CentOS 7
Sponsored Link

OpenShift Origin 3.7 : Docker Registry の設定2018/02/07

Docker Registry の設定です。
OpenShift Origin インストールの通り構成すると、デフォルトで Registry 用の Pod も設定され稼働していますが、コンテナーイメージ用のストレージ領域は一時的なもののため、変更したい場合は以下のようにして Registry 用の Pod を再作成します。
なお、ストレージには OpenStack Swift や Google Storage, Microsoft Azure 等が利用可能ですが、当例では デフォルトの Filesystem を例にします。
当例では以下のような環境を例に OpenShift クラスターを構成しています。
           |                    |                    |
+----------+-----------+      +----------+-----------+      +----------+-----------+
|  [  dlp.srv.world ]  |      | [ node01.srv.world ] |      | [ node02.srv.world ] |
|     (Master Node)    |      |    (Compute Node)    |      |    (Compute Node)    |
|     (Compute Node)   |      |                      |      |                      |
+----------------------+      +----------------------+      +----------------------+

[1] インストーラーが構成したデフォルトの Registry は削除しておきます。
[origin@dlp ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-qjkzk    1/1       Running   1          1h
registry-console-1-jx2zv   1/1       Running   1          1h
router-1-btps5             1/1       Running   1          1h

[origin@dlp ~]$
oc describe pod docker-registry-1-qjkzk | grep -A3 'Volumes:'

    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)

# 関連設定削除

[origin@dlp ~]$
oc delete all -l docker-registry=default

deploymentconfig "docker-registry" deleted
pod "docker-registry-1-qjkzk" deleted

[origin@dlp ~]$
oc delete all -l app=registry-console

imagestream "registry-console" deleted
deploymentconfig "registry-console" deleted
pod "registry-console-1-jx2zv" deleted
service "registry-console" deleted

[origin@dlp ~]$
oc delete serviceaccount registry

serviceaccount "registry" deleted
[origin@dlp ~]$
oc delete service docker-registry

service "docker-registry" deleted
[origin@dlp ~]$
oc delete oauthclients cockpit-oauth-client

oauthclient "cockpit-oauth-client" deleted
[origin@dlp ~]$
oc get pods

router-1-btps5   1/1       Running   1          1h
[2] Master ノード上にコンテナーイメージ保管用ディレクトリーを作成して Registry の設定をします。
# イメージ保管用ディレクトリー作成 (任意の場所でよい)

[origin@dlp ~]$
sudo mkdir /var/lib/origin/registry

[origin@dlp ~]$
sudo chown origin. /var/lib/origin/registry
# registry アカウントに権限を付与

[origin@dlp ~]$
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry

scc "privileged" added to: ["system:serviceaccount:default:registry"]
# Registry 設定

[origin@dlp ~]$
sudo oadm registry \
--config=/etc/origin/master/admin.kubeconfig \
--service-account=registry \
--images='openshift/origin-docker-registry' \
--mount-host=/var/lib/origin/registry \
--selector="region=infra" \

--> Creating registry registry ...
    serviceaccount "registry" created
    clusterrolebinding "registry-registry-role" created
    deploymentconfig "docker-registry" created
    service "docker-registry" created
--> Success

# しばらくするとデプロイが完了し Pod が稼働状態になる

[origin@dlp ~]$
oc get pods

NAME                      READY     STATUS    RESTARTS   AGE
docker-registry-1-95lsw   1/1       Running   0          55s
router-1-btps5            1/1       Running   1          17h

[origin@dlp ~]$
oc describe pod docker-registry-1-95lsw

Name:           docker-registry-1-95lsw
Namespace:      default
Node:           dlp.srv.world/
Start Time:     Fri, 08 Feb 2018 19:30:28 +0900
Labels:         deployment=docker-registry-1
Annotations:    kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"docker-registry-1","uid":"6b94e04e-0d30-11e8-8fa8-525...
Status:         Running
Created By:     ReplicationController/docker-registry-1
Controlled By:  ReplicationController/docker-registry-1
    Container ID:       docker://ccb51a2e6186c83c178f0d2d08ccc519cc5caf31196d314f7243295936b21313
    Image:              openshift/origin-docker-registry
    Image ID:           docker-pullable://docker.io/openshift/origin-docker-registry@sha256:1d9da3c66a8d496e9ab0ff34967f62d577e2cab38a6ac6071cdd8e8ccb61389b
    Port:               5000/TCP
    State:              Running
      Started:          Fri, 08 Feb 2018 19:30:59 +0900
    Ready:              True
    Restart Count:      0
      cpu:      100m
      memory:   256Mi
    Liveness:   http-get http://:5000/healthz delay=10s timeout=5s period=10s #success=1 #failure=3
    Readiness:  http-get http://:5000/healthz delay=0s timeout=5s period=10s #success=1 #failure=3
      REGISTRY_HTTP_ADDR:                                       :5000
      REGISTRY_HTTP_NET:                                        tcp
      REGISTRY_HTTP_SECRET:                                     pzGkgYI9NwU/rxs/JlESoRT0uHrpG4k9jH3N6Lw4dJc=
      /registry from registry-storage (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from registry-token-48jr9 (ro)
  Type          Status
  Initialized   True
  Ready         True
  PodScheduled  True
    Type:       HostPath (bare host directory volume)
    Path:       /var/lib/origin/registry
    Type:       Secret (a volume populated by a Secret)
    SecretName: registry-token-48jr9
    Optional:   false
QoS Class:      Burstable
Node-Selectors: region=infra
[3] 任意のユーザーで任意のアプリケーションをデプロイ可能か確認しておきます。 Registry の設定に不備がある場合、コンテナーイメージの Push に失敗するためデプロイも失敗します。
[cent@dlp ~]$
oc login

