This guide steps you through the process to deploy a simple Open Liberty InstantOn app to OpenShift Local running on your PC.
I have completed this guide on my desktop PC plus my laptop so hopefully all works. Let me know if you have any problems.
45 minutes reading time. Much longer to complete.
Audience
The audience of this guide is anyone having an interest to deploy an Open Liberty InstantOn app to OpenShift Local.
This guide contains the steps to install a simple Open Liberty InstantOn app to OpenShift Local.
You can happily complete this guide with no development experience. It is most suitable for an admin wanting to learn the basics of deploying an InstantOn app, and more specifically for a developer who wants to convert their Open Liberty app to InstantOn for faster startup.
Pre-requisites
For this exercise you need to:
- Install OpenShift Local to your PC.
- While not mandatory, it is recommended to download git and github desktop. You can happily complete this guide by ignoring this step.
- Ensure your firewall is opened to icr.io. This guide pulls a ‘thin’ image from icr.io. During the build process, the required Open Liberty features are installed. This minimizes the image size.
- Refer to the pre-requisites for using Open Liberty InstantOn.
- Optionally, have a read of the Deploy your first Open Liberty app to OpenShift Local post. This covers the steps to install a non-InstantOn app to OpenShift Local. It is much simpler and is good practice for the beginner starting out with OpenShift Local.
- Install WSL. While this is not required to run OpenShift Local, it is required to use podman.
- Initialize the podman environment.
Environment
To complete this guide, ensure the below, or its equivalent, has been installed.
| Category | Version | URL |
| OpenShift Local | crc version CRC version: 2.33.0+c43b17 OpenShift version: 4.14.12 Podman version: 4.4.4 | https://thechalkboards.com/deploy-your-first-liberty-app-easily-to-openshift/ |
| Open Liberty | 24.0.0.2 All GA features: openliberty-24.0.0.2.zip | https://openliberty.io/start/ |
| Java | IBM Semeru Java 17 ibm-semeru-open-jdk_x64_windows_17.0.8.1_1_openj9-0.40.0.zip | https://developer.ibm.com/languages/java/semeru-runtimes/downloads/ |
Sample app
For this exercise, I wrote a basic servlet to deploy to OpenShift Local. The goal being to learn about deploying apps to OpenShift Local, rather than developing apps for running in OpenShift Local.
To complete this guide you need to download this sample app.
Download the sample project
Download the sample project from github.
You can clone the project using git or github desktop.
Alternatively, you can download the zip file. Unzip to a location of your choice. For the non-developers, or those not experienced with git and github, I have followed this approach.
Unzip the sample project
Open a command prompt and navigate to the project directory.
cd /d c:\
mkdir c:\ocp
mkdir c:\ocp\LibertyToOpenShiftInstantOn
cd /d c:\ocp\LibertyToOpenShiftInstantOnUnzip LibertyToOpenShiftInstantOn-main.zip using a tool of your choice. Ensure to unzip into the same directory
Rearrange the extracted files into the following directory structure.
You can use robocopy. Ensure you are in the directory c:\ocp\LibertyToOpenShiftInstantOn.
robocopy LibertyToOpenShiftInstantOn-main\LibertyToOpenShiftInstantOn c:\ocp\LibertyToOpenShiftInstantOn /move /EI must apologize for this manual activity – caused by the way github builds the downloadable zip file.
c:\ocp\LibertyToOpenShiftInstantOn>dir
Directory of c:\ocp\LibertyToOpenShiftInstantOn
08/18/2024 09:52 PM <DIR> .
08/18/2024 09:52 PM <DIR> ..
08/18/2024 09:52 PM 896 .classpath
08/18/2024 09:52 PM 494 .factorypath
08/18/2024 09:52 PM 896 .project
08/18/2024 09:52 PM <DIR> .settings
08/18/2024 09:52 PM 751 Containerfile.olp.slim.java17
08/18/2024 09:52 PM 1,275 deploy.yaml
08/18/2024 09:52 PM 1,709 deploy_incorrectly_placed_in_spec.yaml
08/18/2024 09:52 PM 1,530 deploy_incorrectly_placed_SA_in_spec.yaml
08/18/2024 09:52 PM 958 scc-cap-cr-full-details-dont-use-1.yaml
08/18/2024 09:52 PM 1,059 scc-cap-cr-full-details-dont-use-2.yaml
08/18/2024 09:52 PM 541 scc-cap-cr-minmal.yaml
08/18/2024 09:52 PM <DIR> src
08/18/2024 09:52 PM <DIR> targetStart OpenShift Local
Issue the following command to start OpenShift Local
crc startCommand output
C:\ocp/LibertyToOpenShift>crc start
WARN A new version (2.38.0) has been published on https://developers.redhat.com/content-gateway/file/pub/openshift-v4/clients/crc/2.38.0/crc-windows-installer.zip
INFO Using bundle path C:\Users\sean\.crc\cache\crc_hyperv_4.14.12_amd64.crcbundle
INFO Checking minimum RAM requirements
INFO Checking if running in a shell with administrator rights
INFO Checking Windows release
INFO Checking Windows edition
INFO Checking if Hyper-V is installed and operational
INFO Checking if Hyper-V service is enabled
INFO Checking if crc-users group exists
INFO Checking if current user is in crc-users and Hyper-V admins group
INFO Checking if vsock is correctly configured
INFO Checking if the win32 background launcher is installed
INFO Checking if the daemon task is installed
INFO Checking if the daemon task is running
INFO Checking admin helper service is running
INFO Checking SSH port availability
INFO Loading bundle: crc_hyperv_4.14.12_amd64...
INFO Starting CRC VM for openshift 4.14.12...
INFO CRC instance is running with IP 127.0.0.1
INFO CRC VM is running
INFO Updating authorized keys...
INFO Check internal and public DNS query...
INFO Check DNS query from host...
INFO Verifying validity of the kubelet certificates...
INFO Starting kubelet service
INFO Waiting for kube-apiserver availability... [takes around 2min]
INFO Waiting until the user's pull secret is written to the instance disk...
INFO Enabling cluster monitoring operator...
INFO Starting openshift instance... [waiting for the cluster to stabilize]
INFO Operator network is progressing
INFO 4 operators are progressing: console, image-registry, ingress, network
INFO All operators are available. Ensuring stability...
INFO Operators are stable (2/3)...
INFO Operators are stable (3/3)...
INFO Adding crc-admin and crc-developer contexts to kubeconfig...
Started the OpenShift cluster.
The server is accessible via web console at:
https://console-openshift-console.apps-crc.testing
Log in as administrator:
Username: kubeadmin
Password:
Log in as user:
Username: developer
Password: developer
Use the 'oc' command line interface:
> @FOR /f "tokens=*" %i IN ('crc oc-env') DO @call %i
> oc login -u developer https://api.crc.testing:6443If you receive the error “Error starting machine: Error in driver during machine start: exit status 1“, follow the instructions found here to solve the issue.
Take a copy of the following output. You’ll need these details later in the guide.
The server is accessible via web console at:
https://console-openshift-console.apps-crc.testing
Log in as administrator:
Username: kubeadmin
Password:
Log in as user:
Username: developer
Password: developer
Use the 'oc' command line interface:
> @FOR /f "tokens=*" %i IN ('crc oc-env') DO @call %i
> oc login -u developer https://api.crc.testing:6443Prepare the oc CLI and podman
This guide uses the OpenShift “oc” CLI command together with the “podman” command.
To properly use these commands, you’ll need to set some variables. If you fail to do this, get ready for some frustrating times later on, where commands don’t work as expected.
After issuing the “crc start” command, you’ll see the output states to set “crc oc-env” for the oc CLI. While this may work fine to use the oc CLI for OpenShift Local, I have found this doesn’t work properly when using podman to build and push images.
To follow this guide and to ensure you can use the oc plus podman commands successfully with OpenShift Local, I used the โcrc podman-envโ settings. This sets the required variables to use podman that comes with Open Shift Local and not any other podman you may have installed.
Do you have podman installed as a separate installation?
