Installing a Stand-alone Deployment of OpenShift Container Registry

You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see [4]

You are viewing documentation for a release that is no longer supported. The latest supported version of version 3 is [3.11]. For the most recent version 4, see [4]

About OpenShift Container Registry

OKD is a fully-featured enterprise solution that includes an integrated container registry called OpenShift Container Registry (OCR). Alternatively, instead of deploying OKD as a full PaaS environment for developers, you can install OCR as a stand-alone container registry to run on-premise or in the cloud.

When installing a stand-alone deployment of OCR, a cluster of masters and nodes is still installed, similar to a typical OKD installation. Then, the container registry is deployed to run on the cluster. This stand-alone deployment option is useful for administrators that want a container registry, but do not require the full OKD environment that includes the developer-focused web console and application build and deployment tools.

OCR provides the following capabilities:

• A user-focused registry web console, Cockpit.

• Secured traffic by default, served via TLS.

• Global identity provider authentication.

• A project namespace model to enable teams to collaborate through role-based access control (RBAC) authorization.

• A Kubernetes-based cluster to manage services.

• An image abstraction called image streams to enhance image management.

Administrators may want to deploy a stand-alone OCR to manage a registry separately that supports multiple OKD clusters. A stand-alone OCR also enables administrators to separate their registry to satisfy their own security or compliance requirements.

Minimum Hardware Requirements

Installing a stand-alone OCR has the following hardware requirements:

• Physical or virtual system, or an instance running on a public or private IaaS.

• Base OS: Fedora 21, CentOS 7.4, or RHEL 7.4 or 7.5 with the “Minimal” installation option and the latest packages from the RHEL 7 Extras channel, or RHEL Atomic Host 7.4.5 or later.

• NetworkManager 1.0 or later

• 2 vCPU.

• Minimum 16 GB RAM.

• Minimum 15 GB hard disk space for the file system containing /var/.

• An additional minimum 15 GB unallocated space to be used for Docker’s storage back end; see Configuring Docker Storage for details.

Supported System Topologies

The following system topologies are supported for stand-alone OCR:

Host Preparation

Before installing stand-alone OCR, all of the same steps detailed in the Host Preparation topic for installing a full OKD PaaS must be performed. This includes registering and subscribing the host(s) to the proper repositories, installing or updating certain packages, and setting up Docker and its storage requirements.

Follow the steps in the Host Preparation topic, then continue to Stand-alone Registry Installation Methods.

Installing Using Ansible

When installing stand-alone OCR, the steps are mostly the same as installing a full OKD cluster using Ansible, as described in the full cluster installation process. The main difference is that you must set deployment_subtype=registry in the inventory file within the [OSEv3:vars] section for the playbooks to follow the registry installation path.

See the following example inventory files for the different supported system topologies:

All-in-one Stand-alone OpenShift Container Registry Inventory File

# Create an OSEv3 group that contains the masters and nodes groups
[OSEv3:children]
masters
nodes
etcd
# Set variables common for all OSEv3 hosts
[OSEv3:vars]
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
openshift_master_default_subdomain=apps.test.example.com
# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true
openshift_deployment_type=openshift-enterprise
deployment_subtype=registry (1)
openshift_hosted_infra_selector="" (2)
# uncomment the following to enable htpasswd authentication; defaults to DenyAllPasswordIdentityProvider
#openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
# host group for masters
[masters]
registry.example.com
# host group for etcd
[etcd]
registry.example.com
# host group for nodes
[nodes]
registry.example.com openshift_node_group_name='node-config-all-in-one'

Multiple Masters (Highly-Available) Stand-alone OpenShift Container Registry Inventory File

# Create an OSEv3 group that contains the master, nodes, etcd, and lb groups.
# The lb group lets Ansible configure HAProxy as the load balancing solution.
# Comment lb out if your load balancer is pre-configured.
[OSEv3:children]
masters
nodes
etcd
lb
# Set variables common for all OSEv3 hosts
[OSEv3:vars]
ansible_ssh_user=root
openshift_deployment_type=openshift-enterprise
deployment_subtype=registry (1)
openshift_master_default_subdomain=apps.test.example.com
# Uncomment the following to enable htpasswd authentication; defaults to
# DenyAllPasswordIdentityProvider.
#openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
# Native high availability cluster method with optional load balancer.
# If no lb group is defined installer assumes that a load balancer has
# been preconfigured. For installation the value of
# openshift_master_cluster_hostname must resolve to the load balancer
# or to one or all of the masters defined in the inventory if no load
# balancer is present.
openshift_master_cluster_method=native
openshift_master_cluster_hostname=openshift-internal.example.com
openshift_master_cluster_public_hostname=openshift-cluster.example.com
# apply updated node-config-compute group defaults
openshift_node_groups=[{'name': 'node-config-compute', 'labels': ['node-role.kubernetes.io/compute=true'], 'edits': [{'key': 'kubeletArguments.pods-per-core','value': ['20']}, {'key': 'kubeletArguments.max-pods','value': ['250']}, {'key': 'kubeletArguments.image-gc-high-threshold', 'value':['90']}, {'key': 'kubeletArguments.image-gc-low-threshold', 'value': ['80']}]}]
# enable ntp on masters to ensure proper failover
openshift_clock_enabled=true
# host group for masters
[masters]
master1.example.com
master2.example.com
master3.example.com
# host group for etcd
[etcd]
etcd1.example.com
etcd2.example.com
etcd3.example.com
# Specify load balancer host
[lb]
lb.example.com
# host group for nodes, includes region info
[nodes]
master[1:3].example.com openshift_node_group_name='node-config-master-infra'
node1.example.com       openshift_node_group_name='node-config-compute'
node2.example.com       openshift_node_group_name='node-config-compute'

After you have configured Ansible by defining an inventory file in /etc/ansible/hosts:

1. Run the prerequisites.yml playbook to configure base packages and Docker. This must be run only once before deploying a new cluster. Use the following command, specifying -i if your inventory file located somewhere other than /etc/ansible/hosts:

   The host that you run the Ansible playbook on must have at least 75MiB of free memory per host in the inventory.

   # ansible-playbook [-i /path/to/inventory] \
       ~/openshift-ansible/playbooks/prerequisites.yml

2. Run the deploy_cluster.yml playbook to initiate the installation:

   # ansible-playbook [-i /path/to/inventory] \
       ~/openshift-ansible/playbooks/deploy_cluster.yml