
2021 06 30 From Docker To Openshift


From Docker to OpenShift

What we have learned while deploying our first application

IT-Power Services GmbH


Clemens Zauchner

Contents
What you can expect from this talk

• What did we deploy?
• What does the deployment look like using Docker Compose / Swarm?
• How did we move from Docker to OpenShift?
• What were the main challenges and how did we deal with them?

IT-Power Services
Bridging the gap between operations and applications

• Operations experts
• Power-house with high expertise in IBM i and Linux systems
• Private cloud provider with multiple data centres in Austria
• Services around public cloud
• Data Science and Software Engineering
• DevOps / MLOps
• CI/CD pipelines
• Docker, Podman, OpenShift

Background

Background: manage an online event
IT-PS Data Science Talk 2021

• Manage invitations and participants
• Including email templates
• Create a virtual "stage"
• Show video and Q&A side by side

Demo: online event application
Landing page

• The landing page lists past, current and upcoming events

Demo: online event application
Registration form

Demo: online event application
Django admin area

• Django offers an admin page
• Manage event details
• Manage registrations
• Send mails

Demo: online event application
Mailer: create and send emails

• HTML email templates
• Customisation via admin page
• Distribution via admin page
• Unsubscribe action via embedded link

Demo: online event application
Watch page

• The "watch page" is available for registered users only
• Embeds
• YouTube / Vimeo iframe
• Slido Q&A

Tech stack: high level overview
Django application with PostgreSQL database behind Nginx

• Django
• Python-based web framework
• Model-template-view pattern
• PostgreSQL DB
• Stores all relevant information for event
• Managed by Django
• Nginx
• Webserver
• uWSGI
• Web Server Gateway Interface
• Link between webserver and Python

Containerisation and Orchestration
Docker Compose / Swarm

• 4 Services
• Application init
• Postgres
• Eventman (Python Django Application)
• Nginx
• 1 Network
• Some services expose ports on the host
• Some services read / write data on disk

The deployment in OpenShift
Topology view from OpenShift

• 3 deployments
• Init deployment
• Should have been a pod
• See details later
• NGINX exposes service via route

Moving from Docker to OpenShift

Kompose
Moving from yml to yml

• Kompose is a tool to help users who are familiar with docker-compose move to Kubernetes
• OpenShift can be selected as provider
• Provides a great starting point to generate yml for all components

Basic usage:

Single service example
Code samples

• All code samples can be found in our GitHub
• https://github.com/it-power-services/docker-to-openshift

Single service example
Python Flask API

• Docker Compose includes instructions to
• Create a service called "web"
• Image is built from "app" context
• Exposes port 5000
• The Flask API exposes one endpoint that returns the string "Hello World!"

Single service example
Python Flask API

• Kompose translates that to
• Build config
• Imagestream
• Deployment config
• Service
• If you want to expose the service outside the cluster this has to be configured manually by creating a route
• The application can be deployed using oc apply

Single service example
Python Flask API

• The topology of the application is very simple
• The example returns the expected "Hello World!" string

Disadvantages of using Kompose

• K8s or minikube required
• Translation is tricky, especially when concepts don't map 1:1
• Kubernetes not opinionated, many ways to do one thing
• Docker Compose files have to be very explicit
• e.g. restart policy determines type
• The way image streams are created leads to unresolved images

Using the OpenShift GUI
A very good starting point

• Many options
• Deploy an image from a registry
• Import repo, build and deploy
• …

Using the OpenShift GUI
Import from Git

• Select the repo URL
• Specify the build context
• Select a build image

Using the OpenShift GUI
Import from Git

• Provide names for the application
• Choose deployment or deployment config
• Optionally create route to service

Using the OpenShift GUI
Resulting topology

• Results are similar
• But: service and route needed to be configured to change the port from 8080 to 5000

Using the OpenShift GUI
Advantages and disadvantages

Advantages
• Easier to get familiar with concepts
• Easier to get overview of where things go wrong
• Many obstacles more ironed out
• e.g. insecure registries

Disadvantages
• Hard to reproduce

Challenges and possible solutions

Challenges in the process
New concepts in Kubernetes

• In Docker: Services and containers (tasks)
• In OpenShift there are more concepts and they don't map 1:1 to Docker concepts
• Getting your head around them is not straightforward
• Tools like kompose or the OpenShift GUI can help to get familiar with them

Challenges in the process
Image build using Buildah

• Images in OpenShift are built using Buildah
• Not all Dockerfiles can be built
• Podman build can help to debug the build process locally

Challenges in the process
File permissions

• In Docker, usually everything is run as root
• In entrypoints of DB containers, often there is a chown of the data directory
• The OpenShift user will not have permissions to do so
• Solution: with PostgreSQL, specify env variable PGDATA to not point to /var/lib/postgresql/data
• Using official OpenShift images is the better option
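
The PGDATA workaround as a manifest, added here as an illustration (not taken from the talk's repository). It assumes the upstream postgres image, whose entrypoint creates a missing PGDATA directory itself; object names, the image tag, the Secret and the PVC are hypothetical.

```yaml
# Added example: names, image tag and paths are assumptions, not the talk's manifests.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres                    # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:13        # assumed upstream image and tag
          env:
            # A subdirectory of the mount, not the mount point itself: the
            # process creates it as its own (non-root) user, so the data
            # directory never has to be chown'ed.
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-credentials   # hypothetical Secret
                  key: password
          ports:
            - containerPort: 5432   # above 1024, no privilege needed
          securityContext:
            allowPrivilegeEscalation: false    # the workload never needs root
          volumeMounts:
            - name: pgdata
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: pgdata
          persistentVolumeClaim:
            claimName: postgres-data           # hypothetical PVC
```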

Challenges in the process
Exposing port(s) in container

• Ports below 1024 are privileged ports
• Many Docker images (e.g. wordpress, apache, nginx) use port 80 by default
• Since the container is running with the OpenShift user, this will lead to a permission denied error
• Adapting the image / config is necessary to run them
• Using official OpenShift images is the better option
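
One way to adapt the config, added here as an illustration (not the talk's own manifests): nginx binds an unprivileged port and the Service keeps port 80 for clients inside the cluster. Object names and labels are hypothetical, and the ConfigMap is assumed to be mounted at /etc/nginx/conf.d in the nginx container.

```yaml
# Added example: object names and labels are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-conf                 # hypothetical name
data:
  default.conf: |
    server {
        # Before: listen 80;
        #   nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
        # After: a port above 1024 that a non-root process may bind.
        listen 8080;
        location / {
            root /usr/share/nginx/html;
        }
    }
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx                     # hypothetical pod label
  ports:
    - name: http
      port: 80                     # port other workloads connect to
      targetPort: 8080             # port the container actually binds
```

The stock nginx image also writes its pid file and cache to root-owned paths, so the listen port is only one of the settings that needs adapting.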

Challenges in the process
TLS termination and SSL certificates

• 3 ways of serving a certificate to clients
• Re-encrypt: ingress serves certificate and re-encrypts traffic to pod
• Edge: ingress serves certificate but does not re-encrypt
• Passthrough: traffic is passed to pod which handles certificates
• Our NGINX deployment handles letsencrypt certificates automatically
• Requirement: make /admin page accessible only via VPN
• Problem: x-forwarded-for headers do not get passed on to nodes, nginx sees IP of ingress controller
• Workaround: edge termination without automatic certificate renewal
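
The edge-termination workaround as manifests, added here as an illustration (not the speaker's configuration). A router that terminates TLS handles plain HTTP towards the pod and can add X-Forwarded-For, whereas a router that passes TLS through cannot add headers to the encrypted stream. The host name, object names, the uWSGI upstream and both address ranges are placeholders.

```yaml
# Added example: host, names and address ranges are placeholders.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: eventman
spec:
  host: events.example.com
  to:
    kind: Service
    name: nginx
  port:
    targetPort: http                         # named port of the Service
  tls:
    termination: edge                        # router terminates TLS, sees HTTP
    insecureEdgeTerminationPolicy: Redirect  # plain HTTP is redirected to HTTPS
    # certificate/key omitted: the router's default certificate is served
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-admin-acl
data:
  default.conf: |
    server {
        listen 8080;
        # Trust X-Forwarded-For only on connections from the router. The
        # header is ignored for any other peer, so a client cannot claim
        # a VPN address by sending the header itself.
        set_real_ip_from 10.128.0.0/14;      # placeholder: router source range
        real_ip_header   X-Forwarded-For;
        real_ip_recursive on;

        location /admin {
            allow 192.0.2.0/24;              # placeholder: VPN address range
            deny  all;
            include uwsgi_params;
            uwsgi_pass eventman:8000;        # assumed uWSGI upstream
        }
        location / {
            include uwsgi_params;
            uwsgi_pass eventman:8000;
        }
    }
```

If `set_real_ip_from` is wider than the router's real source range, any pod inside that range can forge the header and reach /admin, so keep it as narrow as the cluster allows.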

Challenges in the process
TLS termination and SSL certificates

• My question on stackoverflow is still not fully answered
• https://stackoverflow.com/questions/66473285/x-forwarded-for-headers-lost-when-changing-openshift-route-from-http-to-https

Summary

• Getting started can feel overwhelming
• There are tools that make the transition easier
• Using the GUI first and trying the same at the CLI afterwards is a good way to learn
• Creating a minimal, reproducible example helps to iron out bugs

Photo by Valentín Betancur from Unsplash

Clemens Zauchner
Senior Data Scientist

www.it-ps.at +43 660 92 77 981


clemens.zauchner@it-ps.at

IT-Power Services GmbH


Modecenterstraße 14, 1030 Wien
