DO180 - ch07s02

Bookmark this page

Guided Exercise: Container Image Identity and Tags

Update an application by changing its deployment to reference a newer image tag, and find the hashes of the old and new application images.

Outcomes

You should be able to inspect container images, list images of containers that run on compute nodes, and deploy applications by using image tags or SHA IDs.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

This command ensures that all resources are available for this exercise. It also creates the updates-ids project and the /home/student/DO180/labs/updates-ids/resources.txt file. The resources.txt file contains the name of the images and some commands that you use during the exercise. You can use the file to copy and paste these image names and commands.

[student@workstation ~]$ lab start updates-ids

Instructions

[student@workstation ~]$ oc login -u developer -p developer \
  https://api.ocp4.example.com:6443
Login successful.
...output omitted...

Set the updates-ids project as the active project.

[student@workstation ~]$ oc project updates-ids
...output omitted...

Inspect the two versions of the registry.ocp4.example.com:8443/ubi8/httpd-24 image from the classroom container registry. The classroom setup copied that image from the Red Hat Ecosystem Catalog. The original image is registry.access.redhat.com/ubi8/httpd-24.
1. Use the oc image info command to inspect the image version that the 1-209 tag references. Notice the unique SHA ID that identifies the image version.
  Note
  To improve readability, the instructions truncate the SHA-256 strings.
  On your system, the commands return the full SHA-256 strings. Also, you must type the full SHA-256 string, to provide such a parameter to a command.
```
[student@workstation ~]$ oc image info \
  registry.ocp4.example.com:8443/ubi8/httpd-24:1-209
Name:          registry.ocp4.example.com:8443/ubi8/httpd-24:1-209
Digest:        sha256:b1e3...f876
...output omitted...
```
2. Inspect the image version that the 1-215 tag references. Notice that the SHA ID, or digest, differs from the preceding image version.
```
[student@workstation ~]$ oc image info \
  registry.ocp4.example.com:8443/ubi8/httpd-24:1-215
Name:          registry.ocp4.example.com:8443/ubi8/httpd-24:1-215
Digest:        sha256:91ad...fd83
...output omitted...
```
3. For inspecting images, you can also use the skopeo inspect command. The output format differs from the oc image info command, although both commands report similar data.
  Log in to the registry as the developer user with the developer password by using the skopeo login command. Then, use the skopeo inspect command to inspect the 1-215 image tag.
```
[student@workstation ~]$ skopeo login registry.ocp4.example.com:8443 -u developer
Password: developer
Login Succeeded!
```
```
[student@workstation ~]$ skopeo inspect \
  docker://registry.ocp4.example.com:8443/ubi8/httpd-24:1-215
{
    "Name": "registry.ocp4.example.com:8443/ubi8/httpd-24",
    "Digest": "sha256:91ad...fd83",
    "RepoTags": [
        "1-209",
        "1-215"
    ],
...output omitted...
}
```
  The skopeo inspect command also shows other existing image tags.

Deploy an application from the image version that the 1-209 tag references.

Use the oc create deployment command to deploy the application. Set the name of the deployment to httpd1.

[student@workstation ~]$ oc create deployment httpd1 \
  --image registry.ocp4.example.com:8443/ubi8/httpd-24:1-209
deployment.apps/httpd1 created

Wait for the pod to start, and then retrieve the name of the cluster node that runs it. You might have to rerun the command several times for the pod to report a Running status. The name of the pod on your system probably differs.
```
[student@workstation ~]$ oc get pods -o wide
NAME                     READY  STATUS   RESTARTS  AGE  IP          NODE     ...
httpd1-6dff796d99-pm2x6  1/1    Running  0         19s  10.8.0.104  master01 ...
```

Retrieve the name of the container that is running inside the pod. The crictl ps command that you run in a following step takes the container name as an argument.

[student@workstation ~]$ oc get deployment httpd1 -o wide
NAME     READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS  ...
httpd1   1/1     1            1           1m10s   httpd-24    ...

