diff --git a/doc/source/managing.rst b/doc/source/managing.rst
index fc9acc1..cf409f3 100644
--- a/doc/source/managing.rst
+++ b/doc/source/managing.rst
@@ -1,33 +1,55 @@ Managing the registry ===================== -.. warning:: Fleshing out this documentation is a work in progress. +.. warning:: This should eventually be automated, see + https://github.com/rdo-infra/rdo-container-registry/issues/1 .. note:: These operations are done directly on the master :: - # Grant superuser privileges to a user once he has logged in at least once - # https://docs.openshift.com/container-platform/3.5/admin_guide/manage_authorization_policy.html - oc policy add-role-to-user cluster-admin dmsimard + # Grant superuser privileges to a user (doesn't require the user to login before applying) + oadm policy add-cluster-role-to-user cluster-admin dmsimard - # Create project - oc new-project tripleo \ - --description="TripleO container images for trunk and continuous integration" \ - --display-name="TripleO container images" + # Create projects + oc new-project master \ + --description="TripleO container images for trunk and continuous integration for OpenStack 'master'" \ + --display-name="TripleO container images for 'master'" - # Create service account, make it admin of the project - oc create serviceaccount tripleo.service -n tripleo - oc policy add-role-to-user admin system:serviceaccount:tripleo:tripleo.service -n tripleo + oc new-project pike \ + --description="TripleO container images for trunk and continuous integration for OpenStack 'pike'" \ + --display-name="TripleO container images for 'pike'" - # Retrieve service account token for image pushes (for CI and things like that) - oc describe serviceaccount tripleo.service -n tripleo - oc describe secret tripleo.service-token- -n tripleo + # Allow authenticated users to browse the projects + # Note: + # - https://github.com/cockpit-project/cockpit/issues/6711 + # - https://github.com/openshift/origin/issues/14381 + oc policy add-role-to-group registry-viewer system:authenticated -n master + oc policy add-role-to-group registry-viewer system:authenticated -n pike - # Allow 
authenticated users to browse the TripleO project - # Note: https://github.com/cockpit-project/cockpit/issues/6711 - oc policy add-role-to-group registry-viewer system:authenticated -n tripleo - - # Allow unauthenticated users to pull images from the TripleO project + # Allow unauthenticated users to pull images from the projects # (Anonymous, public access to registry, not the actual console) - oc policy add-role-to-group registry-viewer system:unauthenticated -n tripleo + oc policy add-role-to-group registry-viewer system:unauthenticated -n master + oc policy add-role-to-group registry-viewer system:unauthenticated -n pike + + # Create service account, make it admin of the projects + oc create serviceaccount tripleo.service -n default + + # Add permissions for the service account to push and pull images + oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n master + oc policy add-role-to-user system:image-builder system:serviceaccount:default:tripleo.service -n pike + + # Retrieve service account token for image pushes, for example when doing CI + oc describe serviceaccount tripleo.service -n default + oc describe secret tripleo.service-token- -n default + + # Create a service account with exclusive rights to image pruning + oc create serviceaccount rdo.pruner -n default + oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:rdo.pruner -n default + +More reading +~~~~~~~~~~~~ + +- https://docs.openshift.com/container-platform/latest/admin_guide/manage_authorization_policy.html +- https://docs.openshift.com/container-platform/latest/dev_guide/projects.html +- https://docs.openshift.com/container-platform/latest/admin_guide/service_accounts.html diff --git a/doc/source/troubleshooting.rst b/doc/source/troubleshooting.rst index 7be688b..6d848dc 100644 --- a/doc/source/troubleshooting.rst +++ b/doc/source/troubleshooting.rst 
@@ -5,20 +5,24 @@ Troubleshooting the registry :: - # Logs for the origin-master process - journalctl -u origin-master --follow + # Logs for the OpenShift processes + journalctl -u origin-master-api --follow + journalctl -u origin-master-controllers --follow + journalctl -u origin-node --follow # Note, commands using -n default is to select from the default namespace - # List routes, pods and services + # List routes, pods, services and deployment configurations oc get routes -n default oc get pods -n default oc get svc -n default + oc get dc -n deault # Dump configuration of things oc export routes -n default -o yaml |less oc export pods -n default -o yaml |less oc export svc -n default -o yaml |less + oc export dc -n default -o yaml |less # Follow logs from running pods oc get pods -n default @@ -28,5 +32,16 @@ Troubleshooting the registry oc get pods -n default oc exec -n default (ex: oc exec -n default docker-registry-1-xgxqb ls) + # Get a shell on a running pod + oc get pods -n default + oc rsh -n default (ex: oc rsh docker-registry-1-xgxqb -n default) + # Look at policies and permissions for a project oc get rolebindings -n project + + # If authentication on the master node doesn't seem right + # You might be logged on as a different user + oc whoami + oc login -u system:admin --config=/etc/origin/master/admin.kubeconfig + oadm config get-contexts + oadm config use-context default/192-168-1-17:8443/system:admin