文章目錄
瞭解OpenShift內部Image Registry
OpenShift容器平臺提供了一個內置的Container Image Registry,該Image Registry用戶提供了一個開箱即用的解決方案來管理運行OpenShift工作負載所用到的Image。Image Registry可以像其他任何集羣工作負載一樣擴展,不需要特定的基礎設施配置。此外,它集成到了集羣用戶認證和授權系統中,這意味着通過定義Image資源的用戶權限來控制創建和檢索Image的訪問。
Image Registry Operator在 openshift-image-registry 命名空間中運行,並在該位置管理Image Registry實例。Image Registry的所有配置和工作負載資源都位於該命名空間中。Image數據存儲在兩個位置。實際的Image數據存儲在可配置的存儲位置,如雲存儲或文件系統卷等。Image元數據被存儲爲標準的API資源,這些API資源包括Image和ImageStream。
當使用podman工具向OpenShift內部Image Registry推送Image的時候,OpenShift會自動爲Image創建對應的ImageStream,這樣在OpenShift中就可以使用ImageStream訪問這些保存在本地的Image了。
podman push命令會將外部Image傳到內部Image Registry中並保存,並根據Image的元數據生成對應的ImageStream對象;而oc import-image命令只是根據外部鏡像的元數據生成ImageStream對象,ImageSteam還是指向外部鏡像。
向內部Image Registry推送Image
爲podman的pull/push操作賦權
爲了能操作內部Image Registry,首先要有權限。用OpenShift集羣管理員(例如admin)登錄後執行命令,爲自己賦權
$ oc policy add-role-to-user registry-viewer $(oc whoami)
$ oc policy add-role-to-user registry-editor $(oc whoami)
新建項目
本文未來手動導入到內部Image Registry的Image是被放在以下命令新建的特定的新建項目中。其實導入的Image也可放在所有用戶都可訪問的公共項目OpenShift中。
$ oc new-project myproject
進入OpenShift集羣內部
首先需要進入的某個OpenShift節點,這樣我們就可以用OpenShift集羣內部地址訪問Image Registry了。
- 查看集羣節點名稱
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-133-204.ec2.internal Ready master 3d8h v1.17.1
ip-10-0-134-17.ec2.internal Ready worker 3d7h v1.17.1
ip-10-0-147-125.ec2.internal Ready master 3d8h v1.17.1
ip-10-0-154-19.ec2.internal Ready worker 3d7h v1.17.1
ip-10-0-161-178.ec2.internal Ready master 3d8h v1.17.1
- 進入一個節點,例如第一個master節點。
$ oc debug nodes/ip-10-0-133-204.ec2.internal
Starting pod/ip-10-0-133-204ec2internal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.133.204
If you don't see a command prompt, try pressing enter.
- 爲了運行可執行程序,要先執行以下命令。
sh-4.2# chroot /host
- 執行命令,用集羣管理員(例如admin)登錄OpenShift。
sh-4.4# oc login -u admin -p <password> https://api-int.<cluster_name>.<base_domain>:6443
Pull Image/Push Image
方法1:在集羣節點內部操作
- 執行podman pull命令,將遠程Image拉到本地。
sh-4.4# podman pull openshift/hello-openshift
Trying to pull registry.access.redhat.com/openshift/hello-openshift...
name unknown: Repo not found
Trying to pull docker.io/openshift/hello-openshift...
Getting image source signatures
Copying blob 4f4fb700ef54 done
Copying blob 8b32988996c5 done
Copying config 7af3297a3f done
Writing manifest to image destination
Storing signatures
7af3297a3fb4487b740ed6798163f618e6eddea1ee5fa0ba340329fcae31c8f6
- 確認本地已有該openshift/hello-openshift鏡像。
sh-4.4# podman images | grep hello-openshift
docker.io/openshift/hello-openshift latest 7af3297a3fb4 2 years ago 6.1 MB
- 對本地的鏡像重新打tag標籤。注意:在Image的新標籤中使用了名爲myproject的項目名作爲Image Repository。
sh-4.4# podman tag docker.io/openshift/hello-openshift:latest image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-1:latest
- 再次查看本地鏡像,確認hello-openshift鏡像已經有新標籤了。
sh-4.4# podman images | grep hello-openshift
image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-1 latest 7af3297a3fb4 2 years ago 6.1 MB
docker.io/openshift/hello-openshift latest 7af3297a3fb4 2 years ago 6.1 MB
- 把打過新標籤的Image推送到OpenShift內部Image Registry,其中myproject是上面創建的項目。
sh-4.4# podman push image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-1:latest
Getting image source signatures
Copying blob 5f70bf18a086 skipped: already exists
Copying blob da0e4d9121c7 [--------------------------------------] 0.0b / 0.0b
Copying config 7af3297a3f [--------------------------------------] 0.0b / 1.3KiB
Writing manifest to image destination
Storing signatures
方法2:在集羣節點外部操作
確保已經在集羣外部的執行節點中安裝了podman。
- 首先確認OpenShift的DefaultRoute是可用的。
$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
- 獲得OpenShift內部Image Registry對外的訪問地址
$ HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
- 使用podman登錄Image Registry對外的訪問地址。注意:這裏需要切換root身份執行命令。
$ sudo podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false $HOST
Login Succeeded!
