aizuddin85

1. Start mirror registry
podman run --name mirror-registry -p 5000:5000 \
-v /opt/registry/data:/var/lib/registry:z \
-v /opt/registry/auth:/auth:z \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/registry/certs:/certs:z \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \

aizuddin85

We have a requirement to convert baremetal VM OCS deployment to physical baremetal deployment.

We are using node replacement official guide as our reference: https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.4/html/managing_openshift_container_storage/replacing-storage-nodes_rhocs#replacing-failed-storage-nodes-on-bare-metal-infrastructure_rhocs

In this case we have three OCS VM that will get converted into physical baremetal(currently running as CentOS 8 KVM guest): 
ocs1.example.com
ocs2.example.com
ocs3.example.com

aizuddin85

oc get deploymentconfigs.apps.openshift.io -o template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{.spec.template.spec.volumes}}{{"\n"}}{{end}}'

aizuddin85

POD=`oc get pods -n openshift-etcd -o=jsonpath='{.items[0].metadata.name}'`
oc rsh -n openshift-etcd $POD -- ${ETCDCTL_COMMAND}
export ETCDCTL_ENDPOINTS=$(etcdctl member list | awk '{printf "%s%s",sep,$5; sep=","}')
export ETCDCTL_API=3 ETCDCTL_CACERT=/etc/ssl/etcd/ca.crt ETCDCTL_CERT=$(find /etc/ssl/ -name *peer*crt) ETCDCTL_KEY=$(find /etc/ssl/ -name *peer*key)
etcdctl get --keys-only --from-key / | grep $PROJECT_NAME

aizuddin85

Thanks to https://blog.openshift.com/enabling-openshift-4-clusters-to-stop-and-resume-cluster-vms/.

Quick and dirty if we want to skip creating daemonset and has SSH capability to RHCOS:

1. Run this on all master nodes:

echo "----------------------------------------------------------------------"
echo "Gather info..."
echo "----------------------------------------------------------------------"
# context

aizuddin85

Create Root CA (Done once)

Create Root Key

Attention: this is the key used to sign the certificate requests, anyone holding this can sign certificates on your behalf. So keep it in a safe place!

openssl genrsa -des3 -out rootCA.key 4096

aizuddin85

During VA scan, some cipher considered as not safe and need to be disabled. This easily can be done by configuring /etc/origin/master/master-config.yaml.


servingInfo:
  ...
  minTLSVersion: VersionTLS12
  cipherSuites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA

aizuddin85

1. Create DR project.
2. Patch namespace to use same SELinux, supplementalID and GroupID as production project. (oc describe project <namespace>)

[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.uid-range\":\"1000140000/10000\"}}}"
namespace "eapapp-dr" patched
[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.supplemental-groups\":\"1000140000/10000\"}}}"
namespace "eapapp-dr" patched
[root@ocpmaster01 ~]# oc patch namespace eapapp-dr -p "{\"metadata\":{\"annotations\":{\"openshift.io/sa.scc.mcs\":\"s0:c12,c4\"}}}"
namespace "eapapp-dr" patched

aizuddin85

##TCP FLAGS##

Unskilled Attackers Pester Real Security Folks
==============================================
                     TCPDUMP FLAGS
Unskilled =  URG  =  (Not Displayed in Flag Field, Displayed elsewhere) 
Attackers =  ACK  =  (Not Displayed in Flag Field, Displayed elsewhere)
Pester    =  PSH  =  [P] (Push Data)
Real      =  RST  =  [R] (Reset Connection)
Security  =  SYN  =  [S] (Start Connection)

aizuddin85

This guide satisfied below RHEL environment:

Bastion node.
a. jump.example.com - RHEL 7.4, ansible-host

OCP Node list.
a. ocp-master01.example.com - atomic
b. ocp-node01.example.com - atomic
c. ocp-node02.example.com - atomic