[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How to pull images from a remote registry with the actual layers instead of just metadata?



So it sounds like the local option means after it’s pulled once it will exist in the local registry?

Hmm It always seems to do the pull-through. Not sure what will happen if the remote is down.

On 18 November 2017 at 16:53, Joel Pearson <japearson agiledigital com au> wrote:
Thanks Lionel. I guess one way to make it secure would be to have a certificate that’s valid on the internet. But I guess it’s not really important if it’s all internal traffic.

I’ll try out that local option I think that’s what I want. Because I don’t want to have to rely on the remote registry always being there, because we’re thinking of shutting down our dev and test clusters at night time.

So it sounds like the local option means after it’s pulled once it will exist in the local registry?

On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lionelve gmail com> wrote:
Hi Joel,

By default the imported image stream tag will have a reference policy of Source. That means the pod will end up pulling the image from the remote registry directly. For that to work you have to link a secret containing the docker credentials with the deployment's sa. For the default sa this looks like this

 oc secrets link default my-dockercfg --for="">

The other option is to set the istag's reference policy to Local.

tags:
    - annotations: null
  ...
      name: latest
      referencePolicy:
        type: Local  . 

Now the pod will try to get the image from the local registry which in turn will pull from the remote. The registry will look for a dockercfg secret with the remote server name. By default communication with the remote registry will not use ssl. This is controlled by the istag import policy:

importPolicy: insecure: true

I have not been able to get it to work with insecure: false. I can't find the right place to put the remote's ca for the registry to use it. But it all works well when insecure is true.


Cheers

Lionel


On 18 November 2017 at 13:59, Joel Pearson <japearson agiledigital com au> wrote:
Hi,

I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to pull an image from one openshift cluster to another.  I setup the docker secrets, and it appeared to be working as there was a bunch of metadata visible in the image stream.

However, when actually started a pod, it seemed at that point it tried to get the actual layers from the remote registry of the other openshift cluster, at this point it got some authentication error, which is super bizarre since it happily imported all the metadata fine.

Is there some way to actually do the equivalent of docker pull?  So that the image data is transferred in that moment, as opposed to a on-demand "lazy" transfer?

Can "oc tag" actually copy the data?

Thanks,

Joel

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]