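Pulling images from a private registry with k3s

Time: 2021-02-16 11:42:36

Tags: docker kubernetes docker-registry k3s

I've been looking at different references on how to enable k3s (running on my pi) to pull docker images from a private registry on my home network (a server laptop on my network). Could someone please point my head in the right direction? This is my approach: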

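  1. Created the docker registry on my server (accessed via port 10000):
docker run -d -p 10000:5000 --restart=always --name local-docker-registry registry:2

This worked, and I was able to push and pull images to it from the "server pc". I haven't added authentication, TLS etc. yet...

(Viewing the images via the docker plugin on VS Code.)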

  2. Added an inbound firewall rule on my laptop server, and tested that the registry can be "seen" from my pi (so this works too):
$ curl -ks http://<server IP>:10000/v2/_catalog
{"repositories":["tcpserialpassthrough"]}
  3. Added the registry link to k3s (k3s running on my pi) in the registries.yaml file, and restarted k3s and the pi:
$ cat /etc/rancher/k3s/registries.yaml
mirrors:
  pwlaptopregistry:
    endpoint:
      - "http://<host IP here>:10000"
  4. Added the registry prefix to the image endpoint in the deployment manifest:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcpserialpassthrough
spec:
  selector:
    matchLabels:
      app: tcpserialpassthrough
  replicas: 1
  template:
    metadata:
      labels:
        app: tcpserialpassthrough
    spec:
      containers:
      - name: tcpserialpassthrough
        image: pwlaptopregistry/tcpserialpassthrough:vers1.3-arm
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 8001
          hostPort: 8001
          protocol: TCP
        command: ["dotnet", "/app/TcpConnector.dll"]

However, when I check the deployment startup sequence, it is still unable to pull the image (and possibly is also still referencing docker hub?):

kubectl get events -w
LAST SEEN   TYPE      REASON             OBJECT                                      MESSAGE
8m24s       Normal    SuccessfulCreate   replicaset/tcpserialpassthrough-88fb974d9   Created pod: tcpserialpassthrough-88fb974d9-b88fc
8m23s       Warning   FailedScheduling   pod/tcpserialpassthrough-88fb974d9-b88fc    0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports.
8m23s       Warning   FailedScheduling   pod/tcpserialpassthrough-88fb974d9-b88fc    0/1 nodes are available: 1 node(s) didn't have free ports for the requested pod ports.
8m21s       Normal    Scheduled          pod/tcpserialpassthrough-88fb974d9-b88fc    Successfully assigned default/tcpserialpassthrough-88fb974d9-b88fc to raspberrypi
6m52s       Normal    Pulling            pod/tcpserialpassthrough-88fb974d9-b88fc    Pulling image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm"
6m50s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Error: ErrImagePull
6m50s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Failed to pull image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": failed to resolve reference "docker.io/pwlaptopregistry/tcpserialpassthrough:vers1.3-arm": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
6m3s        Normal    BackOff            pod/tcpserialpassthrough-88fb974d9-b88fc    Back-off pulling image "pwlaptopregistry/tcpserialpassthrough:vers1.3-arm"
3m15s       Warning   Failed             pod/tcpserialpassthrough-88fb974d9-b88fc    Error: ImagePullBackOff

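I wondered whether the issue was with authorization, and added basic authentication following this youtube guide, but the same issue persists. I also noted that /etc/docker/daemon.json must be edited to allow unauthorized, non-TLS connections, via: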

{
  "insecure-registries": [ "<host IP>:10000" ]
}

But it appears that this needs to be done on the node side, whereas the nodes don't have the docker cli installed??

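1 answer:

Answer 0 (score: 4)

...this was silly, not sure why the domain name and port need to be specified as the "name" of the registry you are referencing, but anyway this solved my problem (for reference):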

$ cat /etc/rancher/k3s/registries.yaml
mirrors:
  "<host IP>:10000":
    endpoint:
      - "http://<host IP>:10000"

And restart k3s:

systemctl restart k3s

Then in your deployment, reference it in your image path as:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: tcpserialpassthrough
spec:
  selector:
    matchLabels:
      app: tcpserialpassthrough
  replicas: 1
  template:
    metadata:
      labels:
        app: tcpserialpassthrough
    spec:
      containers:
      - name: tcpserialpassthrough
        image: <host IP>:10000/tcpserialpassthrough:vers1.3-arm
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 8001
          hostPort: 8001
          protocol: TCP
        command: ["dotnet", "/app/TcpConnector.dll"]
      imagePullSecrets:
      - name: mydockercredentials

This references the basic auth details for the registry, saved as a secret:

$ kubectl create secret docker-registry mydockercredentials --docker-server "<host IP>:10000" --docker-username username --docker-password password

You will be able to verify the pull process via:

$ kubectl get events -w
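
The events in the question show the image being resolved as docker.io/pwlaptopregistry/..., and the answer fixes it by keying the mirror on host:port. The block below is an added example, not code from the post or from k3s: a simplified sketch of Docker-style image reference normalization that explains both results, and that also lists mirror endpoints using plain HTTP, over which basic-auth credentials travel unencrypted. It assumes 192.0.2.10 as a constructed stand-in for `<host IP>`, and all function names are hypothetical.

```python
# Added example (not from the post or from k3s). 192.0.2.10 is a constructed
# stand-in for <host IP>; all function names are hypothetical.
DEFAULT_REGISTRY = "docker.io"

def split_reference(image):
    """Split an image reference into (registry host, repository[:tag])."""
    first, sep, rest = image.partition("/")
    # The first path component counts as a registry host only if it contains
    # "." or ":", is "localhost", or has upper-case letters. Otherwise the
    # whole string is treated as a Docker Hub repository path.
    is_host = bool(sep) and (
        "." in first or ":" in first or first == "localhost"
        or first != first.lower()
    )
    if not is_host:
        first, rest = DEFAULT_REGISTRY, image
    if first == "index.docker.io":
        first = DEFAULT_REGISTRY
    if first == DEFAULT_REGISTRY and "/" not in rest:
        rest = "library/" + rest  # official images live under library/
    return first, rest

def resolve_endpoints(image, mirrors):
    """Return (host, endpoints); endpoints is empty when no mirror key equals host."""
    host, _ = split_reference(image)
    return host, list(mirrors.get(host, {}).get("endpoint", []))

def plaintext_endpoints(mirrors):
    """List mirror endpoints served over plain HTTP (credentials unencrypted)."""
    return sorted(ep for m in mirrors.values()
                  for ep in m.get("endpoint", []) if ep.startswith("http://"))

# Constructed equivalents of the two registries.yaml files on this page.
QUESTION_MIRRORS = {"pwlaptopregistry": {"endpoint": ["http://192.0.2.10:10000"]}}
ANSWER_MIRRORS = {"192.0.2.10:10000": {"endpoint": ["http://192.0.2.10:10000"]}}

if __name__ == "__main__":
    for image, mirrors in [
        ("pwlaptopregistry/tcpserialpassthrough:vers1.3-arm", QUESTION_MIRRORS),
        ("192.0.2.10:10000/tcpserialpassthrough:vers1.3-arm", ANSWER_MIRRORS),
    ]:
        host, eps = resolve_endpoints(image, mirrors)
        print(f"{image}\n  registry host: {host}\n  mirror endpoints: {eps or 'none, default registry used'}")
    print("plain-HTTP endpoints:", plaintext_endpoints(ANSWER_MIRRORS))
```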