Building an offline image mirror for OpenShift 4.3.8

Author: ragpo | Published 2020-04-24 14:51

    Choosing a version

    Installing OpenShift 4 needs a number of files, listed below. The RHCOS artifacts, the client, the installer and the release image mirrored later should all be the same version (4.3.8 here):

    ocp_bios: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-metal.x86_64.raw.gz"
    ocp_initramfs: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-installer-initramfs.x86_64.img"
    ocp_install_kernel: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-installer-kernel-x86_64"
    ocp_client: "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.8/openshift-client-linux-4.3.8.tar.gz"
    ocp_installer: "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.8/openshift-install-linux-4.3.8.tar.gz"
    

    Building the offline bundle

    I used a VPS in the US to download the offline images and enjoyed blazing speed: the mirror sync finished in under a minute. Pulling the packaged image archive back from the VPS still ran into slow networking, so I set up an HTTP server and downloaded the archive with Thunder (迅雷), which was much faster and more stable.

    • Download the oc client
    wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.8/openshift-client-linux-4.3.8.tar.gz
    
    • Extract the archive and copy the oc binary to /usr/local/bin
    tar -zxvf openshift-client-linux-4.3.8.tar.gz
    cp oc /usr/local/bin
    
    • Install the tools
    yum -y install podman httpd-tools
    
    • Create the directories used by the local private image registry
    mkdir -p /opt/registry/{auth,certs,data}
    
    • Create the certificate; openssl prompts for the subject fields.

    Note: the Common Name (eg, your name or your server's hostname) field must be the registry's domain name, not an IP address; the other fields can be left blank. I got this step wrong several times. Newer TLS clients (Go 1.15 and later ignore the CN entirely) only accept the hostname if it also appears in a subjectAltName extension, so with OpenSSL 1.1.1 or newer it is worth adding -addext "subjectAltName=DNS:registry.vps.apo.ocp4.com" to the command. The prompts look like this:

    cd /opt/registry/certs
    openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
    Generating a 4096 bit RSA private key
    ....................................++
    ................................................................................................................................................................................................................................................................................................................++
    writing new private key to 'domain.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:shanghai
    Locality Name (eg, city) [Default City]: 
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:registry.vps.apo.ocp4.com
    Email Address []:
    
    • Create the password file (bcrypt-hashed htpasswd). admin/admin is only for this walkthrough: the same credential goes into the pull secret and is distributed to every node that pulls from the mirror, so use a strong password in practice.
    htpasswd -bBc /opt/registry/auth/htpasswd admin admin
    
    • Deploy the private registry from the registry:2 image (the original command had a trailing space after the first backslash, which breaks the line continuation; fixed here):
    podman run --name mirror-registry -p 5000:5000 \
         -v /opt/registry/data:/var/lib/registry:z \
         -v /opt/registry/auth:/auth:z \
         -e "REGISTRY_AUTH=htpasswd" \
         -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
         -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
         -v /opt/registry/certs:/certs:z \
         -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
         -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
         -d docker.io/library/registry:2
    

    Note that the registry port has to be allowed through the firewall. I simply disabled the firewall here, so I did not open the port; alternatively open it as the official documentation does:

    firewall-cmd --add-port=5000/tcp --zone=internal --permanent 
    firewall-cmd --add-port=5000/tcp --zone=public   --permanent 
    firewall-cmd --reload
    
    • Add the certificate to the system trust store
    cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    update-ca-trust
    
    • Test that the registry is reachable:

    Add an entry to /etc/hosts first, otherwise registry.vps.apo.ocp4.com cannot be resolved. The -k flag makes curl skip certificate verification, so this only proves the registry answers and the htpasswd credentials work; run the same command without -k to confirm that the trust-store update above actually took effect.

    curl -u admin:admin -k https://registry.vps.apo.ocp4.com:5000/v2/_catalog
    {"repositories":[]}
    
    • Base64-encode the registry username and password (this is encoding, not encryption: anyone who can read the resulting file can recover the password)
    echo -n 'admin:admin' | base64 -w0
    YWRtaW46YWRtaW4=
    
    • Download the pull-secret.text file, then install jq so the secret can be pretty-printed as JSON, which is easier to edit.
    yum install jq
    
    • Write a pretty-printed copy to a new file
    cat ./pull-secret.text | jq .  >  pull-secret2.text
    
    • The file content looks like this:
    {
      "auths": {
        "cloud.openshift.com": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "quay.io": {
          "auth": "b3BlbnNo...",
          "email": "you@example.com"
        },
        "registry.connect.redhat.com": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        },
        "registry.redhat.io": {
          "auth": "NTE3Njg5Nj...",
          "email": "you@example.com"
        }
      }
    }
    
    • Then add an entry for the private registry. It is used to authenticate to the mirror while the quay.io images are synced into it; the pull secret is simply a credentials file, and the new entry looks like this:
      "auths": {
    ...
        "<local_registry_host_name>:<local_registry_host_port>": { 
          "auth": "<credentials>", 
          "email": "you@example.com"
      },
    ...
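    The credential encoding and the pull-secret merge described in the two steps above, as an added Python example (not code from the original post). It assumes the {"auths": {host: {"auth", "email"}}} layout shown above; SAMPLE_PULL_SECRET is a constructed stand-in for the real downloaded file.

```python
"""Merge a local mirror-registry credential into an OpenShift pull secret.

Added example, not from the original post. Assumes the pull secret has the
{"auths": {host: {"auth": ..., "email": ...}}} layout shown in the article.
"""
import base64
import json

# Constructed sample standing in for the downloaded pull-secret.text
# (the quay.io auth value is base64 of "quayuser:quaytoken", not a real token).
SAMPLE_PULL_SECRET = json.dumps({
    "auths": {
        "quay.io": {"auth": "cXVheXVzZXI6cXVheXRva2Vu", "email": "you@example.com"},
    }
})


def local_registry_auth(user, password):
    """Return the base64 'user:password' string a Docker-style config expects.

    This is encoding, not encryption: anyone who can read the secret file can
    recover the password, so keep the file at mode 0600 and off shared hosts.
    """
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def add_mirror_registry(pull_secret_json, host, port, user, password, email):
    """Add (or replace) the local mirror entry and return pretty-printed JSON.

    Refuses files without an 'auths' object, which usually means the input is
    not a pull secret at all (e.g. the install-config was passed by mistake).
    """
    secret = json.loads(pull_secret_json)
    if not isinstance(secret.get("auths"), dict):
        raise ValueError("not a pull secret: missing 'auths' object")
    secret["auths"][f"{host}:{port}"] = {
        "auth": local_registry_auth(user, password),
        "email": email,
    }
    return json.dumps(secret, indent=2)


def registries_in(pull_secret_json):
    """Sorted list of registry hosts the secret carries credentials for."""
    return sorted(json.loads(pull_secret_json)["auths"])


def registry_credentials(pull_secret_json, key):
    """Decode one registry's 'auth' field back into (user, password)."""
    entry = json.loads(pull_secret_json)["auths"][key]["auth"]
    user, _, password = base64.b64decode(entry).decode().partition(":")
    return user, password


if __name__ == "__main__":
    merged = add_mirror_registry(SAMPLE_PULL_SECRET, "registry.vps.apo.ocp4.com",
                                 5000, "admin", "admin", "you@example.com")
    print(merged)
```

    Run it against the real file with the hostname and port you chose for LOCAL_REGISTRY; the decoded credential check at the end is a quick way to confirm the entry you pasted by hand is not mangled by a stray quote, which is the most common reason the mirror step later fails with 401.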
    
    • Export the environment variables the mirroring step needs: the registry address, the target repository and the release version. LOCAL_SECRET_JSON must point at where pull-secret2.text was actually written (the jq step above created it in the current directory).
    export OCP_RELEASE=4.3.8-x86_64
    export LOCAL_REGISTRY='registry.vps.apo.ocp4.com:5000'
    export LOCAL_REPOSITORY='ocp4/openshift4'
    export PRODUCT_REPO='openshift-release-dev'
    export LOCAL_SECRET_JSON='/opt/registry/certs/pull-secret2.text'
    export RELEASE_NAME="ocp-release" 
    
    • Run the sync with oc
    oc adm -a ${LOCAL_SECRET_JSON} release mirror \
         --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \
         --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
         --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
    
    • The output of the sync looks like this
    info: Mirroring 103 images to registry.vps.apo.ocp4.com:5000/ocp4/openshift4 ...
    registry.vps.apo.ocp4.com:5000/
      ocp4/openshift4
        blobs:
    Success
    Update image:  registry.vps.apo.ocp4.com:5000/ocp4/openshift4:4.3.8-x86_64
    Mirror prefix: registry.vps.apo.ocp4.com:5000/ocp4/openshift4
    
    To use the new mirrored repository to install, add the following section to the install-config.yaml:
    
    imageContentSources:
    - mirrors:
      - registry.vps.apo.ocp4.com:5000/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-release
    - mirrors:
      - registry.vps.apo.ocp4.com:5000/ocp4/openshift4
      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    
    
    To use the new mirrored repository for upgrades, use the following to create an ImageContentSourcePolicy:
    
    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: example
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - registry.vps.apo.ocp4.com:5000/ocp4/openshift4
        source: quay.io/openshift-release-dev/ocp-release
      - mirrors:
        - registry.vps.apo.ocp4.com:5000/ocp4/openshift4
        source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    
    • Package the registry files

    With OpenShift 3 you pulled the images directly and then packaged them; OpenShift 4 does not provide such a command, so I packaged the whole registry storage directory, carried it back to China, put it on a virtual machine and started the registry there.

    cd /opt/registry/data/
    tar -czvf ocp4.3.8-images.tar.gz docker/
    ll
    drwxr-xr-x 3 root root       4096 Apr 21 07:10 docker
    -rw-r--r-- 1 root root 5585707233 Apr 21 07:24 ocp4.3.8-images.tar.gz
    

    An interesting detail

    In the log produced while mirroring, every image is named openshift4, the tag is the OpenShift version plus the component name, and each line also carries the image's sha256 digest. The release references its component images by digest, so the digest, not the tag, is what the cluster actually pulls and what should be checked if the mirror's contents are ever in doubt.

    sha256:d57b9ab77f64cb3cc667d957d53248f004dfa3ba5c8e3270ad06465815fca9e1 registry.vps.apo.ocp4.com:5000/ocp4/openshift4:4.3.8-openshift-state-metrics
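    The registry's on-disk layout is content-addressed, which makes the tarball shipped in the packaging step above easy to verify after a slow transfer: every blob lives at docker/registry/v2/blobs/sha256/<xx>/<digest>/data, where <xx> is the first two hex characters of its digest. The following added Python example (not from the original post) recomputes each blob's SHA-256 and reports mismatches; the tiny blob store it builds in a temporary directory is constructed sample data, and the function is meant to be pointed at /opt/registry/data on the destination host.

```python
"""Verify a Docker Distribution (registry:2) blob store after transfer.

Added example, not from the original post. Checks every
docker/registry/v2/blobs/sha256/<xx>/<digest>/data file against the digest
in its path, which catches truncated or tampered layers before the mirror
is used for an install.
"""
import hashlib
import os
import tempfile

BLOB_PATH = ("docker", "registry", "v2", "blobs", "sha256")


def verify_registry_blobs(data_root):
    """Return (checked, bad): blobs verified and the digests that failed.

    data_root is the directory mounted at /var/lib/registry, e.g. /opt/registry/data.
    A digest directory with no 'data' file is reported as bad too, since that is
    what a truncated archive leaves behind.
    """
    blobs = os.path.join(data_root, *BLOB_PATH)
    if not os.path.isdir(blobs):
        raise FileNotFoundError(f"no blob store under {blobs}")
    checked, bad = 0, []
    for prefix in sorted(os.listdir(blobs)):
        for digest in sorted(os.listdir(os.path.join(blobs, prefix))):
            path = os.path.join(blobs, prefix, digest, "data")
            if not os.path.isfile(path):
                bad.append(digest)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            checked += 1
            if h.hexdigest() != digest or digest[:2] != prefix:
                bad.append(digest)
    return checked, bad


def build_demo_registry(root, corrupt_one):
    """Write a constructed three-blob store under root; optionally damage one."""
    payloads = [b"layer-one", b"layer-two", b'{"schemaVersion": 2}']
    digests = []
    for payload in payloads:
        d = hashlib.sha256(payload).hexdigest()
        bdir = os.path.join(root, *BLOB_PATH, d[:2], d)
        os.makedirs(bdir)
        with open(os.path.join(bdir, "data"), "wb") as f:
            f.write(payload)
        digests.append(d)
    if corrupt_one:
        # Same path, different bytes: what a blob damaged in transit looks like.
        d = digests[0]
        with open(os.path.join(root, *BLOB_PATH, d[:2], d, "data"), "wb") as f:
            f.write(b"layer-one-damaged")
    return digests


def demo(corrupt_one=True):
    """Build a demo store and return (checked, bad, digests) from verifying it."""
    with tempfile.TemporaryDirectory() as root:
        digests = build_demo_registry(root, corrupt_one)
        checked, bad = verify_registry_blobs(root)
        return checked, bad, digests


if __name__ == "__main__":
    checked, bad, _ = demo()
    print(f"checked {checked} blobs, {len(bad)} bad: {bad}")
```

    Run verify_registry_blobs("/opt/registry/data") on the destination VM before starting the registry container; a non-empty bad list means the archive should be re-transferred rather than served to a cluster.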
    

    Article link: https://www.haomeiwen.com/subject/laoyihtx.html