Wednesday, 25 April 2018

Hmm, SPNEGO not playing nicely THIS TIME

So I'm seeing a blank screen where I should be seeing a BPM Process Portal, and am seeing this in the AppCluster logs: -


...
[25/04/18 13:53:12:228 BST] 00000194 ServerCache   I   DYNA1001I: WebSphere Dynamic Cache instance named ws/WSSecureMapNotShared initialized successfully.
[25/04/18 13:53:12:230 BST] 00000194 ServerCache   I   DYNA1071I: The cache provider "default" is being used.
[25/04/18 13:53:12:617 BST] 00000194 ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [IBM_BPM_Repository_AppCluster] [/ProcessCenter] [/login.jsp]: Initialization successful.
[25/04/18 13:53:12:983 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 13:56:25:739 BST] 00000194 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/AppSrv01/logs/ffdc/AppClusterMember1_a6b879bd_18.04.25_13.56.25.7281859129348691234731.txt com.ibm.ws.ssl.channel.impl.SSLReadServiceContext 192
[25/04/18 13:56:35:615 BST] 00000194 ServletWrappe I com.ibm.ws.webcontainer.servlet.ServletWrapper init SRVE0242I: [IBM_BPM_Repository_AppCluster] [/ProcessCenter] [/welcome.jsp]: Initialization successful.
[25/04/18 13:56:35:941 BST] 00000194 ServerCredent I com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer CWSPN0016I: Ready to process host: bpm857.uk.ibm.com.
[25/04/18 13:56:35:942 BST] 00000194 TrustAssociat I com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl initialize CWSPN0006I: SPNEGO Trust Association Interceptor initialization is complete. Configuration follows:
        SPNEGO Web Authentication:
        enabled = true
        dynamically update = true
        allowAppAuthMethodFallback = false
        krb5Config = /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf
        krb5Keytab = /home/wasadmin/bpm857.keytab
        Server configuration:
        Kerberos ServicePrincipalName=HTTP/bpm857.uk.ibm.com@UK
        com.ibm.ws.security.spnego.SPN.filter=null
        com.ibm.ws.security.spnego.SPN.filterClass=com.ibm.ws.security.spnego.HTTPHeaderFilter@f1c79289
        com.ibm.ws.security.spnego.SPN.NTLMTokenReceivedPage=null
        com.ibm.ws.security.spnego.SPN.spnegoNotSupportedPage=null
        cannonicalSupport=true
[25/04/18 13:56:36:062 BST] 00000194 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..

[25/04/18 13:56:36:135 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 13:57:07:953 BST] 00000194 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..

[25/04/18 13:58:23:688 BST] 00000194 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..

[25/04/18 13:58:23:745 BST] 00000194 WebContainer  E com.ibm.ws.webcontainer.internal.WebContainer handleRequest SRVE0255E: A WebGroup/Virtual Host to handle /favicon.ico has not been defined.
[25/04/18 14:16:39:148 BST] 00000194 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..
...

Now last time I saw this, the two boxes ( BPM on Linux and Active Directory on Windows ) were out-of-sync.

This time, Windows says this: -


and Linux says this: -

date

Wed 25 Apr 14:18:31 BST 2018

which is pretty close.

However, given that this all worked before I suspended/reawakened my VMs, I restarted the AppCluster.

Alas, this made no difference.

So I then rebooted the Windows VM …

Alas, this made no difference.

So I then rebooted the Linux VM …

And then restarted the Deployment Environment….

But still this …

...
[25/04/18 14:56:20:090 BST] 00000172 ServerCredent I com.ibm.ws.security.spnego.ServerCredentialsFactory initializeServer CWSPN0016I: Ready to process host: bpm857.uk.ibm.com.
[25/04/18 14:56:20:091 BST] 00000172 TrustAssociat I com.ibm.ws.security.spnego.TrustAssociationInterceptorImpl initialize CWSPN0006I: SPNEGO Trust Association Interceptor initialization is complete. Configuration follows:
SPNEGO Web Authentication:
enabled = true
dynamically update = true
allowAppAuthMethodFallback = false
krb5Config = /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf
krb5Keytab = /home/wasadmin/bpm857.keytab
Server configuration:
Kerberos ServicePrincipalName=HTTP/bpm857.uk.ibm.com@UK
com.ibm.ws.security.spnego.SPN.filter=null
com.ibm.ws.security.spnego.SPN.filterClass=com.ibm.ws.security.spnego.HTTPHeaderFilter@becc3490
com.ibm.ws.security.spnego.SPN.NTLMTokenReceivedPage=null
com.ibm.ws.security.spnego.SPN.spnegoNotSupportedPage=null
cannonicalSupport=true
[25/04/18 14:56:20:168 BST] 00000172 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..

...

So, rather than trialling and erring, I switched on some debugging, via these two JVM Custom Properties: -

com.ibm.security.jgss.debug = all
com.ibm.security.krb5.Krb5Debug = all

for the AppCluster JVM, and saw this: -

...
[25/04/18 16:32:55:885 BST] 0000014b SystemOut     O [KRB_DBG_CRYP] Rc4HMac:WebContainer : 0:   Checksum arrays = [B@ce870b1e newchecksum:[B@600dad29
[25/04/18 16:32:55:917 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 Error authenticating request. Reporting to client
Major code = 11, Minor code = 0
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: Checksum error; received checksum does not match computed checksum
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: wrap the response data to a gss token
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: no response token
[25/04/18 16:32:55:918 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: target accept incomplete
[25/04/18 16:32:55:922 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 >>SPNEGO: target select preferred mechanism
[25/04/18 16:32:55:923 BST] 0000014b SystemOut     O [JGSS_DBG_CTX]  WebContainer : 0 com.ibm.security.jgss.spnego2478 = false
[25/04/18 16:32:55:924 BST] 0000014b Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..
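
Added example (not part of the original post, and not IBM code): the bytes dumped with each CWSPN0011E entry form a complete DER structure, and decoding them shows a SPNEGO NegTokenResp (RFC 4178) whose negState is accept-incomplete and which carries no response token, matching the JGSS debug lines above. The function and constant names are this example's own.

```python
import re

# The hex dump exactly as it appears in the CWSPN0011E entries on this page.
LOG_EXCERPT = """\
[25/04/18 13:56:36:062 BST] 00000194 Context       E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000:  a1143012 a0030a01 01a10b06 092a8648    ..0. .... .... .*.H
0010:  82f71201 0202                          .... ..
"""

NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def hexdump_to_bytes(text):
    """Join the hex columns of 'OFFS:  xxxxxxxx ...' lines, ignoring the ASCII column."""
    groups = re.findall(r"\b[0-9a-f]{4}:\s+((?:[0-9a-f]{2,8} )+)", text)
    return bytes.fromhex("".join(groups).replace(" ", ""))


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def decode_neg_token_resp(token):
    """Decode a SPNEGO NegTokenResp: [1] SEQUENCE { negState, supportedMech, ... }."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp (expected context tag [1])")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("NegTokenResp does not contain a SEQUENCE")
    out = {"negState": None, "supportedMech": None, "mechName": None, "responseTokenLen": 0}
    pos = 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        _, value, _ = read_tlv(inner, 0)
        if ctx == 0xA0:    # negState ENUMERATED
            out["negState"] = NEG_STATES.get(value[0], "unknown(%d)" % value[0])
        elif ctx == 0xA1:  # supportedMech OBJECT IDENTIFIER
            out["supportedMech"] = decode_oid(value)
            out["mechName"] = MECH_NAMES.get(out["supportedMech"], "unknown")
        elif ctx == 0xA2:  # responseToken OCTET STRING
            out["responseTokenLen"] = len(value)
    return out


if __name__ == "__main__":
    print(decode_neg_token_resp(hexdump_to_bytes(LOG_EXCERPT)))
```
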


I dug around and around and around, and then found this: -


which said, in part: -

The password used when generating the keytab file with ktpass does not match the password assigned to the service account. When the password changes you should regenerate and redistribute the keys, even if it is reset to the same password.

In addition, the ktpass tool might generate a keytab file with a non-matching password as in the following cases:
• If the password entered to ktpass matches the password for the service account, then the produced keytab file does work.
• If the password entered to ktpass does not match the password for the service account, and is less than 7 characters in length, ktpass stops and does not produce a keytab file.
• If the password entered to ktpass does not match the password for the service account, and is greater than 6 characters in length, ktpass does not stop. Instead, it produces a keytab file containing an invalid key. Use of this key to decrypt a SPNEGO token produces the checksum error previously listed.

Use a non-null password for the service account, and then use that password when invoking ktpass.

which reminded me of this post FROM MY OWN DARN BLOG: -


where I wrote about how using ktpass with the WRONG password had broken my WAS -> LDAP bind account.

Which made me think ….

So I regenerated the keytab WITH THE RIGHT PASSWORD: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL

and then placed the new keytab back into WAS: -

as referenced in the krb5.conf file: -

cat /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf

[libdefaults]
default_realm = UK.IBM.COM
default_keytab_name = FILE:/home/wasadmin/bpm857.keytab
default_tkt_enctypes = des3-cbc-sha1
default_tgs_enctypes = des3-cbc-sha1
forwardable  = true
renewable  = true
noaddresses = true
clockskew  = 300
[realms]
UK.IBM.COM = {
kdc = ad2012.uk.ibm.com.com:88
default_domain = uk.ibm.com
}
[domain_realm]
.uk.ibm.com = UK.IBM.COM


So that was fun.

In solving one problem, I caused another.

But I learned yet more about the way that SPNEGO works, and how to debug it when things go wrong ( cough ).

As ever, every day is a school day.

Monday, 23 April 2018

WAS and AD and SPNEGO - Oops, I broke my LDAP

In the process of setting up Single Sign-On (SSO) between Microsoft Active Directory 2012 and WebSphere Application Server, I inadvertently broke my directory ….

Having run this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

I then saw this: -

[23/04/18 15:29:16:636 BST] 00000104 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.
[23/04/18 15:29:16:637 BST] 00000104 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.

...
[23/04/18 15:53:02:425 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.
[23/04/18 15:53:02:426 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext 
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.

...

and this in the browser: -


What did I do wrong ?

Well, when I ran this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

to generate the Kerberos keytab, I used the WRONG password :-(

This meant that, when Kerberos attempted to kick in and log me in, using the Service Account UK\bpmbind, it did so with the wrong password, causing Windows to lock the account.

Once I reset the password back to the PROPER password, things proceeded more smoothly ….

In other words, I reset the password in Windows back to the same password that WAS was using to bind to AD via LDAP.

I did then go and regenerate the keytab using the CORRECT password :-)

List the Service Principal Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
        HTTP/bpm857.uk.ibm.com


Delete the "bad" one

setspn -d HTTP/bpm857.uk.ibm.com bpmbind

Unregistering ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com
        HTTP/bpm857.uk.ibm.com
Updated object


Recreate the keytab AND create a new SPN

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: was90box.uk.ibm.com
Successfully mapped HTTP/bpm857.uk.ibm.com to bpmbind.
Password successfully set!
Key created.
Output keytab to bpm857.keytab:
Keytab version: 0x502
keysize 60 HTTP/bpm857.uk.ibm.com@UK ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x17 (RC4-HMAC) keylength 16 (0xd35a1de683986444c22c35127a44b349)

List the Service Principal Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
        HTTP/bpm857.uk.ibm.com

Nice :-)
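
Added example (not part of the original post, and not IBM or Microsoft code): ktpass reported an RC4-HMAC (etype 0x17) key above, and for that enctype the key is the MD4 hash of the UTF-16LE password, so a keytab can be checked against the intended service-account password before it is copied to the server. The keytab bytes and both passwords are constructed for the example, and the function names are this example's own.

```python
import hmac
import struct


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    round3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:
                f = ((b & c) | (b & d) | (c & d)) + 0x5A827999
                k, s = (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:
                f, k, s = (b ^ c ^ d) + 0x6ED9EBA1, round3[j], (3, 9, 11, 15)[j % 4]
            a, b, c, d = d, rol((a + f + x[k]) & mask, s), b, c
        state = [(v + w) & mask for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC (etype 23) string-to-key: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le"))


def counted(rec, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(blob: bytes):
    """Parse a version 0x502 keytab into dicts of principal, kvno, etype and key."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = counted(rec, off)
            parts.append(part.decode())
        _name_type, _timestamp, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        key, off = counted(rec, off + 11)
        if len(rec) - off >= 4:            # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append({"principal": "/".join(parts) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "key": key})
    return entries


def build_entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialise one keytab record (used here only to construct sample input)."""
    name, realm = principal.rsplit("@", 1)
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = name.split("/")
    body = struct.pack(">H", len(parts)) + cs(realm.encode())
    body += b"".join(cs(p.encode()) for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body


def keytab_matches_password(blob, principal, password):
    """True if an RC4-HMAC key stored for `principal` was derived from `password`."""
    keys = [e["key"] for e in parse_keytab(blob)
            if e["principal"] == principal and e["etype"] == 23]
    if not keys:
        raise LookupError("no RC4-HMAC entry for " + principal)
    expected = nt_hash(password)
    return any(hmac.compare_digest(k, expected) for k in keys)


# Constructed sample: the principal and kvno are the ones ktpass printed on this page;
# both passwords are made up for the example.
SPN = "HTTP/bpm857.uk.ibm.com@UK"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 9, 23, nt_hash("Constructed-Passw0rd"))

if __name__ == "__main__":
    for candidate in ("Constructed-Passw0rd", "constructed-passw0rd"):
        print(candidate, keytab_matches_password(SAMPLE_KEYTAB, SPN, candidate))
```

The check covers etype 23 only; AES keys are salted with the realm and principal name and need a different derivation.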

Kerberos Key Distribution Centre (KDC) Encryption Types

I'm tinkering with Kerberos and SPNEGO again, in the context of integrating WebSphere Application Server (WAS) and Active Directory together.

This time I'm using WAS 8.5.5.13 and AD 2012.

Looking at the command that generates the Kerberos configuration within WAS: -

AdminTask.createKrbConfigFile("[-krbPath /opt/ibm/WebSphere/AppServer/java/jre/lib/security/krb5.conf -realm UK.IBM.COM -kdcHost ad2012.uk.ibm.com.com -dns uk.ibm.com -keytabPath /home/wasadmin/bpm857.keytab -encryption des3-cbc-sha1]")

I started to wonder about the -encryption switch: -



Looking here: -


prompted me to dig into Windows a bit more.

As per the above link, one place to check the supported Encryption Types is the User Account: -


so, if I so choose, I can lock down the encryption types in one of many ways ...

Thursday, 12 April 2018

IBM Cloud Private and IBM Cloud Automation Manager - Some videos

On IBM developerWorks here: -


Use CAM to deploy Websphere Liberty into AWS

Deploy MQ topologies into IBM Cloud Private using Cloud Automation Manager

Add UCD application components to an existing CAM library template

Service composition in IBM's Cloud Automation Manager

Edit, publish, and deploy a template using Template Designer

Edit existing templates using Template Designer

Create and publish a new template using IBM CAM Template Designer

Installing IBM Cloud Automation Manager Community Edition


IBM Cloud Private - More on using Helm and Kubectl to create, upload, install and use applications

Following my earlier post: -


here's some more about using Helm and Kubectl to drive IBM Cloud Private 2.1.0.2.

Enjoy :-)

Install and Use IBM Cloud CLI / Helm / Kube on icpboot Ubuntu box ( as root )

Download the required ICP Plugin for the IBM Cloud CLI


Resolving icpboot.uk.ibm.com (icpboot.uk.ibm.com)... 192.168.1.100
Connecting to icpboot.uk.ibm.com (icpboot.uk.ibm.com)|192.168.1.100|:8443... connected.
WARNING: cannot verify icpboot.uk.ibm.com's certificate, issued by 'CN=mycluster.icp':
  Self-signed certificate encountered.
    WARNING: certificate common name 'mycluster.icp' doesn't match requested host name 'icpboot.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 20746952 (20M) [application/octet-stream]
Saving to: 'icp-linux-amd64'

icp-linux-amd64                                                     100%[===================================================================================================================================================================>]  19.79M  43.1MB/s    in 0.5s

2018-04-12 02:20:55 (43.1 MB/s) - 'icp-linux-amd64' saved [20746952/20746952]

Install the Plugin

bx plugin install icp-linux-amd64

Installing binary...
OK
Plug-in 'icp 2.1.182' was successfully installed into /root/.bluemix/plugins/icp. Use 'bx plugin show icp' to show its details.

Validate plugins

bx plugin list

Listing installed plug-ins...

Plugin Name   Version
icp           2.1.182

Download the required version of Helm from ICP


Resolving icpboot.uk.ibm.com (icpboot.uk.ibm.com)... 192.168.1.100
Connecting to icpboot.uk.ibm.com (icpboot.uk.ibm.com)|192.168.1.100|:8443... connected.
WARNING: cannot verify icpboot.uk.ibm.com's certificate, issued by 'CN=mycluster.icp':
  Self-signed certificate encountered.
    WARNING: certificate common name 'mycluster.icp' doesn't match requested host name 'icpboot.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 68393980 (65M) [application/octet-stream]
Saving to: 'helm'

helm                                                                100%[=================================================================================================================================================================>]  65.22M  11.8MB/s    in 5.3s

2018-04-10 02:10:08 (12.2 MB/s) - 'helm' saved [68393980/68393980]

Validate the download

ls -al helm

-rw-r--r-- 1 root root 68393980 Mar  5 15:01 helm

Set exec permission

chmod a+x helm

Move into local path

mv ./helm /usr/local/bin/

Log into ICP via the IBM Cloud CLI

bx pr login -a https://mycluster.icp:8443 --skip-ssl-validation -c id-mycluster-account -u admin -p admin

Authenticating...
OK

Targeted account: mycluster Account (id-mycluster-account)

List Clusters

bx pr clusters

Name        ID                                 State      Created                    Masters   Workers   Datacenter
mycluster   00000000000000000000000000000001   deployed   2018-04-10T15:18:16+0000   1         2         default

Configure Cluster ( this creates necessary TLS configuration for Helm )

bx pr cluster-config mycluster

Configuring kubectl: /root/.bluemix/plugins/icp/clusters/mycluster/kube-config
Cluster "mycluster" set.
Cluster "mycluster" set.
User "mycluster-user" set.
Context "mycluster-context" created.
Context "mycluster-context" modified.
Switched to context "mycluster-context".

OK
Cluster mycluster configured successfully.

Check Helm version ( with TLS )

helm version --tls

Client: &version.Version{SemVer:"v2.7.2+icp", GitCommit:"d41a5c2da480efc555ddca57d3972bcad3351801", GitTreeState:"dirty"}
Server: &version.Version{SemVer:"v2.7.2+icp", GitCommit:"d41a5c2da480efc555ddca57d3972bcad3351801", GitTreeState:"dirty"}

Create a Sample Helm Chart

helm create demoapp

- Creates demoapp in home directory e.g. ~/demoapp

Add required values to values.yaml

vi ~/demoapp/values.yaml 

Append: -

fullnameOverride: ""
nameOverride: ""


Validate the new Helm Chart's format

helm lint --strict demoapp

==> Linting demoapp
[INFO] Chart.yaml: icon is recommended

1 chart(s) linted, no failures

Package the Chart

helm package demoapp ; ls -l d*.tgz

Successfully packaged chart and saved it to: /home/hayd/demoapp-0.1.0.tgz
-rw-r--r-- 1 root root 2581 Apr 10 09:14 demoapp-0.1.0.tgz

Log into ICP via the IBM Cloud CLI

bx pr login -a https://mycluster.icp:8443 --skip-ssl-validation -c id-mycluster-account -u admin -p admin

Upload the new Chart

bx pr load-helm-chart --archive demoapp-0.1.0.tgz --clustername mycluster.icp

Loading helm chart
OK

Synch charts
  {"message":"synch started"}
OK

Check Helm Repo


Resolving icpboot.uk.ibm.com (icpboot.uk.ibm.com)... 192.168.1.100
Connecting to icpboot.uk.ibm.com (icpboot.uk.ibm.com)|192.168.1.100|:8443... connected.
WARNING: cannot verify icpboot.uk.ibm.com's certificate, issued by 'CN=mycluster.icp':
  Self-signed certificate encountered.
    WARNING: certificate common name 'mycluster.icp' doesn't match requested host name 'icpboot.uk.ibm.com'.
HTTP request sent, awaiting response... 200 OK
Length: 354 [application/x-yaml]
Saving to: 'index.yaml'

index.yaml                                         100%[================================================================================================================>]     354  --.-KB/s    in 0s

2018-04-10 09:29:52 (72.6 MB/s) - 'index.yaml' saved [354/354]

cat index.yaml

apiVersion: v1
entries:
  demoapp:
    -
      apiVersion: v1
      created: '2018-04-10T16:24:55.459Z'
      description: 'A Helm chart for Kubernetes'
      digest: '-1'
      name: demoapp
      urls:
      version: 0.1.0
generated: '2018-04-10T16:24:55.459Z'

Search Repo

helm search -l|grep -i demo

local/demoapp                        0.1.0        1.0                         A Helm chart for Kubernetes

Install Helm Chart

helm install --name mydemoapp demoapp --tls

NAME:   mydemoapp
LAST DEPLOYED: Thu Apr 12 02:41:09 2018
NAMESPACE: default
STATUS: DEPLOYED

RESOURCES:
==> v1/Service
NAME       TYPE       CLUSTER-IP  EXTERNAL-IP  PORT(S)  AGE
mydemoapp  ClusterIP  10.0.0.17   <none>       80/TCP   0s

==> v1beta2/Deployment
NAME       DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
mydemoapp  1        1        1           0          0s


NOTES:
1. Get the application URL by running these commands:
  export POD_NAME=$(kubectl get pods --namespace default -l "app=demoapp,release=mydemoapp" -o jsonpath="{.items[0].metadata.name}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl port-forward $POD_NAME 8080:80

List Deployed Charts

helm list --tls

 NAME     REVISION UPDATED                 STATUS  CHART        NAMESPACE
 mydemoapp 1       Thu Apr 12 02:41:09 2018 DEPLOYED demoapp-0.1.0 default

Get the Deployment Details

kubectl get deployments mydemoapp

NAME        DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
mydemoapp   1         1         1            1           47m

kubectl describe deployment mydemoapp

Name:                   mydemoapp
Namespace:              default
CreationTimestamp:      Thu, 12 Apr 2018 02:41:09 -0700
Labels:                 app=demoapp
                        chart=demoapp-0.1.0
                        heritage=Tiller
                        release=mydemoapp
Annotations:            deployment.kubernetes.io/revision=1
Selector:               app=demoapp,release=mydemoapp
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=demoapp
           release=mydemoapp
  Containers:
   demoapp:
    Image:        nginx:stable
    Port:         80/TCP
    Host Port:    0/TCP
    Liveness:     http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get http://:http/ delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  <none>
NewReplicaSet:   mydemoapp-84dcbdfbf4 (1/1 replicas created)
Events:
  Type    Reason             Age   From                   Message
  ----    ------             ----  ----                   -------
  Normal  ScalingReplicaSet  48m   deployment-controller  Scaled up replica set mydemoapp-84dcbdfbf4 to 1

Expose the Demo App via a NodePort service

kubectl expose deployment mydemoapp --type=NodePort --name=mydemoapp-service

service "mydemoapp-service" exposed

Describe the new NodePort Service

kubectl describe service mydemoapp-service

Name:                     mydemoapp-service
Namespace:                default
Labels:                   app=demoapp
                          chart=demoapp-0.1.0
                          heritage=Tiller
                          release=mydemoapp
Annotations:              <none>
Selector:                 app=demoapp,release=mydemoapp
Type:                     NodePort
IP:                       10.0.0.74
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  30129/TCP
Endpoints:                10.1.28.131:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

Note the NodePort

Test the Service using curl ( using the ICPProxy and the exposed NodePort )


<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Test the Service using a browser


If needed, validate upon what node(s) the application is running

kubectl get pods --selector="app=demoapp" --output=wide

NAME                         READY     STATUS    RESTARTS   AGE       IP            NODE
mydemoapp-84dcbdfbf4-gvnvp   1/1       Running   0          50m       10.1.28.131   192.168.1.101

Next to use a "real" Docker example ( Hello World ) from here …


Monday, 9 April 2018

More on the IBM Cloud Command Line - This time on macOS

So, when I tried to log in to my ICP 2.1.0.2 cluster from my Mac: -

bx pr login -a https://mycluster.icp:8443 --skip-ssl-validation -c id-mycluster-account -u admin -p admin

FAILED
'pr' is not a registered command. See 'bx help'.

bx help

NAME:
   bx - A command line tool to interact with IBM Cloud

USAGE:
   [environment variables] bx [global options] command [arguments...] [command options]

VERSION:
   0.6.6+d4d59ab5-2018-03-20T07:49:59+00:00

COMMANDS:
   api        Set or view target API endpoint
   login      Log user in
   logout     Log user out
   target     Set or view the targeted region, account, resource group, org or space
   info       View cloud information
   config     Write default values to the config
   update     Update CLI to the latest version
   regions    List all the regions
   account    Manage accounts, users, orgs and spaces
   catalog    Manage catalog
   resource   Manage resource groups and resources
   iam        Manage identities and access to resources
   app        Manage Cloud Foundry applications and application related domains, routes and certificates
   service    Manage Cloud Foundry services
   billing    Retrieve usage and billing information
   plugin     Manage plug-ins and plug-in repositories
   cf         Run Cloud Foundry CLI with IBM Cloud CLI context
   sl         Gen1 infrastructure Infrastructure services
   cr         Commands for interacting with IBM Bluemix Container Registry.
   cs         Plug-in for the IBM Bluemix Container Service.
   dev        A CLI plugin to create, manage, and run projects on Bluemix
   help       
   
Enter 'bx help [command]' for more information about a command.

ENVIRONMENT VARIABLES:
   BLUEMIX_COLOR=false                     Do not colorize output
   BLUEMIX_TRACE=true                      Print API request diagnostics to stdout
   BLUEMIX_TRACE=path/to/trace.log         Append API request diagnostics to a log file
   BLUEMIX_API_KEY=api_key_value           API key to use during login

GLOBAL OPTIONS:
   --version, -v                      Print the version
   --help, -h                         Show help

So I'd correctly downloaded / installed the IBM Cloud CLI: -



which gave me this: -

bx -version

bx version 0.6.6+d4d59ab5-2018-03-20T07:49:59+00:00

but I had neglected to download/install the relevant IBM Cloud Private (ICP) Plugin.

This helped: -


which directed me to the ICP admin UI itself: -



curl --insecure https://192.168.1.100:8443/api/cli/icp-darwin-amd64 > /tmp/icp-darwin-amd64

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19.5M  100 19.5M    0     0  10.4M      0  0:00:01  0:00:01 --:--:-- 10.4M


ls -al /tmp/icp*

-rw-r--r--  1 davidhay  wheel  20524704  9 Apr 19:42 /tmp/icp-darwin-amd64

bx plugin list

Listing installed plug-ins...

Plugin Name          Version   
dev                  0.1.13   
container-registry   0.1.171   
container-service    0.1.328   


bx plugin install /tmp/icp-darwin-amd64

Installing binary...
OK
Plug-in 'icp 2.1.182' was successfully installed into /Users/davidhay/.bluemix/plugins/icp. Use 'bx plugin show icp' to show its details.


bx plugin list

Listing installed plug-ins...

Plugin Name          Version   
container-registry   0.1.171   
container-service    0.1.328   
dev                  0.1.13   
icp                  2.1.182   

API endpoint: https://mycluster.icp:8443
Authenticating...
OK

Targeted account: mycluster Account (id-mycluster-account)


Nice :-)