First, check whether you have podman installed on your machine. This may be a separate installation (you have done), that is not part of the OpenShift Local installation.
Open a command window and issue the following command.
podmanIf you don’t see an error message, and see output similar to the below, you have podman installed. There are a few more checks you need to make to ensure you don’t face issues when using podman that comes with OpenShift Local.
Command output
C:\Users\sean>podman
Manage pods, containers and images
Usage:
podman [options] [command]
Available Commands:
attach Attach to a running container
build Build an image using instructions from Containerfiles
commit Create new image based on the changed container
compose Run compose workloads via an external provider such as docker-compose or podman-compose
container Manage containers
cp Copy files/folders between a container and the local filesystem
create Create but do not start a container
diff Display the changes to the object's file system
events Show podman system events
exec Run a process in a running container
export Export container's filesystem contents as a tar archive
farm Farm out builds to remote machines
generate Generate structured data based on containers, pods or volumes
healthcheck Manage health checks on containers
help Help about any command
history Show history of a specified image
image Manage images
images List images in local storage
import Import a tarball to create a filesystem image
info Display podman system information
init Initialize one or more containers
inspect Display the configuration of object denoted by ID
kill Kill one or more running containers with a specific signal
kube Play containers, pods or volumes from a structured file
load Load image(s) from a tar archive
login Log in to a container registry
logout Log out of a container registry
logs Fetch the logs of one or more containers
machine Manage a virtual machine
manifest Manipulate manifest lists and image indexes
network Manage networks
pause Pause all the processes in one or more containers
pod Manage pods
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image from a registry
push Push an image to a specified destination
rename Rename an existing container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images from local storage
run Run a command in a new container
save Save image(s) to an archive
search Search registry for image
secret Manage secrets
start Start one or more containers
stats Display a live stream of container resource usage statistics
stop Stop one or more containers
system Manage podman
tag Add an additional name to a local image
top Display the running processes of a container
unpause Unpause the processes in one or more containers
untag Remove a name from a local image
update Update an existing container
version Display the Podman version information
volume Manage volumes
wait Block on one or more containers
Options:
-c, --connection string Connection to use for remote Podman service (default "podman-machine-default")
--help Help for podman
--identity string path to SSH identity file, (CONTAINER_SSHKEY) (default "C:\\Users\\bdsae\\.ssh\\podman-machine-default")
--log-level string Log messages above specified level (trace, debug, info, warn, warning, error, fatal, panic) (default "warn")
--out string Send output (stdout) from podman to a file
--ssh string define the ssh mode (default "golang")
--storage-opt stringArray Used to pass an option to the storage driver
--url string URL to access Podman service (CONTAINER_HOST) (default "ssh://user@127.0.0.1:3104/run/user/1000/podman/podman.sock")
-v, --version version for podman
Error: missing command 'podman COMMAND'If you see any error similar to the below, podman is not installed. This is ok – you don’t need to install podman separately.
c:\Users\sean>podman
'podman' is not recognized as an internal or external command,
operable program or batch file.Yes, you have a separate podman installation
I have encountered problems when the version of podman that comes with OpenShift Local is of a lower version than the separate podman installation. Specifically the podman version with OpenShift Local was 4.x while the separate version was 5.x. There have been some changes with the config file structure that causes podman to not work properly. In my case, the solution was to uninstall the separate podman version 5.x and install podman 4.x – I didn’t need to have the exact same version, just to have both at 4.x
Before issuing the command to set “crc podman-env”, issue the following commands to check your seprate version details.
Check the version.
podman --versionThe output should be similar to the following. Note that the version is 4.x. This is good, as the OpenShift Local version is also 4.x (refer later in this post for these details).
C:\Users\sean>podman --version
podman version 4.9.5While not essential to check, you may want to determine which podman you are using. Doing so helps ensure you are working with the correct settings.
where podmanThe output should be similar to the following. As can be seen, this is the separate podman installation.
C:\Users\sean>where podman
C:\Program Files\RedHat\Podman\podman.exeSet the podman environment for working with OpenShift Local
As previously mentioned, to successfully use podman with OpenShift Local, I issued the below commands to set the required environment settings. If you manage to follow this guide without doing this, please let me know what you did.
crc podman-env
@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iCommand output
c:\ocp>cd LibertyToOpenShiftInstantOn
c:\ocp\LibertyToOpenShiftInstantOn>crc podman-env
SET PATH=C:\Users\sean\.crc\bin\oc;%PATH%
SET CONTAINER_SSHKEY=C:\Users\sean\.crc\machines\crc\id_ecdsa
SET CONTAINER_HOST=ssh://core@127.0.0.1:2222/run/user/1000/podman/podman.sock
SET DOCKER_HOST=npipe:////./pipe/crc-podman
REM Run this command to configure your shell:
REM @FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %i
c:\ocp\LibertyToOpenShiftInstantOn>@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iI just realised the sample output directory path is inconsistent in this post. Just ignore this inconsistency.
Check the version.
podman --versionNotice that the version is slightly different (in my case – your situation may be different). The important consideration is that the version is also at 4.x. This is good, as the OpenShift Local version and separate podman installation are at the same major version.
C:\Users\sean>podman --version
podman version 4.4.1Now check where the podman exe is located.
where podmanAs can be seen, there are multiple installations of podman in the path. The significance is that the OpenShift Local podman appears before the separate installation file.
C:\Users\sean>where podman
C:\Users\bdsae\.crc\bin\oc\podman.exe
C:\Program Files\RedHat\Podman\podman.exeIf required, start or initialize the podman machine
If you receive the below error, follow the instructions found in the error message.
c:\ocp\LibertyToOpenShiftInstantOn>podman ps
Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM
Error: unable to connect to Podman socket: failed to connect: ssh: handshake failed: open C:\Users\sean\.ssh\known_hosts: The system cannot find the path specified.(Optionally) Remove old podman images
Optionally delete any old podman images you no longer required.
| Command | Help |
| podman images | Display all the podman images |
| podman rmi IMAGE_ID | Delete the podman image with image id IMAGE_ID |
| podman rmi REPOSITORY:TAG | Delete the podman image matching the combination of REPOSITORY name and TAG |
| podman rmi IMAGE_ID โforce | This deletes all images including any tagged images |
Issue the following command to display the podman image.
podman imagesCommand output – you will see a list of images
c:\ocp\LibertyToOpenShiftInstantOn>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 5 days ago 798 MB
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 5 days ago 798 MB
icr.io/appcafe/open-liberty The following examples show slightly different commands used to delete the old images. [I must apologize in that the details below don’t fully match the details above.]
podman rmi 385d889567ef
podman rmi icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi
podman rmi dea88bde62d4 --forceCommand output of the above 3 commands
c:\ocp\LibertyToOpenShiftInstantOn>podman rmi 385d889567ef
Untagged: icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi
Deleted: 385d889567ef799ddf8daa3e3c071462c598a96aeb5f59cf8f57d0fed9179b14
c:\ocp\LibertyToOpenShiftInstantOn>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 5 days ago 798 MB
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 5 days ago 798 MB
c:\ocp\LibertyToOpenShiftInstantOn>podman rmi dea88bde62d4 --force
Untagged: default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0
Untagged: localhost/liberty-to-openshift-instanton:olp-java17-1.0
Deleted: dea88bde62d4daa1a8fdfa5a25ebf5564cc2961aac258f21e75ab974c22cc3b2
c:\ocp\LibertyToOpenShiftInstantOn>podman images
REPOSITORY TAG IMAGE ID CREATED SIZEBuild the image on Linux
It is not possible to build the Open Liberty InstantOn image on Windows. It needs access to the criu (Checkpoint/Restore in Userspace) feature found in Linux.
Refer to Build on Linux and not Windows for additional details including showing the error you’ll encounter if building on Windows.
Use VMware to build the Open Liberty InstantOn image
To build my test image I used a RHEL 9.2 installation running under VMWARE Player 16. These can be downloaded and used for free from the following URLs.
