Highlighted
Flight Engineer Flight Engineer
Flight Engineer
  • 1,249 Views

[DO425] Typos, errors and bugs

Hi,

I've completed DO425 and I'm ready to report the typos, errors and bugs I have noticed in it. As I suggested here, it would be cool to be able to report them directly in the course (wiki-style). An other suggestion I made would be to systematically have a dedicated RHLC thread be created for each course, similarly to what was done for the Red Hat Summit Power Trainings.

Sadly, I started taking note of them close to the end of my preparation for EX425, so I probably missed many.

 

1.5 Describing Least-Privilege Technology

"In UNIX systems, a process with UID 0 can change itself to a more restricted configuration, but any other process can only demote itself to a more restrictive configuration."

-> less?

1.8 Summary

"Model Linux kernels"

-> Modern?

2.3 Identifying Trusted Images

"The following except stores new signatures under the filesystem"

-> excerpt

3.1 Reviewing the OpenShift Automated Build Process

[user@demo ~]$ oc set build-hook bc/build-config-name \
--post-commit \
--command \
--command

-> here a critical space is missing at the last line which should read: -- command

3.1 Reviewing the OpenShift Automated Build Process

[user@demo ~]$ oc set triggers bc build-config-name \
--from-image="imagestream"

"NOTE
The command syntax is misleading. You should monitor for images stream changes, not container image changes."

-> the actual syntax is: --from-image="imagestream:tag" ; what is actually monitored is an image stream tag (thanks @oldbenko for having taught me that !)

3.2 Guided Exercise: Performing a Source-to-Image Build Process

At section 1.2:

 <profile>
    <id>openshift</id>
 </profile>

-> those 3 lines are actually not in security.txt

At section 2.2:

"From the terminal window, run the following command to build the image:"

-> the following command actually creates the project

In this guided exercise, the image trigger that is added to the bc at step 4.1 is misleadingly not the one that actually triggers the re-build, as clearly explained here by @oldbenko 

4.4 Guided Exercise: Integrating Red Hat Identity Management and 4.7 Lab: Managing User Access Control

IDM labs are broken when IDM admin password has expired, as I previously mentioned here.

4.6 Guided Exercise: Installing Single Sign-on Authentication

for f in ~/sso72-dev; do oc delete -f $f; done
for f in ~/sso72-dev; do oc create -f $f; done

-> This accidentally works, but only because the -f flag also accepts a directory ; each loop actually iterates only once and therefore is needless

4.7 Lab: Managing User Access Control

"This file already contains the oc adm group sync"

-> oc adm groups sync

5.1 Automating Policy-Based Deployments

"On master nodes, define the experimental-encryption-provider-config experimental-encryption-provider-config in the /etc/origin/master/master-config.yaml file."

-> "experimental-encryption-provider-config" is repeated

10.2 Lab: Securing Single Container Applications and 10.3 Lab: Securing Multiple Container Applications

-> Those 2 comprehensive review labs'solutions are not hidden, as previously mentioned here.

10.2 Lab: Securing Single Container Applications

"The jrdevs group has the edit and jruser1 users as members of that group. The password for jruser1 is redhat."

-> 'edit' is actually not an user but a role

-> Both the solution and the grading script refer to a jrdev1 user instead of jruser1

"create an Apache HTTP Server pod named testhttpd [...]  Leave the testhttpd pod running..."

-> testhttp (not testhttpd) is the name used in all the rest of the course and in the grading script

"Application pods run with resource limits set to 200 millicores of CPU and 384 Mi of memory."

-> Such limits can only be set to containers, not to pods ; both the lab solution and the grading script rely on 'type=Container' for those limits

"Deploy the compreview-singe/customapp container image from Quay"

-> "compreview-single/customapp"

At section 2.6:

"You should see a subdirectory named from the httpd-24-rhel7 image."

-> It's actually named compreview-single

At section 6.1:

    requests.cpu: "1000m"
    requests.memory: "1536Mi"

-> Such global requests quotas for the project are not requested by the lab instructions and not checked by the grading script either

Sections 7.10 to 7.17 erroneously repeat section 7.2 to 7.8.

The whole section 9 erroneously repeats section 8.

10.3 Lab: Securing Multiple Container Applications

"Access Jenkins at htps://jenkins-cicd.apps.lab.example.com and log in to Jenkins as the developer user from OpenShift."

-> https

"Deploy the egress router pod using the egress-router-pod.yaml file [...]

Edit these files as required to provide access to the external database [...]

The stage environment accesses an external MariaDB database server on the services VM to best mimic the production environment for load testing. [...]"

-> The third (introductory) stanza should be put first here

"To allow secure storage access from compreview-multiple-dev and other development projects, create the devdb-scc security context constraint. This SCC allows containers to run with the GID range from 10000 to 20000."

