#Notes for OSBS with Docker Registry V2
## If you have not done this already, clone the git repository
## (need my fork for Fedora build fixes until merged upstream)
$ git clone https://github.com/maxamillion/atomic-reactor.git
$ git checkout build
## Build SRPM for use with COPR
$ tito build --srpm --test
Submit a build to COPR
## If you have not done this already, clone the git repository
## (need my clone for the tito init and Fedora build fixes until merged upstream)
$ git clone https://github.com/maxamillion/osbs-client.git
$ git checkout build
## Build SRPM for use with COPR
$ tito build --srpm --test
Submit a build to COPR
$ ip addr
$ vi /etc/hosts # add 'osbs.localdomain' for this IP address
$ dnf update -y --refresh
$ systemctl reboot
$ systemctl enable sshd.service
$ systemctl start sshd.service
$ mkdir .ssh; chmod 700 .ssh
$ ssh-keygen # If needed
$ scp .ssh/id_rsa.pub root@osbs.localdomain:.ssh/authorized_keys #why not ssh-copy-id?;)
## Setup dev build COPR
$ dnf copr enable maxamillion/atomic-reactor
## Setup openshift install source for openshift (Fedora 23 only, Fedora 24/Rawhide has it in official repos)
$ dnf copr enable maxamillion/fedora-openshift
## bootstrap ansible for F23+
$ dnf install -y ansible python2-dnf libselinux-python libsemanage-python python-firewall
OpenShift with OSBS configuration setup
# OPENSHIFT
# https://github.com/projectatomic/ansible-osbs
$ git clone https://github.com/projectatomic/ansible-osbs.git
$ cd ansible-osbs
./update-roles.sh
$ vim hosts # change 'rhel71' to 'osbs.localdomain' on line 2
$ vim group_vars/all
# at line 9: 'atomic_reactor_source: git'
# at line 17, uncomment section
$ ansible-playbook -i hosts site.yml
# Re-source ~/.bashrc to pick up the KUBECONFIG env var that ansible playbooks place
$ . ~/.bashrc
Setup atomic-reactor buildroot with dev build from COPR
$ dnf -y install atomic-reactor
$ atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /usr/share/atomic-reactor/images/dockerhost-builder buildroot
For V2-only support, the two steps are:
-
Install Pulp using the right versions:
- pulp 2.6
- pulp-docker from branch docker_v2_api
- python-crane 1.2.0
and also install pulp-docker-admin-extensions for 'pulp-admin docker ...' in order to poke at it
-
In your osbs.conf instance definition, set:
registry_api_versions = v2
Note that you will still need to run a docker-distribution instance in
order to transfer V2 content, as the only way to get the content into
Pulp is to have it sync from a V2 registry.
The client atomic-reactor uses to talk to Pulp is dockpulp, so you'll
also need that, https://github.com/release-engineering/dockpulp.
You want to build an /etc/dockpulp.conf into the buildroot too:
[pulps] pulp-registry = https://pulp/ distribution = https://distribution/
[registries] pulp-registry = https://pulp/v1/repositories # not sure if this should be v2 distribution = https://distribution/
[filers] pulp-registry = https://pulp/ distribution = https://distribution/
[verify] pulp-registry = no distribution = no
Adjust to taste. Here, pulp is the pulp server and distribution is
running docker-distribution. pulp-registry is an arbitrary name for the
configuration.
You need to create a Kubernetes secret containing the Pulp certificate
and key. To do that:
dock-pulp.py -s pulp login ...
oc secrets new pulp-secret pulp.cer=/.pulp/pulp.cer pulp.key=/.pulp/pulp.key
oc secrets add serviceaccount/builder secrets/pulp-secret --for=mount
pulp-secret is an arbitrary name for the secret.
Then you can set these `osbs.conf` keys for your instance:
pulp_registry_name = pulp-registry pulp_secret = pulp-secret
### Option 2 - docker-distribution
https://github.com/docker/distribution/blob/master/docs/insecure.md#user-content-using-self-signed-certificates
$ cd ~/ # this should be /root/ because you should be root to run this $ mkdir -p certs && openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key -x509 -days 365 -out certs/domain.crt # use osbs.localdomain for Common Name
$ mkdir -p /etc/docker/certs.d/osbs.localdomain:5000 $ cp certs/domain.crt /etc/docker/certs.d/osbs.localdomain:5000/ca.crt $ trust anchor certs/domain.crt
$ docker run -d -p 5000:5000 --restart=always --name registry -v /root/certs:/certs:z -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key registry:2
$ docker pull fedora $ docker tag fedora osbs.localdomain:5000/fedora $ docker push osbs.localdomain:5000/fedora
## OpenShift image stream setup
cat <<"EOF" | oc create -f - { "apiVersion": "v1", "kind": "ImageStream", "metadata": { "name": "fedora" }, "spec": { "dockerImageRepository": "osbs.localdomain:5000/fedora" } } EOF
## OSBS Client setup
Implement authentication with client certificates.