Depending on the RAM you have, you may have to stop OpenShift Local while building the image on your PC.
| Software | URL |
| RHEL 9.2 | https://developers.redhat.com/products/rhel/download#publicandprivatecloudreadyrhelimages7522 |
| VMware player 16 | https://www.vmware.com/info/workstation-player/evaluation |
| VMware Workstation Pro for Personal Use (For Windows) 17.5.2 (1) | Desktop Hypervisor Solutions | VMware |
(1) 30-Aug-2024: VMware player has been discontinued. WMware Workstation Pro can be used for free for personal use. Further details can be found here.
Of course, if you are using Linux rather than Windows, you can proceed without needing to use VMware.
Build the Open Liberty InstantOn image using podman
Follow the guide How to build and Open Liberty InstantOn app using podman to build the Open Liberty InstantOn app.
Copy the image from VMware to your PC
You need to FTP the image you build on WMware to your PC.
The steps to do this are:
- Save the image (on VMware) using the podman save command
- FTP the file from VMware to your PC. I used WinSCP for this.
- Load the image (on your PC) using the podman load command
When using VMware on Windows
In my test lab I am running OpenShift Local on my Windows PC while building the Open Liberty InstantOn image on RHEL 9 running under VMware.
To push the image to OpenShift Local I needed to save the podman image, FTP from the VM to my PC, and load the image using podman on Windows.
If you are using Linux and OpenShift, you can skip this step.
Ensure you are logged into Linux and switched to the root account. This is where you created your Open Liberty InstantOn image.
Display the images.
podman imagesCommand output
[root@localhost LibertyToOpenShiftInstantOn]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 23 minutes ago 798 MB
localhost/libertytoopenshift 1.0-SNAPSHOT 015675eb1c03 4 months ago 741 MB
icr.io/appcafe/open-liberty kernel-slim-java17-openj9-ubi 385d889567ef 5 months ago 688 MBCreate a location to save the image. In my case I am using “/home/sean/images”. Change the below command to the directory you are using.
cd /home/sean
mkdir images
cd /home/sean/imagesSave the image. The option “dea88bde62d4” is the IMAGE ID from the “podman images” command. Change the below value to the one returned from your command,
podman save --output liberty-to-openshift-instanton_olp-java17-1.0.tar dea88bde62d4List the tar files to confirm your image has been saved.
ls -lCommand output
[root@localhost LibertyToOpenShiftInstantOn]# podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 23 minutes ago 798 MB
localhost/libertytoopenshift 1.0-SNAPSHOT 015675eb1c03 4 months ago 741 MB
icr.io/appcafe/open-liberty kernel-slim-java17-openj9-ubi 385d889567ef 5 months ago 688 MB
[root@localhost LibertyToOpenShiftInstantOn]# pwd
/home/sean/LibertyToOpenShiftInstantOn
[root@localhost LibertyToOpenShiftInstantOn]#
[root@localhost LibertyToOpenShiftInstantOn]#
[root@localhost LibertyToOpenShiftInstantOn]#
[root@localhost LibertyToOpenShiftInstantOn]# cd /home/sean
[root@localhost sean]# mkdir images
[root@localhost sean]# cd images/
[root@localhost images]# podman save --output liberty-to-openshift-instanton_olp-java17-1.0.tar dea88bde62d4
Copying blob ecf6a89969f5 done
Copying blob 38fbe8c222cd done
Copying blob 28514f1c36df done
Copying blob a0395d30313e done
Copying blob 5072c9ed8ec7 done
Copying blob 3fe103da66fa done
Copying blob b81c520caa50 done
Copying blob 9d2028e22db0 done
Copying blob 74a1e6f67ecb done
Copying blob 78d820be1a24 done
Copying blob a037803dd8e9 done
Copying blob 89d6feb548fc done
Copying blob 715790d78398 done
Copying blob 2c39fedc4e1e done
Copying blob b90f8f8be268 done
Copying blob c7430cd06acc done
Copying blob 663d6c6c1533 done
Copying blob c65df4ffdbfd done
Copying blob 2db68336d1b7 done
Copying blob 1d4516f97732 done
Copying blob a5a133c1a5fc done
Copying blob 56e3ad214bcd done
Copying config dea88bde62 done
Writing manifest to image destination
Storing signatures
[root@localhost images]# ls -l
total 779708
-rw-r--r--. 1 root root 798417408 Aug 13 22:35 liberty-to-openshift-instanton_olp-java17-1.0.tarFTP the image to your PC in the directory of your choice.
Open a Windows command window.
c:
cd /
mkdir c:/ocp
cd /d c:/ocp/
mkdir images
cd /d c:\ocp\imagesFTP the file to c:\ocp\images.
Command output
c:\ocp\LibertyToOpenShiftInstantOn>cd /d c:/ocp/
c:\ocp>mkdir images
c:\ocp>cd /d c:\ocp\images
c:\ocp\images>dir
Volume in drive C is Windows
Directory of c:\ocp\images
08/13/2024 10:38 PM <DIR> .
08/13/2024 10:37 PM <DIR> ..
08/13/2024 10:35 PM 798,417,408 liberty-to-openshift-instanton_olp-java17-1.0.tarCheck the images – this time issue the command on your Windows PC and not the Linux server.
If you stopped OpenShift Local earlier due to limited RAM, re-start OpenShift Local. Ensue the “crc podman-env” variables are still set. Refer to the earlier section in this post for details.
You may have to stop VMware now to free up RAM.
podman imagesDuring my testing I had no old images.
c:\ocp\images>podman images
REPOSITORY TAG IMAGE ID CREATED SIZELoad the image from your Windows command window.
podman load --input liberty-to-openshift-instanton_olp-java17-1.0.tarNow check the images again.
podman imagesYou should see the new loaded image. Notice that the REPOSITORY and TAG fields are “<none>”. We need to tag the image.
c:\ocp\images>podman load --input liberty-to-openshift-instanton_olp-java17-1.0.tar
Loaded image: sha256:dea88bde62d4daa1a8fdfa5a25ebf5564cc2961aac258f21e75ab974c22cc3b2
c:\ocp\images>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
<none> <none> dea88bde62d4 38 minutes ago 798 MBTag the image. Change the IMAGE ID (dea88bde62d4) to the value from your “podman ps” command.
podman tag dea88bde62d4 liberty-to-openshift-instanton:olp-java17-1.0Display the images.
podman imagesYou should see the new tagged image.
c:\ocp\images>podman tag dea88bde62d4 liberty-to-openshift-instanton:olp-java17-1.0
c:\ocp\images>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 42 minutes ago 798 MBNow you are ready to push the image to OpenShift Local.
Push the image to OpenShift Local
Push the image to the OpenShift internal registry.
Set OC CLI variables
Before proceeding, ensure you have set the OC CLI variables. You donโt know how many times I missed this only to encounter frustrating problems. You can skip this step if you have already set the values.
crc podman-env
@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iCommand output
c:\ocp\images>crc podman-env
SET PATH=C:\Users\bdsae\.crc\bin\oc;%PATH%
SET CONTAINER_SSHKEY=C:\Users\bdsae\.crc\machines\crc\id_ecdsa
SET CONTAINER_HOST=ssh://core@127.0.0.1:2222/run/user/1000/podman/podman.sock
SET DOCKER_HOST=npipe:////./pipe/crc-podman
REM Run this command to configure your shell:
REM @FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %i
c:\ocp\images>@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iLogin to OpenShift
Change back to the InstantOn directory.
cd /d C:\ocp\LibertyToOpenShiftInstantOnLog into OpenShift using the developer user. The password is developer. You may find the password is already cached.
oc login -u developer https://api.crc.testing:6443Command output
c:\ocp\images>oc login -u developer https://api.crc.testing:6443
Logged into "https://api.crc.testing:6443" as "developer" using existing credentials.
You have access to the following projects and can switch between them with 'oc project <projectname>':
guide
* liberty-to-openshift-instanton
Using project "liberty-to-openshift-instanton".Connect to the appropriate project
After logging in, view which projects you have access to. You’ll notice that one of the projects will be selected.
