeconfig for various access modes 
[root@master-0 node-kubeconfigs]# ls -l
total 48
-rw-------. 1 root root 10704 Apr 12 13:39 lb-ext.kubeconfig
-rw-------. 1 root root 10708 Apr 12 13:39 lb-int.kubeconfig
-rw-------. 1 root root 10693 Apr 12 13:39 localhost.kubeconfig
-rw-------. 1 root root 10751 Apr 12 13:39 localhost-recovery.kubeconfig

# Using any of the kubeconfig should allow the interaction with K8s API

[root@master-0 node-kubeconfigs]# export KUBECONFIG=localhost-recovery.kubeconfig
[root@master-0 node-kubeconfigs]# oc get nodes
NAME       STATUS   ROLES           AGE   VERSION
master-0   Ready    master,worker   44d   v1.20.0+bafe72f
master-1   Ready    master,worker   44d   v1.20.0+bafe72f
master-2   Ready    master,worker   44d   v1.20.0+bafe72f
worker-0   Ready    worker          44d   v1.20.0+bafe72f
worker-1   Ready    worker          44d   v1.20.0+bafe72f
worker-2   Ready    worker          44d   v1.20.0+bafe72f
[root@master-0 node-kubeconfigs]# oc whoami
system:admin

• OpenShift build with SSH keys

oc create secret generic user-example-com \
    --from-file=ssh-privatekey=/root/buildkeys/ocp_rsa \
    --type=kubernetes.io/ssh-auth
   
oc secrets link builder user-example-com

oc annotate secret user-example-com \
    'build.openshift.io/source-secret-match-uri-1=ssh://github.com/<your-repos>/*'

• Find the latest stable

export ARCH="x86_64"
export CHANNEL="stable-4.8"

echo VERSION=$(echo -n `curl -sH 'Accept:application/json' "https://api.openshift.com/api/upgrades_info/v1/graph?channel=${CHANNEL}" | jq -r '.nodes[] | .version' | sort -V | tail -1`-${ARCH})

• Find the NUMA location for a particular NIC

cat /sys/class/net/<interface>/device/numa_node