Using JBoss EAP on OpenShift Container Platform
Guide to developing with Red Hat JBoss Enterprise Application Platform for OpenShift
Abstract
Providing feedback on Red Hat documentation
We appreciate your feedback on our documentation. To provide feedback, you can highlight the text in a document and add comments. Follow the steps in the procedure to learn about submitting feedback on Red Hat documentation.
Prerequisites
- Log in to the Red Hat Customer Portal.
- In the Red Hat Customer Portal, view the document in Multi-page HTML format.
Procedure
Click Feedback to see existing reader comments.
NoteThe feedback feature is enabled only in the Multi-page HTML format.
- Highlight the section of the document where you want to provide feedback.
In the prompt menu that displays near the text you selected, click Add Feedback.
A text box opens in the feedback section on the right side of the page.
Enter your feedback in the text box and click Submit.
You have created a documentation issue.
- To view the issue, click the issue tracker link in the feedback view.
- Highlight the section of the document where you want to provide feedback.
In the prompt menu that displays near the text you selected, click Add Feedback.
A text box opens in the feedback section on the right side of the page.
Enter your feedback in the text box and click Submit.
You have created a documentation issue.
- To view the issue, click the issue tracker link in the feedback view.
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Chapter 1. What is Red Hat JBoss Enterprise Application Platform
Red Hat JBoss Enterprise Application Platform 8.0 Beta (JBoss EAP) is a middleware platform built on open standards and compliant with the Jakarta EE 10 specification. It provides preconfigured options for features such as high-availability clustering, messaging, and distributed caching. It includes a modular structure that allows you to enable services only when required, which results in improved startup speed.
The web-based management console and management command line interface (CLI) make editing XML configuration files unnecessary and add the ability to script and automate tasks. In addition, JBoss EAP includes APIs and development frameworks that allow you to quickly develop, deploy, and run secure and scalable Jakarta EE applications. JBoss EAP 8.0 Beta is a Jakarta EE 10 compatible implementation for both Web Profile and Full Platform specifications.
1.1. How does JBoss EAP work on OpenShift?
Red Hat offers container images to build and run application images with JBoss EAP on OpenShift.
Red Hat no longer offers images that contain JBoss EAP.
1.2. Comparison: JBoss EAP and JBoss EAP for OpenShift
There are some notable differences when comparing the JBoss EAP product with the JBoss EAP for OpenShift image. The following table describes these differences and notes which features are included or supported in the current version of JBoss EAP for OpenShift.
JBoss EAP Feature | Status in JBoss EAP for OpenShift | Description |
---|---|---|
JBoss EAP management console | Not included | The JBoss EAP management console is not included in this release of JBoss EAP for OpenShift. |
JBoss EAP management CLI | Not recommended | The JBoss EAP management CLI is not recommended for use with JBoss EAP running in a containerized environment. Any configuration changes made using the management CLI in a running container will be lost when the container restarts. The management CLI is accessible from within a pod for troubleshooting purposes. |
Managed domain | Not supported | Although a JBoss EAP managed domain is not supported, creation and distribution of applications are managed in the containers on OpenShift. |
Default root page | Disabled |
The default root page is disabled, but you can deploy your own application to the root context as |
Remote messaging | Supported | Red Hat AMQ for inter-pod and remote messaging is supported. ActiveMQ Artemis is only supported for messaging within a single pod with JBoss EAP instances and is only enabled when Red Hat AMQ is absent. |
Transaction recovery | Supported | The EAP operator is the only tested and supported option of transaction recovery in OpenShift 4. For more information about recovering transactions using the EAP operator, see EAP Operator for Safe Transaction Recovery. |
1.3. Version compatibility and support
JBoss EAP for OpenShift provides images for OpenJDK 11 and OpenJDK 17.
Two variants of each image are available: an S2I builder image and a runtime image. The S2I Builder image contains all the required tools that will enable you provision a complete JBoss EAP Server during S2I build. The runtime image contains dependencies needed to run JBoss EAP but does not contain a server. The server is installed in the runtime image during a chained build.
The following modifications were applied to the images in JBoss EAP 8.0 Beta for OpenShift.
- S2I builder image does not contain an installed JBoss EAP server and installs the JBoss EAP 8.0 Beta server during S2I build.
-
Configure the eap-maven-plugin in the application
pom
file during S2I build. -
Use existing JBoss EAP 7.4 application without any changes by setting
GALLEON_PROVISION_FEATURE_PACKS
,GALLEON_PROVISION_LAYERS
, andGALLEON_PROVISION_CHANNELS
environment variables during S2I build. The JBoss EAP provisioned server during S2I build contains a
standalone.xml
server configuration file customized for OpenShift.ImportantThe sever contains a
standalone.xml
configuration file, not thestandalone-openshift.xml
configuration file that was used with JBoss EAP 7.4.-
Inside the image,
JBOSS_HOME
value is/opt/server
. The value ofJBOSS_HOME
was/opt/eap
for JBoss EAP 7.4. -
Jolokia agent
is no longer present in the image. -
Prometheus agent
is not installed. -
Python probes
are no more present. -
SSO
adapters are no longer present in the image. -
activemq.rar
is no more present.
The following discovery mechanism protocols were deprecated and are replaced by other protocols:
-
The
openshift.DNS_PING
protocol was deprecated and is replaced with thedns.DNS_PING
protocol. If you referenced theopenshift.DNS_PING
protocol in acustomized standalone.xml
file, replace the protocol with thedns.DNS_PING
protocol. -
The
openshift.KUBE_PING
discovery mechanism protocol was deprecated and is replaced with thekubernetes.KUBE_PING
protocol.
1.3.1. OpenShift 4.x support
Changes in OpenShift 4.1 affect access to Jolokia, and the Open Java Console is no longer available in the OpenShift 4.x web console.
In previous releases of OpenShift, certain kube-apiserver proxied requests were authenticated and passed through to the cluster. This behavior is now considered insecure, and so, accessing Jolokia in this manner is no longer supported.
Due to changes in codebase for the OpenShift console, the link to the Open Java Console is no longer available.
1.3.2. IBM Z Support
The s390x variant of libartemis-native
is not included in the image. Thus, any settings related to AIO will not be taken into account.
-
journal-type
: Setting thejournal-type
toASYNCIO
has no effect. The value of this attribute defaults toNIO
at runtime. -
journal-max-io
: This attribute has no effect. -
journal-store-enable-async-io
: This attribute has no effect.
1.3.2.1. Upgrades from JBoss EAP 7.4 to JBoss EAP 8.0 on OpenShift
The file standalone.xml
installed with JBoss EAP 7.4 on OpenShift is not compatible with JBoss EAP 8.0 and later. You must modify and rename the file to standalone.xml
before starting a JBoss EAP 8.0 or later container for OpenShift.
1.3.3. Deployment options
You can deploy the JBoss EAP Java applications on OpenShift using the EAP operator, a JBoss EAP-specific controller that extends the OpenShift API to create, configure, and manage instances of complex stateful applications on behalf of an OpenShift user.
Additional resources
- For more information about the EAP operator, see EAP Operator for Automating Application Deployment on OpenShift.
Chapter 2. Building and running JBoss EAP applications on OpenShift Container Platform
You can follow the source-to-image (S2I) process to build and run a Java application on the JBoss EAP for OpenShift image.
2.1. Prerequisites
- You have an OpenShift instance installed and operational.
2.2. Preparing OpenShift to deploy an application
As a JBoss EAP application developer, you can deploy your applications on OpenShift. In the following example, note that the kitchensink
quickstart demonstrates a Jakarta EE web-enabled database application using Jakarta Server Faces, Jakarta Contexts and Dependency Injection, Jakarta Enterprise Beans, Jakarta Persistence, and Jakarta Bean Validation. See the JBoss EAP 8-beta kitchensink
quickstart for more information. Deploy your application by following the procedures below.
Procedure
-
Log in to your OpenShift instance using the
oc login
command. Create a project in OpenShift.
Create a project using the following command. With a project, you can organize and manage content separately from other groups.
$ oc new-project <project_name>
For example, for the
kitchensink
quickstart, create a project namedeap-demo
using the following command:$ oc new-project eap-demo
Optional: Create a keystore and a secret.
NoteYou must create a keystore and a secret if you use any HTTPS-enabled features in your OpenShift project; for example, the
eap74-https-s2i
template. The kitchensink quickstart example does not use an HTTPS template, so it doesn’t require a keystore and secret.Use the Java
keytool
command to generate a keystore:WarningThe following commands generate a self-signed certificate, but for production environments, use your own SSL certificate from a verified certificate authority (CA) for SSL-encrypted connections (HTTPS).
$ keytool -genkey -keyalg RSA -alias <alias_name> -keystore <keystore_filename.jks> -validity 360 -keysize 2048
For example, for the
kitchensink
quickstart, use the following command to generate a keystore:$ keytool -genkey -keyalg RSA -alias eapdemo-selfsigned -keystore keystore.jks -validity 360 -keysize 2048
Use the following command to create a secret from your new keystore:
$ oc create secret generic <secret_name> --from-file=<keystore_filename.jks>
For example, for the
kitchensink
quickstart, use the following command to create a secret:$ oc create secret generic eap-app-secret --from-file=keystore.jks
2.3. Configure authentication to the Red Hat Container Registry
Before you can import and use the JBoss EAP for OpenShift image, you must first configure authentication to the Red Hat Container Registry.
Red Hat recommends that you create an authentication token using a registry service account to configure access to the Red Hat Container Registry. This means that you don’t have to use or store your Red Hat account’s username and password in your OpenShift configuration.
Procedure
- Follow the instructions on Red Hat Customer Portal to create an authentication token using a registry service account.
- Download the YAML file containing the OpenShift secret for the token. You can download the YAML file from the OpenShift Secret tab on your token’s Token Information page.
Create the authentication token secret for your OpenShift project using the YAML file that you downloaded:
oc create -f 1234567_myserviceaccount-secret.yaml
Configure the secret for your OpenShift project using the following commands, replacing the secret name in the example with the name of your secret created in the previous step.
oc secrets link default 1234567-myserviceaccount-pull-secret --for=pull oc secrets link builder 1234567-myserviceaccount-pull-secret --for=pull
If your OCP cluster is managed by Red Hat, For example, dev-sandbox
the authentication secret is setup automatically.
See the OpenShift documentation for more information on other methods for configuring access to secured registries.
See the Red Hat Customer Portal for more information on configuring authentication to the Red Hat Container Registry.
2.4. Building application images using source-to-image in OpenShift
Follow the source-to-image (S2I) workflow to build reproducible container images for a JBoss EAP application. These generated container images include the application deployment and ready-to-run JBoss EAP servers.
The S2I workflow takes source code from a Git repository and injects it into a container that’s based on the language and framework you want to use. After the S2I workflow is completed, the src
code is compiled, the application is packaged and is deployed to the JBoss EAP server.
For more information, see Legacy server provisioning for JBoss EAP S2I.
In JBoss EAP, you can use S2I images only if you develop your application using Jakarta EE 10.
Prerequisites
- You have an active Red Hat customer account.
- You have a Registry Service Account. Follow the instructions on the Red Hat Customer Portal to create an authentication token using a registry service account.
- You have downloaded the OpenShift secret YAML file, which you can use to pull images from Red Hat Ecosystem Catalog. For more information, see OpenShift Secret.
-
You used the
oc login
command to log in to OpenShift. - You have installed Helm. For more information, see Installing Helm.
You have installed the repository for the JBoss EAP Helm charts by entering this command in the management CLI:
$ helm repo add jboss-eap https://jbossas.github.io/eap-charts/
Procedure
Create a file named
helm.yaml
using the following YAML content:build: url: https://github.com/jboss-developer/jboss-eap-quickstarts.git ref: EAP_8.0.0.Beta contextDir: helloworld deploy: replicas: 1
Use the following command to deploy your JBoss EAP application on OpenShift.
$ helm install helloworld -f helm.yaml jboss-eap/eap8
Verification
Access the application using
curl
.$ curl https://$(oc get route helloworld --template='{{ .spec.host }}')/HelloWorld
You get the output
Hello World!
confirming that the application is deployed.
2.5. Using OpenID Connect to secure JBoss EAP applications on OpenShift
Use the JBoss EAP native OpenID Connect (OIDC) client to delegate authentication using an external OpenID provider. OIDC is an identity layer that enables clients, such as JBoss EAP, to verify a user’s identity based on the authentication performed by an OpenID provider.
The elytron-oidc-client
subsystem and elytron-oidc-client
Galleon layer provides a native OIDC client in JBoss EAP to connect with OpenID providers. JBoss EAP automatically creates a virtual security domain for your application, based on your OpenID provider configurations.
You can configure the elytron-oidc-client
subsystem in three different ways:
-
Adding an
oidc.json
into your deployment. -
Running a CLI script to configure the
elytron-oidc-client
subsystem. -
Defining environment variables to configure an
elytron-oidc-client
subsystem on start of JBoss EAP server on OpenShift.
This procedure explains how you can configure an elytron-oidc-client
subsystem using the environment variables to secure application with OIDC.
2.5.1. OpenID Connect configuration in JBoss EAP
When you secure your applications using an OpenID provider, you do not need to configure any security domain resources locally. The elytron-oidc-client
subsystem provides a native OpenID Connect (OIDC) client in JBoss EAP to connect with OpenID providers. JBoss EAP automatically creates a virtual security domain for your application, based on your OpenID provider configurations.
Use the OIDC client with Red Hat Single Sign-On. You can use other OpenID providers if they can be configured to use access tokens that are JSON Web Tokens (JWTs) and can be configured to use the RS256, RS384, RS512, ES256, ES384, or ES512 signature algorithm.
To enable the use of OIDC, you can configure either the elytron-oidc-client
subsystem or an application itself. JBoss EAP activates the OIDC authentication as follows:
-
When you deploy an application to JBoss EAP, the
elytron-oidc-client
subsystem scans the deployment to detect if the OIDC authentication mechanism is required. -
If the subsystem detects OIDC configuration for the deployment in either the
elytron-oidc-client
subsystem or the application deployment descriptor, JBoss EAP enables the OIDC authentication mechanism for the application. -
If the subsystem detects OIDC configuration in both places, the configuration in the
elytron-oidc-client
subsystemsecure-deployment
attribute takes precedence over the configuration in the application deployment descriptor.
2.5.2. Creating an application secured with OpenID Connect
For creating a web-application, create a Maven project with the required dependencies and the directory structure. Create a web application containing a servlet that returns the user name obtained from the logged-in user’s principal and attributes. If there is no logged-in user, the servlet returns the text "NO AUTHENTICATED USER".
Prerequisites
- You have installed Maven. For more information, see Downloading Apache Maven.
Procedure
Set up a Maven project using the
mvn
command. The command creates the directory structure for the project and thepom.xml
configuration file.Syntax
$ mvn archetype:generate \ -DgroupId=${group-to-which-your-application-belongs} \ -DartifactId=${name-of-your-application} \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=false
Example
$ mvn archetype:generate \ -DgroupId=com.example.app \ -DartifactId=simple-webapp-example \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=false
Navigate to the application root directory:
Syntax
$ cd <name-of-your-application>
Example
$ cd simple-webapp-example
Replace the content of the generated
pom.xml
file with the following text:<?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>com.example.app</groupId> <artifactId>simple-webapp-example</artifactId> <version>1.0-SNAPSHOT</version> <packaging>war</packaging> <name>simple-webapp-example Maven Webapp</name> <!-- FIXME change it to the project's website --> <url>http://www.example.com</url> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <version.maven.war.plugin>3.3.2</version.maven.war.plugin> <version.eap.plugin>1.0.0.Beta-redhat-00001</version.eap.plugin> </properties> <repositories> <repository> <id>jboss</id> <url>https://maven.repository.redhat.com/earlyaccess/all/</url> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>jboss</id> <url>https://maven.repository.redhat.com/earlyaccess/all/</url> <snapshots> <enabled>false</enabled> </snapshots> </pluginRepository> </pluginRepositories> <dependencies> <dependency> <groupId>jakarta.servlet</groupId> <artifactId>jakarta.servlet-api</artifactId> <version>6.0.0</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.wildfly.security</groupId> <artifactId>wildfly-elytron-auth-server</artifactId> <version>1.19.0.Final</version> </dependency> </dependencies> <build> <finalName>${project.artifactId}</finalName> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-war-plugin</artifactId> <version>${version.maven.war.plugin}</version> </plugin> <plugin> <groupId>org.jboss.eap.plugins</groupId> <artifactId>eap-maven-plugin</artifactId> <version>${version.eap.plugin}</version> <configuration> <channels> <channel> <groupId>org.jboss.eap.channels</groupId> <artifactId>eap-8.0-beta</artifactId> </channel> </channels> <feature-packs> <feature-pack> <location>org.jboss.eap:wildfly-ee-galleon-pack</location> </feature-pack> <feature-pack> <location>org.jboss.eap.cloud:eap-cloud-galleon-pack</location> </feature-pack> </feature-packs> <layers> <layer>cloud-server</layer> <layer>elytron-oidc-client</layer> </layers> <galleon-options> <jboss-fork-embedded>true</jboss-fork-embedded> </galleon-options> </configuration> <executions> <execution> <goals> <goal>package</goal> </goals> </execution> </executions> </plugin> </plugins> </build> </project>
Create a directory to store the Java files.
