> So it sounds like the local option means after it’s pulled once it will
> exist in the local registry?

Hmm. It always seems to do the pull-through
<https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
Not sure what will happen if the remote is down.

On 18 November 2017 at 16:53, Joel Pearson <[email protected]> wrote:

> Thanks Lionel. I guess one way to make it secure would be to have a
> certificate that’s valid on the internet. But I guess it’s not really
> important if it’s all internal traffic.
>
> I’ll try out that local option, I think that’s what I want. Because I don’t
> want to have to rely on the remote registry always being there, because
> we’re thinking of shutting down our dev and test clusters at night time.
>
> So it sounds like the local option means after it’s pulled once it will
> exist in the local registry?
>
> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <[email protected]>
> wrote:
>
>> Hi Joel,
>>
>> By default the imported image stream tag will have a reference policy of
>> Source. That means the pod will end up pulling the image from the remote
>> registry directly. For that to work you have to link a secret containing
>> the docker credentials with the deployment's sa. For the default sa this
>> looks like this:
>>
>> oc secrets link default my-dockercfg --for=pull
>>
>> The other option is to set the istag's reference policy to Local.
>>
>> tags:
>> - annotations: null
>>   ...
>>   name: latest
>>   referencePolicy:
>>     type: Local
>>
>> Now the pod will try to get the image from the local registry, which in
>> turn will pull from the remote. The registry will look for a dockercfg
>> secret with the remote server name. By default communication with the
>> remote registry will not use ssl. This is controlled by the istag import
>> policy:
>>
>> importPolicy:
>>   insecure: true
>>
>> I have not been able to get it to work with insecure: false. I can't find
>> the right place to put the remote's ca for the registry to use it. But it
>> all works well when insecure is true.
>>
>> Cheers
>>
>> Lionel
>>
>> On 18 November 2017 at 13:59, Joel Pearson <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to
>>> pull an image from one openshift cluster to another. I set up the docker
>>> secrets, and it appeared to be working as there was a bunch of metadata
>>> visible in the image stream.
>>>
>>> However, when I actually started a pod, it seemed at that point it tried
>>> to get the actual layers from the remote registry of the other openshift
>>> cluster. At this point it got some authentication error, which is super
>>> bizarre since it happily imported all the metadata fine.
>>>
>>> Is there some way to actually do the equivalent of docker pull? So that
>>> the image data is transferred in that moment, as opposed to an on-demand
>>> "lazy" transfer?
>>>
>>> Can "oc tag" actually copy the data?
>>>
>>> Thanks,
>>>
>>> Joel
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
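An added example, not part of the thread and not OpenShift's own code: a small audit over image stream JSON that reports, for each tag tracking a remote registry, which pull path its reference policy gives and whether its import policy is marked insecure. The sample input is constructed (registry host, namespace and stream names are made up), and it assumes the JSON has the shape produced by `oc get imagestream -o json`.

```python
import json

# Constructed sample shaped like `oc get imagestream -o json` output.
# The registry host, namespace and stream names are made up.
SAMPLE = """
{"kind": "List", "items": [{
  "kind": "ImageStream",
  "metadata": {"namespace": "dev", "name": "myapp"},
  "spec": {"tags": [
    {"name": "latest",
     "from": {"kind": "DockerImage", "name": "registry.remote.example/proj/myapp:latest"},
     "importPolicy": {"insecure": true},
     "referencePolicy": {"type": "Local"}},
    {"name": "stable",
     "from": {"kind": "DockerImage", "name": "registry.remote.example/proj/myapp:stable"},
     "importPolicy": {}}
  ]}}]}
"""

def audit(doc):
    """Return one finding per image stream tag that tracks a remote registry."""
    findings = []
    for stream in doc.get("items", [doc]):  # accept a List or a single ImageStream
        meta = stream.get("metadata", {})
        for tag in stream.get("spec", {}).get("tags") or []:
            source = tag.get("from") or {}
            if source.get("kind") != "DockerImage":
                continue  # tag follows another image stream, not a remote registry
            # Per the thread, an imported tag defaults to reference policy Source.
            policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
            insecure = bool((tag.get("importPolicy") or {}).get("insecure"))
            if policy == "Local":
                path = "pod -> local registry -> pull-through to remote"
            else:
                path = "pod -> remote registry (needs a pull secret linked to the sa)"
            findings.append({
                "tag": "%s/%s:%s" % (meta.get("namespace"), meta.get("name"), tag.get("name")),
                "remote": source.get("name"),
                "policy": policy,
                "pull_path": path,
                # insecure: true allows unverified TLS or plain HTTP to the remote
                "tls_unverified": insecure,
            })
    return findings

if __name__ == "__main__":
    for f in audit(json.loads(SAMPLE)):
        flag = "REVIEW" if f["tls_unverified"] else "ok"
        print("[%s] %s policy=%s %s" % (flag, f["tag"], f["policy"], f["pull_path"]))
```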
