OpenShift Origin (OKD) 3.11 : Docker Registry の設定2018/11/20 |
Docker Registry の設定です。
OpenShift Origin インストールの通り構成すると、デフォルトで Registry 用の Pod も設定され稼働していますが、コンテナーイメージ用のストレージ領域は一時的なもののため、変更したい場合は以下のようにして Registry 用の Pod を再作成します。
なお、ストレージには OpenStack Swift や Google Storage, Microsoft Azure 等が利用可能ですが、当例では
デフォルトの Filesystem を例にします。
当例では以下のような環境を例に OpenShift クラスターを構成しています。
-----------+-----------------------------+-----------------------------+------------ |10.0.0.25 |10.0.0.51 |10.0.0.52 +----------+-----------+ +----------+-----------+ +----------+-----------+ | [ ctrl.srv.world ] | | [ node01.srv.world ] | | [ node02.srv.world ] | | (Master Node) | | (Compute Node) | | (Compute Node) | | (Infra Node) | | | | | | (Compute Node) | | | | | +----------------------+ +----------------------+ +----------------------+ |
[1] | インストーラーが構成したデフォルトの Registry は削除しておきます。 |
[origin@ctrl ~]$ oc get pods NAME READY STATUS RESTARTS AGE docker-registry-1-7fhl2 1/1 Running 0 18m registry-console-1-r6pfv 1/1 Running 0 18m router-1-pshv8 1/1 Running 0 18m[origin@ctrl ~]$ oc describe pod docker-registry-1-7fhl2 | grep -A3 'Volumes:' Volumes: registry-storage: Type: EmptyDir (a temporary directory that shares a pod's lifetime) Medium: # 関連設定削除 [origin@ctrl ~]$ oc delete all -l docker-registry=default pod "docker-registry-1-h2cdr" deleted replicationcontroller "docker-registry-1" deleted service "docker-registry" deleted deploymentconfig.apps.openshift.io "docker-registry" deleted[origin@ctrl ~]$ oc delete all -l name=registry-console pod "registry-console-1-2cg24" deleted replicationcontroller "registry-console-1" deleted service "registry-console" deleted deploymentconfig.apps.openshift.io "registry-console" deleted
[origin@ctrl ~]$
oc delete serviceaccount registry serviceaccount "registry" deleted
[origin@ctrl ~]$
oc delete oauthclients cockpit-oauth-client oauthclient "cockpit-oauth-client" deleted # もし存在する場合は削除 [origin@ctrl ~]$ oc delete clusterrolebindings registry-registry-role clusterrolebinding.authorization.openshift.io "registry-registry-role" deleted oc get pods NAME READY STATUS RESTARTS AGE router-1-pshv8 1/1 Running 0 21m |
[2] | Registry の設定です。 例として [compute] ロールに属する [node01.srv.world] ノード上にコンテナーイメージ保管用ディレクトリーを作成し、当該ノード上に Registry Pod を固定して作成する設定をします。 |
[origin@ctrl ~]$ oc get nodes NAME STATUS ROLES AGE VERSION ctrl.srv.world Ready infra,master 3h v1.11.0+d4cacc0 node01.srv.world Ready compute 2h v1.11.0+d4cacc0 node02.srv.world Ready compute 2h v1.11.0+d4cacc0 # イメージ保管用ディレクトリー作成 (任意の場所でOK) [origin@ctrl ~]$ [origin@ctrl ~]$ # registry アカウントに権限を付与 [origin@ctrl ~]$ oc adm policy add-scc-to-user privileged system:serviceaccount:default:registry scc "privileged" added to: ["system:serviceaccount:default:registry"] # Registry 設定 [origin@ctrl ~]$ sudo oc adm registry \ --config=/etc/origin/master/admin.kubeconfig \ --service-account=registry \ --mount-host=/var/lib/origin/registry \ --selector='kubernetes.io/hostname=node01.srv.world' \ --replicas=1 --> Creating registry registry ... serviceaccount "registry" created clusterrolebinding.authorization.openshift.io "registry-registry-role" created deploymentconfig.apps.openshift.io "docker-registry" created service "docker-registry" created --> Success # しばらくするとデプロイが完了し Pod が稼働状態になる [origin@ctrl ~]$ oc get pods NAME READY STATUS RESTARTS AGE docker-registry-1-tqtnv 1/1 Running 0 29s router-1-pshv8 1/1 Running 0 22m[origin@ctrl ~]$ oc describe pod docker-registry-1-tqtnv Name: docker-registry-1-tqtnv Namespace: default Priority: 0 PriorityClassName: <none> Node: node01.srv.world/10.0.0.51 Start Time: Mon, 19 Nov 2018 15:41:22 +0900 Labels: deployment=docker-registry-1 deploymentconfig=docker-registry docker-registry=default