Syntax
$ mkdir -p src/main/java/<path_based_on_artifactID>
Example
$ mkdir -p src/main/java/com/example/app
Navigate to the new directory.
Syntax
$ cd src/main/java/<path_based_on_artifactID>
Example
$ cd src/main/java/com/example/app
Create a file
SecuredServlet.java
with the following content:package com.example.app; import java.io.IOException; import java.io.PrintWriter; import java.security.Principal; import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; import java.util.List; import java.util.Set; import jakarta.servlet.ServletException; import jakarta.servlet.annotation.WebServlet; import jakarta.servlet.http.HttpServlet; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import org.wildfly.security.auth.server.SecurityDomain; import org.wildfly.security.auth.server.SecurityIdentity; import org.wildfly.security.authz.Attributes; import org.wildfly.security.authz.Attributes.Entry; /** * A simple secured HTTP servlet. It returns the user name and * attributes obtained from the logged-in user's Principal. If * there is no logged-in user, it returns the text * "NO AUTHENTICATED USER". */ @WebServlet("/secured") public class SecuredServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { try (PrintWriter writer = resp.getWriter()) { Principal user = req.getUserPrincipal(); SecurityIdentity identity = SecurityDomain.getCurrent().getCurrentSecurityIdentity(); Attributes identityAttributes = identity.getAttributes(); Set <String> keys = identityAttributes.keySet(); String attributes = "<ul>"; for (String attr : keys) { attributes += "<li> " + attr + " : " + identityAttributes.get(attr).toString() + "</li>"; } attributes+="</ul>"; writer.println("<html>"); writer.println(" <head><title>Secured Servlet</title></head>"); writer.println(" <body>"); writer.println(" <h1>Secured Servlet</h1>"); writer.println(" <p>"); writer.print(" Current Principal '"); writer.print(user != null ? user.getName() : "NO AUTHENTICATED USER"); writer.print("'"); writer.print(user != null ? "\n" + attributes : ""); writer.println(" </p>"); writer.println(" </body>"); writer.println("</html>"); } } }
Configure the application’s
web.xml
to protect the application resources.Example
<?xml version="1.0" encoding="UTF-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" metadata-complete="false"> <security-constraint> <web-resource-collection> <web-resource-name>secured</web-resource-name> <url-pattern>/secured</url-pattern> </web-resource-collection> <auth-constraint> <role-name>Users</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>OIDC</auth-method> </login-config> <security-role> <role-name>*</role-name> </security-role> </web-app>
In this example, only the users with the role
Users
can access the application.
2.5.3. Deploying the application on OpenShift
As a JBoss EAP application developer, you can deploy your applications on OpenShift that uses the OpenID Connect subsystem and integrate it with a Red Hat Single Sign-On server. Deploy your application by following the procedures below.
Prerequisites
You have configured the Red Hat Single Sign-On server in your OpenShift with the following configuration. For more information, see Red Hat Single Sign-On Operator.
- Create a realm called JBossEAP.
- Create a user called demo.
- Set a password for the user called demo. Toggle Temporary to OFF and click Set Password. In the confirmation prompt, click Set password.
- Create a role called Users.
- Assign the role Users to the user demo.
- In the Client Roles field, select the realm-management you configured for JBoss EAP.
- Assign the role create-client to the client realm-management.
Procedure
- Deploy your application code to Git Repository.
Create a secret containing the OIDC configuration.
Create a file named
oidc-secret.yaml
using the following content:apiVersion: v1 kind: Secret metadata: name: oidc-secret type: Opaque stringData: OIDC_PROVIDER_NAME: rh-sso OIDC_USER_NAME: demo OIDC_USER_PASSWORD: demo OIDC_SECURE_DEPLOYMENT_SECRET: mysecret
Use the following command to create a secret:
$ oc apply -f oidc-secret.yaml
Create a file named
helm.yaml
using the following content:build: uri: [URL TO YOUR GIT REPOSITORY] deploy: envFrom: - secretRef: name: oidc-secret
Deploy the example application using JBoss EAP Helm charts:
$ helm install eap-oidc-test-app -f helm.yaml jboss-eap/eap8
Add the environment variables to the
oidc-secret.yaml
file to configure the OIDC provider URL and application hostname.yaml stringData: ... OIDC_HOSTNAME_HTTPS: <host of the application> OIDC_PROVIDER_URL: https://<host of the SSO provider>/auths/realms/JBossEAP
The value for
OIDC_HOSTNAME_HTTPS
corresponds to the following output:echo $(oc get route eap-oidc-test-app --template='{{ .spec.host }}')
The value for
OIDC_PROVIDER_URL
corresponds to the following output:echo https://$(oc get route sso --template='{{ .spec.host }}')/auth/realms/JBossEAP
A route discovery attempt is made if
OIDC_HOSTNAME_HTTP(S)
is not set. To enable route discovery, the OpenShift user must be able to list theroute
resources. For example, to create and associate therouteview
role with theview
user, use the followingoc
command:$ oc create role <role-name> --verb=list --resource=route $ oc adm policy add-role-to-user <role-name> <user-name> --role-namespace=<your namespace>
-
Update the secret with
oc apply -f oidc-secret.yaml
. Deploy the application again to ensure OpenShift uses the new environment variables:
$ oc rollout restart deploy eap-oidc-test-app
Verification
In your browser, navigate to
https://<eap-oidc-test-app route>/
.You will be redirected to Red Hat Single Sign-On login page.
- Access the secured servlet.
Log in with the following credentials:
username: demo password: demo
A page appears that contains the Principal ID.
Additional resources
2.5.4. Environment variable based configuration
Use these environment variables to configure JBoss EAP OIDC support on OpenShift image.
Environment variable | Legacy SSO environment variable | Description | Required | Default Value |
---|---|---|---|---|
OIDC_PROVIDER_NAME |
NONE. When |
You must set to | Yes | |
OIDC_PROVIDER_URL |
| The URL of the provider. | Yes | |
OIDC_USER_NAME | SSO_USERNAME | Dynamic client registration requires the username to receive a token. | Yes | |
OIDC_USER_PASSWORD | SSO_PASSWORD | Dynamic client registration requires the user password to receive a token. | Yes | |
OIDC_SECURE_DEPLOYMENT_SECRET | SSO_SECRET | It is known to both the secure-deployment subsystem and the authentication server client. | No | |
OIDC_SECURE_DEPLOYMENT_PRINCIPAL_ATTRIBUTE | SSO_PRINCIPAL_ATTRIBUTE | Configure the value of the principal name. | No |
Defaults to Typical value: preferred_username. |
OIDC_SECURE_DEPLOYMENT_ENABLE_CORS | SSO_ENABLE_CORS | Enable CORS for Single Sign-On applications. | No |
Defaults to |
OIDC_SECURE_DEPLOYMENT_BEARER_ONLY | SSO_BEARER_ONLY | Deployment that accepts only bearer token and does not support logging. | No |
Defaults to |
OIDC_PROVIDER_SSL_REQUIRED | NONE | Defaults to external, such as private and local address, but does not support https. | No | External |
OIDC_PROVIDER_TRUSTSTORE | SSO_TRUSTSTORE |
Specify the realm | No | |
OIDC_PROVIDER_TRUSTSTORE_DIR | SSO_TRUSTSTORE_DIR |
Directory to find the realm | No | |
OIDC_PROVIDER_TRUSTSTORE_PASSWORD | SSO_TRUSTSTORE_PASSWORD |
Specify the realm | No | |
OIDC_PROVIDER_TRUSTSTORE_CERTIFICATE_ALIAS | SSO_TRUSTSTORE_CERTIFICATE_ALIAS |
Specify the realm | No | |
OIDC_DISABLE_SSL_CERTIFICATE_VALIDATION | SSO_DISABLE_SSL_CERTIFICATE_VALIDATION | Disable certificate validation when interacting with the authentication server to register a client. | No | |
OIDC_HOSTNAME_HTTP | HOSTNAME_HTTP | Hostname used for unsecure routes. | No | Routes are discovered. |
OIDC_HOSTNAME_HTTPS | HOSTNAME_HTTPS | Hostname used for secured routes. | No | Secured routes are discovered. |
NONE | SSO_PUBLIC_KEY | Public key of the Single Sign-On realm. This option is not used, public key is automatically retrieved by the OIDC subsystem. | No | If set, a warning is displayed that this option is being ignored. |
2.6. Additional resources
Chapter 3. Environment variables and model expression resolution
3.1. Prerequisites
- You have some basic knowledge of how to configure environment variables on an operating system.
For configuring environment variables on the OpenShift Container Platform, you must meet the following prerequisites:
- You have already installed OpenShift and set up the OpenShift CLI ("oc"). For more information about the oc, see Getting Started with the OpenShift CLI.
- You have deployed your application to OpenShift using a Helm chart. For more information about Helm charts, see Helm Charts for JBoss EAP.
3.2. Environment variables for resolving management model expressions
To resolve management model expressions and to start your JBoss EAP 8.0 Beta server on the OpenShift Container Platform, you can either add environment variables or set Java system properties in the management command-line interface (CLI). If you use both, JBoss EAP observes and uses the Java system property rather than the environment variable to resolve the management model expression.
System property to environment variable mapping
Imagine that you have this management expression: ${my.example-expr}
. When your JBoss EAP server tries to resolve it, it checks for a system property named my.example-expr
.
- If your server finds this property, it uses its value to resolve the expression.
- If it doesn’t find this property, your server continues searching.
Next, assuming that your server does not find system property my.example-expr
, it automatically changes my.example-expr
to all uppercase letters and replaces all characters that aren’t alphanumeric with underscores (_): MY_EXAMPLE_EXPR
. JBoss EAP then checks for an environment variable with that name.
- If your server finds this variable, it uses its value to resolve the expression.
- If it doesn’t find this variable, your server continues searching.
If your original expression starts with the prefix env.
, JBoss EAP resolves the environment variable by removing the prefix, then looking for only the environment variable name. For example, for the expression env.example
, JBoss EAP looks for an example
environment variable.
If none of these checks finds a property or variable to resolve your original expression, JBoss EAP looks for whether the expression has a default value. If it does, that default value resolves the expression. If not, then JBoss EAP can’t resolve the expression.
Example with two servers
Suppose that, on one server, JBoss EAP defines this management resource: <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
. To run a second server with a different port offset, instead of editing the configuration file, do one of the following:
-
Set the
jboss.socket.binding.port-offset
Java system property to resolve the value on the second server:./standalone.sh -Djboss.socket.binding.port-offset=100
. -
Set the
JBOSS_SOCKET_BINDING_PORT_OFFSET
environment variable to resolve the value on the second server:JBOSS_SOCKET_BINDING_PORT_OFFSET=100 ./standalone.sh
.
3.3. Configuring environment variables on the OpenShift Container Platform
With JBoss EAP 8.0 Beta, you can configure environment variables to resolve management model expressions. You can also use environment variables to adapt the configuration of the JBoss EAP server you’re running on OpenShift.
Set environment variables and options on a resource that uses a pod template:
$ oc set env <object-selection> KEY_1=VAL_1 ... KEY_N=VAL_N [<set-env-options>] [<common-options>]
Option | Description |
---|---|
| Set given key-value pairs of environment variables. |
| Confirm update of existing environment variables. |
Kubernetes workload resources that use pod templates include the following:
-
Deployment
-
ReplicaSet
-
StatefulSet
-
DaemonSet
-
Job
-
CronJob
After you configure your environment variables, the JBoss EAP management console should display them in the details for their related pods.
Additional resources
3.4. Overriding management attributes with environment variables
You know that you can use a Java system property or an environment variable to resolve a management attribute that’s defined with an expression, but you can also modify other attributes, even if they don’t use expressions.
To more easily adapt your JBoss EAP server configuration to your server environment, you can use an environment variable to override the value of any management attribute, without ever having to edit your configuration file. This feature, which is available starting with the JBoss EAP version 8.0, is useful for the following reasons:
- JBoss EAP provides expressions for only its most common management attributes. Now, you can change the value of an attribute that has no defined expression.
- Some management attributes connect your JBoss EAP server with other services, such as a database, whose values you can’t know in advance, or whose values you can’t store in a configuration; for example, in database credentials. By using environment variables, you can defer the configuration of such attributes while your JBoss EAP server is running.
This feature is enabled by default, starting with JBoss EAP version 8.0 OpenShift runtime image. To enable it on other platforms, you must set the WILDFLY_OVERRIDING_ENV_VARS
environment variable to any value; for example, export WILDFLY_OVERRIDING_ENV_VARS=1
.
You can’t override management attributes whose type
is LIST
, OBJECT
, or PROPERTY
.
Prerequisites
- You must have defined a management attribute that you now want to override.
Procedure
To override a management attribute with an environment variable, complete the following steps:
-
Identify the path of the resource and attribute you want to change. For example, set the value of the
proxy-address-forwarding
attribute totrue
for the resource/subsystem=undertow/server=default-server/http-listener=default
. Create the name of the environment variable to override this attribute by mapping the resource address and the management attribute, as follows:
-
Remove the first slash (
/
) from the resource address:/subsystem=undertow/server=default-server/http-listener=default
becomessubsystem=undertow/server=default-server/http-listener=default
. -
Append two underscores (__) and the name of the attribute; for example:
subsystem=undertow/server=default-server/http-listener=default__proxy-address-forwarding
. -
Replace all non-alphanumeric characters with an underscore (_), and put the entire line of code in all capital letters:
SUBSYSTEM_UNDERTOW_SERVER_DEFAULT_SERVER_HTTP_LISTENER_DEFAULT__PROXY_ADDRESS_FORWARDING
.
-
Remove the first slash (
-
Set the environment value:
SUBSYSTEM_UNDERTOW_SERVER_DEFAULT_SERVER_HTTP_LISTENER_DEFAULT__PROXY_ADDRESS_FORWARDING=true
.
These values are examples that you must replace with your actual configuration values.
3.5. Provisioning a JBoss EAP server using the Maven plug-in
Using JBoss EAP Maven plug-in, you can configure a server according to your requirements by including only those Galleon layers that provide the capabilities that you need, in your server.
3.5.1. JBoss EAP Maven plug-in
The JBoss EAP Maven plug-in uses Galleon trimming capability to reduce the size and memory footprint of the server. The JBoss EAP Maven plug-in supports the execution of JBoss EAP CLI script files to customize your server configuration. A CLI script includes a list of CLI commands for configuring the server.
You can retrieve the latest Maven plug-in version from the Maven repository, which is available at Index of /ga/org/jboss/eap/plugins/eap-maven-plugin. In a Maven project, the pom.xml
file contains the configuration of the JBoss EAP Maven plug-in.
The JBoss EAP Maven plug-in provisions the server and deploys the packaged application, such as WAR, to the provisioned server during the Maven execution. The provisioned server on which your application is deployed is located in target/server
directory. The JBoss EAP Maven plug-in also provides the following functionality:
The server in target/server
is not supported and is available only for debugging or development purposes.
-
Uses the
org.jboss.eap:wildfly-ee-galleon-pack
andorg.jboss.eap.cloud:eap-cloud-galleon-pack
Galleonfeature-pack
and some of its layers for customizing the server configuration file. - Applies CLI script commands to the server.
-
Supports the addition of extra files into the server installation, such as a
keystore
file.
3.5.2. Creating a Jakarta EE 10 application with the Maven
Create an application that prints “Hello World!” when you access it.
Prerequisites
- You have installed JDK 11 or JDK 17.
- You have installed the Maven 3.6 or later version. For more information, see Downloading Apache Maven.
Procedure
Set up the Maven project.
