SSO integration - Red Hat Container Tools

Author: nitinsy

subsystems-container-internals-lab-2-0-part-7/01-01-overview-container-tools/assignment.md

@@ -0,0 +1,62 @@
+---
+slug: 01-overview-container-tools
+id: g5dgkjdlk4js
+type: challenge
+title: An Overview of Container Tools
+notes:
+- type: text
+  contents: |
+    ## Background
+    This lab will help give you a basic understanding of how to use some other OCI compliant tools such as Podman, Buildah, and Skopeo.
+
+    By the end of this lab you should be able to:
+    - FIND, RUN, BUILD, and SHARE containers using OCI compliant tools
+    - Solve real technical problems by using a small set of daemonless tools
+    - Be comfortable using with the basics of an alternative set of tools to Docker
+
+    ## Outline
+    - Understanding the difference between RHEL Server and CoreOS, as well as the difference between the fast and stable streams provided in RHEL Server
+    - Understanding how to install the fast and stable streams
+    - Podman: Familiar Territory: Learning the basics of how to use podman
+    - Buildah: Granularity & Control: Understanding how a container image is really built
+    - Skopeo: Moving & Sharing: Simplicity in inspecting, and moving container images around
+    - CRIU: Checkpoint and restore the memory contents of containers
+    - Udica: Build and deploy custom SELinux policies for containers
+    - OSCAP-Podman: verify patched or unpatched vulnerabilities in container images produced by Red Hat
+
+    ## Other Material
+    - [Presentation](https://goo.gl/h4VK7j)
+    - [Lab GitHub Repository](https://github.com/openshift-instruqt/instruqt/tree/3ccc0f45269f895a19406e833392dc9fbc7948d8/instruqt-tracks/subsystems-container-internals-lab-2-0-part-7)
+
+    ## Start Scenario
+    Once you have gone through the presentation, continue to the exercises
+tabs:
+- title: Terminal 1
+  type: terminal
+  hostname: rhel
+- title: Visual Editor
+  type: code
+  hostname: rhel
+  path: /root
+difficulty: intermediate
+timelimit: 500
+---
+In this lab we're going to cover a plethora of container tools available in Red Hat Enterprise Linux (RHEL), including Podman, Buildah, Skopeo, CRIU and Udica. Before we get into the specific tools, it's important to understand how these are tools are provided to the end user in the Red Hat ecosystem.
+
+The RHEL kernel, systemd, and the container tools, centered around github.com/containers and github.com/cri-o/cri-o, serve as the foundation for both RHEL Server as well as RHEL CoreOS. RHEL Server is a flexible, general purpose operating system which can be customized for many different use cases. On the other hand, RHEL CoreOS is a minimal, purpose built operating system intended to be consumed within automated environments like OpenShift. This lab will specifically cover the tools available in RHEL Server, but much of what you learn is useful with CoreOS which is built from the same bits, but packaged specifically for OpenShift and Edge use cases.
+
+Here's a quick overview of how to think about RHEL Server versus RHEL CoreOS:
+
+1. General Purpose: User -> Podman -> RHEL Server
+2. OpenShift: User -> Kubernetes API -> Kubelet -> CRI-O -> RHEL CoreOS
+
+In a RHEL Server environment, the end user will create containers directly on the container host with Podman. In an OpenShift environment, the end user will create containers through the Kubernetes API - users generally do not interact directly with CRI-O on individual hosts in the cluster. Stated another way, Podman is the primary container interface in RHEL, while Kubernetes is the primary interface in OpenShift.
+
+For the rest of this lab, we will focus on the container tools provided in RHEL Server. The launch of RHEL8 introduced the concept of [Application Streams](https://www.redhat.com/en/blog/introduction-appstreams-and-modules-red-hat-enterprise-linux), which provide users with access to the latest versions of software like Python, Ruby, and Podman. These Application Streams have different, and often shorter life cycles than RHEL (10+ years). Specifically, RHEL8 Server provides users with two types of Application Streams for Container tools:
+
+1. Fast: Rolling stream which is updated with new versions of Podman and other tools up to every 12 weeks, and only supported until the next version is released. This stream is for users looking for the latest features in Podman.
+2. Stable: Traditional streams released once per year, and supported for 24 months. Once released these streams do not update versions of Podman and other tools, and only provide security fixes. This stream is for users looking to put Podman into production depending on stability.
+
+With either stream, the underlying RHEL kernel, systemd, and other packages are treated as a rolling stream. The only choice is is whether to use the fast stream or one of the stable streams. Since RHEL provides a very stable [ABI/API Policy](https://access.redhat.com/articles/rhel8-abi-compatibility) the vast majority of container users will not notice and should not be concerned with kernel, systemd, glibc, etc updates on the container host. If the users selects one of the stable streams, the API to Podman will remains stable and updated for security.
+
+For a deeper dive, check out [RHEL 8 enables containers with the tools of software craftsmanship](https://www.redhat.com/en/blog/rhel-8-enables-containers-tools-software-craftsmanship-0). Now, let's move on to installing and using these different streams of software.

