Merge pull request #13425 from bmcelvee/osdocs-227-configuring-registry

osdocs-227 accessing registry modules

Author: bmcelvee

_topic_map.yml

@@ -149,6 +149,8 @@ Distros: openshift-*
 Topics:
 - Name: Registry options
   File: registry-options
+- Name: Accessing the registry
+  File: accessing-the-registry
 ---
 Name: Scalability and performance
 Dir: scalability_and_performance

modules/registry-accessing-directly.adoc

@@ -0,0 +1,125 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-accessing-directly-{context}']
+= Accessing registry directly
+
+You can access the registry directly to invoke `docker` commands. This allows
+you to push images to or pull them from the integrated registry directly using
+operations like `docker push` or `docker pull`. To do so, you must be logged in
+to the registry using the `docker login` command. The operations you can perform
+depend on your user permissions, as described in the following sections.
+
+.Prerequisites
+
+* For any direct access, you must have a regular user for your preferred identity
+provider.
+** A regular user can generate an access token required for logging in to
+the registry.
+** System users, such as *system:admin*, cannot obtain access tokens
+and, therefore, cannot access the registry directly.
++
+For example, if you are using `HTPASSWD` authentication, you can create one
+using the following command:
++
+----
+# htpasswd /etc/origin/openshift-htpasswd <user_name>
+----
+
+* For pulling images, for example when using the `docker pull` command,
+the user must have the *registry-viewer* role. To add this role:
++
+----
+$ oc policy add-role-to-user registry-viewer <user_name>
+----
+
+* For writing or pushing images, for example when using the `docker push` command,
+the user must have the *registry-editor* role. To add this role:
++
+----
+$ oc policy add-role-to-user registry-editor <user_name>
+----
+
+.Procedure
+
+. Log in to the registry directly:
+
+.. Ensure you are logged in to {product-title} as a *regular user*:
++
+----
+$ oc login
+----
+
+.. Log in to the container image registry by using your access token:
++
+----
+docker login -u openshift -p $(oc whoami -t) <registry_ip>:<port>
+----
++
+[NOTE]
+====
+You can pass any value for the username, the token contains all necessary
+information. Passing a username that contains colons will result in a login
+failure.
+====
++
+. Perform `docker pull` and `docker push` operations against your registry:
++
+[IMPORTANT]
+====
+You can pull arbitrary images, but if you have the *system:registry* role
+added, you can only push images to the registry in your project.
+====
++
+In the following examples, we use:
++
+|====
+|Component |Value
+
+|*<registry_ip>*
+|`172.30.124.220`
+
+|*<port>*
+|`5000`
+
+|*<project>*
+|`openshift`
+
+|*<image>*
+|`busybox`
+
+|*<tag>*
+| omitted (defaults to `latest`)
+|====
+
+.. Pull an arbitrary image:
++
+----
+$ docker pull docker.io/busybox
+----
+
+.. Tag the new image with the form `<registry_ip>:<port>/<project>/<image>`.
+The project name *must* appear in this pull specification for {product-title} to
+correctly place and later access the image in the registry:
++
+----
+$ docker tag docker.io/busybox 172.30.124.220:5000/openshift/busybox
+----
++
+[NOTE]
+====
+Your regular user must have the *system:image-builder* role for the specified
+project, which allows the user to write or push an image. Otherwise, the `docker
+push` in the next step will fail. To test, you can create a new project to
+push the *busybox* image.
+====
+
+.. Push the newly-tagged image to your registry:
++
+----
+$ docker push 172.30.124.220:5000/openshift/busybox
+...
+cf2616975b4a: Image successfully pushed
+Digest: sha256:3662dd821983bc4326bee12caec61367e7fb6f6a3ee547cbaff98f77403cab55
+----