Access the cluster node and then retrieve the image that the container is using.
1. You must log in as the admin user to access the cluster node. Use the redhatocp password.
```
[student@workstation ~]$ oc login -u admin -p redhatocp
Login successful.
...output omitted...
```
2. Use the oc debug node command to access the cluster node.
```
[student@workstation ~]$ oc debug node/master01
Temporary namespace openshift-debug-flz4d is created for debugging node...
Starting pod/master01-debug ...
To use host binaries, run `chroot /host`
Pod IP: 192.168.50.10
If you don't see a command prompt, try pressing enter.
```
3. In the remote shell, run the chroot /host command.
```
sh-4.4# chroot /host
sh-4.4#
```
4. Use the crictl ps command to confirm that the httpd-24 container is running. Add the -o yaml option to display the container details in YAML format.
```
sh-4.4# crictl ps --name httpd-24 -o yaml
containers:
- annotations:
...output omitted...
  image:
    annotations: {}
    image: registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:b1e3...f876
  imageRef: registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:b1e3...f876
  labels:
...output omitted...
  state: CONTAINER_RUNNING
```
  Notice that the command refers to the image by its SHA ID, and not by the tag that you specified when you created the deployment resource.
5. Use the crictl images command to list the locally available images on the node. The registry.ocp4.example.com:8443/ubi8/httpd-24:1-209 is in that list, because the local container engine pulled it when you deployed the httpd1 application.
  Note
  The IMAGE ID column displays the local image identifier that the container engine assigns to the image. This identifier is not related to the SHA image ID that the container registry assigned to the image.
  Most crictl commands, such as crictl images or crictl rmi, accept a local image identifier instead of the full image name. For example, you can run the crictl images 8ee59251acc93 command as a short version of the crictl images registry.ocp4.example.com:8443/ubi8/httpd-24:1-209 command.
```
sh-4.4# crictl images
IMAGE                                           TAG     IMAGE ID           SIZE
quay.io/openshift-release-dev/ocp-release       <none>  d52324cb88017      444MB
quay.io/openshift-release-dev/ocp-v4.0-art-dev  <none>  22e6e45df32af      468MB
quay.io/openshift-release-dev/ocp-v4.0-art-dev  <none>  e798432938c49      503MB
quay.io/openshift-release-dev/ocp-v4.0-art-dev  <none>  3ca084e53b321      873MB
...output omitted...
registry.ocp4.example.com:8443/ubi8/httpd-24    1-209   8ee59251acc93      461MB
...output omitted...
```
6. The preceding crictl images command does not display the SHA image IDs by default. Rerun the command and add the --digests option to display the SHA IDs. Also add the local image ID to the command to limit the output to the registry.ocp4.example.com:8443/ubi8/httpd-24:1-209 image.
  The command reports only the first characters of the SHA image ID. These characters match the SHA ID of the image that the httpd-24 container is using. Therefore, the httpd-24 container is using the expected image.
```
sh-4.4# crictl images --digests 8ee59251acc93
IMAGE                                        TAG   DIGEST        IMAGE ID      ...
registry.ocp4.example.com:8443/ubi8/httpd-24 1-209 b1e3c572516d1 8ee59251acc93 ...
```
7. Disconnect from the cluster node.
```
sh-4.4# exit
exit
sh-4.4# exit
exit

Removing debug pod ...
Temporary namespace openshift-debug-flz4d was removed.
[student@workstation ~]$
```

[student@workstation ~]$ oc login -u developer -p developer
Login successful.
...output omitted...

Rerun the oc image info command to retrieve the SHA ID of the image version that the 1-209 tag references. Specify the JSON format for the command output. Parse the JSON output with the jq -r command to retrieve the value of the .digest object. Export the SHA ID as the $IMAGE environment variable.
```
[student@workstation ~]$ oc image info \
  registry.ocp4.example.com:8443/ubi8/httpd-24:1-209 -o json | \
  jq -r .digest
sha256:b1e3...f876
```
```
[student@workstation ~]$ IMAGE=sha256:b1e3...f876
```

Use the oc create deployment command to deploy the application. Set the name of the deployment to httpd2.

[student@workstation ~]$ oc create deployment httpd2 \
  --image registry.ocp4.example.com:8443/ubi8/httpd-24@$IMAGE
deployment.apps/httpd2 created

Confirm that the new deployment refers to the image version by its SHA ID.

[student@workstation ~]$ oc get deployment httpd2 -o wide
NAME     READY  ...  CONTAINERS   IMAGES ...
httpd2   1/1    ...  httpd-24     registry.../ubi8/httpd-24@sha256:b1e3...f876 ...

Update the httpd2 application by using a more recent image version.

In the httpd2 deployment, update the httpd-24 container to use the image version that the 1-215 tag references.

[student@workstation ~]$ oc set image deployment/httpd2 \
  httpd-24=registry.ocp4.example.com:8443/ubi8/httpd-24:1-215
deployment.apps/httpd2 image updated

Confirm that the deployment refers to the new image version.

[student@workstation ~]$ oc get deployment httpd2 -o wide
NAME     READY   ...    IMAGES ...
httpd2   1/1     ...    registry.ocp4.example.com:8443/ubi8/httpd-24:1-215 ...

Confirm that the deployment finished redeploying the pod. You might have to rerun the command several times for the pod to report a Running status. The pod names probably differ on your system.