To test:
* Create cert/key pair for your OpenShift instance for user user_name
and place them in the api_config directory:
oadm create-api-client-config \
--user=user_name \
--client-dir=api_config \
--certificate-authority=/etc/openshift/master/ca.crt \
--signer-cert=/etc/openshift/master/ca.crt \
--signer-key=/etc/openshift/master/ca.key \
--signer-serial=/etc/openshift/master/ca.serial.txt
* Copy the api_config directory to your machine.
* Use osbs-client with client certificate authentication:
osbs \
-i yourinstance \
--client-cert api_config/user_name.crt \
--client-key api_config/user_name.key \
--without-auth \
get-user
You should see Name: "user_name" in the output. Note that OAuth is not
used here.
$ dnf install osbs-client -y
For Docker >= 1.9.1 it needs to be builder_openshift_url = https://172.17.0.1:8443/
$ cat <<"EOF" > /etc/osbs.conf [general] verbose=1 build_json_dir = /usr/share/osbs/ openshift_required_version = 1.0.8
[default] openshift_url = https://osbs.localdomain:8443/ kubelet_uri = http://osbs.localdomain:10250/ (not needed anymore) koji_root = http://koji.fedoraproject.org/koji koji_hub = http://koji.fedoraproject.org/kojihub sources_command = fedpkg sources build_type = prod registry_uri = https://osbs.localdomain:5000/v2 source_registry_uri = https://osbs.localdomain:5000/v2 authoritative_registry = registry.example.com vendor = Fedora Project build_host = osbs.localdomain verify_ssl = false use_auth = false builder_use_auth = true distribution_scope = private registry_api_versions = v2 builder_openshift_url = https://172.17.0.1:8443/ EOF
## Kick Off a Demo Build
$ osbs --conf /etc/osbs.conf build --git-url https://github.com/twaugh/docker-hello-world --git-branch master --user admiller --component docker-hello-world --target rawhide
## Known Issues with workrounds
### port 8443 refused from inside the build container
2015-12-14 23:19:51,857 - atomic_reactor.plugin - DEBUG - Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugin.py", line 203, in run plugin_response = plugin_instance.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugins/exit_store_metadata_in_o sv3.py", line 148, in run osbs.set_annotations_on_build(build_id, labels, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in catch_exceptions return func(*args, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 315, in set_annotations_on_build return self.os.set_annotations_on_build(build_id, annotations, namespace=namespace) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 328, in set_annotations_on_build build_json = self._get(url).json() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 85, in _get headers, kwargs = self._request_args(with_auth, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 73, in _request_args self.get_oauth_token() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 104, in get_oauth_token r = self._get(url, with_auth=False, allow_redirects=False) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 86, in _get return self._con.get(url, headers=headers, verify_ssl=self.verify_ssl, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/http.py", line 412, in get return self._do_request(url, "get", **kwargs) File "/usr/lib/python2.7/site-packages/osbs/http.py", line 403, in _do_request raise OsbsNetworkException(url, message, code, *ex.args[2:]) OsbsNetworkException: (7) Failed to connect to osbs.localdomain port 8443: Connection refused
Solution: Make sure to set the following line in `/etc/osbs.conf` under `[default]`
builder_openshift_url = https://172.17.42.1:8443/
If using Docker >= 1.10 make sure this is:
builder_openshift_url = https://172.17.0.1:8443/
### KeyError('access_token',) from atomic_reactor
2015-12-14 23:22:11,877 - atomic_reactor.plugins.store_metadata_in_osv3 - INFO - build id = docker-hello-world-master-2 2015-12-14 23:22:11,878 - atomic_reactor.core - INFO - inspecting image 'fedora:latest' 2015-12-14 23:22:11,879 - atomic_reactor.core - DEBUG - image_id = 'fedora:latest' 2015-12-14 23:22:11,935 - atomic_reactor.plugin - DEBUG - Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugin.py", line 203, in run plugin_response = plugin_instance.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugins/exit_store_metadata_in_o sv3.py", line 148, in run osbs.set_annotations_on_build(build_id, labels, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 39, in catch_exceptions raise OsbsException(cause=ex, traceback=sys.exc_info()[2]) OsbsException: KeyError('access_token',)
Original traceback (most recent call last): File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in catch_exceptions return func(*args, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 315, in set_annotations_on_build return self.os.set_annotations_on_build(build_id, annotations, namespace=namespace) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 328, in set_annotations_on_build build_json = self._get(url).json() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 85, in _get headers, kwargs = self._request_args(with_auth, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 73, in _request_args self.get_oauth_token() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 118, in get_oauth_token self.token = parsed_fragment[b'access_token'][0] KeyError('access_token',)
Solution: make sure to set the following in `/etc/osbs.conf` under `[default]` section:
builder_use_auth = false
## Known Issues without currently known workarounds
### OsbsNetworkException: (404) and atomic_reactor.plugin.PluginFailedException: plugin 'squash' raised an exception
Reported Upstream:
https://github.com/projectatomic/osbs-client/issues/331
2016-01-04 20:59:19,725 - atomic_reactor.plugin - DEBUG - running plugin 'store_metadata_in_osv3' 2016-01-04 20:59:19,727 - atomic_reactor.plugin - INFO - running plugin instance with args: '{u'url': u'https://172.17.42.1:8443/', u'verify_ssl': False, u'use_auth': True}' 2016-01-04 20:59:19,729 - atomic_reactor.plugins.store_metadata_in_osv3 - INFO - build id = docker-hello-world-master-1 2016-01-04 20:59:52,808 - atomic_reactor.plugin - DEBUG - Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugin.py", line 203, in run plugin_response = plugin_instance.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugins/exit_store_metadata_in_osv3.py", line 148, in run osbs.set_annotations_on_build(build_id, labels, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 28, in catch_exceptions return func(*args, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/api.py", line 315, in set_annotations_on_build return self.os.set_annotations_on_build(build_id, annotations, namespace=namespace) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 328, in set_annotations_on_build build_json = self._get(url).json() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 85, in _get headers, kwargs = self._request_args(with_auth, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 73, in _request_args self.get_oauth_token() File "/usr/lib/python2.7/site-packages/osbs/core.py", line 104, in get_oauth_token r = self._get(url, with_auth=False, allow_redirects=False) File "/usr/lib/python2.7/site-packages/osbs/core.py", line 86, in _get return self._con.get(url, headers=headers, verify_ssl=self.verify_ssl, **kwargs) File "/usr/lib/python2.7/site-packages/osbs/http.py", line 412, in get return self._do_request(url, "get", **kwargs) File "/usr/lib/python2.7/site-packages/osbs/http.py", line 403, in _do_request raise OsbsNetworkException(url, message, code, *ex.args[2:]) OsbsNetworkException: (7) Failed to connect to 172.17.42.1 port 8443: No route to host
2016-01-04 20:59:52,809 - atomic_reactor.plugin - WARNING - plugin 'store_metadata_in_osv3' raised an exception: OsbsNetworkException(u'(7) Failed to connect to 172.17.42.1 port 8443: No route to host',) 2016-01-04 20:59:52,809 - atomic_reactor.plugin - INFO - error is not fatal, continuing... 2016-01-04 20:59:52,809 - atomic_reactor.plugin - DEBUG - running plugin 'remove_built_image' 2016-01-04 20:59:52,811 - atomic_reactor.plugin - INFO - running plugin instance with args: '{}' 2016-01-04 20:59:52,811 - atomic_reactor.core - INFO - removing image 'sha256:99117e1c60a0687509ca4a9e042b7a9963e4b91f971894cd5fc117795c0e2eef' from filesystem 2016-01-04 20:59:52,811 - atomic_reactor.core - DEBUG - image_id = 'sha256:99117e1c60a0687509ca4a9e042b7a9963e4b91f971894cd5fc117795c0e2eef' 2016-01-04 21:01:24,800 - atomic_reactor.core - INFO - removing image 'fedora:latest' from filesystem 2016-01-04 21:01:24,800 - atomic_reactor.core - DEBUG - image_id = 'fedora:latest' 2016-01-04 21:01:24,812 - atomic_reactor.core - INFO - removing image 'osbs.localdomain:5000/fedora:latest' from filesystem 2016-01-04 21:01:24,812 - atomic_reactor.core - DEBUG - image_id = 'osbs.localdomain:5000/fedora:latest' Traceback (most recent call last): File "/usr/bin/atomic-reactor", line 9, in load_entry_point('atomic-reactor==1.6.0', 'console_scripts', 'atomic-reactor')() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 299, in run cli.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 282, in run args.func(args) File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 89, in cli_inside_build build_inside(input_method=args.input, input_args=args.input_arg, substitutions=args.substitute) File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/inner.py", line 402, in build_inside build_result = dbw.build_docker_image() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/inner.py", line 344, in build_docker_image prepublish_runner.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugin.py", line 222, in run raise PluginFailedException(msg) atomic_reactor.plugin.PluginFailedException: plugin 'squash' raised an exception: IOError(2, 'No such file or directory') 2016-01-04 21:01:24,975 - osbs.http.curl - DEBUG - b'Closing connection 0' 2016-01-04 21:01:24,976 - osbs.http - DEBUG - end of the stream 2016-01-04 21:01:24,976 - osbs.http - DEBUG - cleaning up
### atomic_reactor RuntimeError("Missing label 'name'.",)
Traceback (most recent call last): File "/usr/bin/atomic-reactor", line 9, in load_entry_point('atomic-reactor==1.6.0', 'console_scripts', 'atomic-reactor')() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 299, in run cli.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 282, in run args.func(args) File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/cli/main.py", line 89, in cli_inside_build build_inside(input_method=args.input, input_args=args.input_arg, substitutions=args.substitute) File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/inner.py", line 402, in build_inside build_result = dbw.build_docker_image() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/inner.py", line 352, in build_docker_image postbuild_runner.run() File "/usr/lib/python2.7/site-packages/atomic_reactor-1.6.0-py2.7.egg/atomic_reactor/plugin.py", line 222, in run raise PluginFailedException(msg) atomic_reactor.plugin.PluginFailedException: plugin 'tag_by_labels' raised an exception: RuntimeError("Missing label 'name'.",)
### Unable to connect to server to handle "imagestreams"
{ "apiVersion": "v1", "kind": "ImageStream", "metadata": { "name": "fedora" }, "spec": { "dockerImageRepository": "osbs.localdomain:5000/fedora" } } EOF unable to connect to a server to handle "imagestreams": No configuration file found, please login or point to an existing file:
- Via the command-line flag --config
- Via the KUBECONFIG environment variable
- In your home directory as ~/.kube/config
To view or setup config directly use the 'config' command.
## Deploy koji-containerbuild plugin
https://github.com/release-engineering/koji-containerbuild
Install `koji-containerbuild` from my [COPR](https://copr.fedoraproject.org/coprs/maxamillion/atomic-reactor/)
$ yum -y install koji-containerbuild koji-containerbuild-{builder,cli,hub}
Enabled the plugins for hub and builder (kojid) on respective hosts
In `/etc/kojid/kojid.conf` add `builder_containerbuild` to the plugins line:
plugins = builder_container
In `/etc/koji-hub/hub.conf` add `hub_containerbuild` to the plugins line:
plugins = hub_containerbuild
On for the client stuff you'll need to add the following to `/etc/koji.conf` (changing the needed bits)
[koji-containerbuild]
;configuration for koji cli tool
;url of XMLRPC server server = http://devops.example.com/kojihub
;url of web interface weburl = http://devops.example.com/koji
;url of package download site topurl = https://kojipkgs.localdomain/
;path to the koji top directory ;topdir = /mnt/koji
;configuration for Kerberos authentication
;the service name of the principal being used by the hub ;krbservice = host
;configuration for SSL authentication
;client certificate cert = ~/.koji/client.crt
;certificate of the CA that issued the client certificate ca = ~/.koji/serverca.crt
;certificate of the CA that issued the HTTP server certificate serverca = ~/.koji/serverca.crt
### Setup Koji tag, target, docker "packages" - Option 1
As the kojiadmin, add builder(s) to the channel and add a package
This setup is for inheriting from f24 and all it's content. This is ideal but we're waiting on signed repos to be implemented that make it work properly.
$ koji add-host-to-channel kojibuilder1.stg.fedoraproject.org container --new
$ stg-koji add-tag f24-docker --parent f24
$ stg-koji add-tag f24-docker-build --parent f24-build --arches x86_64
$ stg-koji add-target f24-docker-candidate f24-docker-build f24-docker
$ stg-koji add-pkg --owner maxamillion f24-docker $PKG_NAME
$ stg-koji grant-cg-access containerbuild atomic-reactor --new
### Setup Koji tag, target, docker "packages" - Option 2
As the kojiadmin, add builder(s) to the channel and add a package
This setup does not inherit from f24. This is to work around the fact that we don't have koji signed repos and will instead inject alternate repos into the atomic-reactor buildroot
$ koji add-host-to-channel kojibuilder1.stg.fedoraproject.org container --new
$ stg-koji add-tag f24-docker
$ stg-koji add-tag f24-docker-build --arches x86_64 --parent=f24-docker
$ stg-koji add-target f24-docker-candidate f24-docker-build f24-docker
$ stg-koji add-pkg --owner maxamillion f24-docker $PKG_NAME
$ stg-koji grant-cg-access containerbuild atomic-reactor --new
$ stg-koji add-external-repo -t f24-docker kojipkgs-everything-f24-branched 'https://kojipkgs.fedoraproject.org/pub/fedora/linux/development/24/Everything/$arch/os/'