$ mvn archetype:generate \ -DgroupId=GROUP_ID \ -DartifactId=ARTIFACT_ID \ -DarchetypeGroupId=org.apache.maven.archetypes \ -DarchetypeArtifactId=maven-archetype-webapp \ -DinteractiveMode=false
Where GROUP_ID is the
groupId
of your project and ARTIFACT_ID is theartifactId
of your project.To configure the Maven to automatically manage versions for the Jakarta EE artifacts in the
jboss-eap-ee
BOM, add the BOM to the<dependencyManagement>
section of the projectpom.xml
file. For example:<dependencyManagement> <dependencies> <dependency> <groupId>org.jboss.bom</groupId> <artifactId>jboss-eap-ee</artifactId> <version>8.0.0.Beta</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement>
Add the servlet API artifact, which is managed by the BOM, to the
<dependencies>
section of the projectpom.xml
file, as shown in the following example:<dependency> <groupId>jakarta.servlet</groupId> <artifactId>jakarta.servlet-api</artifactId> </dependency>
Create a Java file
TestServlet.java
with the following content and save the file in theAPPLICATION_ROOT/src/main/java/com/example/simple/
directory.package com.example.simple; import jakarta.servlet.annotation.WebServlet; import jakarta.servlet.http.HttpServlet; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.PrintWriter; @WebServlet(urlPatterns = "/hello") public class TestServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { PrintWriter writer = resp.getWriter(); writer.println("Hello World!"); writer.close(); } }
You can now deploy this application on JBoss EAP or update this application to package it with and deploy it on a custom provisioned JBoss EAP server using the Maven plug-in.
3.5.3. Using the Maven plug-in to provision a JBoss EAP server
Update the pom.xml
of an application to package it with and deploy on a custom provisioned JBoss EAP server using the Maven plug-in. You can then deploy the application running on the custom-provisioned JBoss EAP server on OpenShift.
Prerequisites
- Ensure that the JBoss EAP Maven plug-in and the JBoss EAP Maven artifact are accessible from either your local or remote Maven repositories.
- You have installed JDK 11 or JDK 17.
You have installed Maven. For more information, see Downloading Apache Maven.
NoteIf you are using JDK 17 and Maven 3.8.5 or previous Maven version, use the latest Maven WAR plugin.
- You have created a Maven project for Jakarta EE 10 application. For more information, see Creating a Jakarta EE 10 application with the Maven.
Procedure
Configure Maven to retrieve the JBoss EAP BOM and JBoss EAP Maven plug-in from a remote repository by adding the following content to the
pom.xml
file:<repositories> <repository> <id>jboss</id> <url>https://maven.repository.redhat.com/earlyaccess/all/</url> <snapshots> <enabled>false</enabled> </snapshots> </repository> </repositories> <pluginRepositories> <pluginRepository> <id>jboss</id> <url>https://maven.repository.redhat.com/earlyaccess/all/</url> <snapshots> <enabled>false</enabled> </snapshots> </pluginRepository> </pluginRepositories>
Add the following content to the
<build>
element of thepom.xml
file. You must specify the latest version of the JBoss EAP Maven plug-in. For example:<plugins> <plugin> <groupId>org.jboss.eap.plugins</groupId> <artifactId>eap-maven-plugin</artifactId> <version>1.0.0.Beta-redhat-00001</version> <configuration> <channels> <channel> <groupId>org.jboss.eap.channels</groupid> 1 <artifactId>eap-8.0-beta</artifactId> </channel> </channels> <feature-packs> <feature-pack> <location>org.jboss.eap:wildfly-ee-galleon-pack</location> 2 </feature-pack> <feature-pack> <location>org.jboss.eap.cloud:eap-cloud-galleon-pack</location> 3 </feature-pack> </feature-packs> <layers> <layer>cloud-server</layer> 4 </layers> <runtime-name>ROOT.war</runtime-name> 5 </configuration> <executions> <execution> <goals> <goal>package</goal> 6 </goals> </execution> </executions> </plugin> </plugins>
- 1
- This specifies the JBoss EAP 8.0 Beta channel in which the JBoss EAP server artifacts are defined.
- 2
- You can retrieve the version of this feature pack from the JBoss EAP channel. The Galleon
feature-pack
includes Galleon layers such ascloud-server
for provisioning trimmed JBoss EAP servers. - 3
- This feature pack adjusts the server Galleon layers for the cloud. It is necessary to use this feature pack to build applications for OpenShift.
- 4
- This Galleon layer provisions a server with features that are necessary when running JBoss EAP applications in the cloud.
- 5
- With this configuration option, you can register your deployment in the HTTP root context.
- 6
- With this plug-in goal, you can provision the server, deploy your application, apply custom configured CLI scripts, and copy custom content into the server installation.
Package the application.
$ mvn package
The directory
target/server
contains a server and application that are ready for use for debugging or development purposes. In the JBoss EAP S2I build context, the server provisioned by the JBoss EAP maven-plugin is installed in the JBoss EAP image at the/opt/server
location. For more information see Building Applications Images using Source-to-Image (S2I) in OpenShift.
Verification
-
You can check the generated server configuration file
target/server/standalone/configuration/standalone.xml
that contains the provisioned subsystems and application deployment.
The JBoss EAP server that contains your deployment has been provisioned.
3.5.4. The Galleon provisioning file
Provisioning files are XML files with the name provisioning.xml
that you can store in the galleon
subdirectory. Using them is an alternative to configuring feature packs and layers in the JBoss EAP Maven plug-in. You can configure provisioning.xml
file to fine-tune the provisioning process.
The following code demonstrates a provisioning file content that you can use to provision JBoss EAP server based on the cloud-server
layer.
The JBoss EAP feature packs don’t have versions, versions are retrieved from the configured channel in the Maven plug-in.
<?xml version="1.0" ?> <installation xmlns="urn:jboss:galleon:provisioning:3.0"> <feature-pack location="org.jboss.eap:wildfly-ee-galleon-pack:">1 <default-configs inherit="false"/>2 <packages inherit="false"/>3 </feature-pack> <feature-pack location="org.jboss.eap.cloud:eap-cloud-galleon-pack: ">4 <default-configs inherit="false"/> <packages inherit="false"/> </feature-pack> <config model="standalone" name="standalone.xml">5 <layers> <include name="cloud-server"/> </layers> </config> <options>6 <option name="optional-packages" value="passive+"/> </options> </installation>
- 1
- This element instructs the provisioning process to provision the JBoss EAP feature pack retrieved from the JBoss EAP channel.
- 2
- This element instructs the provisioning process to exclude default configurations. You can retrieve default configurations in JBoss EAP server installation, such as
standalone.xml
andstandalone-ha.xml
. When you are provisioning JBoss EAP server from the JBoss EAP Maven plugin, generate a single server configuration based on the configured Galleon users. Setting the option tofalse
prevents the generation of any additional server configurations. Settinginherit=true
is not supported for bothdefault-configs
andpackages
. - 3
- This element instructs the provisioning process to exclude default packages.
- 4
- This element instructs the provisioning process to provision the JBoss EAP cloud feature pack. The child elements instruct the process to exclude default configurations and default packages.
- 5
- This element instructs the provisioning process to create a custom standalone configuration. The configuration includes the
cloud-server
base layer defined in the JBoss EAP feature pack and tuned for OpenShift by the JBoss EAP cloud feature pack. - 6
- This element instructs the provisioning process to optimize provisioning of JBoss EAP modules.
3.5.5. The Maven plug-in configuration attributes
You can configure the eap-maven-plugin
Maven plug-in by setting the following list of configuration parameters.
Name | Type | Description |
---|---|---|
channels | List | A list of channel YAML file references. A channel file contains the versions of the JBoss EAP server artifacts. There are two ways to identify a channel YAML file.
<channels> <channel> <groupId>org.jboss.eap.channels</groupId> <artifactId>eap-8.0-beta</artifactId> </channel> </channels>
<channels> <channel> <url>file:///path/to/channel.yaml</url> </channel> </channels> |
| List |
A list of Galleon layers to exclude. You can use it when |
| List | A list of directories from which content is copied to the provisioned server. You can use either the absolute path to the directory or the relative path. The relative path must be relative to the project base directory. |
| List |
A list of feature pack configurations to install, which you can combine with layers. Use the system property |
| String |
The file name of the application to deploy. The default value is |
| Map |
When provisioning the server, you can set specific Galleon options. If you are building a large number of servers in the same Maven session, you must set <galleon-options> <jboss-fork-embedded>true</jboss-fork-embedded> </galleon-options> |
| List |
A list of Galleon layers to provision. You can use it when |
| String |
A name of the configuration file generated from layers. The default value is |
| boolean |
Specifies whether to log the provisioning time at the end of the provisioning. The default value is |
| String | A name used for the deployment. |
| boolean |
Specifies whether to use offline mode when the plug-in resolves an artifact. In offline mode, the plug-in uses the local Maven repository for artifact resolution. The default value is |
| boolean |
If you want to delete the existing server referenced from the |
| List | A list of CLI scripts and commands to execute. If a script file is not absolute, it must be relative to the project base directory. Configure the CLI executions in the following way: <packaging-scripts> <packaging-script> <scripts> <script>../scripts/script1.cli</script> </scripts> <commands> <command>/system-property=foo:add(value=bar)</command> </commands> <properties-files> <property-file>my-properties.properties</property-file> </properties-files> <java-opts> <java-opt>-Xmx256m</java-opt> </java-opts> <!-- Expressions resolved during server execution --> <resolve-expressions>false</resolve-expressions> </packaging-script> </packaging-scripts> |
| String |
Path to the directory in which to provision the server. It can be an absolute path or a path relative to the |
| File |
The path to the |
| boolean |
Specifies whether to record the provisioning state in |
| String |
The runtime-name of the deployment. The default value is the deployment file name, such as |
| String |
The name of the server configuration to use during deployment. The deployment is deployed inside the configuration referenced from |
| boolean |
If you want the goal to be skipped, set it to |
| String |
Indicates how
|
Chapter 4. Configuring your JBoss EAP server and application
The JBoss EAP for OpenShift image is preconfigured for basic use with your Java applications. However, you can configure the JBoss EAP instance inside the image. The recommended method is to use the OpenShift S2I process, together with application template parameters and environment variables.
Any configuration changes made on a running container will be lost when the container is restarted or terminated.
This includes any configuration changes made using scripts that are included with a traditional JBoss EAP installation, for example add-user.sh
or the management CLI.
It is strongly recommended that you use the OpenShift S2I process, together with application template parameters and environment variables, to make any configuration changes to the JBoss EAP instance inside the JBoss EAP for OpenShift image.
4.1. JVM default memory settings
You can use the following environment variables to modify the JVM settings calculated automatically. Note that these variables are only used when default memory size is calculated automatically when a valid container memory limit is defined.
Environment variables | Description |
---|---|
|
This environment variable is now deprecated. Corresponds to the JVM argument Note
You no longer need to set |
|
Environment variable to configure the |
|
Environment variable to provide additional options to the JVM, for example, Note
If you set a value for |
|
This environment variable is now deprecated. Use |
4.2. JVM garbage collection settings
The EAP image for OpenShift includes settings for both garbage collection and garbage collection logging
Garbage Collection Settings
-XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+ExitOnOutOfMemoryError
Garbage Collection Logging Settings
-Xlog:gc*:file=/opt/server/standalone/log/gc.log:time,uptimemillis:filecount=5,filesize=3M
4.3. Resource limits in default settings
If set, additional default settings are included in the image.
-XX:ParallelGCThreads={core-limit} -Djava.util.concurrent.ForkJoinPool.common.parallelism={core-limit} -XX:CICompilerCount=2
The value of CICompilerCount
is always fixed as 2.
The container limits are automatically computed by JVM
.
4.4. JVM environment variables
Use these environment variables to configure the JVM in the EAP for OpenShift image.
Variable Name | Example | Default Value | JVM Settings | Description |
---|---|---|---|---|
JAVA_OPTS | -verbose:class | No default | Multiple |
JVM options to pass to the
Use
Using
In addition, if automatic memory calculation is not enabled, the inital Java memory (-Xms) and maximum Java memory (-Xmx) are not defined.
Add these defaults if you use |
JAVA_OPTS_APPEND | -Dsome.property=value | No default | Multiple |
User-specified Java options to append to generated options in |
JAVA_MAX_MEM_RATIO | 50 | 80 | -Xmx |
Use this variable when the |
JAVA_INITIAL_MEM_RATIO | 25 | -Xms | -Xms |
Use this variable when the |
JAVA_MAX_INITIAL_MEM | 4096 | 4096 | -Xms |
|
JAVA_DIAGNOSTICS | true | false (disabled) |
|
Set the value of this variable to |
DEBUG | true | false | -agentlib:jdwp=transport=dt_socket,address=$DEBUG_PORT,server=y,suspend=n | Enables remote debugging. |
DEBUG_PORT | 8787 | 8787 | -agentlib:jdwp=transport=dt_socket,address=$DEBUG_PORT,server=y,suspend=n | Specifies the port used for debugging. |
GC_MIN_HEAP_FREE_RATIO | 20 | 10 | -XX:MinHeapFreeRatio | Minimum percentage of heap free after garbage collection to avoid expansion. |
GC_MAX_HEAP_FREE_RATIO | 40 | 20 | -XX:MaxHeapFreeRatio | Maximum percentage of heap free after garbage collection to avoid shrinking. |
GC_TIME_RATIO | 4 | 4 | -XX:GCTimeRatio | Specifies the ratio of the time spent outside of garbage collection (for example, time spent in application execution) to the time spent in garbage collection. |
GC_ADAPTIVE_SIZE_POLICY_WEIGHT | 90 | 90 | -XX:AdaptiveSizePolicyWeight | The weighting given to the current garbage collection time versus the previous garbage collection times. |
GC_METASPACE_SIZE | 20 | 96 | -XX:MetaspaceSize | The initial metaspace size. |
GC_MAX_METASPACE_SIZE | 100 | No default | -XX:MaxMetaspaceSize | The maximum metaspace size. |
GC_CONTAINER_OPTIONS | -XX:+UserG1GC | -XX:-UseParallelGC | -XX:-UseParallelGC | Specifies the Java garbage collection to use. The value of the variable is specified by using the Java Runtime Environment (JRE) command-line options. The specified JRE command overrides the default. |
The following environment variables are deprecated:
-
JAVA_OPTIONS
: UseJAVA_OPTS
. -
INITIAL_HEAP_PERCENT
: UseJAVA_INITIAL_MEM_RATIO
. -
CONTAINER_HEAP_PERCENT
: UseJAVA_MAX_MEM_RATIO
.
4.5. Default datasource
The datasource ExampleDS
is not available in JBoss EAP 8.0 Beta.
Some quickstarts require this datasource:
-
cmt
-
thread-racing
Applications developed by customers might also require the ExampleDS
datasource.
If you need the default datasource, use the ENABLE_GENERATE_DEFAULT_DATASOURCE
environment variable to include it when provisioning a JBoss EAP server.
ENABLE_GENERATE_DEFAULT_DATASOURCE=true
This environment variable works only when cloud-default-config
galleon layer is used.
Chapter 5. Capability trimming in JBoss EAP for OpenShift
When building an image that includes JBoss EAP, you can control the JBoss EAP features and subsystems to be included in the image. You can do this by either using the JBoss EAP maven plugin when you create a new application or using the environment variables below if you have an existing application.
- GALLEON_PROVISION_FEATURE_PACKS
- GALLEON_PROVISION_LAYERS
- GALLEON_PROVISION_CHANNELS
For example, you might want to reduce the security exposure of the provisioned server, or you might want to reduce the memory footprint so it is more appropriate for a microservice container.
5.1. Available JBoss EAP Layers
Red Hat provides base and decorator layers that allow you to customize provisioning your JBoss EAP server in OpenShift. The base layers provide core functionality, and the decorator layers enhance the base layers.
The following Jakarta EE specifications are not supported in any provisioning layer:
- Jakarta Server Faces 2.3
- Jakarta Enterprise Beans 3.2
- Jakarta XML Web Services 2.3
5.1.1. Base layers
Each base layer includes core functionality for a typical server user case.
datasources-web-server
This layer includes a servlet container and the ability to configure a datasource.
This layer does not include MicroProfile capabilities.
