kubelet 拉取私有鏡像過程

kubelet拉取鏡像是用許多密鑰嘗試去拉取,kubelet拉取私有鏡像除了可以在yaml里面配置私有鏡像倉庫密鑰以外,也可以在運行本地通過配置文件配置,下面就解說一下拉取過程。

//pkg/kubelet/kuberuntime/kuberuntime_image.go
func (m *kubeGenericRuntimeManager) PullImage(image kubecontainer.ImageSpec, pullSecrets []v1.Secret) (string, error) {
        //如果沒有在yaml里面配置私有倉庫密鑰pullSecrets長度就是0
    img := image.Image
    repoToPull, _, _, err := parsers.ParseImageName(img)
    if err != nil {
        return "", err
    }

//下面這一句是根據(jù)pullSecrets生成docker密鑰的過程如果沒有yaml沒有配置那么用的是配置文件配置的密鑰
    keyring, err := credentialprovider.MakeDockerKeyring(pullSecrets, m.keyring)
    if err != nil {
        return "", err
    }

    imgSpec := &runtimeapi.ImageSpec{Image: img}
    creds, withCredentials := keyring.Lookup(repoToPull)
    if !withCredentials {
        glog.V(3).Infof("Pulling image %q without credentials", img)

        imageRef, err := m.imageService.PullImage(imgSpec, nil)
        if err != nil {
            glog.Errorf("Pull image %q failed: %v", img, err)
            return "", err
        }

        return imageRef, nil
    }

    var pullErrs []error
//根據(jù)獲取的密鑰進行嘗試
    for _, currentCreds := range creds {
        authConfig := credentialprovider.LazyProvide(currentCreds)
        auth := &runtimeapi.AuthConfig{
            Username:      authConfig.Username,
            Password:      authConfig.Password,
            Auth:          authConfig.Auth,
            ServerAddress: authConfig.ServerAddress,
            IdentityToken: authConfig.IdentityToken,
            RegistryToken: authConfig.RegistryToken,
        }

        imageRef, err := m.imageService.PullImage(imgSpec, auth)
        // If there was no error, return success
        if err == nil {
            return imageRef, nil
        }

        pullErrs = append(pullErrs, err)
    }

    return "", utilerrors.NewAggregate(pullErrs)
}

獲取本地密鑰過程:

func DefaultDockercfgPaths() []string {
    return []string{GetPreferredDockercfgPath(), workingDirPath, homeDirPath, rootDirPath}
}

//DefaultDockerConfigJSONPaths returns default search paths of .docker/config.json
func DefaultDockerConfigJSONPaths() []string {
    return []string{GetPreferredDockercfgPath(), workingDirPath, homeJsonDirPath, rootJsonDirPath}
}

// ReadDockercfgFile attempts to read a legacy dockercfg file from the given paths.
// if searchPaths is empty, the default paths are used.
func ReadDockercfgFile(searchPaths []string) (cfg DockerConfig, err error) {
    if len(searchPaths) == 0 {
        searchPaths = DefaultDockercfgPaths()
    }

    for _, configPath := range searchPaths {
        absDockerConfigFileLocation, err := filepath.Abs(filepath.Join(configPath, configFileName))
        if err != nil {
            glog.Errorf("while trying to canonicalize %s: %v", configPath, err)
            continue
        }
        glog.V(4).Infof("looking for .dockercfg at %s", absDockerConfigFileLocation)
        contents, err := ioutil.ReadFile(absDockerConfigFileLocation)
        if os.IsNotExist(err) {
            continue
        }
        if err != nil {
            glog.V(4).Infof("while trying to read %s: %v", absDockerConfigFileLocation, err)
            continue
        }
        cfg, err := readDockerConfigFileFromBytes(contents)
        if err == nil {
            glog.V(4).Infof("found .dockercfg at %s", absDockerConfigFileLocation)
            return cfg, nil
        }
    }
    return nil, fmt.Errorf("couldn't find valid .dockercfg after checking in %v", searchPaths)
}