modules/registry-accessing-metrics.adoc

@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-accessing-metrics-{context}']
+= Accessing registry metrics
+
+The OpenShift Container Registry provides an endpoint for
+link:https://prometheus.io/docs/introduction/overview/[Prometheus metrics].
+Prometheus is a stand-alone, open source systems monitoring and alerting
+toolkit.
+
+The metrics are exposed at the *_/extensions/v2/metrics_* path of the registry
+endpoint. However, this route must first be enabled; see
+Extended Registry Configuration for instructions.
+
+// Recommended link to extended registry configuration assembly.
+
+.Procedure
+
+There are two ways in which you can access the metrics: running a metrics query
+or by using the cluster role.
+
+*Metrics query*
+. Run a metrics query, for example:
++
+[source, bash]
+----
+$ curl -s -u <user>:<secret> \ <1>
+    http://172.30.30.30:5000/extensions/v2/metrics | grep openshift | head -n 10
+
+# HELP openshift_build_info A metric with a constant '1' value labeled by major, minor, git commit & git version from which OpenShift was built.
+# TYPE openshift_build_info gauge
+openshift_build_info{gitCommit="67275e1",gitVersion="v3.6.0-alpha.1+67275e1-803",major="3",minor="6+"} 1
+# HELP openshift_registry_request_duration_seconds Request latency summary in microseconds for each operation
+# TYPE openshift_registry_request_duration_seconds summary
+openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.5"} 0
+openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.9"} 0
+openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.99"} 0
+openshift_registry_request_duration_seconds_sum{name="test/origin-pod",operation="blobstore.create"} 0
+openshift_registry_request_duration_seconds_count{name="test/origin-pod",operation="blobstore.create"} 5
+----
+<1> `<user>` can be arbitrary, but `<secret>` must match the value specified in the
+registry configuration.
+
+*Cluster role*
+. Create a cluster role if you do not already have one to access the metrics:
++
+[source, bash]
+----
+$ cat <<EOF |
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: prometheus-scraper
+rules:
+- apiGroups:
+  - image.openshift.io
+  resources:
+  - registry/metrics
+  verbs:
+  - get
+EOF
+oc create -f -
+----
+
+. Add this role to a user, run the following command:
++
+[source, bash]
+----
+$ oc adm policy add-cluster-role-to-user prometheus-scraper <username>
+----
+
+. Access the metrics using cluster role. You still need to
+enable the endpoint, but you do not need to specify a `<secret>`. The part of
+the configuration file responsible for metrics should look like this:
+
+----
+openshift:
+  version: 1.0
+  metrics:
+    enabled: true
+...
+----