The following are the JBoss EAP subsystems included by default in the datasources-web-server
:
-
core-management
-
datasources
-
deployment-scanner
-
ee
-
elytron
-
io
-
jca
-
jmx
-
logging
-
naming
-
request-controller
-
security-manager
-
transactions
-
undertow
The following Jakarta EE specifications are supported in this layer:
- Jakarta JSON Processing 1.1
- Jakarta JSON Binding 1.0
- Jakarta Servlet 4.0
- Jakarta Expression Language 3.0
- Jakarta Server Pages 2.3
- Jakarta Standard Tag Library 1.2
- Jakarta Concurrency 1.1
- Jakarta Annotations 1.3
- Jakarta XML Binding 2.3
- Jakarta Debugging Support for Other Languages 1.0
- Jakarta Transactions 1.3
- Jakarta Connectors 1.7
jaxrs-server
This layer enhances the datasources-web-server
layer with the following JBoss EAP subsystems:
-
jaxrs
-
weld
-
jpa
This layer also adds Infinispan-based second-level entity caching locally in the container.
The following MicroProfile capability is included in this layer:
- MicroProfile REST Client
The following Jakarta EE specifications are supported in this layer in addition to those supported in the datasources-web-server
layer:
- Jakarta Contexts and Dependency Injection 2.0
- Jakarta Bean Validation 2.0
- Jakarta Interceptors 1.2
- Jakarta RESTful Web Services 2.1
- Jakarta Persistence 2.2
cloud-server
This layer enhances the jaxrs-server
layer with the following JBoss EAP subsystems:
-
resource-adapters
-
messaging-activemq
(remote broker messaging, not embedded messaging)
This layer also adds the following observability features to the jaxrs-server
layer:
- MicroProfile Health
- MicroProfile Metrics
- MicroProfile Config
- MicroProfile OpenTracing
The following Jakarta EE specification is supported in this layer in addition to those supported in the jaxrs-server
layer:
- Jakarta Security 1.0
cloud-default-config
This layer provisions a server with server configuration based on standalone-ha.xml
and includes the subsystem configuration messaging-activemq
. On the contrary, the modcluster
and core-management
subsystems configuration are not included. The whole setup is configured to be used in the cloud. Additionally, all JBoss EAP server JBoss modules will be installed.
5.1.2. Decorator layers
Decorator layers are not used alone. You can configure one or more decorator layers with a base layer to deliver additional functionality.
observability
This decorator layer adds the following observability features to the provisioned server:
- MicroProfile Health
- MicroProfile Metrics
- MicroProfile Config
- MicroProfile OpenTracing
This layer is built in to the cloud-server
layer. You do not need to add this layer to the cloud-server
layer.
web-clustering
This layer adds embedded Infinispan-based web session clustering to the provisioned server.
5.2. Provisioning user-developed layers in JBoss EAP
In addition to provisioning layers available from Red Hat, you can provision custom layers you develop.
Procedure
Build a custom layer using the Galleon Maven plugin.
For more information, see Preparing the Maven project.
- Deploy the custom layer to an accessible Maven repository.
You can use custom Galleon feature-pack environment variables to customize Galleon feature-packs and layers during the S2I image build process.
For more information about customizing Galleon feature-packs and layers, see Using the custom Galleon feature-pack during S2I build.
Optional: Create a custom provisioning file to reference the user-defined layer and supported JBoss EAP layers and store it in your application directory.
For more information about creating a custom provisioning file, see The Galleon provisioning file.
Run the S2I process to provision a JBoss EAP server in OpenShift.
For more information, see Using the custom Galleon feature-pack during S2I build.
5.2.1. Building and using custom Galleon layers for JBoss EAP
Custom Galleon layers are packaged inside a Galleon feature-pack that is designed to run with JBoss EAP 8.0 Beta.
In Openshift, you can build and use a Galleon feature-pack that contains layers to provision, for example, a MariaDB driver and data source for the JBoss EAP 8.0 Beta server. A layer contains the content that is installed in the server. A layer can update the server XML configuration file and add content to the server installation.
This section documents how to build and use a Galleon feature-pack containing layers to provision a MariaDB driver and data source for the JBoss EAP 8.0 Beta server in OpenShift.
5.2.1.1. Preparing the Maven project
Galleon feature-packs are created using Maven. This procedure includes the steps to create a new Maven project.
Procedure
Create a new Maven project by runing the following command:
mvn archetype:generate -DarchetypeGroupId=org.codehaus.mojo.archetypes -DarchetypeArtifactId=pom-root -DgroupId=org.jboss.eap.demo -DartifactId=mariadb-galleon-pack -DinteractiveMode=false
Navigate to
mariadb-galleon-pack
directory and update thepom.xml
file to include the Red Hat Maven repository:<repositories> <repository> <id>redhat-earlyaccess</id> <name>Redhat earlyaccess</name> <url>https://maven.repository.redhat.com/earlyaccess/all/</url> </repository> </repositories>
Update the
pom.xml
file to add dependencies on the JBoss EAP Galleon feature-pack and the MariaDB driver:<dependencies> <dependency> <groupId>org.jboss.eap</groupId> <artifactId>wildfly-ee-galleon-pack</artifactId> <version>8.0.0.Beta-redhat-XXXXX</version> <type>zip</type> </dependency> <dependency> <groupId>org.mariadb.jdbc</groupId> <artifactId>mariadb-java-client</artifactId> <version>2.7.2</version> </dependency> </dependencies>
Note-
<version>A.B.C-redhat-XXXXX</version>
WhereA.B.C
is the release number andXXXXX
is build number of your JBoss EAP instance. See the Red Hat Maven repository for version details about JBoss EAP releases. The release and build numbers are available for all JBoss EAP releases. https://maven.repository.redhat.com/earlyaccess/all/org/jboss/eap/wildfly-ee-galleon-pack/.
-
Update the
pom.xml
file to include the Maven plugin that is used to build the Galleon feature-pack:<build> <plugins> <plugin> <groupId>org.wildfly.galleon-plugins</groupId> <artifactId>wildfly-galleon-maven-plugin</artifactId> <version>6.2.0.Final-redhat-00001</version> <executions> <execution> <id>mariadb-galleon-pack-build</id> <goals> <goal>build-user-feature-pack</goal> </goals> <phase>compile</phase> </execution> </executions> </plugin> </plugins> </build>
5.2.1.2. Adding the feature-pack content
This procedure helps you add layers to a custom Galleon feature-pack, for example, the feature-pack including the MariaDB driver and datasource layers.
Prerequisites
- You have created a Maven project. For more details, see Preparing the Maven project.
Procedure
-
Create the directory,
src/main/resources
, within a custom feature-pack Maven project, for example, see Preparing the Maven project. This directory is the root directory containing the feature-pack content. -
Create the directory
src/main/resources/modules/org/mariadb/jdbc/main
. In the
main
directory, create a file namedmodule.xml
with the following content:<?xml version="1.0" encoding="UTF-8"?> <module name="org.mariadb.jdbc" xmlns="urn:jboss:module:1.8"> <resources> <artifact name="${org.mariadb.jdbc:mariadb-java-client}"/> 1 </resources> <dependencies> 2 <module name="javax.api"/> <module name="javax.transaction.api"/> </dependencies> </module>
-
Create the directory
src/main/resources/layers/standalone/
. This is the root directory of all the layers that the Galleon feature-pack is defining. -
Create the directory
src/main/resources/layers/standalone/mariadb-driver
. In the
mariadb-driver
directory, create thelayer-spec.xml
file with the following content:<?xml version="1.0" ?> <layer-spec xmlns="urn:jboss:galleon:layer-spec:1.0" name="mariadb-driver"> <feature spec="subsystem.datasources"> 1 <feature spec="subsystem.datasources.jdbc-driver"> <param name="driver-name" value="mariadb"/> <param name="jdbc-driver" value="mariadb"/> <param name="driver-xa-datasource-class-name" value="org.mariadb.jdbc.MariaDbDataSource"/> <param name="driver-module-name" value="org.mariadb.jdbc"/> </feature> </feature> <packages> 2 <package name="org.mariadb.jdbc"/> </packages> </layer-spec>
The
mariadb-driver
layer updates thedatasources
subsystem with the configuration of a JDBC driver, implemented by theJBoss Modules
module.-
Create the directory
src/main/resources/layers/standalone/mariadb-datasource
. In the
mariadb-datasource
directory, create thelayer-spec.xml
file with the following content:<?xml version="1.0" ?> <layer-spec xmlns="urn:jboss:galleon:layer-spec:1.0" name="mariadb-datasource"> <dependencies> <layer name="mariadb-driver"/> 1 </dependencies> <feature spec="subsystem.datasources.data-source"> 2 <param name="data-source" value="MariaDBDS"/> <param name="jndi-name" value="java:jboss/datasources/${env.MARIADB_DATASOURCE:MariaDBDS}"/> <param name="connection-url" value="jdbc:mariadb://${env.MARIADB_HOST:localhost}:${env.MARIADB_PORT:3306}/${env.MARIADB_DATABASE}"/> 3 <param name="driver-name" value="mariadb"/> <param name="user-name" value="${env.MARIADB_USER}"/> 4 <param name="password" value="${env.MARIADB_PASSWORD}"/> </feature> </layer-spec>
- 1
- This dependency enforces the provisioning of the MariaDB driver when the data source is provisioned. All the layers a layer depends on are automatically provisioned when that layer is provisioned.
- 2
- Update the
datasources
subsystem configuration with a data source named MariaDBDS. - 3
- Datasource’s name, host, port, and database values are resolved from the environment variables
MARIADB_DATASOURCE
,MARIADB_HOST
,MARIADB_PORT
, andMARIADB_DATABASE
, which are set when the server is started. - 4
- User name and password values are resolved from the environment variables
MARIADB_USER
andMARIADB_PASSWORD
.
Build the Galleon feature-pack by running the following command:
mvn clean install
The file
target/mariadb-galleon-pack-1.0-SNAPSHOT.zip
is created.
5.2.1.3. Using the custom Galleon feature-pack during S2I build
A custom feature-pack must be made available to the Maven build that occurs during OpenShift S2I build. This is usually achieved by deploying the custom feature-pack as an artifact, for example, org.jboss.eap.demo:mariadb-galleon-pack:1.0-SNAPSHOT
to an accessible Maven repository.
For more information about configuring the JBoss EAP S2I image for custom Galleon feature-pack usage, see Configure Galleon by using advanced environment variables.
Prerequisites
-
You have
oc
command-line installed - You are logged in to an OpenShift cluster
-
You have configured access to the
Red Hat Container
registry. For detailed information, see Red Hat Container Registry. - You have created a custom Galleon feature-pack. For detailed information, see Preparing the Maven project.
Procedure
Start the
MariaDB
database by running the following command. This example uses theMariaDB
image mariadb-105-rhel7
. You must use the latest supported version ofMariaDB
image. See Red Hat Ecosystem Catalog to get more information aboutMariaDB images
.oc new-app -e MYSQL_USER=admin -e MYSQL_PASSWORD=admin -e MYSQL_DATABASE=mariadb registry.redhat.io/rhscl/mariadb-105-rhel7
The OpenShift service
mariadb-101-rhel7
is created and started.Create a secret from the feature-pack archive, generated by the custom feature-pack Maven build, by running the following command within the Maven project directory
mariadb-galleon-pack
:oc create secret generic mariadb-galleon-pack --from-file=target/mariadb-galleon-pack-1.0-SNAPSHOT.zip
The secret
mariadb-galleon-pack
is created. When initiating the S2I build, this secret is used to mount the feature-pack .zip file in the pod, making the file available during the server provisioning phase.
5.2.1.4. Importing the JBoss EAP 8 image stream
You can import the JBoss EAP 8.0 Beta image stream by following the procedure below.
Procedure
Import the JBoss EAP 8.0 Beta image stream:
oc import-image jboss-eap-8-tech-preview/eap8-openjdk11-builder-openshift-rhel8:latest \ --from=registry.redhat.io/jboss-eap-8-tech-preview/eap8-openjdk11-builder-openshift-rhel8:latest \ --confirm
5.2.1.4.1. Creating an S2I build using the JBoss EAP maven plugin
The eap-maven-plugin
has been configured with both a reference to the JBoss EAP galleon feature-pack
, JBoss EAP cloud galleon feature-pack
and the mariadb galleon feature-pack
. See an extract of the pom.xml
:
<feature-packs> <feature-pack> <location>org.jboss.eap:wildfly-ee-galleon-pack</location> </feature-pack> <feature-pack> <location>org.jboss.eap.cloud:eap-cloud-galleon-pack</location> </feature-pack> <feature-pack> <location>org.jboss.eap.demo:mariadb-galleon-pack:1.0-SNAPSHOT</location>1 </feature-pack> </feature-packs> <layers> <layer>jaxrs-server</layer> <layer>mariadb-datasource</layer>2 </layers>
Procedure
Create the S2I build by running the following command:
oc new-build eap8-openjdk11-builder-openshift-rhel8:latest~https://github.com/jboss-container-images/jboss-eap-8-openshift-image#EAP_8.0.0.Beta \ --context-dir=examples/eap/custom-layers/application \ --build-secret=mariadb-galleon-pack:/tmp/demo-maven-repository/org/jboss/eap/demo/mariadb-galleon-pack/1.0-SNAPSHOT \ 1 --name=mariadb-app-build
- 1
- The
mariadb-galleon-pack
secret is mounted in the/tmp/demo-maven-repository/org/jboss/eap/demo/mariadb-galleon-pack/1.0-SNAPSHOT
directory.
Additional resources
For more information see the JBoss EAP 8.0 Beta demo example.
5.2.1.4.2. Creating an S2I build using the legacy S2I provisioning capabilities
You can use the openshift-legacy
profile to configure your S2I build so that you can provision your server.
Procedure
Create a new OpenShift build by running the following command:
oc new-build eap8-openjdk11-builder-openshift-rhel8:latest~https://github.com/jboss-container-images/jboss-eap-8-openshift-image#EAP_8.0.0.Beta \ --context-dir=examples/eap/custom-layers/application \ --env=GALLEON_PROVISION_CHANNELS="org.jboss.eap.channels:eap-8.0-beta" \ 1 --env=GALLEON_PROVISION_FEATURE_PACKS="org.jboss.eap:wildfly-ee-galleon-pack,org.jboss.eap.cloud:eap-cloud-galleon-pack,org.jboss.eap.demo:mariadb-galleon-pack:1.0-SNAPSHOT" \ 2 --env=GALLEON_PROVISION_LAYERS="jaxrs-server,mariadb-datasource" \ 3 --env=GALLEON_CUSTOM_FEATURE_PACKS_MAVEN_REPO="/tmp/demo-maven-repository" \ 4 --env=MAVEN_ARGS="-Popenshift-legacy" \ 5 --build-secret=mariadb-galleon-pack:/tmp/demo-maven-repository/org/jboss/eap/demo/mariadb-galleon-pack/1.0-SNAPSHOT \ 6 --name=mariadb-app-build
- 1
- This environment variable uses the JBoss EAP 8.0 Beta channel during provisioning.
- 2
- This environment variable references the JBoss EAP 8.0 Beta
feature-pack
,cloud feature-pack
and themariadb feature-pack
. - 3
- This environment variable references the set of Galleon layers you want to use to provision the server.
jaxrs-server
is a base server layer,mariadb-datasource
is our custom layer that brings themariadb
driver and a new data source to the server installation. - 4
- This points to the location of your local maven repository where the
mariadb feature-pack
is contained. - 5
- This environment variable redefines the
MAVEN_ARGS
to enable theopenshift-legacy
profile. - 6
- The
mariadb-galleon-pack
secret is mounted in the/tmp/demo-maven-repository/org/jboss/eap/demo/mariadb-galleon-pack/1.0-SNAPSHOT
directory.
This directory path complies with Maven repository artifact coordinates to path mapping.
5.2.1.4.3. Starting the build
You can create the mariadb-app-build
image by creating a new build.
Procedure
Start a new build from the same OpenShift build that you created earlier and run the following command:
oc start-build mariadb-app-build
After successful command execution, the image
mariadb-app-build
is created.
5.2.1.4.4. Creating a new deployment
You can create a new deployment by providing the environment variables that are required to bind the data source to the running MariaDB
database
Procedure
Create a new deployment by running the following command:
oc new-app --name=mariadb-app mariadb-app-build \ --env=MARIADB_PORT=3306 \ --env=MARIADB_USER=admin \ --env=MARIADB_PASSWORD=admin \ --env=MARIADB_HOST=mariadb-105-rhel7 \ --env=MARIADB_DATABASE=mariadb \ --env=MARIADB_DATASOURCE=Demo 1
- 1
- The demo expects the data source to be named
Demo
NoteFor more details about the custom Galleon feature-pack environment variables, see Custom Galleon feature pack environment variables.
Expose the
mariadb-app
application, run the following command:oc expose svc/mariadb-app
To create a new task, run the following command:
curl -X POST http://$(oc get route mariadb-app --template='{{ .spec.host }}')/tasks/title/foo
To access the list of tasks, run the following command:
curl http://$(oc get route mariadb-app --template='{{ .spec.host }}')
The added task is displayed in a browser.
