OPENSHIFT

Sync Red Hat Container Images on OpenShift 3.9

#sync , #Red Hat , #container , #imagestream

Sync Red Hat Container Images on OpenShift 3.9

If using the default Advanced Installer, and setting the flag to deploy openshift_install_examples [1] in your cluster (or using the default which is true), you will find that the ansible installer adds some nice stuff to your local registry from the openshift_examples [2] folder.

$ oc get is -n openshift
NAME                                               DOCKER REPO                                                                      TAGS                           UPDATED
imagestreams/eap71-openshift                       docker-registry.default.svc:5000/openshift/eap71-openshift                       latest                         3 months ago
imagestreams/httpd                                 docker-registry.default.svc:5000/openshift/httpd                                 2.4,latest                     4 months ago
imagestreams/jboss-amq-62                          docker-registry.default.svc:5000/openshift/jboss-amq-62                          1.1,1.2,1.3 + 4 more...        3 months ago
imagestreams/jboss-amq-63                          docker-registry.default.svc:5000/openshift/jboss-amq-63                          1.2,1.3,1.0 + 1 more...        3 months ago
imagestreams/jboss-datagrid65-client-openshift     docker-registry.default.svc:5000/openshift/jboss-datagrid65-client-openshift     1.1,1.0                        3 months ago
imagestreams/jboss-datagrid65-openshift            docker-registry.default.svc:5000/openshift/jboss-datagrid65-openshift            1.2,1.3,1.4 + 2 more...        3 months ago
imagestreams/jboss-datagrid71-client-openshift     docker-registry.default.svc:5000/openshift/jboss-datagrid71-client-openshift     1.0                            3 months ago
imagestreams/jboss-datagrid71-openshift            docker-registry.default.svc:5000/openshift/jboss-datagrid71-openshift            1.0,1.1,1.2                    3 months ago
imagestreams/jboss-datavirt63-driver-openshift     docker-registry.default.svc:5000/openshift/jboss-datavirt63-driver-openshift     1.0,1.1                        3 months ago
imagestreams/jboss-datavirt63-openshift            docker-registry.default.svc:5000/openshift/jboss-datavirt63-openshift            1.3,1.4,1.0 + 2 more...        3 months ago
imagestreams/jboss-decisionserver62-openshift      docker-registry.default.svc:5000/openshift/jboss-decisionserver62-openshift      1.2                            3 months ago
imagestreams/jboss-decisionserver63-openshift      docker-registry.default.svc:5000/openshift/jboss-decisionserver63-openshift      1.3,1.4                        3 months ago
imagestreams/jboss-decisionserver64-openshift      docker-registry.default.svc:5000/openshift/jboss-decisionserver64-openshift      1.0,1.1,1.2                    3 months ago
imagestreams/jboss-eap64-openshift                 docker-registry.default.svc:5000/openshift/jboss-eap64-openshift                 1.6,1.7,1.1 + 4 more...        3 months ago
imagestreams/jboss-eap70-openshift                 docker-registry.default.svc:5000/openshift/jboss-eap70-openshift                 1.4,1.5,1.6 + 2 more...        3 months ago
imagestreams/jboss-eap71-openshift                 docker-registry.default.svc:5000/openshift/jboss-eap71-openshift                 1.1,TP,1.0-TP                  3 months ago
imagestreams/jboss-processserver63-openshift       docker-registry.default.svc:5000/openshift/jboss-processserver63-openshift       1.3,1.4                        3 months ago
imagestreams/jboss-processserver64-openshift       docker-registry.default.svc:5000/openshift/jboss-processserver64-openshift       1.1,1.2,1.0                    3 months ago
