
Container Basics (1) - Installing and Using Docker Registry

OpenShift 4.x HOL Tutorial Collection

Contents

  • Deployment topology
  • Preparing the hosts
    • Creating the SSL certificate and the user authentication file
    • Installing the Docker environment
    • Opening the firewall
  • Installing Docker Registry
    • Installing and running Docker Registry as a container
    • Installing and running Docker Registry from a package
  • Container operations
    • Connectivity verification
      • Verification on the local host
      • Verification from a remote host
    • Image push/pull verification
  • Docker Registry operations
    • Viewing the images stored in Docker Registry
    • Deleting images from Docker Registry
  • Stopping Docker Registry
  • Some common problems

Deployment topology

To run the Registry and verify it, it is recommended to use two hosts: one runs the Docker client, the other runs the container holding the Registry (or the docker-distribution package).


Preparing the hosts

Creating the SSL certificate and the user authentication file

Perform the steps in this section on the host that runs the Registry.

  1. Set the environment variables. REGISTRY_DOMAIN is the valid domain name of the host that runs the Registry service (the host's domain name is assumed to be registry.domain.com).
$ REGISTRY_PATH=/data/registry
$ DOMAIN=domain.com
$ REGISTRY_DOMAIN=registry.${DOMAIN}
           
  2. Create the directories the Registry uses: auth holds the file used to verify user names and passwords, certs holds the certificate and key needed for TLS, and data holds the container images.
  3. Run the following command to create the certificate (public key and private key files) so that the Registry can run over HTTPS. The CN must be the valid domain name of the host that runs the Registry service.
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout ${REGISTRY_PATH}/certs/registry.key -x509 -days 365 \
  -out ${REGISTRY_PATH}/certs/registry.crt \
  -subj "/C=CN/ST=BEIJING/L=BJ/O=REDHAT/OU=IT/CN=${REGISTRY_DOMAIN}/emailAddress=admin@${DOMAIN}"
           
  4. View the certificate.
$ openssl x509 -in ${REGISTRY_PATH}/certs/registry.crt -text | head -n 14
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c2:02:34:f6:e0:55:14:8f
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=[email protected]
        Validity
            Not Before: Jun 28 04:37:54 2020 GMT
            Not After : Jun 28 04:37:54 2021 GMT
        Subject: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
           
  5. Create the htpasswd-based user authentication file; user1/password1 are the login user name and password.
$ yum -y install httpd-tools
$ htpasswd -bBc ${REGISTRY_PATH}/auth/htpasswd user1 password1
$ cat ${REGISTRY_PATH}/auth/htpasswd
user1:$2y$05$i5UFQBVopBbZsXJ6sG0SoOw1krIa9YU/5IjAPjKAsSUd5dssU5yTe
           
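The registry's htpasswd backend accepts only bcrypt entries, and htpasswd -B writes them at cost 05 by default, which is what the $2y$05$ prefix in the file above shows. The following checker is an added example, not code from the page or from the Docker Distribution project: it parses an htpasswd file, rejects entries the registry would not accept (MD5, SHA-1, crypt) and flags bcrypt entries below an assumed minimum cost (the 10 used here is a policy choice, not a registry requirement). The sample content is constructed: the first line reuses the page's entry, the other two are made-up entries in formats htpasswd can write but the registry does not accept.

```python
import re

# Constructed sample htpasswd content. The first line copies the bcrypt entry
# produced by the page's "htpasswd -bBc" command ($2y$05$ = bcrypt, cost 05);
# the other two are constructed entries in formats htpasswd can also write
# but that the registry's htpasswd backend does not accept.
SAMPLE_HTPASSWD = """\
user1:$2y$05$i5UFQBVopBbZsXJ6sG0SoOw1krIa9YU/5IjAPjKAsSUd5dssU5yTe
user2:$apr1$saltsalt$abcdefghijklmnopqrstuv
user3:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

# bcrypt modular crypt format: $2a|2b|2y$<2-digit cost>$<22 salt + 31 hash chars>
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Assumed policy, not a registry requirement: htpasswd -B defaults to cost 05,
# far below the cost of 10 that bcrypt libraries use by default.
MIN_BCRYPT_COST = 10


def classify_hash(hashed: str):
    """Return (algorithm, cost) for the hash field of one htpasswd line."""
    m = BCRYPT_RE.match(hashed)
    if m:
        return "bcrypt", int(m.group(1))
    if hashed.startswith("$apr1$"):
        return "apr1-md5", None
    if hashed.startswith("{SHA}"):
        return "sha1", None
    return "crypt-or-plaintext", None


def check_htpasswd(text: str, min_cost: int = MIN_BCRYPT_COST):
    """Return (line number, user, problem) tuples for entries the registry would
    reject or that fall below the assumed cost policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if not sep:
            findings.append((lineno, user, "malformed line, no ':' separator"))
            continue
        algo, cost = classify_hash(hashed)
        if algo != "bcrypt":
            findings.append((lineno, user,
                             f"{algo} entry: the registry accepts bcrypt only, "
                             f"recreate it with htpasswd -B"))
        elif cost < min_cost:
            findings.append((lineno, user,
                             f"bcrypt cost {cost:02d} is below {min_cost}, "
                             f"recreate it with htpasswd -B -C {min_cost}"))
    return findings


if __name__ == "__main__":
    for lineno, user, problem in check_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno} ({user}): {problem}")
```

Run it against the real file with `check_htpasswd(open("/data/registry/auth/htpasswd").read())`; an entry created with `htpasswd -bB -C 10` passes both checks.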

Installing the Docker environment

Install the Docker client, then start it.

$ yum -y install docker
$ systemctl start docker
           

Opening the firewall

So that other nodes can reach the Container Registry service running on the registry.domain.com node, either make sure the firewall on the Registry host is turned off, or run the following commands to open port 5000 in the node's firewall.

$ firewall-cmd --permanent --add-port=5000/tcp
$ firewall-cmd --reload
$ firewall-cmd --query-port=5000/tcp
           

Installing Docker Registry

Installing and running Docker Registry as a container

  1. Run the Registry image, mounting the container's /var/lib/registry directory onto /data/registry/data on the host, and configure the Registry container to start automatically with the Docker service.
$ docker run --name registry -p 5000:5000 --restart=always \
     -v ${REGISTRY_PATH}/data:/var/lib/registry:z \
     -v ${REGISTRY_PATH}/auth:/auth:z \
     -v ${REGISTRY_PATH}/certs:/certs:z \
     -e "REGISTRY_AUTH=htpasswd" \
     -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
     -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
     -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
     -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
     -d docker.io/library/registry:2
Unable to find image 'registry:2' locally
Trying to pull repository registry.access.redhat.com/registry ...
Pulling repository registry.access.redhat.com/registry
Trying to pull repository registry.fedoraproject.org/registry ...
Pulling repository registry.fedoraproject.org/registry
Trying to pull repository registry.centos.org/registry ...
Pulling repository registry.centos.org/registry
Trying to pull repository docker.io/library/registry ...
2: Pulling from docker.io/library/registry
cbdbe7a5bc2a: Pull complete
47112e65547d: Pull complete
46bcb632e506: Pull complete
c1cc712bcecd: Pull complete
3db6272dcbfa: Pull complete
Digest: sha256:8be26f81ffea54106bae012c6f349df70f4d5e7e2ec01b143c46e2c03b9e551d
Status: Downloaded newer image for docker.io/registry:2
8940dc961afeeb5d8a9ffa52915fca038f2c1156b1b59f2ae81aad064134b93b
           
  2. View the container running the Registry.
$ docker ps 
CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS              PORTS                    NAMES
79906ce6b19b        docker.io/library/registry:2   "/entrypoint.sh /e..."   2 hours ago         Up 2 hours          0.0.0.0:5000->5000/tcp   registry
           

Note: if you also want to carry out the steps in the "Installing and running Docker Registry from a package" section on the same host, first run the following commands to stop the Registry container and free port 5000.

$ docker stop registry
$ docker rm registry
           

Installing and running Docker Registry from a package

  1. On RHEL, first enable the Yum repo named rhel-7-server-extras-rpms with "subscription-manager repos --enable=rhel-7-server-extras-rpms". Alternatively, run the following command to create a repo configuration file that uses the CentOS YUM mirror.
$ cat > /etc/yum.repos.d/docker.repo << EOF
[extras]
name=CentOS 7 - Extras
baseurl=http://mirrors.163.com/centos/7/extras/x86_64
gpgcheck=0
 
EOF
           
  2. Once the Yum repo needed by docker-distribution is configured, run the following to install docker-distribution and httpd-tools. Note: make sure that the /data/registry directory exists and that registry.domain.com is this host's domain name or hostname.
$ sudo -i
$ yum -y install docker-distribution
           
  3. Edit the /etc/docker-distribution/registry/config.yml file. To allow images to be deleted, set storage.delete.enabled to true.
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /data/registry/data
  delete:
    enabled: true
auth:
  htpasswd:
    realm: basic-realm
    path: /data/registry/auth/htpasswd
http:
  addr: 0.0.0.0:5000
  host: https://registry.domain.com:5000
  tls:
    certificate: /data/registry/certs/registry.crt
    key: /data/registry/certs/registry.key
           
  4. Start the docker-distribution service, then check its status.
$ systemctl restart docker-distribution
$ systemctl status docker-distribution
● docker-distribution.service - v2 Registry server for Docker
   Loaded: loaded (/usr/lib/systemd/system/docker-distribution.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-07-07 01:13:06 EDT; 37s ago
 Main PID: 10252 (registry)
   CGroup: /system.slice/docker-distribution.service
           └─10252 /usr/bin/registry serve /etc/docker-distribution/registry/config.yml

Jul 07 01:13:06 registry systemd[1]: Stopped v2 Registry server for Docker.
Jul 07 01:13:06 registry systemd[1]: Started v2 Registry server for Docker.
Jul 07 01:13:06 registry registry[10252]: time="2020-07-07T01:13:06-04:00" level=info msg="Starting upload purge in 5m0s" go.version=go1.9.2 instance....+unknown"
Jul 07 01:13:06 registry registry[10252]: time="2020-07-07T01:13:06-04:00" level=warning msg="No HTTP secret provided - generated random secret. This may cause...
Jul 07 01:13:06 registry registry[10252]: time="2020-07-07T01:13:06-04:00" level=info msg="redis not configured" go.version=go1.9.2 instance.id=b07fc7...+unknown"
Jul 07 01:13:06 registry registry[10252]: time="2020-07-07T01:13:06-04:00" level=info msg="using inmemory blob descriptor cache" go.version=go1.9.2 in...+unknown"
Jul 07 01:13:06 registry registry[10252]: time="2020-07-07T01:13:06-04:00" level=info msg="listening on [::]:5000, tls" go.version=go1.9.2 instance.id...+unknown"
Hint: Some lines were ellipsized, use -l to show in full.
           
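Before port 5000 is reachable from other hosts, a reviewer checks config.yml for the settings that decide who can reach the registry and what they can do. The following audit is an added example, not code from the page or from the Docker Distribution project: it parses the mapping subset of YAML the registry config uses (so it needs no PyYAML) and reports the points worth reviewing. Run against the config.yml above it reports that http.secret is unset, which is what the "No HTTP secret provided" warning in the journal output refers to, and that storage.delete.enabled is true. PLAINTEXT_CONFIG is a constructed variant showing what the checks report for a registry without TLS and authentication; the function names are this example's own.

```python
# Copy of the page's /etc/docker-distribution/registry/config.yml, used as input.
PAGE_CONFIG = """\
version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /data/registry/data
  delete:
    enabled: true
auth:
  htpasswd:
    realm: basic-realm
    path: /data/registry/auth/htpasswd
http:
  addr: 0.0.0.0:5000
  host: https://registry.domain.com:5000
  tls:
    certificate: /data/registry/certs/registry.crt
    key: /data/registry/certs/registry.key
"""

# Constructed weaker variant: a registry before TLS and authentication are set up.
PLAINTEXT_CONFIG = """\
version: 0.1
storage:
  filesystem:
    rootdirectory: /data/registry/data
http:
  addr: 0.0.0.0:5000
"""


def _scalar(value: str):
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value.strip("'\"")


def parse_simple_yaml(text: str) -> dict:
    """Parse the subset of YAML the registry config uses: nested mappings with
    two-space indentation and scalar leaves (no lists, anchors or flow syntax)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:      # close mappings at deeper/equal indent
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value.strip())
    return root


def lookup(cfg: dict, dotted: str):
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_registry_config(cfg: dict) -> list:
    """Return the review points for a registry configuration, in fixed order."""
    findings = []
    if lookup(cfg, "http.tls.certificate") is None or lookup(cfg, "http.tls.key") is None:
        findings.append("http.tls: certificate/key unset, the registry serves plaintext HTTP "
                        "and clients would have to list it under insecure-registries")
    if lookup(cfg, "auth") is None:
        findings.append("auth: unset, anonymous clients can push and pull")
    if lookup(cfg, "http.secret") is None:
        findings.append("http.secret: unset, a random secret is generated at every start "
                        "(the 'No HTTP secret provided' journal warning); set it explicitly "
                        "when more than one instance shares the storage")
    if lookup(cfg, "storage.delete.enabled") is True:
        findings.append("storage.delete.enabled: true, any client that passes htpasswd auth "
                        "may delete manifests through the API")
    return findings


if __name__ == "__main__":
    for name, text in (("page config", PAGE_CONFIG), ("plaintext config", PLAINTEXT_CONFIG)):
        print(name)
        for finding in audit_registry_config(parse_simple_yaml(text)):
            print("  -", finding)
```

htpasswd auth has no per-repository authorization, so with delete enabled every user in the htpasswd file can delete any repository; that is acceptable for a lab registry and worth knowing before reusing the file elsewhere.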

Container operations

Connectivity verification

Verification on the local host

  1. On the local host where the registry is installed, copy the public certificate into the system's default CA trust directory.
$ cp ${REGISTRY_PATH}/certs/registry.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
           
  2. On the host running the Registry, access docker-distribution locally and list its repositories.
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
           
  3. On the host running the Registry, log in to the Registry.
$ docker login ${REGISTRY_DOMAIN}:5000 -u user1 -p password1
           

Verification from a remote host

  1. To access the Registry service over SSL, the public certificate must be copied to the client host. Run the following commands on the remote client host:
$ REGISTRY_PATH=/data/registry
$ DOMAIN=domain.com
$ REGISTRY_DOMAIN=registry.${DOMAIN}
$ scp root@${REGISTRY_DOMAIN}:${REGISTRY_PATH}/certs/registry.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
           
  2. Install Docker on the remote client host, then start it.
$ yum -y install docker
$ systemctl start docker
           
  3. On the remote client host, run the following command to list the image repositories on the remote node.
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
           
  4. On the remote client host, log in to the Registry.
$ docker login ${REGISTRY_DOMAIN}:5000 -u user1 -p password1
           

Image push/pull verification

The following steps can be run either on the Registry host or on a remote node.

  1. Check Docker's configuration file and confirm that the [registries.search] section includes docker.io.
$ more /etc/containers/registries.conf | grep registries.search -A1
[registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
           
  2. Pull the busybox image from docker.io into the local cache.
$ docker pull busybox
Using default tag: latest
Trying to pull repository docker.io/library/busybox ...
latest: Pulling from docker.io/library/busybox
76df9210b28c: Pull complete
Digest: sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
Status: Downloaded newer image for docker.io/busybox:latest
           
  3. View the locally cached images.
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
docker.io/busybox   latest              1c35c4412082        3 weeks ago         1.22 MB
           
  4. Re-tag the local busybox image for the Registry.
$ docker tag docker.io/busybox ${REGISTRY_DOMAIN}:5000/busybox
           
  5. View the locally cached images again.
$ docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
docker.io/busybox                  latest              1c35c4412082        3 weeks ago         1.22 MB
registry.domain.com:5000/busybox   latest              1c35c4412082        3 weeks ago         1.22 MB
           
  6. Push the registry.domain.com:5000/busybox image from the local cache to the Registry.
$ docker push ${REGISTRY_DOMAIN}:5000/busybox
The push refers to a repository [registry.domain.com:5000/busybox]
           
  7. Confirm that registry.domain.com:5000 now has a busybox repository.
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":["busybox"]}
 
$ curl -XGET -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/busybox/tags/list
{"name":"busybox","tags":["latest"]}
           
  8. Delete all busybox images from the local cache.
$ docker image remove docker.io/busybox:latest
Untagged: docker.io/busybox:latest
Untagged: docker.io/[email protected]:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209
$ docker image remove ${REGISTRY_DOMAIN}:5000/busybox:latest
Untagged: registry.domain.com:5000/busybox:latest
Untagged: registry.domain.com:5000/[email protected]:fd4a8673d0344c3a7f427fe4440d4b8dfd4fa59cfabbd9098f9eb0cb4ba905d0
Deleted: sha256:1c35c441208254cb7c3844ba95a96485388cef9ccc0646d562c7fc026e04c807
Deleted: sha256:1be74353c3d0fd55fb5638a52953e6f1bc441e5b1710921db9ec2aa202725569
           
  9. Confirm that there are no images left in the local cache.
$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
           
  10. Pull the busybox image from the local Docker Registry.
$ docker pull ${REGISTRY_DOMAIN}:5000/busybox:latest
Trying to pull repository registry.domain.com:5000/busybox ...
latest: Pulling from registry.domain.com:5000/busybox
76df9210b28c: Pull complete
Digest: sha256:fd4a8673d0344c3a7f427fe4440d4b8dfd4fa59cfabbd9098f9eb0cb4ba905d0
Status: Downloaded newer image for registry.domain.com:5000/busybox:latest
           
  11. Confirm that the registry.domain.com:5000/busybox image is now in the local cache.
$ docker images
REPOSITORY                         TAG                 IMAGE ID            CREATED             SIZE
registry.domain.com:5000/busybox   latest              1c35c4412082        3 weeks ago         1.22 MB
           
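The curl commands in the steps above talk to the Registry v2 HTTP API directly. The following client is an added example, not code from the page or from the Docker Distribution project: it reproduces the catalog and tag queries used in the verification, and adds the two calls that delete an image through the API rather than by editing the storage directory: a HEAD on the manifest to learn its digest, and a DELETE by that digest, which the registry accepts only when storage.delete.enabled is true. The TLS connection is verified against the registry certificate (or the system trust store, where update-ca-trust placed registry.crt) instead of being disabled. The class and function names, and the command-line usage, are this example's own.

```python
import base64
import json
import ssl
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def basic_auth_header(user: str, password: str) -> dict:
    """Same credential encoding curl -u and docker login send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_catalog(body: bytes) -> list:
    """Body of GET /v2/_catalog, e.g. {"repositories":["busybox"]}."""
    return json.loads(body)["repositories"]


def parse_tags(body: bytes) -> list:
    """Body of GET /v2/<name>/tags/list, e.g. {"name":"busybox","tags":["latest"]}."""
    return json.loads(body)["tags"]


class RegistryClient:
    def __init__(self, host: str, user: str, password: str, cafile=None):
        self.base = f"https://{host}/v2/"
        self.auth = basic_auth_header(user, password)
        # Verify the server against the registry certificate (cafile) or, with
        # cafile=None, the system trust store that update-ca-trust populated.
        # Verification is never switched off.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def build_request(self, method: str, path: str, headers=None) -> urllib.request.Request:
        return urllib.request.Request(self.base + path, method=method,
                                      headers={**self.auth, **(headers or {})})

    def _send(self, method: str, path: str, headers=None):
        with urllib.request.urlopen(self.build_request(method, path, headers),
                                    context=self.ctx) as resp:
            return resp.status, resp.headers, resp.read()

    def catalog(self) -> list:
        return parse_catalog(self._send("GET", "_catalog")[2])

    def tags(self, repo: str) -> list:
        return parse_tags(self._send("GET", f"{repo}/tags/list")[2])

    def manifest_digest(self, repo: str, reference: str) -> str:
        # Deletion is by digest only. Ask for the schema-2 media type so the
        # digest returned is the one the registry stored for the tag.
        _, headers, _ = self._send("HEAD", f"{repo}/manifests/{reference}",
                                   {"Accept": MANIFEST_V2})
        return headers["Docker-Content-Digest"]

    def delete_manifest(self, repo: str, digest: str) -> bool:
        # The registry answers 202 Accepted; with storage.delete.enabled false
        # it answers 405 and urlopen raises HTTPError instead.
        status, _, _ = self._send("DELETE", f"{repo}/manifests/{digest}")
        return status == 202


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("usage: registry_client.py <host:port> <user> <password>")
    else:
        client = RegistryClient(sys.argv[1], sys.argv[2], sys.argv[3])
        for repo in client.catalog():
            print(repo, client.tags(repo))
```

Deleting a manifest only unlinks it; the layer blobs stay under the data directory until garbage collection runs, `registry garbage-collect /etc/docker-distribution/registry/config.yml` for the package install (inside the registry:2 container the image's default config path is /etc/docker/registry/config.yml), with the registry stopped or switched to read-only (storage.maintenance.readonly) so the collector does not race with a push.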

Docker Registry operations

All steps in this section are performed on the Registry host.

Viewing the images stored in Docker Registry

  1. View the images docker-distribution has stored locally.
$ export REGISTRY_DATA_DIR=${REGISTRY_PATH}/data/docker/registry/v2
$ ll ${REGISTRY_DATA_DIR}/repositories
drwxr-xr-x. 5 root root 55 Jun 28 12:44 busybox
           

Deleting images from Docker Registry

  1. Download the script that deletes images from the Registry.
$ curl -L https://raw.githubusercontent.com/burnettk/delete-docker-registry-image/master/delete_docker_registry_image.py -o /usr/local/bin/delete_docker_registry_image
$ chmod +x  /usr/local/bin/delete_docker_registry_image
           
  2. Confirm the directory where the Docker images are stored.
$ echo ${REGISTRY_DATA_DIR}
/data/registry/data/docker/registry/v2/
           
  3. Run the command to delete the busybox image.
$ delete_docker_registry_image --image busybox
           
  4. Verify that the image has been deleted from the Docker Registry.
$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":[]}
           
  5. Verify that the directory that held the busybox image no longer exists in local storage.
$ ll ${REGISTRY_DATA_DIR}/repositories
total 0
           

Stopping Docker Registry

  1. If the Registry runs as a container, run the following commands to stop and remove the Registry container.
$ docker container stop registry
$ docker container rm -v registry
           
  2. If Docker Registry runs directly on the host, run the following command to stop the service.
$ systemctl stop docker-distribution
           

Some common problems

  1. Certificate mismatch error. For example, when the host running the Container Registry has several domain names (say registry.domain.com and registry.com), accessing it under a name other than the one in the certificate used by Docker-Distribution (registry.domain.com) produces the following errors:
$ curl -u user1:password1 https://registry.com:5000/v2/_catalog
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
 
$ docker login registry.com:5000 -u user1 -p password1
Error response from daemon: Get https://registry.com:5000/v1/users/: x509: certificate is valid for registry.domain.com, not registry.com
           

Action: use the domain name that appears in the certificate used by Docker-Distribution.

$ curl -u user1:password1 https://registry.domain.com:5000/v2/_catalog
{"repositories":[]}
 
$ docker login registry.domain.com:5000 -u user1 -p password1
Login Succeeded
           
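Both errors above come from hostname verification: curl and docker compare the name they were asked to connect to against the names carried in the certificate. The following checker is an added example, not code from the page: it extracts the Subject CN and any DNS Subject Alternative Names from openssl x509 -text output like the listing in the certificate step and applies the matching rule, with the port stripped as the clients do. One caveat the page's openssl req command does not address: the certificate it creates carries the name only in the CN, with no Subject Alternative Name. Go-built clients stopped falling back to the CN with Go 1.15 (the fallback was removed in Go 1.17), so current docker and podman builds reject such a certificate with "x509: certificate relies on legacy Common Name field" even for the right host name; adding -addext "subjectAltName=DNS:${REGISTRY_DOMAIN}" to the openssl req command (OpenSSL 1.1.1 or later) avoids that. PAGE_CERT_TEXT reuses the page's listing; SAN_CERT_TEXT is a constructed variant with that extension, and the legacy_cn flag models the older client behaviour the page's error message shows.

```python
import re

# Excerpt of the page's "openssl x509 -text" output for the certificate created
# by the openssl req command: the name is present only as the Subject CN.
PAGE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=admin@domain.com
        Subject: C=CN, ST=BEIJING, L=BJ, O=REDHAT, OU=IT, CN=registry.domain.com/emailAddress=admin@domain.com
"""

# Constructed variant of the same listing for a certificate issued with
# -addext "subjectAltName=DNS:registry.domain.com,DNS:registry.com".
SAN_CERT_TEXT = PAGE_CERT_TEXT + """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.domain.com, DNS:registry.com
"""


def extract_names(cert_text: str):
    """Return (subject CN or None, list of DNS SANs) from openssl x509 -text output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^/,\n]+)", cert_text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", cert_text)
    if m:
        sans = [e.strip()[len("DNS:"):] for e in m.group(1).split(",")
                if e.strip().startswith("DNS:")]
    return cn, sans


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is allowed only as
    the whole left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def strip_port(host: str) -> str:
    """registry.domain.com:5000 -> registry.domain.com (the port is not part of the name)."""
    return host.rsplit(":", 1)[0] if ":" in host else host


def certificate_valid_for(cert_text: str, host: str, legacy_cn: bool = False) -> bool:
    """Decide whether a client would accept this certificate for host.

    legacy_cn=True models older Go-built clients (such as docker 1.13 on CentOS 7)
    that fall back to the Subject CN when the certificate has no SAN; this is
    what produces the page's "certificate is valid for registry.domain.com, not
    registry.com" message. Go 1.15 deprecated and Go 1.17 removed that fallback,
    so current clients reject a SAN-less certificate for every host name.
    """
    hostname = strip_port(host)
    cn, sans = extract_names(cert_text)
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    return legacy_cn and cn is not None and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    for host in ("registry.domain.com:5000", "registry.com:5000"):
        print(host,
              "legacy client:", certificate_valid_for(PAGE_CERT_TEXT, host, legacy_cn=True),
              "current client:", certificate_valid_for(PAGE_CERT_TEXT, host),
              "with SAN cert:", certificate_valid_for(SAN_CERT_TEXT, host))
```

To check a live certificate, feed the output of `openssl x509 -in /data/registry/certs/registry.crt -text -noout` to certificate_valid_for with the host name the clients will use.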