modules/registry-viewing-contents.adoc

@@ -0,0 +1,90 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-viewing-contents-{context}']
+= Viewing the registry's contents
+
+Tag and image metadata is stored in {product-title}, but the registry stores
+layer and signature data in a volume that is mounted into the registry container
+at *_/registry_*. As `oc exec` does not work on privileged containers, to view a
+registry's contents you must manually SSH into the node housing the registry
+pod's container, then run `docker exec` on the container itself.
+
+.Procedure
+
+. List the current pods to find the pod name of your container image registry:
++
+----
+# oc get pods
+----
++
+Then, use `oc describe` to find the host name for the node running the
+container:
++
+----
+# oc describe pod <pod_name>
+----
+
+. Log into the desired node:
++
+----
+# ssh node.example.com
+----
+
+. List the running containers from the default project on the node host and identify the container ID for
+the container image registry:
++
+----
+# docker ps --filter=name=registry_docker-registry.*_default_
+----
+
+. List the registry contents using the `oc rsh` command:
++
+----
+# oc rsh dc/docker-registry find /registry
+/registry/docker
+/registry/docker/registry
+/registry/docker/registry/v2
+/registry/docker/registry/v2/blobs <1>
+/registry/docker/registry/v2/blobs/sha256
+/registry/docker/registry/v2/blobs/sha256/ed
+/registry/docker/registry/v2/blobs/sha256/ed/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810
+/registry/docker/registry/v2/blobs/sha256/ed/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810/data <2>
+/registry/docker/registry/v2/blobs/sha256/a3
+/registry/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
+/registry/docker/registry/v2/blobs/sha256/a3/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/data
+/registry/docker/registry/v2/blobs/sha256/f7
+/registry/docker/registry/v2/blobs/sha256/f7/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845
+/registry/docker/registry/v2/blobs/sha256/f7/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845/data
+/registry/docker/registry/v2/repositories <3>
+/registry/docker/registry/v2/repositories/p1
+/registry/docker/registry/v2/repositories/p1/pause <4>
+/registry/docker/registry/v2/repositories/p1/pause/_manifests
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures <5>
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810
+/registry/docker/registry/v2/repositories/p1/pause/_manifests/revisions/sha256/e9a2ac6418981897b399d3709f1b4a6d2723cd38a4909215ce2752a5c068b1cf/signatures/sha256/ede17b139a271d6b1331ca3d83c648c24f92cece5f89d95ac6c34ce751111810/link <6>
+/registry/docker/registry/v2/repositories/p1/pause/_uploads <7>
+/registry/docker/registry/v2/repositories/p1/pause/_layers <8>
+/registry/docker/registry/v2/repositories/p1/pause/_layers/sha256
+/registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
+/registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4/link <9>
+/registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845
+/registry/docker/registry/v2/repositories/p1/pause/_layers/sha256/f72a00a23f01987b42cb26f259582bb33502bdb0fcf5011e03c60577c4284845/link
+----
+<1> This directory stores all layers and signatures as blobs.
+<2> This file contains the blob's contents.
+<3> This directory stores all the image repositories.
+<4> This directory is for a single image repository *p1/pause*.
+<5> This directory contains signatures for a particular image manifest revision.
+<6> This file contains a reference back to a blob (which contains the signature
+data).
+<7> This directory contains any layers that are currently being uploaded and
+staged for the given repository.
+<8> This directory contains links to all the layers this repository references.
+<9> This file contains a reference to a specific layer that has been linked into
+this repository via an image.

modules/registry-viewing-logs.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * assembly/registry
+
+[id='registry-viewing-logs-{context}']
+= Viewing registry logs
+
+You can view the logs for the registry by using the `oc logs` command.
+
+.Procedure
+
+. Use the `oc logs` command with the deployment configuration to view the logs
+for the container image registry:
++
+----
+$ oc logs dc/docker-registry
+2015-05-01T19:48:36.300593110Z time="2015-05-01T19:48:36Z" level=info msg="version=v2.0.0+unknown"
+2015-05-01T19:48:36.303294724Z time="2015-05-01T19:48:36Z" level=info msg="redis not configured" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
+2015-05-01T19:48:36.303422845Z time="2015-05-01T19:48:36Z" level=info msg="using inmemory layerinfo cache" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
+2015-05-01T19:48:36.303433991Z time="2015-05-01T19:48:36Z" level=info msg="Using OpenShift Auth handler"
+2015-05-01T19:48:36.303439084Z time="2015-05-01T19:48:36Z" level=info msg="listening on :5000" instance.id=9ed6c43d-23ee-453f-9a4b-031fea646002
+----

registry/PLACEHOLDER

@@ -0,0 +1,15 @@
+:context: accessing-the-registry.adoc
+= Accessing the registry
+include::modules/common-attributes.adoc[]
+toc::[]
+
+Use the following sections for instructions on accessing the registry, including
+viewing logs and metrics, as well as securing and exposing the registry.
+
+include::modules/registry-accessing-directly.adoc[leveloffset=+1]
+
+include::modules/registry-viewing-contents.adoc[leveloffset=+1]
+
+include::modules/registry-viewing-logs.adoc[leveloffset=+1]
+
+include::modules/registry-accessing-metrics.adoc[leveloffset=+1]