If the liberty-to-openshift-instanton project exists, select it. If not, follow the next section to create the project.
When working in an enterprise environment with full OpenShift, you’ll need to contact your OpenShift admins to create the project for you.
| Command | Help |
| oc projects | List all projects you have access to, including the project you are connected to |
| oc project | Display the project you are connected to |
| oc project PROJECT_NAME | Select the project named PROJECT_NAME |
Use the following command to display all projects you have access to.
oc projectsUse the following command to display the current project.
oc projectIf the current project is not liberty-to-openshift-instanton, use the following command to switch the project.
oc project liberty-to-openshift-instantonCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc projects
You have access to the following projects and can switch between them with ' project <projectname>':
* guide
liberty-to-openshift
liberty-to-openshift-instanton
Using project "guide" on server "https://api.crc.testing:6443".
c:\ocp\LibertyToOpenShiftInstantOn>oc project
Using project "guide" on server "https://api.crc.testing:6443".
c:\ocp\LibertyToOpenShiftInstantOn>oc project liberty-to-openshift-instanton
Now using project "lliberty-to-openshift-instanton" on server "https://api.crc.testing:6443".
c:\ocp\LibertyToOpenShiftInstantOn>oc project
Using project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".Create the project
Create the project if it does not exist.
| Command | Help |
| oc new-project NEW_PROJECT_NAME | Create a new project named NEW_PROJECT_NAME |
| oc project | Display the project you are connected to |
| oc project PROJECT_NAME | Switch to the project named PROJECT_NAME |
| oc projects | Display all projects you have access to |
Issue the following command to create the project.
oc new-project liberty-to-openshift-instantonOutput from the commands.
c:\ocp\LibertyToOpenShiftInstantOn>oc new-project liberty-to-openshift-instanton
Now using project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app rails-postgresql-example
to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:
kubectl create deployment hello-node --image=registry.k8s.io/e2e-test-images/agnhost:2.43 -- /agnhost serve-hostname
c:\ocp\LibertyToOpenShiftInstantOn>oc project
Using project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".Ensure you are on the selected project. if not, enter the command to switch to the correct project.
oc project liberty-to-openshift-instanton
oc projectsCommand output
c:\ocp\images>oc project liberty-to-openshift-instanton
Already on project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".
c:\ocp\images>oc projects
You have access to the following projects and can switch between them with ' project <projectname>':
guide
liberty-to-openshift
* liberty-to-openshift-instanton
Using project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".(Optional read) Problems if you donโt set the crc podman-env now
Optional read
You can optionally read or skip this section. Your choice. This section covers a problem Iโve faced on numerous occasions while I was learning – this led to much frustration.
It is important that you set the โcrc podman-envโ properly before continuing. Not doing so may lead to problems when pushing the image to the OpenShift Local internal registry.
Refer to the following URL to see full details of the problem.
Log into the OpenShift registry
If you skipped the optional section, you should continue from here.
Ensure you are logged into the registry.
oc registry login --insecure=trueCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc registry login --insecure=true
info: Using registry public hostname default-route-openshift-image-registry.apps-crc.testing
Saved credentials for default-route-openshift-image-registry.apps-crc.testing into C:\Users\sean\.config\containers\auth.jsonSet the crc podman-env
If not already done, set the crc podman-env settings.
Sorry for continually mentioning this – I repeatedly had problems with, especially when I opened multiple command windows, or completed this activity over multiple days.
crc podman-env
@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iCommand output
c:\ocp\LibertyToOpenShiftInstantOn>crc podman-env
SET PATH=C:\Users\sean\.crc\bin\oc;%PATH%
SET CONTAINER_SSHKEY=C:\Users\sean\.crc\machines\crc\id_ecdsa
SET CONTAINER_HOST=ssh://core@127.0.0.1:2222/run/user/1000/podman/podman.sock
SET DOCKER_HOST=npipe:////./pipe/crc-podman
REM Run this command to configure your shell:
REM @FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %i
c:\ocp\LibertyToOpenShiftInstantOn>@FOR /f "tokens=*" %i IN ('crc podman-env') DO @call %iTag the image to the OpenShift Local internal registry
| Command | Help |
| oc registry info | Retrieve the OpenShift registry details where the image will be pushed |
| podman tag REPOSITORY:TAG OC_REGISTRY_INFO/PROJECT_NAME/REPOSITORY:TAG | Tag the image to the OpenShift registry |
Identify the registry where the image will be pushed.
oc registry infoCommand output
c:\ocp\images>oc registry info
default-route-openshift-image-registry.apps-crc.testingTag the image pointing to the registry.
podman tag liberty-to-openshift-instanton:olp-java17-1.0 default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0View the tagged image.
podman imagesCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc registry info
default-route-openshift-image-registry.apps-crc.testing
c:\ocp\images>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 2 days ago 798 MB
localhost/liberty-to-openshift olp-java17-1.0 e03048676c90 5 weeks ago 740 MB
icr.io/appcafe/open-liberty kernel-slim-java17-openj9-ubi b5cc5094dd1f 7 weeks ago 690 MB
c:\ocp\images>podman tag liberty-to-openshift-instanton:olp-java17-1.0 default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0
c:\ocp\images>podman images
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 2 days ago 798 MB
default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 dea88bde62d4 2 days ago 798 MB
localhost/liberty-to-openshift olp-java17-1.0 e03048676c90 5 weeks ago 740 MB
icr.io/appcafe/open-liberty kernel-slim-java17-openj9-ubi b5cc5094dd1f 7 weeks ago 690 MBNote that there are two images with the same IMAGE ID: the original image build using podman; plus the newly tagged image specifying the OpenShift registry details.
Push the image to OpenShift
| Command | Help |
| oc registry login โinsecure=true | Log into the OpenShift registry |
| podman push OC_REGISTRY_INFO/PROJECT_NAME/REPOSITORY:TAG | Push the image to the OpenShift internal image stream |
Issue the following command to push the image to the OpenShift Local internal registry.
podman push default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0Command output
C:\Users\bdsae>podman push default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0
Getting image source signatures
Copying blob sha256:3fe103da66fa70dba2988aeee5622af89f139b9dc25f56264a23f265d6b963b9
Copying blob sha256:38fbe8c222cd3c5bf55c0f4e58bbb09beca4c1b87586b40953d697995a05b608
Copying blob sha256:ecf6a89969f55913ddb3946ec16ae6f081ea6da1bbbdd9405acc637c25409b91
Copying blob sha256:a0395d30313e17d544847ae4cef4328527ee69acaa49ce9b392278cd7f993195
Copying blob sha256:5072c9ed8ec7c16b80e415f16abf0b3e2790f56a9b2fd056a7f1fdc57d890484
Copying blob sha256:28514f1c36dfaab17b64bafe50b81674eb26d1bd4d3a77b3e41fa845aaa6de47
Copying blob sha256:b81c520caa506161480e54309c78d231316ef7d8d9f678f9156dffb6a29dc6f2
Copying blob sha256:9d2028e22db09545171d5e599b1783a20bffb0f111951ad7c3b28fd406a99c93
Copying blob sha256:74a1e6f67ecb6df52be3a1bb0171c02a3ae877ece96fc8fa29569bcfafd2a7eb
Copying blob sha256:78d820be1a244529c6168f3aceaf86bfff3b7b7b70298cfc38e1035cb3ccfcb6
Copying blob sha256:a037803dd8e9658a1dde19a4912df955f04c5cbff5edfc6a00a72897c54a9f32
Copying blob sha256:89d6feb548fc2d8a0944d2520aa8b4dde3133e600f2b83791972a29f898727c8
Copying blob sha256:715790d78398c7eeddcc5ba1a63a81a2afbcbf56e1f56ebeef159a9614a17fe3
Copying blob sha256:2c39fedc4e1e5004c6f279d7a08ac1d9df8d1e3a873af9fd89f0ddd70d15ad9c
Copying blob sha256:b90f8f8be268b24e0d9551aacf17025a9e5efa2283c23f5e741edbf1cf06fd37
Copying blob sha256:c7430cd06acc6fd0bb2e2e07079ad589b82f8c6d4921d1a05d4c7a97723b211e
Copying blob sha256:663d6c6c1533ec21d318030d64f347237b5f4c94b8fdc09d8e87fa1ce77961fb
Copying blob sha256:c65df4ffdbfd663bef1dee404651465c96a78e04516a06320d207577a7e4ac56
Copying blob sha256:2db68336d1b7d07f8e00774fe81a89d6c91327c43c141c4af5e119869c41d41f
Copying blob sha256:1d4516f977329d6cd15482f25c26c4079d35404b6a20d34f532b579e0ff2642b
Copying blob sha256:a5a133c1a5fc6e3f4c73c2857ddcb7b52cb3857134667b6d839046aed76c8f51
Copying blob sha256:56e3ad214bcdca7ebc7d8c62d8d2926b45546ba3a85b74ae47d4682f3baeb1f7
Copying config sha256:dea88bde62d4daa1a8fdfa5a25ebf5564cc2961aac258f21e75ab974c22cc3b2
Writing manifest to image destination
Storing signaturesPossible problems pushing the image to OpenShift
During my testing I encountered the following problems.
