2
votes

We are setting up a test cloud with OpenShift Origin, which we created using the openshift ansible playbook. We are following the documentation at: https://docs.openshift.com/container-platform/latest/install_config/install/advanced_install.html
We have not done anything special concerning the OpenShift registry or router. We are pretty new to this topic and have been trying for a few days to make the OpenShift registry accessible...

We have 3 hosts:

  • master (unschedulable)
  • node-1 which is set to the region 'infra' and has the registry and router services
  • node-2 (other region).

Here are the services running in the default project:

NAME               CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
docker-registry    172.30.78.66     <none>        5000/TCP                  3h
kubernetes         172.30.0.1       <none>        443/TCP,53/UDP,53/TCP     3h
registry-console   172.30.190.63    <none>        9000/TCP                  3h
router             172.30.197.135   <none>        80/TCP,443/TCP,1936/TCP   3h

When we SSH directly into node-1, where the registry and router are running, we can access the registry without problems and we can push some images, exactly as described here: docs.openshift.org/latest/install_config/registry/accessing_registry.html

Now we cannot access the registry from other hosts (master or node-2) and we really do not understand how we can make the registry accessible... We have of course read: docs.openshift.org/latest/install_config/registry/securing_and_exposing_registry.html#access-insecure-registry-by-exposing-route

We have used this command:

oc expose service docker-registry --hostname=<hostname> -n default

The documentation says: You must be able to resolve this name externally via DNS to the router’s IP address.

As the router does not have any EXTERNAL-IP address attached to it, we do not understand how to reach it.

Is there any oc or oadm command for exposing the router through an external-ip address?

Thanks a lot in advance

Emmanuel

1
1. What URL are you using when you try to access the registry from master and node-2? 2. The router takes over node-1's IP address, so your DNS entries should resolve to node-1. - Grega Bremec
Hi @Grega Bremec, I use the docker-registry CLUSTER-IP 172.30.78.66. When I try to log in from the master, for example, I get: Error response from daemon: Get 172.30.78.66:5000/v1/users: dial tcp 172.30.78.66:5000: getsockopt: no route to host - user7261496
What distribution is this? Can you double-verify that firewalld is stopped and disabled? This sounds like something was messing with iptables. - Grega Bremec
We are on CentOS 7.3 / oc v3.6.0+c4dd4cf / kubernetes v1.6.1+5115d708d7 / features: Basic-Auth GSSAPI Kerberos SPNEGO / openshift v3.6.0+c4dd4cf / No firewalld running. I will check the iptables later on and let you know. Thanks very much for your help ;) - user7261496
What is the output of "systemctl is-enabled firewalld" on all nodes (master, node-1 and node-2)? - Grega Bremec

1 Answer

0
votes

Based on your stated configuration, I would expect the path to your UI/API for OpenShift (openshift.yourdomain.com) to be routed to the same IP as your node-1, because that is where you are running the router.

If that is the case then you would point the hostname you are passing via the command in DNS to the same IP, or as a CNAME to that host.

oc expose service docker-registry --hostname=<hostname> -n default

In a larger setup with a dedicated set of load balancer (lb) nodes, you might have a specific A record for the set. You could then have the hostname be a CNAME to that record.
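
One way to check the DNS setup described in this answer, as an added example that is not part of the original answer: it resolves a route hostname and reports whether it points at the router node, at a ClusterIP (unreachable from outside the cluster network, as in the "no route to host" error above), or somewhere else. The hostnames, the node IP 192.0.2.11 and the 172.30.0.0/16 service range (inferred from the CLUSTER-IP column in the question) are assumptions.

```python
import ipaddress
import socket

# Assumption: service (ClusterIP) range inferred from the CLUSTER-IP column in the question.
SERVICE_NET = ipaddress.ip_network("172.30.0.0/16")

def resolve_ipv4(hostname):
    """IPv4 addresses the local resolver returns for hostname (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_route_dns(hostname, router_node_ips, resolver=resolve_ipv4):
    """Return (status, addresses) describing where a route hostname points.

    ok           -> every answer is a router node IP
    cluster-ip   -> an answer lies in the service network, not a node address
    wrong-target -> an answer is neither a router node nor a ClusterIP
    unresolved   -> no A record was returned
    """
    expected = {ipaddress.ip_address(ip) for ip in router_node_ips}
    resolved = {ipaddress.ip_address(ip) for ip in resolver(hostname)}
    if not resolved:
        return "unresolved", []
    in_service_net = sorted(str(ip) for ip in resolved if ip in SERVICE_NET)
    if in_service_net:
        return "cluster-ip", in_service_net
    stray = sorted(str(ip) for ip in resolved - expected)
    if stray:
        return "wrong-target", stray
    return "ok", sorted(str(ip) for ip in resolved)

# Constructed sample data: stand-in DNS answers and a documentation-range node IP.
ROUTER_NODE_IPS = ["192.0.2.11"]  # hypothetical address of node-1
SAMPLE_DNS = {
    "registry.apps.example.com": ["192.0.2.11"],
    "clusterip.apps.example.com": ["172.30.78.66"],
    "stale.apps.example.com": ["192.0.2.11", "192.0.2.99"],
}

def sample_resolver(hostname):
    """Offline resolver backed by SAMPLE_DNS, used instead of real DNS."""
    return set(SAMPLE_DNS.get(hostname, []))

if __name__ == "__main__":
    for name in list(SAMPLE_DNS) + ["missing.apps.example.com"]:
        print(name, check_route_dns(name, ROUTER_NODE_IPS, sample_resolver))
```

Drop the `sample_resolver` argument to query the real resolver of the host you run it on, and pass node-1's actual address as the expected IP.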