OpenShift Origin (OKD) 3.11 : Configure the Docker Registry
2018/11/20

This page configures the Docker Registry.
If you set up the cluster as described in the OpenShift Origin installation, a Pod for the Registry is already configured and running by default, but its storage area for container images is ephemeral, so if you want to change that, recreate the Registry Pod as shown below.
Storage backends such as OpenStack Swift, Google Storage and Microsoft Azure can be used, but this example uses the default Filesystem backend.
This example builds the OpenShift cluster in the following environment.
-----------+-----------------------------+-----------------------------+------------
           |10.0.0.25                    |10.0.0.51                    |10.0.0.52
+----------+-----------+      +----------+-----------+      +----------+-----------+
|  [ ctrl.srv.world ]  |      | [ node01.srv.world ] |      | [ node02.srv.world ] |
|     (Master Node)    |      |    (Compute Node)    |      |    (Compute Node)    |
|     (Infra Node)     |      |                      |      |                      |
|     (Compute Node)   |      |                      |      |                      |
+----------------------+      +----------------------+      +----------------------+

[1] Delete the default Registry that the installer configured.
[origin@ctrl ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-7fhl2    1/1       Running   0          18m
registry-console-1-r6pfv   1/1       Running   0          18m
router-1-pshv8             1/1       Running   0          18m

[origin@ctrl ~]$
oc describe pod docker-registry-1-7fhl2 | grep -A3 'Volumes:'

Volumes:
  registry-storage:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:

# delete the related resources

[origin@ctrl ~]$
oc delete all -l docker-registry=default

pod "docker-registry-1-h2cdr" deleted
replicationcontroller "docker-registry-1" deleted
service "docker-registry" deleted
deploymentconfig.apps.openshift.io "docker-registry" deleted

[origin@ctrl ~]$
oc delete all -l name=registry-console

pod "registry-console-1-2cg24" deleted
replicationcontroller "registry-console-1" deleted
service "registry-console" deleted
deploymentconfig.apps.openshift.io "registry-console" deleted

[origin@ctrl ~]$
oc delete serviceaccount registry

serviceaccount "registry" deleted
[origin@ctrl ~]$
oc delete oauthclients cockpit-oauth-client

oauthclient "cockpit-oauth-client" deleted
# delete it if it exists

[origin@ctrl ~]$
oc delete clusterrolebindings registry-registry-role

clusterrolebinding.authorization.openshift.io "registry-registry-role" deleted
[origin@ctrl ~]$
oc get pods

NAME             READY     STATUS    RESTARTS   AGE
router-1-pshv8   1/1       Running   0          21m
[2] Configure the Registry.
As an example, create a directory for storing container images on the [node01.srv.world] node, which has the [compute] role, and configure the Registry Pod so that it is pinned to that node.
[origin@ctrl ~]$
oc get nodes

NAME               STATUS    ROLES          AGE       VERSION
ctrl.srv.world     Ready     infra,master   3h        v1.11.0+d4cacc0
node01.srv.world   Ready     compute        2h        v1.11.0+d4cacc0
node02.srv.world   Ready     compute        2h        v1.11.0+d4cacc0

# create the directory for storing images (any location is fine)

[origin@ctrl ~]$
ssh node01 "sudo mkdir /var/lib/origin/registry"

[origin@ctrl ~]$
ssh node01 "sudo chown origin. /var/lib/origin/registry"
# grant privileges to the registry service account

[origin@ctrl ~]$
oc adm policy add-scc-to-user privileged system:serviceaccount:default:registry

scc "privileged" added to: ["system:serviceaccount:default:registry"]
# configure the Registry

[origin@ctrl ~]$
sudo oc adm registry \
--config=/etc/origin/master/admin.kubeconfig \
--service-account=registry \
--mount-host=/var/lib/origin/registry \
--selector='kubernetes.io/hostname=node01.srv.world' \
--replicas=1

--> Creating registry registry ...
    serviceaccount "registry" created
    clusterrolebinding.authorization.openshift.io "registry-registry-role" created
    deploymentconfig.apps.openshift.io "docker-registry" created
    service "docker-registry" created
--> Success

# after a while the deployment completes and the Pod is in the Running state

[origin@ctrl ~]$
oc get pods

NAME                      READY     STATUS    RESTARTS   AGE
docker-registry-1-tqtnv   1/1       Running   0          29s
router-1-pshv8            1/1       Running   0          22m

[origin@ctrl ~]$
oc describe pod docker-registry-1-tqtnv

Name:               docker-registry-1-tqtnv
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               node01.srv.world/10.0.0.51
Start Time:         Mon, 19 Nov 2018 15:41:22 +0900
Labels:             deployment=docker-registry-1
                    deploymentconfig=docker-registry
                    docker-registry=default
Annotations:        openshift.io/deployment-config.latest-version=1
                    openshift.io/deployment-config.name=docker-registry
                    openshift.io/deployment.name=docker-registry-1
                    openshift.io/scc=privileged
Status:             Running
IP:                 10.130.0.5
Controlled By:      ReplicationController/docker-registry-1
Containers:
  registry:
    Container ID:   docker://ca29fa97475885674a71eb1a58fe6d45866fdb07044bcf59fca3b01473adc968
    Image:          openshift/origin-docker-registry:v3.11.0
    Image ID:       docker-pullable://docker.io/openshift/origin-docker-registry@sha256:82b693c48dc3a12d78b1b30a73c4a48b656118f542350663f42ddd19193fc417
    Port:           5000/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Mon, 19 Nov 2018 15:41:30 +0900
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   256Mi
    Liveness:   http-get http://:5000/healthz delay=10s timeout=5s period=10s #success=1 #failure=3
    Readiness:  http-get http://:5000/healthz delay=0s timeout=5s period=10s #success=1 #failure=3
    Environment:
      REGISTRY_HTTP_ADDR:                                     :5000
      REGISTRY_HTTP_NET:                                      tcp
      REGISTRY_HTTP_SECRET:                                   +zTDrwQD6BTWW6qFMJZlb3aRWplxkwOofQJBhldVh7s=
      REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA:  false
    Mounts:
      /registry from registry-storage (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from registry-token-75xqr (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  registry-storage:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/origin/registry
    HostPathType:
  registry-token-75xqr:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  registry-token-75xqr
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/hostname=node01.srv.world
Tolerations:     node.kubernetes.io/memory-pressure:NoSchedule
.....
.....
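The point of steps [1] and [2] is to move the registry off the EmptyDir volume (images vanish with the Pod) onto a host directory pinned to one node. The following script is an added example, not part of the original page or of OKD: it reads `oc describe pod` output and reports whether the registry-storage volume is still ephemeral and whether the Pod carries the expected node selector. The two describe samples embedded below are constructed to mirror the output shown on this page (the node selector in the first sample is assumed); the `oc describe pod ... | audit_registry_pod` usage in the comment is an assumption about how you would feed it live output.

```shell
#!/bin/sh
# Added example (not from the original page): audit "oc describe pod" output
# of the registry Pod for ephemeral storage and node pinning.
# Assumed live usage (not executed here):
#   oc describe pod -n default -l docker-registry=default | audit_registry_pod node01.srv.world

# Print the Type of the registry-storage volume (e.g. EmptyDir or HostPath).
registry_volume_type() {
  awk '
    /^Volumes:/ { in_vol = 1; next }
    in_vol && /^  registry-storage:/ { in_rs = 1; next }
    in_vol && in_rs && /^    Type:/ { print $2; exit }
  '
}

# Print the host directory backing registry-storage, or nothing for EmptyDir.
registry_host_path() {
  awk '
    /^Volumes:/ { in_vol = 1; next }
    in_vol && /^  registry-storage:/ { in_rs = 1; next }
    in_vol && in_rs && /^    Path:/ { print $2; exit }
    in_vol && in_rs && /^  [^ ]/ { exit }   # next volume: stop looking
  '
}

# Print the Pod's node selector (e.g. kubernetes.io/hostname=node01.srv.world).
registry_node_selector() {
  awk '/^Node-Selectors:/ { print $2; exit }'
}

# audit_registry_pod NODE: read describe output on stdin; return 0 only when
# registry-storage is a HostPath volume and the Pod is pinned to NODE.
audit_registry_pod() {
  node="$1"
  desc=$(cat)
  vtype=$(printf '%s\n' "$desc" | registry_volume_type)
  path=$(printf '%s\n' "$desc" | registry_host_path)
  sel=$(printf '%s\n' "$desc" | registry_node_selector)
  status=0
  if [ "$vtype" != "HostPath" ]; then
    echo "WARN: registry-storage is '${vtype:-unknown}': images are lost when the Pod restarts"
    status=1
  else
    echo "OK: registry-storage is HostPath at $path"
  fi
  if [ "$sel" != "kubernetes.io/hostname=$node" ]; then
    echo "WARN: Pod is not pinned to $node (selector: '${sel:-none}')"
    status=1
  fi
  return $status
}

# Constructed sample: the installer's default registry (step [1] above).
SAMPLE_DEFAULT=$(cat <<'EOF'
Name:               docker-registry-1-7fhl2
Namespace:          default
Volumes:
  registry-storage:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
Node-Selectors:  node-role.kubernetes.io/infra=true
EOF
)

# Constructed sample: the recreated registry (step [2] above).
SAMPLE_HOSTPATH=$(cat <<'EOF'
Name:               docker-registry-1-tqtnv
Namespace:          default
Volumes:
  registry-storage:
    Type:          HostPath (bare host directory volume)
    Path:          /var/lib/origin/registry
    HostPathType:
  registry-token-75xqr:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  registry-token-75xqr
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  kubernetes.io/hostname=node01.srv.world
EOF
)

# Run the audit over both samples; the first warns, the second passes.
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_HOSTPATH"; do
  printf '%s\n' "$sample" | audit_registry_pod node01.srv.world || true
done
```

The exit status makes the check usable from a post-install script: a non-zero return means the registry is either still on EmptyDir or scheduled somewhere other than the node whose directory you prepared, both of which surface later as failed pushes in step [3].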
[3] Verify that any user can deploy any application. If the Registry configuration is flawed, pushing the container image fails and therefore the deployment fails as well.
[cent@ctrl ~]$
oc login

Authentication required for https://ctrl.srv.world:8443 (openshift)
Username: cent
Password:
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[cent@ctrl ~]$
oc new-project test-project

Now using project "test-project" on server "https://ctrl.srv.world:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git

to build a new example application in Ruby.

[cent@ctrl ~]$
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git

--> Found Docker image b1c2a30 (13 days old) from Docker Hub for "centos/ruby-25-centos7"

    Ruby 2.5
    --------
    Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.

    Tags: builder, ruby, ruby25, rh-ruby25

    * An image stream tag will be created as "ruby-25-centos7:latest" that will track the source image
    * A source build using source code from https://github.com/sclorg/ruby-ex.git will be created
      * The resulting image will be pushed to image stream tag "ruby-ex:latest"
      * Every time "ruby-25-centos7:latest" changes a new build will be triggered
    * This image will be deployed in deployment config "ruby-ex"
    * Port 8080/tcp will be load balanced by service "ruby-ex"
      * Other containers can access this service through the hostname "ruby-ex"

--> Creating resources ...
    imagestream.image.openshift.io "ruby-25-centos7" created
    imagestream.image.openshift.io "ruby-ex" created
    buildconfig.build.openshift.io "ruby-ex" created
    deploymentconfig.apps.openshift.io "ruby-ex" created
    service "ruby-ex" created
--> Success
    Build scheduled, use 'oc logs -f bc/ruby-ex' to track its progress.
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/ruby-ex'
    Run 'oc status' to view your app.

# after a while the deployment completes and the Pod is in the Running state

[cent@ctrl ~]$
oc status

In project test-project on server https://ctrl.srv.world:8443

svc/ruby-ex - 172.30.190.225:8080
  dc/ruby-ex deploys istag/ruby-ex:latest <-
    bc/ruby-ex source builds https://github.com/sclorg/ruby-ex.git on istag/ruby-25-centos7:latest
    deployment #1 deployed 49 seconds ago - 1 pod


2 infos identified, use 'oc status --suggest' to see details.

[cent@ctrl ~]$
oc get pods

NAME              READY     STATUS      RESTARTS   AGE
ruby-ex-1-build   0/1       Completed   0          1m
ruby-ex-1-cwsbq   1/1       Running     0          1m

[cent@ctrl ~]$
oc describe service ruby-ex

Name:              ruby-ex
Namespace:         test-project
Labels:            app=ruby-ex
Annotations:       openshift.io/generated-by=OpenShiftNewApp
Selector:          app=ruby-ex,deploymentconfig=ruby-ex
Type:              ClusterIP
IP:                172.30.190.225
Port:              8080-tcp  8080/TCP
TargetPort:        8080/TCP
Endpoints:         10.130.0.6:8080
Session Affinity:  None
Events:            <none>

[cent@ctrl ~]$
curl 172.30.190.225:8080


.....
.....

</head>
<body>

<section class='container'>
          <hgroup>
            <h1>Welcome to your Ruby application on OpenShift</h1>
          </hgroup>

.....
.....

</body>
</html>
[4] Enable the Registry Console so that the web-based UI can be used.
# check the routes

[origin@ctrl ~]$
oc get routes

NAME               HOST/PORT                                 PATH      SERVICES           PORT      TERMINATION   WILDCARD
docker-registry    docker-registry-default.apps.srv.world              docker-registry    <all>     passthrough   None
registry-console   registry-console-default.apps.srv.world             registry-console   <all>     passthrough   None

# if [registry-console] is not present in the route list above, create it as follows

[origin@ctrl ~]$
oc create route passthrough --service registry-console --port registry-console -n default
# create the Registry Console application

# [OPENSHIFT_OAUTH_PROVIDER_URL] is the URL specified in the [oauthConfig] section of [/etc/origin/master/master-config.yaml]

[origin@ctrl ~]$
oc new-app -n default --template=registry-console \
-p IMAGE_NAME="docker.io/cockpit/kubernetes:latest" \
-p OPENSHIFT_OAUTH_PROVIDER_URL="https://ctrl.srv.world:8443" \
-p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
-p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')

--> Deploying template "openshift/registry-console" to project default

     registry-console
     ---------
     Template for deploying registry web console. Requires cluster-admin.

     * With parameters:
        * IMAGE_NAME=docker.io/cockpit/kubernetes:latest
        * OPENSHIFT_OAUTH_PROVIDER_URL=https://ctrl.srv.world:8443
        * COCKPIT_KUBE_URL=https://registry-console-default.apps.srv.world
        * OPENSHIFT_OAUTH_CLIENT_SECRET=userb54oTgh2x67xXbmBcEqWeTTTFl5n7h1YrYk2Wg2HCxpiTu5NBelNfusNvwdJHhR3 # generated
        * OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client
        * REGISTRY_HOST=docker-registry-default.apps.srv.world

--> Creating resources ...
    deploymentconfig.apps.openshift.io "registry-console" created
    service "registry-console" created
    oauthclient.oauth.openshift.io "cockpit-oauth-client" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/registry-console'
    Run 'oc status' to view your app.

[origin@ctrl ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-ttw9l    1/1       Running   0          9m
registry-console-1-zjbqb   1/1       Running   0          1m
router-1-mjch7             1/1       Running   1          15h

[origin@ctrl ~]$
oc get routes

NAME               HOST/PORT                                 PATH      SERVICES           PORT      TERMINATION   WILDCARD
docker-registry    docker-registry-default.apps.srv.world              docker-registry    <all>     passthrough   None
registry-console   registry-console-default.apps.srv.world             registry-console   <all>     passthrough   None
[5] From any host that can resolve the URL assigned to the Registry Console ([registry-console-default.apps.srv.world] in the example above), open [https://registry-console-default.apps.srv.world/] in a web browser (you are redirected for authentication) and log in as any user to view the Registry status.