Recently, while deploying a service to a swarm cluster, the following error appeared:
```
[root@nccztsjb-node-01 ~]# docker service create \
> --name=nginx \
> --publish published=8080,target=80 \
> 172.20.58.152/middleware/nginx:1.21.4
image 172.20.58.152/middleware/nginx:1.21.4 could not be accessed on a registry to record
its digest. Each node will access 172.20.58.152/middleware/nginx:1.21.4 independently,
possibly leading to different nodes running different versions of the image.

hr3vb5wdzkzhewbc62f06nenr
overall progress: 0 out of 1 tasks
1/1: No such image: 172.20.58.152/middleware/nginx:1.21.4
```
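Seeing the error message, it suddenly became clear: this image lives in a private, internally hosted registry.
In other words, pulling the image requires authentication, so you need to log in to the registry before pulling.
The fix is very simple.
First, log in to the registry (run this on the manager node):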
```
[root@nccztsjb-node-01 ~]# docker login 172.20.58.152
Username: admin
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@nccztsjb-node-01 ~]#
```
Then, when deploying the service, add the authentication flag --with-registry-auth (on the manager node):
```
docker service create \
  --name=nginx \
  --with-registry-auth \
  --publish published=8080,target=80 \
  172.20.58.152/middleware/nginx:1.21.4
```
```
[root@nccztsjb-node-01 ~]# docker service create \
> --name=nginx \
> --with-registry-auth \
> --publish published=8080,target=80 \
> 172.20.58.152/middleware/nginx:1.21.4
qi8fxxrdrbxlidenqxyd7ywx4
overall progress: 1 out of 1 tasks
1/1: running   [==================================================>]
verify: Service converged
[root@nccztsjb-node-01 ~]# docker service ls
ID             NAME         MODE         REPLICAS   IMAGE                                    PORTS
qi8fxxrdrbxl   nginx        replicated   1/1        172.20.58.152/middleware/nginx:1.21.4    *:8080->80/tcp
hz926ckhmkd9   redis        replicated   1/1        172.20.58.152/middleware/redis:3.0.6
pzcsua3xuur9   test-commd   replicated   1/1        172.20.58.152/baseimage/alpine:latest
[root@nccztsjb-node-01 ~]# docker service ps nginx
ID             NAME      IMAGE                                   NODE               DESIRED STATE   CURRENT STATE            ERROR   PORTS
j0ltlwxwcsnw   nginx.1   172.20.58.152/middleware/nginx:1.21.4   nccztsjb-node-04   Running         Running 14 seconds ago
[root@nccztsjb-node-01 ~]#
```
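Notice that the login was done on nccztsjb-node-01, the manager node, yet the task is actually running on nccztsjb-node-04.
In other words, every node in the cluster can obtain this authentication information!
How it works: the login token held by the local client on the manager node is sent to the swarm nodes where the service runs. Using this token, a node can log in to the private registry and then pull the image.
So, the key steps are:
- Log in to the private registry on the manager node (with username and password)
- Deploy the service with the authentication flag --with-registry-auth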
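
The `docker login` output above warns that the password is stored unencrypted in /root/.docker/config.json. The following check is an added example, not part of the original post: it reads a Docker client config and reports which registries carry an inline base64 credential and which rely on a credential helper. The sample config and its placeholder password are constructed, and `audit_docker_config` is a hypothetical name.

```python
import base64
import json

# Constructed sample of /root/.docker/config.json after the `docker login`
# above, with no credential helper configured. The password is a placeholder.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "172.20.58.152": {
            "auth": base64.b64encode(b"admin:EXAMPLE-PASSWORD").decode()
        }
    }
})


def audit_docker_config(config_text):
    """Return {registry: finding} for every registry in a Docker client config."""
    cfg = json.loads(config_text)
    creds_store = cfg.get("credsStore")      # global credential helper, if any
    helpers = cfg.get("credHelpers", {})     # per-registry credential helpers
    findings = {}
    for registry, entry in cfg.get("auths", {}).items():
        blob = (entry or {}).get("auth")
        if blob:
            # base64 is an encoding, not encryption: anyone who can read
            # the file recovers the username and password.
            try:
                decoded = base64.b64decode(blob).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]
            except ValueError:
                user = "?"
            findings[registry] = f"plaintext (user={user})"
        elif registry in helpers:
            findings[registry] = f"helper:{helpers[registry]}"
        elif creds_store:
            findings[registry] = f"helper:{creds_store}"
        else:
            findings[registry] = "no credentials"
    return findings


if __name__ == "__main__":
    for registry, finding in audit_docker_config(SAMPLE_CONFIG).items():
        print(registry, "->", finding)
```

On a real manager node, pass the contents of /root/.docker/config.json to the function instead of the constructed sample.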