Customizing EAP 7 Template buildconfig deployment in OCP 4

Solution Verified - Updated 13 Jun 2024

Environment

Red Hat JBoss Enterprise Application Platform (EAP)
- 7.x
Red hat OpenShift Container Platform (OCP)
- 4.x

Issue

How to customize EAP 7 buildconfig?

Resolution

EAP 7 deployment via template will create one deployment config, all services, serviceaccounts, RBAC policies, two buildconfig, and image.
The template will create two configbuild one: one type dockerfile for the EAP and one type source, for the application.
After the deployment so then user can edit the buildconfig's source.type dockerfile for the one below - which is the buildconfig for customizing the EAP image, see example below.

Example

The example below source.dockerfile was append to include an custom env variable and to update the timezone package - the example below can be useful for Egypt will reintroduce Daylight Saving Time (DST) in 2023:

kind: BuildConfig
apiVersion: build.openshift.io/v1
...
  source:
    type: Dockerfile
    dockerfile: |-
      FROM jboss-eap74-openjdk11-runtime-openshift:7.4.0
      COPY /server $JBOSS_HOME
      USER root
      RUN chown -R jboss:root $JBOSS_HOME && chmod -R ug+rwX $JBOSS_HOME
      RUN yum update -y tzdata tzdata-java
      ENV MYLABEL="thatsacustomEAPimage"  
      USER jboss
      CMD $JBOSS_HOME/bin/openshift-launch.sh

See below above start-build command and the deployment of the image on deployment.yaml/deploymentconfig.yaml.

start-build command

The update on the buildconfig is not enough for a new deployment, user need to push the build: $ oc start-build bc/eap-app - which forces a new build with the new custom configuration - above.
The build command will force a new build, then deployment, and finally one pod with the EAP image:

$ oc get pod
oc rsh NAME                              READY   STATUS      RESTARTS   AGE
eap-app-1-deploy                  0/1     Completed   0          53m
eap-app-2-build                   0/1     Completed   0          53m
eap-app-2-deploy                  0/1     Completed   0          19m
eap-app-3-74j7m                   0/1     Running     0          9s
eap-app-3-deploy                  1/1     Running     0          15s
eap-app-4-build                   0/1     Completed   0          19m
eap-app-5-build                   0/1     Completed   0          51s
eap-app-build-artifacts-1-build   0/1     Completed   0          57m
$ oc rsh eap-app-3-74j7m
sh-4.4$ echo $MYLABEL 
thatsacustomEAPimage

Example above shows user can add a custom label/env variable inside the EAP container and update the timezone package in the ubi 8 image.

Deployment of that image by EAP 7

If the deployment/deploymentconfig has the annotation image.openshift.io/triggers set, so then a change on the image will trigger a new EAP 7 deployment - automatically.
However, if that's not the case then the user needs to update the imagestream/image stream tag to be sure the latest image (tag) is correctly used.

Two main recommendation deploying EAP images via OCP BuildConfig:

a- Usage of triggering annotations (image.openshift.io/triggers): It is important as well for the deployment not to be decoupled from the build itself. Removing the trigger annotation means the deployment might have different images in case they are not restarted.

b- Use digest instead of tag: otherwise the same tag:latest can mean different images

Root Cause

EAP 7 allows Template deployment and EAP Operator.
EAP template will create deployment config, all services, serviceaccounts, RBAC policies, buildconfig, and image. In regard to the image itself, the process creates two configbuild one: one type dockerfile for the EAP and one type source, for the application.
Example:

$ oc get bc
NAME                      TYPE     FROM         LATEST
eap-app                   Docker   Dockerfile   5 <----------- EAP 7
eap-app-build-artifacts   Source   Git@main     1 <----------- application

Setting logmanager and FIPS disablement on image

User can specify the JAVA_OPTS/JAVA_OPTS_APPEND in case needed for example:

JAVA_OPTS="-Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dcom.redhat.fips=false"

Diagnostic Steps

The outside injection via a Dockerfile via dockerstrategy, like github, the user comes as root not as jboss user, despite the fact the default user on EAP image be jboss user.

SBR

JBoss Base AS

Product(s)

Red Hat JBoss Enterprise Application Platform

Components

jbossas

Category

JBoss EAP for OpenShift

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.