Skip to content

Latest commit

 

History

History
234 lines (211 loc) · 8 KB

4.3.proxy.md

File metadata and controls

234 lines (211 loc) · 8 KB

如何添加 http_proxy 来下载镜像

我们的部署环境,如果有一个image proxy,那么可以配置集群,使用这个proxy去下载镜像。

关键是crio的环境变量,所以给这个目录添加一个环境变量进去,/etc/systemd/system/crio.service.d/

cat << EOF > crio-env.conf
[Service]
Environment=HTTP_PROXY=http://v.redhat.ren:8080
Environment=HTTPS_PROXY=http://v.redhat.ren:8080
Environment=NO_PROXY=redhat.ren,10.254.0.0/16,172.30.0.0/16
EOF

config_source=$(cat ./crio-env.conf | python3 -c "import sys, urllib.parse; print(urllib.parse.quote(''.join(sys.stdin.readlines())))"  )

cat <<EOF > 50-crio-env-conf.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 50-crio-env-conf
spec:
  config:
    ignition:
      version: 2.2.0
    storage:
      files:
      - contents:
          source: data:text/plain,${config_source}
          verification: {}
        filesystem: root
        mode: 0420
        path: /etc/systemd/system/crio.service.d/20-wzh-env.conf
      - contents:
          source: data:text/plain,${config_source}
          verification: {}
        filesystem: root
        mode: 0420
        path: /etc/systemd/system/kubelet.service.d/20-wzh-env.conf
      - contents:
          source: data:text/plain,${config_source}
          verification: {}
        filesystem: root
        mode: 0420
        path: /etc/systemd/system/machine-config-daemon-host.service.d/20-wzh-env.conf
      - contents:
          source: data:text/plain,${config_source}
          verification: {}
        filesystem: root
        mode: 0420
        path: /etc/systemd/system/pivot.service.d/20-wzh-env.conf
EOF
oc apply -f 50-crio-env-conf.yaml -n openshift-config

等待集群重启以后,测试一下

cat << EOF > test-local-dc.yaml
kind: DeploymentConfig
apiVersion: apps.openshift.io/v1
metadata:
  name: busybox
  labels:
    run: busybox
spec:
  replicas: 1
  template:
    metadata:
      labels:
        run: busybox
    spec:
      containers:
        - name: busybox
          image: 'docker.io/busybox:1.28.0-glibc'
          command:
            - sleep
            - '36000'

EOF
oc apply -f test-local-dc.yaml

虽然实验环境网络问题,没下载成功,但是看到下载是在走proxy了。

以下是弯路

这样就可以通过内网的proxy server去pull image了。

调优 /etc/crio/crio.conf 的方法不可以,因为查过源代码以后,发现下面链接说的操作,源代码里面也就支持3个选项,其他选项都不支持。 https://www.redhat.com/en/blog/red-hat-openshift-container-platform-4-now-defaults-cri-o-underlying-container-engine

然后从源代码里面,高兴的发现,/etc/systemd/system/crio.service.d/10-default-env.conf 是可以通过proxy的配置生效的。 https://github.com/openshift/machine-config-operator/blob/master/templates/common/_base/files/etc-systemd-system-crio.service.d-10-default-env.conf.yaml

配置一个proxy https://access.redhat.com/solutions/3442811

apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://v.redhat.ren:8080 
  httpsProxy: http://v.redhat.ren:8080 
  noProxy: example.com 
cat << EOF > proxy.yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec:
  httpProxy: http://v.redhat.ren:8080 
  httpsProxy: http://v.redhat.ren:8080 
  readinessEndpoints:
  - http://www.google.com 
  noProxy: example.com 
  trustedCA:
    name: ca.for.proxy
EOF
oc apply -f proxy.yaml

cat << EOF > proxy.yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  name: cluster
spec: {}
EOF
oc apply -f proxy.yaml

cat /etc/systemd/system/crio.service.d/10-default-env.conf

cat << EOF > ca.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ca.for.proxy
  namespace: openshift-config 
data:
  ca-bundle.crt: | 
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCpRqAtwkQsmdA5
    qDyAV7ABoRmZdDh7aaH9OY+gHRVtMDYbEH1e3u4oIJ5CoAK4EiZ/AZA2Pb5xFO+5
    63YwMFEucg0TcCAs20yFbhkRXac1UxsGmx3zUSfex6/A6yxwyx14/HBoli6Trqpr
    oPxUFDFoHHe6zIqgQkdjdYttL/vwrVg2yH2Z3IS1qQ/uN8UpyL/yY48VRimQsGjX
    9FmRusONsUdRYh29gbOI76hJ7ooCNGvgbXq/6L6OGu6by+g6MgqHtBWMjnObWkWV
    ln1lRRfmhwlGO0136lURt58diJSIWPXOpSO4Ulc2JMH9D+pgAD59JU4pm1PvGotc
    e+WIxvJ9AgMBAAECggEACpulcBirgwwEk4hqejSEkCWTYB17aKh/AUp5KLSJ4jTS
    PzHyWV6pGBSrNkumv/hLN0xWyD9oTtfcCg+qcWylub5l+WDec1Eu43G52m+/CcVy
    fSB9aQEd+YUUC4fxWgQwjaNsO/Gla5XXkjUdevtk+TxHeIpW6aIdrSrxmN8X78Yj
    F0FIPYSAM4Lh2ZdykFS9igbteRN27WGlypKF6D7efDfbh4TLuVtSMRyehjewyy3U
    DAYkkMm1SD/TH4HJQU8eU3Gp3ZZmP4uSTESfBc/6lrSy/ooXqtc/x8dv0SQtky0I
    FQu/bTdrSjz3gOKZVfaLsG4LMiMo7M4SekyU2EGulQKBgQDUobsMXV0WrwVF4JFF
    ug3PxXwcatlnesrlcOPQQdhZz4ngk3z49GxPrXykzFQ5KtMCsgyOhNpXOVu6vqew
    0QmxJvF8Mo0GhwIOANlrQSn/Flt5s5GIPqteAE//RxSsAhRm6fDnxKik2aT5XOYl
    9GQvFvPDtjSR0nBHQg5BuBgtbwKBgQDLzSDr61tbU02/bV/td6CkVMSSpGHpfUU+
    0rGC9/JzBmBDr/mC5fDUN0bno1zq35HURxzhk306BJSbMMwnwmUFgWxPuJwlVo2V
    Zs3x41eYzTj7JOPZ/AphR+6pdpXlsoxpXUQRgWq1j8hq0wUqDL8s0ltzoDJFMxri
    J9N7fv6A0wKBgQChFk3Q1kKZ1sqV38XvHz8rcx/Nn51I6hwgqt/MfLXdhH+eJd59
    9R7BVluhtjLwhGMMHbuplTic8BVwatQ7/oHrNeepAdsZYNrLpRUSTnH0kQmIL+RH
    ZcMKGg6BBWbB0WmHdiBOVgy1pzV2vUyW4ImtqyPN15IID3eEZKTMYR3f/QKBgFke
    QBEp/+71hH/64gHDV/nEH5lITJB/ePI5y+nLZrepyBqRLvhweFk0Oss8Anuqe+hp
    mFWD2zStoBYkxoF0XhyENcq+nXkuWgdExzXJBhsJUqtvvDssHZXgkJqGApJI+2Fv
    qT5Ga1UtpKQh1pZGsKp26gqruI/OAyl15OKR69SFAoGADAOAADooY3Qcn9AWH1e8
    ebSDdimi4j1H9yFvcByaJkNrGhNgKwYYYeLsCvwxGLjRontoH6xOJAVdwmadV/CH
    6Ket3yJLWRIuu1N1IKvfLEqLsp2sbWKInhohEfh5yZmvCeTUjJKkz62DYS20JsN0
    1+gdBRElKgEz14GTvj7lpas=
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIDVzCCAj+gAwIBAgIJANzkXo7TCVYVMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNV
    BAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
    Q29tcGFueSBMdGQwHhcNMjAwMjIyMDMxOTMxWhcNMjEwMjIxMDMxOTMxWjBCMQsw
    CQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
    dWx0IENvbXBhbnkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
    qUagLcJELJnQOag8gFewAaEZmXQ4e2mh/TmPoB0VbTA2GxB9Xt7uKCCeQqACuBIm
    fwGQNj2+cRTvuet2MDBRLnINE3AgLNtMhW4ZEV2nNVMbBpsd81En3sevwOsscMsd
    ePxwaJYuk66qa6D8VBQxaBx3usyKoEJHY3WLbS/78K1YNsh9mdyEtakP7jfFKci/
    8mOPFUYpkLBo1/RZkbrDjbFHUWIdvYGziO+oSe6KAjRr4G16v+i+jhrum8voOjIK
    h7QVjI5zm1pFlZZ9ZUUX5ocJRjtNd+pVEbefHYiUiFj1zqUjuFJXNiTB/Q/qYAA+
    fSVOKZtT7xqLXHvliMbyfQIDAQABo1AwTjAdBgNVHQ4EFgQUaTkD399lxrjHrHkl
    Mq1se4L+yr0wHwYDVR0jBBgwFoAUaTkD399lxrjHrHklMq1se4L+yr0wDAYDVR0T
    BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkuBFWQV2dFfwVChhVGKxynQ3JD48
    tT27b8G0YHMIM1WGkYIO7jWOx4Vvpo0ykqvwP1r7gVLHectPynCt55c1/lN9FxuV
    o+VTGN2ObA8AyEr4pPUJf7rav9GBlyJlIGL2IM4A9b0aCqfwIg0OyTSQzI5E5Cv8
    SDj1XTCPwkZT+Vq8aXorpej4dNhz//0AA872pAtwp9ex+KPOVRRZM4cQfQof3saB
    oPSkc8R2sA1TYNweeF4cWctWz2G0Vy/uo0fwcTb9NJwpzZlRBclg2S9WA9dMwnV8
    LVnyLpo2cf4R2z8zDcfDoQV7i6JxzfTQCeUO1Zy4zPTbtKt1k8g3dYfF0w==
    -----END CERTIFICATE-----
EOF
oc apply -f ca.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
metadata:
 name: set-log-and-pid
spec:
 machineConfigPoolSelector:
   matchLabels:
     debug-crio: config1
 containerRuntimeConfig:
   conmon_env: "[ HTTP_PROXY=http://v.redhat.ren:8080, HTTPS_PROXY=http://v.redhat.ren:8080 ]" 
cat << EOF > crio.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: ContainerRuntimeConfig
metadata:
 name: set-log-and-pid
spec:
 machineConfigPoolSelector:
   matchLabels:
     debug-crio: config1
 containerRuntimeConfig:
   conmon_env: '[HTTP_PROXY=http://v.redhat.ren:8080,HTTPS_PROXY=http://v.redhat.ren:8080]'
EOF

oc apply -f crio.yaml

oc delete -f crio.yaml

oc edit MachineConfigPool/worker

oc get ContainerRuntimeConfig -o yaml

oc get MachineConfigs

python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))" $(oc get MachineConfig/rendered-worker-a01b5da25ec85d2f0ffabfeb1fbe996d -o YAML | grep -B4 crio.conf | grep source | tail -n 1 | cut -d, -f2) | grep conmon