// ReadDockerConfigJSONFile attempts to read a docker config.json file from the given paths.
// if searchPaths is empty, the default paths are used.
func ReadDockerConfigJSONFile(searchPaths []string) (cfg DockerConfig, err error) {
    if len(searchPaths) == 0 {
        searchPaths = DefaultDockerConfigJSONPaths()
    }
    for _, configPath := range searchPaths {
        absDockerConfigFileLocation, err := filepath.Abs(filepath.Join(configPath, configJsonFileName))
        if err != nil {
            glog.Errorf("while trying to canonicalize %s: %v", configPath, err)
            continue
        }
        glog.V(4).Infof("looking for %s at %s", configJsonFileName, absDockerConfigFileLocation)
        cfg, err = ReadSpecificDockerConfigJsonFile(absDockerConfigFileLocation)
        if err != nil {
            if !os.IsNotExist(err) {
                glog.V(4).Infof("while trying to read %s: %v", absDockerConfigFileLocation, err)
            }
            continue
        }
        glog.V(4).Infof("found valid %s at %s", configJsonFileName, absDockerConfigFileLocation)
        return cfg, nil
    }
    return nil, fmt.Errorf("couldn't find valid %s after checking in %v", configJsonFileName, searchPaths)

}

//ReadSpecificDockerConfigJsonFile attempts to read docker configJSON from a given file path.
func ReadSpecificDockerConfigJsonFile(filePath string) (cfg DockerConfig, err error) {
    var contents []byte

    if contents, err = ioutil.ReadFile(filePath); err != nil {
        return nil, err
    }
    return readDockerConfigJsonFileFromBytes(contents)
}

func ReadDockerConfigFile() (cfg DockerConfig, err error) {
    if cfg, err := ReadDockerConfigJSONFile(nil); err == nil {
        return cfg, nil
    }
    // Can't find latest config file so check for the old one
    return ReadDockercfgFile(nil)
}

密鑰分為兩種文件類型一種是config.json另一種是.dockercfg,根據(jù)這兩種文件可以從不同的目錄下讀取,例如:

/var/lib/kubelet/config.json
/root/.docker/config.json
/var/lib/kubelet/.dockercfg
/root/.docker/.dockercfg
...

所以只要上述的文件只要有私有倉庫的登錄信息就能達到拉取私有倉庫的目的。

?著作權歸作者所有,轉載或內容合作請聯(lián)系作者
【社區(qū)內容提示】社區(qū)部分內容疑似由AI輔助生成,瀏覽時請結合常識與多方信息審慎甄別。
平臺聲明:文章內容(如有圖片或視頻亦包括在內)由作者上傳并發(fā)布,文章內容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

相關閱讀更多精彩內容

  • Spring Cloud為開發(fā)人員提供了快速構建分布式系統(tǒng)中一些常見模式的工具(例如配置管理,服務發(fā)現(xiàn),斷路器,智...
    卡卡羅2017閱讀 136,506評論 19 139
  • Spring Boot 參考指南 介紹 轉載自:https://www.gitbook.com/book/qbgb...
    毛宇鵬閱讀 47,256評論 6 342
  • 我愛你, 無關你愛不愛我, 只是我想愛你而已!
    情深深幾許閱讀 134評論 0 0
  • 當我想形容一下什么的時候 我的腦子空空 我用不起華彩 也受不了粗樸 我把你比作糖 因為最愛聽甜甜的 你卻唱不好它 ...
    小丐閱讀 218評論 0 0
  • 北京時間8月18日,由酷高網(wǎng)和陽江濤景高爾夫球會發(fā)起的2016首屆粵西公開賽暨2016廣東業(yè)余高爾夫隊際公開賽粵西...
    高球動態(tài)閱讀 267評論 0 0

友情鏈接更多精彩內容