
Container Basics (4) - skopeo

"OpenShift 4.x HOL Tutorial Collection"

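Contents

  • Working with a standalone Docker Registry
    • Inspecting image information on a registry
    • Copying an image between two registries
  • Working with the OpenShift built-in registry
    • Allowing external access to the OpenShift built-in registry
    • Using skopeo with the OpenShift built-in registry
      • Inspecting image information in the OpenShift internal registry
      • Copying an image to the OpenShift built-in registry
  • References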

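Note: this article uses a local container registry, so before starting this chapter it is recommended that you first complete "Container Basics (1) - Installing and Using Docker Registry".

Skopeo is a tool for working with images on a registry. Its main functions are inspecting image information on a registry, copying images between registries or between a registry and local storage, and deleting images from a registry.

Working with a standalone Docker Registry

Inspecting image information on a registry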

$ skopeo inspect docker://${REGISTRY_DOMAIN}:5000/busybox:latest
{
    "Name": "registry.domain.com:5000/busybox",
    "Digest": "sha256:a6b9238ceed3894db3327cfe00672971b799ed6ade8dce3637c6dce007863fec",
    "RepoTags": [
        "latest"
    ],
    "Created": "2020-06-29T20:21:41.42102751Z",
    "DockerVersion": "18.09.7",
    "Labels": null,
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:74f990a74a8f68958f7ad85ecb9cd091670a0cc4b8560f7ac0712d057052cf84"
    ],
    "Env": [
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ]
}
 
$ skopeo inspect docker://quay.io/buildah/stable
{
    "Name": "quay.io/buildah/stable",
    "Digest": "sha256:a742091c1297f02d4130d74c2828e7a494cde37f756d5c1244cf7afe1c0994f3",
    "RepoTags": [
        "v1.9.0",
        "v1.9.1",
        "v1.9.2",
        "v1.10.1",
        "v1.11.2",
        "v1.11.1",
        "v1.11.0",
        "v1.11.3",
        "v1.11.4",
        "v1.11.6",
        "v1.12.0",
        "auto",
        "v1.14.0",
        "v1.14.3",
        "v1.14.8",
        "master",
        "latest"
    ],
    "Created": "2020-07-02T14:26:28.466661245Z",
    "DockerVersion": "18.02.0-ce",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
        "version": "32"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:03c837e31708e15035b6c6f9a7a4b78b64f6bc10e6daec01684c077655becf95",
        "sha256:a5b63bb008e83e62d4cedf329c2a790a325ff6482c8b0547ddccdf17487f50c6",
        "sha256:369a1989bb0cf5707b1a856680573c8778b96dcb3e4d21bbfb2995af6b485e1e",
        "sha256:1b9ca1b83456cc585de4bacf62e9199357d0437efa5d01671543653a701ccd88",
        "sha256:756a6ab6d2f5b8b08e5dee6d585c165de8ba3b1084ac329929da8ad44b590988"
    ],
    "Env": [
        "DISTTAG=f32container",
        "FGC=f32",
        "container=oci",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "BUILDAH_ISOLATION=chroot"
    ]
}
           

Copying an image between two registries

$ skopeo copy docker://quay.io/buildah/stable docker://${REGISTRY_DOMAIN}:5000/buildah
Getting image source signatures
Copying blob 369a1989bb0c done
Copying blob a5b63bb008e8 done
Copying blob 756a6ab6d2f5 done
Copying blob 03c837e31708 done
Copying blob 1b9ca1b83456 done
Copying config 5ab6da8e5b done
Writing manifest to image destination
Storing signatures

$ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
{"repositories":["buildah","busybox"]}
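
The inspect and copy commands above address images by tag, and a tag can be re-pointed between the two steps. The following added example (not part of the original article; the function names are hypothetical) reads the Digest field from `skopeo inspect` output, copies exactly that digest, and checks that the destination reports the same digest.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): copy by digest, then verify.
# Function names are hypothetical; assumes `skopeo inspect` prints
# pretty-printed JSON, one field per line, as in the listings above.

# Read `skopeo inspect` JSON on stdin and print its "Digest" value.
# Fails unless exactly one well-formed sha256 digest is present.
extract_digest() {
    local d
    d=$(sed -n 's/^[[:space:]]*"Digest":[[:space:]]*"\(sha256:[0-9a-f]\{64\}\)",\{0,1\}[[:space:]]*$/\1/p')
    [ "$(printf '%s\n' "$d" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$d"
}

# Rewrite docker://host[:port]/repo[:tag] as docker://host[:port]/repo@<digest>.
pin_ref() {
    local rest="${1#docker://}" digest="$2"
    rest=${rest%@*}                      # drop an existing @digest, if any
    case ${rest##*/} in                  # a ':' after the last '/' is a tag,
        *:*) rest=${rest%:*} ;;          # not the registry port
    esac
    printf 'docker://%s@%s\n' "$rest" "$digest"
}

# Inspect the source, copy exactly that digest, and compare what the
# destination reports. --all keeps a multi-arch manifest list intact;
# --preserve-digests (recent skopeo releases) aborts if the manifest
# would have to be rewritten. Registry credentials are omitted here.
copy_pinned() {
    local src="$1" dst="$2" want got
    want=$(skopeo inspect "$src" | extract_digest) || return 1
    skopeo copy --all --preserve-digests "$(pin_ref "$src" "$want")" "$dst" || return 1
    got=$(skopeo inspect "$dst" | extract_digest) || return 1
    [ "$got" = "$want" ] || { echo "digest mismatch: $got" >&2; return 1; }
    echo "copied $want"
}

# Constructed sample: shortened from the buildah/stable listing above.
SAMPLE='{
    "Name": "quay.io/buildah/stable",
    "Digest": "sha256:a742091c1297f02d4130d74c2828e7a494cde37f756d5c1244cf7afe1c0994f3",
    "RepoTags": [ "latest" ]
}'

# Offline demo on the sample above (no registry needed).
pin_ref docker://quay.io/buildah/stable "$(printf '%s\n' "$SAMPLE" | extract_digest)"
```

Against the registries used above, the call would be `copy_pinned docker://quay.io/buildah/stable docker://${REGISTRY_DOMAIN}:5000/buildah`, with the credential options the destination registry requires added to the skopeo commands.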
           

Working with the OpenShift built-in registry

Allowing external access to the OpenShift built-in registry

Allow access to the internal image registry through OpenShift's default route.

$ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
$ REGISTRY_DOMAIN=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
           

Using skopeo with the OpenShift built-in registry

Inspecting image information in the OpenShift internal registry

  1. Create a service account named skopeo in the default project and obtain its token.
$ oc create serviceaccount skopeo -n default
$ TOKEN=$(oc get secrets -n default -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="skopeo")]}{.metadata.annotations.openshift\.io/token-secret\.value}{end}')
           
  2. Inspect the openshift/nodejs image built into OpenShift.
$ skopeo inspect --creds="skopeo:${TOKEN}" --tls-verify=false docker://${REGISTRY_DOMAIN}/openshift/nodejs
{
    "Name": "default-route-openshift-image-registry.apps.cluster-beijing-959a.beijing-959a.example.opentlc.com/openshift/nodejs",
    "Digest": "sha256:aefd611dcbd4a3fce3ebc5e021092ed793a341d4940be63b51a8a94ce2670dd9",
    "RepoTags": [
        "12",
        "latest",
        "10"
    ],
    "Created": "2020-07-13T11:13:38.827037Z",
    "DockerVersion": "1.13.1",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2020-07-13T11:11:59.320502",
        "com.redhat.build-host": "cpt-1004.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "rh-nodejs12-container",
        "com.redhat.deployments-dir": "/opt/app-root/src",
        "com.redhat.dev-mode": "DEV_MODE:false",
        "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
...
           

Copying an image to the OpenShift built-in registry

  1. Method 1: operate as an administrator user
$ skopeo copy --dest-creds=$(oc whoami):$(oc whoami -t) --dest-tls-verify=false docker://docker.io/openshift/hello-openshift docker://$REGISTRY_DOMAIN/my-images/hello-openshift
Getting image source signatures
Copying blob 8b32988996c5 skipped: already exists
Copying blob 4f4fb700ef54 skipped: already exists
Copying config 7af3297a3f done
Writing manifest to image destination
Storing signatures
           

  2. Method 2: operate with a ServiceAccount (this currently has a problem and did not succeed)

$ oc new-project my-images
$ oc create serviceaccount skopeo
$ TOKEN=$(oc get secrets -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="skopeo")]}{.metadata.annotations.openshift\.io/token-secret\.value}{end}')
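# The skopeo service account above was created in project my-images, i.e. system:serviceaccount:my-images:skopeo;
# the subject in the next command names namespace "admin" instead.
$ oc adm policy add-role-to-user system:image-builder -n my-images system:serviceaccount:admin:skopeo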
$ skopeo copy --dest-creds=skopeo:$TOKEN --dest-tls-verify=false docker://docker.io/openshift/hello-openshift docker://$REGISTRY_DOMAIN/my-images/hello-openshift
           

References

1. https://github.com/nmasse-itix/OpenShift-Examples/blob/master/Using-Skopeo/README.md