Before deploying OpenFaaS, you should provision a Kubernetes cluster.
Installing OpenFaaS (an overview)¶
There are many options for deploying a local or remote cluster. You can read about the various Kubernetes distributions here.
The Pi Hole Docker install is well documented and quite nicely done. After installing Docker on the Raspberry Pi it was an easy git clone, a couple of modifications to select my timezone and preferred DNS servers (CloudFlare 1.1.1.1), then docker-compose up, and we were in business. 2 weeks back in Dockercon 2019 San Francisco, Docker & ARM demonstrated the integration of ARM capabilities into Docker Desktop Community for the first time. Docker & ARM unveiled go-to-market strategy to accelerate Cloud, Edge & IoT Development. These two companies have planned to streamline the app development tools for cloud, edge, and internet of things environments built on. To use the upcoming Fedora nextcloud container on an EL7 box using docker/runc. However, that decision is indeed still a little way off. In terms of Fedora at least Nextcloud will be maintained so long as it exists. I ended up packaging NC 10 rather than the 11 build to get through the review quicker as there were some dependency issues.
Once you have a cluster, you can follow the detailed instructions on this page.
- Install OpenFaaS CLI
- Deploy OpenFaaS using via helm or arkade
- Find your OpenFaaS gateway address
- Retrieve your gateway credentials
- Log in, deploy a function, and try out the UI.
From there, you should consider: adding a TLS certificate with Ingress, switching to the OIDC/OAuth2 plugin for authentication, and tuning-up for production use.
Build your cluster¶
Local clusters¶
Below are the most popular ways to run a local Kubernetes cluster, but OpenFaaS should run on any.
- k3d - makes k3s available on any computer where Docker is also running
- KinD - upstream Kubernetes running inside a Docker container.
- k3s - a light-weight Kubernetes distribution ideal for edge and development - compatible with Raspberry Pi & ARM64 (Equinix Metal, AWS Graviton, etc)
- minikube - a popular, but heavy-weight option that creates a Linux virtual machine your computer using VirtualBox or similar
- microk8s - a Kubernetes distribution, specifically for Ubuntu users.
Remote/managed options¶
You can run k3s
and k3d
on a single node Virtual Machine so that you don't have to run Kubernetes on your own computer.
- The k3sup ('ketchup') tool can help you to do this by installing k3s onto a remote VM
Kubernetes services/engines:
A guide is available for configuring minikube here:
Tip
Are you using Google Kubernetes Engine (GKE)? You'll need to create an RBAC role with the following command:
Also, ensure any default load-balancer timeouts within GKE are understood and configured appropriately.
Install the faas-cli
¶
Windows users are encouraged to download Git Bash for use with the OpenFaaS guides and tooling.
You can install the OpenFaaS CLI using curl
on MacOS, Windows (Git Bash) and Linux.
The CLI is also available on brew
for MacOS users, however it may lag behind by a few releases:
Install the OpenFaaS chart using arkade
or helm
¶
There are three recommended ways to install OpenFaaS and you can pick whatever makes sense for you and your team.
1) Helm with arkade install
- arkade installs OpenFaaS to Kubernetes using its official helm chart and is the easiest and quickest way to get up and running.2) helm
client - sane defaults and easy to configure through YAML or CLI flags. Secure options such as helm template
or helm 3
also exist for those working within restrictive environments.3) With GitOps tooling. You can install OpenFaaS and keep it up to date with Flux or ArgoCD.
1) Deploy the Chart with arkade
(fastest option)¶
The arkade install
command installs OpenFaaS using its official helm chart, but without using tiller
, a component which is insecure by default. arkade can also install other important software for OpenFaaS users such as cert-manager
and nginx-ingress
. It's the easiest and quickest way to get up and running.
You can use arkade to install OpenFaaS to a regular cloud cluster, your laptop, a VM, a Raspberry Pi, or a 64-bit ARM machine.
- Get arkade
- Install the OpenFaaS
app
If you're using a managed cloud Kubernetes service which supplies LoadBalancers, then run the following:
Note: the --load-balancer
flag has a default of false
, so by passing the flag, the installation will request one from your cloud provider.
