Oracle Cloud Infrastructure (OCI) is Oracle’s second-generation infrastructure-as-a-service offering. It supports many components, including compute nodes, networks, storage, Kubernetes clusters and Database as a Service. Oracle Cloud Infrastructure can be administered through a GUI (a browser-based console) as well as through a REST API and with the OCI Command Line Interface. Oracle offers a Terraform provider that allows automated, scripted provisioning of OCI artefacts.
This article describes an easy approach to get going with the Command Line Interface for Oracle Cloud Infrastructure – using the oci-cli Docker image. Using a Docker container image and a simple configuration file, oci commands can be executed without locally having to install and update the OCI Command Line Interface (and the Python runtime environment) itself.
These are the steps to get going on a Linux or Mac Host that contains a Docker engine:
- create a new user in OCI (or use an existing user) with appropriate privileges; you need the OCID for the user
- also make sure you have the name of the region and the OCID for the tenancy on OCI
- execute a docker run command to prepare the OCI CLI configuration file
- update the user in OCI with the public key created by the OCI CLI setup action
- edit the .profile to associate the oci command line instruction on the Docker host with running the OCI CLI Docker image
At that point, you can locally run any OCI CLI command against the specified user and tenant – using nothing but the Docker container that contains the latest version of the OCI CLI and the required runtime dependencies.
In more detail, the steps look like this:
Create a new user in OCI
(or use an existing user) with appropriate privileges; you need the OCID for the user
You can reuse an existing user or create a fresh one – which is what I did. This step I performed in the OCI Console:
I then added this user to the group Administrators.
And I noted the OCID for this user:
Also make sure you have the name of the region and the OCID for the tenancy on OCI:
Execute a docker run command to prepare the OCI CLI configuration file
On the Docker host machine, create a directory to hold the OCI CLI configuration files. These files will be made available to the CLI tool by mounting the directory into the Docker container.
mkdir ~/.oci
Run the following Docker command:
docker run --rm --mount type=bind,source=$HOME/.oci,target=/root/.oci -it stephenpearson/oci-cli:latest setup config
This starts the OCI CLI container in interactive mode – with the ~/.oci directory mounted into the container at /root/.oci – and executes the setup config command on the OCI CLI (see https://docs.cloud.oracle.com/iaas/tools/oci-cli/latest/oci_cli_docs/cmdref/setup/config.html).
This command will start a dialog that results in the OCI config file being written to /root/.oci inside the container and to ~/.oci on the Docker host. The dialog also results in a private and a public key file, in that same directory.
Here is the content of the config file that the dialog has generated on the Docker host:
Update the user in OCI with the public key created by the OCI CLI setup action
The contents of the file that contains the public key – ~/.oci/oci_api_key_public.pem in this case – should be configured on the OCI user – kubie in this case – as API Key:
Create shortcut command for OCI CLI on Docker host
We did not install the OCI CLI on the Docker host – but we can still make it possible to run the CLI commands as if we did. If we edit the .profile file to associate the oci command line instruction on the Docker host with running the OCI CLI Docker image, we get the same experience on the host command line as if we did install the OCI CLI.
Edit ~/.profile and add this line:
oci() { docker run --rm --mount type=bind,source=$HOME/.oci,target=/root/.oci stephenpearson/oci-cli:latest "$@"; }
On the Docker host I can now run OCI CLI commands (that will be sent to the Docker container that uses the configuration in ~/.oci for connecting to the OCI instance).
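The wrapper above hands the API signing key in ~/.oci to a container image on every call. The script below is an added example, not code from the article or from the oci-cli image project: it audits that directory and only then starts the container. The names audit_oci_dir, owner_only and OCI_IMAGE are introduced here; the five fields checked are the standard entries of an OCI config profile, and it is assumed that key_file records the container path /root/.oci/<name>.

```shell
#!/bin/sh
# Added example: audit the directory that is bind-mounted into the OCI CLI
# container before handing it to the image.

# Succeeds when group and other have no permission bits on $1.
# Parses `ls -ld` so it behaves the same on Linux and macOS.
owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per finding for directory $1; return 0 only when there are none.
audit_oci_dir() {
  dir=$1 cfg=$1/config rc=0
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  [ -f "$cfg" ] || { echo "missing config file: $cfg"; return 1; }
  # Files written by a container running as root can be unreadable on the host.
  [ -r "$cfg" ] || { echo "config not readable by $(id -un): $cfg"; return 1; }
  owner_only "$dir" || { echo "group/other can access: $dir"; rc=1; }
  owner_only "$cfg" || { echo "group/other can access: $cfg"; rc=1; }
  for field in user fingerprint key_file tenancy region; do
    grep -Eq "^[[:space:]]*$field[[:space:]]*=[[:space:]]*[^[:space:]]" "$cfg" ||
      { echo "config has no value for: $field"; rc=1; }
  done
  # Assumption: key_file holds the container path (/root/.oci/<name>), so the
  # host copy is the file with the same name inside the mounted directory.
  key=$(sed -n 's/^[[:space:]]*key_file[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
  if [ -n "$key" ]; then
    host_key=$dir/${key##*/}
    if [ ! -f "$host_key" ]; then
      echo "private key not found: $host_key"; rc=1
    elif ! owner_only "$host_key"; then
      echo "group/other can access: $host_key"; rc=1
    fi
  fi
  return $rc
}

# Same wrapper as in ~/.profile, but it refuses to start the container when the
# audit reports a finding. OCI_IMAGE defaults to the tag used in the article and
# can be set to a digest reference (name@sha256:...) you have verified yourself.
oci() {
  audit_oci_dir "$HOME/.oci" >&2 || return 1
  docker run --rm --mount "type=bind,source=$HOME/.oci,target=/root/.oci" \
    "${OCI_IMAGE:-stephenpearson/oci-cli:latest}" "$@"
}
```

Running `audit_oci_dir ~/.oci` on its own prints the findings without starting a container; `chmod 700 ~/.oci` and `chmod 600` on the config and key files clear the permission findings.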
Run OCI CLI command on the Host
We are now set to run OCI CLI commands – even though we did not actually install the OCI CLI and the Python runtime environment.
Note: most commands we run will require us to pass the Compartment Id of the OCI Compartment against which we want to perform an action. It is convenient to set an environment variable with the Compartment OCID value and then refer in all cli commands to the variable.
For example:
export COMPARTMENT_ID=ocid1.tenancy.oc1..aaaaaaaaot3ihdt
Now to list all policies in this compartment:
oci iam policy list --compartment-id $COMPARTMENT_ID --all
And to create a new policy – one that I need in order to provision a Kubernetes cluster:
oci iam policy create --name oke-service --compartment-id $COMPARTMENT_ID --statements '[ "allow service OKE to manage all-resources in tenancy"]' --description 'policy for granting rights on OKE to manage cluster resources'
Or to create a new compartment:
oci iam compartment create --compartment-id $COMPARTMENT_ID --name oke-compartment --description "Compartment for OCI resources created for OKE Cluster"
From here on, it is just regular OCI CLI work, just as if it had been installed locally. But by using the Docker container, we keep our system tidy and we can easily benefit from the latest version of the OCI CLI at all times.
Resources
OCI CLI Command Reference – https://docs.cloud.oracle.com/iaas/tools/oci-cli/latest/oci_cli_docs/index.html
Terraform Provider for OCI: https://www.terraform.io/docs/providers/oci/index.html
GitHub repo for OCI CLI Docker – https://github.com/stephenpearson/oci-cli