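After installation, OpenShift 4 uses registry.access.redhat.com and docker.io as its container image sources by default. We can modify the configuration to add other image sources to OpenShift 4, for example Insecure Registry and Blocked Registry sources.
First, look at the default Image Registry configuration, which includes the internal and external access addresses of the Registry.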
$ oc get images.config.openshift.io -n openshift-config
NAME AGE
cluster 22d
$ oc get images.config.openshift.io cluster -o yaml -n openshift-config
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-11-22T15:53:20Z"
  generation: 1
  name: cluster
  resourceVersion: "20150"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: 35059e15-0d40-11ea-912d-525400ae0293
spec: {}
status:
  externalRegistryHostnames:
  - default-route-openshift-image-registry.apps-crc.testing
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
Run the following command to modify the images.config.openshift.io configuration:
$ oc edit images.config.openshift.io cluster
In place of the spec: {} shown above, we can add custom blockedRegistries and insecureRegistries settings.
spec:
  registrySources:
    blockedRegistries:
    - docker.io
    insecureRegistries:
    - bastion.mycloud.com:5000
    - 198.18.100.1:5000
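After the change is saved, OpenShift automatically updates the configuration file /etc/containers/registries.conf on all master and node machines. Log in to a node as described in "OpenShift 4: Entering a cluster node to run sosreport and collect troubleshooting information" and view the Registry configuration file.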
[core@worker-0 ~]$ sudo cat /etc/containers/registries.conf
[registries]
[registries.search]
registries = ["registry.access.redhat.com", "docker.io"]
[registries.insecure]
registries = ["bastion.mycloud.com:5000", "198.18.100.1:5000"]
[registries.block]
registries = ["docker.io"]
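To confirm that a node file really matches what was set in spec.registrySources, the two can be compared programmatically. The following Python sketch is an added example, not part of the original post; it handles only the v1 registries.conf layout shown above, and the function names and embedded sample data are constructed for illustration.

```python
import json
import re

# Constructed sample: a node file in the v1 layout shown above.
NODE_CONF = """\
[registries]
[registries.search]
registries = ["registry.access.redhat.com", "docker.io"]
[registries.insecure]
registries = ["bastion.mycloud.com:5000", "198.18.100.1:5000"]
[registries.block]
registries = ["docker.io"]
"""
# Constructed sample: spec.registrySources of the cluster Image config.
SPEC = {"blockedRegistries": ["docker.io"],
        "insecureRegistries": ["bastion.mycloud.com:5000", "198.18.100.1:5000"]}

def parse_registries_conf(text):
    """Parse the v1 layout into {"search": [...], "insecure": [...], "block": [...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"\[registries\.(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line.startswith("registries"):
            # A TOML array of plain strings is also valid JSON.
            sections[current] = json.loads(line.split("=", 1)[1])
    return sections

def audit(spec, conf_text):
    """Report drift between the spec and the node file, plus entries worth reviewing."""
    conf = parse_registries_conf(conf_text)
    findings = []
    pairs = (("blockedRegistries", "block"), ("insecureRegistries", "insecure"))
    for key, section in pairs:
        want, have = set(spec.get(key, [])), set(conf.get(section, []))
        findings += [f"DRIFT: {h} is in spec.{key} but not in [registries.{section}]"
                     for h in sorted(want - have)]
        findings += [f"DRIFT: {h} is in [registries.{section}] but not in spec.{key}"
                     for h in sorted(have - want)]
    blocked = set(conf.get("block", []))
    findings += [f"NOTE: {h} is in the search list but blocked"
                 for h in conf.get("search", []) if h in blocked]
    findings += [f"REVIEW: {h} allows plain HTTP or unverified TLS"
                 for h in conf.get("insecure", [])]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SPEC, NODE_CONF)))
```

In practice the spec dictionary would come from the cluster Image config and the file text from each node; every insecure entry is reported so that it is reviewed rather than forgotten.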
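Finally, we can verify the setting: run the following commands, which build with an image from docker.io, and the error message then appears in the build log: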
$ oc new-app --name sleep https://github.com/liuxiaoyu-git/openshift-dockerfile-example.git
$ oc logs bc/sleep
...
Pulling image bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9 ...
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
error: build error: failed to pull image: After retrying 2 times, Pull image still failed due to error: while pulling "docker://bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9" as "bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9": pullaccess to registry for "docker://bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9" is blocked by configuration