5.2.2. Configure Galleon by using advanced environment variables
You can use advanced custom Galleon feature pack environment variables to customize the location where you store your custom Galleon feature packs and layers during the S2I image build process. These advanced custom Galleon feature pack environment variables are as follows:
-
GALLEON_DIR=<path>
, which overrides the default<project_root_dir>/galleon
directory path to<project_root_dir>/<GALLEON_DIR>
. -
GALLEON_CUSTOM_FEATURE_PACKS_MAVEN_REPO=<path>
, which overrides the<project root dir>/galleon/repository
directory path with an absolute path to a Maven local repository cache directory. This repository contains custom Galleon feature packs.
You must locate the Galleon feature pack archive files inside a sub-directory that is compliant with the Maven local-cache file system configuration. For example, locate the org.examples:my-feature-pack:1.0.0.Final
feature pack inside the path-to-repository/org/examples/my-feature-pack/1.0.0.Final/my-feature-pack-1.0.0.Final.zip
path.
You can configure your Maven project settings by creating a settings.xml
file in the <project_root>/<GALLEON_DIR>
directory. The default value for GALLEON_DIR
is <project_root_dir>/galleon
. Maven uses the file to provision your custom Galleon feature packs for your application. If you do not create a settings.xml
file, Maven uses a default settings.xml
file that was created by the S2I image.
Do not specify a local Maven repository location in a settings.xml
file, because the S2I builder image specifies a location to your local Maven repository. The S2I builder image uses this location during the S2I build process.
Additional resources
5.2.3. Custom Galleon feature pack environment variables
You can use any of the following custom Galleon feature pack environment variables to customize how you use your JBoss EAP S2I image.
Environment variable | Description |
---|---|
GALLEON_DIR=<path> |
Where <path> is a directory relative to the root directory of your application project. Your <path> directory contains your optional Galleon custom content, such as the
Directory defaults to |
GALLEON_CUSTOM_FEATURE_PACKS_MAVEN_REPO=<path> |
<path> is the absolute path to a Maven local repository directory that contains custom feature packs. Directory defaults to |
GALLEON_PROVISION_FEATURE_PACKS=<list_of_galleon_feature_packs> | Where <list_of_galleon_feature_packs> is a comma-separated list of your custom Galleon feature packs identified by Maven coordinates. The listed feature packs must be compatible with the version of the JBoss EAP 8.0 Beta server present in the builder image.
You can use the |
Chapter 6. Deploying your Jboss EAP application on the OpenShift Container Platform
6.1. JBoss EAP operator for automating application deployment on OpenShift
EAP operator is a JBoss EAP-specific controller that extends the OpenShift API. You can use the EAP operator to create, configure, manage, and seamlessly upgrade instances of complex stateful applications.
The EAP operator manages multiple JBoss EAP Java application instances across the cluster. It also ensures safe transaction recovery in your application cluster by verifying all transactions are completed before scaling down the replicas and marking a pod as clean
for termination. The EAP operator uses StatefulSet
for the appropriate handling of Jakarta Enterprise Beans remoting and transaction recovery processing. The StatefulSet
ensures persistent storage and network hostname stability even after pods are restarted.
You must install the EAP operator using OperatorHub, which can be used by OpenShift cluster administrators to discover, install, and upgrade operators.
In OpenShift Container Platform 4, you can use the Operator Lifecycle Manager (OLM) to install, update, and manage the lifecycle of all operators and their associated services running across multiple clusters.
The OLM runs by default in OpenShift Container Platform 4. It aids cluster administrators in installing, upgrading, and granting access to operators running on their cluster. The OpenShift Container Platform web console provides management screens for cluster administrators to install operators, as well as grant specific projects access to use the catalog of operators available on the cluster.
For more information about operators and the OLM, see the OpenShift documentation.
6.1.1. Installing EAP operator using the web console
As a JBoss EAP cluster administrator, you can install an EAP operator from Red Hat OperatorHub using the OpenShift Container Platform web console. You can then subscribe the EAP operator to one or more namespaces to make it available for developers on your cluster.
Here are a few points you must be aware of before installing the EAP operator using the web console:
- Installation Mode: Choose All namespaces on the cluster (default) to have the operator installed on all namespaces or choose individual namespaces, if available, to install the operator only on selected namespaces.
- Update Channel: If the EAP operator is available through multiple channels, you can choose which channel you want to subscribe to. For example, to deploy from the stable channel, if available, select it from the list.
- Approval Strategy: You can choose automatic or manual updates. If you choose automatic updates for the EAP operator, when a new version of the operator is available, the Operator Lifecycle Manager (OLM) automatically upgrades the running instance of EAP operator. If you choose manual updates, when a newer version of the operator is available, the OLM creates an update request. You must then manually approve the update request to have the operator updated to the new version.
The following procedure might change in accordance with the modifications in the OpenShift Container Platform web console. For the latest and most accurate procedure, see the Installing from the OperatorHub using the web console section in the latest version of the Working with Operators in OpenShift Container Platform guide.
Prerequisites
-
Access to an OpenShift Container Platform cluster using an account with
cluster-admin
permissions.
Procedure
- In the OpenShift Container Platform web console, navigate to Operators→ OperatorHub.
-
Scroll down or type
EAP
into the Filter by keyword box to find the EAP operator. - Select JBoss EAP operator and click Install.
On the Create Operator Subscription page:
Select one of the following:
-
All namespaces on the cluster (default) installs the operator in the default
openshift-operators
namespace to watch and be made available to all namespaces in the cluster. This option is not always available. - A specific namespace on the cluster installs the operator in a specific, single namespace that you choose. The operator is made available for use only in this single namespace.
-
All namespaces on the cluster (default) installs the operator in the default
- Select an Update Channel.
- Select Automatic or Manual approval strategy, as described earlier.
Click Subscribe to make the EAP operator available to the selected namespaces on this OpenShift Container Platform cluster.
- If you selected a manual approval strategy, the subscription’s upgrade status remains Upgrading until you review and approve its install plan. After you approve the install plan on the Install Plan page, the subscription upgrade status moves to Up to date.
- If you selected an automatic approval strategy, the upgrade status moves to Up to date without intervention.
After the subscription’s upgrade status is Up to date, select Operators → Installed Operators to verify that the EAP ClusterServiceVersion (CSV) shows up and its Status changes to InstallSucceeded in the relevant namespace.
NoteFor the All namespaces… installation mode, the status displayed is InstallSucceeded in the
openshift-operators
namespace. In other namespaces the status displayed is Copied. . If the Status field does not change to InstallSucceeded, check the logs in any pod in theopenshift-operators
project (or other relevant namespace if A specific namespace… installation mode was selected) on the Workloads → Pods page that are reporting issues to troubleshoot further.
6.1.2. Installing EAP operator using the CLI
As a JBoss EAP cluster administrator, you can install an EAP operator from Red Hat OperatorHub using the OpenShift Container Platform CLI. You can then subscribe the EAP operator to one or more namespaces to make it available for developers on your cluster.
When installing the EAP operator from the OperatorHub using the CLI, use the oc
command to create a Subscription
object.
Prerequisites
-
You have access to an OpenShift Container Platform cluster using an account with
cluster-admin
permissions. -
You have installed the
oc
tool in your local system.
Procedure
View the list of operators available to the cluster from the OperatorHub:
$ oc get packagemanifests -n openshift-marketplace | grep eap NAME CATALOG AGE ... eap Red Hat Operators 43d ...
Create a
Subscription
object YAML file (for example,eap-operator-sub.yaml
) to subscribe a namespace to your EAP operator. The following is an exampleSubscription
object YAML file:apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: eap namespace: openshift-operators spec: channel: stable installPlanApproval: Automatic name: eap 1 source: redhat-operators 2 sourceNamespace: openshift-marketplace
For information about channels and approval strategy, see the web console version of this procedure.
Create the
Subscription
object from the YAML file:$ oc apply -f eap-operator-sub.yaml $ oc get csv -n openshift-operators NAME DISPLAY VERSION REPLACES PHASE eap-operator.v1.0.0 JBoss EAP 1.0.0 Succeeded
The EAP operator is successfully installed. At this point, the OLM is aware of the EAP operator. A ClusterServiceVersion (CSV) for the operator appears in the target namespace, and APIs provided by the EAP operator is available for creation.
6.1.3. Deploying a Java application on OpenShift using the EAP operator
The EAP operator helps automate Java application deployment on OpenShift. For information about the EAP operator APIs, see EAP Operator: API Information.
Prerequisites
- You have installed EAP operator. For more information about installing the EAP operator, see Installing EAP operator using the web console and Installing EAP operator using the CLI.
- You have built a Docker image of the user application using JBoss EAP for OpenShift Source-to-Image (S2I) build image.
-
The
APPLICATION_IMAGE
parameter in youreap-s2i-build
template has an imagestream, if you want to enable automatic upgrade of your application after it is deployed on OpenShift.
-
You have created a
Secret
object, if your application’s CustomResourceDefinition (CRD) file references one. For more information about creating a newSecret
object, see Creating a Secret. -
You have created a
ConfigMap
, if your application’s CRD file references one. For information about creating aConfigMap
, see Creating a ConfigMap. -
You have created a
ConfigMap
from thestandalone.xml
file, if you choose to do so. For information about creating aConfigMap
from thestandalone.xml
file, see Creating a ConfigMap from a standalone.xml File.
Providing a standalone.xml
file from the ConfigMap
is not supported in JBoss EAP 8-beta.
Procedure
- Open your web browser and log on to OperatorHub.
- Select the Project or namespace you want to use for your Java application.
- Navigate to Installed Operator and select JBoss EAP operator.
- On the Overview tab, click the Create Instance link.
Specify the application image details.
The application image specifies the Docker image that contains the Java application. The image must be built using the JBoss EAP for OpenShift Source-to-Image (S2I) build image. If the
applicationImage
field corresponds to an imagestreamtag, any change to the image triggers an automatic upgrade of the application.You can provide any of the following references of the JBoss EAP for OpenShift application image:
- The name of the image: mycomp/myapp
- A tag: mycomp/myapp:1.0
- A digest: mycomp/myapp:@sha256:0af38bc38be93116b6a1d86a9c78bd14cd527121970899d719baf78e5dc7bfd2
- An imagestreamtag: my-app:latest
Specify the size of the application. For example:
spec: replicas:2
Configure the application environment using the
env spec
. The Environment variables can come directly from values, such as POSTGRESQL_SERVICE_HOST or fromSecret
objects, such as POSTGRESQL_USER. For example:spec: env: - name: POSTGRESQL_SERVICE_HOST value: postgresql - name: POSTGRESQL_SERVICE_PORT value: '5432' - name: POSTGRESQL_DATABASE valueFrom: secretKeyRef: key: database-name name: postgresql - name: POSTGRESQL_USER valueFrom: secretKeyRef: key: database-user name: postgresql - name: POSTGRESQL_PASSWORD valueFrom: secretKeyRef: key: database-password name: postgresql
Complete the following optional configurations that are relevant to your application deployment:
- Specify the storage requirements for the server data directory. For more information, see Configuring Persistent Storage for Applications.
Specify the name of the
Secret
you created inWildFlyServerSpec
to mount it as a volume in the pods running the application. For example:spec: secrets: - my-secret
The
Secret
is mounted at/etc/secrets/<secret name>
and each key/value is stored as a file. The name of the file is the key and the content is the value. TheSecret
is mounted as a volume inside the pod. The following example demonstrates commands that you can use to find key values:$ ls /etc/secrets/my-secret/ my-key my-password $ cat /etc/secrets/my-secret/my-key devuser $ cat /etc/secrets/my-secret/my-password my-very-secure-pasword
NoteModifying a
Secret
object might lead to project inconsistencies. Instead of modifying an existingSecret
object, Red Hat recommends creating a new object with the same content as that of the old one. You can then update the content as required and change the reference in operator custom resource (CR) from old to new. This is considered a new CR update and the pods are reloaded.Specify the name of the
ConfigMap
you created inWildFlyServerSpec
to mount it as a volume in the pods running the application. For example:spec: configMaps: - my-config
The
ConfigMap
is mounted at/etc/configmaps/<configmap name>
and each key/value is stored as a file. The name of the file is the key and the content is the value. TheConfigMap
is mounted as a volume inside the pod. To find the key values:$ ls /etc/configmaps/my-config/ key1 key2 $ cat /etc/configmaps/my-config/key1 value1 $ cat /etc/configmaps/my-config/key2 value2
NoteModifying a
ConfigMap
might lead to project inconsistencies. Instead of modifying an existingConfigMap
, Red Hat recommends creating a newConfigMap
with the same content as that of the old one. You can then update the content as required and change the reference in operator custom resource (CR) from old to new. This is considered a new CR update and the pods are reloaded.If you choose to have your own standalone
ConfigMap
, provide the name of theConfigMap
as well as the key for thestandalone.xml
file:standaloneConfigMap: name: clusterbench-config-map key: standalone.xml
NoteCreating a
ConfigMap
from thestandalone.xml
file is not supported in JBoss EAP 8-beta.If you want to disable the default HTTP route creation in OpenShift, set
disableHTTPRoute
totrue
:spec: disableHTTPRoute: true
6.1.3.1. Creating a secret
If your application’s CustomResourceDefinition (CRD) file references a Secret
, you must create the Secret
before deploying your application on OpenShift using the EAP operator.
Procedure
-
To create a
Secret
:
$ oc create secret generic my-secret --from-literal=my-key=devuser --from-literal=my-password='my-very-secure-pasword'
6.1.3.2. Creating a configMap
If your application’s CustomResourceDefinition (CRD) file references a ConfigMap in the spec.ConfigMaps field, you must create the ConfigMap before deploying your application on OpenShift using the EAP operator.
Procedure
- To create a configmap:
$ oc create configmap my-config --from-literal=key1=value1 --from-literal=key2=value2 configmap/my-config created
6.1.3.3. Creating a configMap from a standalone.xml File
You can create your own JBoss EAP standalone configuration instead of using the one in the application image that comes from JBoss EAP for OpenShift Source-to-Image (S2I). The standalone.xml
file must be put in a ConfigMap
that is accessible by the operator.
Providing a standalone.xml
file from the ConfigMap
is not supported in JBoss EAP 8-beta.
Procedure
-
To create a
ConfigMap
from thestandalone.xml
file:
$ oc create configmap clusterbench-config-map --from-file examples/clustering/config/standalone.xml configmap/clusterbench-config-map created
6.1.3.4. Configuring persistent storage for applications
If your application requires persistent storage for some data, such as, transaction or messaging logs that must persist across pod restarts, configure the storage spec. If the storage spec is empty, an EmptyDir
volume is used by each pod of the application. However, this volume does not persist after its corresponding pod is stopped.
Procedure
Specify
volumeClaimTemplate
to configure resources requirements to store the JBoss EAP standalone data directory. The name of the template is derived from the name of JBoss EAP. The corresponding volume is mounted inReadWriteOnce
access mode.spec: storage: volumeClaimTemplate: spec: resources: requests: storage: 3Gi
The persistent volume that meets this storage requirement is mounted on the
/eap/standalone/data
directory.
6.1.4. Viewing metrics of an application using the EAP operator
You can view the metrics of an application deployed on OpenShift using the EAP operator.
When your cluster administrator enables metrics monitoring in your project, the EAP operator automatically displays the metrics on the OpenShift console.
Prerequisites
- Your cluster administrator has enabled monitoring for your project. For more information, see Enabling monitoring for user-defined projects.
Procedure
- In the OpenShift Container Platform web console, navigate to Monitoring→ Metrics.
- On the Metrics screen, type the name of your application in the text box to select your application. The metrics for your application appear on the screen.
6.1.5. Uninstalling EAP operator using web console
You can delete, or uninstall, EAP operator from your cluster, you can delete the subscription to remove it from the subscribed namespace. You can also remove the EAP operator’s ClusterServiceVersion (CSV) and deployment.
To ensure data consistency and safety, scale down the number of pods in your cluster to 0 before uninstalling the EAP operator.
You can uninstall the EAP operator using the web console.
If you decide to delete the entire wildflyserver
definition (oc delete wildflyserver <deployment_name>
), then no transaction recovery process is started and the pod is terminated regardless of unfinished transactions. The unfinished work that results from this operation might block the data changes that you later initiate. The data changes for other JBoss EAP instances involved in transactional enterprise bean remote calls with this wildflyserver
might also be blocked.
