I am running OpenShift 3.11 and following the instructions in this document: https://docs.openshift.com/container-platform/3.11/install_config/registry/accessing_registry.html

However, whenever I run the following command, I see an error:

docker push 172.30.<num>.<num>:5000/project/image
received unexpected HTTP status: 500 Internal Server Error

I also checked the output of the registry logs:

oc logs dc/docker-registry

It spits out a huge amount of output, but this is what caught my attention:

imagestreams.image.openshift.io <> is forbidden: User \"system:serviceaccount:registry\" cannot get imagestreams.image.openshift.io in the namespace \"<>\": no RBAC policy matched"

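So I am confused about why I am getting this permission problem. According to the documentation, it should work and should not need an image stream; I should be able to push a docker image directly to the registry. Does anyone know what I am missing here?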

Edit:

Here is the complete list of commands for the whole setup:

oc cluster up <params>
Created a new project as a test setup and that works.
htpasswd -c /etc/origin/openshift-htpasswd <username> (I use the same <username> by using which I created the project above.)
oc login -u <username> -p <password>
oc policy add-role-to-user registry-editor <username>
oc adm registry
oc get svc/docker-registry (make note of cluster ip and port)
Modify or create /etc/docker/daemon.json
{
    "insecure-registries" : [ "cluster ip:port" ]
}
systemctl restart docker
Restart cluster and login again using <username>
docker login -u nouser -p $(oc whoami -t) cluster ip:port
docker push cluster ip:port/project/image
This is where I see 500 internal server error.

Cluster ip has the format of 172.30.<num>.<num>:5000

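Edit 2: When I create the registry with the following command, I get some errors saying that it already exists, even though I deleted it beforehand: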

oc adm registry (for creating registry)
oc delete dc/docker-registry svc/docker-registry (for deleting registry)

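I did delete them, because I repeated these steps several times to find the cause of this problem. Does this output look problematic to you?

Edit 3: More information from the error message: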

findBlobStore: unable to access imagestream myproject/busybox: ImageStream:Forbidden: Exists: unable to get imagestream myproject/busybox: ImageStreamGetter:Forbidden: myproject/busybox: imagestreams.image.openshift.io \"busybox\" is forbidden: User \"system:serviceaccount:myproject:registry\" cannot get imagestreams.image.openshift.io in the namespace \"myproject\": no RBAC policy matched"

1 Answer

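Did you log in to the internal docker-registry with the correct account before docker push? This account should have permission to push or create images in the target project you specified, "172.30.<num>.<num>:5000/project/image".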

$ oc login -u username -p password
$ oc whoami -t
...TOKEN...

$ docker login -u unused -p ...TOKEN... 172.30.<num>.<num>:5000
$ docker push 172.30.<num>.<num>:5000/project/image:tag

I hope it helps you.

answered 2020-02-29T04:53:31.757
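
As an added example (not part of the question or the answer above): a small script that pulls the denied identity, verb, resource and namespace out of a registry log line like the one in Edit 3, and prints the read-only `oc` queries that test that exact permission. The sample line is constructed from the message quoted in the question, the function names are hypothetical, and running the printed `oc auth can-i --as=...` query assumes you are logged in as a user who is allowed to impersonate.

```shell
#!/bin/sh
# Constructed sample: the RBAC denial quoted in Edit 3 of the question.
SAMPLE_LOG='ImageStreamGetter:Forbidden: myproject/busybox: imagestreams.image.openshift.io \"busybox\" is forbidden: User \"system:serviceaccount:myproject:registry\" cannot get imagestreams.image.openshift.io in the namespace \"myproject\": no RBAC policy matched"'

# Print "user verb resource namespace" for an RBAC denial line, or return 1.
# Registry logs escape quotes as \", so backslashes are dropped before matching.
parse_denial() {
    parsed=$(printf '%s\n' "$1" | tr -d '\\' | sed -n -E \
        's/.*User "([^" ]+)" cannot ([a-z]+) ([a-z.]+) in the namespace "([^" ]+)".*/\1 \2 \3 \4/p')
    [ -n "$parsed" ] || return 1
    printf '%s\n' "$parsed"
}

# Print (do not run) the oc queries that check the permission named in the denial.
check_commands() {
    fields=$(parse_denial "$1") || { echo "no RBAC denial in input" >&2; return 1; }
    read -r user verb resource ns <<EOF
$fields
EOF
    case $user in
        system:serviceaccount:*) echo "# denied identity is a service account" ;;
        *) echo "# denied identity is a user" ;;
    esac
    # Does this identity hold the permission the registry needed?
    echo "oc auth can-i $verb $resource --as=$user -n $ns"
    # Which identities do hold it in that namespace?
    echo "oc policy who-can $verb $resource -n $ns"
}

check_commands "$SAMPLE_LOG"
```

The denial names the identity the registry pod itself runs as, so the queries are built from that identity rather than from the account used for `docker login`.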