OpenShift image registry 访问镜像

1. OpenShift 内部 image registry

Openshift 自带内部 image registry,可通过 podman 实现 image 的 pull 和 push 操作。

对不同操作,需要给用户指定相应的 role:

// podman pull 
oc policy add-role-to-user registry-viewer <user_name>

// podman push
oc policy add-role-to-user registry-editor <user_name>

使用用户名 + token 的方式 login 内部 image registry:

$ podman login -u $(oc whoami) -p $(oc whoami -t) --tls-verify=false image-registry.openshift-image-registry.svc:5000
Login Succeeded!

通过 podman pull 拉取远端 registy image(这里直接拉取的内部 registry image):

$ podman pull image-registry.openshift-image-registry.svc:5000/default/xxx:0.4.1

podman images 查看是否拉取 image 到本地:

$ podman images | grep default/lcmaas-engine
image-registry.openshift-image-registry.svc:5000/default/xxx   0.4.1    f7b265fd6c39  3 weeks ago    64.9 MB

对本地的 image 打 tag 并且 push 到内部 image registry:

$ podman tag image-registry.openshift-image-registry.svc:5000/default/xxx:0.4.1 image-registry.openshift-image-registry.svc:5000/luban/xxx:0.4.1

$ podman push image-registry.openshift-image-registry.svc:5000/luban/xxx:0.4.1

注意 podman images 看不到内部 image registry 存储的 image,查看内部 image registry 存储的 image 可通过 curl registry url 的方式查看:

$ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://image-registry.openshift-image-registry.svc:5000/v2/_catalog | jq

$ env | grep http
https_proxy=http://10.158.xxx.xxx:8080/
http_proxy=http://10.158.xxx.xxx:8080/
$ unset https_proxy
$ unset http_proxy

$ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://image-registry.openshift-image-registry.svc:5000/v2/_catalog | jq
{
  "repositories": [
    "luban/xxx1",
    "luban/xxx2",
	...

这里要注意 curl 访问的是本地内部image registry 不需要走代理,如果设置了代理的话需要取消代理。

2. OpenShift 内部 insecure image registry

上节介绍的 image registry 是内部 secure 的,当访问内部 insecure image registry 时会报错 x509: certificate signed by unknown authority

$ podman pull default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest
Trying to pull default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest...
Error: Error initializing source docker://default-route-openshift-image-registry.apps.xxx.net/default/xxx-0.4.1:latest: 
error pinging docker registry default-route-openshift-image-registry.xxx.net: 
Get "https://default-route-openshift-image-registry.apps.xxx.net/v2/": x509: certificate signed by unknown authority

解决方法可以从两个角度入手:

  1. 将 image registry 置为 secure。
  2. 忽视 insecure 的证书检查。

这里实践了第二种将 registry 配成 insecure 。
在 /etc/containers/registries.conf 文件下,添加如下 registry field:

[[registry]]
location = "default-route-openshift-image-registry.apps.xxx.net"
insecure = true

表示 location 定义的 registry 允许不安全的 HTTP 拉取。

详细解释可看 Podman添加私有镜像源配置 registries.conf

继续执行 podman pull insecure image registry:

$ podman pull default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.4.1
Trying to pull default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.4.1...
Getting image source signatures
Copying blob 298d29d50a74 [--------------------------------------] 0.0b / 0.0b
Copying config f7b265fd6c done
Writing manifest to image destination
Storing signatures
f7b265fd6c39b522c6c606eb49a124def7ff8bce8560ba83dfc83982eac00d53

拉取成功!

使用 kubernetes 部署 pod 并且指定 insecure image registry 看是否能拉取成功:

Events:
  Type     Reason                  Age                   From                     Message
  ----     ------                  ----                  ----                     -------
  Warning  Failed                  5m48s (x6 over 7m5s)  kubelet                  Error: ImagePullBackOff
  Normal   Pulling                 5m35s (x4 over 7m6s)  kubelet                  Pulling image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554"
  Warning  Failed                  5m35s (x4 over 7m6s)  kubelet                  Failed to pull image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554": rpc error: code = Unknown desc = pinging container registry default-route-openshift-image-registry.apps.xxx.net: Get "https://default-route-openshift-image-registry.apps.xxx.net/v2/": x509: certificate signed by unknown authority
  Warning  Failed                  5m35s (x4 over 7m6s)  kubelet                  Error: ErrImagePull
  Normal   BackOff                 114s (x22 over 7m5s)  kubelet                  Back-off pulling image "default-route-openshift-image-registry.apps.xxx.net/default/xxx:0.250.3554"

还是报 x509: certificate signed by unknown authority 错误。
猜测 containerd(OpenShift 安装的 containerd 是 oci-o) 在 pull image 时报错,解决方式应该是类似的,在 containerd 的配置文件中添加 insecure registry。这里就不继续实践了。

3. 参考文章

  1. Trouble with insecure_registries
  2. https://docs.docker.com/registry/insecure/
  3. Failed to pull image with "x509: certificate signed by unknown authority" error
  4. Accessing the registry
  5. 向OpenShift内部Image Registry推送Image
posted @ 2022-02-17 21:42  hxia043  阅读(889)  评论(0编辑  收藏  举报