LDAP configuration on OCI compute using FaaS

• Intro
• OCIR (OCI Registry)
• Application
• fn-hotwrap
• Build function
• Deploy function
• Invoke function
• fn-python
• Build function
• Deploy function
• Invoke function
• Github location

Intro

OCIR (OCI Registry)

Application

fn-hotwrap

• In OCI shell, create working location, like /home/zarko/fn/ldap_hotwrap
• Create your code, in this case there is the shell scripts ldap_config.sh (LDAP configuration), and public key for opc user (id_rsa-opc)
• Create func.yaml (metadata definition file, to describe function)

# schema version determines supported fields schema_version: 20180708 # name matches directory name containing the code name: ldap-hotwrap version: 0.0.1 # 2min for function execution timeout: 120

• Create Dockerfile (ENV COMPUTE is hard-coded, so this is one time use fn, it has to be re-built for each host)

FROM docker.io/oraclelinux:7 # Install hotwrap binary in the container COPY --from=fnproject/hotwrap:latest /hotwrap /hotwrap # Function runs by fn user (uid 1000), it has to be created # RUN commit changes into new image during build time RUN groupadd --gid 1000 fn && \ adduser --uid 1000 --gid fn -d /home/fn fn && \ mkdir -p /home/fn/.ssh && chown -R fn:fn /home/fn/.ssh && chmod 700 /home/fn/.ssh COPY id_rsa-opc /home/fn/.ssh/id_rsa-opc RUN chown fn:fn /home/fn/.ssh/id_rsa-opc && chmod 400 /home/fn/.ssh/id_rsa-opc COPY ldap_config.sh /ldap_config.sh # hard-coded OCI compute name ENV COMPUTE <oci-compute-name> RUN echo $COMPUTE > /compute.txt # CMD defines argument for ENTRYPOINT CMD "/bin/scp -i /home/fn/.ssh/id_rsa-opc -o \"StrictHostKeyChecking no\" /ldap_config.sh opc@`echo $COMPUTE`:/tmp && /bin/ssh -i /home/fn/.ssh/id_rsa-opc -o \"StrictHostKeyChecking no\" opc@`echo $COMPUTE` \"sudo /tmp/ldap_config.sh\" " # Defines what to executes during container runtime ENTRYPOINT ["/hotwrap"]

Build function

In OCI console shell, build the function, with verbose (or DEBUG=1 in front of fn):

fn -v build

Deploy function

This creates a function (function name is same as directory name) within application (ldap-app), and pushes Docker image into OCIR.

Syntax: fn -v deploy --app <application-name> Ex: fn -v deploy --app ldap-app

Check OCI console web interface to see a function, and check OCI to see repo with image you just created/deployed.

Invoke function

The function can be invoked from OCI shell (if app and compute are in same VCN subnet) or on-prem host (requirement is to have proper ~/.oci/config).
• Using oci command, need to know function ocid

oci fn function invoke \ --function-id ocid1.fnfunc.oc1.iad.aaaa-shortened-wdka \ --file "-" --body ""

• Using fn command from OCI console shell or on-prem host (need to install fn with: curl -LSs https://raw.githubusercontent.com/fnproject/cli/master/install | sh )

Syntax: fn -v invoke <application-name> <function-name> Ex: fn -v invoke ldap-app ldap-hotwrap

That's it, function metrics read the ldap configuration takes about 40 sec. Now SSH to compute with you ldap account.

fn-python

The python FDK lets you write functions in python 3.6/3.7 (visit fdk-python on GitHub ). To build function, create working directory named as function. The files we have are:
• id_rsa-opc (opc user private key)
• ldap_config.sh (script to configure LDAP)
• requirements.txt (contains list of modules to be installed via pip3, here it's only "fdk>=0.1.16")
• Dockerfile

  FROM oraclelinux:8 RUN groupadd --gid 1000 fn && \ adduser --uid 1000 --gid fn -d /home/fn fn && \ mkdir -p /home/fn/.ssh && chown -R fn:fn /home/fn/.ssh && chmod 700 /home/fn/.ssh WORKDIR /function ADD requirements.txt /function/ ADD id_rsa-opc /home/fn/.ssh RUN yum -y install python36 && pip3 install --no-cache --no-cache-dir -r requirements.txt && \ rm -fr ~/.cache/pip /tmp* requirements.txt func.yaml Dockerfile .venv && \ chown fn:fn /home/fn/.ssh/id_rsa-opc && chmod 400 /home/fn/.ssh/id_rsa-opc ADD . /function/ RUN rm -fr /function/.pip_cache ENTRYPOINT ["/usr/local/bin/fdk", "/function/func.py", "handler"]

• func.py (my code)

  import os import sys import io import json from fdk import response def handler(ctx, data: io.BytesIO=None): """ input is '{"compute" : "some oci compute"}', invoke function as: $ echo -n '{"ocicompute" : "some-oci-compute-fqdn"}' | fn -v invoke ldap-app fn-python """ body = json.loads(data.getvalue()) ocicompute = body["ocicompute"] resp = ldap_cfg(ocicompute) return response.Response( ctx, response_data=json.dumps(resp), headers={"Content-Type": "application/json"} ) # ----- my code def ldap_cfg(ocicompute): opc_public_key="/home/fn/.ssh/id_rsa-opc" try: os.system('ssh -i %s -o "StrictHostKeyChecking no" opc@%s "sudo bash -s" < /function/ldap_config.sh >/dev/null' % (opc_public_key, ocicompute)) except Exception as err: # general exception sys.exit("Error: {0}".format(err)) resp = ("LDAP is configured on " + ocicompute) return resp

• func.yaml (metadata definition file, describing function)

  schema_version: 20180708 name: fn-python version: 0.0.1 runtime: python entrypoint: /usr/local/bin/fdk /function/func.py handler memory: 256 timeout: 120

Build function

fn -v build

Deploy function

Syntax: fn -v deploy <application-name> Example: fn -v deploy --app ldap-app

Invoke function

Syntax: $ echo -n '{"ocicompute" : "some-oci-compute-name"}' | fn -v invoke <applicattion-name> <function-name> Ex: $ echo -n '{"ocicompute" : "instance-20200706-2139.devops.tenancylhr.oraclevcn.com"}' | fn -v invoke ldap-app fn-python

Now SSH to compute with you ldap account.

GitHub location



Back to the main page