imagestreams/jboss-webserver30-tomcat7-openshift   docker-registry.default.svc:5000/openshift/jboss-webserver30-tomcat7-openshift   1.3,1.1,1.2                    3 months ago
imagestreams/jboss-webserver30-tomcat8-openshift   docker-registry.default.svc:5000/openshift/jboss-webserver30-tomcat8-openshift   1.1,1.2,1.3                    3 months ago
imagestreams/jboss-webserver31-tomcat7-openshift   docker-registry.default.svc:5000/openshift/jboss-webserver31-tomcat7-openshift   1.0,1.1                        3 months ago
imagestreams/jboss-webserver31-tomcat8-openshift   docker-registry.default.svc:5000/openshift/jboss-webserver31-tomcat8-openshift   1.0,1.1                        3 months ago
imagestreams/jenkins                               docker-registry.default.svc:5000/openshift/jenkins                               v3.5,v3.6,v3.7 + 2 more...     4 months ago
imagestreams/jenkins-slave-base-rhel7              registry.access.redhat.com/openshift3/jenkins-slave-base-rhel7                   latest,v3.4,v3.5 + 2 more...   4 months ago
imagestreams/jenkins-slave-image-mgmt              docker-registry.default.svc:5000/openshift/jenkins-slave-image-mgmt              latest                         4 months ago
imagestreams/jenkins2-s2i                          docker-registry.default.svc:5000/openshift/jenkins2-s2i                          latest                         4 months ago
imagestreams/mariadb                               docker-registry.default.svc:5000/openshift/mariadb                               10.1,latest                    4 months ago
imagestreams/mongodb                               docker-registry.default.svc:5000/openshift/mongodb                               3.2,latest,2.4 + 1 more...     4 months ago
imagestreams/mysql                                 docker-registry.default.svc:5000/openshift/mysql                                 5.5,5.6,5.7 + 1 more...        4 months ago
imagestreams/nodejs                                docker-registry.default.svc:5000/openshift/nodejs                                0.10,4,6 + 1 more...           4 months ago
imagestreams/perl                                  docker-registry.default.svc:5000/openshift/perl                                  5.16,5.20,5.24 + 1 more...     4 months ago
imagestreams/php                                   docker-registry.default.svc:5000/openshift/php                                   7.0,latest,5.5 + 1 more...     18 hours ago
imagestreams/postgresql                            docker-registry.default.svc:5000/openshift/postgresql                            latest,9.2,9.4 + 1 more...     4 months ago
imagestreams/python                                docker-registry.default.svc:5000/openshift/python                                3.4,3.5,latest + 2 more...     19 hours ago
imagestreams/redhat-openjdk18-openshift            docker-registry.default.svc:5000/openshift/redhat-openjdk18-openshift            1.0,1.1,1.2                    3 months ago
imagestreams/redhat-sso70-openshift                docker-registry.default.svc:5000/openshift/redhat-sso70-openshift                1.3,1.4                        3 months ago
imagestreams/redhat-sso71-openshift                docker-registry.default.svc:5000/openshift/redhat-sso71-openshift                1.0,1.1,1.2 + 1 more...        3 months ago
imagestreams/redhat-sso72-openshift                docker-registry.default.svc:5000/openshift/redhat-sso72-openshift                1.0                            3 months ago
imagestreams/redis                                 docker-registry.default.svc:5000/openshift/redis                                 3.2,latest                     21 hours ago
imagestreams/ruby                                  docker-registry.default.svc:5000/openshift/ruby                                  latest,2.2,2.3 + 2 more...     21 hours ago

