If the integrated registry was not previously deployed automatically during the initial installation of your OpenShift Container Platform cluster, or if it is no longer running successfully and you need to redeploy it on your existing cluster, see the following sections for options on deploying a new registry.
This topic is not required if you installed a stand-alone registry.
You can configure the host name and port by which the registry is known for both internal and external references. By doing this, image streams will provide hostname-based push and pull specifications for images, allowing consumers of the images to be isolated from changes to the registry service IP and potentially allowing image streams and their references to be portable between clusters.
To set the hostname used to reference the registry from within the cluster, set the internalRegistryHostname value in the imagePolicyConfig section of the master configuration file. The external host name is controlled by setting the externalRegistryHostname value in the same location.

imagePolicyConfig:
  internalRegistryHostname: docker-registry.default.svc.cluster.local:5000
  externalRegistryHostname: docker-registry.mycompany.com
The registry itself must be configured with the same internal hostname value. This can be accomplished by setting the REGISTRY_OPENSHIFT_SERVER_ADDR environment variable on the registry deployment configuration, or by setting the value in the OpenShift section of the registry configuration.
If you have enabled TLS for your registry, the server certificate must include the hostnames by which you expect the registry to be referenced. See Securing the Registry for instructions on adding hostnames to the server certificate.
To deploy the integrated container image registry, use the oc adm registry command as a user with cluster administrator privileges. For example:

$ oc adm registry --config=/etc/origin/master/admin.kubeconfig \ (1)
    --service-account=registry \ (2)
    --images='registry.redhat.io/openshift3/ose-${component}:${version}' (3)

(1) --config is the path to the CLI configuration file for the cluster administrator.
(2) --service-account is the service account used to run the registry's pod.
(3) Required to pull the correct image for OpenShift Container Platform. ${component} and ${version} are dynamically replaced during installation.
This creates a service and a deployment configuration, both called docker-registry. Once deployed successfully, a pod is created with a name similar to docker-registry-1-cpty9.
To see a full list of options that you can specify when creating the registry:
$ oc adm registry --help
The value for --fs-group must be permitted by the SCC used by the registry (typically, the restricted SCC).
Use the oc adm registry command with the --daemonset option to deploy the registry as a DaemonSet.
DaemonSets ensure that when nodes are created, they contain copies of a specified pod. When the nodes are removed, the pods are garbage collected.
For more information on DaemonSets, see Using DaemonSets.
By default, the registry is created with no settings for compute resource requests or limits. For production, it is highly recommended that the deployment configuration for the registry be updated to set resource requests and limits for the registry pod. Otherwise, the registry pod will be considered a BestEffort pod.
See Compute Resources for more information on configuring requests and limits.
The registry stores container images and metadata. If you simply deploy a pod with the registry, it uses an ephemeral volume that is destroyed if the pod exits. Any images anyone has built or pushed into the registry would disappear.
This section lists the supported registry storage drivers. See the container image registry documentation for more information.
The following list includes storage drivers that need to be configured in the registry’s configuration file:
Filesystem. Filesystem is the default and does not need to be configured.
S3. See the CloudFront configuration documentation for more information.
General registry storage configuration options are supported. See the container image registry documentation for more information.
The following storage options need to be configured through the filesystem driver:
For more information on supported persistent storage drivers, see Configuring Persistent Storage and Persistent Storage Examples.
For production use, attach a remote volume or define and use the persistent storage method of your choice.
For example, to use an existing persistent volume claim:
$ oc set volume deploymentconfigs/docker-registry --add --name=registry-storage -t pvc \
    --claim-name=<pvc_name> --overwrite

Testing shows issues with using the RHEL NFS server as a storage backend for the container image registry. This includes the OpenShift Container registry and Quay. Therefore, using the RHEL NFS server to back PVs used by core services is not recommended. Other NFS implementations on the marketplace might not have these issues. Contact the individual NFS implementation vendor for more information on any testing that was possibly completed against these OpenShift core components.
There is also an option to use Amazon Simple Storage Service storage with the internal container image registry. It is secure cloud storage manageable through the AWS Management Console. To use it, the registry's configuration file must be manually edited and mounted into the registry pod. However, before you start with the configuration, look at upstream's recommended steps.
Take a default YAML configuration file as a base and replace the filesystem entry in the storage section with an s3 entry such as the one below. The resulting storage section may look like this:
storage:
  cache:
    layerinfo: inmemory
  delete:
    enabled: true
  s3:
    accesskey: awsaccesskey (1)
    secretkey: awssecretkey (2)
    region: us-west-1
    regionendpoint: http://myobjects.local
    bucket: bucketname
    encrypt: true
    keyid: mykeyid
    secure: true
    v4auth: false
    chunksize: 5242880
    rootdirectory: /s3/object/name/prefix

(1) Replace with your Amazon access key.
(2) Replace with your Amazon secret key.
All of the s3 configuration options are documented in upstream's driver reference documentation.
Overriding the Registry Configuration walks you through the additional steps for mounting the configuration file into the pod.
When the registry runs on the S3 storage back-end, there are reported issues.
If you want to use an S3 region that is not supported by the integrated registry you are using, see S3 Driver Configuration.
For non-production use, you can use the --mount-host=<path> option to specify a directory for the registry to use for persistent storage. The registry volume is then created as a host-mount at the specified <path>.
The --mount-host option requires that the registry container run in privileged mode. This is automatically enabled when you specify --mount-host. However, not all pods are allowed to run privileged containers by default.
If you still want to use this option, create the registry and specify that it use the registry service account that was created during installation:

$ oc adm registry --service-account=registry \
    --config=/etc/origin/master/admin.kubeconfig \
    --images='registry.redhat.io/openshift3/ose-${component}:${version}' \ (1)
    --mount-host=<path>

(1) Required to pull the correct image for OpenShift Container Platform. ${component} and ${version} are dynamically replaced during installation.
The container image registry pod runs as user 1001. This user must be able to write to the host directory. You may need to change directory ownership to user ID 1001 with this command:

$ sudo chown 1001:root <path>
OpenShift Container Platform provides a web-based interface to the integrated registry. This registry console is an optional component for browsing and managing images. It is deployed as a stateless service running as a pod.
If you installed OpenShift Container Platform as a stand-alone registry, the registry console is already deployed and secured automatically during installation.
If Cockpit is already running, you'll need to shut it down before proceeding in order to avoid a port conflict (9090 by default) with the registry console.
You must first have exposed the registry.
Create a passthrough route in the default project. You will need this when creating the registry console application in the next step.

$ oc create route passthrough --service registry-console \
    --port registry-console \
    -n default

Deploy the registry console application. Replace <openshift_oauth_url> with the URL of the OpenShift Container Platform OAuth provider, which is typically the master.

$ oc new-app -n default --template=registry-console \
    -p OPENSHIFT_OAUTH_PROVIDER_URL="https://<openshift_oauth_url>:8443" \
    -p REGISTRY_HOST=$(oc get route docker-registry -n default --template='{{ .spec.host }}') \
    -p COCKPIT_KUBE_URL=$(oc get route registry-console -n default --template='https://{{ .spec.host }}')

If the redirection URL is wrong when you are trying to log in to the registry console, check your OAuth client with
Finally, use a web browser to view the console using the route URI.
By default, the registry console generates self-signed TLS certificates if deployed manually per the steps in Deploying the Registry Console. See Troubleshooting the Registry Console for more information.
Use the following steps to add your organization's signed certificates as a secret volume. This assumes your certificates are available on the oc client host.
Create a .cert file containing the certificate and key. Format the file with:
One or more BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities
A block containing a BEGIN PRIVATE KEY or similar for the key. The key must not be encrypted
For example:

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPXW+CuNYS6QMA0GCSqGSIb3DQEBCwUAMD8xKTAnBgNV
BAoMIGI0OGE2NGNkNmMwNTQ1YThhZTgxOTEzZDE5YmJjMmRjMRIwEAYDVQQDDAls
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyOJ5garOYw0sm
8TBCDSqQ/H1awGMzDYdB11xuHHsxYS2VepPMzMzryHR137I4dGFLhvdTvJUH8lUS
...
-----END PRIVATE KEY-----
The secured registry should contain the following Subject Alternative Names (SAN) list:
Two service hostnames. For example:

docker-registry.default.svc.cluster.local
docker-registry.default.svc

Service IP address. For example:

172.30.124.220

Use the following command to get the container image registry service IP address:

$ oc get service docker-registry --template='{{.spec.clusterIP}}'

Public hostname. For example:

docker-registry-default.apps.example.com

Use the following command to get the container image registry public hostname:

$ oc get route docker-registry --template '{{.spec.host}}'

For example, the server certificate should contain SAN details similar to the following:

X509v3 Subject Alternative Name:
    DNS:docker-registry-public.openshift.com, DNS:docker-registry.default.svc, DNS:docker-registry.default.svc.cluster.local, DNS:172.30.2.98, IP Address:172.30.2.98
The registry console loads a certificate from the /etc/cockpit/ws-certs.d directory. It uses the last file with a .cert extension in alphabetical order. Therefore, the .cert file should contain at least two PEM blocks formatted in the OpenSSL style.
If no certificate is found, a self-signed certificate is created using the openssl command and stored in the 0-self-signed.cert file.
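The following POSIX shell script is an added example, not part of the OpenShift documentation: it checks a .cert bundle against the layout described above before it becomes the console secret, and compares a certificate's subjectAltName line with the names listed for the secured registry. The function names check_console_cert, san_covers and registry_san_check are the author's own; the live variant assumes the service docker-registry in project default on port 5000 and needs oc and openssl on the client host.

```shell
#!/bin/sh
# Added example (not from the OpenShift documentation): offline checks for the
# certificate material described in this section. Assumed names: registry
# service "docker-registry" in project "default", listening on port 5000.

# 1) Check a .cert bundle before it goes into the console-secret: at least one
#    CERTIFICATE block and exactly one unencrypted PRIVATE KEY block
#    (cockpit-ws cannot prompt for a passphrase). Returns 1 with a reason on
#    failure, 0 when the layout is usable.
check_console_cert() {
  f=$1; [ -r "$f" ] || { echo "cannot read $f"; return 1; }
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -E -- '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  if [ "$certs" -lt 1 ]; then echo "no CERTIFICATE block in $f"; return 1; fi
  if [ "$keys" -ne 1 ]; then
    echo "expected exactly one PRIVATE KEY block in $f, found $keys"; return 1
  fi
  if grep -q -E -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
    echo "private key in $f is encrypted"; return 1
  fi
  return 0
}

# 2) Compare a subjectAltName line (as printed by `openssl x509 -noout -text`)
#    with the names the registry must be reachable under. Prints every missing
#    entry; returns 1 if any is missing.
san_covers() {
  san_line=$1; shift
  names=$(printf '%s\n' "$san_line" | sed 's/^.*Subject Alternative Name: *//' \
          | tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://')
  missing=0
  for want in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF -- "$want"; then
      echo "missing SAN entry: $want"; missing=1
    fi
  done
  return $missing
}

# Live variant: build the expected list the way the docs do and read the SAN
# line from the certificate the registry actually serves (needs oc and openssl).
registry_san_check() {
  svc_ip=$(oc get service docker-registry -n default --template='{{.spec.clusterIP}}')
  public=$(oc get route docker-registry -n default --template='{{.spec.host}}')
  san=$(openssl s_client -connect "$svc_ip:5000" -servername "$public" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  san_covers "$san" docker-registry.default.svc \
    docker-registry.default.svc.cluster.local "$svc_ip" "$public"
}
```

Run check_console_cert on the bundle before creating console-secret, and registry_san_check after exposing the registry; a missing SAN entry means clients using that name will fail TLS verification rather than silently connect.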
Create the secret:

$ oc create secret generic console-secret \
    --from-file=/path/to/console.cert

Add the secrets to the registry-console deployment configuration:

$ oc set volume dc/registry-console --add --type=secret \
    --secret-name=console-secret -m /etc/cockpit/ws-certs.d
This triggers a new deployment of the registry console to include your signed certificates.
The registry console debug mode is enabled using an environment variable. The following command redeploys the registry console in debug mode:
$ oc set env dc registry-console G_MESSAGES_DEBUG=cockpit-ws,cockpit-wrapper
Enabling debug mode allows more verbose logging to appear in the registry console’s pod logs.
To check which certificate the registry console is using, a command can be run from inside the console pod.
List the pods in the default project and find the registry console’s pod name:
$ oc get pods -n default
NAME                       READY     STATUS    RESTARTS   AGE
registry-console-1-rssrw   1/1       Running   0          1d
Using the pod name from the previous command, get the certificate path that the cockpit-ws process is using. This example shows the console using the auto-generated certificate:
$ oc exec registry-console-1-rssrw remotectl certificate
certificate: /etc/cockpit/ws-certs.d/0-self-signed.cert