subsystems-container-internals-lab-2-0-part-7/02-join-red-hat-developer-portal/assignment.md

@@ -0,0 +1,17 @@
+---
+slug: join-red-hat-developer-portal
+id: pyxffunx1js2
+type: challenge
+title: Join Red Hat Developer at no cost
+teaser: Join Red Hat Developer at no cost
+tabs:
+- title: Red Hat Login
+  type: browser
+  hostname: rhd-login
+difficulty: ""
+---
+Before you proceed with the next challenge, please take a moment to register for Red Hat Developer. If you already have a Red Hat account, you can use the same login credentials.
+
+This will help us assess user satisfaction and enable us to provide more curated content.
+
+Click on the `Check` button at the bottom once you have registered or logged in.

subsystems-container-internals-lab-2-0-part-7/02-join-red-hat-developer-portal/check-rhd-login

@@ -0,0 +1,41 @@
+#!/bin/bash
+set -euxo pipefail
+echo 'logincheck'
+if [ "${LOGGEDIN-0}" = "1" ]; then
+    echo 'loggedin'
+    exit 0
+fi
+ 
+rm -f /home/user/checkResult.json
+rm -f /home/user/checkAssets.json
+rm -f /home/user/checkError.txt
+
+
+echo 'dropdown check'
+echo '{"location":{"conditions":[{"url":"redhat.com","condition":"contains"}]},"innerText":[{"selector":"html \u003e body","value":"Please click on Check button in the bottom right of your screen to continue with the Lab."}]}' > /home/user/checkAssets.json
+until [ -f /home/user/checkResult.json ]; do
+    sleep 1
+done
+if grep "SUCCESS" /home/user/checkResult.json; then
+    echo 'account dropdown'
+    exit 0
+fi
+
+
+rm -f /home/user/checkResult.json
+rm -f /home/user/checkAssets.json
+rm -f /home/user/checkError.txt
+
+
+echo 'email check'
+echo '{"location":{"conditions":[]},"innerText":[{"selector":"html \u003e body","value":"Email address verification"}]}' > /home/user/checkAssets.json
+until [ -f /home/user/checkResult.json ]; do
+    sleep 1
+done
+cat /home/user/checkResult.json
+if grep "SUCCESS" /home/user/checkResult.json; then
+    echo 'email validation'
+    exit 0
+fi
+fail-message "Please login and click 'Check' button."
+exit 1

subsystems-container-internals-lab-2-0-part-7/03-02-different-streams/assignment.md

