-
在目標端(Quay)配置界面開啟鏡像同步功能
存成.tar.gz文件后記得在quay server上解開,並通過docker restart 將quay重啟生效。
-
啟動一個mirror-worker
docker run -d --name mirroring-worker \ -v /mnt/quay/config:/conf/stack quay.io/redhat/quay:v3.2.0 \ repomirror
-
配置robot賬戶
需要對目標端的鏡像庫開啟寫的權限。
-
在鏡像庫中Enable mirror
設置源端repository地址
sync now,並且觀察日志
這里遇到幾個坑。
- 無論是worker還是quay server在啟動的時候都需要去解析鏡像庫的地址,比如registry.redhat.ren和mirror.redhat.ren,容器啟動的時候會將宿主機/etc/resolv.conf里面的DNS設置作為DNS Server,所以必須在宿主機配置DNS Server,並且能夠解析兩邊的Server域名。
如果解析不到,錯誤信息如下
Getting image source signatures time="2020-01-26T08:11:56Z" level=fatal msg="Error trying to reuse blob sha256:a5a6f2f73cd8abbdc55d0df0d8834f7262713e87d6c8800ea3851f103025e0f0 at destination: pinging docker registry returned: Get http://registry.redhat.ren/v2/: dial tcp: lookup registry.redhat.ren on 192.168.56.107:53: server misbehaving
- skepeo在運行中的X509報錯
time="2020-01-26T08:03:37Z" level=fatal msg="pinging docker registry returned: Get https://mirror.redhat.ren/v2/: x509: certificate signed by unknown authority"
解決辦法
mkdir -p /mnt/quay/config/extra_ca_certs
cp /etc/docker/certs.d/registry.redhat.ren/ca.crt /mnt/quay/config/extra_ca_certs/
[root@registry config]# tree /mnt/quay/config /mnt/quay/config ├── config.yaml ├── extra_ca_certs │?? └── ca.crt ├── quay-config-mir-config.tar.gz ├── ssl.cert └── ssl.key
然后docker restart containerid 重新啟動worker就可以了。
同步完成
-
DNS配置
注意allow-query和listen-on address.
[root@registry config]# cat /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { 192.168.56.107; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "redhat.ren" IN { type master; file "redhat.ren"; }; zone "56.168.192.in-addr.arpa" IN { type master; file "192.168.56.db"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
[root@registry config]# cat /var/named/redhat.ren $TTL 1W @ IN SOA ns1.redhat.ren. root ( 2019052300 ; serial 3H ; refresh (3 hours) 30M ; retry (30 minutes) 2W ; expiry (2 weeks) 1W ) ; minimum (1 week) IN NS ns1.redhat.ren. IN MX 10 smtp.redhat.ren. ; ; ns1 IN A 192.168.56.107 smtp IN A 192.168.56.107 ; ; The api points to the IP of your load balancer registry IN A 192.168.56.107 mirror IN A 192.168.56.108 ; ;EOF
[root@registry config]# cat /var/named/192.168.56.db $TTL 1W @ IN SOA ns1.redhat.ren. root ( 2019052300 ; serial 3H ; refresh (3 hours) 30M ; retry (30 minutes) 2W ; expiry (2 weeks) 1W ) ; minimum (1 week) IN NS ns1.redhat.ren. ; ; syntax is "last octet" and the host must have fqdn with trailing dot 107 IN PTR registry.redhat.ren. 108 IN PTR mirror.redhat.ren. ; ; ;EOF