$ oc policy add-role-to-user registry-viewer <user_name>
Use the following sections for instructions on accessing the registry, including viewing logs and metrics, as well as securing and exposing the registry.
You can access the registry directly to invoke podman commands. This allows you to push images to or pull them from the integrated registry directly using operations like podman push or podman pull. To do so, you must be logged in to the registry using the oc login command. The operations you can perform depend on your user permissions, as described in the following sections.
You must have configured an identity provider (IDP).
For pulling images, for example when using the podman pull command, the user must have the registry-viewer role. To add this role:
$ oc policy add-role-to-user registry-viewer <user_name>
For writing or pushing images, for example when using the podman push command, the user must have the registry-editor role. To add this role:
$ oc policy add-role-to-user registry-editor <user_name>
You can access the registry from inside the cluster.
Access the registry from the cluster by using internal routes:
Access the node by getting the node’s address:
$ oc get nodes
$ oc debug nodes/<node_address>
To have access to tools such as oc and podman on the node, run the following command:
sh-4.2# chroot /host
Log in to the container image registry by using your access token:
sh-4.4# oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443
sh-4.4# podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
You should see a message confirming login, such as:
Login Succeeded!
You can pass any value for the user name; the token contains all necessary information. Passing a user name that contains colons will result in a login failure. Since the Image registry Operator creates the route, it will likely be similar to
Perform podman pull and podman push operations against your registry:
You can pull arbitrary images, but if you have the system:registry role added, you can only push images to the registry in your project.
In the following examples, use:
Component | Value |
---|---|
<registry_ip> | |
<port> | |
<project> | |
<image> | |
<tag> | omitted (defaults to |
Pull an arbitrary image:
$ podman pull name.io/image
Tag the new image with the form <registry_ip>:<port>/<project>/<image>. The project name must appear in this pull specification for OpenShift Container Platform to correctly place and later access the image in the registry:
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
You must have the |
Push the newly-tagged image to your registry:
$ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
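The rules stated in this procedure (a user name without colons, a target of the form <registry_ip>:<port>/<project>/<image>, and pushes limited to your own project) can be checked before calling podman push. The following is an added example, not part of the original documentation; the function name check_push_target and its arguments are hypothetical.

```shell
# check_push_target <user_name> <own_project> <pull_spec>
# Returns 0 when the target is well-formed and inside the caller's project.
# Hypothetical helper: it validates strings only and never contacts the registry.
check_push_target() {
    user=$1; project=$2; spec=$3

    # A user name that contains a colon makes the registry login fail.
    case $user in
        *:*) echo "user name contains a colon" >&2; return 2 ;;
    esac

    # Split <registry_ip>:<port> from the repository path.
    hostport=${spec%%/*}
    path=${spec#*/}
    [ "$hostport" != "$spec" ] || { echo "no registry address in spec" >&2; return 3; }
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *) echo "no port in registry address" >&2; return 3 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port is not numeric" >&2; return 3 ;;
    esac

    # The path must be exactly <project>/<image>, optionally with :<tag>.
    spec_project=${path%%/*}
    image=${path#*/}
    if [ "$spec_project" = "$path" ] || [ -z "$spec_project" ] || [ -z "$image" ]; then
        echo "project name missing from pull specification" >&2; return 4
    fi
    case $image in
        */*) echo "unexpected extra path component" >&2; return 4 ;;
    esac

    # Pushes are only accepted into the caller's own project.
    [ "$spec_project" = "$project" ] || { echo "target project is not $project" >&2; return 5; }
    return 0
}
```

A non-zero return code identifies which rule failed: 2 for the user name, 3 for the registry address, 4 for a missing project, 5 for a project other than your own.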
As an administrator, you can view your registry’s contents.
Log in as administrator.
Check the pods under project openshift-image-registry:
# oc get pods
NAME                                               READY   STATUS    RESTARTS   AGE
cluster-image-registry-operator-764bd7f846-qqtpb   1/1     Running   0          78m
image-registry-79fb4469f6-llrln                    1/1     Running   0          77m
node-ca-hjksc                                      1/1     Running   0          73m
node-ca-tftj6                                      1/1     Running   0          77m
node-ca-wb6ht                                      1/1     Running   0          77m
node-ca-zvt9q                                      1/1     Running   0          74m
You can view the logs for the registry by using the oc logs command.
Use the oc logs command with deployments to view the logs for the container image registry:
$ oc logs deployments/image-registry
2015-05-01T19:48:36.300593110Z time="2015-05-01T19:48:36Z" level=info msg="version=v2.0.0+unknown"
2015-05-01T19:48:36.303294724Z time="2015-05-01T19:48:36Z" level=info msg="redis not configured" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
2015-05-01T19:48:36.303422845Z time="2015-05-01T19:48:36Z" level=info msg="using inmemory layerinfo cache" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
2015-05-01T19:48:36.303433991Z time="2015-05-01T19:48:36Z" level=info msg="Using OpenShift Auth handler"
2015-05-01T19:48:36.303439084Z time="2015-05-01T19:48:36Z" level=info msg="listening on :5000" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
The OpenShift Container registry provides an endpoint for Prometheus metrics. Prometheus is a stand-alone, open source systems monitoring and alerting toolkit.
The metrics are exposed at the /extensions/v2/metrics path of the registry endpoint.
There are two ways in which you can access the metrics: running a metrics query or using the cluster role.
Metrics query
Run a metrics query, for example:
$ curl --insecure -s -u <user>:<secret> \ (1)
    https://image-registry.openshift-image-registry.svc:5000/extensions/v2/metrics | grep imageregistry | head -n 20
# HELP imageregistry_build_info A metric with a constant '1' value labeled by major, minor, git commit & git version from which the image registry was built.
# TYPE imageregistry_build_info gauge
imageregistry_build_info{gitCommit="9f72191",gitVersion="v3.11.0+9f72191-135-dirty",major="3",minor="11+"} 1
# HELP imageregistry_digest_cache_requests_total Total number of requests without scope to the digest cache.
# TYPE imageregistry_digest_cache_requests_total counter
imageregistry_digest_cache_requests_total{type="Hit"} 5
imageregistry_digest_cache_requests_total{type="Miss"} 24
# HELP imageregistry_digest_cache_scoped_requests_total Total number of scoped requests to the digest cache.
# TYPE imageregistry_digest_cache_scoped_requests_total counter
imageregistry_digest_cache_scoped_requests_total{type="Hit"} 33
imageregistry_digest_cache_scoped_requests_total{type="Miss"} 44
# HELP imageregistry_http_in_flight_requests A gauge of requests currently being served by the registry.
# TYPE imageregistry_http_in_flight_requests gauge
imageregistry_http_in_flight_requests 1
# HELP imageregistry_http_request_duration_seconds A histogram of latencies for requests to the registry.
# TYPE imageregistry_http_request_duration_seconds summary
imageregistry_http_request_duration_seconds{method="get",quantile="0.5"} 0.01296087
imageregistry_http_request_duration_seconds{method="get",quantile="0.9"} 0.014847248
imageregistry_http_request_duration_seconds{method="get",quantile="0.99"} 0.015981195
imageregistry_http_request_duration_seconds_sum{method="get"} 12.260727916000022
(1) <user> can be arbitrary, but <secret> must match the value specified in the registry configuration.
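The Hit and Miss counters in this output can be turned into a cache hit percentage once the scrape is saved. The following is an added example, not part of the original documentation; the function names sample_metrics and cache_hit_ratio are hypothetical, and the sample lines are copied from the output shown above.

```shell
# Sample scrape: the digest cache counters from the output shown above.
sample_metrics() {
cat <<'EOF'
# TYPE imageregistry_digest_cache_requests_total counter
imageregistry_digest_cache_requests_total{type="Hit"} 5
imageregistry_digest_cache_requests_total{type="Miss"} 24
# TYPE imageregistry_digest_cache_scoped_requests_total counter
imageregistry_digest_cache_scoped_requests_total{type="Hit"} 33
imageregistry_digest_cache_scoped_requests_total{type="Miss"} 44
EOF
}

# cache_hit_ratio <metric_name>
# Reads Prometheus exposition text on stdin and prints Hit/(Hit+Miss) as a
# percentage with one decimal. Returns 1 if the metric has no samples.
cache_hit_ratio() {
    LC_ALL=C awk -v m="$1" '
        /^#/ { next }                      # skip HELP and TYPE comment lines
        {
            name = $1
            sub(/\{.*/, "", name)          # strip the {label="..."} part
            if (name != m) next            # exact match on the metric name
            if ($1 ~ /type="Hit"/)       hit  += $NF
            else if ($1 ~ /type="Miss"/) miss += $NF
        }
        END {
            if (hit + miss == 0) { print "no samples"; exit 1 }
            printf "%.1f\n", 100 * hit / (hit + miss)
        }'
}
```

To use it on a live registry, pipe the output of the curl command above into cache_hit_ratio with the metric name as the argument.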
Cluster role
Create a cluster role if you do not already have one to access the metrics:
$ cat <<EOF | oc create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus-scraper
rules:
- apiGroups:
  - image.openshift.io
  resources:
  - registry/metrics
  verbs:
  - get
EOF
To add this role to a user, run the following command:
$ oc adm policy add-cluster-role-to-user prometheus-scraper <username>
Access the metrics using cluster role. The part of the configuration file responsible for metrics should look like this:
openshift:
  version: 1.0
  metrics:
    enabled: true
...
A kubeadmin can access the registry until deleted. See Removing the kubeadmin user for more information.
For more information on configuring an identity provider, see Understanding identity provider configuration.