How do you use an image from a private registry when deploying a service in a swarm cluster?


Recently, while deploying a service to a swarm cluster, I got the following error:

 

[root@nccztsjb-node-01 ~]# docker service create \
>   --name=nginx \
>   --publish published=8080,target=80 \
>   172.20.58.152/middleware/nginx:1.21.4  
image 172.20.58.152/middleware/nginx:1.21.4 could not be accessed on a registry to record
its digest. Each node will access 172.20.58.152/middleware/nginx:1.21.4 independently,
possibly leading to different nodes running different
versions of the image.

hr3vb5wdzkzhewbc62f06nenr
overall progress: 0 out of 1 tasks 
1/1: No such image: 172.20.58.152/middleware/nginx:1.21.4 

 

 

Seeing the error message, it finally dawned on me: this image lives in a private, internally hosted registry.

 

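In other words, pulling the image requires authentication; put differently, you have to log in to the registry before pulling the image.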

 

The fix is very simple.

 

First, log in to the registry (run this on the manager node):

 

[root@nccztsjb-node-01 ~]# docker login  172.20.58.152
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@nccztsjb-node-01 ~]# 

 

 

Then, when deploying the service, add the authentication flag --with-registry-auth (on the manager node):

 

docker service create \
  --name=nginx \
  --with-registry-auth \
  --publish published=8080,target=80 \
  172.20.58.152/middleware/nginx:1.21.4  

 

 

[root@nccztsjb-node-01 ~]# docker service create \
>   --name=nginx \
>   --with-registry-auth \
>   --publish published=8080,target=80 \
>   172.20.58.152/middleware/nginx:1.21.4  
qi8fxxrdrbxlidenqxyd7ywx4
overall progress: 1 out of 1 tasks 
1/1: running   [==================================================>] 
verify: Service converged 
[root@nccztsjb-node-01 ~]# docker service ls
ID             NAME         MODE         REPLICAS   IMAGE                                   PORTS
qi8fxxrdrbxl   nginx        replicated   1/1        172.20.58.152/middleware/nginx:1.21.4   *:8080->80/tcp
hz926ckhmkd9   redis        replicated   1/1        172.20.58.152/middleware/redis:3.0.6    
pzcsua3xuur9   test-commd   replicated   1/1        172.20.58.152/baseimage/alpine:latest   
[root@nccztsjb-node-01 ~]# docker service ps nginx
ID             NAME      IMAGE                                   NODE               DESIRED STATE   CURRENT STATE            ERROR     PORTS
j0ltlwxwcsnw   nginx.1   172.20.58.152/middleware/nginx:1.21.4   nccztsjb-node-04   Running         Running 14 seconds ago             
[root@nccztsjb-node-01 ~]# 
[root@nccztsjb-node-01 ~]# 

 

 

Notice that the login was done on nccztsjb-node-01, the manager node, yet the task is actually running on the node nccztsjb-node-04.

 

In other words, every node in the cluster is able to obtain this authentication information!

 

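How it works: the login token of the local client on the manager node is sent to the nodes in the swarm cluster where the service runs. Using this token, those nodes can log in to the private registry and then pull the image.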

 

So, the key steps are:

 

  • Log in to the private registry on the manager node (with username and password)
  • Specify the authentication flag --with-registry-auth when deploying the service
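
The credential that --with-registry-auth forwards is the one docker login saved for the image's registry, and the WARNING in the login output above refers to how it is saved. The following check is an added example, not part of the original post: it reads a config.json and reports whether that credential is stored inline or through a credential helper. The function names and the sample configs are constructed for illustration.

```python
import base64
import json

DOCKER_HUB_KEY = "https://index.docker.io/v1/"  # key docker uses for Docker Hub

def registry_of(image):
    """Return the config.json key that holds credentials for this image."""
    first, slash, _ = image.partition("/")
    # The first path component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB_KEY

def audit(config_text, image):
    """Classify how the credential for the image's registry is stored."""
    cfg = json.loads(config_text)
    reg = registry_of(image)
    entry = cfg.get("auths", {}).get(reg)
    if entry and entry.get("auth"):
        # "auth" is base64("user:password"): encoded, not encrypted.
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return {"registry": reg, "state": "plaintext", "user": user}
    helper = cfg.get("credHelpers", {}).get(reg)
    if helper is None and entry is not None:
        helper = cfg.get("credsStore")
    if helper:
        # The file only names the helper; the secret lives in its store.
        return {"registry": reg, "state": "helper", "helper": helper}
    return {"registry": reg, "state": "not-logged-in"}

# Constructed sample data (not taken from a real host).
IMAGE = "172.20.58.152/middleware/nginx:1.21.4"
PLAINTEXT_CFG = json.dumps({"auths": {"172.20.58.152": {
    "auth": base64.b64encode(b"admin:constructed-password").decode()}}})
HELPER_CFG = json.dumps({"auths": {"172.20.58.152": {}}, "credsStore": "pass"})

if __name__ == "__main__":
    for name, text in [("plaintext", PLAINTEXT_CFG), ("helper", HELPER_CFG),
                       ("empty", "{}")]:
        print(name, audit(text, IMAGE))
```

A "plaintext" result on the manager means anyone who can read /root/.docker/config.json can recover the registry password. A "helper" result only shows that a helper is configured, not that it currently holds a valid credential.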