Your list may look a little different, and this list may include more than the default from openshift_examples.

Along the way, you may notice that those images never update. Months go by, and you realize that you are on old containers. Note on the right hand side of the output above that most of these images have not been updated in 3-4 months! A couple of them have been updated manually in a more recent time frame. One day you ask yourself, why? Well, by default we don’t want to push people into making changes they aren’t thinking about. Ideally you have a security pipeline to push base images to production as quickly as possible, separate from any development pipelines. Hopefully that’s a fully automated pipeline. Why not? After all that’s the whole purpose of the platform!

Here are a few steps to get you going toward automatic updates.

Configure imagePolicyConfig in the Master Config to Run a Scheduled Import Process

First, you need to set your ImagePolicyConfig on your masters to handle an update schedule. In your /etc/origin/master/master-config.yaml file it should look like this:

imagePolicyConfig:
  MaxScheduledImageImportsPerMinute: 10
  ScheduledImageImportMinimumIntervalSeconds: 1800
  disableScheduledImport: false
  maxImagesBulkImportedPerRepository: 3

Be sure to restart services on each master after your update:

# systemctl restart atomic-openshift-master-api

If you are setting these variables in your Advanced Installer inventory file [3] it would look like this:

# Configure imagePolicyConfig in the master config
# See: https://godoc.org/github.com/openshift/origin/pkg/cmd/server/api#ImagePolicyConfig
#openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": true}
openshift_master_image_policy_config={"maxImagesBulkImportedPerRepository": 3, "disableScheduledImport": false, "MaxScheduledImageImportsPerMinute": 10, "ScheduledImageImportMinimumIntervalSeconds": 1800}

Then run the playbook to just update your master configs:

# ansible-playbook -i /etc/ansible/hosts /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-master/config.yml

Note that the default setting does not have the scheduled import on!

Configure Existing ImageStreams to Update Automatically

Second, you need to update all your imagestreams to automatically update. Note that the openshift_examples installed by the Advanced Installer only install into your OpenShift environment ONCE. They never get updated. If new templates arrive in subsequent updates, they do get added, and some get removed. But they never get updated! [2] Here is how to change that.

To perform this operation on all imagestreams in the openshift namespace:

$ oc get is -n openshift > openshift-is.json
$ jq '.items[].spec.tags[]? |= if .from.kind == "DockerImage" then .importPolicy.scheduled |= true else . end' openshift-is.json > openshift-is-scheduled.json
$ oc apply -f openshift-is-scheduled.json -n openshift

To perform this operation on just one imagestream, in this example the Redis 3.2 image:

$ oc patch is redis -p '{"spec":{"tags":[{"name":"3.2","importPolicy":{"scheduled":true}}]}}'

Note that the tag "name" must be of kind "DockerImage" and not "ImageStreamTag"! Also note that once you apply the scheduled update to one tag, it will update all tags.

Configure New ImageStreams to Update Automatically

Third, every time a new imagestream is created, you should evaluate whether you want it to automatically update or not. Think of the build implications. Many BuildConfigs trigger on image update. This can be great in a development environment or an automated pipeline where validation tests run. You may not, however, want to trigger a new build and deploy directly on production.

When performing an import-image or oc tag into any namespace, be sure to specify the flag --scheduled=true :

$ oc new-project test
Now using project "test" on server "https://openshift.opencontainer.io:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.
$ oc import-image ruby --from=registry.access.redhat.com/rhscl/ruby-25-rhel7 --confirm --scheduled=true
The import completed successfully.

Name:			ruby
Namespace:		test
Created:		Less than a second ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-07-25T17:44:23Z
Docker Pull Spec:	docker-registry.default.svc:5000/test/ruby
Image Lookup:		local=false
Unique Images:		1
Tags:			1

latest
  updates automatically from registry registry.access.redhat.com/rhscl/ruby-25-rhel7

  * registry.access.redhat.com/rhscl/ruby-25-rhel7@sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
      Less than a second ago

