OpenShift

OpenShift 的 Image Registry、Image 和 ImageStream 概念

Posted Cola🌀
Container Image(容器镜像)

不用再解释了,就是容器镜像。以前叫Docker Image,现在叫Container Image更准确些,因为有了OCI容器规范后,容器不再是Docker一家的了。

ImageStream

ImageStream是OpenShift独有的一种对象,在Kubernetes中没有对应的对象。它主要目标是简化容积镜像管理,机制就是通过使用标签实现镜像指针。ImageStream包括一系列”标签指针“指向实际的容器,例如下图有latest、8和7版本的容器指针,它们分别指向了不同位置和版本的容器镜像。ImageStream本身并不保存镜像,而是只保存容器元数据和”标签指针“。

ImageStream记录OpenShift使用的Container Image的元数据,这些元数据包括:

  • ImageStreamTag: 指向Container Image的标签。
  • ImageStreamImage: 是ImageStreamTag实际指向的Image。
  • ImageStreamTrigger: 当ImageStreamImage发生变化后,通过ImageStreamTrigger可获取该事件。通常使用ImageStreamTrigger触发依赖变化Image的上层Image进行自动镜像更新。
Internal Registry和External Registry

OpenShift内部自带Image Registry用来保存两类Container Image。

  • Base Image:顾名思义,就是应用使用的基础镜像。Base Image里主要包括应用运行环境,一般不包括应用代码。例如Java应用的Base Image至少要包括JDK。
  • App Image:即将应用+Base Image打包的应用镜像。 OpenShift内部自带Image Registry和外部Image Registry的关系如下图。Base Image可以由OpenShift自动从External Registry上拉到Internal Registry,另外OpenShift会将构建好的App Image推送到Internal Registry。

操作篇

根据ImageStream的Image元数据自动拉取容器镜像

1.执行命令创建项目my-container-image。

$ oc new-project my-container-image

2.然后获取的容器元数据,并建立ImageStream。

#方法1:为dockerhub上的openshift/deployment-example:v1镜像打标签deployment-example:v1
$ oc tag docker.io/openshift/deployment-example:v1 deployment-example:v1

#方法2:导入外部Image的元数据到OOpenShift
$ oc import-image docker.io/openshift/deployment-example:v1 --confirm

3.在对外部镜像打标签后,OpenShift会自动获取Image元数据,并在OpenShift中通过ImageStream(简写 IS)记录这些Image的元数据信息。执行命令查看ImageStream信息,下面是包括tag为v1版容器镜像的ImageStream。

$ oc describe is deployment-example
Namespace:		my-container-image
Created:		9 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2019-12-06T06:23:26Z
Image Repository:	default-route-openshift-image-registry.apps-crc.testing/my-container-image/deployment-example
Image Lookup:		local=false
Unique Images:		1
Tags:			1
v1
  tagged from docker.io/openshift/deployment-example:v1
  *docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b

4.运行以下命令,查看ImageStream的tag列表。

$ oc get istag
NAME                    IMAGE REF                                                                                                        UPDATED
deployment-example:v1   docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b   12 minutes ago

5.查看上面istag指向Image的详细信息,其中包括分层文件。

$ oc get istag
NAME                    IMAGE REF                                                                                                        UPDATED
deployment-example:v1   docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b   12 minutes ago
[dawnsky@rhel76 crc]$ oc describe istag deployment-example:v1
Image Name:	sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
Docker Image:	docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
Name:		sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
Created:	14 minutes ago
Annotations:	image.openshift.io/dockerLayersOrder=ascending
Image Size:	5.77MB in 6 layers
Layers:		0B	sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
		5.77MB	sha256:50438f3701c47319ff1c8189ff19f5a8c779f2479aa2066979b930c7dbb3bde8
		0B	sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
		0B	sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
		0B	sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
		0B	sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Image Created:	4 years ago
Author:		Clayton Coleman <ccoleman@redhat.com>
Arch:		amd64
Entrypoint:	/deployment v1
Working Dir:	<none>
User:		<none>
Exposes Ports:	8080/tcp
Docker Labels:	<none>
Environment:	COLOR=#006e9c

