90 days compass goal

Install RHEL/Atomic host from ISO

• making installation USB media
  • Find usb device name by dmsg or something like this.
    • connect usb device and see the dmsg last message.
• login as root
• make sure the usb device is not mounted.
  • findmnt /dev/sdb: if no output, it’s not mounted.
  • if it’s mounted, use unmount $target_name to unmount.
• use dd command to write iso to usb
  • dd if=/path/to/image.iso of=/dev/sdb bs=521k
• Reboot and enter boot menu, then select and use anaconda to install.

Install Atomic host with qcow2 image.

All below steps has to be done under /var/lib/libvirt/images

• use qemu-img command to create a snapshot for the qcow2 file, since after your use, you can’t start another one instance.
  • qemu-img create -f qcow2 -o backing_file=oringinal.qcow2 new.qcow2

• create pair of cloud-init files.

  • meta-data

    instance-id: Atomic0
    local-hostname: atomic-00

  • user-data

    #cloud-config
    password: atomic
    chpasswd: {expire: False}
    ssh_pwauth: True
    ssh_authorized_keys:
    \- ssh-rsa AAA...SDvz user1@yourdomain.com

  • package both files to a iso image.

    • genisoimage -output atomic0-cidata.iso -volid cidata -joliet -rock user-data meta-data
• Start Atomic host:

  virt-install --import --name Atomic0 --ram 4096  -vcpus 2 --disk path=/path/to/image.qcow2,format=qcow2,bus=virtio --disk path=/path/to/atomic0-cidata.iso,device=cdrom --network bridge=yourbridge -graphic vnc

subscription-manager

• register and auto attach
  subscription-manager register --username <username> --password <password> --auto-attach
• after add or change attached suscription, you have to run:
  subscription-manager refresh
• auto-attach:
  subscription-manager attach --auto
• attach a specific pool:
  subscription-manager attach --pool=<pool_id>
• view all available pools and subscriptions:
  subscription-manager list --available --all
• check all the installed subscription:
  subscription-manager list
• see repos info:
  subscription-manager repos --list
• enable a repo:
  subscription-manager repos --enable xxxxxxx

yum

• check update:
  yum check-update
• update a package:
  yum update package_name
• search packages:
  yum search vim emac
• list all the packages
  yum list all
• list all installed packages
  yum list installed
• list enabled repos:
  yum repolist
• list all the repos:
  yum repolist all

adding channels and installing optional rpms, and review what is in rhel-7-server-extras-rpms

• Adding channels/repos:
  subscription-manager repos --enable xxxxxxx
• installing optional rpms:
  yum install xxxxxx
• reviewing what is in rhel-7-server-extras-rpms:
  yum list all | grep -i rhel-7-server-extras-rpms
  • total: 64
  • docker related: 17
  • cockpit related: 9
  • python related: 13

Atomic host manageability

• upgrade:
  sudo atomic host upgrade
sudo systemctl reboot
• rollback:
  sudo atomic host rollback
sudo systemctl reboot
• check which version is running:
  sudo atomic host status

what other cloud images and what 3rd-party hypervisor it runs on

• Atomic Host can run on RHEV/RHEL OpenStack/VMware/Microsoft Hyper-V etc. hypervisor.
• Atomic Host cloud images include OVA and QCOW2 formats.

Docker:

Basic tutorial

• run the docker hub image
  docker run docker/whalesay cowsay boo
• build image from Dockerfile

  FROM docker/whalesay:latest
  RUN apt-get -y update && apt-get install -y fortunesCMD /usr/games/fortune -a | cowsay

after this, you will see the images built by docker image

• tag and push image to docker hub.
  docker tag image_id dockerhub_name/docker-whale:latest
docker login --username=hubusername --email=youremail@company.com
docker push dockerhub_name/docker-whale

Run hello world in a container

• Run a hello world container.
  docker run ubuntu /bin/echo 'Hello World'
• Run a interactive container.
  docker run -t -i ubuntu /bin/bash
-t: open a terminal.
  -i: grab the standard input.
• Start a deamonized hello world.
  docker run -d /bin/sh -c "while true; do echo hello world; sleep 1; done"
• see docker deamon’s info
  docker ps: container id and name will show
• see output of docker deamon:
  docker logs container_id/container_name
• stop a detached container:
  docker stop container_id/container_name