| Problem | Solution |
| Error: trying to reuse blob sha256:ecf6a89969f55913ddb3946ec16ae6f081ea6da1bbbdd9405acc637c25409b91 at destination: unable to retrieve auth token: invalid username/password: authentication required | I encountered this problem often, mostly due to opening new command windows. Issue the following to resolve the problem. crc podman-env @FOR /f “tokens=*” %i IN (‘crc podman-env’) DO @call %i |
| Error: trying to reuse blob sha256:ecf6a89969f55913ddb3946ec16ae6f081ea6da1bbbdd9405acc637c25409b91 at destination: unable to retrieve auth token: invalid username/password: authentication required | This problem can appear if you didn’t log into the OpenShift registry or when the login timed out. Issue the following to resolve the problem. oc registry login –insecure=true |
Check the image in OpenShift
| Command | Help |
| oc get imagestream oc get is | Display the images in the OpenShift registry |
| podman pull OC_REGISTRY_INFO/PROJECT_NAME/REPOSITORY:TAG | Pull the image from OpenShift to podman |
Find the pushed image
Either issue the following OC CLI command or log into OpenShift to verify the image has been pushed successfully.
oc get imagestreamCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get imagestream
NAME IMAGE REPOSITORY TAGS UPDATED
liberty-to-openshift-instanton default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 9 seconds ago— OR —
oc get isCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get is
NAME IMAGE REPOSITORY TAGS UPDATED
liberty-to-openshift-instanton default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 9 seconds ago— OR —
Login into the OpenShift console (https://console-openshift-console.apps-crc.testing) using the developer user.
- Select the appropriate project
- Switch from the Developer role to the Administrator role
- Expand Builds
- Select ImageStreams – you should see your image here
(Optionally) Pull the image from OpenShift Local to podman
Optionally, to verify the image was successfully pushed to the Open Shift Local internal registry, pull it from OpenShift.
| Command | Help |
| podman pull OC_REGISTRY_INFO/PROJECT_NAME/REPOSITORY:TAG | Pull the image from OpenShift to podman |
Issue the command to pull the image from OpenShift.
podman pull default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0Command output
c:\ocp\LibertyToOpenShift>podman pull default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0
Trying to pull default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0...
Getting image source signatures
Copying blob sha256:19580bd631ab6ee8ed1f47416e094b849c1d0c1260c8fd2f1cde47c892669129
Copying blob sha256:77590358b45b84caafe5ecd361bd9337ac3319cb0fcfaa581e1c7d3efdad75ce
Copying blob sha256:c24702af7a76136c090fc91245eb7ce805e53cc786f5810a57e3d9b65385dc5d
Copying blob sha256:8f935604158f23174be2299afb9463d20940039de707c2466dcc0734bc152fa1
Copying blob sha256:d66a972c08964d487e0b43062210ac00ce3dca3fe569ac665c4324ea6522507d
Copying blob sha256:77aa5edef061d0cc9eb8868e9c94fa1f415dc6d5f6f6852fd0b163e684f2bc83
Copying blob sha256:94a481cb41b6c8ef49caf6ee7311a625463557f65600e92e42b578b033928830
Copying blob sha256:092bf0984951efbeae6fe45d1e6c72c0ffd3d3ec5ccb124c0677f6d75696f826
Copying blob sha256:412d8924673992313cf26622c40c3a21bad3ce0056b48eb555081febd9fd9d49
Copying blob sha256:6d15ab97294d6e59539f04b37d4754e82d4768c73c445c5a55451d7cf93df782
Copying blob sha256:92a53db242f82ce48443a4fd55c5132e2aa02338a68508048f8c9b2f5de0ae2d
Copying blob sha256:3dd1916c1c6b125aed548cd0de43b94237349a5aa2c6113cf2abeb24d3e67b4b
Copying blob sha256:255c33f808df935686dd1116328b89b8b15453951d3cc4d259861a2cbd7e16f3
Copying blob sha256:8eff0be5f172d635d552914290d1234800129f9b7e976c6d07e14a36ee73bac6
Copying blob sha256:f8ac83ba3f93f24cdbd7f5fb89c66a47b22f4896a407860077ad4427162c2094
Copying blob sha256:15b973b7e658692708aa4705857afc18bcf7bfcc3da6abc8b4731bc0fdc12640
Copying blob sha256:afa615b17d2f5174b31afe1510f40c07186be05fece770df91180286691ba87a
Copying blob sha256:26f544582b0deefe9b360c5802261c87f5192528403c566f1c89d92af2b2117c
Copying blob sha256:8e3000e019338cb0e036021761086f515f7ce8f5ef9412b060c10dddc9b184dd
Copying blob sha256:fd1b7871dd73094afe0bd2f2bc0ef69d8fff444644d4fe8beab1879f1e4ac356
Copying blob sha256:2bac988494112099c3836fbd246aa7707f4d1c7d428fcac4f8c35293ccd7efc9
Copying blob sha256:db759ac130a181c129c5331f54376ae1e4a9f1f5c2f3f3e2d9c0bee6e0092c82
Copying config sha256:dea88bde62d4daa1a8fdfa5a25ebf5564cc2961aac258f21e75ab974c22cc3b2
Writing manifest to image destination
Storing signatures
dea88bde62d4daa1a8fdfa5a25ebf5564cc2961aac258f21e75ab974c22cc3b2Deploy an application
Security Context (SC) and Security Context Constraint (SCC)
One concept I struggled with, and in many respects still struggle with, surrounds Security Context Constraints.
To deploy my first Open Liberty InstantOn app, I blindly followed the instructions I found, without fully understanding what I was doing, much to my detriment.
Since then, I have found a couple articles that describe in clear language what these are.
In essence,
| Component | What it is |
| Security Context (SC) | Specifies the protected functions the application needs. You specify this in the “securityContext” section in your OpenShift deploy.yaml file. |
| Security Context Constraint (SCC) | Specifies the protected functions the cluster allows. This is created when applying a yaml file such as “scc-cap-cr-minmal.yaml”. |
| Service Account (SA) | This is a special type of user account. The “serviceAccountName” (SA) is specified in the deploy.yaml file, alongside the securityContext (also in the deploy.yaml file). The SA essentially connects the SC in the deploy.yaml file with the SCC. |
Using the above the above table,
The pod says,
- I need the protected functions specified in the “securityContext” section of the deploy.yaml file.
- I will use service account name as specified by the “serviceAccountName” in the deploy.yaml.
The cluster says,
- I will allow the “serviceAccountName” access to the protected functions as specified in the SCC.
For a great read about Security Context (SC) and Security Context Constraints (SCC) refer to the article “Overview of security context constraints“.
I found a tutorial “Use SCCs to restrict and empower OpenShift workloads” that looks very handy. I will admit that I am yet to follow the tutorial, but plan on doing so.
