The templates part of this github project can be used to install JFrog Xray on OpenShift Container Platform.
These templates have been tested with OpenShift Container Platform 3.6 (single node) and latest version of oc cli (3.7.14).
4 step process to install JFrog Xray -
- Setup persistent volumes
- Create a project, service account and assign a SCC policy to the service account that will allow RW operations to the PV.
- Deploy templates (ConfigMaps, PersistentVolumeClaims, ImageStreams, DeploymentConfig)
- Create Routes to access JFrog Xray
There are at least two ways to setup persistent volume -
As part of this architecture, all Xray and third party microservices uses NFS as persistent volume.
The files below can be used as a reference:
Note: It is recommended to use an NFS server where the ulimit can be set (or is already set) to a higher number. Example - in EFS, the number of open files is only 37k and is not configurable.
As part of this architecture, all Xray microservices uses NFS and each third party microservice can use EBS or persistent disks.
The files below can be used as a reference:
It is recommended to setup a high nofile limit by updating /etc/security/limits.conf file. At the docker daemon and node level, this number is set to a higher value. But make sure that this value is set to a high number on the file system side.
For more information about ulimits, refer here.
Make sure that Xray user (UID 1035) is the owner of the root path used to create xray-data-pv volume.
oc new-project test-proj-2
oc create serviceaccount xray-user
This service account will be referred in the DeploymentConfig of Xray microservices.
Xray docker images require root access.
One way to achieve this in OpenShift is to assign a scc that has 'RUNASUSER' policy set as 'RunAsAny'.
OpenShift has builtin scc called 'anyuid' that can be used.
To assign scc to the service account use following command -
oc adm policy add-scc-to-user $POLICY_NAME -z $SERVICE_ACCOUNT
Example for 'anyuid' scc will be as follows:
oc adm policy add-scc-to-user anyuid -z xray-user
Also, ssc linked to the service account should have ReadWrite access to the persistent volume type being used. Example persistent volume types are 'nfs', 'awsElasticBlockStore'.
-
Update PARAMETERS_FILE. This file includes key value pairs required to install Xray.
-
The templates are configured with base requirements. It is recommended to increase CPU, memory, disk limits based on your scale.
-
Make sure that the project (namespace) exists and the username has the right SCC policy to be able to do RW operations on the PVs.
-
Once the templates are updated, run the xray-wrapper script. The xray-wrapper.sh script creates ConfigMaps, PersistentVolumeClaims, ImageStreams and the DeploymentConfig templates of Xray and third party microservices.
./xray-wrapper.sh $USERNAME $PARAMETERS_FILE
- Create a route to access JFrog Xray UI by selecting 'server' as a 'Service' -
JFrog Xray UI can be accessed using this route. During the first login, there will be an onboarding wizard.
- Create a route to access RabbitMQ console (to troubleshoot any issue) -
# Login
oc login -u username
# Switch to the correct project or namespace
oc project $NAMESPACE
# Add ImageStreamTag that corresponds to new Xray version.
oc process -f xray-imagestream.yaml -p NAMESPACE=$NAMESPACE -p XRAY_VERSION=$XRAY_TO_VERSION | oc replace -f -
# Update xray-upgrade.sh
Set XRAY_TO_VERSION to point to a newer version
# Execute the upgrade script
./xray-upgrade.sh
The upgrade script stops all Xray microservices, update ImageTrigger to point to the new version of Xray and then starts all Xray microservices.
The new Xray version is set in xray-upgrade.sh script.
Note that the value of automatic in ConfigTrigger will be set to false after running the upgrade script.
*Note: event microservice has been deprecated in version 2.0.0. If you are upgrading from a previous version, delete the xray-event DeploymentConfig before running the upgrade script.
oc logs podName -c init-xray
Update etc/security/limits.conf file and add following two lines
0:1040 hard nofile 100000
0:1040 soft nofile 100000
- JFrog Xray supports offline DB sync
- The offline DB sync command downloads files from jxray and bintray. These files can be copied to the PV.
- The best approach will be the usage of a sidecar container pattern that shares the same PVC as Xray microservice and copies the data directly to volume.
Update DOCKER_REGISTRY value in PARAMETERS_FILE to point to Artifactory's docker registry
Credentials of MongoDB, RabbitMQ and PostGres can be modified by following these instructions