Merge pull request #1 from openshift/master

Changed parameter names in Audit Configuration

Author: Sebastian Dehn

README.adoc

@@ -38,6 +38,6 @@ The following table provides quick links to help you get started.
 
 For questions or comments about OpenShift documentation:
 
-* OpenShift team members can be found on the http://webchat.freenode.net/?randomnick=1&channels=openshift&uio=d4[#openshift] and http://webchat.freenode.net/?randomnick=1&channels=openshift-dev&uio=d4[#openshift-dev channels] on http://www.freenode.net/[FreeNode].
+* OpenShift team members can be found on the http://webchat.freenode.net/?randomnick=1&channels=openshift&uio=d4[#openshift] and http://webchat.freenode.net/?randomnick=1&channels=openshift-dev&uio=d4[#openshift-dev] channels on http://www.freenode.net/[FreeNode].
 * You can also join the http://lists.openshift.redhat.com/openshiftmm/listinfo/users[Users] or http://lists.openshift.redhat.com/openshiftmm/listinfo/dev[Developers] mailing list.
 * Send an email to the OpenShift documentation team at [email protected].

_topic_map.yml

@@ -375,8 +375,10 @@ Topics:
         File: ceph_example
       - Name: Complete Example Using GlusterFS
         File: gluster_example
-      - Name: Dynamic Provisioning Example Using GlusterFS
+      - Name: Dynamic Provisioning Example Using Containerized GlusterFS
         File: gluster_dynamic_example
+      - Name: Dynamic Provisioning Example Using Dedicated GlusterFS
+        File: dedicated_gluster_dynamic_example
       - Name: Mounting Volumes To Privileged Pods
         File: privileged_pod_storage
       - Name: Backing Docker Registry with GlusterFS Storage
@@ -714,6 +716,8 @@ Topics:
     File: jobs
   - Name: Cron Jobs
     File: cron_jobs
+  - Name: Create from URL
+    File: create_from_url
   - Name: Revision History
     File: revhistory_dev_guide
     Distros: openshift-enterprise,openshift-dedicated

admin_guide/ipsec.adoc

@@ -18,7 +18,7 @@ Internet Protocol (IP).
 
 This topic shows how to secure communication of an entire IP subnet from which
 the {product-title} hosts receive their IP addresses, including all cluster
-management and pod data traffic. 
+management and pod data traffic.
 
 [NOTE]
 ====
@@ -46,11 +46,11 @@ xref:../admin_guide/ipsec.adoc#admin-guide-ipsec-opportunistic-group-configurati
 group functionality] is required, then *libreswan* version 3.19 or later is
 required.
 
-link:../install_config/configuring_sdn.html[Configure the SDN] MTU to allow
-space for the IPSec header. In the configuration described here IPSec requires
-62 bytes. If the cluster is operating on an ethernet network with an MTU of
-1500 then the SDN MTU should be 1388, to allow for the overhead of IPSec and
-the SDN encapsulation.
+xref:../install_config/configuring_sdn.adoc#install-config-configuring-sdn[Configure the SDN]
+MTU to allow space for the IPSec header. In the configuration described here
+IPSec requires 62 bytes. If the cluster is operating on an ethernet network with
+an MTU of 1500 then the SDN MTU should be 1388, to allow for the overhead of
+IPSec and the SDN encapsulation.
 
 [[admin-guide-ipsec-certificates]]
 === Step 2: Certificates
@@ -83,7 +83,7 @@ key files into a *_PKCS#12_* file, which is a common file format for multiple
 certificates and keys:
 +
 ----
-openssl pkcs12 -export \
+# openssl pkcs12 -export \
   -in /path/to/client-certificate \
   -inkey /path/to/private-key \
   -certfile /path/to/certificate-authority \
@@ -220,13 +220,13 @@ conn <other_node_hostname>
 All nodes within the cluster need to allow IPSec related network traffic. This
 includes IP protocol numbers 50 and 51 as well as UDP port 500.
 
