IBM Security Verify

 View Only

Build your own: Verify Access on OpenShift

By Jon Harry posted Thu December 05, 2019 03:11 AM

  

Introduction

In my previous post, I described how to build your own Centos 7 system, with Docker (and docker-compose) installed, so that you could run an IBM Security Verify Access system using containers.

This post extends that system so that you can explore deployment of Verify Access on Red Hat OpenShift.  Actually this post installs OKD (a.k.a OpenShift Origin) which is the Open Source upstream version of OpenShift 3.11.

OpenShift is an orchestration technology which provides a common container management layer, and a set of common services, that are consistent no matter where it is installed.  OpenShift can be deployed in any cloud or private data center infrastructure where Linux VMs can be deployed.  Some cloud providers (such as IBM and Red Hat) also offer OpenShift clusters as a service.

This post provides step-by-step instructions for installing and starting a single node OKD cluster on your test system using the built-in capabilities of the OKD v3.11 "oc" tool.  Once you have completed the steps in this post, you’ll be able to use my Verify Access with OpenShift cookbook.

Pre-requisites

This post assumes that you already have a Centos 7 system set up.  Instructions for this are in my previous post.  For my environment, I used a virtual machine running under VMWare but you could use a different hypervisor or a physical machine.  For my virtual machine I used these settings:

  • Minimum 8GB Memory
  • Minimum 30GB Disk
  • Minimum 4 CPUs

This blog assumes you have a standard user account.  I created a standard user with username of demouser but you can choose your own name.  You will also need root access for the installation steps.

Install oc command-line client

OpenShift clusters are managed using a REST API. The  oc utility provides a command-line client for this REST API.

As root, enter the following command to install the oc utility and set up command completion:

curl -L https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz | tar -xzC /usr/local/share && ln -s /usr/local/share/openshift*/oc /usr/local/bin

echo "source <(oc completion bash)" >> /etc/bashrc

Configure Docker for local (insecure) Registry

An OpenShift cluster includes a local registry where images are staged for deployment.  In order for the underlying Docker system to be able to use this registry, it must be specified as an allowed insecure registry.

As root, enter the following commands to allow the insecure local registry and restart the Docker daemon:

cat <<EOF > /etc/docker/daemon.json
{
"insecure-registries" : ["172.30.0.0/16"]
}
EOF

systemctl restart docker.service

Configure Firewall

In order for services within the OpenShift cluster to be able to communicate, the Firewall must be configured to permit the necessary traffic.

As root, enter the following commands:

DOCKER_BRIDGE=`docker network inspect -f "{{range .IPAM.Config }}{{ .Subnet }}{{end}}" bridge`
sudo firewall-cmd --permanent --new-zone dockerc
sudo firewall-cmd --permanent --zone dockerc --add-source $DOCKER_BRIDGE
sudo firewall-cmd --permanent --zone dockerc --add-port={80,443,8443}/tcp
sudo firewall-cmd --permanent --zone dockerc --add-port={53,8053}/udp
sudo firewall-cmd --reload

Start OKD cluster for the first time

As the standard user, enter the following command to start OKD cluster for the first time.  It's a good idea to specify the base-dir during startup otherwise the cluster working directory will be created in current directory:

oc cluster up --base-dir ~/openshift.local.clusterup

This first start can take several minutes as assets are downloaded from the internet to initialize the OKD cluster.

If start is successful, the following message is shown:

Login to server ...
Creating initial project "myproject" ...
Server Information ...
OpenShift server started.

The server is accessible via web console at:
https://127.0.0.1:8443

You are logged in as:
User: developer
Password: <any value>

To login as administrator:
oc login -u system:admin

The OKD cluster is now ready for use.

Stop cluster to release memory

If you're not going to use it right away, you can now stop the cluster to reduce CPU and memory usage:

oc cluster down

Add entries to /etc/hosts

If you haven't added these entries already, as root, enter the following command to add a couple of static host mappings:

cat <<EOF >> /etc/hosts
127.0.0.2 lmi.iamlab.ibm.com
127.0.0.3 www.iamlab.ibm.com
EOF

Congratulations! You now have a working OKD environment in which you can explore installation of IBM Security Verify Access using OpenShift.

0 comments
44 views

Permalink