Author Archives: Adam Young

About Adam Young

Once upon a time I was an Army Officer, but that was long ago. Now I work as a Software Engineer. I climb rocks, play saxophone, and spend way too much time in front of a computer.

Running a Container Registry Behind Apache HTTPD

Posted on by
2

I had originally run my container registry using a self signed certificate like this:

podman run --name mirror-registry -p 4000:5000     -v /opt/registry/data:/var/lib/registry:z      -v /opt/registry/auth:/auth:z      -e "REGISTRY_AUTH=htpasswd"      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm"      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd      -v /opt/registry/certs:/certs:z      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key      -e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true -d docker.io/library/registry:2

But now that I am using FreeIPA for my Bastion host, I want to use the IPA CA cert for signing the HTTPS request. The easiest thing to do is to run the registry in the container still, but then to front it with mod_proxy.

Continue reading

Syncing and Serving Yum Repos on RHEL 8

Posted on by
6

My Lab machines do not have direct access to the internet. This mirrors how my customers tend to run their environments. Instead, I run a single bastion host that can connect to the internet, and use that to perform all operations on my lab machines.

While it is great to be able to use the Install media to add packlages to PXE booted systems, after some time, the set of packages available is older than you want. For example, I hit a bug that required an update of Network Manager. So, I want to make a local yum repo from my RHEL 8 subscription. RHEL 8 makes this fairly easy.

Continue reading

Talking to FreeIPA with python-requests

Posted on by
Reply

The code that Rich M gave me a while back has bit rotted. At some point, I need to get an updated version, but until then, I can continue to talk to the FreeIPA server using Python and the Requests library. In the future, I can get a session cookie, but for now, python3-request-gssapi will work to authenticate me, provided I have a valid TGT.

I pulled the requests-gssapi library from Koji, as it does not currently ship in any of the RHEL8 repos. Here is the one I installed.

https://koji.fedoraproject.org/koji/buildinfo?buildID=1371255

Note that this quick-and-dirty code runs on the IPA server itself. A better approach would be to read the Server name out of /etc/ipa/default.conf. 

#!/bin/python3
import requests
from requests_gssapi import HTTPSPNEGOAuth
import socket
hostname = socket.gethostname()
url = "https://%s/ipa/json" % hostname
referer =  "https://%s/ipa" % hostname
body = {"method":"user_find","params":[[""],{}],"id":0}
 
r = requests.post(url,
                  json = body,
                  auth=HTTPSPNEGOAuth(),
                  headers = {
                    'Content-Type': 'application/json',
                    'Accept': 'applicaton/json',
                    'referer': referer})
print(r.status_code)
if r.status_code  == 200:
    print(r.text)

Network Policy to Explicitly Allow access from all Namespaces

Posted on by
Reply

The Default network policy in OpenShift allows all access from all pods in all namespaces via the cluster IP. However, once you start enforcing policy on a project, all policy decision need to be made explicit. If you want to still allow access from all projects, you can use the following policy file.

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-all-namespaces
spec:
  ingress:
  - from:
    - namespaceSelector: {}

Deploying a Minimalistic Flask Application to OpenShift

Posted on by
Reply

Some colleagues and I were discussing the network access policy of OpenShift. I realized it would be very helpful to have a trivial app that I could deploy to OpenShift that would then try to make a call to another service. So I wrote it using Python3 and Flask. Now that I have it working, I want to deploy it in OpenShift, again, in a trivial manner.

I would not deploy a Flask App into production without a Web server to front it. But that is what I am going to do for this test app.

Continue reading