[student@workstation ~]$ oc get pods
NAME                      READY   STATUS    RESTARTS   AGE
httpd1-6dff796d99-pm2x6   1/1     Running   0          118m
httpd2-998d9b9b9-5859j    1/1     Running   0          21s

Inspect the pod to confirm that the container is using the new image. Replace the pod name with your own from the previous step.

[student@workstation ~]$ oc get pod httpd2-998d9b9b9-5859j \
  -o jsonpath='{.spec.containers[0].image}{"\n"}'
registry.ocp4.example.com:8443/ubi8/httpd-24:1-215

Add the latest tag to the image version that the 1-209 tag already references. Deploy an application from the image with the latest tag.

Use the skopeo login command to log in to the classroom container registry as the developer user. Use developer for the password.
```
[student@workstation ~]$ skopeo login -u developer -p developer \
  registry.ocp4.example.com:8443
Login Succeeded!
```

Use the skopeo copy command to add the latest tag to the image.

[student@workstation ~]$ skopeo copy \
  docker://registry.ocp4.example.com:8443/ubi8/httpd-24:1-209 \
  docker://registry.ocp4.example.com:8443/ubi8/httpd-24:latest
Getting image source signatures
...output omitted...
Writing manifest to image destination
Storing signatures

Use the oc image info command to confirm that both tags refer to the same image. The two commands report the same SHA image ID, which indicates that the tags point to the same image version.

[student@workstation ~]$ oc image info \
  registry.ocp4.example.com:8443/ubi8/httpd-24:1-209
Name:          registry.ocp4.example.com:8443/ubi8/httpd-24:1-209
Digest:        sha256:b1e3...f876
...output omitted...

[student@workstation ~]$ oc image info \
  registry.ocp4.example.com:8443/ubi8/httpd-24:latest
Name:          registry.ocp4.example.com:8443/ubi8/httpd-24:latest
Digest:        sha256:b1e3...f876
...output omitted...

Use the oc create deployment command to deploy another application. Set the name of the deployment to httpd3. To confirm that by default the command selects the latest tag, do not provide the tag part in the image name.
```
[student@workstation ~]$ oc create deployment httpd3 \
  --image registry.ocp4.example.com:8443/ubi8/httpd-24
deployment.apps/httpd3 created
```

Confirm that the pod is running. You might have to rerun the command several times for the pod to report a Running status. The pod names probably differ on your system.

[student@workstation ~]$ oc get pods
NAME                      READY   STATUS    RESTARTS   AGE
httpd1-6dff796d99-pm2x6   1/1     Running   0          150m
httpd2-998d9b9b9-5859j    1/1     Running   0          32m
httpd3-85b978d758-fvqdr   1/1     Running   0          42s

Confirm that the pod is using the expected image. Notice that the SHA image ID corresponds to the image that the 1-209 tag references. You retrieved that SHA image ID in a preceding step when you ran the oc image info command.

[student@workstation ~]$ oc describe pod httpd3-85b978d758-fvqdr
...output omitted...
Containers:
  httpd-24:
    Container ID: cri-o://2cee...3a68
    Image:        registry.ocp4.example.com:8443/ubi8/httpd-24
    Image ID:     registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:b1e3...f876
...output omitted...

Assign the latest tag to a different image version. This operation simulates a developer who pushes a new version of an image and assigns the latest tag to that new image version.
1. Use the skopeo copy command to add the latest tag to the image version that the 1-215 tag already references. The command automatically removes the latest tag from the earlier image.
```
[student@workstation ~]$ skopeo copy \
  docker://registry.ocp4.example.com:8443/ubi8/httpd-24:1-215 \
  docker://registry.ocp4.example.com:8443/ubi8/httpd-24:latest
Getting image source signatures
...output omitted...
Writing manifest to image destination
Storing signatures
```
2. Log out of the classroom container registry.
```
[student@workstation ~]$ skopeo logout registry.ocp4.example.com:8443
Removed login credentials for registry.ocp4.example.com:8443
```
  Note
  The skopeo logout command logs out of a specified registry server by deleting the cached credentials that are stored in the ${XDG_RUNTIME_DIR}/containers/auth.json file.
  Red Hat recommends removing cached credentials that are no longer required.
3. Even though the latest tag is now referencing a different image version, OpenShift does not redeploy the pods that are running with the previous image version.
  Rerun the oc describe pod command to confirm that the pod still uses the preceding image.
```
[student@workstation ~]$ oc describe pod httpd3-85b978d758-fvqdr
...output omitted...
Containers:
  httpd-24:
    Container ID: cri-o://2cee...3a68
    Image:        registry.ocp4.example.com:8443/ubi8/httpd-24
    Image ID:     registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:b1e3...f876
...output omitted...
```

Scale the httpd3 deployment to two pods.