Run a simple application

1) Apache web server

• docker pull rhel7:latest
• get action and Dockerfile
• modify both files as your need
• docker build -t webwithdb .
• docker run -d -p 80 --name=mywebwithdb webwithdb
• mount from local host, use -v option:
  docker run -d -p 80 -v /var/www/html:/var/www/html --name mywebwithdb webwithdb

2) mariadb container

• docker pull rhel7:latest
• get gss_db.sql and Dockerfile
• modify Dockerfile for your need
• docker build -t dbforweb .
• docker run -d -p 3306:3306 --name=mydbforweb dbforweb

docs in custom portal

docker pull:

docker pull <registry>[:<port>]/[<namespace>/]<name>:<tag>

Namespaces	Examples(<namespace>/<name>)
organization	redhat/kubernetes, google/kubernetes
login (user name)	alice/application, bob/application
role	devel/database, test/database, prod/database

inspect images:

docker inspect image_name

mount an image:

atomic mount image_name /mnt

check images installed in the container

rpm -qa --root /mnt | less

unmount the image:

atomic unmount /mnt

scan images can also use:

atomic scan image_name

when run a docker run command:

• the file system provided by the docker image
• a new process table from inside the container(no process can be seen from the host can be seen)
• new network interface(by default, a separate docker network interface provides a private IP address to each container via DHCP)

run a binary which doesn’t exist in container but in host:

docker run -v /usr/sbin:/usr/sbin --rm rhel7 /usr/sbin/ip addr show eth0
-v: mount host working directory to container
--rm: after running this container, it’s stopped and removed.

if the container wants to be kept around and used again, assign a name to it.

docker run -v /usr/sbin:/usr/sbin --name=mytest rhel /usr/sbin/ip addr show eth0
start the container again: -i is necessary
docker start -i mytest
start a container interactive -a is mandatory.(to attach the sdout/sderr)

view docker file name in a container(redhat registry):

docker run --rm rhel7 ls /root/buildinfo

check the content in Dockerfile:

docker run --rm rhel cat /root/buildinfo/docker_file_name

bind mounting log files:

docker run -v /dev/log:/dev/log --rm rhel7 logger "Testing logging to the host"

pull out particular info from a container:

docker inspect --format='.NetworkSettings.IPAddress' mytest

• command run with the container: .Path
• arguments with the container:.Args
• TCP/UDP ports exposed from container:.Config.ExposedPorts
• process id of the container:.State.Pid
• port mapping from container to host:.HostConfig.PortBindings

investigating within a running docker container

• docker ps to get the running container name
• docker exec -it con_name /bin/bash

docker stop container_name/id

• stop option sends a SIGTERM signal to terminate the container. if container doesn’t stop then after 10s, docker sends a SIGKILL signal.
• send other signal:
  docker kill --signal="SIGNUP" con_id/name

remove containers:

• docker rm con_id/name
• docker rm con1 con2 con3
• rm all the containers:
  docker rm $(docker ps -a -q)

creating a image from a container

• docker run -i rhel:latest /bin/bash -c "yum ...."
• docker ps -l to get latest container id
• docker commit -m "xxxxx" -a "author name" con_id new_name

docker tag

• format: registryhost/username/NAME:tag
• can use just the username or with tag name or all of them

save docker image as tarball

docker save -o myrhel7.tar myrhel7:latest

reuse saved docker image

cat myrhel7.tar | docker import - cnegus/myrhel7

remove docker images

• docker rmi img_name
• docker rmi img1 img2 img3
• docker rmi $(docker images -a -q)

private docker registry(with firewall):

• start your registry:
  docker run -d -p 5000:5000 --name registry registry:2
• pull some image from hub:
  docker pull ubuntu
• tag the image to point to your registry:
  docker tag ubuntu localhost:5000/myfirstimage
• push it
  docker push localhost:5000/myfirstimage
• pull it
  docker pull localhost:5000/myfirstimage
• stop your registry and remove all data
  docker stop registry && docker rm -v registry

private docker registry:

• install docker-distribution:
  yum install -y docker-distribution
• enable and start docker-distribution:
  systemctl enable docker-distribution systemctl start docker-distribution systemctl status docker-distribution
• figure out firewall isuue:
  firewall-cmd --zone=public --add-port=5000/tcp firewall-cmd --zone=public --add-port=5000/tcp --permanent firewall-cmd --zone=public --list-ports 5000/tcp
• if using iptables firewall, run follow at each boot:
  iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5000 -j ACCEPT

managing storage with docker formatted containers

overview

• default installation of rhel use loopback devices
• rhel atomic host has LVM thin pools created during installation.
• make sure following things in planning phase:
  1. you are running direct-lvm and have LVM thin pools set up. this can be done using docker-storage-setup utility.
  2. allocate enough free space during installation or plan for an external storage to be attached to the system.