If you're using a local Kubernetes cluster or a VM, then run:
After the installation you'll receive a command to retrieve your OpenFaaS URL and password.
Other options for installation are available with arkade install openfaas --help
For cloud users run kubectl get -n openfaas svc/gateway-external
and look for EXTERNAL-IP
. This is your gateway address.
2) Deploy the Chart with helm
¶
A Helm chart is provided in the faas-netes
repository. Follow the link below then come back to this page.
Using Raspberry Pi and ARM¶
Use arkade
to install OpenFaaS, it will determine the correct files and container images to install OpenFaaS on an ARM device.
To build and deploy images for Raspberry Pi and ARM, see the notes here: Building multi-arch images for ARM and Raspberry Pi
For a complete tutorial (including OpenFaaS) see:
- Tutorial: Walk-through — install Kubernetes to your Raspberry Pi in 15 minutes
- Video: Kubernetes Homelab with Raspberry Pi 4
For the Function Store, use the --platform
flag to filter to compatible images:
For 64-bit ARM OSes use --platform arm64
instead.
Getting help, expert installations and proof-of-concepts¶
- You can get help by connecting with the community on the Community Page.
- OpenFaaS Ltd offers expert installation, proof-of-concepts, and architecture reviews. Get in touch at: sales@openfaas.com to find out more.
- The OpenFaaS Premium Subscription offers enterprise-grade authentication with SSO and OpenID Connect (OIDC).
- Guidelines are also provided for preparing for production and for performance testing.
Learn the OpenFaaS fundamentals¶
The community has built a workshop with 12 self-paced hands-on labs. Use the workshop to begin learning OpenFaaS at your own pace:
You can also find a list of community tutorials, events, and videos.
A walk-through video shows auto-scaling in action and the Prometheus UI: walk-through video.
Troubleshooting¶
If you are running into any issues please check out the troubleshooting guide and search the documentation / past issues before raising an issue.
Advanced¶
This section covers additional advanced topics beyond the initial deployment.
Deploy with TLS¶
To enable TLS while using Helm, try one of the following references:
Use a private registry with Kubernetes¶
If you are using a hosted private Docker registry (Docker Hub, or other),in order to check how to configure it, please visit the Kubernetes documentation.
If you try to deploy using faas-cli deploy
it will fail because the Kubernetes kubelet component will not have credentials to authorize the docker image pull request.
Once you have pushed an image to a private registry using faas-cli push
follow the instructions below to either create a pull secret that can be referenced by each function which needs it, or create a secret for the ServiceAccount in the openfaas-fn
namespace so that any functions which need it can make use of it.
If you need to troubleshoot the use of a private image then see the Kubernetes section of the troubleshooting guide.
You can set up your own private Docker registry using this tutorial: Get a TLS-enabled Docker registry in 5 minutes
Option 1 - use an ad-hoc image pull secret¶
To deploy your function(s) first you need to create an Image Pull Secret with the commands below.
Setup some environmental variables:
Then run this command to create the secret:
Note if not using the Docker Hub you will also need to pass --docker-server
and the address of your remote registry.
The secret must be created in the openfaas-fn
namespace or the equivalent if you have customised this.
Create a sample function with a --prefix
variable:
Update the stack.yml
file and add a reference to the new secret:
Now deploy the function using faas-cli up
.
Option 2 - Link an image pull secret to the namespace's ServiceAccount¶
Rather than specifying the pull secret for each function that needs it you can bind the secret to the namespace's ServiceAccount. With this option you do not need to update the secrets:
section of the stack.yml
file.
Create the image pull secret in the openfaas-fn
namespace (or equivalent):
If needed, pass in the --docker-server
address.
Use the following command to edit the default ServiceAccount's configuration:
At the bottom of the manifest add:
Save the changes in the editor and this configuration will be applied.
The OpenFaaS controller will now deploy functions with images in private repositories without having to specify the secret in the stack.yml
file.
Set a custom ImagePullPolicy¶
Kubernetes allows you to control the conditions for when the Docker images for your functions are pulled onto a node. This is configured through an imagePullPolicy.
