Question:

Cannot access the OpenShift 4.2 built-in docker registry from outside

龚凯泽
2023-03-14

I have a kubeadmin account for OpenShift 4.2 and can log in successfully with oc login -u kubeadmin.

I exposed the built-in docker registry through the default route as documented at https://docs.openshift.com/container-platform/4.2/registry/securing-exposing-registry.html

My docker client runs on macOS and is configured to trust the registry's default self-signed certificate

openssl s_client -showcerts -connect $(oc registry info) </dev/null 2>/dev/null|openssl x509 -outform PEM > tls.pem
security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain tls.pem

Now, when I try to log in to the built-in registry, I get the following error

docker login $(oc registry info) -u $(oc whoami) -p $(oc whoami -t)
Error response from daemon: Get https://my-openshift-registry.com/v2/: unauthorized: authentication required

The registry log reports the following errors

error authorizing context: authorization header required
invalid token: Unauthorized

More specifically

oc logs -f -n openshift-image-registry deployments/image-registry
time="2019-11-29T18:03:25.581914855Z" level=warning msg="error authorizing context: authorization header required" go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=aa41909a-4aa0-42a5-9568-91aa77c7f7ab http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri=/v2/ http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))"
time="2019-11-29T18:03:25.581958296Z" level=info msg=response go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=d2216e3a-0e12-4e77-b3cb-fd47b6f9a804 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri=/v2/ http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))" http.response.contenttype="application/json; charset=utf-8" http.response.duration="923.654µs" http.response.status=401 http.response.written=87
time="2019-11-29T18:03:26.187770058Z" level=error msg="invalid token: Unauthorized" go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=638fc003-1d4a-433c-950e-f9eb9d5328c4 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true" http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))"
time="2019-11-29T18:03:26.187818779Z" level=info msg=response go.version=go1.11.13 http.request.host=my-openshift-registry.com http.request.id=5486d94a-f756-401b-859d-0676e2a28465 http.request.method=GET http.request.remoteaddr=10.16.7.10 http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true" http.request.useragent="docker/19.03.5 go/go1.12.12 git-commit/633a0ea kernel/4.9.184-linuxkit os/linux arch/amd64 UpstreamClient(Docker-Client/19.03.5 \\(darwin\\))" http.response.contenttype=application/json http.response.duration=6.97799ms http.response.status=401 http.response.written=0

My oc client is

oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.0+b4261e0", GitCommit:"b4261e07ed", GitTreeState:"clean", BuildDate:"2019-07-06T03:16:01Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6+2e5ed54", GitCommit:"2e5ed54", GitTreeState:"clean", BuildDate:"2019-10-10T22:04:13Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}

My docker info is

docker info
Client:
Debug Mode: false

Server:
Containers: 7
Running: 0
Paused: 0
Stopped: 7
Images: 179
Server Version: 19.03.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: b34a5c8af56e510852c35414db4c1f4fa6172339
runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.9.184-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: x86_64
CPUs: 6
Total Memory: 5.818GiB
Name: docker-desktop
ID: JRNE:4IBW:MUMK:CGKT:SMWT:27MW:D6OO:YFE5:3KVX:AEWI:QC7M:IBN4
Docker Root Dir: /var/lib/docker
Debug Mode: true
File Descriptors: 29
Goroutines: 44
System Time: 2019-11-29T21:12:21.3565037Z
EventsListeners: 2
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine

I have already tried adding the registry-viewer role to kubeadmin, but this had no effect

oc policy add-role-to-user registry-viewer kubeadmin
oc policy add-role-to-user registry-viewer kube:admin

Any suggestions on what I could try or how to diagnose the problem further? I can access the registry from inside the cluster, but I need to access it from outside via docker login.

2 answers

姜钧
2023-03-14

To add the registry-viewer role, the command is

oc adm policy add-cluster-role-to-user registry-viewer kubeadmin

You can refer to their documentation on using the internal registry.

孟修竹
2023-03-14

Although it sounds silly, the problem was that $(oc whoami) evaluates to kube:admin rather than kubeadmin, and only the latter works. For example, to log in successfully I had to replace

docker login $(oc registry info) -u $(oc whoami) -p $(oc whoami -t)

with

docker login $(oc registry info) -u kubeadmin -p $(oc whoami -t)

The relevant role is registry-viewer; however, I believe the user kubeadmin is preconfigured with it

oc policy add-role-to-user registry-viewer kubeadmin
oc adm policy add-cluster-role-to-user registry-viewer kubeadmin
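A small diagnostic helper, added here as an example and not taken from the question or either answer: it pulls the account name the docker client actually sent out of the registry log line quoted in the question, applies the kube:admin to kubeadmin mapping the answer above describes, and builds the corrected login command. The function and variable names are my own, and the oc and docker calls inside registry_login are assumed to be available only when that function is actually invoked against a cluster.

```shell
#!/bin/sh
# Added example, not from the original question or answers. It assumes the
# image-registry log format shown in the question; `oc` and `docker` are
# only used by registry_login, which this script does not call.

# Extract the URL-encoded `account=` value from an image-registry log line
# for /openshift/token. This is the username the docker client really sent,
# whatever the shell expanded on the command line.
token_account() {
    printf '%s\n' "$1" |
        sed -n 's/.*http\.request\.uri="\/openshift\/token?[^"]*account=\([^&"]*\).*/\1/p' |
        sed 's/%3[Aa]/:/g'   # decode the colon, the only escape in this name
}

# Map the OAuth identity printed by `oc whoami` to the name the registry
# accepts: the answer observed that only `kubeadmin` works although
# `oc whoami` prints `kube:admin`. Other usernames pass through unchanged.
registry_user() {
    case "$1" in
        kube:admin) printf 'kubeadmin\n' ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# Build the docker login command line with the normalized username. Only the
# string is produced so it can be inspected before running it.
registry_login_cmd() {
    printf 'docker login %s -u %s -p <token from oc whoami -t>\n' \
        "$1" "$(registry_user "$2")"
}

# Log line copied from the question, used to show what the client sent.
SAMPLE_LOG='time="2019-11-29T18:03:26.187770058Z" level=error msg="invalid token: Unauthorized" http.request.method=GET http.request.uri="/openshift/token?account=kube%3Aadmin&client_id=docker&offline_token=true"'

# Real login helper (needs oc and docker on PATH); not executed here.
registry_login() {
    docker login "$(oc registry info)" \
        -u "$(registry_user "$(oc whoami)")" \
        -p "$(oc whoami -t)"
}

main() {
    sent=$(token_account "$SAMPLE_LOG")
    echo "account sent by docker client: $sent"
    echo "username to use instead:       $(registry_user "$sent")"
    registry_login_cmd my-openshift-registry.com "$sent"
}
main
```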