by Velucid ⏲ June 09, 2021
Following Along with OCI OKE (Oracle Kubernetes Engine)
Basic Environment Setup for Operating OCI OKE
Deploying an Application to OCI OKE
This post shows how to download a Docker image from the external Docker Hub, register it in a Repository in the OCI Registry, and then use it securely from an OKE Cluster inside OCI.
Download karthequian/helloworld, an official Docker image, and register it in the OCI Repository (helloworld).
Create and register the Auth Token (password) that Kubernetes uses to access the OCI Registry.
Create an OCI Repository named "helloworld".
Create the Repository
[opc@k8s-manager ~]$ sudo su -
# cd /etc/yum.repos.d/
# wget http://yum.oracle.com/public-yum-ol7.repo
# yum install docker-engine
# systemctl start docker
# systemctl enable docker
# systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-04-27 12:41:48 GMT; 22s ago
...
[opc@k8s-manager ~]$ sudo usermod -aG docker opc
[opc@k8s-manager ~]$ id
uid=1000(opc) gid=1000(opc) groups=1000(opc),4(adm),10(wheel),190(systemd-journal),992(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[opc@k8s-manager ~]$ docker pull karthequian/helloworld:latest
Trying to pull repository docker.io/karthequian/helloworld ...
latest: Pulling from docker.io/karthequian/helloworld
83ee3a23efb7: Pull complete
db98fc6f11f0: Pull complete
f611acd52c6c: Pull complete
ce6148ee5b27: Pull complete
f41d580b4c45: Pull complete
272afdecd73d: Pull complete
603e831d3bf2: Pull complete
4b3f00fe862f: Pull complete
1813c5daf2e4: Pull complete
4db7ca47ea28: Pull complete
37d652721feb: Pull complete
e9bce6aacaff: Pull complete
50da342c2533: Pull complete
Digest: sha256:48413fdddeae11e4732896e49b6d82979847955666ed95e4d6e57b433920c9e1
Status: Downloaded newer image for karthequian/helloworld:latest
karthequian/helloworld:latest
[opc@k8s-manager ~]$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
karthequian/helloworld latest a0d8db65e6fb 3 months ago 227MB
[opc@k8s-manager ~]$ docker image inspect karthequian/helloworld | grep -A 1 Layers | grep sha256
"sha256:9f32931c9d28f10104a8eb1330954ba90e76d92b02c5256521ba864feec14009",
[opc@k8s-manager ~]$
[opc@k8s-manager ~]$ sudo ls -l /var/lib/docker/image/overlay2/layerdb/sha256 | grep 4009
9f32931c9d28f10104a8eb1330954ba90e76d92b02c5256521ba864feec14009
Check the OCIR endpoint name for the Seoul region
Log in persistently to OCIR in the Seoul region
Username
Password : <OCI Auth Token>
[opc@k8s-manager ~]$ docker login icn.ocir.io
Username: <tenancy>/oracleidentitycloudservice/<username>
Password: ********
WARNING! Your password will be stored unencrypted in /home/opc/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[opc@k8s-manager ~]$
Create an image tag for OCIR
OCIR image name rule: <region>.ocir.io/<namespace>/<image name>:<tag>
$ docker tag karthequian/helloworld:latest icn.ocir.io/<tenancy>/helloworld:latest
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
karthequian/helloworld latest a0d8db65e6fb 3 months ago 227MB
icn.ocir.io/<tenancy>/helloworld latest a0d8db65e6fb 3 months ago 227MB
[opc@k8s-manager ~]$ docker push icn.ocir.io/<tenancy>/helloworld:latest
The push refers to repository [icn.ocir.io/<tenancy>/helloworld]
e790d2968402: Pushed
9988350afb63: Pushed
d178243a0617: Pushed
8865d8e83073: Pushed
63f60cac95f0: Pushed
6967353de304: Pushed
89c0daa71499: Pushed
2f60cf94f33d: Pushed
ebb24b834d91: Pushed
689fb57937fb: Pushed
02473afd360b: Pushed
dbf2c0f42a39: Pushed
9f32931c9d28: Pushed
latest: digest: sha256:48413fdddeae11e4732896e49b6d82979847955666ed95e4d6e57b433920c9e1 size: 3029
Note: In Docker Enterprise Edition, the contents of the Registry can also be checked through the docker CLI.
$ docker registry ls
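The pull and the push above report the same manifest digest. The following added example (not part of the original post) checks that and rewrites a Deployment `image:` line to reference that digest instead of the mutable `latest` tag; the function names `extract_digest`, `pinned_ref` and `pin_manifest` are hypothetical, and the log lines are constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example. Log lines are constructed from the pull/push output on this page.
PULL_LOG='Digest: sha256:48413fdddeae11e4732896e49b6d82979847955666ed95e4d6e57b433920c9e1'
PUSH_LOG='latest: digest: sha256:48413fdddeae11e4732896e49b6d82979847955666ed95e4d6e57b433920c9e1 size: 3029'
REPO='icn.ocir.io/<tenancy-namespace>/helloworld'   # placeholder kept from the page

# Print the first sha256:<64 hex chars> token found on stdin.
extract_digest() {
    grep -Eo 'sha256:[0-9a-f]{64}' | head -n 1
}

# pinned_ref REPO PULL_LOG PUSH_LOG
# Print REPO@DIGEST only if both logs report the same well-formed digest.
pinned_ref() {
    pulled=$(printf '%s\n' "$2" | extract_digest)
    pushed=$(printf '%s\n' "$3" | extract_digest)
    [ -n "$pulled" ] && [ "$pulled" = "$pushed" ] || return 1
    printf '%s@%s\n' "$1" "$pulled"
}

# pin_manifest REPO REF: rewrite "image: REPO:<tag>" on stdin to "image: REF".
# index() is a literal match, so dots and slashes in REPO are not treated as regex.
pin_manifest() {
    awk -v repo="$1" -v ref="$2" '{
        key = "image: " repo ":"
        i = index($0, key)
        if (i > 0) print substr($0, 1, i - 1) "image: " ref
        else print
    }'
}

# Demo on one constructed manifest line.
if ref=$(pinned_ref "$REPO" "$PULL_LOG" "$PUSH_LOG"); then
    printf '        image: %s:latest\n' "$REPO" | pin_manifest "$REPO" "$ref"
else
    echo 'digest mismatch between pull and push; do not deploy' >&2
fi
```

With a digest reference, the cluster pulls exactly the manifest that was mirrored, even if the `latest` tag in the repository is later overwritten.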
$ kubectl create secret docker-registry <secret-name> --docker-server=<region-key>.ocir.io --docker-username='<tenancy-namespace>/<oci-username>' --docker-password='<oci-auth-token>' --docker-email='<email-address>'
[opc@k8s-manager ~]$ kubectl create secret docker-registry ocir-icn-secret --docker-server=icn.ocir.io --docker-username='<tenancy>/oracleidentitycloudservice/velucid@acme.com' --docker-password='k]j64r{1sJSSF-;)K8' --docker-email='velucid@acme.com'
secret/ocir-icn-secret created
[opc@k8s-manager ~]$ kubectl get secrets
NAME TYPE DATA AGE
default-token-x9xxl kubernetes.io/service-account-token 3 11d
ocir-icn-secret kubernetes.io/dockerconfigjson 1 11m
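The command above passes the Auth Token as a command-line argument, which leaves it in shell history and the process list. As an added example (not part of the original post), the same `kubernetes.io/dockerconfigjson` secret can be built with the token read from stdin; the function names `dockerconfigjson` and `create_pull_secret` and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example. All values are constructed placeholders, not real credentials.

# dockerconfigjson SERVER USERNAME
# Read the auth token from stdin and print a .dockerconfigjson document.
# printf is a builtin in bash and dash, so the token is not passed in any argv.
dockerconfigjson() {
    server=$1
    user=$2
    IFS= read -r token || :            # tolerate a missing trailing newline
    [ -n "$token" ] || return 1        # refuse to build a secret from an empty token
    auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$server" "$auth"
    unset token auth
}

# create_pull_secret NAME SERVER USERNAME   (token on stdin)
# Writes the document to a private temp file, creates the secret, removes the file.
create_pull_secret() {
    tmp=$(mktemp) || return 1          # mktemp creates the file with mode 0600
    if dockerconfigjson "$2" "$3" > "$tmp"; then
        kubectl create secret generic "$1" \
            --type=kubernetes.io/dockerconfigjson \
            --from-file=.dockerconfigjson="$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Interactive use (token typed at a hidden prompt):
#   stty -echo; create_pull_secret ocir-icn-secret icn.ocir.io '<tenancy>/<username>'; stty echo

# Demo with a constructed token: shows the document shape only.
printf 'constructed-token\n' | dockerconfigjson icn.ocir.io 'ns/user'
```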
$ cat helloworld-deplyment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
spec:
  selector:
    matchLabels:
      app: helloworld
  replicas: 1
  template:
    metadata:
      labels:
        app: helloworld
    spec:
      containers:
      - name: helloworld
        image: icn.ocir.io/<tenancy-namespace>/helloworld:latest
        ports:
        - containerPort: 80
      imagePullSecrets:
      - name: ocir-icn-secret
$ kubectl create -f helloworld-deplyment.yaml
deployment.apps/helloworld created
$ kubectl get pod -l app=helloworld
NAME READY STATUS RESTARTS AGE
helloworld-85cfcf4757-qxz8b 1/1 Running 0 83s
$ kubectl exec -it helloworld-85cfcf4757-qxz8b -- bash
root@helloworld-85cfcf4757-qxz8b:/#
root@helloworld-85cfcf4757-qxz8b:/# apt-get update
root@helloworld-85cfcf4757-qxz8b:/# apt-get install curl
root@helloworld-85cfcf4757-qxz8b:/# curl http://localhost:80
<html>
<head>
...
<body onload="updateVisit(); updateClock(); setInterval('updateClock()', 1000 )">
...
<div class="jumbotron">
<h1>Hello</h1>
<p>Is it me you're looking for?</p>
</div>
...
</body>
</html>
root@helloworld-85cfcf4757-qxz8b:/#