Che on OpenShift

Brad Micklea
Published in Eclipse Che Blog
Sep 25, 2017

[This post is updated with the latest on running Eclipse Che on the Red Hat OpenShift Kubernetes Platform.]

Today you can run the open source Eclipse Che project (licensed under the enterprise-friendly Eclipse Foundation EPL 2.0 license) on any Kubernetes distribution, including Red Hat OpenShift.

For those looking to try that out, see our documentation for Eclipse Che 7 or Eclipse Che 6.

Red Hat has also brought to market a subscription that enables any customer of OpenShift to get global support from Red Hat for their distribution of Eclipse Che, which is called CodeReady Workspaces (product overview and docs).

The original post outlines some of the benefits of using OpenShift with Eclipse Che or CodeReady Workspaces.

[Original Post from 2018]

For the past several months the Red Hat team has been working on changes to Eclipse Che that would allow it to use OpenShift (OKD or Red Hat OpenShift) as its container engine.

Last week we updated Che documentation to explain how to run single-user or multi-user Che on OpenShift.

This month we also made our first release of Red Hat CodeReady Workspaces, which is a Red Hat supported packaging of Eclipse Che targeted at enterprises and ISVs who want to take advantage of Che’s power in their private installations (behind a firewall) with the full support of Red Hat behind them. You can find more details about CodeReady Workspaces on the Red Hat Developer Portal.

We’d love to get your feedback — talk to us on Mattermost, send emails to che-dev@eclipse.org or file issues in the Che GitHub repo.

Advantages of running Che on OpenShift

OpenShift is the leading distribution of enterprise-grade Kubernetes. It is Kubernetes, but with security and operational features focused on large-scale enterprise use cases and backed by Red Hat’s renowned support.

Improved Security

Che and the workspace agents are run in unprivileged containers. sudo commands are not allowed and access to the Docker socket is forbidden. Moreover, the only TCP port that is exposed by Che and its agents is port 80. As a consequence, if a malicious user gets access to your workspace terminal, or if a Docker vulnerability is exploited in the wild (e.g. CVE-2016-8867), the damage that can be done to your infrastructure is limited.
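
One way to check the properties described above against a pod manifest, as an added example that is not code from the Che project or from the original post: it flags privileged containers, containers running as UID 0 and mounts of the host's Docker socket. Mapping the post's claims onto these Kubernetes fields is an assumption, and the manifests and names in it are constructed samples.

```python
import json

# Host paths under which the Docker daemon socket is normally found.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit_pod(pod):
    """Return findings for one Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    # Names of volumes that are backed by the host's Docker socket.
    sock_vols = {v.get("name") for v in spec.get("volumes", [])
                 if (v.get("hostPath") or {}).get("path") in DOCKER_SOCKETS}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
        # Container-level runAsUser overrides the pod-level one; unset is not flagged.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            findings.append(f"{name}: runs as root (UID 0)")
        for m in c.get("volumeMounts", []):
            if m.get("name") in sock_vols:
                findings.append(f"{name}: mounts the Docker socket")
    return findings

# Constructed sample manifests (not taken from a real Che deployment).
COMPLIANT = json.loads("""{"spec": {
  "securityContext": {"runAsUser": 1000140000},
  "volumes": [{"name": "projects",
               "persistentVolumeClaim": {"claimName": "claim-che-workspace"}}],
  "containers": [{"name": "dev-machine",
                  "securityContext": {"privileged": false},
                  "volumeMounts": [{"name": "projects", "mountPath": "/projects"}]}]}}""")

VIOLATING = json.loads("""{"spec": {
  "volumes": [{"name": "dockersock",
               "hostPath": {"path": "/var/run/docker.sock"}}],
  "containers": [{"name": "dev-machine",
                  "securityContext": {"privileged": true, "runAsUser": 0},
                  "volumeMounts": [{"name": "dockersock",
                                    "mountPath": "/var/run/docker.sock"}]}]}}""")

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT), ("violating", VIOLATING)):
        print(label, audit_pod(pod) or "no findings")
```

To audit a running workspace, pass the parsed output of oc get pod <pod-name> -o json to audit_pod.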

TLS Support

If the OpenShift cluster is configured with TLS, Che will use TLS out of the box to secure all communications between your browser and Che itself.

Embedded Reverse Proxy

OpenShift runs a reverse proxy (HAProxy is the default) that routes traffic to your application in the OpenShift cluster and controls which services are publicly exposed. Che uses the OpenShift reverse proxy to expose IDE services.

Distributed Volumes

Che uses volumes to persist server configuration, server data and workspace project files. When running with Docker, Che uses local file system volumes, so Che and the volumes must be located on the same host.

On OpenShift, Che uses Kubernetes’ Persistent Volume Claim subsystem to provide access to distributed storage services like GlusterFS, AWS Elastic Block Store, Azure Files, GCE Persistent Disk, etc. This allows Che and the volumes to exist on separate/remote hosts.

Current Limitations of Running Che on OpenShift

Fewer Stacks [no longer the case as of 2019]

Not all Che runtime stacks are compatible with OpenShift’s security restrictions. Currently supported stacks are vert.x, spring-boot, wildfly-swarm, nodeJS (CentOS), Java (CentOS) and Java-MySQL (CentOS), but we are working to adapt all existing stacks to run on OpenShift.

No Support for Stack Recipes of Type Dockerfile

OpenShift allows definition of a runtime stack using a Kubernetes YAML recipe or a Docker image.

Alternatively, you can create custom runtime stacks to share with others.

SSH access to workspaces

Because Che is reached through an HTTP reverse proxy, other protocols, like SSH, are not supported. As a consequence, it’s not possible to access a Che workspace using an SSH client. But this can be easily remedied using the OpenShift CLI: the command oc rsh provides access to the workspace shell. Of course, the Che terminal is available from the browser even when using OpenShift.

Install Che on OpenShift for multi-user or single-user mode on your own system.

Use Che in our hosted SaaS (no install at all).

Get involved with the Che project!

Brad Micklea: Eclipse Che project lead, Red Hat PM, car nut and fan of HST.