Wow! Thanks Lars, I’ll try out your ideas on Monday.
On Sat, 18 Nov 2017 at 10:34 pm, Lars Milland <l...@mailme.dk> wrote:

> Hi
>
>
>
> This limitation or ”design” of the oc import-image and also the
> limitations of Docker push where one needs to have the image locally to be
> able to push it, is the reason why we have shifted to use Skopeo for all
> such Docker image importing.
>
>
>
> We have two OpenShift environments with their own OpenShift Docker
> Registries inside, one for test and one for production, and move images up
> from test through the use of Skopeo, using OpenShift service account
> credentials in Jenkins pipelines running from the production OpenShift
> environment. That way we ensure that images are always available in the
> embedded OpenShift Docker registry, and not have the OpenShift environment
> be dependent on other resources as in this case an external Docker registry.
>
>
>
> We are then also using Skopeo to copy in Docker images that are not our
> own, from DockerHub or other Docker registries outside our OpenShift
> environments.
>
>
>
> We have added the Skopeo command to the Jenkins slave images we use for
> all deployment pipeline activities, so imports of images cross environments
> can be run inside our Jenkins pipelines.
>
>
>
> So a Jenkins based pipeline that imports a Java application based image
> and activates the matching Fabric8 based DeploymentConfig running from the
> OpenShift production environment as a Maven/Fabric8/Skopeo Jenkins slave
> connecting to the OpenShift Test environment, would look like this:
>
>
>
> def version() {
>     // Read the project version out of pom.xml (first <version> element)
>     def matcher = readFile('pom.xml') =~ '<version>(.+)</version>'
>     matcher ? matcher[0][1] : null
> }
>
> def destNamespace = 'myproject'
> def srcRegistry = 'registry-test.mydomain.com:443'
> def destRegistry = 'docker-registry.default.svc:5000'
> def srcNamespace = 'myproject-preproduction'
> def application = 'myapp'
> def version = version()
> def tag = application + '-' + version
> def kubernetesserver = 'https://kubernetes.default:443'
> def srckubernetesserver = 'https://openshift-test.mydomain.com:8443'
> def replicaCount = '2'
>
> node('java8-maven') {
>     withEnv(["KUBERNETES_TRUST_CERTIFICATES=true",
>              "KUBERNETES_NAMESPACE=${destNamespace}"]) {
>
>         checkout scm
>
>         stage('Import Image') {
>             withCredentials([
>                 usernamePassword(credentialsId: 'test-myproject-builder',
>                                  passwordVariable: 'SRC_TOKEN',
>                                  usernameVariable: 'SRC_USERNAME'),
>                 usernamePassword(credentialsId: 'prod-myproject-builder',
>                                  passwordVariable: 'DEST_TOKEN',
>                                  usernameVariable: 'DEST_USERNAME')
>             ]) {
>                 // The tokens are read by the shell from the environment that
>                 // withCredentials sets ($SRC_TOKEN / $DEST_TOKEN), not interpolated
>                 // into the Groovy string, so they never become part of the script
>                 // text Jenkins records. The --insecure-skip-tls-verify and
>                 // --*-tls-verify=false flags disable certificate checks against
>                 // both API servers and both registries.
>                 sh """
>                     echo "Importing image with Skopeo ${srcRegistry}/${srcNamespace}/${application}:${tag} -> ${destRegistry}/${destNamespace}/${application}:${tag}"
>
>                     oc login ${kubernetesserver} --token=\$DEST_TOKEN --insecure-skip-tls-verify
>                     oc login ${srckubernetesserver} --token=\$SRC_TOKEN --insecure-skip-tls-verify
>
>                     skopeo --debug copy --src-tls-verify=false --dest-tls-verify=false \\
>                         --src-creds openshift:\$SRC_TOKEN --dest-creds openshift:\$DEST_TOKEN \\
>                         atomic:${srcRegistry}/${srcNamespace}/${application}:${tag} \\
>                         atomic:${destRegistry}/${destNamespace}/${application}:${tag}
>
>                     echo 'Executing deploy of latest DeploymentController'
>                     oc login ${kubernetesserver} --token=\$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) --insecure-skip-tls-verify
>
>                     mvn -B -e -Dappargs='--spring.profiles.active=production --spring.cloud.kubernetes.secrets.paths=/tmp/applicationproperties' \\
>                         -Dmaven.test.skip=true -Djava.net.preferIPv4Stack=true \\
>                         -Dfabric8.mode=openshift -Dfabric8.skipResourceValidation=true \\
>                         -Dopenshiftnamespace=${destNamespace} -Dreplicas=${replicaCount} \\
>                         clean fabric8:resource-apply -s devops/maven/settings.xml
>
>                     oc rollout latest dc/${application} -n ${destNamespace}
>                 """
>
>                 openshiftVerifyDeployment depCfg: "${application}", namespace: "${destNamespace}",
>                                           verifyReplicaCount: "${replicaCount}"
>             }
>         }
>     }
> }
>
> Best regards
>
> Lars Milland
>
>
>
> From: users-boun...@lists.openshift.redhat.com [mailto:users-boun...@lists.openshift.redhat.com] On Behalf Of Joel Pearson
> Sent: 18 November 2017 08:55
> To: Ben Parees <bpar...@redhat.com>
> Cc: users <users@lists.openshift.redhat.com>
> Subject: Re: How to pull images from a remote registry with the actual layers instead of just metadata?
>
>
>
> Ahh ok. Is there some way to abuse build configs to push existing images
> to remote OpenShift registries?
>
> On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:
>
> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
> So there is no way with the oc command to import an image and not have it
> need the remote to exist after that? I’d just have to use docker push
> instead?
>
>
>
> currently that is correct.
>
>
>
>
>
> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>
> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com>
> wrote:
>
> So it sounds like the local option means after it’s pulled once it will
> exist in the local registry?
>
>
>
> Hmm, it always seems to do the pull-through
> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
> Not sure what will happen if the remote is down.
>
>
>
> the blobs will be mirrored in the local registry, but the manifest is not
> (currently) so the remote still needs to be accessible, but the pull should
> be faster once the blobs have been cached in the local registry.  (assuming
> mirroring pullthrough is turned on, which by default i believe it is).
>
>
> On 18 November 2017 at 16:53, Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
> Thanks Lionel. I guess one way to make it secure would be to have a
> certificate that’s valid on the internet. But I guess it’s not really
> important if it’s all internal traffic.
>
> I’ll try out that local option; I think that’s what I want, because I don’t
> want to have to rely on the remote registry always being there, because
> we’re thinking of shutting down our dev and test clusters at night time.
>
> So it sounds like the local option means after it’s pulled once it will
> exist in the local registry?
>
>
>
> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com>
> wrote:
>
> Hi Joel,
>
>
>
> By default the imported image stream tag will have a reference policy of
> Source. That means the pod will end up pulling the image from the remote
> registry directly. For that to work you have to link a secret containing
> the docker credentials with the deployment's sa. For the default sa this
> looks like this
>
>
>
>  oc secrets link default my-dockercfg --for=pull
>
>
>
> The other option is to set the istag's reference policy to Local.
>
>
>
> tags:
>   - annotations: null
>     ...
>     name: latest
>     referencePolicy:
>       type: Local
>
>
>
> Now the pod will try to get the image from the local registry which in
> turn will pull from the remote. The registry will look for a dockercfg
> secret with the remote server name. By default communication with the
> remote registry will not use ssl. This is controlled by the istag import
> policy:
>
>
>
> importPolicy:
>   insecure: true
>
>
>
> I have not been able to get it to work with insecure: false. I can't find
> the right place to put the remote's ca for the registry to use it. But it
> all works well when insecure is true.
>
> Cheers
>
>
>
> Lionel
>
> On 18 November 2017 at 13:59, Joel Pearson <japear...@agiledigital.com.au>
> wrote:
>
> Hi,
>
>
>
> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image" to
> pull an image from one openshift cluster to another.  I setup the docker
> secrets, and it appeared to be working as there was a bunch of metadata
> visible in the image stream.
>
>
>
> However, when I actually started a pod, it seemed at that point it tried to
> get the actual layers from the remote registry of the other openshift
> cluster, and at this point it got some authentication error, which is super
> bizarre since it happily imported all the metadata fine.
>
>
>
> Is there some way to actually do the equivalent of docker pull?  So that
> the image data is transferred in that moment, as opposed to an on-demand
> "lazy" transfer?
>
>
>
> Can "oc tag" actually copy the data?
>
>
>
> Thanks,
>
>
>
> Joel
>
>
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
>
>
>
>
>
> --
>
> Ben Parees | OpenShift
>
>
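Added here as an example, not code from the thread or from OpenShift: a small audit over the JSON that `oc get is <name> -o json` prints, flagging the two tag settings Lionel describes, `importPolicy.insecure` (the registry talks to the remote without TLS verification) and a `referencePolicy` of `Source` (pods pull from the remote registry directly, so it has to stay reachable and the pull secret has to be linked to the service account). Per Lionel's note, `Source` is also treated as the default when the field is absent. The sample ImageStream document and its registry names are constructed.

```python
import json

# Constructed sample of `oc get is myapp -o json` output (not from the thread).
SAMPLE_IMAGESTREAM = json.dumps({
    "kind": "ImageStream",
    "metadata": {"name": "myapp", "namespace": "myproject"},
    "spec": {"tags": [
        {"name": "latest",
         "from": {"kind": "DockerImage",
                  "name": "registry-test.mydomain.com:443/myproject-preproduction/myapp:latest"},
         "importPolicy": {"insecure": True},
         "referencePolicy": {"type": "Source"}},
        {"name": "stable",
         "from": {"kind": "DockerImage",
                  "name": "registry-test.mydomain.com:443/myproject-preproduction/myapp:stable"},
         "importPolicy": {"insecure": False},
         "referencePolicy": {"type": "Local"}},
    ]},
})


def audit_imagestream(is_json: str) -> list:
    """Return one finding per risky tag setting in an ImageStream JSON document.

    Only tags that point at an external image (from.kind == DockerImage) are
    examined; istag-to-istag references stay inside the cluster registry.
    """
    obj = json.loads(is_json)
    meta = obj.get("metadata", {}) or {}
    ns, name = meta.get("namespace", ""), meta.get("name", "")
    findings = []
    for tag in obj.get("spec", {}).get("tags", []) or []:
        src = tag.get("from", {}) or {}
        if src.get("kind") != "DockerImage":
            continue
        ref = f"{ns}/{name}:{tag.get('name', '?')}"
        remote = src.get("name")
        # importPolicy.insecure=true: manifest/blob fetches from the remote skip TLS checks
        if (tag.get("importPolicy", {}) or {}).get("insecure", False):
            findings.append(f"{ref}: importPolicy.insecure=true (remote {remote} "
                            f"fetched without TLS verification)")
        # referencePolicy Source (the default): pods pull straight from the remote
        if (tag.get("referencePolicy", {}) or {}).get("type", "Source") == "Source":
            findings.append(f"{ref}: referencePolicy=Source (pods pull directly from {remote})")
    return findings


if __name__ == "__main__":
    for finding in audit_imagestream(SAMPLE_IMAGESTREAM):
        print(finding)
```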