There are three options:
Always
- pull the Docker image from the registry every time a deployment changesIfNotPresent
- only pull the image if it does not exist in the local registry cacheNever
- never attempt to pull an image
By default, deployed functions will use an imagePullPolicy
of Always
, which ensures functions using static image tags (e.g. 'latest' tags) are refreshed during an update. This behavior is configurable in faas-netes
via the image_pull_policy
environment variable.
If you're using helm you can pass a configuration flag:
If you're using the plain YAML files then edit gateway-dep.yml
and set the following for faas-netes
:
Notes on picking an 'imagePullPolicy'¶
As mentioned above, the default value is Always
. Every time a function is deployed or is scaled up, Kubernetes will pull a potentially updated copy of the image from the registry. If you are using static image tags like latest
, this is necessary.
When set to IfNotPresent
, function deployments may not be updated when using static image tags like latest
. IfNotPresent
is particularly useful when developing locally with minikube. In this case, you can set your local environment to use minikube's docker so faas-cli build
builds directly into the Docker library used by minikube. faas-cli push
is unnecessary in this workflow - use faas-cli build then faas-cli deploy.
When set to Never
, only local (or pulled) images will work. This is useful if you want to tightly control which images are available and run in your Kubernetes cluster.
Estimated reading time: 4 minutes
Welcome! We are excited that you want to learn Docker.
This page contains step-by-step instructions on how to get started with Docker. In this tutorial, you’ll learn how to:
- Build and run an image as a container
- Share images using Docker Hub
- Deploy Docker applications using multiple containers with a database
- Running applications using Docker Compose
In addition, you’ll also learn about the best practices for building images, including instructions on how to scan your images for security vulnerabilities.
If you are looking for information on how to containerize an application using your favorite language, see Language-specific getting started guides.
We also recommend the video walkthrough from DockerCon 2020.
Download and install Docker
This tutorial assumes you have a current version of Docker installed on yourmachine. If you do not have Docker installed, choose your preferred operating system below to download Docker:
For Docker Desktop installation instructions, see Install Docker Desktop on Mac and Install Docker Desktop on Windows.
Start the tutorial
If you’ve already run the command to get started with the tutorial, congratulations! If not, open a command prompt or bash window, and run the command:
You’ll notice a few flags being used. Here’s some more info on them:
-d
- run the container in detached mode (in the background)-p 80:80
- map port 80 of the host to port 80 in the containerdocker/getting-started
- the image to use
Tip
Docker On Raspberry
You can combine single character flags to shorten the full command.As an example, the command above could be written as:
The Docker Dashboard
Before going too far, we want to highlight the Docker Dashboard, which givesyou a quick view of the containers running on your machine. The Docker Dashboard is available for Mac and Windows. It gives you quick access to container logs, lets you get a shell inside the container, and lets youeasily manage container lifecycle (stop, remove, etc.).
To access the dashboard, follow the instructions for either Mac or Windows. If you open the dashboardnow, you will see this tutorial running! The container name (jolly_bouman
below) is arandomly created name. So, you’ll most likely have a different name.
What is a container?
Now that you’ve run a container, what is a container? Simply put, a container issimply another process on your machine that has been isolated from all other processeson the host machine. That isolation leverages kernel namespaces and cgroups, features that have been in Linux for a long time. Docker has worked to make these capabilities approachable and easy to use.
Creating containers from scratch
If you’d like to see how containers are built from scratch, Liz Rice from Aqua Securityhas a fantastic talk in which she creates a container from scratch in Go. While she makesa simple container, this talk doesn’t go into networking, using images for the filesystem, and more. But, it gives a fantastic deep dive into how things are working.
What is a container image?
When running a container, it uses an isolated filesystem. This custom filesystem is provided by a container image. Since the image contains the container’s filesystem, it must contain everything needed to run an application - all dependencies, configuration, scripts, binaries, etc. The image also contains other configuration for the container, such as environment variables,a default command to run, and other metadata.
We’ll dive deeper into images later on, covering topics such as layering, best practices, and more.
Info
If you’re familiar with chroot
, think of a container as an extended version of chroot
. Thefilesystem is simply coming from the image. But, a container adds additional isolation notavailable when simply using chroot.
CLI references
Docker On Raspberry Pi Ubuntu Server
Refer to the following topics for further documentation on all CLI commands used in this article: