On my laptop I reused an existing offline mirror registry, redeployed an OCP4 cluster in disconnected mode, and then configured S2I. The pitfalls I ran into are listed below.
Pitfall 1: x509 error when pushing an image to the registry
My builder image was prepared in advance: a tgz saved with podman save -o in another environment.
Import it on the laptop:
[root@repo mybank]# podman load -i jws52-tomcat9.tgz
[root@repo mybank]# podman tag registry.redhat.io/jboss-webserver-5/webserver52-openjdk8-tomcat9-openshift-rhel7:latest repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest
[root@repo mybank]# podman push repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest
At this point the push fails with: x509: certificate signed by unknown authority
That means the CA that signed the registry certificate is not trusted. For the cluster itself the fix is to publish the CA through image.config.openshift.io (note the ConfigMap key: a colon is not allowed, so host:port is written as host..port). podman on the bastion has its own trust store, so the same CA also has to be present there, in /etc/containers/certs.d/repo.ocp4.example.com:5000/ca.crt or the system trust store:
#oc create configmap ca.for.registry -n openshift-config --from-file=repo.ocp4.example.com..5000=/opt/registry/certs/example.com.crt
#oc patch image.config.openshift.io/cluster -p '{"spec":{"additionalTrustedCA":{"name":"ca.for.registry"}}}' --type=merge
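The following helper is an added example, not part of the original post: it reproduces the registry TLS check from the bastion side (the same verification podman and the cluster image import perform), builds the ConfigMap that additionalTrustedCA points at with the host..port key convention, and refuses to publish a file that contains a private key (a common copy-paste mistake with self-signed registry certs). The host names, ports and file paths are placeholders.

```python
"""Added example (not from the original post): check an offline registry's TLS
trust from the bastion and build the additionalTrustedCA ConfigMap.
All host names, ports and paths below are placeholders."""
import json
import socket
import ssl
from typing import Dict, Optional, Tuple


def registry_cm_key(host_port: str) -> str:
    """ConfigMap keys cannot contain ':'. OpenShift expects 'host..port' for a
    registry addressed with a port and the bare host name otherwise."""
    host, sep, port = host_port.rpartition(":")
    if sep and port.isdigit():
        return f"{host}..{port}"
    return host_port


def ca_configmap(name: str, registries: Dict[str, str]) -> dict:
    """Build the ConfigMap in openshift-config that additionalTrustedCA refers to.
    `registries` maps 'host:port' -> PEM CA bundle text."""
    for reg, pem in registries.items():
        # A ConfigMap is readable cluster-wide; never ship the key with the cert.
        if "PRIVATE KEY-----" in pem:
            raise ValueError(f"{reg}: bundle contains a private key, refusing")
        if "-----BEGIN CERTIFICATE-----" not in pem:
            raise ValueError(f"{reg}: value is not a PEM certificate bundle")
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": "openshift-config"},
        "data": {registry_cm_key(r): pem for r, pem in registries.items()},
    }


def verify_registry_tls(host: str, port: int, cafile: Optional[str] = None,
                        timeout: float = 3.0) -> Tuple[bool, str]:
    """Open a TLS connection to the registry trusting only `cafile` (or the
    system store when None) and report whether chain verification succeeds.
    This is the check that fails with 'x509: certificate signed by unknown
    authority' when the CA is missing. Returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return True, f"verified, subject={subject}"
    except ssl.SSLCertVerificationError as e:
        return False, f"x509 verification failed: {e.verify_message}"
    except OSError as e:  # refused, timeout, DNS failure
        return False, f"connection failed: {e}"


if __name__ == "__main__":
    # Placeholder registry and CA path; adjust to the real environment.
    registry, ca_path = "repo.ocp4.example.com:5000", "/opt/registry/certs/example.com.crt"
    host, port = registry.rsplit(":", 1)
    print(verify_registry_tls(host, int(port), ca_path))
    with open(ca_path) as f:
        cm = ca_configmap("ca.for.registry", {registry: f.read()})
    # Pipe this into `oc apply -f -` instead of `oc create configmap`.
    print(json.dumps(cm, indent=2))
```

Running verify_registry_tls first, with the CA file you are about to publish, tells you whether the error is really a missing CA or something else (wrong SAN, expired cert) before you touch cluster-wide configuration.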
Pitfall 2: error creating an imagestream from the image
[root@repo mybank]# oc import-image repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest --confirm -n openshift
error: Import failed (Unauthorized): you may not have access to the container image "repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7:latest"
Fix: add a pull secret for the registry in the openshift project:
Once it was added the import went through immediately (the internal OCP image registry has to be set up before importing).
After a successful import:
[root@repo mybank]# oc get is |grep -i tomcat9
webserver52-openjdk8-tomcat9-openshift-rhel7 default-route-openshift-image-registry.apps.ocp4.example.com/mybank/webserver52-openjdk8-tomcat9-openshift-rhel7 latest 35 seconds ago
[root@repo mybank]# oc get istag |grep -i tomcat9
webserver52-openjdk8-tomcat9-openshift-rhel7:latest repo.ocp4.example.com:5000/webserver52-openjdk8-tomcat9-openshift-rhel7@sha256:0521fa33fa1a8833e3dc673a2630b03075e4c0d86130b7b2c7d4d1bf5d54552d 43 seconds ago
Pitfall 3: errors during build
S2I has a build phase and a deploy phase. To show the problem I first create a BuildConfig that pulls the source from a locally deployed gogs:
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: example
  namespace: mybank
spec:
  source:
    git:
      ref: master
      uri: 'http://192.168.137.130:10080/root/david1.git'
    type: Git
  strategy:
    type: Source
    sourceStrategy:
      from:
        kind: ImageStreamTag
        name: 'webserver52-openjdk8-tomcat9-openshift-rhel7:latest'
        namespace: mybank
      env: []
  triggers:
    - type: ImageChange
      imageChange: {}
    - type: ConfigChange
The build log shows the following error:
Fix: in this namespace, link the registry pull secret (here named david) to all of the following service accounts. All three are needed; linking only default does not work. Note that oc secrets link defaults to --for=mount; pods that pull at deploy time use the service account's imagePullSecrets, which --for=pull populates.
[root@repo mybank-demo-maven]# oc secrets link builder david
[root@repo mybank-demo-maven]# oc secrets link deployer david
[root@repo mybank-demo-maven]# oc secrets link default david
The image pull no longer fails:
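As an added example (not from the original post), here is a check for the "linked only to default" mistake described above: it reads the output of `oc get sa -n <namespace> -o json`, reports which of builder, deployer and default lack the pull secret as a mount link (secrets[]) or a pull link (imagePullSecrets[]), and prints the oc secrets link commands still needed. The service account JSON below is constructed sample data; the secret name david and namespace mybank are taken from the post.

```python
"""Added example (not from the original post): verify that the registry pull
secret is linked to every service account S2I uses, from `oc get sa -o json`.
SAMPLE_SA_LIST is constructed data, not real cluster output."""
import json
from typing import Dict, List

BUILD_SAS = ("builder", "deployer", "default")


def missing_links(sa_list: dict, secret: str, sas=BUILD_SAS) -> Dict[str, List[str]]:
    """Return {sa_name: [missing link kinds]} where the kinds are
    'mount' (secrets[]) and 'pull' (imagePullSecrets[]).
    A service account that does not exist at all is reported as 'absent'."""
    by_name = {i["metadata"]["name"]: i for i in sa_list.get("items", [])}
    result: Dict[str, List[str]] = {}
    for name in sas:
        sa = by_name.get(name)
        if sa is None:
            result[name] = ["absent"]
            continue
        has_mount = any(s.get("name") == secret for s in sa.get("secrets", []))
        has_pull = any(s.get("name") == secret for s in sa.get("imagePullSecrets", []))
        missing = [k for k, ok in (("mount", has_mount), ("pull", has_pull)) if not ok]
        if missing:
            result[name] = missing
    return result


def link_commands(missing: Dict[str, List[str]], secret: str, namespace: str) -> List[str]:
    """Translate the report into the oc commands that fix it."""
    cmds = []
    for sa, kinds in missing.items():
        if "absent" in kinds:
            cmds.append(f"# service account {sa} does not exist in {namespace}")
            continue
        if "mount" in kinds:
            cmds.append(f"oc secrets link {sa} {secret} -n {namespace}")
        if "pull" in kinds:
            cmds.append(f"oc secrets link {sa} {secret} --for=pull -n {namespace}")
    return cmds


# Constructed sample: builder has a mount link only, default a pull link only,
# deployer has nothing linked.
SAMPLE_SA_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "builder", "namespace": "mybank"},
         "secrets": [{"name": "builder-token-abcde"}, {"name": "david"}],
         "imagePullSecrets": [{"name": "builder-dockercfg-abcde"}]},
        {"metadata": {"name": "deployer", "namespace": "mybank"},
         "secrets": [{"name": "deployer-token-fghij"}],
         "imagePullSecrets": [{"name": "deployer-dockercfg-fghij"}]},
        {"metadata": {"name": "default", "namespace": "mybank"},
         "secrets": [{"name": "default-token-klmno"}],
         "imagePullSecrets": [{"name": "default-dockercfg-klmno"}, {"name": "david"}]},
    ],
}


if __name__ == "__main__":
    # Real use: oc get sa -n mybank -o json | python3 this_script.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SA_LIST
    report = missing_links(data, "david")
    print(json.dumps(report, indent=2))
    print("\n".join(link_commands(report, "david", "mybank")))
```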

Pitfall 4: tls: internal error when reading the build log
[root@repo ~]# oc logs -f example-5-build
Error from server: Get https://192.168.137.133:10250/containerLogs/mybank/example-5-build/sti-build?follow=true: remote error: tls: internal error
Port 10250 is the kubelet API; oc logs is proxied through it by the API server to read container logs.
I logged in to the corresponding worker node and looked at its journal:
[root@worker01 ~]# journalctl -f
Aug 19 16:13:43 worker01.ocp4.example.com hyperkube[1630]: I0819 16:13:43.710278 1630 log.go:172] http: TLS handshake error from 10.254.1.4:42210: no serving certificate available for the kubelet
The kubelet has no serving certificate, so I suspected pending CSRs, and there they were:
Approving them in bulk fixed it. Be aware that this approves every pending CSR in the cluster, whatever signed or requested it; outside a lab, check the signerName and the requesting node before approving:
# oc get csr -ojson | jq -r '.items[] | select(.status == {} ) | .metadata.name' | xargs oc adm certificate approve
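The jq one-liner above is fine for a lab, but a cluster that auto-issues certificates to anything that asks is not something to do in production. As an added example that is not from the original post, the script below takes the same `oc get csr -o json` output and approves only pending kubelet serving CSRs (signer kubernetes.io/kubelet-serving, the signer behind the "no serving certificate available for the kubelet" error) whose requesting node is on an allowlist and whose usages do not also ask for client auth. Node-bootstrap client CSRs are held for manual review unless explicitly allowed, because their node name is only inside the PEM request. The CSR list is constructed sample data and the node names are placeholders.

```python
"""Added example (not from the original post): selective CSR approval for the
kubelet serving certificates behind the 'no serving certificate available'
error. SAMPLE_CSR_LIST is constructed; node names are placeholders."""
import json
from typing import List, Set, Tuple

KUBELET_SERVING = "kubernetes.io/kubelet-serving"
NODE_BOOTSTRAP_CLIENT = "kubernetes.io/kube-apiserver-client-kubelet"
NODE_PREFIX = "system:node:"


def is_pending(csr: dict) -> bool:
    """Pending CSRs have no conditions; this is what `select(.status == {})` matches."""
    return not csr.get("status", {}).get("conditions")


def select_csrs(csr_list: dict, known_nodes: Set[str],
                allow_bootstrap_client: bool = False) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (names_to_approve, [(name, reason) held for manual review])."""
    approve: List[str] = []
    held: List[Tuple[str, str]] = []
    for csr in csr_list.get("items", []):
        name = csr["metadata"]["name"]
        if not is_pending(csr):
            continue
        spec = csr.get("spec", {})
        signer = spec.get("signerName")
        user = spec.get("username", "")
        usages = set(spec.get("usages", []))
        if signer == KUBELET_SERVING:
            # The requester must be the node's own identity and the node must be ours.
            if not user.startswith(NODE_PREFIX):
                held.append((name, f"serving CSR not requested by a node identity: {user}"))
            elif user[len(NODE_PREFIX):] not in known_nodes:
                held.append((name, f"unknown node {user[len(NODE_PREFIX):]}"))
            elif "client auth" in usages or "server auth" not in usages:
                held.append((name, f"unexpected usages for a serving cert: {sorted(usages)}"))
            else:
                approve.append(name)
        elif signer == NODE_BOOTSTRAP_CLIENT:
            if allow_bootstrap_client:
                approve.append(name)
            else:
                held.append((name, "node bootstrap client CSR; node name is only in the PEM, review manually"))
        else:
            held.append((name, f"unexpected signer {signer}"))
    return approve, held


def approve_commands(names: List[str]) -> List[str]:
    return [f"oc adm certificate approve {n}" for n in names]


# Constructed sample: one good serving CSR, one from an unknown node,
# one already approved, one bootstrap client CSR.
def _csr(name, signer, user, usages, approved=False):
    status = {"conditions": [{"type": "Approved", "status": "True"}]} if approved else {}
    return {"metadata": {"name": name},
            "spec": {"signerName": signer, "username": user, "usages": usages},
            "status": status}


SERVING_USAGES = ["digital signature", "key encipherment", "server auth"]
SAMPLE_CSR_LIST = {"items": [
    _csr("csr-aaaaa", KUBELET_SERVING, "system:node:worker01.ocp4.example.com", SERVING_USAGES),
    _csr("csr-bbbbb", KUBELET_SERVING, "system:node:rogue.example.com", SERVING_USAGES),
    _csr("csr-ccccc", KUBELET_SERVING, "system:node:worker02.ocp4.example.com", SERVING_USAGES, approved=True),
    _csr("csr-ddddd", NODE_BOOTSTRAP_CLIENT,
         "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper",
         ["digital signature", "key encipherment", "client auth"]),
]}


if __name__ == "__main__":
    # Real use: oc get csr -o json | python3 this_script.py
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_CSR_LIST
    nodes = {"worker01.ocp4.example.com", "worker02.ocp4.example.com"}
    ok, review = select_csrs(data, nodes)
    print("\n".join(approve_commands(ok)))
    for n, why in review:
        print(f"# held {n}: {why}")
```

The allowlist can be filled from `oc get nodes -o name` or from the machine inventory used for the disconnected install; the point is that the decision is made from data you control rather than from whatever is sitting in the CSR queue.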
Pitfall 5: Maven errors during S2I
Next, start the S2I build:
# oc new-app webserver52-openjdk8-tomcat9-openshift-rhel7:latest~http://192.168.137.130:10080/root/david1
The build log shows this error:
[root@repo materials]# oc logs -f example-3-build
[WARNING] The requested profile "openshift" could not be activated because it does not exist.
[ERROR] Plugin org.apache.maven.plugins:maven-resources-plugin:2.6 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.apache.maven.plugins:maven-resources-plugin:jar:2.6: Could not transfer artifact org.apache.maven.plugins:maven-resources-plugin:pom:2.6 from/to central (https://repo1.maven.org/maven2): repo1.maven.org: Name or service not known: Unknown host repo1.maven.org: Name or service not known -> [Help 1]
The build pod cannot resolve repo1.maven.org, so the build fails. In an offline environment you either stand up your own Maven repository or open access to the external one.
I logged in to another pod and nslookup did work, just slowly. So I added repo1.maven.org to the DNS server by hand, which fixed it (this pins a CDN address that can change, and the build pod still needs a network path to it, so treat it as a lab workaround rather than a disconnected setup):
#vi /etc/dnsmasq.conf
address=/repo1.maven.org/151.101.196.209
#systemctl restart dnsmasq.service
Start the build again and the error is gone:
Deployment succeeded:
Enterprise customers usually have an internal Maven repository (builds are much faster through it); it only needs to be set in the BuildConfig:
env:
  - name: MAVEN_MIRROR_URL
    value: https://maven.xxxx.com