-For example, if the cluster nodes communicate over interface eth0:
-+
----
+For example, if the cluster nodes communicate over interface `eth0`:
+
+----
 -A OS_FIREWALL_ALLOW -i eth0 -p 50 -j ACCEPT
 -A OS_FIREWALL_ALLOW -i eth0 -p 51 -j ACCEPT
 -A OS_FIREWALL_ALLOW -i eth0 -p udp --dport 500 -j ACCEPT
----
+----
 
 [NOTE]
 ====
@@ -241,21 +241,21 @@ to normal cluster deployments.
 and begin encrypting:
 +
 ----
-systemctl start ipsec
+# systemctl start ipsec
 ----
 
 . Enable the *ipsec* service to start on boot:
 +
 ----
-systemctl enable ipsec
+# systemctl enable ipsec
 ----
 
 [[admin-guide-ipsec-troubleshooting]]
 == Troubleshooting
 When authentication cannot be completed between two hosts, you will not be able
 to ping between them, because all IP traffic will be rejected. If the `clear`
 policy is not configured correctly, you will also not be able to SSH to the host
-from another host in the cluster. 
+from another host in the cluster.
 
 You can use the `ipsec status` command to check that the `clear` and `private`
 policies have been loaded.

admin_guide/manage_nodes.adoc

@@ -402,7 +402,7 @@ kubeletArguments:
     - "80"
 ----
 
-<1> Number of pods that can run on this kubelet.
+<1> xref:../admin_guide/manage_nodes.adoc#admin-guide-max-pods-per-node[Maximum number of pods that can run on this kubelet].
 <2> Resolver configuration file used as the basis for the container DNS
 resolution configuration.
 <3> The percent of disk usage after which image garbage collection is always run.
@@ -427,6 +427,42 @@ openshift_node_kubelet_args={'max-pods': ['40'], 'resolv-conf': ['/etc/resolv.co
 ----
 ====
 
+[[admin-guide-max-pods-per-node]]
+=== Setting Maximum Pods Per Node
+
+In the *_/etc/origin/node/node-config.yaml_* file, two parameters control the
+maximum number of pods that can be scheduled to a node: `pods-per-core` and
+`max-pods`. When both options are in use, the lower of the two limits the number
+of pods on a node.
+
+`pods-per-core` sets the number of pods the node can run based on the number of
+processor cores on the node. For example, if `pods-per-core` is set to `10` on
+a node with 4 processor cores, the maxiumum number of pods allowed on the node
+will be 40.
+
+====
+----
+kubeletArguments:
+  pods-per-core:
+    - 10
+----
+====
+
+`max-pods` sets the number of pods the node can run to a fixed value, regardless
+of the properties of the node.
+
+====
+----
+kubeletArguments:
+  max-pods:
+    - 250
+----
+====
+
+Using the above example, the default value for `pods-per-core` is `10` and the
+default value for `max-pods` is `250`. This means that unless the node has 25
+cores or more, by default, `pods-per-core` will be the limiting factor.
+
 [[manage-node-change-node-traffic-interface]]
 == Changing Node Traffic Interface
 
@@ -445,17 +481,17 @@ where:
 - {product-title} is installed in a cloud provider where internal hostnames are not configured/resolvable by all hosts.
 - The node's IP from the master's perspective is not the same as the node's IP from its own perspective.
 
-Configuring the `*openshift_node_set_node_ip*` Ansible variable
+Configuring the `*openshift_set_node_ip*` Ansible variable
 forces node traffic through an interface other than the default network
 interface.
 
 To change the node traffic interface:
 
-. Set the `*openshift_node_set_node_ip*` Ansible variable to `true`.
+. Set the `*openshift_set_node_ip*` Ansible variable to `true`.
 . Set the `*openshift_ip*` to the IP address for the node you want to configure.
 [NOTE]
 ====
-Although  `*openshift_node_set_node_ip*` can be useful as a workaround for the
+Although  `*openshift_set_node_ip*` can be useful as a workaround for the
 cases stated in this section, it is generally not suited for production
 environments. This is because the node will no longer function properly if it
 receives a new IP address.

admin_guide/seccomp.adoc

@@ -66,7 +66,7 @@ the security constraints of an individual system.
 To create your own custom profile, create a file on every node in the
 `seccomp-profile-root` directory.
 +
-If you are using the default *runtime/default* profile, you do not need to
+If you are using the default *docker/default* profile, you do not need to
 create one.
 
 . Configure your nodes to use the *seccomp-profile-root* where your profiles
@@ -98,15 +98,15 @@ default.
 +
 The allowable formats of the *seccompProfiles* field include:
 +
-* *runtime/default*: the default profile for the container runtime (no profile required)
+* *docker/default*: the default profile for the container runtime (no profile required)
 * *unconfined*: unconfined profile, and disables seccomp
 * *localhost/<profile-name>*: the profile installed to the node's local seccomp profile root
 +
-For example, if you are using the default *runtime/default* profile, configure the *restricted* SCC with:
+For example, if you are using the default *docker/default* profile, configure the *restricted* SCC with:
 +
 ----
 seccompProfiles:
-- runtime/default
+- docker/default
 ----
 
 [[seccomp-configuring-openshift-with-custom-seccomp]]

architecture/core_concepts/routes.adoc

@@ -229,17 +229,18 @@ $ oc set env dc/router HAPROXY_ROUTER_SYSLOG_ADDRESS=127.0.0.1 HAPROXY_ROUTER_LO
 |`*ROUTER_SERVICE_NAMESPACE*` |  | The namespace the router identifies itself in the in route status. Required if `ROUTER_SERVICE_NAME` is used.
 |`*ROUTER_SERVICE_NO_SNI_PORT*` | 10443 | Internal port for some front-end to back-end communication (see note below).
 |`*ROUTER_SERVICE_SNI_PORT*` | 10444 | Internal port for some front-end to back-end communication (see note below).
+|`*ROUTER_SLOWLORIS_HTTP_KEEPALIVE*` | 300s | Set the maximum time to wait for a new HTTP request to appear. If this is set too low, it can confuse browsers and applications not expecting a small `keepalive` value.
 |`*ROUTER_SLOWLORIS_TIMEOUT*` | 10s | Length of time the transmission of an HTTP request can take.
-|`*ROUTER_SUBDOMAIN*`|  | The template that should be used to generate the hostname for a route without spec.host (e.g. `${name}-${namespace}.myapps.mycompany.com`).
+|`*ROUTER_SUBDOMAIN*`|  | The template that should be used to generate the host name for a route without spec.host (e.g. `${name}-${namespace}.myapps.mycompany.com`).
 |`*ROUTER_SYSLOG_ADDRESS*` |  | Address to send log messages. Disabled if empty.
 |`*ROUTER_TCP_BALANCE_SCHEME*` | source | Load-balancing strategy for multiple endpoints for pass-through routes. Available options are `source`, `roundrobin`, or `leastconn`.
 |`*ROUTER_LOAD_BALANCE_ALGORITHM*` | leastconn | Load-balancing strategy routes with multiple endpoints. Available options are `source`, `roundrobin`, and `leastconn`.
 //|`*ROUTE_FIELDS*` |  | A field selector to apply to routes to watch, empty means all.
 |`*ROUTE_LABELS*` |  | A label selector to apply to the routes to watch, empty means all.
 |`*STATS_PASSWORD*` |  | The password needed to access router stats (if the router implementation supports it).
 |`*STATS_PORT*` |  | Port to expose statistics on (if the router implementation supports it).  If not set, stats are not exposed.
-|`*STATS_USERNAME*` |  | The username needed to access router stats (if the router implementation supports it).
-|`*TEMPLATE_FILE*` | `/var/lib/haproxy/conf/custom/haproxy-config-custom.template` | The path to the haproxy template file (in the image).
+|`*STATS_USERNAME*` |  | The user name needed to access router stats (if the router implementation supports it).
+|`*TEMPLATE_FILE*` | `/var/lib/haproxy/conf/custom/haproxy-config-custom.template` | The path to the HAproxy template file (in the image).
 |`*RELOAD_INTERVAL*` | 12s | The minimum frequency the router is allowed to reload to accept new changes.
 |===
 
@@ -1070,3 +1071,112 @@ The routers do not clear the `route status` field. To remove the stale entries
 in the route status, use the
 link:https://github.com/openshift/origin/blob/master/images/router/clear-route-status.sh[clear-route-status
 script].
+
+
+[[architecture-core-concepts-routes-deny-allow]]
+== Denying or Allowing Certain Domains in Routes
+
+A router can be configured to deny or allow a specific subset of domains from
+the host names in a route using the `ROUTER_DENIED_DOMAINS` and
+`ROUTER_ALLOWED_DOMAINS` environment variables.
+
+[cols="2"]
+|===
+
+|`*ROUTER_DENIED_DOMAINS*` | Domains listed are not allowed in any indicated routes.
+|`*ROUTER_ALLOWED_DOMAINS*` | Only the domains listed are allowed in any indicated routes.
+
+|===
+
+The domains in the list of denied domains take precedence over the list of
+allowed domains. Meaning {product-title} first checks the deny list (if
+applicable), and if the host name is not in the list of denied domains, it then
+checks the list of allowed domains. However, the list of allowed domains is more
+restrictive, and ensures that the router only admits routes with hosts that
+belong to that list.
+
+For example, to deny the `[*.]open.header.test`, `[*.]openshift.org` and
+`[*.]block.it` routes for the `myrouter` route:
+
+----
+$ oadm router myrouter ...
+$ oc set env dc/myrouter ROUTER_DENIED_DOMAINS="open.header.test, openshift.org, block.it"
+----
+
+This means that `myrouter` will admit the following based on the route's name:
+
+----
+$ oc expose service/<name> --hostname="foo.header.test" 
+$ oc expose service/<name> --hostname="www.allow.it"
+$ oc expose service/<name> --hostname="www.openshift.test"
+----
+
+However, `myrouter` will deny the following:
+
+----
+$ oc expose service/<name> --hostname="open.header.test"
+$ oc expose service/<name> --hostname="www.open.header.test"
+$ oc expose service/<name> --hostname="block.it"
+$ oc expose service/<name> --hostname="franco.baresi.block.it"
+$ oc expose service/<name> --hostname="openshift.org"
+$ oc expose service/<name> --hostname="api.openshift.org"
+----
+
+Alternatively, to block any routes where the host name is _not_ set to `[*.]stickshift.org` or `[*.]kates.net`:
+
+----
+$ oadm router myrouter ...
+$ oc set env dc/myrouter ROUTER_ALLOWED_DOMAINS="stickshift.org, kates.net"
+----
+
+This means that the `myrouter` router will admit:
+
+----
+$ oc expose service/<name> --hostname="stickshift.org"
+$ oc expose service/<name> --hostname="www.stickshift.org" 
+$ oc expose service/<name> --hostname="kates.net" 
+$ oc expose service/<name> --hostname="api.kates.net"
+$ oc expose service/<name> --hostname="erno.r.kube.kates.net"
+----
+
+However, `myrouter` will deny the following:
+
+----
+$ oc expose service/<name> --hostname="www.open.header.test"
+$ oc expose service/<name> --hostname="drive.ottomatic.org"
+$ oc expose service/<name> --hostname="www.wayless.com"
+$ oc expose service/<name> --hostname="www.deny.it"
+----
+
+To implement both scenarios, run:
+
+----
+$ oadm router adrouter ...
+$ oc env dc/adrouter ROUTER_ALLOWED_DOMAINS="openshift.org, kates.net" \
+    ROUTER_DENIED_DOMAINS="ops.openshift.org, metrics.kates.net"
+----
+
+This will allow any routes where the host name is set to `[*.]openshift.org` or
+`[*.]kates.net`, and not allow any routes where the host name is set to
+`[*.]ops.openshift.org` or `[*.]metrics.kates.net`.
+
+Therefore, the following will be denied:
+
+----
+$ oc expose service/<name> --hostname="www.open.header.test"
+$ oc expose service/<name> --hostname="ops.openshift.org"
+$ oc expose service/<name> --hostname="log.ops.openshift.org"
+$ oc expose service/<name> --hostname="www.block.it"
+$ oc expose service/<name> --hostname="metrics.kates.net"
+$ oc expose service/<name> --hostname="int.metrics.kates.net"
+----
+
+However, the following will be allowed:
+
+----
+$ oc expose service/<name> --hostname="openshift.org"
+$ oc expose service/<name> --hostname="api.openshift.org"
+$ oc expose service/<name> --hostname="m.api.openshift.org"
+$ oc expose service/<name> --hostname="kates.net"
+$ oc expose service/<name> --hostname="api.kates.net"
+----

dev_guide/app_tutorials/maven_tutorial.adoc

@@ -30,7 +30,7 @@ to configure your build properly.
 
 Furthermore, make sure that you give each pod enough resources to function. You
 may have to
-xref:../../dev_guide/deployment#creating-a-deployment-configuration[edit the pod
+xref:../../dev_guide/deployments/how_deployments_work.adoc#creating-a-deployment-configuration[edit the pod
 template] in the Nexus deployment configuration to request more resources.
 
 [[nexus-setting-up-nexus]]
@@ -68,8 +68,8 @@ and the password is *admin123*.
 [NOTE]
 ====
 Nexus comes pre-configured for the Central Repository, but you may need others
-for your application. For many Red Hat images, it is recommended to link:https://books.sonatype.com/nexus-book/reference/config-maven.html[add the
-*jboss-ga* repository] at link:https://maven.repository.redhat.com/ga/[Maven repository].
+for your application. For many Red Hat images, it is recommended to link:https://maven.repository.redhat.com/ga/[add the
+*jboss-ga* repository] at link:https://books.sonatype.com/nexus-book/reference/config-maven.html[Maven repository].
 ====
 
 [[nexus-using-probes-to-check-for-success]]