Use the oc scale command to add a new pod to the deployment.

[student@workstation ~]$ oc scale deployment/httpd3 --replicas 2
deployment.apps/httpd3 scaled

List the pods to confirm that two pods are running for the httpd3 deployment. The pod names probably differ on your system.

[student@workstation ~]$ oc get pods
httpd1-6dff796d99-pm2x6   1/1     Running   0          75m
httpd2-998d9b9b9-5859j    1/1     Running   0          30m
httpd3-85b978d758-f98jh   1/1     Running   0          54s
httpd3-85b978d758-fvqdr   1/1     Running   0          11m

Retrieve the SHA image ID for the pod that the deployment initially created. The ID did not change. The container is still using the original image version.

[student@workstation ~]$ oc describe pod httpd3-85b978d758-fvqdr
...output omitted...
Containers:
  httpd-24:
    Container ID: cri-o://2cee...3a68
    Image:        registry.ocp4.example.com:8443/ubi8/httpd-24
    Image ID:     registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:b1e3...f876
...output omitted...

Retrieve the SHA image ID for the additional pod. Notice that the ID is different. The additional pod is using the image that the latest tag is currently referencing.
```
[student@workstation ~]$ oc describe pod httpd3-85b978d758-f98jh
...output omitted...
Containers:
  httpd-24:
    Container ID: cri-o://d254...c893
    Image:        registry.ocp4.example.com:8443/ubi8/httpd-24
    Image ID:     registry.ocp4.example.com:8443/ubi8/httpd-24@sha256:91ad...fd83
...output omitted...
```
The state of the deployment is inconsistent. The two replicated pods use a different image version. Consequently, the scaled application might not behave correctly. Red Hat recommends that you use a less volatile tag than latest in production environments, or that you tightly control the tag assignments in your container registry.

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish updates-ids

Discuss Red Hat OpenShift Administration I: Operating a Production Cluster

Go to community

Version 4.12.2 versus 4.12 of DO180 course?

DRobitaille

21 lis 2023

I just noticed that there is now a version 4.12.2 of the DO180. Currently without any new updated videos. Do we have access to some sort of changelog to judge how different the new version is compared to 4.12. I'm currently in the process of reviewing the content of DO180/DO280 in preparation for my upcoming EX280 exam (based on "4.12"), so I'm wondering if it's worth studying the 4.12.2 version instead of 4.12.

470

Red Hat OpenShift Administration I: Containers & Kubernetes (DO180)

Haley_Ruccio

20 lip 2023

Deploy, manage, and troubleshoot containerized applications running as Kubernetes workloads in OpenShift clusters.Course DescriptionRed Hat OpenShift Administration I: Managing Containers and Kubernetes (DO180) prepares OpenShift cluster administrators to manage Kubernetes workloads and to collaborate with developers, DevOps engineers, system administrators, and SREs to ensure the availability of application workloads. This course focuses on managing typical end-user applications that are often accessible from a web or mobile UI and that represent most cloud-native and containerized workloads. Managing applications also includes deploying and updating their dependencies, such as databases, messaging, and authentication systems.The skills that you learn in this course apply to all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on Red Hat OpenShift 4.12.Course Content SummaryManaging OpenShift clusters from the command-line interface and from the web console.Troubleshooting network connectivity between applications inside and outside an OpenShift cluster.Connecting Kubernetes workloads to storage for application data.Configuring Kubernetes workloads for high availability and reliability.Managing updates to container images, settings, and Kubernetes manifests of an application.Target AudienceSystem administrators and platform operators who are interested in managing OpenShift clusters and containerized applications.Site Reliability Engineers who are interested in maintaining and troubleshooting containerized applications on Kubernetes.System and software architects who are interested in learning and using the features and functions of an OpenShift cluster.Developers and Site Reliability Engineers that are new to container technology should enroll in Red Hat OpenShift Development I: Introduction to Containers with Podman (DO188).Recommended trainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Containers, Kubernetes and Red Hat OpenShift Technical Overview or equivalent knowledge of Linux containers.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

Welcome to the Red Hat OpenShift Administration (DO180) group in the Red Hat Learning Community!

Deanna

18 lip 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration I - Containers & Kubernetes! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home screen.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO180.Read more about Red Hat OpenShift Administration I here.

114

Revision: do180-4.14-b6cd706

Red Hat OpenShift Administration I: Operating a Production Cluster

Guided Exercise: Container Image Identity and Tags

Note

Note

Note