Procedure
- From the Operators→ Installed Operators page, select JBoss EAP.
- On the right-hand side of the Operator Details page, select Uninstall Operator from the Actions drop-down menu.
- When prompted by the Remove Operator Subscription window, optionally select the Also completely remove the Operator from the selected namespace check box if you want all components related to the installation to be removed. This removes the CSV, which in turn removes the pods, deployments, custom resource definitions (CRDs), and custom resources (CRs) associated with the operator.
- Click Remove. The EAP operator stops running and no longer receives updates.
6.1.6. Uninstalling JBoss EAP operator using the CLI
You can delete, or uninstall, the EAP operator from your cluster, you can delete the subscription to remove it from the subscribed namespace. You can also remove the EAP operator’s ClusterServiceVersion (CSV) and deployment.
To ensure data consistency and safety, scale down the number of pods in your cluster to 0 before uninstalling the EAP operator.
You can uninstall the EAP operator using the command line.
When using the command line, you uninstall the operator by deleting the subscription and CSV from the target namespace.
If you decide to delete the entire wildflyserver
definition (oc delete wildflyserver <deployment_name>
), then no transaction recovery process is started and the pod is terminated regardless of unfinished transactions. The unfinished work that results from this operation might block the data changes that you later initiate. The data changes for other JBoss EAP instances involved in transactional enterprise bean remote calls with this wildflyserver
might also be blocked.
Procedure
Check the current version of the EAP operator subscription in the
currentCSV
field:$ oc get subscription eap-operator -n openshift-operators -o yaml | grep currentCSV currentCSV: eap-operator.v1.0.0
Delete the EAP operator’s subscription:
$ oc delete subscription eap-operator -n openshift-operators subscription.operators.coreos.com "eap-operator" deleted
Delete the CSV for the EAP operator in the target namespace using the
currentCSV
value from the previous step:$ oc delete clusterserviceversion eap-operator.v1.0.0 -n openshift-operators clusterserviceversion.operators.coreos.com "eap-operator.v1.0.0" deleted
6.1.7. JBoss EAP operator for safe transaction recovery
JBoss EAP operator ensures data consistency before terminating your application cluster. To do this, the operator verifies that all transactions are completed before scaling down the replicas and marking a pod as clean
for termination.
This means that if you want to remove the deployment safely without data inconsistencies, you must first scale down the number of pods to 0, wait until all pods are terminated, and only then delete the wildflyserver
instance.
If you decide to delete the entire wildflyserver
definition (oc delete wildflyserver <deployment_name>
), then no transaction recovery process is started and the pod is terminated regardless of unfinished transactions. The unfinished work that results from this operation might block the data changes that you later initiate. The data changes for other JBoss EAP instances involved in transactional enterprise bean remote calls with this wildflyserver
might also be blocked.
When the scaledown process begins the pod state (oc get pod <pod_name>
) is still marked as Running
, because the pod must complete all the unfinished transactions, including the remote enterprise beans calls that target it.
If you want to monitor the state of the scaledown process, observe the status of the wildflyserver
instance. For more information, see Monitoring the Scaledown Process. For information about pod statuses during scaledown, see Pod Status During Scaledown.
6.1.7.1. StatefulSets for stable network host names
The EAP operator that manages the wildflyserver creates a StatefulSet
as an underlying object managing the JBoss EAP pods.
A StatefulSet
is the workload API object that manages stateful applications. It manages the deployment and scaling of a set of pods, and provides guarantees about the ordering and uniqueness of these pods.
The StatefulSet
ensures that the pods in a cluster are named in a predefined order. It also ensures that pod termination follows the same order. For example, let us say, pod-1 has a transaction with heuristic outcome, and so is in the state of SCALING_DOWN_RECOVERY_DIRTY
. Even if pod-0 is in the state of SCALING_DOWN_CLEAN
, it is not terminated before pod-1. Until pod-1 is clean
and is terminated, pod-0 remains in the SCALING_DOWN_CLEAN
state. However, even if pod-0 is in the SCALING_DOWN_CLEAN
state, it does not receive any new request and is practically idle.
Decreasing the replica size of the StatefulSet
or deleting the pod itself has no effect and such changes are reverted.
6.1.7.2. Monitoring the scaledown process
If you want to monitor the state of the scaledown process, you must observe the status of the wildflyserver
instance. For more information about the different pod statuses during scaledown, see Pod Status During Scaledown.
Procedure
To observe the state of the scaledown process:
oc describe wildflyserver <name>
- The WildFlyServer.Status.Scalingdown Pods and WildFlyServer.Status.Replicas fields shows the overall state of the active and non-active pods.
- The Scalingdown Pods field shows the number of pods which are about to be terminated when all the unfinished transactions are complete.
- The WildFlyServer.Status.Replicas field shows the current number of running pods.
- The WildFlyServer.Spec.Replicas field shows the number of pods in ACTIVE state.
- If there are no pods in scaledown process the numbers of pods in the WildFlyServer.Status.Replicas and WildFlyServer.Spec.Replicas fields are equal.
6.1.7.2.1. Pod status during Scaledown
The following table describes the different pod statuses during scaledown:
Pod Status | Description |
---|---|
ACTIVE | The pod is active and processing requests. |
SCALING_DOWN_RECOVERY_INVESTIGATION | The pod is about to be scaled down. The scale-down process is under investigation about the state of transactions in JBoss EAP. |
SCALING_DOWN_RECOVERY_DIRTY | JBoss EAP contains some incomplete transactions. The pod cannot be terminated until they are cleaned. The transaction recovery process is periodically run at JBoss EAP and it waits until the transactions are completed. |
SCALING_DOWN_CLEAN |
The pod is processed by transaction scaled down processing and is marked as |
6.1.7.3. Scaling down during transactions with heuristic outcomes
When the outcome of a transaction is unknown, automatic transaction recovery is impossible. You must then manually recover your transactions.
Prerequisites
-
The status of your pod is stuck at
SCALING_DOWN_RECOVERY_DIRTY
.
Procedure
- Access your JBoss EAP instance using CLI.
- Resolve all the heuristics transaction records in the transaction object store. For more information, see Recovering Heuristic Outcomes in the Managing Transactions on JBoss EAP.
Remove all records from the enterprise bean client recovery folder.
Remove all files from the pod enterprise bean client recovery directory:
$JBOSS_HOME/standalone/data/ejb-xa-recovery oc exec <podname> rm -rf $JBOSS_HOME/standalone/data/ejb-xa-recovery
-
The status of your pod changes to
SCALING_DOWN_CLEAN
and the pod is terminated.
6.1.7.4. Configuring the transactions subsystem to use the JDBC storage for transaction log
In cases where the system does not provide a file system to store transaction logs
, use the JBoss EAP S2I image to configure the JDBC object store.
S2I environment variables are not usable when JBoss EAP is deployed as a bootable JAR. In this case, you must create a Galleon layer or configure a CLI script to make the necessary configuration changes.
The JDBC object store can be set up with the environment variable TX_DATABASE_PREFIX_MAPPING
. This variable has the same structure as DB_SERVICE_PREFIX_MAPPING
.
Prerequisite
- You have created a datasource based on the value of the environment variables.
-
You have ensured consistent data reads and writes permissions exist between the database and the
transaction manager
communicating over the JDBC object store. For more information see configuring JDBC data sources
Procedure
Set up and configure the JDBC object store through the S2I environment variable.
Example
# Narayana JDBC objectstore configuration via s2i env variables - name: TX_DATABASE_PREFIX_MAPPING value: 'PostgresJdbcObjectStore-postgresql=PG_OBJECTSTORE' - name: POSTGRESJDBCOBJECTSTORE_POSTGRESQL_SERVICE_HOST value: 'postgresql' - name: POSTGRESJDBCOBJECTSTORE_POSTGRESQL_SERVICE_PORT value: '5432' - name: PG_OBJECTSTORE_JNDI value: 'java:jboss/datasources/PostgresJdbc' - name: PG_OBJECTSTORE_DRIVER value: 'postgresql' - name: PG_OBJECTSTORE_DATABASE value: 'sampledb' - name: PG_OBJECTSTORE_USERNAME value: 'admin' - name: PG_OBJECTSTORE_PASSWORD value: 'admin'
Verification
You can verify both the datasource configuration and transaction subsystem configuration by checking the
standalone.xml
configuration fileoc rsh <podname> cat /opt/server/standalone/configuration/standalone.xml
.Expected output:
<datasource jta="false" jndi-name="java:jboss/datasources/PostgresJdbcObjectStore" pool-name="postgresjdbcobjectstore_postgresqlObjectStorePool" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}"> <connection-url>jdbc:postgresql://postgresql:5432/sampledb</connection-url> <driver>postgresql</driver> <security> <user-name>admin</user-name> <password>admin</password> </security> </datasource> <!-- under subsystem urn:jboss:domain:transactions --> <jdbc-store datasource-jndi-name="java:jboss/datasources/PostgresJdbcObjectStore"> <!-- the pod name was named transactions-xa-0 --> <action table-prefix="ostransactionsxa0"/> <communication table-prefix="ostransactionsxa0"/> <state table-prefix="ostransactionsxa0"/> </jdbc-store>
Additional resources
- For more information about creating datasources by using either the management console or the management CLI, see Creating Datasources in the JBoss EAP Configuration Guide.
6.1.8. Automatically scaling pods with the horizontal pod autoscaler HPA
With EAP operator, you can use a horizontal pod autoscaler HPA to automatically increase or decrease the scale of an EAP application based on metrics collected from the pods that belong to that EAP application.
Using HPA ensures that transaction recovery is still handled when a pod is scaled down.
Procedure
Configure the resources:
apiVersion: wildfly.org/v1alpha1 kind: WildFlyServer metadata: name: eap-helloworld spec: applicationImage: 'eap-helloworld:latest' replicas: 1 resources: limits: cpu: 500m memory: 2Gi requests: cpu: 100m memory: 1Gi
ImportantYou must specify the resource limits and requests for containers in a pod for autoscaling to work as expected.
Create the Horizontal pod autoscaler:
oc autoscale wildflyserver/eap-helloworld --cpu-percent=50 --min=1 --max=10
Verification
- You can verify the HPA behavior by checking the replicas. The number of replicas increase or decrease depending on the increase or decrease of the workload.
oc get hpa -w NAME REFERENCE TARGETS MINPODS MAXPODS REPLICAS AGE eap-helloworld WildFlyServer/eap-helloworld 217%/50% 1 10 1 4s eap-helloworld WildFlyServer/eap-helloworld 217%/50% 1 10 4 17s eap-helloworld WildFlyServer/eap-helloworld 133%/50% 1 10 8 32s eap-helloworld WildFlyServer/eap-helloworld 133%/50% 1 10 10 47s eap-helloworld WildFlyServer/eap-helloworld 139%/50% 1 10 10 62s eap-helloworld WildFlyServer/eap-helloworld 180%/50% 1 10 10 92s eap-helloworld WildFlyServer/eap-helloworld 133%/50% 1 10 10 2m2s
Additional resources
6.1.9. Jarkarta enterprise beans remoting on OpenShift
6.1.9.1. Jakarta Enterprise Beans remoting on openShift
For JBoss EAP to work correctly with enterprise bean remoting calls between different JBoss EAP clusters on OpenShift, you must understand the enterprise bean remoting configuration options on OpenShift.
When deploying on OpenShift, consider the use of the EAP operator. The EAP operator uses StatefulSet
for the appropriate handling of enterprise bean remoting and transaction recovery processing. The StatefulSet
ensures persistent storage and network hostname stability even after pods are restarted.
Network hostname stability is required when the JBoss EAP instance is contacted using an enterprise bean remote call with transaction propagation. The JBoss EAP instance must be reachable under the same hostname even if the pod restarts. The transaction manager, which is a stateful component, binds the persisted transaction data to a particular JBoss EAP instance. Because the transaction log is bound to a specific JBoss EAP instance, it must be completed in the same instance.
To prevent data loss when the JDBC transaction log store is used, make sure your database provides data-consistent reads and writes. Consistent data reads and writes are important when the database is scaled horizontally with multiple instances.
An enterprise bean remote caller has two options to configure the remote calls:
- Define a remote outbound connection. For more information, see Configuring a Remote Outbound Connection.
- Use a programmatic JNDI lookup for the bean at the remote server. For more information, see Using Remote Jakarta Enterprise Beans Clients.
You must reconfigure the value representing the address of the target node depending on the enterprise bean remote call configuration method.
The name of the target enterprise bean for the remote call must be the DNS address of the first pod.
The StatefulSet
behaviour depends on the ordering of the pods. The pods are named in a predefined order. For example, if you scale your application to three replicas, your pods have names such as eap-server-0
, eap-server-1
, and eap-server-2
.
The EAP operator also uses a headless service that ensures a specific DNS hostname is assigned to the pod. If the application uses the EAP operator, a headless service is created with a name such as eap-server-headless
. In this case, the DNS name of the first pod is eap-server-0.eap-server-headless
.
The use of the hostname eap-server-0.eap-server-headless
ensures that the enterprise bean call reaches any EAP instance connected to the cluster. A bootstrap connection is used to initialize the Jakarta Enterprise Beans client, which gathers the structure of the EAP cluster as the next step.
6.1.9.1.1. Configuring Jakarta Enterprise Beans on OpenShift
You must configure the JBoss EAP servers that act as callers for enterprise bean remoting. The target server must configure a user with permission to receive the enterprise bean remote calls.
Prerequisites
- You have used the EAP operator and the supported JBoss EAP for OpenShift S2I image for deploying and managing the JBoss EAP application instances on OpenShift.
- The clustering is set correctly. For more information about JBoss EAP clustering, see the Clustering section.
Procedure
Create a user in the target server with permission to receive the enterprise bean remote calls:
$JBOSS_HOME/bin/add-user.sh
Configure the caller JBoss EAP application server.
-
Create the
eap-config.xml
file in$JBOSS_HOME/standalone/configuration
using the custom configuration functionality. For more information, see Custom Configuration. Configure the caller JBoss EAP application server with the
wildfly.config.url
property:JAVA_OPTS_APPEND="-Dwildfly.config.url=$JBOSS_HOME/standalone/configuration/eap-config.xml"
NoteIf you use the following example for your configuration, replace the
>>PASTE_…_HERE<<
with username and password you configured.Example Configuration
<configuration> <authentication-client xmlns="urn:elytron:1.0"> <authentication-rules> <rule use-configuration="jta"> <match-abstract-type name="jta" authority="jboss" /> </rule> </authentication-rules> <authentication-configurations> <configuration name="jta"> <sasl-mechanism-selector selector="DIGEST-MD5" /> <providers> <use-service-loader /> </providers> <set-user-name name="PASTE_USER_NAME_HERE" /> <credentials> <clear-password password="PASTE_PASSWORD_HERE" /> </credentials> <set-mechanism-realm name="ApplicationRealm" /> </configuration> </authentication-configurations> </authentication-client> </configuration>
-
Create the
Chapter 7. Troubleshooting
Pods can restart for a number of reasons, but a common cause of JBoss EAP pod restarts might include OpenShift resource constraints, especially out-of-memory issues. See the OpenShift documentation for more information on OpenShift pod eviction.
7.1. Troubleshooting Pod restarts
By default, JBoss EAP for OpenShift templates are configured to automatically restart affected containers when they encounter situations like out-of-memory issues. The following steps can help you diagnose and troubleshoot out-of-memory and other pod restart issues.
Get the name of the pod that has been having trouble.
You can see pod names, as well as the number times each pod has restarted with the following command.
$ oc get pods
To diagnose why a pod has restarted, you can examine the JBoss EAP logs of the previous pod, or the OpenShift events.
To see the JBoss EAP logs of the previous pod, use the following command.
oc logs --previous POD_NAME
To see the OpenShift events, use the following command.
$ oc get events
- If a pod has restarted because of a resource issue, you can attempt to modify your OpenShift pod configuration to increase its resource requests and limits. See the OpenShift documentation for more information on configuring pod compute resources.
7.2. Troubleshooting using the JBoss EAP management CLI
The JBoss EAP management CLI, EAP_HOME/bin/jboss-cli.sh
, is accessible from within a container for troubleshooting purposes.
It is not recommended to make configuration changes in a running pod using the JBoss EAP management CLI. Any configuration changes made using the management CLI in a running container will be lost when the container restarts.
To make configuration changes to JBoss EAP for OpenShift, see Configuring your JBoss EAP server and application.
First open a remote shell session to the running pod.
