OpenShift 4 - 部署Mirror Registry并复制Image
文章目录
- 安装Mirror Registry运行环境
- 复制Image到Mirror Registry
- 准备登陆认证文件
- 生成远程Registry(quay.io)认证文件
- 生成Mirror Registry的认证文件
- 生成all-secret.json文件
- 复制Image到Mirror Registry
- 直接复制Image
- 间接复制Image
- 参考
说明:
- 本节我们以将安装OpenShift所需要的基础Image从quay.io镜像复制到运行在本地的Mirror Image Registry中。
- 本地的Mirror Image Registry我们使用Docker Registry。
安装Mirror Registry运行环境
以下命令使用root用户执行。
- 安装必要的软件包。
$ yum -y install podman httpd-tools
- 创建Registry使用的存储目录。
$ mkdir -p /opt/registry/{auth,certs,data}
- 获得运行Mirror Registry的主机的完整域名。
$ MIRRIR_REGISTRY=<FULL-DOMAIN-NAME>
- 创建Registry使用的证书(本例为自签名证书),包括私钥registry.key和证书registry.crt。
$ openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/registry.key -x509 -days 365 \
-out /opt/registry/certs/registry.crt \
-subj "/C=CN/ST=BEIJING/L=BJ/O=RedHat/OU=OpenShift.RedHat/CN=${MIRRIR_REGISTRY}/emailAddress=admin@${MIRRIR_REGISTRY}"
Generating a 4096 bit RSA private key
..............................................................................................................................................++
.................................................................................................................................................................................++
writing new private key to '/opt/registry/certs/registry.key'
-----
- 将自签名证书加到运行Mirror Registry节点的可信证书中,然后确认前几行就是上一步添加的“OU=OpenShift.RedHat”的证书。
$ cp /opt/registry/certs/registry.crt /etc/pki/ca-trust/source/anchors/
$ update-ca-trust
$ trust list | head -5
pkcs11:id=%fc%97%20%48%09%ec%49%74%85%87%12%be%d0%24%3a%62%63%a3%f6%7e;type=cert
type: certificate
label: OpenShift.RedHat
trust: anchor
category: authority
- 创建基于密码的认证文件htpasswd,并向其添加用户和密码。
$ htpasswd -bBc /opt/registry/auth/htpasswd <USER> <PASSWORD>
- 运行Mirror Registry。
$ podman run --name mirror-registry -p 5000:5000 \
-v /opt/registry/data:/var/lib/registry:z \
-v /opt/registry/auth:/auth:z \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v /opt/registry/certs:/certs:z \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
-e REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true \
-d docker.io/library/registry:2
Trying to pull docker.io/library/registry:2...
Getting image source signatures
Copying blob 3db6272dcbfa done
Copying blob c1cc712bcecd done
Copying blob cbdbe7a5bc2a done
Copying blob 47112e65547d done
Copying blob 46bcb632e506 done
Copying config 2d4f4b5309 done
Writing manifest to image destination
Storing signatures
1dbd16a4592bef9f386702b63ad2c67b3e4ccfae3dbbc232857bf3e69c202482
- 打开运行Mirror Registry节点的防火墙端口(或者关闭防火墙)。
$ firewall-cmd --add-port=5000/tcp --zone=internal --permanent
$ firewall-cmd --add-port=5000/tcp --zone=public --permanent
$ firewall-cmd --reload
- 确认可以访问Mirror Registry。
$ curl -u <USER>:<PASSWORD> -k https://${MIRRIR_REGISTRY}:5000/v2/_catalog
{"repositories":[]}
复制Image到Mirror Registry
将Image从远端Registry复制到Mirror Registry可以有以下2种方法:
- 如果远端Registry和Mirror Registry网络可以互通,可以采用直接复制的方式。
- 如果远端Registry和Mirror Registry网络不能互通,可以先将Image保存到摆渡环境,然后再导入到Mirror Registry。