6.基于ImageStream的v1指向的Image创建应用。最后访问应用,可以看到页面返回的v1版的应用。

$ oc new-app my-container-image/deployment-example:v1
$ oc expose svc deployment-example
$ curl $(oc get route deployment-example -o template --template '{{.spec.host}}') | grep h1

7.执行命令查看events事件,可以看到有3项,其中名为deployment-example的Image是在第一次部署应用的时候才从网上pulled到OpenShift本地的Internal Registry。

$ oc get events | grep Pull
15m         Normal   Pulled              pod/deployment-example-1-deploy              Container image "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9ac5a8dceed67e3c3e1c018dc581bf5f03d77a20a2f1ca1bf00c32b5e75b19f6" already present on machine
14m         Normal   Pulling             pod/deployment-example-1-djw48               Pulling image "openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b"
14m         Normal   Pulled              pod/deployment-example-1-djw48               Successfully pulled im

增加标签

1.在ImageStream中增加“latest”的标签,并让它指向v1版的Image。此时可以看到v1和latest指向的同一个Image。

$ oc tag docker.io/openshift/deployment-example:v1 deployment-example:latest
$ oc get istag
NAME                        IMAGE REF                                                                                                        UPDATED
deployment-example:latest   docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b   8 seconds ago
deployment-example:v1       docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b   19 minutes ago

2.设置ImageStream的latest标签指向v2版的Image。然后通过查看ImageStream信息,其中记录了每个tag指向的历史Image。可以看到当前latest指向v2的Image,不过以前指向的是v1的Image。

$ oc tag docker.io/openshift/deployment-example:v2 deployment-example:latest
$ oc describe is deployment-example
Name:			deployment-example
Namespace:		my-container-image
Created:		26 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2019-12-06T07:50:11Z
Image Repository:	default-route-openshift-image-registry.apps-crc.testing/my-container-image/deployment-example
Image Lookup:		local=false
Unique Images:		2
Tags:			2

latest
  tagged from docker.io/openshift/deployment-example:v2

  * docker.io/openshift/deployment-example@sha256:1318f08b141aa6a4cdca8c09fe8754b6c9f7802f8fc24e4e39ebf93e9d58472b
      4 minutes ago
    docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
      7 minutes ago

v1
  tagged from docker.io/openshift/deployment-example:v1

  * docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
      26 minutes ago

删除并恢复标签

1.删除ImageStream中v1的tag。然后再查看ImageStream,确认已经没有单独的v1版tag的信息了。但是还可通过latest的历史查到v1版tag指向的ImageStreamImage。

$ oc tag -d deployment-example:v1
$ oc describe is deployment-example
Name:			deployment-example
Namespace:		my-container-image
Created:		45 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2019-12-06T07:50:11Z
Image Repository:	default-route-openshift-image-registry.apps-crc.testing/my-container-image/deployment-example
Image Lookup:		local=false
Unique Images:		2
Tags:			1
latest
  tagged from docker.io/openshift/deployment-example:v2

  * docker.io/openshift/deployment-example@sha256:1318f08b141aa6a4cdca8c09fe8754b6c9f7802f8fc24e4e39ebf93e9d58472b
      23 minutes ago
    docker.io/openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b
      25 minutes ago

2.从历史的ImageStreamImage恢复istag。

$ oc tag --source=docker openshift/deployment-example@sha256:c505b916f7e5143a356ff961f2c21aee40fbd2cd906c1e3feeb8d5e978da284b deployment-example:v1
$ oc get istag

其它镜像操作

  1. 参考《OpenShift 4 之通过直接访问内部的 Image Registry 操作容器镜像》,实现对Internal Registry的直接操作。
  2. 查看所有ImageStreamImage(即ImageStream包括的每个以版本的Image)的镜像大小。
$ oc adm top images

3.查看所有ImageStream的大小(包括了每个ImageStream中所有ImageStreamImage)。

oc adm top imagestreams