$ oc rsh POD_NAME
Run the following command from the remote shell session to launch the JBoss EAP management CLI:
$ /opt/server/bin/jboss-cli.sh
Chapter 8. Reference information for OpenShift Container Platform
The content in this section is derived from the engineering documentation for this application image. The content is provided as a reference for development purposes and for testing beyond the scope of the product documentation.
8.1. Information environment variables
The following environment variables are designed to provide information to the image and should not be modified by the user:
Variable Name | Description and Value |
---|---|
JBOSS_IMAGE_NAME | The image names. Values:
|
JBOSS_IMAGE_VERSION | The image version. Value: This is the image version number. See the Red Hat Container Catalog for the latest values: |
JBOSS_MODULES_SYSTEM_PKGS | A comma-separated list of JBoss EAP system modules packages that are available to applications.
Value: |
STI_BUILDER |
Provides OpenShift S2I support for
Value: |
8.2. Configuration environment variables
You can configure the following environment variables to adjust the image without requiring a rebuild.
See the JBoss EAP documentation for other environment variables that are not listed here.
Variable Name | Description |
---|---|
CLI_GRACEFUL_SHUTDOWN |
If set to any non-zero length value, the image will prevent shutdown with the
Example value: |
CONTAINER_HEAP_PERCENT | Set the maximum Java heap size, as a percentage of available container memory.
Example value: |
CUSTOM_INSTALL_DIRECTORIES | A list of comma-separated directories used for installation and configuration of artifacts for the image during the S2I process.
Example value: |
DEFAULT_JMS_CONNECTION_FACTORY |
This value is used to specify the default JNDI binding for the Jakarta Messaging connection factory, for example
Example value: |
ENABLE_ACCESS_LOG | Enable logging of access messages to the standard output channel. Logging of access messages is implemented using following methods:
Defaults to |
INITIAL_HEAP_PERCENT | Set the initial Java heap size, as a percentage of the maximum heap size.
Example value: |
JAVA_OPTS_APPEND | Server startup options.
Example value: |
JBOSS_MODULES_SYSTEM_PKGS_APPEND |
A comma-separated list of package names that will be appended to the
Example value: |
JGROUPS_CLUSTER_PASSWORD |
Password used to authenticate the node so it is allowed to join the JGroups cluster. Required, when using
Example value: |
JGROUPS_ENCRYPT_KEYSTORE |
Name of the keystore file within the created secret specified when using
Example value: |
JGROUPS_ENCRYPT_KEYSTORE_DIR | Directory path in which the secret containing the keystore is mounted.
Example value: |
JGROUPS_ENCRYPT_NAME |
Name associated with the server’s certificate, when using
Example value: |
JGROUPS_ENCRYPT_PASSWORD |
Password used to access the keystore and the certificate, when using
Example value: |
JGROUPS_ENCRYPT_PROTOCOL |
JGroups protocol to use for encryption of cluster traffic. Can be either
Defaults to
Example value: |
JGROUPS_PING_PROTOCOL |
JGroups protocol to use for node discovery. Can be either |
MQ_SIMPLE_DEFAULT_PHYSICAL_DESTINATION |
For backwards compatibility, set to |
OPENSHIFT_DNS_PING_SERVICE_NAME | Name of the service exposing the ping port on the servers for the DNS discovery mechanism.
Example value: |
OPENSHIFT_DNS_PING_SERVICE_PORT |
The port number of the ping port for the DNS discovery mechanism. If not specified, an attempt is made to discover the port number from the SRV records for the service, otherwise the default
Defaults to |
OPENSHIFT_KUBE_PING_LABELS | Clustering labels selector for the Kubernetes discovery mechanism.
Example value: |
OPENSHIFT_KUBE_PING_NAMESPACE | Clustering project namespace for the Kubernetes discovery mechanism.
Example value: |
SCRIPT_DEBUG |
If set to |
8.3. Exposed ports
Port Number | Description |
---|---|
8443 | HTTPS |
8.4. Datasources
Datasources are automatically created based on the value of some of the environment variables.
The most important environment variable is DB_SERVICE_PREFIX_MAPPING
, as it defines JNDI mappings for the datasources. The allowed value for this variable is a comma-separated list of POOLNAME-DATABASETYPE=PREFIX
triplets, where:
-
POOLNAME
is used as thepool-name
in the datasource. -
DATABASETYPE
is the database driver to use. -
PREFIX
is the prefix used in the names of environment variables that are used to configure the datasource.
8.4.1. JNDI mappings for datasources
For each POOLNAME-DATABASETYPE=PREFIX
triplet defined in the DB_SERVICE_PREFIX_MAPPING
environment variable, the launch script creates a separate datasource, which is executed when running the image.
The first part (before the equal sign) of the DB_SERVICE_PREFIX_MAPPING
should be lowercase.
The DATABASETYPE
determines the driver for the datasource.
For more information about configuring a driver, see Modules, Drivers, and Generic Deployments. The JDK 8 image has drivers for postgresql
and mysql
configured by default.
Do not use any special characters for the POOLNAME
parameter.
Support for using the Red Hat-provided internal datasource drivers with the JBoss EAP for OpenShift image is now deprecated. Red Hat recommends that you use JDBC drivers obtained from your database vendor for your JBoss EAP applications.
The following internal datasources are no longer provided with the JBoss EAP for OpenShift image:
- MySQL
- PostgreSQL
For more information about installing drivers, see Modules, Drivers, and Generic Deployments.
For more information on configuring JDBC drivers with JBoss EAP, see JDBC drivers in the JBoss EAP Configuration Guide.
Note that you can also create a custom layer to install these drivers and datasources if you want to add them to a provisioned server.
8.4.1.1. Datasource Configuration Environment Variables
To configure other datasource properties, use the following environment variables.
Be sure to replace the values for POOLNAME
, DATABASETYPE
, and PREFIX
in the following variable names with the appropriate values. These replaceable values are described in this section and in the Datasources section.
Variable Name | Description |
---|---|
POOLNAME_DATABASETYPE_SERVICE_HOST |
Defines the database server’s host name or IP address to be used in the datasource’s
Example value: |
POOLNAME_DATABASETYPE_SERVICE_PORT | Defines the database server’s port for the datasource.
Example value: |
PREFIX_BACKGROUND_VALIDATION |
When set to |
PREFIX_BACKGROUND_VALIDATION_MILLIS |
Specifies frequency of the validation, in milliseconds, when the |
PREFIX_CONNECTION_CHECKER | Specifies a connection checker class that is used to validate connections for the particular database in use.
Example value: |
PREFIX_DATABASE | Defines the database name for the datasource.
Example value: |
PREFIX_DRIVER | Defines Java database driver for the datasource.
Example value: |
PREFIX_EXCEPTION_SORTER | Specifies the exception sorter class that is used to properly detect and clean up after fatal database connection exceptions.
Example value: |
PREFIX_JNDI |
Defines the JNDI name for the datasource. Defaults to
Example value: |
PREFIX_JTA | Defines Jakarta Transactions option for the non-XA datasource. The XA datasources are already Jakarta Transactions capable by default.
Defaults to |
PREFIX_MAX_POOL_SIZE | Defines the maximum pool size option for the datasource.
Example value: |
PREFIX_MIN_POOL_SIZE | Defines the minimum pool size option for the datasource.
Example value: |
PREFIX_NONXA |
Defines the datasource as a non-XA datasource. Defaults to |
PREFIX_PASSWORD | Defines the password for the datasource.
Example value: |
PREFIX_TX_ISOLATION | Defines the java.sql.Connection transaction isolation level for the datasource.
Example value: |
PREFIX_URL | Defines connection URL for the datasource.
Example value: |
PREFIX_USERNAME | Defines the username for the datasource.
Example value: |
When running this image in OpenShift, the POOLNAME_DATABASETYPE_SERVICE_HOST
and POOLNAME_DATABASETYPE_SERVICE_PORT
environment variables are set up automatically from the database service definition in the OpenShift application template, while the others are configured in the template directly as env
entries in container definitions under each pod template.
8.4.1.2. Examples
These examples show how value of the DB_SERVICE_PREFIX_MAPPING
environment variable influences datasource creation.
8.4.1.2.1. Single Mapping
Consider value test-postgresql=TEST
.
This creates a datasource with java:jboss/datasources/test_postgresql
name. Additionally, all the required settings like password and username are expected to be provided as environment variables with the TEST_
prefix, for example TEST_USERNAME
and TEST_PASSWORD
.
8.4.1.2.2. Multiple Mappings
You can specify multiple datasource mappings.
Always separate multiple datasource mappings with a comma.
Consider the following value for the DB_SERVICE_PREFIX_MAPPING
environment variable: cloud-postgresql=CLOUD,test-mysql=TEST_MYSQL
.
This creates the following two datasources:
-
java:jboss/datasources/test_mysql
-
java:jboss/datasources/cloud_postgresql
Then you can use TEST_MYSQL
prefix for configuring things like the username and password for the MySQL datasource, for example TEST_MYSQL_USERNAME
. And for the PostgreSQL datasource, use the CLOUD_
prefix, for example CLOUD_USERNAME
.
8.5. Clustering
8.5.1. Configuring a JGroups Discovery Mechanism
To enable JBoss EAP clustering on OpenShift, configure the JGroups protocol stack in your JBoss EAP configuration to use either the kubernetes.KUBE_PING
or the dns.DNS_PING
discovery mechanism.
Although you can use a custom standalone.xml
configuration file, it is recommended that you use Environment variables to configure JGroups in your image build.
The instructions below use environment variables to configure the discovery mechanism for the JBoss EAP for OpenShift image.
If you use one of the available application templates to deploy an application on top of the JBoss EAP for OpenShift image, the default discovery mechanism is dns.DNS_PING
.
The dns.DNS_PING
and kubernetes.KUBE_PING
discovery mechanisms are not compatible with each other. It is not possible to form a supercluster out of two independent child clusters, with one using the dns.DNS_PING
mechanism for discovery and the other using the kubernetes.KUBE_PING
mechanism. Similarly, when performing a rolling upgrade, the discovery mechanism needs to be identical for both the source and the target clusters.
8.5.1.1. Configuring KUBE_PING
To use the KUBE_PING
JGroups discovery mechanism:
The JGroups protocol stack must be configured to use
KUBE_PING
as the discovery mechanism.You can do this by setting the
JGROUPS_PING_PROTOCOL
environment variable tokubernetes.KUBE_PING
:JGROUPS_PING_PROTOCOL=kubernetes.KUBE_PING
The
KUBERNETES_NAMESPACE
environment variable must be set to your OpenShift project name. If not set, the server behaves as a single-node cluster (a "cluster of one"). For example:KUBERNETES_NAMESPACE=PROJECT_NAME
The
KUBERNETES_LABELS
environment variable should be set. This should match the label set at the service level. If not set, pods outside of your application (albeit in your namespace) will try to join. For example:KUBERNETES_LABELS=application=APP_NAME
Authorization must be granted to the service account the pod is running under to be allowed to access Kubernetes' REST API. This is done using the OpenShift CLI. The following example uses the
default
service account in the current project’s namespace:oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default -n $(oc project -q)
Using the
eap-service-account
in the project namespace:oc policy add-role-to-user view system:serviceaccount:$(oc project -q):eap-service-account -n $(oc project -q)
NoteSee Preparing OpenShift to deploy an application for more information on adding policies to service accounts.
8.5.1.2. Configuring DNS_PING
To use the DNS_PING
JGroups discovery mechanism:
The JGroups protocol stack must be configured to use
DNS_PING
as the discovery mechanism.You can do this by setting the
JGROUPS_PING_PROTOCOL
environment variable todns.DNS_PING
:JGROUPS_PING_PROTOCOL=dns.DNS_PING
The
OPENSHIFT_DNS_PING_SERVICE_NAME
environment variable must be set to the name of the ping service for the cluster.OPENSHIFT_DNS_PING_SERVICE_NAME=PING_SERVICE_NAME
The
OPENSHIFT_DNS_PING_SERVICE_PORT
environment variable should be set to the port number on which the ping service is exposed. TheDNS_PING
protocol attempts to discern the port from the SRV records, otherwise it defaults to8888
.OPENSHIFT_DNS_PING_SERVICE_PORT=PING_PORT
A ping service which exposes the ping port must be defined. This service should be headless (ClusterIP=None) and must have the following:
- The port must be named.
The service must be annotated with the
service.alpha.kubernetes.io/tolerate-unready-endpoints
and thepublishNotReadyAddresses
properties, both set totrue
.Note-
Use both the
service.alpha.kubernetes.io/tolerate-unready-endpoints
and thepublishNotReadyAddresses
properties to ensure that the ping service works in both the older and newer OpenShift releases. - Omitting these annotations result in each node forming its own "cluster of one" during startup. Each node then merges its cluster into the other nodes' clusters after startup, because the other nodes are not detected until after they have started.
kind: Service apiVersion: v1 spec: publishNotReadyAddresses: true clusterIP: None ports: - name: ping port: 8888 selector: deploymentConfig: eap-app metadata: name: eap-app-ping annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" description: "The JGroups ping port for clustering."
-
Use both the
DNS_PING
does not require any modifications to the service account and works using the default permissions.
8.5.2. Configuring JGroups to Encrypt Cluster Traffic
To encrypt cluster traffic for JBoss EAP on OpenShift, you must configure the JGroups protocol stack in your JBoss EAP configuration to use either the SYM_ENCRYPT
or ASYM_ENCRYPT
protocol.
Although you can use a custom standalone.xml
configuration file, it is recommended that you use Environment variables to configure JGroups in your image build.
The instructions below use environment variables to configure the protocol for cluster traffic encryption for the JBoss EAP for OpenShift image.
The SYM_ENCRYPT
and ASYM_ENCRYPT
protocols are not compatible with each other. It is not possible to form a supercluster out of two independent child clusters, with one using the SYM_ENCRYPT
protocol for the encryption of cluster traffic and the other using the ASYM_ENCRYPT
protocol. Similarly, when performing a rolling upgrade, the protocol needs to be identical for both the source and the target clusters.
8.5.2.1. Configuring SYM_ENCRYPT
To use the SYM_ENCRYPT
protocol to encrypt JGroups cluster traffic:
The JGroups protocol stack must be configured to use
SYM_ENCRYPT
as the encryption protocol.You can do this by setting the
JGROUPS_ENCRYPT_PROTOCOL
environment variable toSYM_ENCRYPT
:JGROUPS_ENCRYPT_PROTOCOL=SYM_ENCRYPT
The
JGROUPS_ENCRYPT_KEYSTORE_DIR
environment variable must be set to the directory path in which the secret containing the keystore is mounted. For example:JGROUPS_ENCRYPT_KEYSTORE_DIR=/etc/jgroups-encrypt-secret-volume
The
JGROUPS_ENCRYPT_KEYSTORE
environment variable must be set to the name of the keystore file within the created secret specified. If not set, cluster communication is not encrypted and a warning is issued. For example:JGROUPS_ENCRYPT_KEYSTORE=jgroups.jceks
The
JGROUPS_ENCRYPT_NAME
environment variable must be set to the name associated with the server’s certificate. If not set, cluster communication is not encrypted and a warning is issued. For example:JGROUPS_ENCRYPT_NAME=jgroups
The
JGROUPS_ENCRYPT_PASSWORD
environment variable must be set to the password used to access the keystore and the certificate. If not set, cluster communication is not encrypted and a warning is issued. For example:JGROUPS_ENCRYPT_PASSWORD=mypassword
8.5.2.2. Configuring ASYM_ENCRYPT
JBoss EAP 8.0 Beta includes a new version of the ASYM_ENCRYPT
protocol. The previous version of the protocol is deprecated. If you specify the JGROUPS_CLUSTER_PASSWORD
environment variable, the deprecated version of the protocol is used and a warning is printed in the pod log.
To use the ASYM_ENCRYPT
protocol to encrypt JGroups cluster traffic, specify ASYM_ENCRYPT
as the encryption protocol, and configure it to use a keystore configured in the elytron
subsystem.
-e JGROUPS_ENCRYPT_PROTOCOL="ASYM_ENCRYPT" \ -e JGROUPS_ENCRYPT_NAME="encrypt_name" \ -e JGROUPS_ENCRYPT_PASSWORD="encrypt_password" \ -e JGROUPS_ENCRYPT_KEYSTORE="encrypt_keystore" \ -e JGROUPS_CLUSTER_PASSWORD="cluster_password"
8.6. Health checks
The JBoss EAP for OpenShift image utilizes the liveness and readiness probes included in OpenShift by default. In addition, this image includes Eclipse MicroProfile Health, as discussed in the Configuration Guide.