@@ -0,0 +1,93 @@
+---
+slug: 02-different-streams
+id: ecpztuba19lq
+type: challenge
+title: Using the Fast and Stable Streams
+tabs:
+- title: Terminal 1
+  type: terminal
+  hostname: rhel
+- title: Visual Editor
+  type: code
+  hostname: rhel
+  path: /root
+difficulty: intermediate
+timelimit: 600
+---
+As mentioned in the previous step, there are two main types of streams. To view them, run the following command:
+
+```
+yum module list | grep container-tools
+```
+
+Notice there are two types:
+1. container-tools:rhel8 - this is the fast moving stream, it's updated once every 12 weeks and generally fixes bugs by rolling to new versions
+2. container-tools:1.0 - this was released with RHEL 8.0 and supported for 24 months, and receives bug fixes with back ports that keep the API and CLI interfaces stable
+3. container-tools:2.0 - this was released with RHEL 8.2 and supported for 24 months, and receives bug fixes with back ports that keep the API and CLI interfaces stable
+
+Now, let's pretend we are developer looking for access to the latest features in RHEL. Let's inspect the description of the fast moving stream. Notice that there are multiple versions of the rhel8 application stream. Every time a package is updated the entire group of packages is version controlled and tested together:
+
+```
+yum module info container-tools:rhel8
+```
+
+Now, let's install the fast moving container-tools:rhel8 Application Stream like this:
+
+```
+yum module install -y container-tools:rhel8
+```
+
+We should have a whole set of tools installed:
+
+```
+yum module list --installed
+```
+
+Look at the packages that were installed as part of this Application Stream:
+
+```
+yum module repoquery --installed container-tools
+```
+
+Look at the version of Podman that was installed. It should be fairly new, probably within a few months of what's latest upstream:
+
+```
+podman -v
+```
+
+Let's clean up the environment, and start from scratch:
+
+```
+yum module remove -y container-tools
+yum module reset -y container-tools
+```
+
+OK, now let's pretend we are a systems administrator or SRE that wants a set of stable tools which are supported for 24 months. First, inspect the stable stream that was released in RHEL 8.0. Notice that there are several versions of this Application Stream. Every time a package is updated a new stream version is generated to snapshot the exact versions of each package together as a stream:
+
+```
+yum module info container-tools:1.0
+```
+
+Now, install it:
+
+```
+yum module install -y --allowerasing container-tools:1.0
+```
+
+Check the version of Podman again:
+
+```
+podman -v
+```
+
+Notice that it's an older version of Podman. This version only gets back ports and will never move beyond Podman 1.0.2. Note, there is no connection between the container-tools version number and the Podman version number. It is purely coincidence that these numbers coincide. The container-tools version number is an arbitrary number representing all of the tools tested together in the Application Stream. This includes, Podman, Buildah, Skopeo, CRIU, etc.
+
+Now, let's go back to the latest version of the container-tools for the rest of this module:
+
+```
+yum module remove -y container-tools
+yum module reset -y container-tools
+yum module install -y container-tools:rhel8
+```
+
+Notice how easy it was to move between the stable streams and the fast moving stream. This is the power of modularity. Now, let's move on to using the actual tools.

