Deploying Qinling in production<\/h2>\n
Our platforms are deployed and maintained by\u00a0Kolla<\/a>, an OpenStack project to deploy OpenStack within Docker and configured by\u00a0Ansible<\/a>. The first thing I checked was to see if Qinling integrated with Kolla, alas\u2026no.<\/p>\n When you have to manage production you don\u2019t want or like to deal with custom setups that are impossible to maintain or to upgrade (that little voice in your head knows what I mean), so I started working integrating Qinling in Kolla, namely the\u00a0Docker<\/a>\u00a0and\u00a0Ansible<\/a> parts.<\/p>\n The qinling_api and qinling_engine containers are now up and running, configured to communicate with RabbitMQ, MySQL\/Galera, memcached, Keystone and etcd. The final important step is to authenticate qinling-engine to the Kubernetes cluster \u2014 I must admit this was the most complex to set up and that the documentation is a bit confusing.<\/p>\n Our Kubernetes cluster has been provisioned by OpenStack Magnum, an OpenStack project used to deploy container orchestration engines (COE) such as Docker Swarm, Mesos and Kubernetes.<\/p>\n Basically, the communication between Qinling and Kubernetes is done by SSL certificates (the same ones used with kubectl), qinling-engine needs to be aware of the CA, the certificate and the key and the Kubernetes API endpoint.<\/p>\n Magnum provides a CLI which allows easily to retrieve the certificates, just make sure that you have python-magnumclient installed.<\/p>\n Four files should have been generated in ~\/k8s_configs\/goldyfruit-k8s-qinling directory:<\/p>\n Only ca.pem, cert.pem and key.pem will be useful in our case (config file will only be used to get the Kubernetes API), which from Qinling documentation will become these options:<\/p>\n At this point if qinling-engine has restarted, then you should see a network policy created on the Kubernetes cluster under the qinling namespace (yes, you should see that too).<\/p>\n The network policy mentioned above could block the incoming traffic to the pods inside the qinling namespace which result in a timeout from qinling-engine. A\u00a0bug has been opened<\/a>\u00a0about this issue and it should be solved soon, so right now the \u201cbest\u201d thing to do is to remove this policy (keep in mind that every time than qinling-engine will be restarted the policy will be re-created).<\/p>\n Just a quick word about the network policy created by Qinling. It has the objective to restrict the pod access to a trusted CIDR list (192.168.1.0\/24, 10.0.0.53\/32, etc\u2026) preventing connections from unknown sources.<\/p>\n One common issue is to forget to open the Qinling API port (7070), this will prevent the Kubernetes cluster to download the function code\/package (it\u2019s time to be nice with your dear network friend ^^).<\/p>\n One of Qinling pitfalls is the \u201clack\u201d of runtime, preventing Qinling to be widely adopted, the reason why there are not that much is because of security reasons (completely understandable).<\/p>\n Actually, in the production environment (especially in the public cloud), it\u2019s recommended that cloud providers supply their own runtime implementation for security reasons. Knowing how the runtime is implemented gives the malicious user the chance to attack the cloud environment.<\/p>\n So far, \u201conly\u201d Python 2.7, Python 3 and Node.JS runtimes are available, it\u2019s a good start but it would be nice to have it for Golang and PHP too (just saying, not asking).<\/p>\n My journey has just begun and I think Qinling has a huge potential, which is why I was a bit surprised to see the project isn\u2019t popular as it could be.<\/p>\n Having it in Kolla, improving the documentation for integration with Magnum, Microk8s, etc\u2026 and providing more runtimes would help the project to gain the popularity it deserves.<\/p>\n Thanks to\u00a0Lingxian Kong<\/a>\u00a0and the community for making this project happen!<\/p>\n This post has appeared on Superuser<\/a> and Medium<\/a>.<\/em><\/p>\nQinling and Magnum, for the win!<\/h2>\n
# Get Magnum cluster UUID<\/span>\r\n$ openstack coe cluster list -f value -c uuid -c name\r\n687<\/span>f7476\u20135604<\/span>\u20134<\/span>b44\u20138<\/span>b09-b7a4f3fdbd64 goldyfruit-k8s-qinling<\/code><\/pre>\n# Retrieve Kubernetes certificates<\/span>\r\n$ mkdir -p ~\/k8s_configs\/goldyfruit<\/span>-k8s-qinling\r\n$ cd ~\/k8s_configs\/goldyfruit<\/span>-k8s-qinling\r\n$ openstack coe cluster config --dir . 687<\/span>f7476-5604<\/span>-4<\/span>b44-8<\/span>b09-b7a4f3fdbd64 --output-certs<\/code><\/pre>\n# Get the Kubernetes API address<\/span>\r\n$ grep<\/span> server config | awk -F\"server:\"<\/span> '{ print $2 }'<\/span><\/code><\/pre>\nca<\/span>.pem<\/span>\u200a\u2014\u200aCA<\/span>\u200a\u2014\u200assl_ca_cert<\/span> (Qinling<\/span> option<\/span>)\r\ncert<\/span>.pem<\/span>\u200a\u2014\u200aCertificate<\/span>\u200a\u2014\u200acert_file<\/span> (Qinling<\/span> option<\/span>)\r\nkey<\/span>.pem<\/span>\u200a\u2014\u200aKey<\/span>\u200a\u2014\u200akey_file<\/span> (Qinling<\/span> option<\/span>)\r\nconfig<\/span>\u2014 Kubernetes<\/span> configuration<\/span><\/code><\/pre>\n[kubernetes]<\/span>\r\nkube_host<\/span> = https:\/\/192.168<\/span>.1.168<\/span>:6443<\/span>\r\nssl_ca_cert<\/span> = \/etc\/qinling\/pki\/kubernetes\/ca.crt\r\ncert_file<\/span> = \/etc\/qinling\/pki\/kubernetes\/qinling.crt\r\nkey_file<\/span> = \/etc\/qinling\/pki\/kubernetes\/qinling.key<\/code><\/pre>\n$ kubectl delete<\/span> netpol allow<\/span>-qinling-engine<\/span>-only<\/span> -n qinling<\/code><\/pre>\nRuntime, it\u2019s time to run!<\/h2>\n
Conclusion<\/h2>\n
![\"OpenStack](\"https:\/\/ormuco.com\/wp-content\/uploads\/2019\/07\/Qinling-CTA-1-1.png\")
<\/a><\/p>","protected":false},"excerpt":{"rendered":"