Ahh ok. Is there some way to abuse build configs to push existing images to remote OpenShift registries?

On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:

> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>
>> So there is no way with the oc command to import an image and not have it
>> need the remote to exist after that? I’d just have to use docker push
>> instead?
>
> currently that is correct.
>
>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>>
>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com> wrote:
>>>
>>>>> So it sounds like the local option means after it’s pulled once it will
>>>>> exist in the local registry?
>>>>
>>>> Hmm, it always seems to do the pull-through
>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>> Not sure what will happen if the remote is down.
>>>
>>> the blobs will be mirrored in the local registry, but the manifest is
>>> not (currently) so the remote still needs to be accessible, but the pull
>>> should be faster once the blobs have been cached in the local registry.
>>> (assuming mirroring pullthrough is turned on, which by default I believe it
>>> is).
>>>
>>>> On 18 November 2017 at 16:53, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>
>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>> important if it’s all internal traffic.
>>>>>
>>>>> I’ll try out that local option, I think that’s what I want. Because I
>>>>> don’t want to have to rely on the remote registry always being there,
>>>>> because we’re thinking of shutting down our dev and test clusters at
>>>>> night time.
>>>>>
>>>>> So it sounds like the local option means after it’s pulled once it
>>>>> will exist in the local registry?
>>>>>
>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com> wrote:
>>>>>
>>>>>> Hi Joel,
>>>>>>
>>>>>> By default the imported image stream tag will have a reference policy
>>>>>> of Source. That means the pod will end up pulling the image from the
>>>>>> remote registry directly. For that to work you have to link a secret
>>>>>> containing the docker credentials with the deployment's sa. For the
>>>>>> default sa this looks like this
>>>>>>
>>>>>>     oc secrets link default my-dockercfg --for=pull
>>>>>>
>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>
>>>>>>     tags:
>>>>>>     - annotations: null
>>>>>>       ...
>>>>>>       name: latest
>>>>>>       referencePolicy:
>>>>>>         type: Local
>>>>>>
>>>>>> Now the pod will try to get the image from the local registry which
>>>>>> in turn will pull from the remote. The registry will look for a dockercfg
>>>>>> secret with the remote server name. By default communication with the
>>>>>> remote registry will not use ssl. This is controlled by the istag import
>>>>>> policy:
>>>>>>
>>>>>>     importPolicy:
>>>>>>       insecure: true
>>>>>>
>>>>>> I have not been able to get it to work with insecure: false. I can't
>>>>>> find the right place to put the remote's ca for the registry to use it.
>>>>>> But it all works well when insecure is true.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Lionel
>>>>>>
>>>>>> On 18 November 2017 at 13:59, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image"
>>>>>>> to pull an image from one openshift cluster to another. I set up the
>>>>>>> docker secrets, and it appeared to be working as there was a bunch of
>>>>>>> metadata visible in the image stream.
>>>>>>>
>>>>>>> However, when I actually started a pod, it seemed at that point it
>>>>>>> tried to get the actual layers from the remote registry of the other
>>>>>>> openshift cluster, at this point it got some authentication error,
>>>>>>> which is super bizarre since it happily imported all the metadata fine.
>>>>>>>
>>>>>>> Is there some way to actually do the equivalent of docker pull? So
>>>>>>> that the image data is transferred in that moment, as opposed to an
>>>>>>> on-demand "lazy" transfer?
>>>>>>>
>>>>>>> Can "oc tag" actually copy the data?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Joel
>>>
>>> --
>>> Ben Parees | OpenShift
>
> --
> Ben Parees | OpenShift

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
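
Added example, not part of the original thread: a small audit of an image stream's tags that reports, for each tag, whether pods pull from the remote directly (Source) or through the local registry (Local), and whether the import policy is insecure, as discussed in the messages above. The JSON is a constructed sample in the shape of `oc get imagestream <name> -o json`; the registry host, namespace, tag names and the `audit_tags` helper are assumptions for illustration.

```python
import json

# Constructed sample in the shape of `oc get imagestream myapp -o json`;
# the registry host, namespace and tag names are made up for illustration.
SAMPLE = json.loads("""
{"kind": "ImageStream", "metadata": {"name": "myapp", "namespace": "demo"},
 "spec": {"tags": [
  {"name": "latest",
   "from": {"kind": "DockerImage", "name": "registry.dev.example.com/demo/myapp:latest"},
   "importPolicy": {"insecure": true}, "referencePolicy": {"type": "Local"}},
  {"name": "stable",
   "from": {"kind": "DockerImage", "name": "registry.dev.example.com/demo/myapp:stable"},
   "importPolicy": {}, "referencePolicy": {"type": "Source"}},
  {"name": "v1",
   "from": {"kind": "DockerImage", "name": "registry.dev.example.com/demo/myapp:v1"}}
 ]}}
""")


def audit_tags(image_stream):
    """Return one finding per spec tag: where pods pull from and how the import is secured."""
    findings = []
    for tag in image_stream.get("spec", {}).get("tags", []):
        remote = (tag.get("from") or {}).get("name", "").split("/")[0]
        # An unset referencePolicy is treated as Source, the default named in the thread.
        policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
        insecure = bool((tag.get("importPolicy") or {}).get("insecure", False))
        if policy == "Local":
            notes = ["pods pull through the local registry; per the thread the remote "
                     "must stay reachable because the manifest is not mirrored"]
        else:
            notes = ["pods pull from the remote directly; link a pull secret "
                     "to the service account (oc secrets link ... --for=pull)"]
        if insecure:
            notes.append("insecure import: certificate verification may be "
                         "bypassed or plain HTTP used toward the remote")
        findings.append({"tag": tag.get("name"), "remote": remote,
                         "referencePolicy": policy, "insecure": insecure,
                         "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_tags(SAMPLE):
        print(f"{f['tag']}: referencePolicy={f['referencePolicy']} "
              f"insecure={f['insecure']} remote={f['remote']}")
        for note in f["notes"]:
            print("  -", note)
```

To run it against a live cluster, feed it the parsed output of `oc get imagestream <name> -o json` instead of the constructed sample.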