Annotations: openshift.io/deployment-config.latest-version=1 openshift.io/deployment-config.name=docker-registry openshift.io/deployment.name=docker-registry-1 openshift.io/scc=privileged Status: Running IP: 10.130.0.5 Controlled By: ReplicationController/docker-registry-1 Containers: registry: Container ID: docker://ca29fa97475885674a71eb1a58fe6d45866fdb07044bcf59fca3b01473adc968 Image: openshift/origin-docker-registry:v3.11.0 Image ID: docker-pullable://docker.io/openshift/origin-docker-registry@sha256:82b693c48dc3a12d78b1b30a73c4a48b656118f542350663f42ddd19193fc417 Port: 5000/TCP Host Port: 0/TCP State: Running Started: Mon, 19 Nov 2018 15:41:30 +0900 Ready: True Restart Count: 0 Requests: cpu: 100m memory: 256Mi Liveness: http-get http://:5000/healthz delay=10s timeout=5s period=10s #success=1 #failure=3 Readiness: http-get http://:5000/healthz delay=0s timeout=5s period=10s #success=1 #failure=3 Environment: REGISTRY_HTTP_ADDR: :5000 REGISTRY_HTTP_NET: tcp REGISTRY_HTTP_SECRET: +zTDrwQD6BTWW6qFMJZlb3aRWplxkwOofQJBhldVh7s= REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA: false Mounts: /registry from registry-storage (rw) /var/run/secrets/kubernetes.io/serviceaccount from registry-token-75xqr (ro) Conditions: Type Status Initialized True Ready True ContainersReady True PodScheduled True Volumes: registry-storage: Type: HostPath (bare host directory volume) Path: /var/lib/origin/registry HostPathType: registry-token-75xqr: Type: Secret (a volume populated by a Secret) SecretName: registry-token-75xqr Optional: false QoS Class: Burstable Node-Selectors: kubernetes.io/hostname=node01.srv.world Tolerations: node.kubernetes.io/memory-pressure:NoSchedule ..... ..... |
[3] | 任意のユーザーで任意のアプリケーションをデプロイ可能か確認しておきます。 Registry の設定に不備がある場合、コンテナーイメージの Push に失敗するためデプロイも失敗します。 |
[cent@ctrl ~]$ oc login Authentication required for https://ctrl.srv.world:8443 (openshift) Username: cent Password: Login successful. You don't have any projects. You can try to create a new project, by running oc new-project <projectname>[cent@ctrl ~]$ oc new-project test-project Now using project "test-project" on server "https://ctrl.srv.world:8443". You can add applications to this project with the 'new-app' command. For example, try: oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git to build a new example application in Ruby.[cent@ctrl ~]$ oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git --> Found Docker image b1c2a30 (13 days old) from Docker Hub for "centos/ruby-25-centos7" Ruby 2.5 -------- Ruby 2.5 available as container is a base platform for building and running various Ruby 2.5 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible. Tags: builder, ruby, ruby25, rh-ruby25 * An image stream tag will be created as "ruby-25-centos7:latest" that will track the source image * A source build using source code from https://github.com/sclorg/ruby-ex.git will be created * The resulting image will be pushed to image stream tag "ruby-ex:latest" * Every time "ruby-25-centos7:latest" changes a new build will be triggered * This image will be deployed in deployment config "ruby-ex" * Port 8080/tcp will be load balanced by service "ruby-ex" * Other containers can access this service through the hostname "ruby-ex" --> Creating resources ... imagestream.image.openshift.io "ruby-25-centos7" created imagestream.image.openshift.io "ruby-ex" created buildconfig.build.openshift.io "ruby-ex" created deploymentconfig.apps.openshift.io "ruby-ex" created service "ruby-ex" created --> Success Build scheduled, use 'oc logs -f bc/ruby-ex' to track its progress. Application is not exposed. You can expose services to the outside world by executing one or more of the commands below: 'oc expose svc/ruby-ex' Run 'oc status' to view your app. # しばらくするとデプロイが完了し Pod が稼働状態になる [cent@ctrl ~]$ oc status In project test-project on server https://ctrl.srv.world:8443 svc/ruby-ex - 172.30.190.225:8080 dc/ruby-ex deploys istag/ruby-ex:latest <- bc/ruby-ex source builds https://github.com/sclorg/ruby-ex.git on istag/ruby-25-centos7:latest deployment #1 deployed 49 seconds ago - 1 pod 2 infos identified, use 'oc status --suggest' to see details.