
Lab: Configure Kubernetes Networking for Virtual Machines

Configure services, routes, and network policies to expose a web application that runs in a virtual machine, and to restrict access to its database, which runs in another virtual machine in the same project.

Outcomes

  • Create services with the ClusterIP type.

  • Link services to virtual machines.

  • Create network policies to protect virtual machines.

  • Create routes.

As the student user on the workstation machine, use the lab command to prepare your system for this exercise.

[student@workstation ~]$ lab start network-review

Instructions

  1. From the command line on the workstation machine, use the oc command to log in to the Red Hat OpenShift cluster as the admin user with redhatocp as the password.

    Open a web browser and log in to the Red Hat OpenShift web console at https://console-openshift-console.apps.ocp4.example.com.

    Confirm that the mariadb-server and the front-web VMs are running in the network-review project.

    1. From the command line, log in to your OpenShift cluster as the admin user with redhatocp as the password.

      [student@workstation ~]$ oc login -u admin -p redhatocp \
        https://api.ocp4.example.com:6443
      Login Successful
      ...output omitted...
    2. Set the network-review project as the active project.

      [student@workstation ~]$ oc project network-review
      Now using project "network-review" on server "https://api.ocp4.example.com:6443".
    3. Open a web browser and navigate to the https://console-openshift-console.apps.ocp4.example.com URL. Select htpasswd_provider and log in as the admin user with redhatocp as the password.

    4. Navigate to Virtualization → VirtualMachines and then select the network-review project. Confirm that the mariadb-server and the front-web VMs are running.

  2. From the web console, create the database service with the ClusterIP type, which enables access to the database that is running inside the mariadb-server VM. Add the tier: backend label to the mariadb-server VM.

    This service must listen on TCP port 3306 and forward the traffic to port 3306 of the tier: backend pod.

    The lab command prepared some examples of resource files in the ~/DO316/labs/network-review/solutions directory.

    To verify your work, run the ~/DO316/labs/network-review/solutions/testdb.sh script. The script tries to connect to the database through the database service.

    1. Navigate to the YAML tab of the mariadb-server VM, add the tier: backend label to the .spec.template.metadata.labels path, and click Save.

      ...output omitted...
      spec:
        dataVolumeTemplates:
        ...output omitted...
        template:
          metadata:
            creationTimestamp: null
            labels:
              tier: backend
              flavor.template.kubevirt.io/small: "true"
              kubevirt.io/domain: mariadb-server
              kubevirt.io/size: small
              ...output omitted...
    2. Restart the VM so that the VMI, and the virt-launcher pod to which the service endpoint points, are re-created with the new label. From the web console, click Actions → Restart.

    3. Click Overview, and confirm that the VM is running.

    4. Navigate to Networking → Services, ensure that the network-review project is selected, and then click Create Service. Complete the YAML file with the following content and then click Create.

      The lab command prepared the ~/DO316/labs/network-review/solutions/mariadb-service.yaml file so that you can compare it with your version.

      apiVersion: v1
      kind: Service
      metadata:
        name: database
        namespace: network-review
      spec:
        type: ClusterIP
        selector:
          tier: backend
        ports:
          - protocol: TCP
            port: 3306
            targetPort: 3306
    5. Change to the command-line window and confirm that the database service has an active endpoint.

      [student@workstation ~]$ oc get endpoints
      NAME       ENDPOINTS         AGE
      database   10.11.0.41:3306   9s
    6. Run the testdb.sh script to verify your work.

      [student@workstation ~]$ ~/DO316/labs/network-review/solutions/testdb.sh
      Testing database connection from network-review (be patient)...
        Connection successful
  3. Add the allowed: database label to the network-review namespace, and create a network policy for the mariadb-server VM. The policy must allow only ingress connections to TCP port 3306 from the network-review namespace.

    Create a network policy named allow-database. It must target the pods with the tier: backend label and allow ingress connections to TCP port 3306 from the namespaces with the allowed: database label. Because a network policy isolates every pod that it selects, this policy also denies all other ingress traffic to the mariadb-server VM: any other port, and any namespace that does not carry the allowed: database label, including default. The front-web VM is not selected by the policy, so it is not isolated by it.

    To test the database connection, run the ~/DO316/labs/network-review/solutions/testdb.sh script. The script accepts a namespace as a parameter. The script must succeed when you run ~/DO316/labs/network-review/solutions/testdb.sh network-review and it must fail when you run ~/DO316/labs/network-review/solutions/testdb.sh default.

    1. From the command line, add the allowed: database label to the network-review namespace.

      [student@workstation ~]$ oc label namespace network-review allowed=database
      namespace/network-review labeled
    2. From the web console, navigate to Networking → NetworkPolicies, ensure that the network-review project is selected, click Create NetworkPolicy, and then click YAML view. Complete the file with the following content and then click Create.

      The lab command prepared the ~/DO316/labs/network-review/solutions/policy-example1.yaml file so that you can compare it with your version.

      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      metadata:
        name: allow-database
        namespace: network-review
      spec:
        podSelector:
          matchLabels:
            tier: backend
        ingress:
        - from:
          - namespaceSelector:
              matchLabels:
                allowed: database
          ports:
          - port: 3306
            protocol: TCP
    3. Change to the command line, and run the testdb.sh script with the network-review parameter to test that the database connection is successful.

      [student@workstation ~]$ ~/DO316/labs/network-review/solutions/testdb.sh \
        network-review
      Testing database connection from network-review (be patient)...
        Connection successful
    4. Run the testdb.sh script with the default parameter to test that the database connection fails, because the default namespace does not carry the allowed: database label.

      [student@workstation ~]$ ~/DO316/labs/network-review/solutions/testdb.sh default
      Testing database connection from default (be patient)...
        Cannot connect
  4. From the web console, create a service with the ClusterIP type, which enables access to the web application that is running inside the front-web VM.

    To create this service, add the tier: frontend label to the front-web VM.

    Create the service named web. The service must listen on TCP port 8080 and forward the traffic to port 80 of the pod with the tier: frontend label.

    To verify your work, run the ~/DO316/labs/network-review/solutions/testweb.sh script. The script tries to connect to the web application through the service.

    1. Navigate to the YAML tab, and add the tier: frontend label to the .spec.template.metadata.labels path of the front-web VM.

      ...output omitted...
      spec:
        dataVolumeTemplates:
        ...output omitted...
        template:
          metadata:
            creationTimestamp: null
            labels:
              tier: frontend
              flavor.template.kubevirt.io/small: "true"
              kubevirt.io/domain: front-web
              kubevirt.io/size: small
              ...output omitted...
    2. Restart the VM to re-create the VMI that includes the new label. From the web console, click Actions → Restart.

    3. Click Overview, and confirm that the VM is running.

    4. Navigate to Networking → Services, and then click Create Service. Complete the YAML file with the following content and then click Create.

      The lab command prepared the ~/DO316/labs/network-review/solutions/web-service.yaml file so that you can compare it with your version.

      apiVersion: v1
      kind: Service
      metadata:
        name: web
        namespace: network-review
      spec:
        type: ClusterIP
        selector:
          tier: frontend
        ports:
          - protocol: TCP
            port: 8080
            targetPort: 80
    5. Change to the command line and confirm that the web service has an active endpoint.

      [student@workstation ~]$ oc get endpoints
      NAME       ENDPOINTS         AGE
      database   10.11.0.41:3306   44m
      web        10.8.2.33:80      22s
    6. Run the testweb.sh script to test that the connection to the web application is successful.

      [student@workstation ~]$ ~/DO316/labs/network-review/solutions/testweb.sh
      Testing web application from network-review (be patient)...
        Connection successful
  5. From the web console, create a route to access the web application that is running inside the front-web VM by using the http://intranet-dev.apps.ocp4.example.com URL.

    Complete the form by using the following information:

    Field        Value
    Name         web
    Hostname     intranet-dev.apps.ocp4.example.com
    Service      web
    Target port  8080 → 80 (TCP)

    To confirm that the web application can connect to the database, access http://intranet-dev.apps.ocp4.example.com/cgi-bin/dbtest. The page displays a PASS message when the connection is successful.

    1. From the web console, navigate to Networking → Routes. Select the network-review project and then click Create Route. Complete the form, and click Create. With the form defaults, the route is unencrypted, which matches the http:// URL that this lab uses; for production traffic, select Secure Route to add TLS termination.

    2. From the command line, use the curl command, and confirm that you can access the web application from outside the cluster.

      [student@workstation ~]$ curl http://intranet-dev.apps.ocp4.example.com
      <!DOCTYPE html>
      <html>
          <head>
              <title>Hello, World!</title>
          </head>
          <body>
            <p>Hello, World! Welcome to Red Hat Training.</p>
          </body>
      </html>
    3. Use the curl command with the http://intranet-dev.apps.ocp4.example.com/cgi-bin/dbtest URL to confirm that the web application can access the database.

      [student@workstation ~]$ curl \
        http://intranet-dev.apps.ocp4.example.com/cgi-bin/dbtest
      <html><head><title>Database Test</title></head><body>
      <p style="color:green;">PASS</p>
      </body></html>
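The service selectors and the allow-database policy from the steps above can be reasoned about offline. The following Python model is an added example and is not part of the course material or of the lab scripts: it implements matchLabels selection for Services and the Kubernetes NetworkPolicy ingress rules (a pod that some policy selects accepts only traffic that at least one rule permits; namespaceSelector and podSelector inside one from entry are ANDed; separate rules are ORed), and evaluates the lab's policy against constructed pods. The virt-launcher pod names, the pod IPs, the two testdb client pods, and the ALLOW_DATABASE_SPLIT variant are assumptions made for illustration; ipBlock peers, egress rules, and an explicit policyTypes list are not modeled.

```python
"""Offline model of Service selection and NetworkPolicy ingress evaluation.
Added example for the lab; pod names, IPs and client pods are constructed."""
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    ip: str
    labels: dict

def matches(selector: dict, labels: dict) -> bool:
    """matchLabels: every selector key must be present with the same value;
    an empty selector matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())

def service_endpoints(service: dict, pods: list) -> list:
    """Pods in the Service's namespace that satisfy spec.selector, addressed on
    targetPort. For a VM this is the virt-launcher pod, whose labels come from
    the VMI, which is created from the VM's spec.template."""
    ns = service["metadata"]["namespace"]
    sel = service["spec"]["selector"]
    target = service["spec"]["ports"][0]["targetPort"]
    return sorted(f"{p.ip}:{target}" for p in pods
                  if p.namespace == ns and matches(sel, p.labels))

def peer_matches(peer: dict, policy_ns: str, namespaces: dict, src: Pod) -> bool:
    """One entry of a rule's 'from' list. namespaceSelector and podSelector in
    the same entry are ANDed; a podSelector on its own is scoped to the
    policy's namespace. ipBlock peers are not modeled."""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is not None:
        if not matches(ns_sel.get("matchLabels", {}), namespaces.get(src.namespace, {})):
            return False
    elif src.namespace != policy_ns:
        return False
    return pod_sel is None or matches(pod_sel.get("matchLabels", {}), src.labels)

def rule_allows(rule: dict, policy_ns: str, namespaces: dict,
                src: Pod, port: int, proto: str) -> bool:
    """(no 'from' or some peer matches) AND (no 'ports' or some port matches)."""
    peers = rule.get("from")
    if peers and not any(peer_matches(p, policy_ns, namespaces, src) for p in peers):
        return False
    ports = rule.get("ports")
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto
                            for p in ports)

def ingress_allowed(policies: list, namespaces: dict, src: Pod, dst: Pod,
                    port: int, proto: str = "TCP") -> bool:
    """A pod selected by no policy accepts everything. Once any policy in its
    namespace selects it, only traffic matched by at least one ingress rule of
    at least one selecting policy is allowed (rules are ORed). Assumes
    policyTypes includes Ingress, which is the default."""
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst.namespace
                 and matches(p["spec"]["podSelector"].get("matchLabels", {}), dst.labels)]
    if not selecting:
        return True
    return any(rule_allows(r, pol["metadata"]["namespace"], namespaces, src, port, proto)
               for pol in selecting for r in pol["spec"].get("ingress", []))

# Constructed lab scenario: namespace labels after 'oc label namespace ...'.
NAMESPACES = {"network-review": {"allowed": "database"}, "default": {}}
DATABASE_SVC = {"metadata": {"name": "database", "namespace": "network-review"},
                "spec": {"selector": {"tier": "backend"},
                         "ports": [{"protocol": "TCP", "port": 3306, "targetPort": 3306}]}}
NS_PEER = {"namespaceSelector": {"matchLabels": {"allowed": "database"}}}
DB_PORT = {"port": 3306, "protocol": "TCP"}
# The lab's policy: 'from' and 'ports' in ONE rule, so both must match.
ALLOW_DATABASE = {"metadata": {"name": "allow-database", "namespace": "network-review"},
                  "spec": {"podSelector": {"matchLabels": {"tier": "backend"}},
                           "ingress": [{"from": [NS_PEER], "ports": [DB_PORT]}]}}
# Assumed indentation mistake: a second '-' makes TWO rules, which are ORed.
ALLOW_DATABASE_SPLIT = {"metadata": {"name": "allow-database", "namespace": "network-review"},
                        "spec": {"podSelector": {"matchLabels": {"tier": "backend"}},
                                 "ingress": [{"from": [NS_PEER]}, {"ports": [DB_PORT]}]}}
# virt-launcher pods (names and IPs constructed) and two testdb client pods.
MARIADB_OLD = Pod("virt-launcher-mariadb-server", "network-review", "10.11.0.41",
                  {"kubevirt.io/domain": "mariadb-server"})          # VMI before restart
MARIADB = Pod("virt-launcher-mariadb-server", "network-review", "10.11.0.41",
              {"kubevirt.io/domain": "mariadb-server", "tier": "backend"})
FRONT_WEB = Pod("virt-launcher-front-web", "network-review", "10.8.2.33",
                {"kubevirt.io/domain": "front-web", "tier": "frontend"})
CLIENT_REVIEW = Pod("testdb", "network-review", "10.8.2.50", {})
CLIENT_DEFAULT = Pod("testdb", "default", "10.8.1.7", {})

def lab_results() -> dict:
    ok = ingress_allowed
    return {
        "endpoints_before_restart": service_endpoints(DATABASE_SVC, [MARIADB_OLD, FRONT_WEB]),
        "endpoints_after_restart": service_endpoints(DATABASE_SVC, [MARIADB, FRONT_WEB]),
        "no_policy_from_default": ok([], NAMESPACES, CLIENT_DEFAULT, MARIADB, 3306),
        "policy_from_network_review": ok([ALLOW_DATABASE], NAMESPACES, CLIENT_REVIEW, MARIADB, 3306),
        "policy_from_front_web": ok([ALLOW_DATABASE], NAMESPACES, FRONT_WEB, MARIADB, 3306),
        "policy_from_default": ok([ALLOW_DATABASE], NAMESPACES, CLIENT_DEFAULT, MARIADB, 3306),
        "policy_ssh_from_network_review": ok([ALLOW_DATABASE], NAMESPACES, CLIENT_REVIEW, MARIADB, 22),
        "split_policy_from_default": ok([ALLOW_DATABASE_SPLIT], NAMESPACES, CLIENT_DEFAULT, MARIADB, 3306),
        "front_web_not_isolated": ok([ALLOW_DATABASE], NAMESPACES, CLIENT_DEFAULT, FRONT_WEB, 80),
    }

if __name__ == "__main__":
    print(lab_results())
```

Running the model reproduces the checks in the lab: the database service has no endpoint until the VMI is re-created with the tier: backend label, the client in network-review and the front-web VM reach port 3306, the client in default and any connection to another port (22 in the example) are denied, and the front-web VM is untouched by the policy. The ALLOW_DATABASE_SPLIT variant shows why the testdb.sh default check matters: moving ports onto its own list item turns the AND into an OR, and the default namespace can reach port 3306 again even though the YAML looks almost identical.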

Evaluation

As the student user on the workstation machine, use the lab command to grade your work. Correct any reported failures and rerun the command until successful.

[student@workstation ~]$ lab grade network-review

Finish

As the student user on the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish network-review

Revision: do316-4.14-d8a6b80