From e507c7e5c404bfdf78ec82bb497b4d7e08438cea Mon Sep 17 00:00:00 2001 From: Rafael Jardim Date: Fri, 5 Mar 2021 09:23:14 -0300 Subject: [PATCH] Update admin tasks folder There are some minor modifications in the content of the files Signed-off-by: Rafael Jardim Change-Id: If315582a3213d121712c45f2ed5817899b76ded9 --- ...pplication-commands-and-helm-overrides.rst | 52 +++++++++---------- ...ing-space-in-the-local-docker-registry.rst | 8 +-- ...dating-the-docker-registry-certificate.rst | 52 +++++++++++-------- ...rials-authentication-and-authorization.rst | 30 +++++++++-- ...s-admin-tutorials-helm-package-manager.rst | 2 +- ...-starlingx-application-package-manager.rst | 2 + .../setting-up-a-public-repository.rst | 14 ++--- ...ing-cpu-manager-for-kubernetes-on-ipv6.rst | 6 +-- doc/source/shared/abbrevs.txt | 2 + 9 files changed, 101 insertions(+), 67 deletions(-) diff --git a/doc/source/admintasks/admin-application-commands-and-helm-overrides.rst b/doc/source/admintasks/admin-application-commands-and-helm-overrides.rst index bf8b9dad9..63fc3e03d 100644 --- a/doc/source/admintasks/admin-application-commands-and-helm-overrides.rst +++ b/doc/source/admintasks/admin-application-commands-and-helm-overrides.rst @@ -16,7 +16,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-list [--nowrap] + ~(keystone_admin)]$ system application-list [--nowrap] where: @@ -27,7 +27,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-list --nowrap + ~(keystone_admin)]$ system application-list --nowrap +-------------+---------+---------------+---------------+----------+-----------+ | application | version | manifest name | manifest file | status | progress | 
@@ -43,7 +43,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-show + ~(keystone_admin)]$ system application-show where: @@ -54,7 +54,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-show stx-openstack + ~(keystone_admin)]$ system application-show stx-openstack +---------------+----------------------------------+ | Property | Value | @@ -75,7 +75,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-upload [-n | --app-name] [-v | --version] + ~(keystone_admin)]$ system application-upload [-n | --app-name] [-v | --version] where the following are optional arguments: @@ -95,7 +95,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-upload stx-openstack-1.0-18.tgz + ~(keystone_admin)]$ system application-upload stx-openstack-1.0-18.tgz +---------------+----------------------------------+ | Property | Value | +---------------+----------------------------------+ @@ -117,7 +117,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-list + ~(keystone_admin)]$ system helm-override-list usage: system helm-override-list [--nowrap] [-l | --long] where the following is a positional argument: @@ -137,7 +137,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-list stx-openstack --long + ~(keystone_admin)]$ system helm-override-list stx-openstack --long +---------------------+--------------------------------+---------------+ | chart name | overrides namespaces | chart enabled | +---------------------+--------------------------------+---------------+ 
@@ -176,7 +176,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-show + ~(keystone_admin)]$ system helm-override-show usage: system helm-override-show where the following are positional arguments: @@ -194,7 +194,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-show stx-openstack glance openstack + ~(keystone_admin)]$ system helm-override-show stx-openstack glance openstack - To modify service configuration parameters using user-specified overrides, use the following command. To update a single configuration parameter, you @@ -203,7 +203,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-update + ~(keystone_admin)]$ system helm-override-update usage: system helm-override-update --reuse-values --reset-values --values --set where the following are positional arguments: @@ -241,7 +241,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-update stx-openstack glance openstack --set conf.glance.DEFAULT.DEBUG=true + ~(keystone_admin)]$ system helm-override-update stx-openstack glance openstack --set conf.glance.DEFAULT.DEBUG=true +----------------+-------------------+ | Property | Value | +----------------+-------------------+ @@ -267,7 +267,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-chart-attribute-modify [--enabled ] + ~(keystone_admin)]$ system helm-chart-attribute-modify [--enabled ] where the following is an optional argument: 
@@ -293,7 +293,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-delete + ~(keystone_admin)]$ system helm-override-delete usage: system helm-override-delete where the following are positional arguments: @@ -311,7 +311,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system helm-override-delete stx-openstack glance openstack + ~(keystone_admin)]$ system helm-override-delete stx-openstack glance openstack Deleted chart overrides glance:openstack for application stx-openstack - Use the following command to apply or reapply an application, making it @@ -319,7 +319,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-apply [-m | --mode] + ~(keystone_admin)]$ system application-apply [-m | --mode] where the following is an optional argument: @@ -337,7 +337,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-apply stx-openstack + ~(keystone_admin)]$ system application-apply stx-openstack +---------------+----------------------------------+ | Property | Value | +---------------+----------------------------------+ @@ -358,7 +358,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-abort + ~(keystone_admin)]$ system application-abort where: @@ -369,7 +369,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-abort stx-openstack + ~(keystone_admin)]$ system application-abort stx-openstack Application abort request has been accepted. If the previous operation has not completed/failed, it will be cancelled shortly. 
@@ -381,7 +381,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-update [-n | --app-name] [-v | --app-version] + ~(keystone_admin)]$ system application-update [-n | --app-name] [-v | --app-version] where the following are optional arguments: @@ -393,7 +393,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-list + ~(keystone_admin)]$ system application-list +--------------------------+----------+-------------------------------+---------------------------+----------+-----------+ | application | version | manifest name | manifest file | status | progress | +--------------------------+----------+-------------------------------+---------------------------+----------+-----------+ @@ -402,7 +402,7 @@ commands to manage containerized applications provided as part of |prod|. | | | -manifest | _manifest.yaml | | | | oidc-auth-apps | 20.06-26 | oidc-auth-manifest | manifest.yaml | uploaded | completed | | platform-integ-apps | 20.06-9 | platform-integration-manifest | manifest.yaml | applied | completed | - | wr-analytics | 20.06-2 | analytics-armada-manifest | wr-analytics.yaml | applied | completed | + | wr-analytics | 20.06-2 | analytics-armada-manifest | wr-analytics.yaml | applied | completed | +--------------------------+----------+-------------------------------+---------------------------+----------+-----------+ The output indicates that the currently installed version of @@ -423,7 +423,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-remove + ~(keystone_admin)]$ system application-remove where: 
@@ -434,7 +434,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-remove stx-openstack + ~(keystone_admin)]$ system application-remove stx-openstack +---------------+----------------------------------+ | Property | Value | +---------------+----------------------------------+ @@ -458,7 +458,7 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-delete + ~(keystone_admin)]$ system application-delete where: @@ -471,5 +471,5 @@ commands to manage containerized applications provided as part of |prod|. .. code-block:: none - ~(keystone_admin)$ system application-delete stx-openstack + ~(keystone_admin)]$ system application-delete stx-openstack Application stx-openstack deleted. \ No newline at end of file diff --git a/doc/source/admintasks/freeing-space-in-the-local-docker-registry.rst b/doc/source/admintasks/freeing-space-in-the-local-docker-registry.rst index c43d310cc..76418742e 100644 --- a/doc/source/admintasks/freeing-space-in-the-local-docker-registry.rst +++ b/doc/source/admintasks/freeing-space-in-the-local-docker-registry.rst @@ -21,7 +21,7 @@ associated space from the file system. To do so, you must also run the .. code-block:: none - ~(keystone_admin)$ system registry-image-list + ~(keystone_admin)]$ system registry-image-list +------------------------------------------------------+ | Image Name | +------------------------------------------------------+ @@ -46,13 +46,13 @@ associated space from the file system. To do so, you must also run the .. code-block:: none - ~(keystone_admin)$ system registry-image-tags + ~(keystone_admin)]$ system registry-image-tags #. Free file system space. .. code-block:: none - ~(keystone_admin)$ system registry-image-delete : + ~(keystone_admin)]$ system registry-image-delete : This step only removes the registry's reference to the **image:tag**. 
@@ -75,7 +75,7 @@ associated space from the file system. To do so, you must also run the .. code-block:: none - ~(keystone_admin)$ system registry-garbage-collect + ~(keystone_admin)]$ system registry-garbage-collect Running docker registry garbage collect .. note:: diff --git a/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst b/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst index 40f9c533c..d63b41895 100644 --- a/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst +++ b/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst 
@@ -11,50 +11,58 @@ The local Docker registry provides secure HTTPS access using the registry API. .. rubric:: |context| By default a self-signed certificate is generated at installation time for the -registry API. For more secure access, a Root CA-signed certificate is strongly -recommended. +registry API. For more secure access, an intermediate or Root CA-signed +certificate is strongly recommended. -The Root CA-signed certificate for the registry must have at least the -following |SANs|: DNS:registry.local,DNS:registry.central, -IP Address:, IP Address:. -Use the :command:`system addrpool-list` command to get the |OAM| floating IP +The intermediate or Root CA-signed certificate for the registry must have at +least the following |SANs|: DNS:registry.local, DNS:registry.central, IP +Address:, IP Address:. Use +the :command:`system addrpool-list` command to get the |OAM| floating IP Address and management floating IP Address for your system. You can add any -additional DNS entry\(s\) that you have set up for your OAM floating IP Address. +additional |DNS| entry\(s\) that you have set up for your |OAM| floating IP +Address. -Use the following procedure to install a Root CA-signed certificate to either -replace the default self-signed certificate or to replace an expired or soon to -expire certificate. +Use the following procedure to install an intermediate or Root CA-signed +certificate to either replace the default self-signed certificate or to replace +an expired or soon to expire certificate. .. rubric:: |prereq| -Obtain a Root CA-signed certificate and key from a trusted Root Certificate -Authority \(CA\). Refer to the documentation for the external Root CA that you -are using, on how to create public certificate and private key pairs, signed by -a Root CA, for HTTPS. +Obtain an intermediate or Root CA-signed certificate and key from a trusted +intermediate or Root Certificate Authority \(CA\). 
Refer to the documentation +for the external Root CA that you are using, on how to create public +certificate and private key pairs, signed by an intermediate or Root CA, for +HTTPS. -.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating Certificates ` to create a test Root CA certificate and key, and use it to sign test certificates. +.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating + Certificates ` to create a + Intermediate or test Root CA certificate and key, and use it to sign test + certificates. Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and key in a single file, and copy the file to the controller host. -Also obtain the certificate of the Root CA that signed the above certificate. +Also obtain the certificate of the intermediate or Root CA that signed the +above certificate. .. rubric:: |proc| +.. _installing-updating-the-docker-registry-certificate-d271e71: + #. In order to enable internal use of the Docker registry certificate, update the trusted CA list for this system with the Root CA associated with the Docker registry certificate. .. code-block:: none - ~(keystone_admin)$ system certificate-install --mode ssl_ca + ~(keystone_admin)]$ system certificate-install --mode ssl_ca where: **** - is the path to the Root CA certificate associated with the Docker - registry Root CA-signed certificate. + is the path to the intermediate or Root CA certificate associated with the + Docker registry's intermediate or Root CA-signed certificate. #. Update the Docker registry certificate using the :command:`certificate-install` command. 
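Review bot: Step 1 of the procedure still tells the reader to update the trusted CA list "with the Root CA associated with the Docker registry certificate", while the parameter description a few lines below now says "intermediate or Root CA certificate". A reader holding an intermediate-signed certificate cannot tell which certificate `--mode ssl_ca` expects. I would change the step to `update the trusted CA list for this system with the intermediate or Root CA associated with the Docker registry certificate.` and add one sentence saying whether the issuing chain up to the Root CA must also be installed (presumably it must for clients to validate the registry, but that should be confirmed against the product's behaviour). The prerequisite sentence has the same leftover, `Refer to the documentation for the external Root CA that you are using`, and the xreflink comment should read `an intermediate or test Root CA`.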
@@ -63,11 +71,11 @@ Also obtain the certificate of the Root CA that signed the above certificate. .. code-block:: none - ~(keystone_admin)$ system certificate-install --mode docker_registry + ~(keystone_admin)]$ system certificate-install --mode docker_registry where: **** - is the path to the file containing both the Docker registry certificate - and private key to install. + is the path to the file containing both the Docker registry's Intermediate + or Root CA-signed certificate and private key to install. diff --git a/doc/source/admintasks/kubernetes-admin-tutorials-authentication-and-authorization.rst b/doc/source/admintasks/kubernetes-admin-tutorials-authentication-and-authorization.rst index c565f5776..2cb6e1d55 100644 --- a/doc/source/admintasks/kubernetes-admin-tutorials-authentication-and-authorization.rst +++ b/doc/source/admintasks/kubernetes-admin-tutorials-authentication-and-authorization.rst 
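Review bot: The description of the file passed to `--mode docker_registry` says it holds the private key, but nothing visible in this hunk or the prerequisites hunk tells the reader how to protect that file once it has been copied to the controller. I would add a sentence after the parameter description such as `Restrict the file to the installing user and remove it from the controller once the certificate is installed.` The new text also capitalises `Intermediate` here, while the rest of the page uses lower case.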
@@ -15,12 +15,26 @@ For example: $ docker login registry.local:9001 -u -p -An authorized administrator can perform any Docker action, while regular users -can only interact with their own repositories -\(i.e. registry.local:9001//\). For example, only -**admin** and **testuser** accounts can push to or pull from +An authorized administrator \('admin' and 'sysinv'\) can perform any Docker +action. Regular users can only interact with their own repositories \(i.e. +registry.local:9001//\). Any authenticated user can pull from +the following list of public images: + +.. _kubernetes-admin-tutorials-authentication-and-authorization-d383e50: + +- registry.local:9001:/public/\* + +- registry.local:9001:/k8s.gcr.io/pause + +- registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver + +The **mtce** user can only pull public images, but cannot push any images. + +For example, only **admin** and **testuser** accounts can push to or pull from **registry.local:9001/testuser/busybox:latest** +.. _kubernetes-admin-tutorials-authentication-and-authorization-d383e87: + --------------------------------- Username and Docker compatibility --------------------------------- @@ -32,6 +46,14 @@ example, the user **testuser** is correct in the following URL, while **registry.local:9001/testuser/busybox:latest** +.. note:: + Use of the auto-generated self-signed certificate for the registry + certificate is not recommended. If you must do so, then from the central + cloud/systemController, access to the local registry can only be done using + registry.local:9001. registry.central:9001 will be inaccessible. Installing + a |CA|-signed certificate for the registry and the certificate of the |CA| as + an 'ssl\_ca' certificate will remove this restriction. + For more information about Docker commands, see `https://docs.docker.com/engine/reference/commandline/docker/ `__. 
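Review bot: The three public image entries are written with a colon between the port and the path (`registry.local:9001:/public/\*`), which is not a valid image reference and disagrees with `registry.local:9001/testuser/busybox:latest` later in the same hunk. They should read `registry.local:9001/public/\*`, `registry.local:9001/k8s.gcr.io/pause` and `registry.local:9001/quay.io/jetstack/cert-manager-acmesolver`. The sentence `The **mtce** user can only pull public images, but cannot push any images.` would be clearer as `The **mtce** user can pull public images only and cannot push any image.` Since this page is about registry authentication, the `docker login ... -p` example at the top of the hunk deserves a sentence noting that a password given on the command line ends up in shell history, and that `docker login --password-stdin` avoids this.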
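Review bot: The new note in the second hunk says the auto-generated self-signed registry certificate is not recommended, but gives neither the reason nor a pointer to the fix. I would state the reason in one sentence (clients cannot verify the registry's identity against a |CA| they already trust, which is presumably also why registry.central:9001 is unreachable) and name the procedure in installing-updating-the-docker-registry-certificate.rst as the way to install the |CA|-signed certificate. `access to the local registry can only be done using registry.local:9001` also reads better as `the local registry can only be reached as registry.local:9001`, with both host names set in double backticks.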
diff --git a/doc/source/admintasks/kubernetes-admin-tutorials-helm-package-manager.rst b/doc/source/admintasks/kubernetes-admin-tutorials-helm-package-manager.rst index e6666de34..e94d46a7d 100644 --- a/doc/source/admintasks/kubernetes-admin-tutorials-helm-package-manager.rst +++ b/doc/source/admintasks/kubernetes-admin-tutorials-helm-package-manager.rst @@ -28,7 +28,7 @@ Use the following command to list the Helm repositories: .. code-block:: none - ~(keystone_admin)$ helm repo list + ~(keystone_admin)]$ helm repo list NAME URL stable `https://kubernetes-charts.storage.googleapis.com`__ local `http://127.0.0.1:8879/charts`__ diff --git a/doc/source/admintasks/kubernetes-admin-tutorials-starlingx-application-package-manager.rst b/doc/source/admintasks/kubernetes-admin-tutorials-starlingx-application-package-manager.rst index dc7f65361..e3e41353e 100644 --- a/doc/source/admintasks/kubernetes-admin-tutorials-starlingx-application-package-manager.rst +++ b/doc/source/admintasks/kubernetes-admin-tutorials-starlingx-application-package-manager.rst @@ -26,6 +26,8 @@ information. CLI commands for managing the lifecycle of an application, which includes managing overrides to the Helm charts within the application. +.. _kubernetes-admin-tutorials-tarlingx-application-package-manager-d463e61: + .. table:: Table 1. Application Package Manager Commands :widths: auto diff --git a/doc/source/admintasks/setting-up-a-public-repository.rst b/doc/source/admintasks/setting-up-a-public-repository.rst index 9cfb7bd78..60e17fff9 100644 --- a/doc/source/admintasks/setting-up-a-public-repository.rst +++ b/doc/source/admintasks/setting-up-a-public-repository.rst 
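Review bot: The label added in the application-package-manager hunk, `kubernetes-admin-tutorials-tarlingx-application-package-manager-d463e61`, misspells the file name it is derived from (`tarlingx` for `starlingx`). Labels are public anchors, so it is cheaper to correct it to `kubernetes-admin-tutorials-starlingx-application-package-manager-d463e61` now than after something links to it.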
@@ -22,13 +22,13 @@ those images by sharing the registry/public user's credentials with other users. .. code-block:: none - ~(keystone_admin)$ openstack project create registry - ~(keystone_admin)$ TENANTNAME="registry" - ~(keystone_admin)$ TENANTID=`openstack project list | grep ${TENANTNAME} | awk '{print $2}'` - ~(keystone_admin)$ USERNAME="public" - ~(keystone_admin)$ USERPASSWORD="${USERNAME}K8*" - ~(keystone_admin)$ openstack user create --password ${USERPASSWORD} --project ${TENANTID} ${USERNAME} - ~(keystone_admin)$ openstack role add --project ${TENANTNAME} --user ${USERNAME} _member + ~(keystone_admin)]$ openstack project create registry + ~(keystone_admin)]$ TENANTNAME="registry" + ~(keystone_admin)]$ TENANTID=`openstack project list | grep ${TENANTNAME} | awk '{print $2}'` + ~(keystone_admin)]$ USERNAME="public" + ~(keystone_admin)]$ USERPASSWORD="${USERNAME}K8*" + ~(keystone_admin)]$ openstack user create --password ${USERPASSWORD} --project ${TENANTID} ${USERNAME} + ~(keystone_admin)]$ openstack role add --project ${TENANTNAME} --user ${USERNAME} _member #. Create a secret containing the credentials of the public repository in kube-system namespace. diff --git a/doc/source/admintasks/uninstalling-cpu-manager-for-kubernetes-on-ipv6.rst b/doc/source/admintasks/uninstalling-cpu-manager-for-kubernetes-on-ipv6.rst index 6e9be03e7..0c147680c 100644 --- a/doc/source/admintasks/uninstalling-cpu-manager-for-kubernetes-on-ipv6.rst +++ b/doc/source/admintasks/uninstalling-cpu-manager-for-kubernetes-on-ipv6.rst 
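Review bot: The user-creation example keeps `USERPASSWORD="${USERNAME}K8*"`, so every system set up from this page gives the shared `public` account the same guessable password. This commit touches these lines only to fix the prompt, but the example is worth correcting while here. I would have the reader supply the value, for instance `read -s -p "Password: " USERPASSWORD`, and quote the expansion as `--password "${USERPASSWORD}"`, because the unquoted `*` is subject to shell globbing. `grep ${TENANTNAME}` also matches any project whose name merely contains `registry`; `openstack project show -f value -c id ${TENANTNAME}` returns the one ID directly.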
@@ -14,7 +14,7 @@ then run the following commands: .. code-block:: none - ~(keystone_admin)$ kubectl delete pod/cmk-uninstall-webhook -n kube-system - ~(keystone_admin)$ kubectl delete ds cmk-uninstall -n kube-system - ~(keystone_admin)$ kubectl delete pod delete-uninstall -n kube-system + ~(keystone_admin)]$ kubectl delete pod/cmk-uninstall-webhook -n kube-system + ~(keystone_admin)]$ kubectl delete ds cmk-uninstall -n kube-system + ~(keystone_admin)]$ kubectl delete pod delete-uninstall -n kube-system diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index 5fe411a9b..55d4ab285 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt @@ -19,11 +19,13 @@ .. |CAs| replace:: :abbr:`CAs (Certificate Authorities)` .. |CLI| replace:: :abbr:`CLI (Command Line Interface)` .. |CNI| replace:: :abbr:`CNI (Container Networking Interface)` +.. |CMK| replace:: :abbr:`CMK (CPU Manager for Kubernetes)` .. |CoW| replace:: :abbr:`CoW (Copy on Write)` .. |CSK| replace:: :abbr:`CSK (Code Signing Key)` .. |CSKs| replace:: :abbr:`CSKs (Code Signing Keys)` .. |CVE| replace:: :abbr:`CVE (Common Vulnerabilities and Exposures)` .. |DHCP| replace:: :abbr:`DHCP (Dynamic Host Configuration Protocol)` +.. |DNS| replace:: :abbr:`DNS (Domain Name System)` .. |DPDK| replace:: :abbr:`DPDK (Data Plane Development Kit)` .. |DRBD| replace:: :abbr:`DRBD (Distributed Replicated Block Device)` .. |DSCP| replace:: :abbr:`DSCP (Differentiated Services Code Point)`