[cent@ctrl ~]$ oc get pods NAME READY STATUS RESTARTS AGE ruby-ex-1-build 0/1 Completed 0 1m ruby-ex-1-cwsbq 1/1 Running 0 1m[cent@ctrl ~]$ oc describe service ruby-ex Name: ruby-ex Namespace: test-project Labels: app=ruby-ex Annotations: openshift.io/generated-by=OpenShiftNewApp Selector: app=ruby-ex,deploymentconfig=ruby-ex Type: ClusterIP IP: 172.30.190.225 Port: 8080-tcp 8080/TCP TargetPort: 8080/TCP Endpoints: 10.130.0.6:8080 Session Affinity: None Events: <none>[cent@ctrl ~]$ curl 172.30.190.225:8080 ..... ..... </head> <body> <section class='container'> <hgroup> <h1>Welcome to your Ruby application on OpenShift</h1> </hgroup> ..... ..... </body> </html> |
[4] | Registry Console を有効化して Web ベースの UI が利用できるよう設定します。 |
# ルート確認 [origin@ctrl ~]$ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD docker-registry docker-registry-default.apps.srv.world docker-registry <all> passthrough None registry-console registry-console-default.apps.srv.world registry-console <all> passthrough None # ルート確認の結果 [registry-console] が存在しなかった場合は以下のようにして作成 [origin@ctrl ~]$ oc create route passthrough --service registry-console --port registry-console -n default
# Registry Console アプリケーション作成 # [OPENSHIFT_OAUTH_PROVIDER_URL] は [/etc/origin/master/master-config.yaml] 内の # [oauthConfig] セクション内で指定されている URL [origin@ctrl ~]$ oc new-app -n default --template=registry-console \ -p IMAGE_NAME="docker.io/cockpit/kubernetes:latest" \ -p OPENSHIFT_OAUTH_PROVIDER_URL="https://ctrl.srv.world:8443" \ -p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \ -p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}') --> Deploying template "openshift/registry-console" to project default registry-console --------- Template for deploying registry web console. Requires cluster-admin. * With parameters: * IMAGE_NAME=docker.io/cockpit/kubernetes:latest * OPENSHIFT_OAUTH_PROVIDER_URL=https://ctrl.srv.world:8443 * COCKPIT_KUBE_URL=https://registry-console-default.apps.srv.world * OPENSHIFT_OAUTH_CLIENT_SECRET=userb54oTgh2x67xXbmBcEqWeTTTFl5n7h1YrYk2Wg2HCxpiTu5NBelNfusNvwdJHhR3 # generated * OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client * REGISTRY_HOST=docker-registry-default.apps.srv.world --> Creating resources ... deploymentconfig.apps.openshift.io "registry-console" created service "registry-console" created oauthclient.oauth.openshift.io "cockpit-oauth-client" created --> Success Application is not exposed. You can expose services to the outside world by executing one or more of the commands below: 'oc expose svc/registry-console' Run 'oc status' to view your app.[origin@ctrl ~]$ oc get pods NAME READY STATUS RESTARTS AGE docker-registry-1-ttw9l 1/1 Running 0 9m registry-console-1-zjbqb 1/1 Running 0 1m router-1-mjch7 1/1 Running 1 15h[origin@ctrl ~]$ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD docker-registry docker-registry-default.apps.srv.world docker-registry <all> passthrough None registry-console registry-console-default.apps.srv.world registry-console <all> passthrough None |
[5] | Registry Console に割り当てられた URL (上記例の場合 [registry-console-default.apps.srv.world]) が名前解決可能な任意のホストから [https://registry-console-default.apps.srv.world/] へ Web アクセスし(認証時はリダイレクトされる)、任意のユーザーでログインすると Registry の状況が閲覧できます。 |
Sponsored Link |
|