Authentication required for https://dlp.srv.world:8443 (openshift)
Username: cent
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[cent@dlp ~]$
oc new-project test-project

Now using project "test-project" on server "https://dlp.srv.world:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

[cent@dlp ~]$
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

--> Creating resources ...
    imagestream "ruby-22-centos7" created
    imagestream "ruby-ex" created
    buildconfig "ruby-ex" created
    deploymentconfig "ruby-ex" created
    service "ruby-ex" created
--> Success
    Build scheduled, use 'oc logs -f bc/ruby-ex' to track its progress.
    Run 'oc status' to view your app.

# しばらくするとデプロイが完了し Pod が稼働状態になる

[cent@dlp ~]$
oc status

In project test-project on server https://dlp.srv.world:8443

svc/ruby-ex -
  dc/ruby-ex deploys istag/ruby-ex:latest <-
    bc/ruby-ex source builds https://github.com/openshift/ruby-ex.git on istag/ruby-22-centos7:latest
    deployment #1 deployed 19 seconds ago - 1 pod

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.

[cent@dlp ~]$
oc get pods

NAME              READY     STATUS      RESTARTS   AGE
ruby-ex-1-build   0/1       Completed   0          3m
ruby-ex-2-pgd2m   1/1       Running     0          57s

[cent@dlp ~]$
oc describe service ruby-ex

Name:                   ruby-ex
Namespace:              test-project
Labels:                 app=ruby-ex
Annotations:            openshift.io/generated-by=OpenShiftNewApp
Selector:               app=ruby-ex,deploymentconfig=ruby-ex
Type:                   ClusterIP
Port:                   8080-tcp        8080/TCP
Session Affinity:       None
Events:                 <none>

[cent@dlp ~]$



<section class='container'>
            <h1>Welcome to your Ruby application on OpenShift</h1>


[4] Registry Console を有効化して Web ベースの UI が利用できるよう設定します。
# ルート確認

[origin@dlp ~]$
oc get routes

NAME             HOST/PORT                               PATH SERVICES         PORT  TERMINATION   WILDCARD
docker-registry  docker-registry-default.apps.srv.world       docker-registry  <all> passthrough   None
registry-console registry-console-default.apps.srv.world      registry-console <all> passthrough   None

# ルート確認の結果 [registry-console] が存在しなかった場合は以下のようにして作成

[origin@dlp ~]$
oc create route passthrough --service registry-console --port registry-console -n default
# Registry Console アプリケーション作成

# [OPENSHIFT_OAUTH_PROVIDER_URL] は [/etc/origin/master/master-config.yaml] 内の

# [oauthConfig] セクション内で指定されている URL

[origin@dlp ~]$
oc new-app -n default --template=registry-console \
-p OPENSHIFT_OAUTH_PROVIDER_URL="https://dlp.srv.world:8443" \
-p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
-p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')

--> Deploying template "openshift/registry-console" to project default

     Template for deploying registry web console. Requires cluster-admin.

     * With parameters:
        * IMAGE_PREFIX=cockpit/
        * IMAGE_BASENAME=kubernetes
        * IMAGE_VERSION=latest
        * OPENSHIFT_OAUTH_PROVIDER_URL=https://dlp.srv.world:8443
        * COCKPIT_KUBE_URL=https://registry-console-default.apps.srv.world
        * OPENSHIFT_OAUTH_CLIENT_SECRET=user5WjmnJvHPAhJL8f2WopDOkcfy24R3IkHTpOn2YFiyyQcx2H8eDfr1EuuH1afHbxG # generated
        * OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client
        * REGISTRY_HOST=docker-registry-default.apps.srv.world

--> Creating resources ...
    deploymentconfig "registry-console" created
    service "registry-console" created
    imagestream "registry-console" created
    oauthclient "cockpit-oauth-client" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/registry-console'
    Run 'oc status' to view your app.

[origin@dlp ~]$
oc get pods

NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-95lsw    1/1       Running   0          9m
registry-console-1-xtz52   1/1       Running   0          1m
router-1-btps5             1/1       Running   1          17h

[origin@dlp ~]$
oc get routes

NAME             HOST/PORT                               PATH SERVICES         PORT   TERMINATION WILDCARD
docker-registry  docker-registry-default.apps.srv.world       docker-registry  <all>  passthrough None
registry-console registry-console-default.apps.srv.world      registry-console <all>  passthrough None
[5] Registry Console に割り当てられた URL (上記例の場合 [registry-console-default.apps.srv.world]) が名前解決可能な任意のホストから [https://registry-console-default.apps.srv.world/] へ Web アクセスし(認証時はリダイレクトされる)、任意のユーザーでログインすると Registry の状況が閲覧できます。