On my laptop, using an existing offline mirror registry, I redeployed an OCP4 cluster in disconnected mode and then configured S2I. The pitfalls I hit were as follows:
Pitfall 1: x509 error when pushing the image to the registry
My builder image had been prepared in advance: a tgz saved in another environment with podman save -o.
Import it in the laptop environment:
[root@repo mybank]# podman load -i jws52-tomcat9.tgz
[root@repo mybank]# podman tag registry.redhat.io/jboss-webserver-5/webserver52-openjdk8-tomcat9-openshift-rhel7:latest repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest
[root@repo mybank]# podman push repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest
At this point it fails with x509: certificate signed by unknown authority error
In other words, OCP does not trust this registry's certificate. Fix:
#oc create configmap ca.for.registry -n openshift-config --from-file=repo.ocp4.example.com..5000=/opt/registry/certs/example.com.crt
#oc patch image.config.openshift.io/cluster -p '{"spec":{"additionalTrustedCA":{"name":"ca.for.registry"}}}' --type=merge
Pitfall 2: error creating an imagestream from the image
[root@repo mybank]# oc import-image repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest --confirm -n openshift
error: Import failed (Unauthorized): you may not have access to the container image "repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest"
Fix: add the registry's pull secret in the openshift project:
Once it is added, the import succeeds immediately (the internal OCP registry must be configured before importing).
After a successful import:
[root@repo mybank]# oc get is |grep -i tomcat9
webserver52-openjdk8-tomcat9-openshift-rhel7 default-route-openshift-image-registry.apps.ocp4.example.com/mybank/webserver52-openjdk8-tomcat9-openshift-rhel7 latest 35 seconds ago
[root@repo mybank]# oc get istag |grep -i tomcat9
webserver52-openjdk8-tomcat9-openshift-rhel7:latest repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7@sha256:0521fa33fa1a8833e3dc673a2630b03075e4c0d86130b7b2c7d4d1bf5d54552d 43 seconds ago
Pitfall 3: error during build
S2I consists of two parts, build and deploy. To illustrate the problem I first create a bc that pulls the source from the locally deployed gogs.
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: example
  namespace: mybank
spec:
  source:
    git:
      ref: master
      uri: 'http://192.168.137.130:10080/root/david1.git'
    type: Git
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: 'webserver52-openjdk8-tomcat9-openshift-rhel7:latest'
        namespace: mybank
      env: []
  triggers:
    - type: ImageChange
      imageChange: {}
    - type: ConfigChange
Checking the build log, the error was as follows:
Fix: in this namespace, grant the registry's pull secret to the following service accounts (all of them are required; granting it to default alone does not work!!!)
[root@repo mybank-demo-maven]# oc secrets link builder david
[root@repo mybank-demo-maven]# oc secrets link deployer david
[root@repo mybank-demo-maven]# oc secrets link default david
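The steps from pitfalls 1 to 3 fit together as one small script: derive the configmap key OCP expects for the registry CA (a port is written with `..` instead of `:`, which is why the key above reads repo.ocp4.example.com..5000), generate the .dockerconfigjson body for the pull secret, and emit the three `oc secrets link` commands for review. This is an added example and not code from the original post; the registry host, namespace mybank, secret name david and the credentials are constructed sample values, and the oc commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original post): prepare what OCP needs to
# trust and authenticate against a private registry, then grant the pull
# secret to the service accounts a build and a deployment run under.
# Registry host, namespace, secret name and credentials are constructed.

# additionalTrustedCA configmap keys use ".." in place of the ":" before
# a port, so repo.ocp4.example.com:5000 becomes repo.ocp4.example.com..5000
registry_ca_key() {
    printf '%s\n' "$1" | sed 's/:/../'
}

# Body of a kubernetes.io/dockerconfigjson secret: "auth" is
# base64("user:password"), keyed by the registry host:port.
make_dockerconfigjson() {
    registry=$1 user=$2 password=$3
    auth=$(printf '%s' "$user:$password" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth"
}

# The three link commands from the post, one per line, so they can be
# reviewed before being run: builder pulls the S2I builder image, deployer
# runs the rollout, default runs the application pod. Add --for=pull when
# the secret should only be used for image pulls, not mounted into pods.
pull_secret_link_cmds() {
    ns=$1 secret=$2
    for sa in builder deployer default; do
        printf 'oc secrets link %s %s -n %s\n' "$sa" "$secret" "$ns"
    done
}

# Dry run: print the full sequence instead of touching the cluster.
REGISTRY=repo.ocp4.example.com:5000
printf 'oc create configmap ca.for.registry -n openshift-config --from-file=%s=/opt/registry/certs/example.com.crt\n' \
    "$(registry_ca_key "$REGISTRY")"
echo "oc patch image.config.openshift.io/cluster -p '{\"spec\":{\"additionalTrustedCA\":{\"name\":\"ca.for.registry\"}}}' --type=merge"
echo "# pull-secret.json would contain: $(make_dockerconfigjson "$REGISTRY" david s3cret)"
echo "oc create secret generic david --from-file=.dockerconfigjson=pull-secret.json --type=kubernetes.io/dockerconfigjson -n mybank"
pull_secret_link_cmds mybank david
```

Redirect `make_dockerconfigjson` into a file and pass that file to `oc create secret generic ... --type=kubernetes.io/dockerconfigjson`, then run the printed link commands in the build namespace; keeping the credential in one generated file avoids echoing it on a shared terminal.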
Pulling the image no longer fails:

But a new error appears:
[root@repo ~]# oc logs -f example-5-build
Error from server: Get https://192.168.137.133:10250/containerLogs/mybank/example-5-build/sti-build?follow=true: remote error: tls: internal error
According to the documentation, 10250 is the kubelet's port on the node:
I logged in to the corresponding worker node and checked its logs:
[root@worker01 ~]# journalctl -f
Aug 19 16:13:43 worker01.ocp4.example.com hyperkube[1630]: I0819 16:13:43.710278 1630 log.go:172] http: TLS handshake error from 10.254.1.4:42210: no serving certificate available for the kubelet
I suspected there were pending CSRs, and indeed there were:
Approving them in bulk fixed it:
# oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve
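The jq filter above selects CSRs whose status is still empty. The same selection can be done on the plain `oc get csr` output, and it is worth narrowing it to the CSRs a kubelet actually raises (requestor system:node:<host> for serving certificates, or the node-bootstrapper service account for client certificates) before bulk-approving. This is an added example and not part of the original post; the `oc get csr` output below is a constructed sample, and the approve function is only run when you call it against a real cluster.

```shell
#!/bin/sh
# Added example (not from the original post): pick out pending CSRs from
# `oc get csr` text output. Equivalent to the post's jq filter
# (select(.status == {})), plus a variant that keeps only node CSRs so a
# bulk approve does not sign something unexpected.

# Constructed sample of `oc get csr` output. CONDITION is the last column,
# so the filters key on $NF rather than on a fixed column position.
SAMPLE_CSR_OUTPUT='NAME        AGE   REQUESTOR                                                                   CONDITION
csr-2s94x   8m    system:node:worker01.ocp4.example.com                                       Pending
csr-4bd6t   8m    system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-9wfv2   7m    system:node:worker02.ocp4.example.com                                       Pending
csr-m7k2p   2m    system:admin                                                                Pending'

# Names of all pending CSRs, one per line (input on stdin).
pending_csrs() {
    awk '$NF == "Pending" { print $1 }'
}

# Pending CSRs whose requestor is a node or the node bootstrapper.
pending_node_csrs() {
    awk '$NF == "Pending" && /(system:node:|node-bootstrapper)/ { print $1 }'
}

# Approve only the pending node CSRs; says so and returns when none exist.
approve_pending_node_csrs() {
    names=$(oc get csr | pending_node_csrs)
    [ -n "$names" ] || { echo "no pending node CSRs"; return 0; }
    # shellcheck disable=SC2086  # word splitting is intended here
    oc adm certificate approve $names
}

# Dry run over the constructed sample: prints the names that would be
# approved (csr-2s94x and csr-9wfv2; csr-m7k2p is pending but not a node).
printf '%s\n' "$SAMPLE_CSR_OUTPUT" | pending_node_csrs
```

Running `oc get csr | pending_csrs` first shows everything waiting, and any pending request that is not from a node is something to look at rather than approve; `approve_pending_node_csrs` is the one call that changes the cluster.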
Pitfall 5: maven error during S2I.
Next, kick off S2I:
# oc new-app webserver52-openjdk8-tomcat9-openshift-rhel7:latest~http://192.168.137.130:10080/root/david1
Checking the build log shows the following error:
[root@repo materials]# oc logs -f example-3-build
[WARNING] The requested profile "openshift" could not be activated because it does not exist.
[ERROR] Plugin org.apache.maven.plugins:maven-resources-plugin:2.6 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:2.6: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:2.6 from/to central (https://repo1.maven.org/maven2): repo1.maven.org: Name or service not known: Unknown host repo1.maven.org: Name or service not known -> [Help 1]
The build pod cannot resolve repo1.maven.org, which causes the error (when offline, you either set up your own maven repo by hand or open a path to the external repo).
I tried logging in to other pods; nslookup succeeds there, just a bit slowly. So I added repo1.maven.org to the DNS server by hand, which fixed it:
#vi /etc/dnsmasq.conf
address=/repo1.maven.org/151.101.196.209
#systemctl restart dnsmasq.service
Re-run the build and the error is gone:
Deployment succeeds:
Inside an enterprise customer there is usually an internal maven repo (which makes builds much faster); its address just needs to be set in the bc:
      env:
        - name: MAVEN_MIRROR_URL
          value: https://maven.xxxx.com