CentOS 7

OpenShift Origin 3.6 : Docker Registry の設定
2017/11/26
 
This page configures the Docker Registry.
When the cluster is set up as described in OpenShift Origin installation, a Pod for the Registry is configured and running by default, but its storage area for container images is temporary (an EmptyDir volume that lives only as long as the Pod); to change this, recreate the Registry Pod as follows.
Storage backends such as OpenStack Swift, Google Storage and Microsoft Azure are also available, but this example uses the default Filesystem.
This example configures the OpenShift cluster on the following environment.
-----------+-----------------------------------------------------------+------------
           |10.0.0.30                    |10.0.0.51                    |10.0.0.52
+----------+-----------+      +----------+-----------+      +----------+-----------+
|  [  dlp.srv.world ]  |      | [ node01.srv.world ] |      | [ node02.srv.world ] |
|     (Master Node)    |      |    (Compute Node)    |      |    (Compute Node)    |
|     (Compute Node)   |      |                      |      |                      |
+----------------------+      +----------------------+      +----------------------+

[1] Delete the default Registry that the installer configured.
[origin@dlp ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-zrn3b    1/1       Running   1          15h
registry-console-1-8xndp   1/1       Running   1          15h
router-1-f2j5k             1/1       Running   1          15h

[origin@dlp ~]$
oc describe pod docker-registry-1-zrn3b | grep -A3 'Volumes:'

Volumes:
  registry-storage:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:

# delete the related resources

[origin@dlp ~]$
oc delete all -l docker-registry=default

deploymentconfig "docker-registry" deleted
pod "docker-registry-1-b4g3z" deleted

[origin@dlp ~]$
oc delete all -l app=registry-console

imagestream "registry-console" deleted
deploymentconfig "registry-console" deleted
service "registry-console" deleted
pod "registry-console-1-2vzks" deleted

[origin@dlp ~]$
oc delete serviceaccount registry

serviceaccount "registry" deleted
[origin@dlp ~]$
oc delete service docker-registry

service "docker-registry" deleted
[origin@dlp ~]$
oc get pods

NAME             READY     STATUS    RESTARTS   AGE
router-1-f4mc9   1/1       Running   1          16h
[2] Create a directory on the Master node for storing container images and configure the Registry.
# create the image storage directory (any location will do)

[origin@dlp ~]$
sudo mkdir /var/lib/origin/registry

[origin@dlp ~]$
sudo chown origin. /var/lib/origin/registry
# grant the registry service account the privileged SCC

[origin@dlp ~]$
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry
# configure the Registry

[origin@dlp ~]$
sudo oadm registry \
--config=/etc/origin/master/admin.kubeconfig \
--service-account=registry \
--images='openshift/origin-docker-registry' \
--mount-host=/var/lib/origin/registry \
--selector="region=infra" \
--replicas=1

--> Creating registry registry ...
    serviceaccount "registry" created
    clusterrolebinding "registry-registry-role" created
    deploymentconfig "docker-registry" created
    service "docker-registry" created
--> Success

# after a while the deployment completes and the Pod is in the Running state

[origin@dlp ~]$
oc get pods

NAME                      READY     STATUS    RESTARTS   AGE
docker-registry-1-5l5mc   1/1       Running   0          37s
router-1-8sh8d            1/1       Running   1          16m

[origin@dlp ~]$
oc describe pod docker-registry-1-5l5mc

Name:                   docker-registry-1-5l5mc
Namespace:              default
Security Policy:        privileged
Node:                   dlp.srv.world/10.0.0.30
Start Time:             Mon, 27 Nov 2017 19:18:26 +0900
Labels:                 deployment=docker-registry-1
                        deploymentconfig=docker-registry
                        docker-registry=default
Annotations:            kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"docker-registry-1","uid":"636faee4-d332-11e7-9ce4-525...
                        openshift.io/deployment-config.latest-version=1
                        openshift.io/deployment-config.name=docker-registry
                        openshift.io/deployment.name=docker-registry-1
                        openshift.io/scc=privileged
Status:                 Running
IP:                     10.128.0.9
Controllers:            ReplicationController/docker-registry-1
Containers:
  registry:
    Container ID:       docker://80bd8404ccb6e2733fc1756b9b0ea13c763aa5b265a212716e4ed9f02f686e6c
    Image:              openshift/origin-docker-registry
    Image ID:           docker-pullable://docker.io/openshift/origin-docker-registry@sha256:4563b06d501b2b9afc48faaf66381c9c93d5d6f40978592d140c89a5768d8377
    Port:               5000/TCP
    State:              Running
      Started:          Mon, 27 Nov 2017 19:18:54 +0900
    Ready:              True
    Restart Count:      0
    Requests:
      cpu:      100m
      memory:   256Mi
    Liveness:   http-get http://:5000/healthz delay=10s timeout=5s period=10s #success=1 #failure=3
    Readiness:  http-get http://:5000/healthz delay=0s timeout=5s period=10s #success=1 #failure=3
    Environment:
      REGISTRY_HTTP_ADDR:                                       :5000
      REGISTRY_HTTP_NET:                                        tcp
      REGISTRY_HTTP_SECRET:                                     qSTSreW6U9oKPuEYWps5jcEKpffJPG+foqKDxbU69M0=
      REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA:    false
    Mounts:
      /registry from registry-storage (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from registry-token-bfpzs (ro)
Conditions:
  Type          Status
  Initialized   True
  Ready         True
  PodScheduled  True
Volumes:
  registry-storage:
    Type:       HostPath (bare host directory volume)
    Path:       /var/lib/origin/registry
  registry-token-bfpzs:
    Type:       Secret (a volume populated by a Secret)
    SecretName: registry-token-bfpzs
    Optional:   false
QoS Class:      Burstable
Node-Selectors: region=infra
.....
.....
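As an added check (not part of the original page), the following shell script classifies the registry Pod's image storage from `oc describe pod` output, distinguishing the installer default seen in step [1] (EmptyDir) from the host-directory volume configured in step [2]. The embedded sample listings are constructed from the page's output, and the `oc` pipeline in the comment assumes the oc client is logged in with access to the default project.

```shell
#!/bin/sh
# Added example (not from the original page): classify the registry Pod's
# image-storage volume from `oc describe pod` output, so an operator can tell
# the installer default (EmptyDir: images vanish when the Pod is recreated)
# from the host-directory volume configured in step [2].
# Against a live cluster (assumes oc is logged in with access to "default"):
#   oc describe pod -l docker-registry=default -n default | registry_storage_type

# Prints the Type of the "registry-storage" volume (EmptyDir, HostPath, ...)
# or UNKNOWN when that volume is not listed.
registry_storage_type() {
    awk '
        /^Volumes:/                       { in_vol = 1; next }
        in_vol && /^  registry-storage:/  { in_rs = 1; next }
        in_vol && in_rs && /^    Type:/   { print $2; found = 1; exit }
        in_vol && /^  [^ ]/               { in_rs = 0 }   # next volume starts
        in_vol && /^[^ ]/                 { in_vol = 0 }  # Volumes section ended
        END { if (!found) print "UNKNOWN" }
    '
}

# Exit 0 only when images live on a host directory (HostPath), as in step [2].
registry_storage_is_persistent() {
    [ "$(registry_storage_type)" = "HostPath" ]
}

# Constructed sample output, modelled on the page's describe listings.
SAMPLE_DEFAULT=$(cat <<'EOF'
Name:                   docker-registry-1-zrn3b
Volumes:
  registry-storage:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
QoS Class:      Burstable
EOF
)
SAMPLE_HOSTPATH=$(cat <<'EOF'
Name:                   docker-registry-1-5l5mc
Volumes:
  registry-storage:
    Type:       HostPath (bare host directory volume)
    Path:       /var/lib/origin/registry
  registry-token-bfpzs:
    Type:       Secret (a volume populated by a Secret)
QoS Class:      Burstable
EOF
)
printf '%s\n' "$SAMPLE_DEFAULT"  | registry_storage_type   # EmptyDir
printf '%s\n' "$SAMPLE_HOSTPATH" | registry_storage_type   # HostPath
```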
[3] Confirm that any user can deploy any application. If the Registry is misconfigured, pushing the container image fails and so does the deployment.
[cent@dlp ~]$
oc login

Authentication required for https://dlp.srv.world:8443 (openshift)
Username: cent
Password:
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[cent@dlp ~]$
oc new-project test-project

Now using project "test-project" on server "https://dlp.srv.world:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

[cent@dlp ~]$
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

--> Creating resources ...
    imagestream "ruby-22-centos7" created
    imagestream "ruby-ex" created
    buildconfig "ruby-ex" created
    deploymentconfig "ruby-ex" created
    service "ruby-ex" created
--> Success
    Build scheduled, use 'oc logs -f bc/ruby-ex' to track its progress.
    Run 'oc status' to view your app.

# after a while the deployment completes and the Pod is in the Running state

[cent@dlp ~]$
oc status

In project test-project on server https://dlp.srv.world:8443

svc/ruby-ex - 172.30.136.221:8080
  dc/ruby-ex deploys istag/ruby-ex:latest <-
    bc/ruby-ex source builds https://github.com/openshift/ruby-ex.git on istag/ruby-22-centos7:latest
    deployment #1 deployed 35 seconds ago - 1 pod

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.

[cent@dlp ~]$
oc get pods

NAME              READY     STATUS      RESTARTS   AGE
ruby-ex-1-build   0/1       Completed   0          2m
ruby-ex-1-vvjck   1/1       Running     0          35s

[cent@dlp ~]$
oc describe service ruby-ex

Name:                   ruby-ex
Namespace:              test-project
Labels:                 app=ruby-ex
Annotations:            openshift.io/generated-by=OpenShiftNewApp
Selector:               app=ruby-ex,deploymentconfig=ruby-ex
Type:                   ClusterIP
IP:                     172.30.136.221
Port:                   8080-tcp        8080/TCP
Endpoints:              10.128.0.13:8080
Session Affinity:       None
Events:                 <none>

[cent@dlp ~]$
curl 172.30.136.221:8080


.....
.....

</head>
<body>

<section class='container'>
          <hgroup>
            <h1>Welcome to your Ruby application on OpenShift</h1>
          </hgroup>

.....
.....

</body>
</html>
[4] Enable the Registry Console so that the web-based UI can be used.
# check the routes

[origin@dlp ~]$
oc get routes

NAME             HOST/PORT                               PATH  SERVICES         PORT   TERMINATION   WILDCARD
docker-registry  docker-registry-default.apps.srv.world        docker-registry  <all>  passthrough   None
registry-console registry-console-default.apps.srv.world       registry-console <all>  passthrough   None

# if [registry-console] does not appear in the route list, create it as follows

[origin@dlp ~]$
oc create route passthrough --service registry-console --port registry-console -n default
# create the Registry Console application

# [OPENSHIFT_OAUTH_PROVIDER_URL] is the URL specified in the [oauthConfig] section
# of [/etc/origin/master/master-config.yaml]

[origin@dlp ~]$
oc new-app -n default --template=registry-console \
-p OPENSHIFT_OAUTH_PROVIDER_URL="https://dlp.srv.world:8443" \
-p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
-p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')

--> Deploying template "openshift/registry-console" to project default

     registry-console
     ---------
     Template for deploying registry web console. Requires cluster-admin.

     * With parameters:
        * IMAGE_NAME=cockpit/kubernetes
        * IMAGE_VERSION=latest
        * OPENSHIFT_OAUTH_PROVIDER_URL=https://dlp.srv.world:8443
        * COCKPIT_KUBE_URL=https://registry-console-default.apps.srv.world
        * OPENSHIFT_OAUTH_CLIENT_SECRET=userjmtYpn0hpAghbeC7e7462ckrT6KkWymRXnxjDGTiejiV4W...
        * OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client
        * REGISTRY_HOST=docker-registry-default.apps.srv.world

--> Creating resources ...
    deploymentconfig "registry-console" created
    service "registry-console" created
    imagestream "registry-console" created
--> Success

[origin@dlp ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-5l5mc    1/1       Running   0          18m
registry-console-1-738dt   1/1       Running   0          1m
router-1-8sh8d             1/1       Running   1          34m

[origin@dlp ~]$
oc get routes

NAME             HOST/PORT                               PATH  SERVICES         PORT   TERMINATION   WILDCARD
docker-registry  docker-registry-default.apps.srv.world        docker-registry  <all>  passthrough   None
registry-console registry-console-default.apps.srv.world       registry-console <all>  passthrough   None
[5] From any host that can resolve the URL assigned to the Registry Console ([registry-console-default.apps.srv.world] in the example above), open [https://registry-console-default.apps.srv.world/] in a web browser (you are redirected for authentication). After logging in as any user, you can view the status of the Registry.