1
我使用與我的分段項目相同的結構設置生產項目減去BuildConfiguration
s,然後將我的容器從分段圖像流標記爲prod圖像流。只有兩個豆莢部署了其中一個,其他豆莢沒有被授權拉扯容器
oc tag my-staging/nginx:latest my-prod/nginx:prod
oc tag my-staging/gunicorn:latest my-prod/gunicorn:prod
oc tag my-staging/celery-worker:latest my-prod/celery-worker:prod
其中每一個爲DeploymentConfig
爲2個副本。前兩個已經拿出了兩個豆莢,但celery-worker
容器只有一個豆莢。其他吊艙生成一個錯誤:
Failed to pull image "172.x.x.x:5000/my-staging/[email protected]:xxx": unauthorized: authentication required
我不明白如何一個kubelet可以訪問,但不是另一個。特別是因爲所有其他豆莢都起來了。
下面是從註冊表中的日誌:
10.1.3.1 - - [22/Feb/2016:02:52:58 +0000] "GET /v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a HTTP/1.1" 401 176 "" "docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64"
time="2016-02-22T02:52:58.297372303Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:cwl-production:default\" cannot get imagestreams/layers in project \"cwl-staging\"" go.version=go1.4.2 http.request.host="172.30.140.184:5000" http.request.id=71a32c41-9e91-40be-9774-166bfa7264f8 http.request.method=GET http.request.remoteaddr="10.1.3.1:48777" http.request.uri="/v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" http.request.useragent="docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64" instance.id=180a3a82-b568-40ab-aaa0-538588e8e765 vars.name="cwl-staging/cwl-leadershift-20-celery-worker" vars.reference="sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a"
time="2016-02-22T02:52:58.297449598Z" level=error msg="error authorizing context: access denied" go.version=go1.4.2 http.request.host="172.30.140.184:5000" http.request.id=71a32c41-9e91-40be-9774-166bfa7264f8 http.request.method=GET http.request.remoteaddr="10.1.3.1:48777" http.request.uri="/v2/cwl-staging/cwl-leadershift-20-celery-worker/manifests/sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a" http.request.useragent="docker/1.8.2-el7.centos go/go1.4.2 kernel/3.10.0-327.4.5.el7.x86_64 os/linux arch/amd64" instance.id=180a3a82-b568-40ab-aaa0-538588e8e765 vars.name="cwl-staging/cwl-leadershift-20-celery-worker" vars.reference="sha256:7a2608ce648b767d65209410fd9f0e8d2fe3f559367c77ba45ba9a713940f83a"
註冊表日誌應該包含有關拒絕的pull操作的信息。這可能是其他註冊表或Kubelet中的意外競爭狀態。如果你刪除了半拉莢,會發生什麼?如果它第二次運行,請使用該期間的節點日誌和註冊表日誌打開問題。如果仍然存在,請嘗試重新啓動節點並查看節點是否繼續。由於這些圖像都在同一個命名空間中,所以我不希望這種行爲是由於您在CLI中執行的操作造成的。 – Clayton
所以圖像共享一個名稱空間,無論imagestreams /項目等? –
刪除吊艙沒有任何區別。附加註冊表容器中的日誌。 –