-> A runAsAny policy (with appropriate range) matches the requirement, but the grading script erroneously expects a mustRunAs policy

Tags (4)
15 Replies
Highlighted
Moderator
Moderator
  • 1,243 Views

Re: [DO425] Typos, errors and bugs

Hi @littlebigfab ,

Thank you for sharing your valuable feedback and bringing this to our notice.

I will ensure that they reach the team to take appropiate action.

Your valuable contribution to making the course better is really appreciated.

You may as well raise support request with the Learner Experience team and send such feedbacks or any issues you are facing while doing the courses.

Regards,

Ashish Lingayat

0 Kudos
Reply
Loading...
Highlighted
Moderator
Moderator
  • 1,231 Views

Re: [DO425] Typos, errors and bugs

I echo @Ashish_Lingayat  - this is really helpful, and will help us to improve the quality of our courses. Smiley Happy 

 

Reply
Loading...
Highlighted
  • 768 Views

Re: [DO425] Typos, errors and bugs

The Comprehensive review (chapter 10) - Lab: Securing Single Container Applications solution is actually not working - it seems like there is a problem with the CA certificate for Quay Enterprise:

  1. The folder /etc/docker/certs.d/quay.apps.lab.example.com/ already exists on all of the nodes and contains the correct ca.crt (the exact copy of /etc/pki/CA/cacert.pem from Workstation)
  2. When you follow the solution TO THE DOT (i tried 3 times - while resetting all the machines in the lab), you won't get pass step 4.4:

oc new-app --name=test --docker-image quay.apps.lab.example.com/compreview-single/customapp

Error:

[W0106 14:33:18.789889 6098 dockerimagelookup.go:233] Docker registry lookup failed: Get https://quay.apps.lab.example.com/v2/: x509: certificate signed by unknown authority

LUCIAN MALY, RHCA
SENIOR CONSULTANT, CUSTOMER SOLUTIONS GROUP
Red Hat Asia-Pacific Pty Ltd | http://people.redhat.com/lmaly
Level 35, 100 Miller Street
North Sydney, NSW 2060, Australia
0 Kudos
Reply
Loading...
Highlighted
Flight Engineer Flight Engineer
Flight Engineer
  • 737 Views

Re: [DO425] Typos, errors and bugs

I have the same problem... podman on node downloads image fine  from quay.

I suppose master api has a problem to validate cert as quay is exposiong externally (passtrough route)  certificate with it's internal URL ( quay...svc.cluster.local) not matching  HTTP request from master api

0 Kudos
Reply
Loading...
Highlighted
Flight Engineer
Flight Engineer
  • 705 Views

Re: [DO425] Typos, errors and bugs

Hey, @LucianMaly, @Jacek,

This is a fairly recent issue, it crept into the materials during the last update of the course.

The root cause for this is that there is a reference to an additional CA file in the ImageImportPolicy section of master-config.yaml, attribute AdditionalTrustedCA.

There are two possible solutions:

  1. remove the AdditionalTrustedCA attribute and restart the controllers
  2. append the Quay CA cert to that file and restart the controllers

Hope this helped.

Cheers,
Grega

A black cat crossing the street signifies that the animal is going somewhere.
[don't forget to kudo a helpful post or mark it as a solution!]
Reply
Loading...
Highlighted
Flight Engineer Flight Engineer
Flight Engineer
  • 689 Views

Re: [DO425] Typos, errors and bugs

Hey Grega,

added quay CA to additional_ca.crt ;  master-restart api  and all works fine.
thanks for quick response !

regards
jacek

Reply
Loading...
Highlighted
Moderator
Moderator
  • 679 Views

Re: [DO425] Typos, errors and bugs

Thanks for reporting this issue. I'll file a defect for that.

Reply
Loading...
Highlighted
Flight Engineer
Flight Engineer
  • 665 Views

Re: [DO425] Typos, errors and bugs

Hey, @Razique,

I've got another couple of minor ones for the latest release - I'll use the next week's delivery as an opportunity to gather the technical information needed for the tickets. I can add the AdditionalTrustedCA one for you as well if you want.

Cheers,
Grega

A black cat crossing the street signifies that the animal is going somewhere.
[don't forget to kudo a helpful post or mark it as a solution!]
0 Kudos
Reply
Loading...
Highlighted
  • 655 Views

Re: [DO425] Typos, errors and bugs

I have sent you feedback to certification@redhat.com after the exam i took today. It is related to this thread as well.

LUCIAN MALY, RHCA
SENIOR CONSULTANT, CUSTOMER SOLUTIONS GROUP
Red Hat Asia-Pacific Pty Ltd | http://people.redhat.com/lmaly
Level 35, 100 Miller Street
North Sydney, NSW 2060, Australia
0 Kudos
Reply
Loading...
Join the discussion
You must log in to join this conversation.