The following table demonstrates the values necessary for these health checks to pass. If the status is anything other than the values found below, then the check is failed and the image is restarted per the image’s restart policy.
Performed Test | Liveness | Readiness |
---|---|---|
Server Status | Any status | Running |
Boot Errors | None | None |
Deployment Status [a] |
N/A or no |
N/A or no |
Eclipse MicroProfile Health [b] |
N/A or |
N/A or |
[a]
N/A is only a valid state when no deployments are present.
[b]
N/A is only a valid state when the microprofile-health-smallrye subsystem has been disabled.
|
8.7. Messaging
8.7.1. Configuring External Red Hat AMQ Brokers
You can configure the JBoss EAP for OpenShift image with environment variables to connect to external Red Hat AMQ brokers.
Example OpenShift Application Definition
The following example uses a template to create a JBoss EAP application connected to an external Red Hat AMQ 7 broker.
Example: JDK 8
oc new-app eap74-amq-s2i \ -p EAP_IMAGE_NAME=jboss-eap74-openjdk8-openshift:7.4.0 \ -p EAP_RUNTIME_IMAGE_NAME=jboss-eap74-openjdk8-runtime-openshift:7.4.0 \ -p APPLICATION_NAME=eap74-mq \ -p MQ_USERNAME=MY_USERNAME \ -p MQ_PASSWORD=MY_PASSWORD
The template used in this example provides valid default values for the required parameters. If you do not use a template and provide your own parameters, be aware that the MQ_SERVICE_PREFIX_MAPPING
name must match the APPLICATION_NAME
name, appended with "-amq7=MQ".
8.8. Security domains
To configure a new Security Domain, the user must define the SECDOMAIN_NAME
environment variable.
This results in the creation of a security domain named after the environment variable. The user may also define the following environment variables to customize the domain:
Variable name | Description |
---|---|
SECDOMAIN_NAME | Defines an additional security domain.
Example value: |
SECDOMAIN_PASSWORD_STACKING |
If defined, the
Example value: |
SECDOMAIN_LOGIN_MODULE | The login module to be used.
Defaults to |
SECDOMAIN_USERS_PROPERTIES | The name of the properties file containing user definitions.
Defaults to |
SECDOMAIN_ROLES_PROPERTIES | The name of the properties file containing role definitions.
Defaults to |
8.9. HTTPS environment variables
Variable name | Description |
---|---|
HTTPS_NAME |
If defined along with
This should be the value specified as the alias name of your keystore if you created it with the
Example value: |
HTTPS_PASSWORD |
If defined along with
Example value: |
HTTPS_KEYSTORE |
If defined along with
Example value: |
8.10. Administration environment variables
Variable name | Description |
---|---|
ADMIN_USERNAME |
If both this and
Example value: |
ADMIN_PASSWORD |
The password for the specified
Example value: |
8.11. S2I
The image includes S2I scripts and Maven. Maven is currently only supported as a build tool for applications that are supposed to be deployed on JBoss EAP-based containers (or related/descendant images) on OpenShift.
Only WAR deployments are supported at this time.
8.11.1. Custom Configuration
It is possible to add custom configuration files for the image. All files put into configuration/
directory will be copied into EAP_HOME/standalone/configuration/
. For example to override the default configuration used in the image, just add a custom standalone.xml
into the configuration/
directory. See example for such a deployment.
8.11.1.1. Custom Modules
It is possible to add custom modules. All files from the modules/
directory will be copied into EAP_HOME/modules/
. See example for such a deployment.
8.11.2. Deployment Artifacts
By default, artifacts from the source target
directory will be deployed. To deploy from different directories set the ARTIFACT_DIR
environment variable in the BuildConfig definition. ARTIFACT_DIR
is a comma-delimited list. For example: ARTIFACT_DIR=app1/target,app2/target,app3/target
8.11.3. Artifact repository mirrors
A repository in Maven holds build artifacts and dependencies of various types, for example, all of the project JARs, library JARs, plug-ins, or any other project specific artifacts. It also specifies locations from where to download artifacts while performing the S2I build. Besides using central repositories, it is a common practice for organizations to deploy a local custom mirror repository.
Benefits of using a mirror are:
- Availability of a synchronized mirror, which is geographically closer and faster.
- Ability to have greater control over the repository content.
- Possibility to share artifacts across different teams (developers, CI), without the need to rely on public servers and repositories.
- Improved build times.
Often, a repository manager can serve as local cache to a mirror. Assuming that the repository manager is already deployed and reachable externally at https://10.0.0.1:8443/repository/internal/
, the S2I build can then use this manager by supplying the MAVEN_MIRROR_URL
environment variable to the build configuration of the application as follows:
Identify the name of the build configuration to apply
MAVEN_MIRROR_URL
variable against.oc get bc -o name buildconfig/eap
Update build configuration of
eap
with aMAVEN_MIRROR_URL
environment variable.oc env bc/eap MAVEN_MIRROR_URL="https://10.0.0.1:8443/repository/internal/" buildconfig "eap" updated
Verify the setting.
oc env bc/eap --list # buildconfigs eap MAVEN_MIRROR_URL=https://10.0.0.1:8443/repository/internal/
- Schedule new build of the application.
During application build, you will notice that Maven dependencies are pulled from the repository manager, instead of the default public repositories. Also, after the build is finished, you will see that the mirror is filled with all the dependencies that were retrieved and used during the build.
8.11.3.1. Secure artifact repository mirror URLs
To prevent "man-in-the-middle" attacks through the Maven repository, JBoss EAP requires the use of secure URLs for artifact repository mirror URLs.
The URL should specify a secure http ("https") and a secure port.
By default, if you specify an unsecure URL, an error will be returned. You can override this behavior using the the property -Dinsecure.repositories=WARN
.
8.11.4. Scripts
run
-
This script uses the
openshift-launch.sh
script that configures and starts JBoss EAP with thestandalone.xml
configuration. assemble
-
This script uses Maven to build the source, create a package (WAR), and move it to the
EAP_HOME/standalone/deployments
directory.
8.11.5. Custom Scripts
You can add custom scripts to run when starting a pod, before JBoss EAP is started.
You can add any script valid to run when starting a pod, including CLI scripts.
Two options are available for including scripts when starting JBoss EAP from an image:
- Mount a configmap to be executed as postconfigure.sh
- Add an install.sh script in the nominated installation directory
8.11.5.1. Mounting a configmap to execute custom scripts
Mount a configmap when you want to mount a custom script at runtime to an existing image (in other words, an image that has already been built).
To mount a configmap:
Create a configmap with content you want to include in the postconfigure.sh.
For example, create a directory called
extensions
in the project root directory to include the scriptspostconfigure.sh
andextensions.cli
and run the following command:$ oc create configmap jboss-cli --from-file=postconfigure.sh=extensions/postconfigure.sh --from-file=extensions.cli=extensions/extensions.cli
Mount the configmap into the pods via the deployment controller (dc).
$ oc set volume dc/eap-app --add --name=jboss-cli -m /opt/server/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755' --overwrite
Example postconfigure.sh
#!/usr/bin/env bash set -x echo "Executing postconfigure.sh" $JBOSS_HOME/bin/jboss-cli.sh --file=$JBOSS_HOME/extensions/extensions.cli
Example extensions.cli
embed-server --std-out=echo --server-config=standalone.xml :whoami quit
8.11.5.2. Using install.sh to execute custom scripts
Use install.sh when you want to include the script as part of the image when it is built.
To execute custom scripts using install.sh:
-
In the git repository of the project that will be used during s2i build, create a directory called
.s2i
. Inside the
s2i
directory, add a file called environment, with the following content:$ cat .s2i/environment CUSTOM_INSTALL_DIRECTORIES=extensions
-
Create a directory called
extensions
. In the
extensions
directory, create the file postconfigure.sh with contents similar to the following (replace placeholder code with appropriate code for your environment):$ cat extensions/postconfigure.sh #!/usr/bin/env bash echo "Executing patch.cli" $JBOSS_HOME/bin/jboss-cli.sh --file=$JBOSS_HOME/extensions/some-cli-example.cli
In the extensions directory, create the file install.sh with contents similar to the following (replace placeholder code with appropriate code for your environment):
$ cat extensions/install.sh #!/usr/bin/env bash set -x echo "Running $PWD/install.sh" injected_dir=$1 # copy any needed files into the target build. cp -rf ${injected_dir} $JBOSS_HOME/extensions
8.11.6. Environment variables
You can influence the way the build is executed by supplying environment variables to the s2i build
command. The environment variables that can be supplied are:
Variable name | Description |
---|---|
ARTIFACT_DIR |
The
Example value: |
ENABLE_GENERATE_DEFAULT_DATASOURCE |
Optional. When included with the value |
GALLEON_PROVISION_LAYERS | Optional. Instructs the S2I process to provision the specified layers. The value is a comma-separated list of layers to provision, including one base layer and any number of decorator layers.
Example value: |
GALLEON_PROVISION_CHANNELS |
This is a comma separated list of JBoss EAP channels. The EAP channel is identified by Note
The version is optional, which means that the latest channel will be retrieved. For JBoss EAP 8.0 Beta, use this channel |
GALLEON_PROVISION_FEATURE_PACKS |
Builds environment variable to specify a custom Galleon feature pack for your S2I image. For example: Note
When you set up the |
HTTP_PROXY_HOST | Host name or IP address of a HTTP proxy for Maven to use.
Example value: |
HTTP_PROXY_PORT | TCP Port of a HTTP proxy for Maven to use.
Example value: |
HTTP_PROXY_USERNAME |
If supplied with
Example value: |
HTTP_PROXY_PASSWORD |
If supplied with
Example value: |
HTTP_PROXY_NONPROXYHOSTS | If supplied, a configured HTTP proxy will ignore these hosts.
Example value: |
MAVEN_ARGS | Overrides the arguments supplied to Maven during build.
Example value: |
MAVEN_ARGS_APPEND | Appends user arguments supplied to Maven during build.
Example value: |
MAVEN_MIRROR_URL | URL of a Maven Mirror/repository manager to configure.
Example value: Note that the specified URL should be secure. For details see Secure artifact repository mirror URLs. |
MAVEN_CLEAR_REPO | Optionally clear the local Maven repository after the build. If the server present in the image is strongly coupled to the local cache, the cache is not deleted and a warning is printed.
Example value: |
APP_DATADIR | If defined, directory in the source from where data files are copied.
Example value: |
DATA_DIR |
Directory in the image where data from
Example value: |
For more information, see Building and running JBoss EAP applications on OpenShift Container Platform, which uses Maven and the S2I scripts included in the JBoss EAP for OpenShift image.
8.12. Single sign-On image
This image includes the Red Hat Single Sign-On-enabled applications.
For more information on deploying the Red Hat Single Sign-On for OpenShift image with the JBoss EAP for OpenShift image, see Deploy the Red Hat Single Sign-On-enabled JBoss EAP Image on the Red Hat Single Sign-On for OpenShift guide.
Variable name | Description |
---|---|
SSO_URL | URL of the Single Sign-On server. |
SSO_REALM | Single Sign-On realm for the deployed applications. |
SSO_PUBLIC_KEY | Public key of the Single Sign-On realm. This field is optional but if omitted can leave the applications vulnerable to man-in-the-middle attacks. |
SSO_USERNAME | Single Sign-On user required to access the Single Sign-On REST API.
Example value: |
SSO_PASSWORD |
Password for the Single Sign-On user defined by the
Example value: |
SSO_SAML_KEYSTORE |
Keystore location for SAML. Defaults to |
SSO_SAML_KEYSTORE_PASSWORD |
Keystore password for SAML. Defaults to |
SSO_SAML_CERTIFICATE_NAME |
Alias for keys/certificate to use for SAML. Defaults to |
SSO_BEARER_ONLY | Single Sign-On client access type. (Optional)
Example value: |
SSO_CLIENT |
Path for Single Sign-On redirects back to the application. Defaults to match |
SSO_ENABLE_CORS |
If |
SSO_SECRET | The Single Sign-On client secret for confidential access.
Example value: |
SSO_DISABLE_SSL_CERTIFICATE_VALIDATION |
If
Example value: |
8.13. Unsupported Transaction Recovery Scenarios
- JTS transactions are not supported in OpenShift.
- XTS transactions are not supported in OpenShift.
- The XATerminator interface that some third parties use for transaction completion and crash recovery flows is not supported in OpenShift.
- Transactions propagated over JBoss Remoting is Unsupported.
Transactions propagated over JBoss Remoting is supported using EAP operator.
8.14. Included JBoss modules
The table below lists included JBoss Modules in the JBoss EAP for OpenShift image.
JBoss Module |
---|
org.jboss.as.clustering.common |
org.jboss.as.clustering.jgroups |
org.jboss.as.ee |
org.jgroups |
org.openshift.ping |
net.oauth.core |
8.15. EAP Operator: API Information
The EAP operator introduces the following APIs:
8.15.1. WildFlyServer
WildFlyServer
defines a custom JBoss EAP resource.
Field | Description | Scheme | Required |
---|---|---|---|
| Standard object’s metadata | false | |
| Specification of the desired behaviour of the JBoss EAP deployment. | true | |
| Most recent observed status of the JBoss EAP deployment. Read-only. | false |
8.15.2. WildFlyServerList
WildFlyServerList
defines a list of JBoss EAP deployments.
Field | Description | Scheme | Required |
---|---|---|---|
| Standard list’s metadata | false | |
|
List of | true |
8.15.3. WildFlyServerSpec
WildFlyServerSpec
is a specification of the desired behavior of the JBoss EAP resource.
It uses a StatefulSet
with a pod spec that mounts the volume specified by storage on /opt/jboss/wildfly/standalone/data.
Field | Description | Scheme | Required |
---|---|---|---|
| Name of the application image to be deployed | string | false |
| the desired number of replicas for the application | int32] | true |
|
Spec to specify how a standalone configuration can be read from a | false | |
|
| false | |
|
Storage spec to specify how storage should be used. If omitted, an | false | |
| Name of the ServiceAccount to use to run the JBoss EAP pods | string | false |
|
List of environment variables present in the containers from | false | |
| List of environment variable present in the containers | false | |
|
List of secret names to mount as volumes in the containers. Each secret is mounted as a read-only volume at | string | false |
|
List of | string | false |
| Disable the creation a route to the HTTP port of the application service (false if omitted) | boolean | false |
| If connections from the same client IP are passed to the same JBoss EAP instance/pod each time (false if omitted) | boolean | false |
8.15.4. Resources
Resources
defines the configured resources for a WildflyServer
resource. If the Resources
field is not defined or Request
or Limits
is empty, this resource is removed from the StatefulSet
. The description of this resource is a standard Container
resource and uses the scheme for corev1.ResourceRequirements.
8.15.5. StorageSpec
StorageSpec
defines the configured storage for a WildFlyServer
resource. If neither an EmptyDir
nor a volumeClaimTemplate
is defined, a default EmptyDir
is used.
The EAP Operator configures the StatefulSet
using information from this StorageSpec
to mount a volume dedicated to the standalone/data directory used by JBoss EAP to persist its own data. For example, transaction log). If an EmptyDir
is used, the data does not survive a pod restart. If the application deployed on JBoss EAP relies on transaction, specify a volumeClaimTemplate
, so that the same persistent volume can be reused upon pod restarts.
Field | Description | Scheme | Required |
---|---|---|---|
|
| false | |
|
A PersistentVolumeClaim spec to configure | false |
8.15.6. StandaloneConfigMapSpec
StandaloneConfigMapSpec
defines how JBoss EAP standalone configuration can be read from a ConfigMap
. If omitted, JBoss EAP uses its standalone.xml
configuration from its image.
Field | Description | Scheme | Required |
---|---|---|---|
|
Name of the | string | true |
key |
Key of the | string | false |
8.15.7. WildFlyServerStatus
WildFlyServerStatus
is the most recent observed status of the JBoss EAP deployment. Read-only.
Field | Description | Scheme | Required |
---|---|---|---|
| The actual number of replicas for the application | int32 | true |
| selector for pods, used by HorizontalPodAutoscaler | string | true |
| Hosts that route to the application HTTP service | string | true |
| Status of the pods | true | |
| Number of pods that are under scale down cleaning process | int32 | true |
8.15.8. PodStatus
PodStatus
is the most recent observed status of a pod running the JBoss EAP application.
Field | Description | Scheme | Required |
---|---|---|---|
| Name of the pod | string | true |
| IP address allocated to the pod | string | true |
| State of the pod in the scale down process. The state is ACTIVE by default, which means it serves requests. | string | false |
Revised on 2022-12-16 12:08:58 UTC