OpenShift image registry 访问镜像
1. OpenShift 内部 image registry
Openshift 自带内部 image registry,可通过 podman 实现 image 的 pull 和 push 操作。
对不同操作,需要给用户指定相应的 role:
// podman pull
oc policy add-role-to-user registry-viewer <user_name>
// podman push
oc policy add-role-to-user registry-editor <user_name>
使用用户名 + token 的方式 login 内部 image registry:
$ podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false image-registry.openshift-image-registry.svc:5000
Login Succeeded!
通过 podman pull 拉取远端 registy image(这里直接拉取的内部 registry image):
$ podman pull image-registry.openshift-image-registry.svc:5000/default/xxx:0.4.1
podman images 查看是否拉取 image 到本地:
$ podman images | grep default/lcmaas-engine
image-registry.openshift-image-registry.svc:5000/default/xxx 0.4.1 f7b265fd6c39 3 weeks ago 64.9 MB
对本地的 image 打 tag 并且 push 到内部 image registry:
$ podman tag image-registry.openshift-image-registry.svc:5000/default/xxx:0.4.1 image-registry.openshift-image-registry.svc:5000/luban/xxx:0.4.1
$ podman push image-registry.openshift-image-registry.svc:5000/luban/xxx:0.4.1
注意 podman images 看不到内部 image registry 存储的 image,查看内部 image registry 存储的 image 可通过 curl registry url 的方式查看:
$ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://image-registry.openshift-image-registry.svc:5000/v2/_catalog | jq
$ env | grep http
https_proxy=http://10.158.xxx.xxx:8080/
http_proxy=http://10.158.xxx.xxx:8080/
$ unset https_proxy
$ unset http_proxy
$ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://image-registry.openshift-image-registry.svc:5000/v2/_catalog | jq
{
"repositories": [
"luban/xxx1",
"luban/xxx2",
...
这里要注意 curl 访问的是本地内部image registry 不需要走代理,如果设置了代理的话需要取消代理。
2. OpenShift 内部 insecure image registry
上节介绍的 image registry 是内部 secure 的,当访问内部 insecure image registry 时会报错 x509: certificate signed by unknown authority
:
$ podman pull default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest
Trying to pull default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest...
Error: Error initializing source docker://default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest:
error pinging docker registry default-route-openshift-image-registry.xxx.net:
Get "https://default-route-openshift-image-registry.apps.xxx.net/v2/": x509: certificate signed by unknown authority
解决方法可以从两个角度入手:
- 将 image registry 置为 secure。
- 忽视 insecure 的证书检查。
这里实践了第二种将 registry 配成 insecure 。
在 /etc/containers/registries.conf 文件下,添加如下 registry field:
[[registry]]
location = "default-route-openshift-image-registry.apps.xxx.net"
insecure = true
表示 location 定义的 registry 允许不安全的 HTTP 拉取。
详细解释可看 Podman添加私有镜像源配置 registries.conf
继续执行 podman pull insecure image registry:
$ podman pull default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.4.1
Trying to pull default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.4.1...
Getting image source signatures
Copying blob 298d29d50a74 [--------------------------------------] 0.0b / 0.0b
Copying config f7b265fd6c done
Writing manifest to image destination
Storing signatures
f7b265fd6c39b522c6c606eb49a124def7ff8bce8560ba83dfc83982eac00d53
拉取成功!
使用 kubernetes 部署 pod 并且指定 insecure image registry 看是否能拉取成功:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning Failed 5m48s (x6 over 7m5s) kubelet Error: ImagePullBackOff
Normal Pulling 5m35s (x4 over 7m6s) kubelet Pulling image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554"
Warning Failed 5m35s (x4 over 7m6s) kubelet Failed to pull image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554": rpc error: code = Unknown desc = pinging container registry default-route-openshift-image-registry.apps.xxx.net: Get "https://default-route-openshift-image-registry.apps.xxx.net/v2/": x509: certificate signed by unknown authority
Warning Failed 5m35s (x4 over 7m6s) kubelet Error: ErrImagePull
Normal BackOff 114s (x22 over 7m5s) kubelet Back-off pulling image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554"
还是报 x509: certificate signed by unknown authority
错误。
猜测 containerd(OpenShift 安装的 containerd 是 oci-o) 在 pull image 时报错,解决方式应该是类似的,在 containerd 的配置文件中添加 insecure registry。这里就不继续实践了。
3. 参考文章
- Trouble with insecure_registries
- https://docs.docker.com/registry/insecure/
- Failed to pull image with "x509: certificate signed by unknown authority" error
- Accessing the registry
- 向OpenShift内部Image Registry推送Image