Image Name:	ruby:latest
Docker Image:	registry.access.redhat.com/rhscl/ruby-25-rhel7@sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
Name:		sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
Created:	Less than a second ago
Annotations:	image.openshift.io/dockerLayersOrder=ascending
Image Size:	179.7 MB (first layer 74.92 MB, last binary layer 13.46 MB)
Image Created:	7 days ago
Author:		<none>
Arch:		amd64
Entrypoint:	container-entrypoint
Command:	/bin/sh -c $STI_SCRIPTS_PATH/usage
Working Dir:	/opt/app-root/src
User:		1001
Exposes Ports:	8080/tcp
Docker Labels:	architecture=x86_64
		authoritative-source-url=registry.access.redhat.com
		build-date=2018-07-17T20:14:40.471108
		com.redhat.build-host=osbs-cpt-007.ocp.osbs.upshift.eng.rdu2.redhat.com
		com.redhat.component=rh-ruby25-container
		description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		distribution-scope=public
		io.k8s.description=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		io.k8s.display-name=Ruby 2.5
		io.openshift.expose-services=8080:http
		io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
		io.openshift.tags=builder,ruby,ruby25,rh-ruby25
		io.s2i.scripts-url=image:///usr/libexec/s2i
		maintainer=SoftwareCollections.org <sclorg@redhat.com>
		name=rhscl/ruby-25-rhel7
		release=13
		summary=Platform for building and running Ruby 2.5 applications
		url=https://access.redhat.com/containers/#/registry.access.redhat.com/rhscl/ruby-25-rhel7/images/2.5-13
		usage=s2i build https://github.com/sclorg/s2i-ruby-container.git --context-dir=2.5/test/puma-test-app/ rhscl/ruby-25-rhel7 ruby-sample-app
		vcs-ref=d42ce6d49fe8f63d48e5f54c3e8ca9f64f9c0516
		vcs-type=git
		vendor=Red Hat, Inc.
		version=2.5
Environment:	PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
		container=oci
		SUMMARY=Platform for building and running Ruby 2.5 applications
		DESCRIPTION=Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.
		STI_SCRIPTS_URL=image:///usr/libexec/s2i
		STI_SCRIPTS_PATH=/usr/libexec/s2i
		APP_ROOT=/opt/app-root
		HOME=/opt/app-root/src
		BASH_ENV=/opt/app-root/etc/scl_enable
		ENV=/opt/app-root/etc/scl_enable
		PROMPT_COMMAND=. /opt/app-root/etc/scl_enable
		NODEJS_SCL=rh-nodejs8
		RUBY_MAJOR_VERSION=2
		RUBY_MINOR_VERSION=5
		RUBY_VERSION=2.5
		RUBY_SCL_NAME_VERSION=25
		RUBY_SCL=rh-ruby25
		IMAGE_NAME=rhscl/ruby-25-rhel7
$ oc get is
NAME      DOCKER REPO                                  TAGS      UPDATED
ruby      docker-registry.default.svc:5000/test/ruby   latest    35 seconds ago
$ oc describe is ruby
Name:			ruby
Namespace:		test
Created:		2 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2018-07-25T17:44:23Z
Docker Pull Spec:	docker-registry.default.svc:5000/test/ruby
Image Lookup:		local=false
Unique Images:		1
Tags:			1

latest
  updates automatically from registry registry.access.redhat.com/rhscl/ruby-25-rhel7

  * registry.access.redhat.com/rhscl/ruby-25-rhel7@sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
      2 minutes ago
$ oc get is -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: ImageStream
  metadata:
    annotations:
      openshift.io/image.dockerRepositoryCheck: 2018-07-25T17:44:23Z
    creationTimestamp: 2018-07-25T17:44:23Z
    generation: 1
    name: ruby
    namespace: test
    resourceVersion: "37153060"
    selfLink: /oapi/v1/namespaces/test/imagestreams/ruby
    uid: 5e0e659f-9032-11e8-a295-001a4a160161
  spec:
    lookupPolicy:
      local: false
    tags:
    - annotations: null
      from:
        kind: DockerImage
        name: registry.access.redhat.com/rhscl/ruby-25-rhel7
      generation: 1
      importPolicy:
        scheduled: true
      name: latest
      referencePolicy:
        type: Source
  status:
    dockerImageRepository: docker-registry.default.svc:5000/test/ruby
    tags:
    - items:
      - created: 2018-07-25T17:44:23Z
        dockerImageReference: registry.access.redhat.com/rhscl/ruby-25-rhel7@sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
        generation: 1
        image: sha256:0abd18c56a95d7bd181aa9945e44ff6c99e69d9241e61fa3efc5292a64d63850
      tag: latest
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

For further reading:

Managing Automatic ImageStream Updates in OpenShift

https://docs.openshift.com/container-platform/3.9/install_config/install/advanced_install.html

Image Configuration Parameters https://docs.openshift.com/container-platform/3.9/install_config/master_node_configuration.html#master-config-image-config

https://docs.openshift.com/container-platform/3.9/admin_guide/image_policy.html

See imagePolicyConfig on https://docs.openshift.com/container-platform/3.9/admin_solutions/master_node_config.html

See --scheduled=true flag on https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#adding-tag https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#importing-tag-and-image-metadata