<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="">
<meta name="keywords" content="installationopenshift, openshift, configuration">
<title>Configuration: OpenShift | Eclipse Che Documentation</title>
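<link rel="stylesheet" href="css/syntax.css">
<!-- NOTE(review): the third-party assets below that carry crossorigin="anonymous" but no
     integrity attribute are not pinned, so a changed or replaced file at the CDN would be
     loaded silently. Give each one a Subresource Integrity hash of the exact file, e.g.
     integrity="sha384-<hash-placeholder>", as the Bootstrap CSS and JS already do. -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" crossorigin="anonymous">
<link rel="stylesheet" href="css/modern-business.css">
<!-- Latest compiled and minified CSS -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<link rel="stylesheet" href="css/customstyles.css">
<link rel="stylesheet" href="css/boxshadowproperties.css">
<!-- most color styles are extracted out to here -->
<link rel="stylesheet" href="css/theme-che.css">
<link rel="stylesheet" href="/css/coderay.css" media="screen">
<!-- NOTE(review): the jQuery 2.x line is no longer maintained upstream, so this pinned 2.1.4
     build (also without an SRI hash, see above) is an upgrade candidate. jquery.cookie is
     presumably only needed when navgoco's cookie persistence is on; it is off in the inline
     init below (save: false), verify before keeping the extra download. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-cookie/1.4.1/jquery.cookie.min.js" crossorigin="anonymous"></script>
<script src="js/jquery.navgoco.min.js"></script>
<!-- Latest compiled and minified JavaScript -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<!-- Anchor.js (unpinned as well, see the note above) -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/anchor-js/2.0.0/anchor.min.js" crossorigin="anonymous"></script>
<script src="js/toc.js"></script>
<script src="js/customscripts.js"></script>
<link rel="shortcut icon" href="che/docs/images/favicon.ico">
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.4.2/respond.min.js"></script>
<![endif]-->
<!-- NOTE(review): the feed URL below points at a local development server (0.0.0.0:4000),
     i.e. the public site host was not configured when this page was generated, so readers
     following the feed link get nothing. Presumably it comes from the site build's URL
     setting; verify and set it for production builds. -->
<link rel="alternate" type="application/rss+xml" title="che" href="http://0.0.0.0:4000/feed.xml">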
<script>
$(function () {
  // Sidebar accordion setup: one section open at a time, no caret markup.
  // save is kept off (see the original remark below); the cookie settings are
  // presumably only consulted when it is on.
  var navgocoOptions = {
    caretHtml: '',
    accordion: true,
    openClass: 'active', // open
    save: false, // leave false or nav highlighting doesn't work right
    cookie: {
      name: 'navgoco',
      expires: false,
      path: '/'
    },
    slide: {
      duration: 400,
      easing: 'swing'
    }
  };
  $("#mysidebar").navgoco(navgocoOptions);

  // "Collapse All" / "Expand All" links (only present when the commented block
  // in the sidebar markup is enabled). They use href="#", so the default jump
  // to the top of the page is suppressed before toggling every section.
  function toggleWholeSidebar(open) {
    return function (event) {
      event.preventDefault();
      $("#mysidebar").navgoco('toggle', open);
    };
  }
  $("#collapseAll").click(toggleWholeSidebar(false));
  $("#expandAll").click(toggleWholeSidebar(true));
});
</script>
<script>
$(document).ready(function () {
  // Activate Bootstrap tooltips on every element that opted in with data-toggle="tooltip".
  var tooltipTargets = $('[data-toggle="tooltip"]');
  tooltipTargets.tooltip();
});
</script>
<script>
$(function () {
  // "Nav" link in the top bar: hide or show the sidebar column, let the content
  // column switch between 9 and 12 grid units, and flip the toggle icon.
  // The default action of the href="#" link is not suppressed here.
  $("#tg-sb-link").click(function () {
    var sidebar = $("#tg-sb-sidebar");
    var content = $("#tg-sb-content");
    var icon = $("#tg-sb-icon");
    sidebar.toggle();
    content.toggleClass('col-md-9 col-md-12');
    icon.toggleClass('fa-toggle-on fa-toggle-off');
  });
});
</script>
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-inverse navbar-static-top">
<div class="container topnavlinks">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="fa fa-home fa-lg navbar-brand" href="index.html">&nbsp;<span class="projectTitle"> Eclipse Che Documentation</span></a>
</div>
<div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
<ul class="nav navbar-nav navbar-right">
<!-- toggle sidebar button -->
<li><a id="tg-sb-link" href="#"><i id="tg-sb-icon" class="fa fa-toggle-on"></i> Nav</a></li>
<!-- entries without drop-downs appear here -->
<li><a href="https://medium.com/eclipse-che-blog/" target="_blank">Blog</a></li>
<li><a href="https://github.com/eclipse/che" target="_blank">Source Code</a></li>
<!-- entries with drop-downs appear here -->
<!-- conditional logic to control which topnav appears for the audience defined in the configuration file.-->
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Get Support<b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="https://github.com/eclipse/che/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Akind%2Fbug" target="_blank">Known Bugs</a></li>
<li><a href="https://github.com/eclipse/che/issues/new" target="_blank">File an Issue</a></li>
<li><a href="https://stackoverflow.com/questions/tagged/eclipse-che" target="_blank">Che on StackOverflow</a></li>
</ul>
</li>
<!--
<li>
<a class="email" title="Submit feedback" href="#" onclick="javascript:window.location='mailto:?subject= feedback&body=I have some feedback about the Configuration: OpenShift page: ' + window.location.href;"><i class="fa fa-envelope-o"></i> Feedback</a>
</li>
-->
<!--comment out this block if you want to hide search-->
<li>
<!--start search-->
<div id="search-demo-container">
<input type="text" id="search-input" placeholder="search..." aria-label="Search the documentation">
<ul id="results-container"></ul>
</div>
<script src="js/jekyll-search.js" type="text/javascript"></script>
<script type="text/javascript">
(function () {
  // Wire the top-bar search box to the site index (search.json).
  var searchOptions = {
    searchInput: document.getElementById('search-input'),
    resultsContainer: document.getElementById('results-container'),
    dataSource: 'search.json',
    // {url} and {title} are filled in by the library from each search.json
    // entry; the title attribute is the same fixed string (this page's title)
    // for every result. NOTE(review): the rendered values come from the site
    // build, not from user input; confirm the library escapes them before
    // relying on that for anything user-controlled.
    searchResultTemplate: '<li><a href="{url}" title="Configuration: OpenShift">{title}</a></li>',
    noResultsText: 'No results found.',
    limit: 10,
    fuzzy: true
  };
  SimpleJekyllSearch.init(searchOptions);
})();
</script>
<!--end search-->
</li>
</ul>
</div>
</div>
<!-- /.container -->
</nav>
<!-- Page Content -->
<div class="container">
<div id="main">
<!-- Content Row -->
<div class="row">
<!-- Sidebar Column -->
<div class="col-md-3" id="tg-sb-sidebar">
<ul id="mysidebar" class="nav">
<li class="sidebarTitle"> </li>
<li>
<a href="#">Overview</a>
<ul>
<li><a href="index.html">Introduction</a></li>
<li><a href="quick-start.html">Getting Started</a></li>
<li><a href="single-multi-user.html">Single and Multi-User Flavors</a></li>
<li><a href="infra-support.html">Supported Infrastructures</a></li>
</ul>
</li>
<li>
<a href="#">Che on Docker</a>
<ul>
<li><a href="docker-single-user.html">Docker - Single User</a></li>
<li><a href="docker-multi-user.html">Docker - Multi User</a></li>
<li><a href="docker-config.html">Docker - Configuration</a></li>
<li><a href="docker-cli.html">Docker - CLI Reference</a></li>
</ul>
</li>
<li>
<a href="#">Che on Kubernetes</a>
<ul>
<li><a href="kubernetes-single-user.html">Kubernetes - Single User</a></li>
<li><a href="kubernetes-multi-user.html">Kubernetes - Multi User</a></li>
<li><a href="kubernetes-config.html">Kubernetes - Configuration</a></li>
<li><a href="kubernetes-admin-guide.html">Kubernetes - Admin Guide</a></li>
</ul>
</li>
<li>
<a href="#">Che on OpenShift</a>
<ul>
<li><a href="openshift-single-user.html">OpenShift - Single User</a></li>
<li><a href="openshift-multi-user.html">OpenShift - Multi User</a></li>
<li class="active"><a href="openshift-config.html">OpenShift - Configuration</a></li>
<li><a href="openshift-admin-guide.html">OpenShift - Admin Guide</a></li>
</ul>
</li>
<li>
<a href="#">User Management</a>
<ul>
<li><a href="user-management.html">Authentication and Authorization</a></li>
<li><a href="authentication.html">Security Model</a></li>
<li><a href="permissions.html">Permissions</a></li>
<li><a href="organizations.html">Organizations in UD</a></li>
<li><a href="resource-management.html">Resource Management</a></li>
</ul>
</li>
<li>
<a href="#">User Guides</a>
<ul>
<li><a href="creating-starting-workspaces.html">Creating and starting Workspaces</a></li>
<li><a href="ide-projects.html">Projects</a></li>
<li><a href="editor-code-assistance.html">Editor and Code-Assistance</a></li>
<li><a href="dependency-management.html">Dependency Management</a></li>
<li><a href="commands-ide-macro.html">Commands and IDE Macros</a></li>
<li><a href="version-control.html">Version Control</a></li>
<li><a href="debug.html">Debug</a></li>
</ul>
</li>
<li>
<a href="#">Workspace Administration</a>
<ul>
<li><a href="what-are-workspaces.html">Workspace Overview</a></li>
<li><a href="stacks.html">Workspace - Stacks</a></li>
<li><a href="recipes.html">Workspace - Recipes</a></li>
<li><a href="servers.html">Workspace - Servers</a></li>
<li><a href="installers.html">Workspace - Installers</a></li>
<li><a href="volumes.html">Workspace - Volumes Mount</a></li>
<li><a href="env-variables.html">Workspace - Environment Variables</a></li>
<li><a href="projects.html">Workspace - Projects</a></li>
<li><a href="workspaces-troubleshooting.html">Workspace - Troubleshooting</a></li>
<li><a href="workspace-data-model.html">Workspace Data Model</a></li>
</ul>
</li>
<li>
<a href="#">Portable Workspaces</a>
<ul>
<li><a href="chedir-getting-started.html">Chedir - Getting Started</a></li>
<li><a href="why-chedir.html">Chedir - Why Chedir?</a></li>
<li><a href="chedir-installation.html">Chedir - Installation</a></li>
<li><a href="chedir-project-setup.html">Chedir - Project Setup</a></li>
<li><a href="chedir-up-and-down.html">Chedir - Up and Down</a></li>
<li><a href="chefile.html">Chedir - Chefile</a></li>
<li><a href="chedir-ssh.html">Chedir - SSH</a></li>
<li><a href="factories-getting-started.html">Factory - Getting Started</a></li>
<li><a href="creating-factories.html">Factory - Creating</a></li>
<li><a href="factories_json_reference.html">Factory - JSON Reference</a></li>
</ul>
</li>
<li>
<a href="#">Developer Guides</a>
<ul>
<li><a href="framework-overview.html">Overview</a></li>
<li><a href="rest-api.html">SDK - REST API</a></li>
<li><a href="che-in-che-quickstart.html">SDK - Your First Plugin</a></li>
<li><a href="build-reqs.html">SDK - Building Che</a></li>
<li><a href="assemblies.html">SDK - Assemblies</a></li>
<li><a href="logging.html">SDK - Logging</a></li>
<li><a href="ide-extensions-gwt.html">SDK - GWT IDE Extensions</a></li>
<li><a href="server-side-extensions.html">SDK - Server Side Extensions</a></li>
<li><a href="custom-installers.html">SDK - Installers</a></li>
<li><a href="project-types.html">SDK - Project Types</a></li>
<li><a href="language-servers.html">SDK - Language Support</a></li>
<li><a href="parts.html">IDE UI&#58 Parts</a></li>
<li><a href="actions.html">IDE UI&#58 Actions</a></li>
</ul>
</li>
<li>
<a href="#">Dev Essentials</a>
<ul>
<li><a href="guice.html">Dependency Injection</a></li>
<li><a href="dto.html">Transport&#58 DTO</a></li>
<li><a href="json-rpc.html">Communication&#58 JSON-RPC</a></li>
<li><a href="handling-projects-in-plugins.html">Handling Projects in Plugins</a></li>
<li><a href="dao.html">Persistence, DAO</a></li>
<li><a href="properties.html">Properties</a></li>
</ul>
</li>
<li>
<a href="#">Infrastructure and SPI</a>
<ul>
<li><a href="spi_overview.html">Overview</a></li>
<li><a href="spi-implementation.html">Implementation Notes</a></li>
</ul>
</li>
<!-- if you aren't using the accordion, uncomment this block:
<p class="external">
<a href="#" id="collapseAll">Collapse All</a> | <a href="#" id="expandAll">Expand All</a>
</p>
-->
</ul>
<!-- this highlights the active parent class in the navgoco sidebar. this is critical so that the parent expands when you're viewing a page. This must appear below the sidebar code above. Otherwise, if placed inside customscripts.js, the script runs before the sidebar code runs and the class never gets inserted.-->
<script>$("li.active").parents('li').toggleClass("active");</script>
</div>
<!-- Content Column -->
<div class="col-md-9" id="tg-sb-content">
<div class="post-header">
<h1 class="post-title-main">Configuration: OpenShift</h1>
</div>
<div class="post-content">
<!-- this handles the automatic toc. use ## for subheads to auto-generate the on-page minitoc. if you use html tags, you must supply an ID for the heading element in order for it to appear in the minitoc. -->
<script>
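$(document).ready(function () {
  // Build the on-page mini TOC from the h2 headings into #toc.
  $('#toc').toc({ minimumHeaders: 0, listType: 'ul', showSpeed: 0, headers: 'h2' });
  /* this offset helps account for the space taken up by the floating toolbar. */
  $('#toc').on('click', 'a', function () {
    var href = this.getAttribute('href');
    // Only fragment links ("#heading-id") are turned into a selector; anything
    // else is left to the browser. This also keeps non-selector strings (jQuery
    // treats a string starting with "<" as HTML) out of $().
    if (!href || href.charAt(0) !== '#') {
      return;
    }
    var target = $(href);
    // A dangling link (heading gone or id mismatch) used to throw on
    // .offset().top; fall back to the default navigation instead.
    if (target.length === 0) {
      return;
    }
    $(window).scrollTop(target.offset().top - 10);
    return false;
  });
});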
</script>
<div id="toc"></div>
<!--
-->
<div class="sect1">
<h2 id="admin-guide">Admin Guide</h2>
<div class="sectionbody">
<div class="paragraph">
<p>See: <a href="openshift-admin-guide.html">OpenShift Admin Guide</a> for general information that applies to both OpenShift and Kubernetes.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configure-che-server">Configure Che Server</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Che server is configured by updating environment variables passed to Che deployment. You can configure Che Server when initially deploying Che (See: <a href="openshift-single-user.html">Installation Single User</a>, <a href="openshift-multi-user.html">Multi-User</a>) or afterwards, by modifying Che deployment.</p>
</div>
<div class="paragraph">
<p>There are multiple ways to modify Che deployment to add new or modify existing environment variables. You can either:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><strong>Option 1: Update Che deployment yaml.</strong> To update Che deployment yaml and update in nano editor (VIM is used by default), run this command: <code>$ OC_EDITOR="nano" oc edit dc/che</code></p>
</li>
<li>
<p><strong>Option 2: Update manually in OpenShift web console.</strong> To update manually in OpenShift web console &gt; deployments &gt; Che &gt; Environment</p>
</li>
<li>
<p><strong>Option 3: Modify environment variables.</strong> To update Che deployment with new environment variables or modify existing variables, run this command: <code>$ oc set env dc/che KEY=VALUE KEY1=VALUE1</code></p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="what-can-be-configured">What Can Be Configured?</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can find deployment env or config map in yaml files.</p>
</div>
<div class="paragraph">
<p>Here is a <a href="https://github.com/eclipse/che/tree/master/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/che">complete</a> list of all properties that are configurable for Che server.</p>
</div>
<div class="paragraph">
<p>You can manually convert properties into envs, just make sure to follow <a href="properties.html#properties-and-environment-variables">instructions on properties page</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="https-mode">HTTPS Mode</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To enable https for server and workspace routes, follow instructions in <a href="openshift-single-user.html">setup docs single user</a> and <a href="openshift-multi-user.html">multi-user</a>.</p>
</div>
<div class="paragraph">
<p>To migrate an existing Che deployment to https, do the following:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>Update Che deployment with <code>PROTOCOL=https, WS_PROTOCOL=wss, TLS=true</code></p>
</li>
<li>
<p>Manually edit or recreate routes for Che and Keycloak <code>oc apply -f https</code></p>
</li>
<li>
<p>Once done, go to <code><a href="https://keycloak-${NAMESPACE}.${ROUTING_SUFFIX}" class="bare">https://keycloak-${NAMESPACE}.${ROUTING_SUFFIX}</a></code> and log in to the admin console. Default credentials are <code>admin:admin</code>; change them as soon as the console is reachable, since they are the same for every deployment. Go to Clients, open the <code>che-public</code> client and edit <strong>Valid Redirect URIs</strong> and <strong>Web Origins</strong> URLs so that they use the <strong>https</strong> protocol. You do not need to do this if you initially deploy Che with https support.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="https-mode---self-signed-certs">HTTPS Mode - Self-Signed Certs</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you enable HTTPS mode for multi-user Che on an OpenShift installation that does not have certificates signed by a public authority, it won’t be possible to start workspaces or even log in.</p>
</div>
<div class="paragraph">
<p>There is a lot of communication between Che server and workspace agents, Che server and Keycloak. Therefore, self signed certs should be added to Java trust store of Che server and Keycloak (only for a multi user Che deployment) pods, as well as workspace images. While there is automation for Che server and Keycloak, certs should be manually added to workspace images, since adding a root certificate requires sudo privileges which an arbitrary OpenShift user may not have.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Export certificate:</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>This has to be the certificate that your OpenShift <strong>router</strong> uses since OpenShift Web Console may use a different cert or even use a different (sub)domain. If you are not certain where to find the cert, you may export it:</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/che/docs/images/workspaces/chrome_cert.png" alt="chrome cert">
</div>
</div>
<div class="paragraph">
<p>Choose the top certificate hierarchy and export a single certificate.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a secret with certificate:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>CERTIFICATE=$(cat /path/to/openshift/ca.crt)
oc new-app -f deploy/openshift/templates/multi/openshift-certificate-secret.yaml -p CERTIFICATE="${CERTIFICATE}"</pre>
</div>
</div>
<div class="paragraph">
<p>Once created, <code>OPENSHIFT_IDENTITY_PROVIDER_CERTIFICATE</code> env takes cert file content as a value and is then used in entrypoints of Che server and Keycloak images.</p>
</div>
<div class="imageblock">
<div class="content">
<img src="/che/docs/images/workspaces/ca_secret.png" alt="ca secret">
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Deploy Che in https mode: <a href="openshift-single-user.html#https-mode">single user</a>, <a href="openshift-multi-user.html#openshift-container-platform">multi-user</a></p>
</li>
<li>
<p>Build an image with your certificate and push it to a registry. Example of a Dockerfile:</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>FROM eclipse/ubuntu_jdk8
ADD ca.crt /usr/local/share/ca-certificates/ca.crt
RUN sudo update-ca-certificates
RUN cd ${HOME} &amp;&amp; \
echo yes | keytool -keystore minishift.jks -importcert -alias HOSTDOMAIN -file /usr/local/share/ca-certificates/ca.crt -storepass minishift</pre>
</div>
</div>
<div class="paragraph">
<p>Then run <code>docker build -t yourOrg/yourImage:yourTag .</code> You need to have the OpenShift self-signed cert (<code>ca.crt</code> in this example) in the same directory as the Dockerfile.</p>
</div>
<div class="paragraph">
<p>If you inherit from Fedora, CentOS or RHEL image, the Dockerfile will look a bit different:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>ADD ca.crt /etc/pki/ca-trust/source/anchors/ca.crt
RUN sudo update-ca-trust</pre>
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Add self signed cert to your browser. In Chrome, go to <code>chrome://settings/certificates &gt; Authorities &gt; Import</code></p>
</li>
</ul>
</div>
<div class="imageblock">
<div class="content">
<img src="/che/docs/images/workspaces/chrome_certs.png" alt="chrome certs">
</div>
</div>
<div class="ulist">
<ul>
<li>
<p>Create a <a href="creating-starting-workspaces.html#creating%20workspaces">custom stack</a> (or update existing one) with the newly built image.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="https-mode---letsencrypt">HTTPS Mode - Letsencrypt</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Letsencrypt can issue wildcard certificates. There’s only one pre-requisite - your OpenShift installation should be under a <strong>public DNS name</strong>. The best way to solve the TLS issue with Eclipse Che is to get Letsencrypt certs for the <code>*.${OPENSHIFT_ROUTING_SUFFIX}</code> domain and then configure the OpenShift router to use them. Once done, all secure routes that your OpenShift cluster generates will automatically be trusted by all clients.</p>
</div>
<div class="paragraph">
<p>To obtain a wildcard Letsencrypt certificate for your OpenShift router, visit the <a href="https://certbot.eff.org/">Certbot</a> page and follow the instructions for your OS. Once the certificate and key are generated, there are a few things you should do (requires OpenShift admin privileges) in the default OpenShift namespace where the router is deployed:</p>
</div>
<div class="listingblock">
<div class="content">
<pre># add the key to the cert
cat fullchain.pem privkey.pem &gt; both.pem
# Backup the old config
oc export secret router-certs &gt; ~/old-router-certs-secret.yaml
# Replace the router certificate
oc secrets new router-certs tls.crt=both.pem tls.key=privkey.pem -o json --type='kubernetes.io/tls' --confirm | oc replace -f -
# Rollout the latest DC for the router
oc rollout latest router</pre>
</div>
</div>
<div class="paragraph">
<p>You may also find the following docs/blog posts helpful:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="https://docs.openshift.org/latest/install_config/redeploying_certificates.html#redeploying-custom-registry-or-router-certificates">OpenShift Docs</a></p>
</li>
<li>
<p><a href="https://blog.openshift.com/lets-encrypt-acme-v2-api/">OpenShift Blog</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>After a router restarts, all secure routes in the cluster should be trusted, and you can deploy Che in https mode: <a href="openshift-single-user.html#https-mode">single user</a> or <a href="openshift-multi-user.html#openshift-container-platform">multi-user</a> or update your http Che installation.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="private-docker-registries">Private Docker Registries</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Refer to <a href="https://docs.openshift.com/container-platform/3.7/security/registries.html">OpenShift documentation</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="enable-ssh-and-sudo">Enable ssh and sudo</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default, pods are run with an arbitrary user that has a randomly generated UID (the range is defined in the OpenShift config file). This security constraint has several consequences for Eclipse Che users:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>installers for language servers will fail since most of them require <code>sudo</code></p>
</li>
<li>
<p>no way to run any sudo commands in a running workspace</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>It is possible to allow root access, which in turn allows running system services and changing file/directory <a href="#filesystem-permissions">permissions</a>. You can change this behavior. See <a href="https://docs.openshift.com/container-platform/3.6/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile">OpenShift Documentation for details</a>.</p>
</div>
<div class="paragraph">
<p>You may also configure some services to bind to ports below <code>1024</code>, say, apache2. Here’s an example of enabling it for <a href="https://github.com/eclipse/che-dockerfiles/blob/master/recipes/php/Dockerfile#L49">Apache2</a> in a PHP image.</p>
</div>
<div class="paragraph">
<p><strong>How to Get a Shell in a Pod?</strong></p>
</div>
<div class="paragraph">
<p>Since OpenShift routes do not support the ssh protocol, one cannot run sshd (or equivalent) in a pod and ssh into it. However, OpenShift itself provides a few alternatives (only for users who can authenticate as the user that deployed Che):</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>oc rsh ${POD_NAME}</code> (you can get running pods with <code>oc</code>). Note that this is a remote shell, not an ssh connection</p>
</li>
<li>
<p>in an OpenShift <strong>web console, projects &gt; ws-namespace &gt; pods &gt; pod details &gt; Terminal</strong>.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>Once Che server is able to create OpenShift objects on behalf of a current user, rsh will be available for all users. You may follow GitHub <a href="https://github.com/eclipse/che/issues/8178">issue</a> to get updates.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="filesystem-permissions">Filesystem Permissions</h2>
<div class="sectionbody">
<div class="paragraph">
<p>As said above, pods in OpenShift are started with an arbitrary user with a dynamic UID that is generated for each namespace individually. As a result, a user in an OpenShift pod does not have write permissions for files and directories unless the root group (GID <code>0</code>) has write permissions for those (an arbitrary user in OpenShift belongs to the root group). All Che ready-to-go stacks are optimized to run well on OpenShift. See an example from a <a href="https://github.com/eclipse/che-dockerfiles/blob/master/recipes/stack-base/centos/Dockerfile#L45-L48">base image</a>. What happens there is that the root group has write permissions for <code>/projects</code> (where workspace projects are located), the user home directory and some other dirs.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="multi-user-using-own-keycloak-and-psql">Multi-User: Using Own Keycloak and PSQL</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Out of the box Che is deployed together with Keycloak and Postgres pods, and all three services are properly configured to be able to communicate. However, it does not matter for Che what Keycloak server and Postgres DB to use, as long as those have compatible versions and meet certain requirements.</p>
</div>
<div class="paragraph">
<p>Follow instructions on deploying multi-user <a href="openshift-multi-user.html">Che without Keycloak or Postgres or both</a>.</p>
</div>
<div class="paragraph">
<p><strong><em>Che Server and Keycloak</em></strong></p>
</div>
<div class="paragraph">
<p>Keycloak server URL is retrieved from the <code>CHE_KEYCLOAK_AUTH__SERVER__URL</code> environment variable. A new installation of Che will use its own Keycloak server running in a Docker container pre-configured to communicate with Che server. Realm and client are mandatory environment variables. By default the Keycloak environment variables are:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>CHE_KEYCLOAK_AUTH__SERVER__URL=http://${KC_ROUTE}:5050/auth
CHE_KEYCLOAK_REALM=che
CHE_KEYCLOAK_CLIENT__ID=che-public</pre>
</div>
</div>
<div class="paragraph">
<p>You can use your own Keycloak server. Create a new realm and a public client. A few things to keep in mind:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>It must be a public client</p>
</li>
<li>
<p><code>redirectUris</code> should be <code>${CHE_SERVER_ROUTE}/*</code>. If no or incorrect <code>redirectUris</code> are provided or the one used is not in the list of <code>redirectUris</code>, Keycloak will display an error saying that redirect_uri param is invalid.</p>
</li>
<li>
<p><code>webOrigins</code> should be either <code>${CHE_SERVER_ROUTE}</code> or <code>*</code> (the explicit route is the tighter setting). If no or incorrect <code>webOrigins</code> are provided, the Keycloak script won’t be injected into the page because of a CORS error.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p><strong><em>Using an alternate OIDC provider instead of Keycloak</em></strong></p>
</div>
<div class="paragraph">
<p>Instead of using a Keycloak server, Che now provides limited support for alternate authentication servers compatible with the <a href="http://openid.net/specs/openid-connect-core-1_0.html">OpenId Connect specification</a>.</p>
</div>
<div class="paragraph">
<p>Some limitations restrict the alternate OIDC providers that can be used with Eclipse Che. Supported providers should:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>implement access tokens as JWT tokens including at least the following claims:</p>
<div class="ulist">
<ul>
<li>
<p><code>exp</code>: the expiration time (<a href="https://tools.ietf.org/html/rfc7519#section-4.1.4" class="bare">https://tools.ietf.org/html/rfc7519#section-4.1.4</a>)</p>
</li>
<li>
<p><code>sub</code>: the subject (<a href="https://tools.ietf.org/html/rfc7519#section-4.1.2" class="bare">https://tools.ietf.org/html/rfc7519#section-4.1.2</a>)</p>
</li>
</ul>
</div>
</li>
<li>
<p>allow redirect Urls with wildcards at the end</p>
</li>
<li>
<p>provide an endpoint that returns the <a href="http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig">OpenID Provider Configuration information</a>. According to the specification, this endpoint should end with sub-path <code>/.well-known/openid-configuration</code>.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>When using an alternate OIDC provider, the following Keycloak environment variables should be set to <code>NULL</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>CHE_KEYCLOAK_AUTH__SERVER__URL=NULL
CHE_KEYCLOAK_REALM=NULL</pre>
</div>
</div>
<div class="paragraph">
<p>Instead, you should set the following environment variables:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>CHE_KEYCLOAK_CLIENT__ID=&lt;client id provided by the OIDC provider&gt;
CHE_KEYCLOAK_OIDC__PROVIDER=&lt;base URL of the OIDC provider that provides a configuration endpoint at `/.well-known/openid-configuration` sub-path&gt;</pre>
</div>
</div>
<div class="paragraph">
<p>If the optional <a href="http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest"><code>nonce</code> OpenId request parameter</a> is not supported, the following environment variable should be added:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>CHE_KEYCLOAK.USE__NONCE=FALSE</pre>
</div>
</div>
<div class="paragraph">
<p><strong><em>Che Server and PostgreSQL</em></strong></p>
</div>
<div class="paragraph">
<p>Che server uses the defaults below to connect to PostgreSQL, where it stores info related to users, user preferences and workspaces. These values are public, so override at least <code>CHE_JDBC_PASSWORD</code> in any deployment that is not a local test:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>CHE_JDBC_USERNAME=pgche
CHE_JDBC_PASSWORD=pgchepassword
CHE_JDBC_DATABASE=dbche
CHE_JDBC_URL=jdbc:postgresql://postgres:5432/dbche
CHE_JDBC_DRIVER__CLASS__NAME=org.postgresql.Driver
CHE_JDBC_MAX__TOTAL=20
CHE_JDBC_MAX__IDLE=10
CHE_JDBC_MAX__WAIT__MILLIS=-1</pre>
</div>
</div>
<div class="paragraph">
<p>Che currently uses version 9.6.</p>
</div>
<div class="paragraph">
<p><strong><em>Keycloak and PostgreSQL</em></strong></p>
</div>
<div class="paragraph">
<p>Database URL, port, database name, user and password are defined as environment variables in the Keycloak pod. Defaults are as follows (override <code>POSTGRES_PASSWORD</code> outside local testing):</p>
</div>
<div class="listingblock">
<div class="content">
<pre>POSTGRES_PORT_5432_TCP_ADDR=postgres
POSTGRES_PORT_5432_TCP_PORT=5432
POSTGRES_DATABASE=keycloak
POSTGRES_USER=keycloak
POSTGRES_PASSWORD=keycloak</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="development-mode">Development Mode</h2>
<div class="sectionbody">
<div class="paragraph">
<p>After you have built your <a href="assemblies.html">custom assembly</a>, execute <code>build.sh</code> <a href="https://github.com/eclipse/che/tree/master/dockerfiles/che">script</a>. You can then tag it, either push to MiniShift or a public Docker registry, and reference in your Che deployment as <code>CHE_IMAGE_REPO</code> and <code>CHE_IMAGE_TAG</code>. Alternatively, you may make sure the image is available locally and change pull policy to <code>IfNotPresent</code> in che deployment.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="che-workspace-termination-grace-period">Che Workspace Termination Grace Period</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Info about changing workspace termination grace period can be found in the following <a href="kubernetes-config.html#che-workspace-termination-grace-period">section</a> of the Che Kubernetes config document.</p>
</div>
</div>
</div>
<div class="tags">
<b>Tags: </b>
<a href="tag_installation.html" class="btn btn-default navbar-btn cursorNorm" role="button">installation</a>
<a href="tag_openshift.html" class="btn btn-default navbar-btn cursorNorm" role="button">openshift</a>
</div>
<!--
-->
</div>
<hr class="shaded"/>
<footer>
<div class="row">
<div class="col-lg-12 footer">
Eclipse Che - Documentation <br/>
Site last generated: Sep 13, 2018 <br/>
<hr>
<a href="http://www.eclipse.org" target="_blank">Eclipse Foundation</a><br/>
<a href="http://www.eclipse.org/legal/privacy.php" target="_blank">Privacy Policy</a><br/>
<a href="http://www.eclipse.org/legal/termsofuse.php" target="_blank">Terms of Use</a><br/>
<a href="https://www.eclipse.org/legal/epl-2.0/" target="_blank">Eclipse Public License</a><br/>
<a href="http://www.eclipse.org/legal" target="_blank">Legal Resources</a><br/>
</div>
</div>
</footer>
<!-- /.row -->
</div>
<!-- /.container -->
</div>
<!-- /#main -->
</div>
</body>
</html>