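[Note] The enterprise Docker registry domain name; registry.honsen.com is used as the example below.
1. Enable the development environment master node to access the enterprise registry server over HTTPS
1) Place the certificate on the development environment master node
Copy the certificate domain.crt generated on the registry server to /root/certs on the development environment master node
mkdir -p /etc/docker/certs.d/registry.honsen.com:5000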
cp /root/certs/domain.crt /etc/docker/certs.d/registry.honsen.com:5000/ca.crt
2) Append the contents of domain.crt to the end of /etc/pki/tls/certs/ca-bundle.crt
cat /root/certs/domain.crt >> /etc/pki/tls/certs/ca-bundle.crt
3) Test access to the registry server over HTTPS
curl https://registry.honsen.com:5000/v2
The result is:
Moved Permanently.
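2. Export the application images from the development environment
1) Find and log in to the development environment's internal s2i image registry
Log in to the development environment's OpenShift Web Console as an administrator and switch to the default project
In the left menu click Applications, select Routes, and click to open registry-console
Log in to registry-console as an administrator
In the left menu click Overview and view the login command
Copy the command line for logging in to the registry, log in remotely to the development environment master node, and run that command there
2) Pull the application images from the development environment's internal s2i image registry
In registry-console select the dev project and view the pull commands for the application images, for example: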
docker pull docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/pcweb:latest
docker pull docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/honsen-apiserver:latest
docker pull docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/notice-push:latest
docker pull docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/honsen-admin-collect:latest
docker pull docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/wechat:latest
docker pull docker-registry-default.router.default.svc.cluster.local/honsen/honsen-gateway:latest
Log in remotely to the development environment master node and run the docker pull commands above
3. Push the application images to the enterprise Docker registry
docker tag docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/pcweb:latest registry.honsen.com:5000/pcweb:1.0
docker push registry.honsen.com:5000/pcweb:1.0
docker tag docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/honsen-apiserver:latest registry.honsen.com:5000/honsen-apiserver:1.0
docker push registry.honsen.com:5000/honsen-apiserver:1.0
docker tag docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/notice-push:latest registry.honsen.com:5000/notice-push:1.0
docker push registry.honsen.com:5000/notice-push:1.0
docker tag docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/honsen-admin-collect:latest registry.honsen.com:5000/honsen-admin-collect:1.0
docker push registry.honsen.com:5000/honsen-admin-collect:1.0
docker tag docker-registry-default.router.default.svc.cluster.local/honsen-dev-4/wechat:latest registry.honsen.com:5000/wechat:1.0
docker push registry.honsen.com:5000/wechat:1.0
docker tag docker-registry-default.router.default.svc.cluster.local/honsen/honsen-gateway:latest registry.honsen.com:5000/honsen-gateway:1.0
docker push registry.honsen.com:5000/honsen-gateway:1.0
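[Note] The OpenShift project name; honsen is used as the example below.
4. Import the application images to generate the OpenShift Image Streams of the honsen project
Log in remotely to the production environment master node and run: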
oc import-image registry.honsen.com:5000/pcweb:1.0 -n honsen --confirm
oc import-image registry.honsen.com:5000/honsen-apiserver:1.0 -n honsen --confirm
oc import-image registry.honsen.com:5000/notice-push:1.0 -n honsen --confirm
oc import-image registry.honsen.com:5000/honsen-admin-collect:1.0 -n honsen --confirm
oc import-image registry.honsen.com:5000/wechat:1.0 -n honsen --confirm
oc import-image registry.honsen.com:5000/honsen-gateway:1.0 -n honsen --confirm
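Steps 2 to 4 as one script, added here as an example and not part of the original procedure. The function names, the DRY_RUN switch and the push/import arguments are assumptions of this example; the registries, image names, tag and project are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original page): scripted form of steps 2-4.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
set -eu   # stop at the first failure, so a failed pull never leads to pushing a stale local image

SRC_REGISTRY="docker-registry-default.router.default.svc.cluster.local"
DST_REGISTRY="registry.honsen.com:5000"
TAG="1.0"
PROJECT="honsen"
# namespace/name pairs exactly as listed in step 2
IMAGES="honsen-dev-4/pcweb honsen-dev-4/honsen-apiserver honsen-dev-4/notice-push
honsen-dev-4/honsen-admin-collect honsen-dev-4/wechat honsen/honsen-gateway"

# Target reference: the source namespace is dropped and the tag becomes 1.0.
target_ref() { printf '%s/%s:%s\n' "$DST_REGISTRY" "${1##*/}" "$TAG"; }

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Steps 2 and 3, run on the development master node.
push_all() {
    for img in $IMAGES; do
        src="$SRC_REGISTRY/$img:latest"
        dst="$(target_ref "$img")"
        run docker pull "$src"
        run docker tag "$src" "$dst"
        run docker push "$dst"
    done
}

# Step 4, run on the production master node.
import_all() {
    for img in $IMAGES; do
        run oc import-image "$(target_ref "$img")" -n "$PROJECT" --confirm
    done
}

# Hypothetical entry point: "push" on the dev master, "import" on the prod master.
case "${1:-}" in
    push)   push_all ;;
    import) import_all ;;
esac
```

Review the dry-run output first, then rerun with DRY_RUN=0 on the matching master node.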
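5. Grant the project's default service account permission to run containers as root (anyuid SCC)
[Note] nginx-based containers need to run as root
oc adm policy add-scc-to-user anyuid -z default -n honsen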
oc describe scc anyuid
6. Deploy the applications
7. Configure the routes