I actually wish I found and read these articles much sooner than I did. It would have saved much time, effort and confusion.
Create a service account
Create a service account using the โdeveloperโ user. This service account will be mapped to the SCC in the following section.
The service account name must match the โserviceAccountNameโ field in the deploy.yaml file.
First, ensure you are in the correct project. If you are not on the correct project, switch to it.
oc projectCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc project
Using project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".Create the service account.
Note that I added the ‘-sa’ suffix. While this is not needed, for the sake of the guide I added it so that it is easy to distinguish between the SCC and SA when viewing the configurations. Early on I didn’t do this and is caused me confusion, especially during problem investigations.
oc create serviceaccount liberty-to-openshift-instanton-saCommand output
c\ocp\LibertyToOpenShiftInstantOn>oc create serviceaccount liberty-to-openshift-instanton
serviceaccount/liberty-to-openshift-instanton createdCheck that it has been created.
oc get sa liberty-to-openshift-instanton-saCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get sa liberty-to-openshift-instanton
NAME SECRETS AGE
liberty-to-openshift-instanton 1 15s
c:\ocp\LibertyToOpenShiftInstantOn>oc get sa
NAME SECRETS AGE
builder 1 2d21h
default 1 2d21h
deployer 1 2d21h
liberty-to-openshift-instanton 1 6sOptionally display the service account details. There is nothing you need to check here other than to practice the command.
oc describe sa liberty-to-openshift-instanton-saCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc describe sa liberty-to-openshift-instanton
Name: liberty-to-openshift-instanton
Namespace: liberty-to-openshift-instanton
Labels: <none>
Annotations: <none>
Image pull secrets: liberty-to-openshift-instanton-dockercfg-wjdhg
Mountable secrets: liberty-to-openshift-instanton-dockercfg-wjdhg
Tokens: liberty-to-openshift-instanton-token-bljpd
Events: <none>Create the Security Context Constraint (SCC)
To run an Open liberty InstantOn app in OpenShift Local a Security Context Constraint (SCC) needs to be created. The service account will be mapped to the SCC giving the service account the necessary privileges to start an Open Liberty InstantOn app.
This needs to be created with a privileged account such as a cluster admin account of on the case of OpenShift Local with the โkubeadminโ account.
If you issue the following command with the โdeveloperโ account, you’ll get an error as shown below. Further details can be found here.
oc apply -f scc-cap-cr-minmal.yamlc:\ocp\LibertyToOpenShiftInstantOn>oc apply -f scc-cap-cr-minmal.yaml
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "security.openshift.io/v1, Resource=securitycontextconstraints", GroupVersionKind: "security.openshift.io/v1, Kind=SecurityContextConstraints"
Name: "liberty-to-openshift-instanton-scc", Namespace: ""
from server for: "scc-cap-cr-minmal.yaml": securitycontextconstraints.security.openshift.io "liberty-to-openshift-instanton-scc" is forbidden: User "developer" cannot get resource "securitycontextconstraints" in API group "security.openshift.io" at the cluster scopeSwitch to the kubeadmin user.
oc login -u kubeadmin https://api.crc.testing:6443Command output
c:\ocp\LibertyToOpenShiftInstantOn>oc login -u kubeadmin https://api.crc.testing:6443
Logged into "https://api.crc.testing:6443" as "kubeadmin" using existing credentials.
You have access to 71 projects, the list has been suppressed. You can list all projects with 'oc projects'
Using project "liberty-to-openshift-instanton".Ensure you are connected to the correct project. It is a good habit to check this each time you switch users, or before you issue commands that make changes.
oc project liberty-to-openshift-instantonCommand output
C:\ocp\LibertyToOpenShiftInstantOn>oc project liberty-to-openshift-instanton
Already on project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".Now create the SCC.
oc apply -f scc-cap-cr-minmal.yamlCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc apply -f scc-cap-cr-minmal.yaml
securitycontextconstraints.security.openshift.io/liberty-to-openshift-instanton createdVerify the SCC was created. Similar to the Service Account (SA), I have added a ‘-scc’ suffix to help distinguish between the SA.
oc get scc liberty-to-openshift-instanton-sccCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get scc liberty-to-openshift-instanton
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
liberty-to-openshift-instanton false <no value> MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <no value> false ["awsElasticBlockStore","azureDisk","azureFile","cephFS","cinder","configMap","csi","downwardAPI","emptyDir","ephemeral","fc","flexVolume","flocker","gcePersistentDisk","gitRepo","glusterfs","iscsi","nfs","persistentVolumeClaim","photonPersistentDisk","portworxVolume","projected","quobyte","rbd","scaleIO","secret","storageOS","vsphere"]Display all the SCC details.
oc describe scc liberty-to-openshift-instanton-sccCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc describe scc liberty-to-openshift-instanton
Name: liberty-to-openshift-instanton
Priority: <none>
Access:
Users: <none>
Groups: <none>
Settings:
Allow Privileged: false
Allow Privilege Escalation: true
Default Add Capabilities: CHECKPOINT_RESTORE,SETPCAP
Required Drop Capabilities: KILL,MKNOD,SETUID,SETGID
Allowed Capabilities: <none>
Allowed Seccomp Profiles: <none>
Allowed Volume Types: awsElasticBlockStore,azureDisk,azureFile,cephFS,cinder,configMap,csi,downwardAPI,emptyDir,ephemeral,fc,flexVolume,flocker,gcePesistentDisk,gitRepo,glusterfs,iscsi,nfs,persistentVolumeClaim,photonPersistentDisk,portworxVolume,projected,quobyte,rbd,scaleIO,secret,storageOS,vsphere
Allowed Flexvolumes: <all>
Allowed Unsafe Sysctls: <none>
Forbidden Sysctls: <none>
Allow Host Network: false
Allow Host Ports: false
Allow Host PID: false
Allow Host IPC: false
Read Only Root Filesystem: false
Run As User Strategy: MustRunAsNonRoot
UID: 1001
UID Range Min: <none>
UID Range Max: <none>
SELinux Context Strategy: MustRunAs
User: <none>
Role: <none>
Type: <none>
Level: <none>
FSGroup Strategy: RunAsAny
Ranges: <none>
Supplemental Groups Strategy: RunAsAny
Ranges: <none>Take particular note of the following values. These are the capabilities required for the checkpoint restore. The values can be found in the scc-cap-cr-minmal.yaml file.
Default Add Capabilities: CHECKPOINT_RESTORE,SETPCAP
Required Drop Capabilities: KILL,MKNOD,SETUID,SETGIDCreate the role-based mapping between the SCC and the service account.
| Command | Help | Example |
| oc adm policy add-scc-to-user SCC_NAME -z SERVICE_ACCOUNT_NAME | SCC_NAME is the SCC created using the kubeadmin account SERVICE_ACCOUNT_NAME is the service account name created using the developer account | oc adm policy add-scc-to-user liberty-to-openshift-instanton -z liberty-to-openshift-instanton |
Issue the command.
oc adm policy add-scc-to-user liberty-to-openshift-instanton-scc -z liberty-to-openshift-instanton-saCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc adm policy add-scc-to-user liberty-to-openshift-instanton -z liberty-to-openshift-instanton
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:liberty-to-openshift-instanton added: "liberty-to-openshift-instanton"Enter the below to see more details on this command.
oc adm policy --help
oc adm policy add-scc-to-user --helpTo read more details on SCC, refer to the blog Managing SCCs in OpenShift.
Switch back to the developer account. All remaining steps should be created under this account.
oc login -u developer https://api.crc.testing:6443Command output
c:\ocp\LibertyToOpenShiftInstantOn>oc login -u developer https://api.crc.testing:6443
Logged into "https://api.crc.testing:6443" as "developer" using existing credentials.
