OpenShift Origin is a distribution of Kubernetes optimized for continuous application development and multi-tenant deployment. OpenShift adds developer and operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams.
Features:
Learn More:
For questions or feedback, reach us on IRC on #openshift-dev on Freenode or post to our mailing list.
If you have downloaded the client tools from the releases page, place the included binaries in your PATH.
Run `oc cluster up` to get started immediately. Try it out now!
OpenShift builds a developer-centric workflow around Docker containers and Kubernetes runtime concepts. An Image Stream lets you easily tag, import, and publish Docker images from the integrated registry. A Build Config allows you to launch Docker builds, build directly from source code, or trigger Jenkins Pipeline jobs whenever an image stream tag is updated. A Deployment Config allows you to redeploy whenever a new image becomes available. Routes make it trivial to expose your Kubernetes services via a public DNS name. As an administrator, you can enable your developers to request new Projects which come with predefined roles, quotas, and security controls to fairly divide access.
For more on the underlying concepts of OpenShift, please see the documentation site.
The OpenShift API is located on each server at `https://<host>:8443/oapi/v1`. These APIs are described via Swagger v1.2 at `https://<host>:8443/swaggerapi/oapi/v1`. For more, see the API documentation.
OpenShift embeds Kubernetes and extends it with security and other integrated concepts. An OpenShift Origin release corresponds to the Kubernetes distribution - for example, OpenShift 1.4 includes Kubernetes 1.4.
If you're looking for more information about using Kubernetes or the lower level concepts that Origin depends on, see the following:
OpenShift is designed to run any existing Docker images. Additionally, you can define builds that will produce new Docker images using a `Dockerfile`.
For an easier experience running your source code, Source-to-Image (S2I) allows developers to simply provide an application source repository containing code to build and run. It works by combining an existing S2I-enabled Docker image with application source to produce a new runnable image for your application.
You can see the full list of Source-to-Image builder images and it's straightforward to create your own. Some of our available images include:
Your application image can be easily extended with a database service with our database images:
OpenShift runs with the following security policy by default:
`builds/docker` and `builds/custom` policy resource.
Many Docker containers expect to run as root (and therefore edit all the contents of the filesystem). The Image Author's guide gives recommendations on making your image more secure by default:
* Don't run as root
* Make directories you want to write to group-writable and owned by group id 0
* Set the net-bind capability on your executables if they need to bind to ports <1024
If you are running your own cluster and want to run a container as root, you can grant that permission to the containers in your current project with the following command:
```
# Gives the default service account in the current project access to run as UID 0 (root)
oc adm policy add-scc-to-user anyuid -z default
```
See the security documentation for more on confining applications.
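
One way to check an image build against the first two Image Author recommendations above before deploying it. This is an added example, not code from the Origin project; the helper names, the sample Dockerfile and its base image name are assumptions, and a build stage with no `USER` instruction is treated as running as root.

```shell
#!/bin/sh
# Added example: audit an image build against the recommendations above.
# Helper names and the sample paths are hypothetical.

# Print the user the final build stage runs as: the last USER after the
# last FROM, or "root" when there is none (assumes the base image does
# not set a non-root USER itself).
final_user() {
    awk 'toupper($1) == "FROM" { u = "" }
         toupper($1) == "USER" { u = $2 }
         END { print (u == "" ? "root" : u) }' "$1"
}

# Succeed (exit 0) when the image would start as UID 0.
runs_as_root() {
    case "$(final_user "$1")" in
        root|root:*|0|0:*) return 0 ;;
        *) return 1 ;;
    esac
}

# List directories under $1 that are not both owned by group id $2
# (default 0) and group-writable. Empty output means compliant.
non_compliant_dirs() {
    find "$1" -type d \( ! -group "${2:-0}" -o ! -perm -020 \) -print
}

# Constructed sample input: a Dockerfile that follows the recommendations.
demo=$(mktemp -d)
cat > "$demo/Dockerfile" <<'EOF'
FROM registry.example.com/base:latest
RUN mkdir -p /opt/app/data && chgrp -R 0 /opt/app && chmod -R g+w /opt/app
USER 1001
EOF
if runs_as_root "$demo/Dockerfile"; then
    echo "FAIL: image runs as root"
else
    echo "OK: image runs as user $(final_user "$demo/Dockerfile")"
fi
rm -rf "$demo"
```

Run `non_compliant_dirs` against the unpacked application directory of an image; any path it prints is a directory that is not both group-writable and owned by group id 0.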
Some features from upstream Kubernetes are not yet enabled in OpenShift, for reasons including supportability, security, or limitations in the upstream feature.
Kubernetes Definitions:
OpenShift uses these terms in the same fashion as Kubernetes, and adds four more:
The list of features that qualify under these labels is described below, along with additional context for why.
Feature | Kubernetes | OpenShift | Justification |
---|---|---|---|
Third Party Resources | Alpha (1.4, 1.5) | Not Yet Secure | Third party resources are still under active development upstream. Known issues include failure to clean up resources in etcd, which may result in a denial of service attack against the cluster. We are considering enabling them for development environments only. |
Garbage Collection | Alpha (1.3) Beta (1.4, 1.5) | Tech Preview (1.4, 1.5) | Garbage collection will automatically delete related resources on the server, and thus given the potential for data loss we are waiting for GC to graduate to beta and have a full release cycle of testing before enabling it in Origin. |
Stateful Sets | Alpha (1.3, 1.4) Beta (1.5) | Tech Preview (1.3, 1.4, 1.5) | Stateful Sets are still being actively developed and no backwards compatibility is guaranteed until 1.5 is released. Starting in 1.5, Stateful Sets will be enabled by default and some backwards compatibility will be guaranteed. |
Init Containers | Alpha (1.3, 1.4) Beta (1.5) | Tech Preview (1.3, 1.4, 1.5) | Init containers are properly secured, but will not be officially supported until 1.6. |
Federated Clusters | Alpha (1.3) Beta (1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | A Kubernetes federation server may be used against Origin clusters with the appropriate credentials today. Known issues include tenant support in federation and the ability to have consistent access control between federation and normal clusters. No Origin specific binary is being distributed for federation at this time. |
Deployment | Beta (1.3, 1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | OpenShift launched with DeploymentConfigs, a more fully featured Deployment object. DeploymentConfigs are more appropriate for developer flows where you want to push code and have it automatically be deployed, and also provide more advanced hooks and custom deployments. Use Kubernetes Deployments when you are managing change outside of OpenShift. |
Replica Sets | Beta (1.3, 1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | Replica Sets perform the same function as Replication Controllers, but have a more powerful label syntax. Both ReplicationControllers and ReplicaSets can be used. |
Ingress | Beta (1.2, 1.3, 1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | OpenShift launched with Routes, a more full featured Ingress object. In 1.5, Ingress rules can be read by the router (disabled by default), but because Ingress objects reference secrets you must grant the routers a very high level of access to your cluster to run with them. Future changes will likely reduce the security impact of enabling Ingress. |
PodSecurityPolicy | Beta (1.3, 1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | OpenShift launched with SecurityContextConstraints, and then upstreamed them as PodSecurityPolicy. We plan to enable upstream PodSecurityPolicy so as to automatically migrate existing SecurityContextConstraints. PodSecurityPolicy has not yet completed a full security review, which will be part of the criteria for tech preview. SecurityContextConstraints are a superset of PodSecurityPolicy features. |
PodAntiAffinitySelectors | Beta (1.3, 1.4, 1.5) | Not Yet Secure (1.3) Tech Preview (1.4, 1.5) | End users are not allowed to set PodAntiAffinitySelectors that are not the node name due to the possibility of attacking the scheduler via denial of service. |
NetworkPolicy | Beta (1.3, 1.4, 1.5) | Tech Preview (1.3, 1.4, 1.5) | Starting with 1.5, OpenShift SDN will expose an experimental mode that uses network policy to restrict access to pods. Future releases will expand this support. |
Please contact us if this list omits a feature supported in Kubernetes which does not run in Origin.
You can develop locally on your host or with a virtual machine, or, if you just want to try out Origin, download the latest Linux server or Windows and Mac OS X client pre-built binaries.
First, get up and running with the Contributing Guide.
All contributions are welcome - Origin uses the Apache 2 license and does not require any contributor agreement to submit patches. Please open issues for any bugs or problems you encounter, ask questions on the OpenShift IRC channel (#openshift-dev on freenode), or get involved in the Kubernetes project at the container runtime layer.
See HACKING.md for more details on developing on Origin, including how different tests are set up.
If you want to run the test suite, make sure you have your environment set up, and from the `origin` directory run:
```
# run the verifiers, unit tests, and command tests
$ make check
# run a command-line integration test suite
$ hack/test-cmd.sh
# run the integration server test suite
$ hack/test-integration.sh
# run the end-to-end test suite
$ hack/test-end-to-end.sh
# run all of the tests above
$ make test
```
You'll need etcd installed and on your path for the integration and end-to-end tests to run, and Docker must be installed to run the end-to-end tests. To install etcd you should be able to run:
```
$ hack/install-etcd.sh
```
Some of the components of Origin run as Docker images, including the builders and deployment tools in `images/builder/docker/*` and `images/deploy/*`. To build them locally, run:
```
$ hack/build-images.sh
```
To hack on the web console, check out the assets/README.md file for instructions on testing the console and building your changes.
If you've found a security issue that you'd like to disclose confidentially, please contact Red Hat's Product Security team. Details at https://access.redhat.com/security/team/contact
OpenShift is licensed under the Apache License, Version 2.0.