Red Hat OpenShift 4.x: Adding a new user with admin rights

Getting Started

Once the initial baremetal OpenShift 4.6 IPI install is complete, you will see output similar to what is shown below.

This output contains the URL for the OpenShift WebUI along with the “kubeadmin” password. You will be able to log into the WebUI using these credentials.

If you forget your kubeadmin login (which you will, because it’s ugly), you will be able to find it in the auth directory.

{ocptest}[kni@bastion ~]$ cat clusterconfigs/auth/kubeadmin-password 
WMAWX-QkGc3-IQKy2-XJDI6

Upon initial login to the WebUI you will see a blue bar near the top of the page – as shown below.

Adding a New User with Admin Rights

Bottom line, the OpenShift “kubeadmin” password is not user friendly. In my lab I do not want to have to look it up each time I attempt to access the webui. I need simple and easy to remember credentials.

So I am going to create a new admin user. In the example below I am creating a user named ‘admin’ with the password of ‘admin’.

I am working in a homelab, so security is not exactly a priority.

{ocp}[kni@bastion ~]$ htpasswd -c -B -b users.htpasswd admin admin
Adding password for user admin

Now I define a secret which uses the HTPasswd user file as shown below.

{ocp}[kni@bastion ~]$ oc create secret generic htpass-secret --from-file=htpasswd=/home/kni/users.htpasswd -n openshift-config
secret/htpass-secret created

Next, I create a custom resource (htpasswd.cr) that defines the use of the HTPasswd identity provider. This file is straight out of the user doc and is unmodified.

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: my_htpasswd_provider 
    mappingMethod: claim 
    type: HTPasswd
    htpasswd:
      fileData:
        name: htpass-secret 

Now we apply the Custom Resource (CR) via oc apply.

{ocp}[kni@bastion ~]$ oc apply -f /home/kni/htpasswd.cr
oauth.config.openshift.io/cluster configured

Now let’s test your new id and password on the CLI. If the step below fails, you will need to start all over again.

{ocp}[kni@bastion ~]$ oc login -u admin
Authentication required for https://api.ocp.lab.localdomain:6443 (openshift)
Username: admin
Password: 
Login successful.

You have access to 59 projects, the list has been suppressed. You can list all projects with ' projects'

Using project "default".

Confirm URL for WebUI.

{ocp}[kni@bastion ~]$ oc whoami --show-console
https://console-openshift-console.apps.ocp.lab.localdomain

Navigate to the URL above and select my_htpasswd_provider. Enter your new credentials. At this point you should be able to login without issue. If not, please work through the process again.

Troubleshooting

If you do run into errors, delete the files that you created and run the command below to delete the secret.

oc delete secret htpass-secret -n openshift-config

At this point you should be able to repeat the procedure and check for errors.
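One thing to check before recreating the secret is the users.htpasswd file itself. The script below is an added example, not part of the original post or of oc/httpd-tools: check_htpasswd is a hypothetical helper that confirms every line is a user:hash pair, that each hash is bcrypt (what the -B flag writes) and that no user appears twice. The sample entries are constructed and are not real password hashes.

```shell
#!/bin/sh
# Added example: lint an htpasswd file before loading it into htpass-secret.
# check_htpasswd is a hypothetical helper name, not an oc or httpd-tools command.

check_htpasswd() {
    # Prints one finding per problem; returns 0 only when the file is clean.
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; problems++ }
    /^[ \t]*$/ { next }                          # ignore blank lines
    {
        sep = index($0, ":")                     # split at the first colon
        if (sep < 2) { bad("no user:hash pair"); next }
        user = substr($0, 1, sep - 1)
        hash = substr($0, sep + 1)
        if (seen[user]++) bad("duplicate user " user)
        # bcrypt: $2a$/$2b$/$2y$, two-digit cost, 60 characters in total
        if (hash ~ "^\\$2[aby]\\$[0-9][0-9]\\$[./A-Za-z0-9]+$" && length(hash) == 60)
            next
        if (substr(hash, 1, 6) == "$apr1$")
            bad(user ": MD5 (apr1) hash, not bcrypt")
        else if (substr(hash, 1, 5) == "{SHA}")
            bad(user ": unsalted SHA-1 hash, not bcrypt")
        else
            bad(user ": unrecognised or plaintext value")
    }
    END { exit (problems > 0) }
    ' "$1"
}

# Constructed sample: one bcrypt-shaped entry, one apr1 entry, one duplicate.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
ops:$apr1$constructed$notARealHashValue000000
admin:changeme
EOF
check_htpasswd "$sample" || echo "users.htpasswd needs fixing before it goes into the secret"
rm -f "$sample"
```

Run it as check_htpasswd /home/kni/users.htpasswd; a zero exit status means every entry has the shape htpasswd -B produces.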

Reference

https://docs.openshift.com/container-platform/4.5/authentication/identity_providers/configuring-htpasswd-identity-provider.html#identity-provider-creating-htpasswd-file-linux_configuring-htpasswd-identity-provider

RHEL 8/CentOS 8: Install and Enable Libvirt

[root@bastion ~]$  dnf module install virt 
[root@bastion ~]$  dnf install virt-install virt-viewer
[root@bastion ~]$  systemctl start libvirtd
[root@bastion ~]$  systemctl enable libvirtd
[root@bastion ~]$  systemctl status libvirtd
● libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-12-14 15:16:44 EST; 8s ago
     Docs: man:libvirtd(8)
           https://libvirt.org
 Main PID: 33522 (libvirtd)
    Tasks: 19 (limit: 32768)
   Memory: 22.2M
   CGroup: /system.slice/libvirtd.service
           ├─33522 /usr/sbin/libvirtd --timeout 120
           ├─33653 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─33654 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper

[root@bastion ~]$  virsh list --all
 Id   Name   State
--------------------

Enhanced Platform Awareness in Red Hat OpenShift


Four part series published on Medium.com

Enhanced Platform Awareness (EPA) in OpenShift — Part I, HugePages

Enhanced Platform Awareness (EPA) in OpenShift — Part II, CPU pinning

Enhanced Platform Awareness (EPA) in OpenShift — Part III, NUMA Topology Awareness

Enhanced Platform Awareness (EPA) in OpenShift — Part IV, SR-IOV, DPDK and RDMA

 

Installing RHEL 8.1 on Dell R710/R610 with H700 Raid Controller


Introduction

A large number of storage controller drivers have been removed from RHEL 8.x, which means that the Dell R710/R610 with the H700 RAID controller no longer supports RHEL 8.x natively. While this fact is unfortunate for a lot of hobbyists with their own homelabs, you can still install RHEL 8.x on these machines with the use of a driver update disk (DUD).

Setup

Using the link below, navigate and download the deprecated drivers.

https://elrepo.org/linux/dud/el8/x86_64

For the Dell R710/R610, you are specifically looking for the megaraid_sas drivers. See output below from R610.

# dmesg | grep raid
[ 1.402339] megaraid_sas 0000:03:00.0: FW now in Ready state
[ 1.402346] megaraid_sas 0000:03:00.0: 64 bit DMA mask and 32 bit consistent mask
[ 1.402571] megaraid_sas 0000:03:00.0: irq 34 for MSI/MSI-X
[ 1.402593] megaraid_sas 0000:03:00.0: firmware supports msix : (0)

The specific DUD iso that you need for RHEL 8.1 is shown below.

https://elrepo.org/linux/dud/el8/x86_64/dd-megaraid_sas-07.707.51.00-1.el8_1.elrepo.iso

Installation

The install process is as follows.

  1. Download RHEL 8.x media and burn to dvd or usb drive
  2. Download deprecated drivers in iso format and burn to usb drive
  3. Boot with both RHEL 8.x media and DUD mounted
  4. The installer should detect the DUD iso and install the proper drivers

Special Note: In my testing (3 systems) the DUD was not automatically detected by Anaconda.  I suggest using the method below.

 

Troubleshooting

When you burn your DUD to a USB stick, make sure that the USB drive’s volume label is OEMDRV. This was the default when I burned the iso. The RHEL installer (anaconda) will look for this label on any and all available disks and should automatically recognize the DUD and mount the usb drive.

However, if this does not occur during the install process, and the installer still does not see your disks, you may need to reboot and this time interrupt the installer with the TAB key and append the following to your boot options.

inst.dd=/dev/sdb1

On my system, the DUD was /dev/sdb1 and the RHEL 8.1 install media was /dev/sda.

Resources:

https://access.redhat.com/discussions/3722151

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#updating-drivers-during-installation_installing-rhel-as-an-experienced-user

https://elrepo.org/linux/dud/el8/x86_64

https://serverfault.com/questions/908209/how-to-add-a-dud-driver-to-centos-rhel-7-media-without-network

 

Red Hat: Identity Management Server Setup and HA on RHEL 7


Introduction

Red Hat Identity Management Server is a centralized identity management server for Linux, Mac, and Windows.

In this post we are going to set up and configure an HA deployment of Red Hat IDM on two RHEL 7.x servers.

Red Hat Identity Management Server is based on the upstream project, FreeIPA.

Prerequisites

Only a couple of prerequisites for a simple lab setup

  • You need working DNS with forward and reverse entries for both IDM servers
  • NSCD needs to be disabled on each IDM server
  • Proper hostname needs to be set on each IDM node (cannot use localhost)
  • IPV6 needs to be enabled, but you do not need to have an IPV6 address on external interfaces


OpenSCAP Part 3: Running Scans from the Command Line in RHEL 7


Introduction

In part 1 of this series we were introduced to OpenSCAP and the process of running scans via the SCAP workbench. In part 2, we explored concepts and components that define security/vulnerability scans. In this 3rd post we are going to dive into the command line operation.

Let’s get started with oscap.

Installing oscap

In RHEL 7, oscap can be installed with the following command.

# yum -y install scap-security-guide openscap-scanner

Content is installed under the following directory. Note that ssg is short for SCAP Security Guide.

/usr/share/xml/scap/ssg/content

Let’s change directories to the one listed above and view the installed files.

Screenshot from 2019-07-24 15-58-04

Using oscap we can view more info on each file shown above. In this example we are going to inspect the ssg-rhel7-ds.xml file.

# oscap info ssg-rhel7-ds.xml


OpenSCAP Part 2: SCAP Content for RHEL 7


Introduction

In part one of the OpenSCAP series we were introduced to the basic usage of the OpenSCAP toolset. In that post we learned how to run a basic scan via the scap-workbench in a desktop environment.

This post will focus on the Content, Profiles, and Targets.

Content

All content will be installed in the directory shown below.  The content in this directory will vary based on the installed OS (the content on my Fedora differs from RHEL for example).

/usr/share/xml/scap/ssg/content

The screenshot below contains a list of content installed by default on RHEL 7.

Screenshot from 2019-07-24 15-58-04.png

Additional content can be obtained and added to the content directory shown above.  For example, NIST content can be downloaded directly from the NIST website. Link below.

National Checklist Program Repository

In the screenshot below we have performed a search for all content that targets RHEL 7.6.

Screenshot from 2019-07-25 11-45-44.png

 
