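OpenShift Origin 3.7 : Configure Docker Registry
2018/02/07

This page configures the Docker Registry.
If you build the cluster as described in the OpenShift Origin installation, a Registry Pod is also configured and running by default, but its storage area for container images is ephemeral. To change that, recreate the Registry Pod as follows.
Storage backends such as OpenStack Swift, Google Storage, and Microsoft Azure are available, but this example uses the default Filesystem.
This example is based on an OpenShift cluster in the following environment.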
-----------+-----------------------------------------------------------+------------
           |10.0.0.30                    |10.0.0.51                    |10.0.0.52
+----------+-----------+      +----------+-----------+      +----------+-----------+
|  [ dlp.srv.world ]   |      | [ node01.srv.world ] |      | [ node02.srv.world ] |
|    (Master Node)     |      |    (Compute Node)    |      |    (Compute Node)    |
|    (Compute Node)    |      |                      |      |                      |
+----------------------+      +----------------------+      +----------------------+

[1] Delete the default Registry that the installer configured.

[origin@dlp ~]$ oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-qjkzk    1/1       Running   1          1h
registry-console-1-jx2zv   1/1       Running   1          1h
router-1-btps5             1/1       Running   1          1h

[origin@dlp ~]$ oc describe pod docker-registry-1-qjkzk | grep -A3 'Volumes:'
Volumes:
  registry-storage:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:

# delete the related settings
[origin@dlp ~]$ oc delete all -l docker-registry=default
deploymentconfig "docker-registry" deleted
pod "docker-registry-1-qjkzk" deleted

[origin@dlp ~]$ oc delete all -l app=registry-console
imagestream "registry-console" deleted
deploymentconfig "registry-console" deleted
pod "registry-console-1-jx2zv" deleted
service "registry-console" deleted

[origin@dlp ~]$ oc delete serviceaccount registry
serviceaccount "registry" deleted

[origin@dlp ~]$ oc delete service docker-registry
service "docker-registry" deleted

[origin@dlp ~]$ oc delete oauthclients cockpit-oauth-client
oauthclient "cockpit-oauth-client" deleted

[origin@dlp ~]$ oc get pods
NAME             READY     STATUS    RESTARTS   AGE
router-1-btps5   1/1       Running   1          1h

[2] On the Master node, create a directory to store container images and configure the Registry.

# create a directory to store images (any location is fine)
[origin@dlp ~]$
[origin@dlp ~]$

# grant permission to the registry account
[origin@dlp ~]$ oadm policy add-scc-to-user privileged system:serviceaccount:default:registry
scc "privileged" added to: ["system:serviceaccount:default:registry"]

# configure the Registry
[origin@dlp ~]$ sudo oadm registry \
--config=/etc/origin/master/admin.kubeconfig \
--service-account=registry \
--images='openshift/origin-docker-registry' \
--mount-host=/var/lib/origin/registry \
--selector="region=infra" \
--replicas=1
--> Creating registry registry ...
    serviceaccount "registry" created
    clusterrolebinding "registry-registry-role" created
    deploymentconfig "docker-registry" created
    service "docker-registry" created
--> Success

# after a while, the deployment completes and the Pod is running
[origin@dlp ~]$ oc get pods
NAME                      READY     STATUS    RESTARTS   AGE
docker-registry-1-95lsw   1/1       Running   0          55s
router-1-btps5            1/1       Running   1          17h

[origin@dlp ~]$ oc describe pod docker-registry-1-95lsw
Name:           docker-registry-1-95lsw
Namespace:      default
Node:           dlp.srv.world/10.0.0.30
Start Time:     Fri, 08 Feb 2018 19:30:28 +0900
Labels:         deployment=docker-registry-1
                deploymentconfig=docker-registry
                docker-registry=default
Annotations:    kubernetes.io/created-by={"kind":"SerializedReference","apiVersion":"v1","reference":{"kind":"ReplicationController","namespace":"default","name":"docker-registry-1","uid":"6b94e04e-0d30-11e8-8fa8-525...
                openshift.io/deployment-config.latest-version=1
                openshift.io/deployment-config.name=docker-registry
                openshift.io/deployment.name=docker-registry-1
                openshift.io/scc=privileged
Status:         Running
IP:             10.129.0.15
Created By:     ReplicationController/docker-registry-1
Controlled By:  ReplicationController/docker-registry-1
Containers:
  registry:
    Container ID:   docker://ccb51a2e6186c83c178f0d2d08ccc519cc5caf31196d314f7243295936b21313
    Image:          openshift/origin-docker-registry
    Image ID:       docker-pullable://docker.io/openshift/origin-docker-registry@sha256:1d9da3c66a8d496e9ab0ff34967f62d577e2cab38a6ac6071cdd8e8ccb61389b
    Port:           5000/TCP
    State:          Running
      Started:      Fri, 08 Feb 2018 19:30:59 +0900
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:      100m
      memory:   256Mi
    Liveness:   http-get http://:5000/healthz delay=10s timeout=5s period=10s #success=1 #failure=3
    Readiness:  http-get http://:5000/healthz delay=0s timeout=5s period=10s #success=1 #failure=3
    Environment:
      REGISTRY_HTTP_ADDR:       :5000
      REGISTRY_HTTP_NET:        tcp
      REGISTRY_HTTP_SECRET:     pzGkgYI9NwU/rxs/JlESoRT0uHrpG4k9jH3N6Lw4dJc=
      REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA:    false
    Mounts:
      /registry from registry-storage (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from registry-token-48jr9 (ro)
Conditions:
  Type           Status
  Initialized    True
  Ready          True
  PodScheduled   True
Volumes:
  registry-storage:
    Type:       HostPath (bare host directory volume)
    Path:       /var/lib/origin/registry
  registry-token-48jr9:
    Type:       Secret (a volume populated by a Secret)
    SecretName: registry-token-48jr9
    Optional:   false
QoS Class:      Burstable
Node-Selectors: region=infra
.....
.....
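
The check that steps [1] and [2] make by eye, written as a script: it reads `oc describe pod` text, confirms that the registry-storage volume is a HostPath at the expected directory rather than an EmptyDir, and reports the SCC the pod runs under. This is an added example, not part of the original page; the function names are hypothetical and the sample input is constructed from the output shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.

# Constructed sample: lines trimmed from the `oc describe pod` output in step [2].
sample_describe() {
cat <<'EOF'
Name:           docker-registry-1-95lsw
Annotations:    openshift.io/deployment.name=docker-registry-1
                openshift.io/scc=privileged
Volumes:
  registry-storage:
    Type:       HostPath (bare host directory volume)
    Path:       /var/lib/origin/registry
  registry-token-48jr9:
    Type:       Secret (a volume populated by a Secret)
    SecretName: registry-token-48jr9
QoS Class:      Burstable
EOF
}

# Print FIELD ("Type" or "Path") of volume NAME, reading describe text on stdin.
volume_field() {
  awk -v vol="$1" -v field="$2" '
    /^Volumes:/          { in_vols = 1; next }
    in_vols && /^[^ ]/   { in_vols = 0 }        # next top-level section ends Volumes
    in_vols && /^  [^ ]/ { cur = $1; sub(/:$/, "", cur); next }
    in_vols && cur == vol && $1 == (field ":") { print $2; exit }
  '
}

# Print the SCC the pod was admitted under (openshift.io/scc annotation).
pod_scc() {
  sed -n 's/.*openshift\.io\/scc=\([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if registry-storage is a HostPath at directory $1
# (the subshell body keeps the variables local).
check_registry_storage() (
  text=$(cat)
  type=$(printf '%s\n' "$text" | volume_field registry-storage Type)
  path=$(printf '%s\n' "$text" | volume_field registry-storage Path)
  scc=$(printf '%s\n' "$text" | pod_scc)
  echo "registry-storage: type=${type:-unknown} path=${path:-none} scc=${scc:-unknown}"
  [ "$type" = "HostPath" ] && [ "$path" = "$1" ]
)

# Live use: oc describe pod <registry-pod> | check_registry_storage /var/lib/origin/registry
sample_describe | check_registry_storage /var/lib/origin/registry
```

The function returns non-zero for the EmptyDir volume shown in step [1], so it can gate a deployment script.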

[3] Confirm that any user can deploy any application. If the Registry is misconfigured, pushing the container image fails, so the deployment fails as well.

[cent@dlp ~]$ oc login
Authentication required for https://dlp.srv.world:8443 (openshift)
Username: cent
Password:
Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>

[cent@dlp ~]$ oc new-project test-project
Now using project "test-project" on server "https://dlp.srv.world:8443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

to build a new example application in Ruby.

[cent@dlp ~]$ oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
--> Creating resources ...
    imagestream "ruby-22-centos7" created
    imagestream "ruby-ex" created
    buildconfig "ruby-ex" created
    deploymentconfig "ruby-ex" created
    service "ruby-ex" created
--> Success
    Build scheduled, use 'oc logs -f bc/ruby-ex' to track its progress.
    Run 'oc status' to view your app.

# after a while, the deployment completes and the Pod is running
[cent@dlp ~]$ oc status
In project test-project on server https://dlp.srv.world:8443

svc/ruby-ex - 172.30.76.211:8080
  dc/ruby-ex deploys istag/ruby-ex:latest <-
    bc/ruby-ex source builds https://github.com/openshift/ruby-ex.git on istag/ruby-22-centos7:latest
    deployment #1 deployed 19 seconds ago - 1 pod

View details with 'oc describe <resource>/<name>' or list everything with 'oc get all'.

[cent@dlp ~]$ oc get pods
NAME              READY     STATUS      RESTARTS   AGE
ruby-ex-1-build   0/1       Completed   0          3m
ruby-ex-2-pgd2m   1/1       Running     0          57s

[cent@dlp ~]$ oc describe service ruby-ex
Name:              ruby-ex
Namespace:         test-project
Labels:            app=ruby-ex
Annotations:       openshift.io/generated-by=OpenShiftNewApp
Selector:          app=ruby-ex,deploymentconfig=ruby-ex
Type:              ClusterIP
IP:                172.30.76.211
Port:              8080-tcp  8080/TCP
Endpoints:         10.129.0.17:8080
Session Affinity:  None
Events:            <none>

[cent@dlp ~]$ curl 172.30.76.211:8080
.....
.....
</head>
<body>

<section class='container'>
          <hgroup>
            <h1>Welcome to your Ruby application on OpenShift</h1>
          </hgroup>
.....
.....
</body>
</html>

[4] Enable the Registry Console so that a web-based UI is available.

# check the routes
[origin@dlp ~]$ oc get routes
NAME               HOST/PORT                                 PATH      SERVICES           PORT      TERMINATION   WILDCARD
docker-registry    docker-registry-default.apps.srv.world              docker-registry    <all>     passthrough   None
registry-console   registry-console-default.apps.srv.world             registry-console   <all>     passthrough   None

# if the [registry-console] route does not appear in the output above, create it as follows
[origin@dlp ~]$ oc create route passthrough --service registry-console --port registry-console -n default

# create the Registry Console application
# [OPENSHIFT_OAUTH_PROVIDER_URL] is the URL specified in the [oauthConfig] section
# of [/etc/origin/master/master-config.yaml]
[origin@dlp ~]$ oc new-app -n default --template=registry-console \
-p OPENSHIFT_OAUTH_PROVIDER_URL="https://dlp.srv.world:8443" \
-p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
-p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')
--> Deploying template "openshift/registry-console" to project default

     registry-console
     ---------
     Template for deploying registry web console. Requires cluster-admin.

     * With parameters:
        * IMAGE_PREFIX=cockpit/
        * IMAGE_BASENAME=kubernetes
        * IMAGE_VERSION=latest
        * OPENSHIFT_OAUTH_PROVIDER_URL=https://dlp.srv.world:8443
        * COCKPIT_KUBE_URL=https://registry-console-default.apps.srv.world
        * OPENSHIFT_OAUTH_CLIENT_SECRET=user5WjmnJvHPAhJL8f2WopDOkcfy24R3IkHTpOn2YFiyyQcx2H8eDfr1EuuH1afHbxG # generated
        * OPENSHIFT_OAUTH_CLIENT_ID=cockpit-oauth-client
        * REGISTRY_HOST=docker-registry-default.apps.srv.world

--> Creating resources ...
    deploymentconfig "registry-console" created
    service "registry-console" created
    imagestream "registry-console" created
    oauthclient "cockpit-oauth-client" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose svc/registry-console'
    Run 'oc status' to view your app.

[origin@dlp ~]$ oc get pods
NAME                       READY     STATUS    RESTARTS   AGE
docker-registry-1-95lsw    1/1       Running   0          9m
registry-console-1-xtz52   1/1       Running   0          1m
router-1-btps5             1/1       Running   1          17h

[origin@dlp ~]$ oc get routes
NAME               HOST/PORT                                 PATH      SERVICES           PORT      TERMINATION   WILDCARD
docker-registry    docker-registry-default.apps.srv.world              docker-registry    <all>     passthrough   None
registry-console   registry-console-default.apps.srv.world             registry-console   <all>     passthrough   None

[5] From any host that can resolve the URL assigned to the Registry Console ([registry-console-default.apps.srv.world] in the example above), open [https://registry-console-default.apps.srv.world/] in a web browser (you are redirected for authentication) and log in as any user to view the status of the Registry.