You have access to the following projects and can switch between them with 'oc project <projectname>':
guide
liberty-to-openshift
* liberty-to-openshift-instanton
Using project "liberty-to-openshift-instanton".Ensure you are still on the correct project.
oc project liberty-to-openshift-instantonCommand output
C:\ocp\LibertyToOpenShiftInstantOn>oc project liberty-to-openshift-instanton
Already on project "liberty-to-openshift-instanton" on server "https://api.crc.testing:6443".Deploy an application to OpenShift using the pushed image
Once the service account and security context constraint have been created, the Open Liberty InstantOn application can be deployed.
| Command | Help |
| oc apply -f file DEPLOY_YAML | Deploy the app using the contents of the DEPLOY_YAML file |
If not already done, open a Windows command window and switch to the following directory.
cd /d c:\ocp\LibertyToOpenShiftInstantOnDeploy the application.
oc apply -f deploy.yamlCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc apply -f deploy.yaml
deployment.apps/liberty-to-openshift-instanton created
service/liberty-to-openshift-instanton created
route.route.openshift.io/liberty-to-openshift-instanton createdCheck whether the pod is running
Issue the following command to check whether the pod is running in OpenShift.
oc get podsCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get po
NAME READY STATUS RESTARTS AGE
liberty-to-openshift-instanton-85fbc954dd-zmsfs 1/1 Running 0 31sCheck the logs
| Command | Help |
| oc logs NAME | Display the logs for the NAME from the โoc get poโ command |
Issue the following command to display the logs. Change the name below with the one from your “oc get pods” command.
oc logs liberty-to-openshift-instanton-85fbc954dd-zmsfsHopefully the Open Liberty InstantOn pod started successfully using aq checkpoint restart. In the below output it can be seen the server resumed from a checkpoint and it also started quickly.
c:\ocp\LibertyToOpenShiftInstantOn>oc logs liberty-to-openshift-instanton-85fbc954dd-zmsfs
[AUDIT ] Launching defaultServer (Open Liberty 24.0.0.2/wlp-1.0.86.cl240220240212-1928) on Eclipse OpenJ9 VM, version 17.0.10+7 (en_US)
[AUDIT ] CWWKT0016I: Web application available (default_host): http://liberty-to-openshift-instanton-85fbc954dd-zmsfs:9080/
[AUDIT ] CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.053 seconds.
[AUDIT ] CWWKZ0001I: Application LibertyToOpenShiftInstantOn started in 0.053 seconds.
[AUDIT ] CWWKF0012I: The server installed the following features: [el-3.0, jsp-2.3, localConnector-1.0, servlet-4.0].
[AUDIT ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.124 seconds.You will see the message โThe Liberty server process resumed operation from a checkpointโ. And you should see the server start considerably faster.
If the pod is not running, check the events.
oc get eventsIf you see an error message “Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox“, refer to the following URL for a possible solution.
You can optionally connect to the running container and check the log details.
| Command | Help |
| oc rsh NAME | Connect to the running container. This is similar to the podman โpodman exec -tiโ command. |
Issue the following command, using the name from the “oc get pods” to establish an ssh session to the running pod.
oc rsh liberty-to-openshift-instanton-85fbc954dd-zmsfsCommand output – check the logs for a successful checkpoint restart
c:\ocp\LibertyToOpenShiftInstantOn>oc rsh liberty-to-openshift-instanton-85fbc954dd-zmsfs
sh-4.4$ cd logs
sh-4.4$ ls -l
total 16
drwxrwx---. 1 default root 25 Aug 18 17:58 checkpoint
-rw-rw----. 1 default root 757 Aug 13 19:09 checkpoint-console.log
-rw-r-----. 1 default root 710 Aug 18 17:58 console.log
-rw-rw----. 1 default root 3233 Aug 13 19:09 messages_24.08.18_17.58.42.0.log
-rw-r-----. 1 default root 2272 Aug 18 17:58 messages.log
sh-4.4$ cat console.log
[AUDIT ] Launching defaultServer (Open Liberty 24.0.0.2/wlp-1.0.86.cl240220240212-1928) on Eclipse OpenJ9 VM, version 17.0.10+7 (en_US)
[AUDIT ] CWWKT0016I: Web application available (default_host): http://liberty-to-openshift-instanton-85fbc954dd-zmsfs:9080/
[AUDIT ] CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.053 seconds.
[AUDIT ] CWWKZ0001I: Application LibertyToOpenShiftInstantOn started in 0.053 seconds.
[AUDIT ] CWWKF0012I: The server installed the following features: [el-3.0, jsp-2.3, localConnector-1.0, servlet-4.0].
[AUDIT ] CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.124 seconds.
sh-4.4$ cd checkpoint
sh-4.4$ ls -l
total 12
-rw-rw----. 1 default root 1489 Aug 13 19:09 checkpoint.log
-rw-------. 1 default root 528 Aug 18 17:58 restore.log
-rw-rw----. 1 default root 53 Aug 13 19:09 stats-dump
sh-4.4$ cat restore.log
Warn (criu/kerndat.c:1103): $XDG_RUNTIME_DIR not set. Cannot find location for kerndat file
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/libnetlink.c:84): Can't send request message
Warn (criu/kerndat.c:1103): $XDG_RUNTIME_DIR not set. Cannot find location for kerndat file
sh-4.4$ exit
exitWhen done, exit from the shell.
exitUse curl to access the app – wrong way
If you try the same URL as used with podman, youโll see the below error.
curl -vk http://localhost:9080Command output
c:\ocp\LibertyToOpenShiftInstantOn>curl -vk http://localhost:9080
* Host localhost:9080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
* Trying [::1]:9080...
* Trying 127.0.0.1:9080...
* connect to ::1 port 9080 from :: port 55624 failed: Connection refused
* connect to 127.0.0.1 port 9080 from 0.0.0.0 port 55625 failed: Connection refused
* Failed to connect to localhost port 9080 after 2268 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to localhost port 9080 after 2268 ms: Couldn't connect to serverTake note of the following error.
* connect to ::1 port 9080 from :: port 55624 failed: Connection refused
* connect to 127.0.0.1 port 9080 from 0.0.0.0 port 55625 failed: Connection refused
* Failed to connect to localhost port 9080 after 2268 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to localhost port 9080 after 2268 ms: Couldn't connect to serverUse curl to access the app – correct way
For OpenShift you need to access the URL using the OpenShift route.
The command โoc apply -f deploy.yamlโ creates the OpenShift route and service. These are used to access the application.
Find the route to the running pod.
oc get routesCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get routes
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
liberty-to-openshift-instanton liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing liberty-to-openshift-instanton <all> NoneNow curl to the route. I have found when testing on my PC the curl can take a little while to return a response.
curl -vk liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testingCommand output – you should see a successful output
c:\ocp\LibertyToOpenShiftInstantOn>curl -vk liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing
* Host liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing:80 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
* Trying 127.0.0.1:80...
* Connected to liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing (127.0.0.1) port 80
> GET / HTTP/1.1
> Host: liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< x-powered-by: Servlet/4.0
< content-type: text/html;charset=UTF-8
< content-language: en-US
< transfer-encoding: chunked
< date: Sun, 18 Aug 2024 18:05:37 GMT
< set-cookie: 9770bdb7ac95d5c38cd6578dd5259673=cb927f2ae7b71bfc109d527360f594ca; path=/; HttpOnly
<
<html>
<head><title>Servlet Settings</title></head>
<body>
<h1>LibertyToOpenShift Testing - InstantOn</h1>
<table border='1'>
<tr><th>Name</th><th>Value</th></tr>
<tr>
<td>Request URL</td>
<td>http://liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing/</td>
</tr>
<tr>
<td>Local Name/td>
<td>liberty-to-openshift-instanton-85fbc954dd-zmsfs</td>
</tr>
<tr>
<td>Remote Host/td>
:
:
* Connection #0 to host liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing left intactBrowse the app using a browser
Open a browser of your choice and paste the below URL:
http://liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing/
or if you have enables HTTPS from a later step, use:
https://liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing
Access the app from OpenShift
A third option is to access the URL from within the OpenShift console.
Login into the OpenShift console.
- Select the appropriate project
- Switch from the Developer role to the Administrator role
- Expand Networking
- Select Routes
- Click on the Location URL to access the app
(Optionally) Enable HTTPS
To enable HTTPS,
Login into the OpenShift console.
