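Introduction
I want to use an s2i-based CentOS 7 image and am exploring various options.
s2i-based CentOS 7 Docker image
The following images published by openshift and centos look good.
In particular, the centos one is the image I was trying to use in my earlier post, "Running nginx + gunicorn + Django 2 on minishift V1.28.0".
I figured that if I could push this to the internal registry, I'd have the real thing.
First, pull into minishift
Enter minishift with minishift ssh and run docker pull.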
[tak@centos76 ~]$ minishift ssh
Last login: Thu Jan 3 05:30:53 2019 from 192.168.42.1
[docker@minishift ~]$ docker pull docker.io/centos/s2i-base-centos7
Using default tag: latest
Trying to pull repository docker.io/centos/s2i-base-centos7 ...
latest: Pulling from docker.io/centos/s2i-base-centos7
aeb7866da422: Already exists
9291e350be08: Already exists
4d3620628f7c: Already exists
94d526a435e9: Already exists
2603cb6c0d49: Already exists
Digest: sha256:8a0cb263e3b4baf914a773b8951cbd5927c06369fa738d7d31574ae66efa238b
Status: Downloaded newer image for docker.io/centos/s2i-base-centos7:latest
[docker@minishift ~]$ docker pull docker.io/openshift/base-centos7
Using default tag: latest
Trying to pull repository docker.io/openshift/base-centos7 ...
latest: Pulling from docker.io/openshift/base-centos7
45a2e645736c: Pull complete
734fb161cf89: Pull complete
78efc9e155c4: Pull complete
8a3400b7e31a: Pull complete
Digest: sha256:aea292a3bddba020cde0ee83e6a45807931eb607c164ec6a3674f67039d8cd7c
Status: Downloaded newer image for docker.io/openshift/base-centos7:latest
Confirm that the Docker images are there
[docker@minishift ~]$ docker images | grep centos7
docker.io/centos/s2i-base-centos7 latest 8e5a167a93a2 4 weeks ago 518 MB
docker.io/openshift/base-centos7 latest 4842f0bd3d61 23 months ago 383 MB
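There they are.
Registering in the internal registry
Pulling alone is not enough, so I push the images to the internal registry to register them.
Run oc login and check the internal registry address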
[tak@centos76 ~]$ eval $(minishift oc-env)
[tak@centos76 ~]$ oc login $(minishift ip):8443 -u developer -p nttmap
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
django2
* django2-nginx
Using project "django2-nginx".
Check the address of the internal registry.
In my environment it appears to be 172.30.1.1:5000.
[tak@centos76 ~]$ oc get all
NAME READY STATUS RESTARTS AGE
pod/django2-nginx-ex-1-build 0/1 Error 0 14h
pod/django2-nginx-ex-1-l6s96 1/1 Running 2 11h
pod/django2-nginx-ex-2-build 0/1 Error 0 13h
pod/django2-nginx-ex-3-build 0/1 Error 0 13h
pod/django2-nginx-ex-4-build 0/1 Error 0 12h
pod/django2-nginx-ex-5-build 0/1 Completed 0 11h
pod/python3.6-nginx-1-build 0/1 Completed 0 15h
NAME DESIRED CURRENT READY AGE
replicationcontroller/django2-nginx-ex-1 1 1 1 11h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/django2-nginx-ex ClusterIP 172.30.61.121 <none> 8000/TCP 14h
NAME REVISION DESIRED CURRENT TRIGGERED BY
deploymentconfig.apps.openshift.io/django2-nginx-ex 1 1 1 config,image(django2-nginx-ex:latest)
NAME TYPE FROM LATEST
buildconfig.build.openshift.io/django2-nginx-ex Source Git@master 5
buildconfig.build.openshift.io/python3.6-nginx Docker Git@master 1
NAME TYPE FROM STATUS STARTED DURATION
build.build.openshift.io/python3.6-nginx-1 Docker Git@c9c3a60 Complete 15 hours ago 11m56s
build.build.openshift.io/django2-nginx-ex-1 Source Git@4b8a6c9 Failed (GenericBuildFailed) 15 hours ago 52m52s
build.build.openshift.io/django2-nginx-ex-2 Source Git@master Failed (GenericBuildFailed) 14 hours ago 27m46s
build.build.openshift.io/django2-nginx-ex-3 Source Git@4b8a6c9 Failed (GenericBuildFailed) 13 hours ago 34m59s
build.build.openshift.io/django2-nginx-ex-4 Source Git@master Failed (GenericBuildFailed) 12 hours ago 26m12s
build.build.openshift.io/django2-nginx-ex-5 Source Git@4b8a6c9 Complete 12 hours ago 4m16s
NAME DOCKER REPO TAGS UPDATED
imagestream.image.openshift.io/django2-nginx-ex 172.30.1.1:5000/django2-nginx/django2-nginx-ex latest 12 hours ago
imagestream.image.openshift.io/python3.6-nginx 172.30.1.1:5000/django2-nginx/python3.6-nginx latest 15 hours ago
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
route.route.openshift.io/django2-nginx-ex django2-nginx-ex-django2-nginx.192.168.42.246.nip.io django2-nginx-ex <all> None
Try pushing without logging in
I'll just push as-is (lol)
Last login: Thu Jan 3 05:39:04 2019 from 192.168.42.1
[docker@minishift ~]$ docker push docker.io/centos/s2i-base-centos7:latest
The push refers to a repository [docker.io/centos/s2i-base-centos7]
b737e1b974e2: Layer already exists
79c4057dbfa8: Layer already exists
6593d9ef5bb7: Layer already exists
5e884d4e3b68: Layer already exists
f972d139738d: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Apparently authentication is required.
Authenticate as developer and try pushing
[docker@minishift ~]$ docker login -u developer -p ***** 172.30.1.1:5000
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password
Huh... OK, with a token then.
[docker@minishift ~]$ exit
logout
[tak@centos76 ~]$ oc whoami
developer
[tak@centos76 ~]$ oc whoami -t
kO6tqeoRtfuqfMHbA****j8MZGOGOG1ioKSg2lHZn0E
[tak@centos76 ~]$ minishift ssh
Last login: Thu Jan 3 06:05:16 2019 from 192.168.42.1
[docker@minishift ~]$ docker login -u developer -p kO6tqeoRtfuqfMHbA****j8MZGOGOG1ioKSg2lHZn0E 172.30.1.1:5000
Login Succeeded
[docker@minishift ~]$ docker push docker.io/centos/s2i-base-centos7
The push refers to a repository [docker.io/centos/s2i-base-centos7]
b737e1b974e2: Layer already exists
79c4057dbfa8: Layer already exists
6593d9ef5bb7: Layer already exists
5e884d4e3b68: Layer already exists
f972d139738d: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
[docker@minishift ~]$ docker push docker.io/openshift/base-centos7
The push refers to a repository [docker.io/openshift/base-centos7]
cb96aea742c3: Layer already exists
f1bbaf33b49c: Layer already exists
4b1e8db0189a: Layer already exists
34e7b85d83e4: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Huh... Then maybe the system user?
Authenticate as system and try pushing
[docker@minishift ~]$ exit
logout
[tak@centos76 ~]$ oc whoami
system
[tak@centos76 ~]$ oc whoami -t
sXP3-hku_E6UgVpdaVER-****uJEZOmLm4KgVZwUtI
[tak@centos76 ~]$ minishift ssh
Last login: Thu Jan 3 06:10:23 2019 from 192.168.42.1
[docker@minishift ~]$ docker login -u system -p sXP3-hku_E6UgVpdaVER-****UuJEZOmLm4KgVZwUtI 172.30.1.1:5000
Login Succeeded
[docker@minishift ~]$ docker push docker.io/centos/s2i-base-centos7
The push refers to a repository [docker.io/centos/s2i-base-centos7]
b737e1b974e2: Layer already exists
79c4057dbfa8: Layer already exists
6593d9ef5bb7: Layer already exists
5e884d4e3b68: Layer already exists
f972d139738d: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
[docker@minishift ~]$ docker push docker.io/openshift/base-centos7
The push refers to a repository [docker.io/openshift/base-centos7]
cb96aea742c3: Layer already exists
f1bbaf33b49c: Layer already exists
4b1e8db0189a: Layer already exists
34e7b85d83e4: Layer already exists
errors:
denied: requested access to the resource is denied
unauthorized: authentication required
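Huh... I can't register it... (^^;;
Summarizing the current situation
- I was able to pull the Docker images into the Docker inside minishift
- I was able to log in to the internal registry inside minishift (as both developer and system)
- I have not been able to push the Docker images to the internal registry inside minishift (as either developer or system)
- Specifying the image with By Name from the Web Console does bring up the Docker image
Hmm... is my approach wrong? ( ;∀;)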
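Added example (not part of the original post): Docker chooses the destination of a push from the image name alone, so a reference beginning with docker.io is sent to Docker Hub no matter which registry docker login was run against. The script applies Docker's registry-host rule to the references used above and prints the tag and push commands that would target the internal registry; using django2-nginx as the target project and the logged-in user having push rights there are assumptions.

```shell
#!/bin/sh
# Added example: resolve which registry an image reference targets.
# Docker's rule: the first path component is a registry host only if it
# contains "." or ":" or equals "localhost"; otherwise Docker Hub is implied.
registry_of() {
    ref=$1
    first=${ref%%/*}
    if [ "$first" = "$ref" ]; then      # no "/" at all, e.g. "centos:7"
        echo "docker.io"
        return
    fi
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *)                 echo "docker.io" ;;
    esac
}

# Build the reference that points at the internal registry instead:
#   <registry>/<project>/<image name>[:tag]
retarget_ref() {
    src=$1; registry=$2; project=$3
    echo "$registry/$project/${src##*/}"
}

# Print (not execute) the tag/push sequence for one image.
plan_push() {
    src=$1; registry=$2; project=$3
    dst=$(retarget_ref "$src" "$registry" "$project")
    echo "# as named, a push of $src goes to: $(registry_of "$src")"
    echo "docker tag $src $dst"
    echo "docker push $dst"
}

# Registry address and image names are from the session above; the project
# is an assumption. The printed commands are meant for use inside
# "minishift ssh" after docker login against 172.30.1.1:5000.
plan_push docker.io/centos/s2i-base-centos7 172.30.1.1:5000 django2-nginx
plan_push docker.io/openshift/base-centos7 172.30.1.1:5000 django2-nginx
```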
Trying the oc import-image command
Attempt as the system user
OK, pulling myself together (lol)
From okd > Developer Guide > Managing Images > Importing tag and image metadata
[tak@centos76 ~]$ oc import-image s2i-base-centos7 --from=docker.io/centos/s2i-base-centos7 --confirm
Error from server (Forbidden): imagestreams.image.openshift.io "s2i-base-centos7" is forbidden: User "system" cannot get imagestreams.image.openshift.io in the namespace "default": no RBAC policy matched
It says I have no permission on the "default" namespace.
Even though I'm system...
As developer, into my own project
Pulling myself together, I run import-image as developer into my own project
[tak@centos76 ~]$ oc login $(minishift ip):8443 -u developer -p ******
Login successful.
You have access to the following projects and can switch between them with 'oc project <projectname>':
django2-nginx
* gitlab-ce
Using project "gitlab-ce".
[tak@centos76 ~]$ oc import-image s2i-base-centos7:latest --from=docker.io/centos/s2i-base-centos7 --confirm
imagestream.image.openshift.io/s2i-base-centos7 imported
Name: s2i-base-centos7
Namespace: gitlab-ce
Created: 1 second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2019-01-03T06:52:42Z
Docker Pull Spec: 172.30.1.1:5000/gitlab-ce/s2i-base-centos7
Image Lookup: local=false
Unique Images: 1
Tags: 1
latest
tagged from docker.io/centos/s2i-base-centos7
* docker.io/centos/s2i-base-centos7@sha256:8a0cb263e3b4baf914a773b8951cbd5927c06369fa738d7d31574ae66efa238b
1 second ago
Image Name: s2i-base-centos7:latest
Docker Image: docker.io/centos/s2i-base-centos7@sha256:8a0cb263e3b4baf914a773b8951cbd5927c06369fa738d7d31574ae66efa238b
Name: sha256:8a0cb263e3b4baf914a773b8951cbd5927c06369fa738d7d31574ae66efa238b
Created: 1 second ago
Annotations: image.openshift.io/dockerLayersOrder=ascending
Image Size: 188MB in 5 layers
Layers: 74.7MB sha256:aeb7866da422acc7e93dcf7323f38d7646f6269af33bcdb6647f2094fc4b3bf7
9.895MB sha256:9291e350be08c93d4e48286db9e72d9c74c7cba5778729d167220c664656d314
4.746kB sha256:4d3620628f7cc3d26ed80469f503f521a9939c2aaac68ec1a1bb4076d92b77e8
190.7kB sha256:94d526a435e926d08aaf39d22731d1d58935203409978a2a7eb170fb76a9d4d8
103.2MB sha256:2603cb6c0d494298779d11c9f9888824a121946162ad28397377d47738b15f5e
Image Created: 4 weeks ago
Author: <none>
Arch: amd64
Entrypoint: container-entrypoint
Command: base-usage
Working Dir: /opt/app-root/src
User: <none>
Exposes Ports: <none>
Docker Labels: com.redhat.component=s2i-base-container
description=The s2i-base image, being built upon s2i-core, provides any images layered on top of it with all the tools needed to use source-to-image functionality. Additionally, s2i-base also contains various libraries needed for it to serve as a base for other builder images, like s2i-python or s2i-ruby.
io.k8s.description=The s2i-base image, being built upon s2i-core, provides any images layered on top of it with all the tools needed to use source-to-image functionality. Additionally, s2i-base also contains various libraries needed for it to serve as a base for other builder images, like s2i-python or s2i-ruby.
io.k8s.display-name=s2i base
io.openshift.builder-version="f517f39"
io.openshift.s2i.scripts-url=image:///usr/libexec/s2i
io.s2i.scripts-url=image:///usr/libexec/s2i
maintainer=SoftwareCollections.org <sclorg@redhat.com>
name=centos/s2i-base-centos7
org.label-schema.build-date=20181006
org.label-schema.license=GPLv2
org.label-schema.name=CentOS Base Image
org.label-schema.schema-version=1.0
org.label-schema.vendor=CentOS
summary=Base image with essential libraries and tools used as a base for builder images like perl, python, ruby, etc.
version=1
Environment: PATH=/opt/app-root/src/bin:/opt/app-root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SUMMARY=Base image with essential libraries and tools used as a base for builder images like perl, python, ruby, etc.
DESCRIPTION=The s2i-base image, being built upon s2i-core, provides any images layered on top of it with all the tools needed to use source-to-image functionality. Additionally, s2i-base also contains various libraries needed for it to serve as a base for other builder images, like s2i-python or s2i-ruby.
STI_SCRIPTS_URL=image:///usr/libexec/s2i
STI_SCRIPTS_PATH=/usr/libexec/s2i
APP_ROOT=/opt/app-root
HOME=/opt/app-root/src
BASH_ENV=/opt/app-root/etc/scl_enable
ENV=/opt/app-root/etc/scl_enable
PROMPT_COMMAND=. /opt/app-root/etc/scl_enable
NODEJS_SCL=rh-nodejs8
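Ooh, the import worked♪
When I logged in to the Web Console and looked at Builds > Images for the project, there it was♪
Now docker.io/centos/s2i-base-centos7 can be used within the project.
What I'd really like is to register it in the registry for all of openshift rather than in each individual project...
Isn't there some way...
Looking at the message again, it says namespace "default"
Where I want to register it is namespace "openshift"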
[tak@centos76 ~]$ oc import-image s2i-base-centos7 --from=docker.io/centos/s2i-base-centos7 --confirm
Error from server (Forbidden): imagestreams.image.openshift.io "s2i-base-centos7" is forbidden: User "system" cannot get imagestreams.image.openshift.io in the namespace "default": no RBAC policy matched
Checking the help...
[tak@centos76 ~]$ oc import-image --help
Import the latest image information from a tag in a Docker registry
Image streams allow you to control which images are rolled out to your builds and applications. This command fetches the
latest version of an image from a remote repository and updates the image stream tag if it does not match the previous
value. Running the command multiple times will not create duplicate entries. When importing an image, only the image
metadata is copied, not the image contents.
If you wish to change the image stream tag or provide more advanced options, see the 'tag' command.
Usage:
oc import-image IMAGESTREAM[:TAG] [flags]
Examples:
oc import-image mystream
Options:
--all=false: If true, import all tags from the provided source on creation or if --from is specified
--allow-missing-template-keys=true: If true, ignore any errors in templates when a field or map key is missing in
the template. Only applies to golang and jsonpath output formats.
--confirm=false: If true, allow the image stream import location to be set or changed
--dry-run=false: Fetch information about images without creating or updating an image stream.
--from='': A Docker image repository to import images from
--insecure=false: If true, allow importing from registries that have invalid HTTPS certificates or are hosted via
HTTP. This flag will take precedence over the insecure annotation.
-o, --output='': Output format. One of:
json|yaml|name|template|go-template|go-template-file|templatefile|jsonpath|jsonpath-file.
--reference-policy='source': Allow to request pullthrough for external image when set to 'local'. Defaults to
'source'.
--scheduled=false: Set each imported Docker image to be periodically imported from a remote repository. Defaults
to false.
--template='': Template string or path to template file to use when -o=go-template, -o=go-template-file. The
template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
Use "oc options" for a list of global command-line options (applies to all commands).
Something like -n openshift looks like it might work.
[tak@centos76 ~]$ oc import-image s2i-base-centos7 --from=docker.io/centos/s2i-base-centos7 -n openshift --confirm
Error from server (Forbidden): imagestreamimports.image.openshift.io is forbidden: User "system" cannot create imagestreamimports.image.openshift.io in the namespace "openshift": no RBAC policy matched
So I just need to get over the RBAC policy wall?
But that wall looks thick... (lol)
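Added example (not part of the original post): each Forbidden message names exactly one denied user, verb, resource and namespace, which is enough to derive a narrowly scoped grant rather than reaching for a broad role. The script parses the two errors shown above and prints the commands for a local role; the role name is hypothetical, and an import may run into further denials for other verbs once this one is resolved.

```shell
#!/bin/sh
# Added example: turn an "oc" Forbidden error into the narrowest grant that
# would satisfy it. The sample lines are the two errors shown in this post.
ERR_GET='Error from server (Forbidden): imagestreams.image.openshift.io "s2i-base-centos7" is forbidden: User "system" cannot get imagestreams.image.openshift.io in the namespace "default": no RBAC policy matched'
ERR_CREATE='Error from server (Forbidden): imagestreamimports.image.openshift.io is forbidden: User "system" cannot create imagestreamimports.image.openshift.io in the namespace "openshift": no RBAC policy matched'

# Print "user verb resource apigroup namespace", or return 1 when the line
# is not an RBAC denial in this format (group-qualified resources only).
parse_forbidden() {
    printf '%s\n' "$1" | sed -n -E \
        's/.*User "([^"]+)" cannot ([a-z]+) ([a-z]+)\.([a-z0-9.]+) in the namespace "([^"]+)".*/\1 \2 \3 \4 \5/p' |
        grep .
}

# Emit (not run) the commands that grant exactly that verb on that resource
# in that namespace through a local role. They have to be run by a user who
# is allowed to administer the namespace.
suggest_grant() {
    fields=$(parse_forbidden "$1") || return 1
    set -- $fields
    user=$1; verb=$2; resource=$3; group=$4; ns=$5
    role="${resource}-${verb}"    # hypothetical role name
    echo "oc create role $role --verb=$verb --resource=$resource.$group -n $ns"
    echo "oc adm policy add-role-to-user $role $user --role-namespace=$ns -n $ns"
}

suggest_grant "$ERR_CREATE"
```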