using docker-storage-setup

1.overview

• docker-storage-setup is installed with docker package
• when docker starts, docker-storage-setup is automatically started.
• it tries to find free space in volumn group containing the root logical volumn and tries to setup a lvm thin pool.
• it’s controlled by config file /usr/lib/docker-storage-setup/docker-storage-setup.
• override the options in the above config file by creating /etc/sysconfig/docker-storage-setup

2.volume group containing the root volume

• if you leave free space during system installation in the root volume group, starting docker will automatically set up a thin pool and use it.

3.lvm thin pool in a user specified volume group

echo VG=docker-vg >> /etc/sysconfig/docker-storage-setup
systemctl start docker

4.setting up a volume group and lvm thin pool on user specified block device

echo DEVS=/dev/vdb >> /etc/sysconfig/docker-storage-setup
systemctl start docker

manage storage in atomic host

• on rhel atomic host, the root volume is 3GB, and there’s free space in root volume group, and 60% in the rest space is used for creating lvm thin pool(docker-pool) by docker-storage-setup.
• the rest(40%) of space is free too, and can be used for extending the root volume or for creating a thin pool.
• lvs command to list the logical volumes on the system and the names.(root, docker-pool)
• root partition:
  • 3GB by default
  • /var and /etc directories
  • /ostree/repo which contains os tree versions
  • /var/lib/docker contains temporary data or docker volumes.
• docker-pool: store container images.
• if docker-pool is out of space, docker-storage-setup will automatically find free space in the volume group and extend.
  • /etc/sysconfig/docker: configured by user
  • /etc/sysconfig/docker-storage: configured by programs, but also can be edited by user(have to disable docker-storage-setup)
  • /etc/sysconfig/docker-storage-setup: configured by user, only exists in atomic host.
• change root partition during installation
• change the root partition after installation
  adding container images to docker-pool needs space in /var/lib/docker. for database server, image requests a docker-volume when it has data, which shouldn’t store in the container.
  • use free space in volume group:
    lvextend -r -L +3GB /dev/atomicos/root
  • add additional storage to host to extend(SAFE):
    systemctl stop docker docker-storage-setup
pvcreate /dev/sdb
vgextend atomicos /dev/sdb
lvextend -r -L +3GB /dev/atomicos/root
systemctl start docker docker-storage-setup
  • extend without adding more storage(destructive):
    systemctl stop docker docker-storage-setup
rm -rf /var/lib/docker/\*
lvremove atomicos/docker-pool
lvextend -L +3GB /dev/atomicos/root
systemctl start docker-storage-setup
systemctt start docker
• if docker conf files are changed:
  systemctl stop docker docker-storage-setup
rm /etc/sysconfig/docker-storage-setup
lvremove docker/docker-pool
rm -rf /var/lib/docker/
systemctl start docker
• overlay fs:
  more efficient and perfromant and less memory comparing to lvm thin pool, but can’t support selinux.
• increasing the base device size(can’t reduce):
  docker daemon --storage-opt --dm.basesize=20GB
  • after and include docker 1.10, docker base device size is 10.74GB
  • before 1.10, it’s 107.4GB

starting a container using systemd

create file /etc/systemd/system/redis-container.service

[Unit]
Description=Redis container
Author=Me
After=docker.service
[Service]
[Service]
Restart=always
ExecStart=/usr/bin/docker start -a redis_server
ExecStop=/usr/bin/docker stop -t 2 redis_server
[Install]
[Install]
WantedBy=local.target

running super-privileged containers

super-privileged containers are intended to access, monitor, and possibly change features on the host.
atomic command:

atomic run rhel7/rhel-tools

equals:

docker run -it --name rhel-tools --privileged                       \
      --ipc=host --net=host --pid=host -e HOST=/host                \
      -e NAME=rhel-tools -e IMAGE=rhel7/rhel-tools                  \
      -v /run:/run -v /var/log:/var/log                             \
      -v /etc/localtime:/etc/localtime -v /:/host rhel7/rhel-tools

• privileged containers run applications as root user in host.
• df and mount will see different info from running them directly from host. since they maintain their own mount table.
• ps -e can see every process on the host, and can kill them.

atomic tools container:

yum can’t be used in atomic, since atomic is designed to be light-weight.

docker pull rhel7/rhel-tools
atomic run rhel7/rhel-tools