Reputation: 272
Is it possible to setup Hyperledger Fabric network using RedHat Openshift in production?
Keeping in mind that "peer" node creates and starts "chaincode" container (dev-*) using communication path /var/run/docker.sock to the Docker demon, I have some doubts it is doable in production ready RH Openshift cluster.
Please correct me if I'm wrong, but the only solutions for running HLF components in Openshift clusters are:
a) step into Docker-In-Docker setup - cons: requires privileged containers in Openshift. It's unacceptable for production ready clusters.
b) run "chaincode" in dev-mode - cons: dev-mode is for development only. It's not suitable for production.
Starting "chaincode" containers outside Openshift cluster and communicate with them using TCP/IP connection is not possible because Openshift cluster uses layer7 reverse proxy for communication with pods.
so the question remains:
Q: Is it possible to setup HLF network using RedHat Openshift in production?
Upvotes: 1
Views: 697
Answers (2)
Reputation: 505
Yes, it is possible to run HLF in OpenShift, but DinD is required to do it right now on v1.4.4, and thus privileged pods. Properly securing the cluster can negate the risk and many, many organizations are running in production using OpenShift and Kube with privileged pods.
That being said, Fabric v2.0.0 will ship with a new chaincode model that will allow you to run Fabric without DinD. We are planning to release the official v2.0.0 release before the end of the month. If you want to test it out now, v2.0.0-beta is available here: https://github.com/hyperledger/fabric/releases/tag/v2.0.0-beta
Upvotes: 0
Reputation: 41
No immediate way around Docker in Docker ○ Security risk remains so evaluate risks before production use ○ setenforce permissive ■ Allows use of docker.sock ■ Make sure you change it on all the nodes ○ oc adm policy add-scc-to-user anyuid -z default ■ Privileged mode
Short term Brute force solution
● Look to use Secrets and ConfigMaps to replace host mounts
● Use NFS mounts where needed
○ oc adm policy add-scc-to-user hostmount-anyuid -z default
● Replace docker-compose, docker calls with:
○ kubectl , oc, podman,Buildah, kompose
● Convert docker-compose.yaml files with kompose
○ kompose convert --provider=openshift -f
■ Then edit and merge files
● Alternate (if fairly simple yaml file)
○ kompose up --provider==openshift -f
Read more from here: https://www.redhat.com/files/summit/session-assets/2019/T905A4.pdf
Upvotes: 0
Related Questions
- How to setup HyperLedger Fabric on production
- How to integrate Hyperledger Fabric Network and Hyperledger Composer
- Hyperledger-fabric setup in real systems
- Hyperledger fabric deployment (real network)
- Hyperledger Fabric on production
- Use hyperledger composer in production
- How to deploy Hyperledger Fabric V1.0 network in production level?
- How to set up a raspberry pi to a fabric network, to use hyperledger composer?
- Using Hyperledger Fabric in production
- Hyperledger Fabric Network Setup on Ubuntu