Getting Started with Containers (4) - skopeo

    Technology, 2022-07-16

    "OpenShift 4.x HOL Tutorial Collection"

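    Contents

    Working with a standalone Docker Registry
        Inspecting image information on a registry
        Copying an image between two registries
    Working with the OpenShift internal registry
        Allowing external access to the OpenShift internal registry
        Using skopeo with the OpenShift internal registry
        Inspecting image information in the OpenShift internal registry
        Copying an image to the OpenShift internal registry
    References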

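    Note: This article uses a local container registry, so before starting it is recommended to complete "Getting Started with Containers (1) - Installing and Using a Docker Registry".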

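    Skopeo is a tool for working with images on a registry. Its main functions are inspecting image information on a registry, copying images between registries or between a registry and local storage, and deleting images from a registry.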

    Working with a standalone Docker Registry

    Inspecting image information on a registry

    $ skopeo inspect docker://${REGISTRY_DOMAIN}:5000/busybox:latest
    {
        "Name": "registry.domain.com:5000/busybox",
        "Digest": "sha256:a6b9238ceed3894db3327cfe00672971b799ed6ade8dce3637c6dce007863fec",
        "RepoTags": [
            "latest"
        ],
        "Created": "2020-06-29T20:21:41.42102751Z",
        "DockerVersion": "18.09.7",
        "Labels": null,
        "Architecture": "amd64",
        "Os": "linux",
        "Layers": [
            "sha256:74f990a74a8f68958f7ad85ecb9cd091670a0cc4b8560f7ac0712d057052cf84"
        ],
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ]
    }

    $ skopeo inspect docker://quay.io/buildah/stable
    {
        "Name": "quay.io/buildah/stable",
        "Digest": "sha256:a742091c1297f02d4130d74c2828e7a494cde37f756d5c1244cf7afe1c0994f3",
        "RepoTags": [
            "v1.9.0",
            "v1.9.1",
            "v1.9.2",
            "v1.10.1",
            "v1.11.2",
            "v1.11.1",
            "v1.11.0",
            "v1.11.3",
            "v1.11.4",
            "v1.11.6",
            "v1.12.0",
            "auto",
            "v1.14.0",
            "v1.14.3",
            "v1.14.8",
            "master",
            "latest"
        ],
        "Created": "2020-07-02T14:26:28.466661245Z",
        "DockerVersion": "18.02.0-ce",
        "Labels": {
            "license": "MIT",
            "name": "fedora",
            "vendor": "Fedora Project",
            "version": "32"
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Layers": [
            "sha256:03c837e31708e15035b6c6f9a7a4b78b64f6bc10e6daec01684c077655becf95",
            "sha256:a5b63bb008e83e62d4cedf329c2a790a325ff6482c8b0547ddccdf17487f50c6",
            "sha256:369a1989bb0cf5707b1a856680573c8778b96dcb3e4d21bbfb2995af6b485e1e",
            "sha256:1b9ca1b83456cc585de4bacf62e9199357d0437efa5d01671543653a701ccd88",
            "sha256:756a6ab6d2f5b8b08e5dee6d585c165de8ba3b1084ac329929da8ad44b590988"
        ],
        "Env": [
            "DISTTAG=f32container",
            "FGC=f32",
            "container=oci",
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "BUILDAH_ISOLATION=chroot"
        ]
    }

    Copying an image between two registries

    $ skopeo copy docker://quay.io/buildah/stable docker://${REGISTRY_DOMAIN}:5000/buildah
    Getting image source signatures
    Copying blob 369a1989bb0c done
    Copying blob a5b63bb008e8 done
    Copying blob 756a6ab6d2f5 done
    Copying blob 03c837e31708 done
    Copying blob 1b9ca1b83456 done
    Copying config 5ab6da8e5b done
    Writing manifest to image destination
    Storing signatures

    $ curl -u user1:password1 https://${REGISTRY_DOMAIN}:5000/v2/_catalog
    {"repositories":["buildah","busybox"]}

    Working with the OpenShift internal registry

    Allowing external access to the OpenShift internal registry

    Enable access to the internal image registry through OpenShift's default route.

    $ oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
    $ REGISTRY_DOMAIN=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')

    Using skopeo with the OpenShift internal registry

    Inspecting image information in the OpenShift internal registry

    Create a service account named skopeo in the default project and obtain its token.

    $ oc create serviceaccount skopeo -n default
    $ TOKEN=$(oc get secrets -n default -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="skopeo")]}{.metadata.annotations.openshift\.io/token-secret\.value}{end}')

    Inspect the built-in openshift/nodejs image.

    $ skopeo inspect --creds="skopeo:${TOKEN}" --tls-verify=false docker://${REGISTRY_DOMAIN}/openshift/nodejs
    {
        "Name": "default-route-openshift-image-registry.apps.cluster-beijing-959a.beijing-959a.example.opentlc.com/openshift/nodejs",
        "Digest": "sha256:aefd611dcbd4a3fce3ebc5e021092ed793a341d4940be63b51a8a94ce2670dd9",
        "RepoTags": [
            "12",
            "latest",
            "10"
        ],
        "Created": "2020-07-13T11:13:38.827037Z",
        "DockerVersion": "1.13.1",
        "Labels": {
            "architecture": "x86_64",
            "build-date": "2020-07-13T11:11:59.320502",
            "com.redhat.build-host": "cpt-1004.osbs.prod.upshift.rdu2.redhat.com",
            "com.redhat.component": "rh-nodejs12-container",
            "com.redhat.deployments-dir": "/opt/app-root/src",
            "com.redhat.dev-mode": "DEV_MODE:false",
            "com.redhat.dev-mode.port": "DEBUG_PORT:5858",
            "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
            "description": "Node.js 12 available as container is a base platform for building and running various Node.js 12 applications and frameworks. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.",
    ...

    Copying an image to the OpenShift internal registry

    1. Method 1: Using the administrator user

    $ skopeo copy --dest-creds=$(oc whoami):$(oc whoami -t) --dest-tls-verify=false docker://docker.io/openshift/hello-openshift docker://$REGISTRY_DOMAIN/my-images/hello-openshift
    Getting image source signatures
    Copying blob 8b32988996c5 skipped: already exists
    Copying blob 4f4fb700ef54 skipped: already exists
    Copying config 7af3297a3f done
    Writing manifest to image destination
    Storing signatures

    2. Method 2: Using a ServiceAccount (currently has a problem; did not succeed)

    $ oc new-project my-images
    $ oc create serviceaccount skopeo
    $ TOKEN=$(oc get secrets -o jsonpath='{range .items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="skopeo")]}{.metadata.annotations.openshift\.io/token-secret\.value}{end}')
    # Note: the service account above is created in my-images, but the subject below names the admin namespace.
    $ oc adm policy add-role-to-user system:image-builder -n my-images system:serviceaccount:admin:skopeo
    $ skopeo copy --dest-creds=skopeo:$TOKEN --dest-tls-verify=false docker://docker.io/openshift/hello-openshift docker://$REGISTRY_DOMAIN/my-images/hello-openshift
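
    The copies above pass --dest-tls-verify=false, put the token on the command line and copy by tag. The following added example (not part of the original article) does the same copy with certificate verification on, pinned to the source digest, and compares the destination digest afterwards. The names mirror_pinned, resolve_digest and pin_ref, the CA directory, the auth file (written beforehand by skopeo login --authfile) and a public single-architecture source image are assumptions.

```bash
#!/usr/bin/env bash
# Added example; mirror_pinned and its arguments are illustrative names.
# Assumptions: cert_dir contains the CA certificate (*.crt) that signed the
# registry route's certificate, authfile was written by `skopeo login --authfile`,
# and the source is a public single-architecture image.

# Print the manifest digest a reference resolves to right now.
# Extra arguments are passed through to `skopeo inspect`.
resolve_digest() {
  local ref="$1"; shift
  skopeo inspect "$@" --format '{{.Digest}}' "$ref"
}

# Swap a trailing :tag or @digest for @<digest>; a registry port is left alone
# because only the last path component is edited.
pin_ref() {
  local base="${1%/*}" name="${1##*/}"
  name="${name%%@*}"; name="${name%%:*}"
  printf '%s/%s@%s\n' "$base" "$name" "$2"
}

# Copy src to dst by digest with TLS verification on, then confirm that dst
# resolves to the same digest. Prints the digest on success.
mirror_pinned() {
  local src="$1" dst="$2" cert_dir="$3" authfile="$4" want got
  want=$(resolve_digest "$src") || return 1
  case "${want#sha256:}" in
    "$want" | *[!0-9a-f]*) echo "unexpected digest: $want" >&2; return 1 ;;
  esac
  skopeo copy --preserve-digests \
    --dest-cert-dir "$cert_dir" --dest-authfile "$authfile" \
    "$(pin_ref "$src" "$want")" "$dst" || return 1
  got=$(resolve_digest "$dst" --cert-dir "$cert_dir" --authfile "$authfile") || return 1
  if [ "$got" != "$want" ]; then
    echo "digest mismatch: source $want, destination $got" >&2
    return 1
  fi
  echo "$want"
}
```

    Usage: mirror_pinned docker://docker.io/openshift/hello-openshift docker://$REGISTRY_DOMAIN/my-images/hello-openshift <ca-dir> <authfile>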

    References

    1. https://github.com/nmasse-itix/OpenShift-Examples/blob/master/Using-Skopeo/README.md