- Select the appropriate project
- Switch from the Developer role to the Administrator role
- Expand Networking
- Select Routes
- Click on the traffic light (three dots) on the right hand side of the route and select โEdit Routeโ
- Select the โTarget portโ
- Click on โSecure routeโ
- Select the โTLS terminationโ as โEdgeโ
- SAVE
Now click on the route and youโll see HTTPS enabled.
Additional commands
Some other useful OC CLI commands.
| Command | Help |
| oc get routes | List the OpenShift routes |
| oc describe route ROUTE_NAME | Display the details of the route named ROUTE_NAME |
| oc get services | List the OpenShift services |
| oc describe service SERVICE_NAME | Display the details of the service named SERVICE_NAME |
| oc get po | List the running pods |
| oc describe po POD_NAME | Display the details of the running pod named POD_NAME |
Try the following commands.
oc get routesoc describe route liberty-to-openshift-instantonCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get routes
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
liberty-to-openshift-instanton liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing liberty-to-openshift-instanton 9080 edge None
c:\ocp\LibertyToOpenShiftInstantOn>oc describe route liberty-to-openshift-instanton
Name: liberty-to-openshift-instanton
Namespace: liberty-to-openshift-instanton
Created: 10 minutes ago
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"route.openshift.io/v1","kind":"Route","metadata":{"annotations":{},"name":"liberty-to-openshift-instanton","namespace":"liberty-to-openshift-instanton"},"spec":{"to":{"kind":"Service","name":"liberty-to-openshift-instanton"}}}
openshift.io/host.generated=true
Requested Host: liberty-to-openshift-instanton-liberty-to-openshift-instanton.apps-crc.testing
exposed on router default (host router-default.apps-crc.testing) 10 minutes ago
Path: <none>
TLS Termination: edge
Insecure Policy: <none>
Endpoint Port: 9080
Service: liberty-to-openshift-instanton
Weight: 100 (100%)
Endpoints: 10.217.0.107:9080oc get servicesoc describe service liberty-to-openshift-instantonCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
liberty-to-openshift-instanton ClusterIP 10.217.4.60 <none> 9080/TCP 12m
c:\ocp\LibertyToOpenShiftInstantOn>oc describe service liberty-to-openshift-instanton
Name: liberty-to-openshift-instanton
Namespace: liberty-to-openshift-instanton
Labels: <none>
Annotations: <none>
Selector: app=liberty-to-openshift-instanton
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.217.4.60
IPs: 10.217.4.60
Port: <unset> 9080/TCP
TargetPort: 9080/TCP
Endpoints: 10.217.0.107:9080
Session Affinity: None
Events: <none>oc get pooc describe po liberty-to-openshift-instanton-85fbc954dd-zmsfsCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get po
NAME READY STATUS RESTARTS AGE
liberty-to-openshift-instanton-85fbc954dd-zmsfs 1/1 Running 0 14m
c:\ocp\LibertyToOpenShiftInstantOn>oc describe po liberty-to-openshift-instanton-85fbc954dd-zmsfs
Name: liberty-to-openshift-instanton-85fbc954dd-zmsfs
Namespace: liberty-to-openshift-instanton
Priority: 0
Service Account: default
Node: crc-vlf7c-master-0/192.168.126.11
Start Time: Sun, 18 Aug 2024 20:58:40 +0300
Labels: app=liberty-to-openshift-instanton
pod-template-hash=85fbc954dd
Annotations: k8s.v1.cni.cncf.io/network-status:
[{
"name": "openshift-sdn",
"interface": "eth0",
"ips": [
"10.217.0.107"
],
"default": true,
"dns": {}
}]
openshift.io/scc: libertytoopenshiftinstanton-cap-cr-scc
Status: Running
IP: 10.217.0.107
IPs:
IP: 10.217.0.107
Controlled By: ReplicaSet/liberty-to-openshift-instanton-85fbc954dd
Containers:
liberty-to-openshift-instanton:
Container ID: cri-o://d0932c5d74ebffc4f42e8b3c61c83f4ae9ac8fcadca90474afb91f53c2e1c279
Image: image-registry.openshift-image-registry.svc:5000/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0
Image ID: image-registry.openshift-image-registry.svc:5000/liberty-to-openshift-instanton/liberty-to-openshift-instanton@sha256:dd641bc9b3c4393f5a7d652e93a6d07f373fe9f15154ce8f6c580e54aa3e3d93
Port: 9080/TCP
Host Port: 0/TCP
State: Running
Started: Sun, 18 Aug 2024 20:58:42 +0300
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-xq6hb (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-xq6hb:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
ConfigMapName: openshift-service-ca.crt
ConfigMapOptional: <nil>
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 14m default-scheduler Successfully assigned liberty-to-openshift-instanton/liberty-to-openshift-instanton-85fbc954dd-zmsfs to crc-vlf7c-master-0
Normal AddedInterface 14m multus Add eth0 [10.217.0.107/23] from openshift-sdn
Normal Pulled 14m kubelet Container image "image-registry.openshift-image-registry.svc:5000/liberty-to-openshift-instanton/liberty-to-openshift-instanton:olp-java17-1.0" already present on machine
Normal Created 14m kubelet Created container liberty-to-openshift-instanton
Normal Started 14m kubelet Started container liberty-to-openshift-instantonTear down the environment
To delete the environment, issue the following commands.
Delete the deployment including the service and route
If not already done, open a Windows command window and switch to the correct directory.
cd /d c:\ocp\LibertyToOpenShiftInstantOnIssue the command to delete the deployment.
oc delete -f deploy.yamlCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc delete -f deploy.yaml
deployment.apps "liberty-to-openshift-instanton" deleted
service "liberty-to-openshift-instanton" deleted
route.route.openshift.io "liberty-to-openshift-instanton" deletedDelete the pushed image
Display the OpenShift Local images.
oc get imagestreamsLocate the images you wish to delete, then issue the following command.
oc delete imagestream/liberty-to-openshift-instantonCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc get imagestreams
NAME IMAGE REPOSITORY TAGS UPDATED
liberty-to-openshift-instanton default-route-openshift-image-registry.apps-crc.testing/liberty-to-openshift-instanton/liberty-to-openshift-instanton olp-java17-1.0 2 days ago
c:\ocp\LibertyToOpenShiftInstantOn>oc delete imagestream/liberty-to-openshift-instanton
imagestream.image.openshift.io "liberty-to-openshift-instanton" deletedDelete the Security Context Constraint (SCC)
Switch to the kubeadmin account.
oc login -u kubeadmin https://api.crc.testing:6443Select the correct project.
oc project liberty-to-openshift-instantonRemove the Security Context Constraint to Service Account mapping.
oc adm policy add-scc-to-user liberty-to-openshift-instanton-scc -z liberty-to-openshift-instanton-saDelete the Security Context Constraint.
oc delete scc liberty-to-openshift-instanton-sccSelect the project
oc project liberty-to-openshift-instantonDelete the project
Switch back to the developer account.
oc login -u developer https://api.crc.testing:6443Issue the following command to delete the project.
oc delete project liberty-to-openshift-instantonDisplay all projects to confirm the project has been deleted successfully.
oc projectsCommand output
c:\ocp\LibertyToOpenShiftInstantOn>oc delete project liberty-to-openshift-instanton
project.project.openshift.io "liberty-to-openshift-instanton" deleted
c:\ocp\LibertyToOpenShiftInstantOn>oc projects
You have access to the following projects and can switch between them with ' project <projectname>':
guide
liberty-to-openshiftReferences
| Reference | URL |
| Faster startup with โฆ Open Liberty InstantOn | https://openliberty.io/docs/latest/instanton.html |
| Linux capabilities. Great read to understan the Linux capabilities. | https://man7.org/linux/man-pages/man7/capabilities.7.html |
| Hands-on Open Liberty InstantOn. A lab I found early on that helped me during this process. | https://github.com/Emily-Jiang/techxchange-instanton-lab?search=1 |
Leave a Reply