On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <[email protected]> wrote:

> So there is no way with the oc command to import an image and not have it
> need the remote to exist after that? I’d just have to use docker push
> instead?

currently that is correct.

> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <[email protected]> wrote:
>
>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <[email protected]>
>> wrote:
>>
>>>> So it sounds like the local option means after it’s pulled once it will
>>>> exist in the local registry?
>>>
>>> Hmm It always seems to do the pull-through
>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>> Not sure what will happen if the remote is down.
>>
>> the blobs will be mirrored in the local registry, but the manifest is not
>> (currently) so the remote still needs to be accessible, but the pull should
>> be faster once the blobs have been cached in the local registry. (assuming
>> mirroring pullthrough is turned on, which by default I believe it is).
>>
>>> On 18 November 2017 at 16:53, Joel Pearson <[email protected]> wrote:
>>>
>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>> important if it’s all internal traffic.
>>>>
>>>> I’ll try out that local option I think that’s what I want. Because I
>>>> don’t want to have to rely on the remote registry always being there,
>>>> because we’re thinking of shutting down our dev and test clusters at night
>>>> time.
>>>>
>>>> So it sounds like the local option means after it’s pulled once it will
>>>> exist in the local registry?
>>>>
>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Joel,
>>>>>
>>>>> By default the imported image stream tag will have a reference policy
>>>>> of Source. That means the pod will end up pulling the image from the
>>>>> remote registry directly. For that to work you have to link a secret
>>>>> containing the docker credentials with the deployment's sa. For the
>>>>> default sa this looks like this
>>>>>
>>>>>     oc secrets link default my-dockercfg --for=pull
>>>>>
>>>>> The other option is to set the istag's reference policy to Local.
>>>>>
>>>>>     tags:
>>>>>     - annotations: null
>>>>>       ...
>>>>>       name: latest
>>>>>       referencePolicy:
>>>>>         type: Local
>>>>>
>>>>> Now the pod will try to get the image from the local registry which in
>>>>> turn will pull from the remote. The registry will look for a dockercfg
>>>>> secret with the remote server name. By default communication with the
>>>>> remote registry will not use ssl. This is controlled by the istag import
>>>>> policy:
>>>>>
>>>>>     importPolicy:
>>>>>       insecure: true
>>>>>
>>>>> I have not been able to get it to work with insecure: false. I can't
>>>>> find the right place to put the remote's ca for the registry to use it.
>>>>> But it all works well when insecure is true.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Lionel
>>>>>
>>>>> On 18 November 2017 at 13:59, Joel Pearson <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image"
>>>>>> to pull an image from one openshift cluster to another. I set up the
>>>>>> docker secrets, and it appeared to be working as there was a bunch of
>>>>>> metadata visible in the image stream.
>>>>>>
>>>>>> However, when I actually started a pod, it seemed at that point it
>>>>>> tried to get the actual layers from the remote registry of the other
>>>>>> openshift cluster, at this point it got some authentication error,
>>>>>> which is super bizarre since it happily imported all the metadata fine.
>>>>>>
>>>>>> Is there some way to actually do the equivalent of docker pull? So
>>>>>> that the image data is transferred in that moment, as opposed to an
>>>>>> on-demand "lazy" transfer?
>>>>>>
>>>>>> Can "oc tag" actually copy the data?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Joel
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> [email protected]
>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>> --
>> Ben Parees | OpenShift

--
Ben Parees | OpenShift
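
Added example, not part of the original thread and not OpenShift's own code: a Python check over `oc get imagestreams -o json` output that reports, for each tag imported from a remote registry, whether `importPolicy.insecure` is set and which reference policy (Source or Local) applies. The sample data, the registry host and the finding labels are constructed for illustration.

```python
import json

# Constructed sample in the shape of `oc get imagestreams -o json` (names are made up).
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ImageStream",
  "metadata": {"namespace": "demo", "name": "app"},
  "spec": {"tags": [
   {"name": "latest",
    "from": {"kind": "DockerImage", "name": "registry.remote.example/proj/app:latest"},
    "importPolicy": {"insecure": true},
    "referencePolicy": {"type": "Local"}},
   {"name": "stable",
    "from": {"kind": "DockerImage", "name": "registry.remote.example/proj/app:stable"}},
   {"name": "prod",
    "from": {"kind": "ImageStreamTag", "name": "app:stable"}}
  ]}}
]}
""")


def audit_image_streams(doc):
    """Map 'namespace/stream:tag' -> (remote, findings) for tags imported from a remote registry."""
    streams = doc["items"] if "items" in doc else [doc]  # list output or a single stream
    report = {}
    for stream in streams:
        meta = stream.get("metadata", {})
        for tag in stream.get("spec", {}).get("tags") or []:
            source = tag.get("from") or {}
            if source.get("kind") != "DockerImage":
                continue  # tag tracks another image stream, not a remote registry
            findings = []
            if (tag.get("importPolicy") or {}).get("insecure"):
                findings.append("insecure-import")  # TLS to the remote is not enforced
            # An absent referencePolicy is treated as Source, the default described in the thread.
            policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
            if policy == "Source":
                findings.append("pods-pull-from-remote")  # pull secret must be linked to the sa
            else:
                findings.append("pullthrough-via-local-registry")  # remote manifest still needed
            key = f"{meta.get('namespace')}/{meta.get('name')}:{tag.get('name')}"
            report[key] = (source.get("name"), findings)
    return report


if __name__ == "__main__":
    for key, (remote, findings) in sorted(audit_image_streams(SAMPLE).items()):
        print(key, remote, ",".join(findings))
```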