- 執行podman pull命令,將遠程Image拉到本地。說明:我們可以從返回結果看到,由於pull命令中沒有提供完整的外部Registry地址,因此podman命令首先去registry.access.redhat.com、registry.fedoraproject.org和registry.centos.org查找鏡像,最後在docker.io查找到openshift/hello-openshift,然後pull到本地。
$ sudo podman pull openshift/hello-openshift
Trying to pull registry.access.redhat.com/openshift/hello-openshift...
name unknown: Repo not found
Trying to pull registry.fedoraproject.org/openshift/hello-openshift...
manifest unknown: manifest unknown
Trying to pull registry.centos.org/openshift/hello-openshift...
manifest unknown: manifest unknown
Trying to pull docker.io/openshift/hello-openshift...
Getting image source signatures
Copying blob 4f4fb700ef54 done
Copying blob 8b32988996c5 done
Copying config 7af3297a3f done
Writing manifest to image destination
Storing signatures
7af3297a3fb4487b740ed6798163f618e6eddea1ee5fa0ba340329fcae31c8f6
- 確認本地已有該openshift/hello-openshift鏡像。
$ sudo podman images | grep hello-openshift
docker.io/openshift/hello-openshift latest 7af3297a3fb4 2 years ago 6.1 MB
- 對本地的鏡像重新打tag標籤。注意:在Image的新標籤中使用了名爲myproject的項目名作爲Image Repository。
$ sudo podman tag docker.io/openshift/hello-openshift:latest $HOST/myproject/hello-openshift-2:latest
- 再次查看本地鏡像,確認hello-openshift鏡像已經有新標籤了。
$ sudo podman images | grep hello-openshift
default-route-openshift-image-registry.apps.cluster-beijing-1374.beijing-1374.example.opentlc.com/myproject/hello-openshift-2 latest 7af3297a3fb4 2 years ago 6.1 MB
docker.io/openshift/hello-openshift latest 7af3297a3fb4 2 years ago 6.1 MB
- 把打過新標籤的Image推送到OpenShift內部Image Registry,其中myproject是上面創建的項目。
$sudo podman push $HOST/myproject/hello-openshift-2:latest --tls-verify=false
Getting image source signatures
Copying blob da0e4d9121c7 done
Copying blob 5f70bf18a086 done
Copying config 7af3297a3f done
Writing manifest to image destination
Storing signatures
驗證推送的Image
以下從OpenShift集羣外部的節點操作。
- 查看OpenShift的myproject項目中是否有名爲hello-openshift的Image。
$ oc get image -n myproject | grep hello-openshift
sha256:a79c6182e8581564bcdd6c6c91e3a9bfe5acc3e48903a1640f6effe12243cb7f image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-1@sha256:a79c6182e8581564bcdd6c6c91e3a9bfe5acc3e48903a1640f6effe12243cb7f
sha256:03e2cf83f6ec05a187a86bbbde9a2d47f62463ace5308a2446b828b2aeefe04e image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-2@sha256:03e2cf83f6ec05a187a86bbbde9a2d47f62463ace5308a2446b828b2aeefe04e
- 查看OpenShift的myproject項目中已經有了ImageStream。說明:這說明OpenShift會根據Push到Image Registry的Image自動創建ImageStream對象。
$ oc get is -n myproject
NAME IMAGE REPOSITORY TAGS UPDATED
hello-openshift-1 default-route-openshift-image-registry.apps.cluster-beijing-1374.beijing-1374.example.opentlc.com/myproject/hello-openshift-1 latest 11 seconds ago
hello-openshift-2 default-route-openshift-image-registry.apps.cluster-beijing-fd91.beijing-fd91.example.opentlc.com/myproject/hello-openshift-2 latest About a minute ago
- 基於名爲hello-openshift-1的Image或名爲hello-openshift-2的ImageSteam,部署podhello-openshift-1和podhello-openshift-2應用。
$ oc new-app hello-openshift-1 --docker-image=image-registry.openshift-image-registry.svc:5000/myproject/hello-openshift-1:latest
$ oc new-app hello-openshift-2 --image-stream=myproject/hello-openshift-2:latest
- 根據Service生成Route
$ oc expose svc hello-openshift-1
$ oc expose svc hello-openshift-2
- 最後訪問hello-openshift-1和hello-openshift-2的route查看結果
$ curl $(oc get route hello-openshift-1 -o template --template '{{.spec.host}}')
Hello OpenShift!
$ curl $(oc get route hello-openshift-2 -o template --template '{{.spec.host}}')
Hello OpenShift!