在以下示例中由于需要访问远端Registry(quay.io)和本地Mirror Registry,所以需要用到2个用来登录的secret文件(local-secret.json和remote-secret.json)。另外由于第一种方式需要在一个命令中同时访问远端Registry(quay.io)和本地Mirror Registry,因此还需要将2个用来登录的secret文件合并成一个all-secret.json文件。
准备登陆认证文件
生成远程Registry(quay.io)认证文件
- 打开网页https://cloud.redhat.com/openshift/install/pull-secret,用你的redhat开发账号登录。
- 点击页面上的“Copy pull secret”链接,复制可访问quay.io的认证字符串。
- 将复制的字符串保存到操作节点的remote-secret.json文件中。
- 查看remote-secret.json。
$ jq . remote-secret.json
{
"auths": {
"cloud.openshift.com": {
"auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K2Rhd25saXUxZW8zZmYzOXpvenQ1ZDQ5b2JudGNmM3Rwbm86VDdKSEVKOFpZS1FaNVFSNVFMVDdXRDlZUTFCTENHSlBVSU9LUU0yRUhIMDRHUFVZTUE4TUYwQVA0STdSTlVJMw==",
"email": "[email protected]"
},
"quay.io": {
"auth": "b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K2Rhd25saXUxZW8zZmYzOXpvenQ1ZDQ5b2JudGNmM3Rwbm86VDdKSEVKOFpZS1FaNVFSNVFMVDdXRDlZUTFCTENHSlBVSU9LUU0yRUhIMDRHUFVZTUE4TUYwQVA0STdSTlVJMw==",
"email": "[email protected]"
},
"registry.connect.redhat.com": {
"auth": "NTE1MTA1OTN8dWhjLTFFTzNmRjM5ek96dDVENDlvQm50Q0YzdHBObzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVNak5oT0dOaFpqRXpPVEEwTUdZMVlqRXhOVGMxWWpBell6WXlZalpqWlNKOS5QOVFtUGJRTHktQ0lEbmV0VjlHVS1fWDY5QklyUEZQRi1idHJ4UGJwU0ZRMHBOQlhla0RoQ1RrZGV5V2lTNnRJaG5KckdFaENuWUhKNXlmcU80QXBHcV83S1U0a0o0WDl5TFB3Q1hlc3hzQWxJa3p1OURNYldBRnd4RmttYVBaLUlYQ2pFV1BSMzhBdEdSdlE4U25aVm5BQ0V0cTFNQTdUUTZSeFBSUUw5ZllMeU5YY3JJYUhQWlc3cUt1dWhTYkdERzVfY190SHQwQkR2TmhZZ1Nhck91X01SMl9jQk9TRllMSHl4TXozTVZQQ3hSMnh5UjB0OWQ2YnZad2dmWTlaTy1EQWV4d29MWVFZVWpDaXdCVl9kRnVhLWZmaFJrUVFLSFpmakk0WXlQSFNnYUVTLUpud21KV2tQdWJORDh6M3U4VWc0ZWJiQ25OZHpOZlUyc1gtOUcxYzR3aUhPYWdhVDdhV3RpNmhNWXpCMmJKcVVjR1RmeFJyZTFFMjA0QTRCTWhHSFA2WUFieUsxRlJxbUY2Tk1PYkN3TFB6SmZsUEZtQVB6aXJyZ0FfME9fZTd4b1NKc2dLUEZuYVRpbDFBVzlNek12TDM3eHlDT25IUE53MFAxLUdIcUVWZklOd2pSOFZ4cS1ZSnplS19jekVMNkhJeldienJaRDBkeTEzaTA0ekFHYi1ha3Zuel9EUUNQRkZCV01XWWdfUDZKYmtHVmwxbG4yaTVBeDJRb1JZX0ktTVk5c3A4OXI2M0ptQW1ucFZfNEtGRUVZSkdTbWh6VVcwOFNCdTVVWDZHRjlMQ1NRVEhmV3MweXAybVM0TzNiRjhnVDF1R1JJSmZueE1YQ05WdlZfQWh1UHgyRnRJSEpCZWtRNEFSUGRSMTRyemFGQk5UX2lQSF81TQ==",
"email": "[email protected]"
},
"registry.redhat.io": {
"auth": "NTE1MTA1OTN8dWhjLTFFTzNmRjM5ek96dDVENDlvQm50Q0YzdHBObzpleUpoYkdjaU9pSlNVelV4TWlKOS5leUp6ZFdJaU9pSTVNak5oT0dOaFpqRXpPVEEwTUdZMVlqRXhOVGMxWWpBell6WXlZalpqWlNKOS5QOVFtUGJRTHktQ0lEbmV0VjlHVS1fWDY5QklyUEZQRi1idHJ4UGJwU0ZRMHBOQlhla0RoQ1RrZGV5V2lTNnRJaG5KckdFaENuWUhKNXlmcU80QXBHcV83S1U0a0o0WDl5TFB3Q1hlc3hzQWxJa3p1OURNYldBRnd4RmttYVBaLUlYQ2pFV1BSMzhBdEdSdlE4U25aVm5BQ0V0cTFNQTdUUTZSeFBSUUw5ZllMeU5YY3JJYUhQWlc3cUt1dWhTYkdERzVfY190SHQwQkR2TmhZZ1Nhck91X01SMl9jQk9TRllMSHl4TXozTVZQQ3hSMnh5UjB0OWQ2YnZad2dmWTlaTy1EQWV4d29MWVFZVWpDaXdCVl9kRnVhLWZmaFJrUVFLSFpmakk0WXlQSFNnYUVTLUpud21KV2tQdWJORDh6M3U4VWc0ZWJiQ25OZHpOZlUyc1gtOUcxYzR3aUhPYWdhVDdhV3RpNmhNWXpCMmJKcVVjR1RmeFJyZTFFMjA0QTRCTWhHSFA2WUFieUsxRlJxbUY2Tk1PYkN3TFB6SmZsUEZtQVB6aXJyZ0FfME9fZTd4b1NKc2dLUEZuYVRpbDFBVzlNek12TDM3eHlDT25IUE53MFAxLUdIcUVWZklOd2pSOFZ4cS1ZSnplS19jekVMNkhJeldienJaRDBkeTEzaTA0ekFHYi1ha3Zuel9EUUNQRkZCV01XWWdfUDZKYmtHVmwxbG4yaTVBeDJRb1JZX0ktTVk5c3A4OXI2M0ptQW1ucFZfNEtGRUVZSkdTbWh6VVcwOFNCdTVVWDZHRjlMQ1NRVEhmV3MweXAybVM0TzNiRjhnVDF1R1JJSmZueE1YQ05WdlZfQWh1UHgyRnRJSEpCZWtRNEFSUGRSMTRyemFGQk5UX2lQSF81TQ==",
