Mirroring (which happens automatically on pull through) can be used by
invoking a HEAD request on the registry for each of the layers.  At some
point that might be automatic / controllable by the user.

In 3.7 there is a new command “oc image mirror” that can copy images to
your registry in bulk.  You can also use skopeo or another image tool.

Note one correction above - insecure: false is the default, which means the
registry will *require* a valid HTTPS endpoint.  Setting “true” means the
registry will check https first (and not fail if the cert is invalid) and
then fall back to http.  If you have self signed certs, you’d want to make
those trusted by everything in the cluster as Ben described.

On Nov 18, 2017, at 2:55 AM, Joel Pearson <japear...@agiledigital.com.au>
wrote:

Ahh ok. Is there some way to abuse build configs to push existing images
to remote OpenShift registries?
On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:

> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> So there is no way with the oc command to import an image and not have it
>> need the remote to exist after that? I’d just have to use docker push
>> instead?
>
>
> currently that is correct.
>
>
>>
>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>>
>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com>
>>> wrote:
>>>
>>>> So it sounds like the local option means after it’s pulled once it will
>>>>> exist in the local registry?
>>>>
>>>>
>>>> Hmm It always seems to do the pull-through
>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>> Not sure what will happen if the remote is down.
>>>>
>>>
>>> the blobs will be mirrored in the local registry, but the manifest is
>>> not (currently) so the remote still needs to be accessible, but the pull
>>> should be faster once the blobs have been cached in the local registry.
>>> (assuming mirroring pullthrough is turned on, which by default I believe it
>>> is).
>>>
>>>
>>>
>>>
>>>>
>>>> On 18 November 2017 at 16:53, Joel Pearson <
>>>> japear...@agiledigital.com.au> wrote:
>>>>
>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>> important if it’s all internal traffic.
>>>>>
>>>>> I’ll try out that local option I think that’s what I want. Because I
>>>>> don’t want to have to rely on the remote registry always being there,
>>>>> because we’re thinking of shutting down our dev and test clusters at night
>>>>> time.
>>>>>
>>>>> So it sounds like the local option means after it’s pulled once it
>>>>> will exist in the local registry?
>>>>>
>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Joel,
>>>>>>
>>>>>> By default the imported image stream tag will have a reference policy
>>>>>> of Source. That means the pod will end up pulling the image from the remote
>>>>>> registry directly. For that to work you have to link a secret containing
>>>>>> the docker credentials with the deployment's sa. For the default sa this
>>>>>> looks like this
>>>>>>
>>>>>>  oc secrets link default my-dockercfg --for=pull
>>>>>>
>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>
>>>>>> tags:
>>>>>>     - annotations: null
>>>>>>       ...
>>>>>>       name: latest
>>>>>>       referencePolicy:
>>>>>>         type: Local
>>>>>>
>>>>>> Now the pod will try to get the image from the local registry which
>>>>>> in turn will pull from the remote. The registry will look for a dockercfg
>>>>>> secret with the remote server name. By default communication with the
>>>>>> remote registry will not use ssl. This is controlled by the istag import
>>>>>> policy:
>>>>>>
>>>>>> importPolicy:
>>>>>>   insecure: true
>>>>>>
>>>>>> I have not been able to get it to work with insecure: false. I can't
>>>>>> find the right place to put the remote's ca for the registry to use it. But
>>>>>> it all works well when insecure is true.
>>>>>>
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Lionel
>>>>>>
>>>>>>
>>>>>> On 18 November 2017 at 13:59, Joel Pearson <
>>>>>> japear...@agiledigital.com.au> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc import-image"
>>>>>>> to pull an image from one openshift cluster to another.  I set up the docker
>>>>>>> secrets, and it appeared to be working as there was a bunch of metadata
>>>>>>> visible in the image stream.
>>>>>>>
>>>>>>> However, when I actually started a pod, it seemed at that point it
>>>>>>> tried to get the actual layers from the remote registry of the other
>>>>>>> openshift cluster, at this point it got some authentication error, which is
>>>>>>> super bizarre since it happily imported all the metadata fine.
>>>>>>>
>>>>>>> Is there some way to actually do the equivalent of docker pull?  So
>>>>>>> that the image data is transferred in that moment, as opposed to a
>>>>>>> on-demand "lazy" transfer?
>>>>>>>
>>>>>>> Can "oc tag" actually copy the data?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Joel
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> users mailing list
>>>>>>> users@lists.openshift.redhat.com
>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Ben Parees | OpenShift
>>>
>>>
>
>
> --
> Ben Parees | OpenShift
>

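The per-layer HEAD request mentioned at the top of this thread, combined with a TLS context that keeps certificate verification on while trusting a private CA (the alternative to `insecure: true`), as an added example that is not part of the original messages. The blob path follows the Docker Registry HTTP API v2; the registry host, repository name, CA file and authorization header are assumptions supplied by the caller, and the sample manifest is constructed.

```python
import json
import ssl
import urllib.request

# Constructed sample: schema 2 image manifest with made-up digests, one layer repeated.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "layers": [
        {"size": 977, "digest": "sha256:" + "b" * 64},
        {"size": 1024, "digest": "sha256:" + "c" * 64},
        {"size": 977, "digest": "sha256:" + "b" * 64},
    ],
})


def layer_blob_urls(registry, repository, manifest_json):
    """Return one HTTPS blob URL per unique layer digest, in manifest order."""
    manifest = json.loads(manifest_json)
    if manifest.get("schemaVersion") != 2 or not isinstance(manifest.get("layers"), list):
        raise ValueError("expected a schema 2 image manifest with a 'layers' list")
    urls = []
    for layer in manifest["layers"]:
        digest = layer["digest"]
        algo, _, hexpart = digest.partition(":")
        # Reject anything that is not a plain sha256 digest before it reaches a URL.
        if algo != "sha256" or len(hexpart) != 64 or set(hexpart) - set("0123456789abcdef"):
            raise ValueError(f"unexpected digest: {digest!r}")
        url = f"https://{registry}/v2/{repository}/blobs/{digest}"
        if url not in urls:
            urls.append(url)
    return urls


def verifying_context(ca_file=None):
    """TLS context that always verifies the registry; ca_file trusts a private CA."""
    return ssl.create_default_context(cafile=ca_file)


def head_layers(urls, auth_header, ca_file=None):
    """HEAD each blob URL (needs network); returns {url: HTTP status}."""
    ctx = verifying_context(ca_file)
    statuses = {}
    for url in urls:
        req = urllib.request.Request(url, method="HEAD",
                                     headers={"Authorization": auth_header})
        with urllib.request.urlopen(req, context=ctx) as resp:
            statuses[url] = resp.status
    return statuses
```

`head_layers` raises on a certificate that does not chain to the system store or to `ca_file`, so a misconfigured CA surfaces as an error instead of a silent downgrade to HTTP.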