This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.
Chapter 5. Accessing the registry
Use the following sections for instructions on accessing the registry, including viewing logs and metrics, as well as securing and exposing the registry.
You can access the registry directly to invoke podman commands. This allows you to push images to or pull them from the integrated registry directly using operations like podman push or podman pull. To do so, you must be logged in to the registry using the oc login command. The operations you can perform depend on your user permissions, as described in the following sections.
5.1. Prerequisites
- You must have configured an identity provider (IDP).
- For pulling images, for example when using the podman pull command, the user must have the registry-viewer role. To add this role:
    $ oc policy add-role-to-user registry-viewer <user_name>
- For writing or pushing images, for example when using the podman push command, the user must have the registry-editor role. To add this role:
    $ oc policy add-role-to-user registry-editor <user_name>
5.2. Accessing registry directly from the cluster
You can access the registry from inside the cluster.
Procedure
Access the registry from the cluster by using internal routes:
- Access the node by getting the node’s address:
    $ oc get nodes
    $ oc debug nodes/<node_address>
- To enable access to tools such as oc and podman on the node, run the following command:
    sh-4.2# chroot /host
- Log in to the container image registry by using your access token:
    sh-4.2# oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443
    sh-4.2# podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
  You should see a message confirming login, such as:
    Login Succeeded!
  Note: You can pass any value for the user name; the token contains all necessary information. Passing a user name that contains colons will result in a login failure.
  Since the Image Registry Operator creates the route, it will likely be similar to default-route-openshift-image-registry.<cluster_name>.
- Perform podman pull and podman push operations against your registry:
  Important: You can pull arbitrary images, but if you have the system:registry role added, you can only push images to the registry in your project.
  In the following examples, use:
    Component      Value
    <registry_ip>  172.30.124.220
    <port>         5000
    <project>      openshift
    <image>        image
    <tag>          omitted (defaults to latest)
- Pull an arbitrary image:
    $ podman pull name.io/image
- Tag the new image with the form <registry_ip>:<port>/<project>/<image>. The project name must appear in this pull specification for OpenShift Container Platform to correctly place and later access the image in the registry:
    $ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
  Note: You must have the system:image-builder role for the specified project, which allows the user to write or push an image. Otherwise, the podman push in the next step will fail. To test, you can create a new project to push the image.
- Push the newly tagged image to your registry:
    $ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
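The login, tag and push steps above collected into one script, as an added example that is not part of the original documentation. The function names are hypothetical, and --password-stdin is a podman login option the page does not use; it is chosen here so the token is fed on stdin instead of being passed with -p.

```sh
#!/bin/sh
# Added example (not from the product documentation): section 5.2's
# login, tag and push steps as reusable functions. Function names are
# hypothetical; the registry address is the one used on this page.
set -eu

REGISTRY="image-registry.openshift-image-registry.svc:5000"

# The Note above: a user name containing a colon makes the login fail.
check_user() {
  case "$1" in
    ''|*:*) echo "invalid registry user name: '$1'" >&2; return 1 ;;
  esac
}

# Build <registry>:<port>/<project>/<image>; the project is mandatory.
target_spec() {
  case "$1" in
    ''|*/*) echo "project must be one non-empty path segment" >&2; return 1 ;;
  esac
  case "$2" in
    ''|*/*) echo "image must be a bare name, optionally with :tag" >&2; return 1 ;;
  esac
  printf '%s/%s/%s\n' "$REGISTRY" "$1" "$2"
}

# Log in with the current session token. The token is written to podman's
# stdin by the shell's printf builtin, so it is not placed in any
# process argument list as it is with -p "$(oc whoami -t)".
registry_login() {
  check_user "$1" || return 1
  _token="$(oc whoami -t)" || return 1
  printf '%s' "$_token" | podman login -u "$1" --password-stdin "$REGISTRY"
}

# Tag <source_image> into <project>/<image> on the registry and push it.
push_image() {
  _target="$(target_spec "$2" "$3")" || return 1
  podman tag "$1" "$_target" || return 1
  podman push "$_target"
}

# Usage: ./registry-push.sh <user> <source_image> <project> <image>
if [ "$#" -eq 4 ]; then
  registry_login "$1"
  push_image "$2" "$3" "$4"
fi
```

Run it from the same chroot /host shell after oc login, so that oc whoami -t returns the session token.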
 
5.3. Checking the status of the registry pods
As a cluster administrator, you can list the image registry pods running in the openshift-image-registry project and check their status.
Prerequisites
- You have access to the cluster as a user with the cluster-admin role.
- You have installed the OpenShift CLI (oc).
Procedure
- List the pods in the openshift-image-registry project and view their status:
    $ oc get pods -n openshift-image-registry
5.4. Viewing registry logs
You can view the logs for the registry by using the oc logs command.
Procedure
- Use the oc logs command with deployments to view the logs for the container image registry:
    $ oc logs deployments/image-registry -n openshift-image-registry
  Example output
    2015-05-01T19:48:36.300593110Z time="2015-05-01T19:48:36Z" level=info msg="version=v2.0.0+unknown"
    2015-05-01T19:48:36.303294724Z time="2015-05-01T19:48:36Z" level=info msg="redis not configured" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
    2015-05-01T19:48:36.303422845Z time="2015-05-01T19:48:36Z" level=info msg="using inmemory layerinfo cache" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
    2015-05-01T19:48:36.303433991Z time="2015-05-01T19:48:36Z" level=info msg="Using OpenShift Auth handler"
    2015-05-01T19:48:36.303439084Z time="2015-05-01T19:48:36Z" level=info msg="listening on :5000" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
5.5. Accessing registry metrics
The OpenShift Container Registry provides an endpoint for Prometheus metrics. Prometheus is a stand-alone, open source systems monitoring and alerting toolkit.
The metrics are exposed at the /extensions/v2/metrics path of the registry endpoint.
Procedure
There are two ways in which you can access the metrics: running a metrics query or using the cluster role.
Metrics query
- Run a metrics query, for example:
    $ curl --insecure -s -u <user>:<secret> \
        https://image-registry.openshift-image-registry.svc:5000/extensions/v2/metrics | grep imageregistry | head -n 20
  <user> can be arbitrary, but <secret> must match the value specified in the registry configuration.
 
Cluster role
- Create a cluster role if you do not already have one to access the metrics:
- To add this role to a user, run the following command:
    $ oc adm policy add-cluster-role-to-user prometheus-scraper <username>
- Access the metrics using cluster role. The part of the configuration file responsible for metrics should look like this:
    openshift:
      version: 1.0
      metrics:
        enabled: true
    ...
5.6. Additional resources
- For more information on allowing pods in a project to reference images in another project, see Allowing pods to reference images across projects.
- A kubeadmin can access the registry until deleted. See Removing the kubeadmin user for more information.
- For more information on configuring an identity provider, see Understanding identity provider configuration.