"email": "[email protected]"
}
}
}
生成Mirror Registry的认证文件
- 登录Mirror Registry,并将登录凭证写到local-secret.json文件中。
$ podman login -u <USER> -p <PASSWORD> --authfile local-secret.json ${MIRRIR_REGISTRY}:5000
- 查看local-secret.json文件内容,其中的"dXNlcjpwYXNzd29yZA=="就是登录凭证
$ cat local-secret.json
{
"auths": {
"clientvm.beijing-f5b3.internal:5000": {
"auth": "dXNlcjpwYXNzd29yZA=="
}
}
}
- 执行命令,查看登录凭证包括的信息,确认就是Mirror Registry的登录用户名和密码。
$ AUTH="dXNlcjpwYXNzd29yZA=="
$ echo $AUTH | base64 -d
user:password
生成all-secret.json文件
- 执行命令,将local-secret.json的“auths”中的内容和remote-secret.json合并,然后写入all-secret.json文件。
$ LOCAL_SECRET=$(jq .auths local-secret.json)
$ jq ".auths += $LOCAL_SECRET" < remote-secret.json > $HOME/all-secret.json
- 确认all-secret.json文件包括local-secret.json和remote-secret.json的内容。
$ cat $HOME/all-secret.json
复制Image到Mirror Registry
直接复制Image
- 设置环境变量
$ export OCP_RELEASE=4.5.4
$ export LOCAL_REGISTRY=${MIRRIR_REGISTRY}:5000
$ export LOCAL_REPOSITORY=ocp4/openshift4
$ export PRODUCT_REPO='openshift-release-dev'
$ export SECRET_JSON=$HOME/all-secret.json
$ export RELEASE_NAME="ocp-release"
$ export ARCHITECTURE=x86_64
$ export REMOVABLE_MEDIA_PATH=$HOME
- 执行命令,在2个Registry之间直接复制镜像。
$ oc adm -a ${SECRET_JSON} release mirror \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
- 执行上述命令后,会将110个OpenShift Image复制到Mirror Registry。成功后会有以下结果,注意提示:提示可在OpenShift创建“ImageContentSourcePolicy”对象,以为OpenShift增加Mirror Registry的配置。
。。。。
Success
Update image: clientvm.beijing-959a.internal:5000/ocp4/openshift4:4.5.4-x86_64
Mirror prefix: clientvm.beijing-959a.internal:5000/ocp4/openshift4
To use the new mirrored repository to install, add the following section to the install-config.yaml:
imageContentSources:
- mirrors:
- clientvm.beijing-959a.internal:5000/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- clientvm.beijing-959a.internal:5000/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: example
spec:
repositoryDigestMirrors:
- mirrors:
- clientvm.beijing-959a.internal:5000/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- clientvm.beijing-959a.internal:5000/ocp4/openshift4
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- 最后验证即可。
$ curl -u <USER>:<PASSWORD> -k https://${MIRRIR_REGISTRY}:5000/v2/_catalog
$ oc adm release info -a ${SECRET_JSON} "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
间接复制Image
- 在互联网区,先将Image下载到本地文件目录中。
$ oc adm release mirror -a ${SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror \
--to-dir=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
- 在网络隔离区,再将下载的Image导入到Mirror Registry。
$ oc image mirror -a ${SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror \
'file://openshift/release:${OCP_RELEASE}*' \
${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}f
- 最后验证即可。
$ curl -u <USER>:<PASSWORD> -k https://${MIRRIR_REGISTRY}:5000/v2/_catalog
$ oc adm release info -a ${SECRET_JSON} "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
参考
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.5/html-single/images/index
- https://www.openshift.com/blog/openshift-4-2-disconnected-install