subsystems-container-internals-lab-2-0-part-7/04-03-podman/assignment.md

@@ -0,0 +1,144 @@
+---
+slug: 03-podman
+id: poot9tf6vot4
+type: challenge
+title: 'Podman: Familiar Territory'
+tabs:
+- title: Terminal 1
+  type: terminal
+  hostname: rhel
+- title: Visual Editor
+  type: code
+  hostname: rhel
+  path: /root
+difficulty: intermediate
+timelimit: 500
+---
+The goal of this lab is to introduce you to Podman and some of the features that make it interesting. If you have ever used Docker, the basics should be pretty familiar. Lets start with some simple commands.
+
+Pull an image:
+
+```
+podman pull ubi8
+```
+
+List locally cached images:
+
+```
+podman images
+```
+
+Start a container and run bash interactively in the local terminal. When ready, exit:
+
+```
+podman run -it ubi8 bash
+```
+
+```
+exit
+```
+
+List running containers:
+
+```
+podman ps -a
+```
+
+Now, let's move on to some features that differentiates Podman from Docker. Specifically, let's cover the two most popular reasons - Podman runs with a daemon (daemonless) and without root (rootless). Podman does not have a daemon, it's an interactive command more like bash, and like bash it can be run as a regular user (aka. rootless).
+
+The container host we are working with already has a user called RHEL, so let's switch over to it. Note, we set a couple of environment variables manually because we're using the switch user command. These would normally be set at login:
+
+```
+su - rhel
+export XDG_RUNTIME_DIR=/home/rhel
+```
+
+Now, fire up a simple container in the background:
+
+```
+podman run -id ubi8 bash
+```
+
+Now, lets analyze a couple of interesting things that makes Podman different than Docker - it doesn't use a client server model, which is useful for wiring it into CI/CD systems, and other schedulers like Yarn:
+
+Inspect the process tree on the system:
+
+```
+pstree -Slnc
+```
+
+You should see something similar to:
+
+```
+└─conmon─┬─{conmon}
+         └─bash(ipc,mnt,net,pid,uts)
+```
+
+There's no Podman process, which might be confusing. Lets explain this a bit. What many people don't know is that containers disconnect from Podman after they are started. Podman keeps track of meta-data in ~/.local/share/containers (/var/lib/containers is only used for containers started by root) which tracks which containers are created, running, and stopped (killed). The meta-data that Podman tracks is what enables a "podman ps" command to work.
+
+In the case of Podman, containers disconnect from their parent processes so that they don't die when Podman exit exits. In the case of Docker and CRI-O which are daemons, containers disconnect from the parent process so that they don't die when the daemon is restarted. For Podman and CRI-O, there is utility which runs before runc called conmon (Container Monitor). The conmon utility disconnects the container from the engine by doing forking twice (called a double fork). That means, the execution chain looks something like this with Podman:
+
+`bash -> podman -> conmon -> conmon -> runc -> bash`
+
+Or like this with CRI-O:
+
+`systemd -> crio -> conmon -> conmon -> runc -> bash`
+
+Or like this with Docker engine:
+
+`systemd -> dockerd -> containerd -> docker-shim -> runc -> bash`
+
+Conmon is a very small C program that monitors the standard in, standard error, and standard out of the containerized process. The conmon utility and docker-shim both serve the same purpose. When the first conmon finishes calling the second, it exits. This disconnects the second conmon and all of its child processes from the container engine. The second conmon then inherits init system (systemd) as its new parent process. This daemonless and simplified model which Podman uses can be quite useful when wiring it into other larger systems, like CI/CD, scripts, etc.
+
+Podman doesn't require a daemon and it doesn't require root. These two features really set Podman apart from Docker. Even when you use the Docker CLI as a user, it connects to a daemon running as root, so the user always has the ability escalate a process to root and do whatever they want on the system. Worse, it bypasses sudo rules so it's not easy to track down who did it.
+
+Now, let's move on to some other really interesting features. Rootless containers use a kernel feature called User Namespaces. This maps the one or more user IDs in the container to one or more user IDs outside of the container. This includes the root user ID in the container as well as any others which might be used by programs like Nginx or Apache.
+
+Podman makes it super easy to see this mapping. Start an nginx container to see the user and group mapping in action:
+
+
+```
+podman run -id registry.access.redhat.com/rhscl/nginx-114-rhel7 nginx -g 'daemon off;'
+```
+
+Now, execute the Podman bash command:
+
+```
+podman top -l args huser hgroup hpid user group pid seccomp label
+```
+
+Notice that the host user, group and process ID  ''in'' the container all map to different and real IDs on the host system. The container thinks that nginx is running as the user ''default'' and the group ''root'' but really it's running as an arbitrary user and group. This user and group are selected from a range configured for the ''rhel'' user account on this system. This list can easily be inspected with the following commands:
+
+```
+cat /etc/subuid
+```
+
+You will see something similar to this:
+
+```
+rhel:165536:65536
+```
+
+The first number represents the starting user ID, and the second number represents the number of user IDs which can be used from the starting number. So, in this example, our RHEL user can use 65,535 user IDs starting with user ID 165536. The Podman bash command should show you that nginx is running in this range of UIDs.
+
+The user ID mappings on your system might be different because shadow utilities (useradd, usderdel, usermod, groupadd, etc) automatically creates these mappings when a user is added. As a side note, if you've updated from an older version of RHEL, you might need to add entries to /etc/subuid and /etc/subgid manually.
+
+OK, now stop all of the running containers. No more one liners like with Docker, it's just built in with Podman:
+
+```
+podman kill --all
+```
+
+Remove all of the actively defined containers. It should be noted that this might be described as deleting the copy-on-write layer, config.json (commonly referred to as the Config Bundle) as well as any state data (whether the container is defined, running, etc):
+
+```
+podman rm --all
+```
+
+We can even delete all of the locally cached images with a single command:
+
+```
+podman rmi --all
+```
+
+The above commands show how easy and elegant Podman is to use. Podman is like a Chef's knife. It can be used for pretty much anything that you used Docker for, but let's move on to Builah and show some advanced use cases when building container images.