Quay Image Mirroring Configuration in Practice


  • Enable the mirroring feature in the target-side (Quay) configuration UI

 

 After saving the configuration as a .tar.gz file, remember to unpack it on the Quay server and restart Quay with docker restart so the change takes effect.

  • Start a mirror worker

docker run -d --name mirroring-worker \
  -v /mnt/quay/config:/conf/stack quay.io/redhat/quay:v3.2.0 \
  repomirror

 

  • Configure a robot account

 

 The robot account needs write permission on the target-side repository.

 

  • Enable mirroring on the repository

 

 Set the source repository address

 

 Click Sync Now and watch the logs

 

 

A few pitfalls were encountered along the way.

  • Both the worker and the Quay server need to resolve the registry hostnames at startup, for example registry.redhat.ren and mirror.redhat.ren. When a container starts, it takes the DNS settings from the host's /etc/resolv.conf as its DNS server, so a DNS server must be configured on the host, and it must be able to resolve the server domain names on both sides.

If resolution fails, the error looks like this:

Getting image source signatures
time="2020-01-26T08:11:56Z" level=fatal msg="Error trying to reuse blob sha256:a5a6f2f73cd8abbdc55d0df0d8834f7262713e87d6c8800ea3851f103025e0f0 at destination: pinging docker registry returned: Get http://registry.redhat.ren/v2/: dial tcp: lookup registry.redhat.ren on 192.168.56.107:53: server misbehaving

 

  • x509 error from skopeo while running
time="2020-01-26T08:03:37Z" level=fatal msg="pinging docker registry returned: Get https://mirror.redhat.ren/v2/: x509: certificate signed by unknown authority" 

Fix:

mkdir -p /mnt/quay/config/extra_ca_certs
cp /etc/docker/certs.d/registry.redhat.ren/ca.crt /mnt/quay/config/extra_ca_certs/
[root@registry config]# tree /mnt/quay/config
/mnt/quay/config
├── config.yaml
├── extra_ca_certs
│   └── ca.crt
├── quay-config-mir-config.tar.gz
├── ssl.cert
└── ssl.key

Then restart the worker with docker restart containerid and it works.

Sync completed

 

  • DNS configuration

Note allow-query and the listen-on address.

[root@registry config]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 192.168.56.107; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "redhat.ren" IN {
    type master;
    file    "redhat.ren";
};

zone "56.168.192.in-addr.arpa" IN {
    type    master;
    file    "192.168.56.db";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

[root@registry config]# cat /var/named/redhat.ren 
$TTL 1W
@    IN    SOA    ns1.redhat.ren.    root (
            2019052300    ; serial
            3H        ; refresh (3 hours)
            30M        ; retry (30 minutes)
            2W        ; expiry (2 weeks)
            1W )        ; minimum (1 week)
    IN    NS    ns1.redhat.ren.
    IN    MX 10    smtp.redhat.ren.
;
; 
ns1    IN    A    192.168.56.107
smtp    IN    A    192.168.56.107
;
; The api points to the IP of your load balancer
registry    IN    A    192.168.56.107
mirror    IN    A    192.168.56.108
;
;EOF

 

[root@registry config]# cat /var/named/192.168.56.db 
$TTL 1W
@    IN    SOA    ns1.redhat.ren.    root (
            2019052300    ; serial
            3H        ; refresh (3 hours)
            30M        ; retry (30 minutes)
            2W        ; expiry (2 weeks)
            1W )        ; minimum (1 week)
    IN    NS    ns1.redhat.ren.
;
; syntax is "last octet" and the host must have fqdn with trailing dot
107    IN    PTR    registry.redhat.ren.
108    IN    PTR    mirror.redhat.ren.
; 
;
;EOF
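As an added example (not part of the original post), a small Python pre-flight check that covers the DNS and x509 pitfalls above before the mirror worker is started: it confirms that the host's resolv.conf lists the BIND server the containers will inherit, that the zone file carries A records for both registry hostnames, and that a CA certificate is present under extra_ca_certs. The zone and resolv.conf snippets are constructed from the post's values, and the scratch directory stands in for /mnt/quay/config.

```python
import os
import re
import tempfile

# Constructed sample inputs, shaped like the zone file and resolv.conf in the post.
SAMPLE_ZONE = """$TTL 1W
ns1    IN    A    192.168.56.107
registry    IN    A    192.168.56.107   ; target Quay
mirror    IN    A    192.168.56.108     ; source registry
"""
SAMPLE_RESOLV = "search redhat.ren\nnameserver 192.168.56.107\n"

def zone_a_records(zone_text):
    """Map hostname -> IPv4 for every A record in a BIND zone file."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        m = re.match(r"^(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$", line)
        if m:
            records[m.group(1)] = m.group(2)
    return records

def resolv_nameservers(resolv_text):
    """List the nameserver IPs a container will inherit from the host."""
    return [parts[1] for parts in (l.split() for l in resolv_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def preflight(zone_text, resolv_text, config_dir, hosts, dns_ip):
    """Return a list of problems; an empty list means the worker can be started."""
    problems = []
    if dns_ip not in resolv_nameservers(resolv_text):
        problems.append(f"resolv.conf does not list DNS server {dns_ip}")
    a_records = zone_a_records(zone_text)
    for host in hosts:
        if host not in a_records:
            problems.append(f"zone has no A record for {host}")
    ca_dir = os.path.join(config_dir, "extra_ca_certs")
    certs = os.listdir(ca_dir) if os.path.isdir(ca_dir) else []
    if not any(f.endswith(".crt") for f in certs):
        problems.append(f"no CA certificate (*.crt) in {ca_dir}")
    return problems

def demo(with_ca=True, resolv_text=SAMPLE_RESOLV):
    """Run the checks against a scratch directory laid out like /mnt/quay/config."""
    with tempfile.TemporaryDirectory() as config_dir:
        if with_ca:
            os.makedirs(os.path.join(config_dir, "extra_ca_certs"))
            with open(os.path.join(config_dir, "extra_ca_certs", "ca.crt"), "w") as f:
                f.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n")
        return preflight(SAMPLE_ZONE, resolv_text, config_dir,
                         ["registry", "mirror"], "192.168.56.107")
```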

 

