On Sat, Nov 18, 2017 at 2:54 AM, Joel Pearson <[email protected]> wrote:

> Ahh ok. Is there some way to abuse build configs to push existing images
> to remote OpenShift registries?

technically you could probably have a dockerfile that just says "FROM imagex" and nothing else, and put that in a buildconfig. I'm not sure if that would introduce any new layers during the docker build or not. But it's probably not the right solution for moving images around regardless.

> On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <[email protected]> wrote:
>
>> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <[email protected]> wrote:
>>
>>> So there is no way with the oc command to import an image and not have
>>> it need the remote to exist after that? I’d just have to use docker push
>>> instead?
>>
>> currently that is correct.
>>
>>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <[email protected]> wrote:
>>>
>>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <[email protected]> wrote:
>>>>
>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>> will exist in the local registry?
>>>>>
>>>>> Hmm It always seems to do the pull-through
>>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>>> Not sure what will happen if the remote is down.
>>>>
>>>> the blobs will be mirrored in the local registry, but the manifest is
>>>> not (currently) so the remote still needs to be accessible, but the pull
>>>> should be faster once the blobs have been cached in the local registry.
>>>> (assuming mirroring pullthrough is turned on, which by default I believe it
>>>> is).
>>>>
>>>>> On 18 November 2017 at 16:53, Joel Pearson <[email protected]> wrote:
>>>>>
>>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>>> important if it’s all internal traffic.
>>>>>>
>>>>>> I’ll try out that local option I think that’s what I want. Because I
>>>>>> don’t want to have to rely on the remote registry always being there,
>>>>>> because we’re thinking of shutting down our dev and test clusters at
>>>>>> night time.
>>>>>>
>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>> will exist in the local registry?
>>>>>>
>>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Joel,
>>>>>>>
>>>>>>> By default the imported image stream tag will have a reference
>>>>>>> policy of Source. That means the pod will end up pulling the image from
>>>>>>> the remote registry directly. For that to work you have to link a secret
>>>>>>> containing the docker credentials with the deployment's sa. For the
>>>>>>> default sa this looks like this
>>>>>>>
>>>>>>>     oc secrets link default my-dockercfg --for=pull
>>>>>>>
>>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>>
>>>>>>>     tags:
>>>>>>>     - annotations: null
>>>>>>>       ...
>>>>>>>       name: latest
>>>>>>>       referencePolicy:
>>>>>>>         type: Local
>>>>>>>
>>>>>>> Now the pod will try to get the image from the local registry which
>>>>>>> in turn will pull from the remote. The registry will look for a
>>>>>>> dockercfg secret with the remote server name. By default communication
>>>>>>> with the remote registry will not use ssl. This is controlled by the
>>>>>>> istag import policy:
>>>>>>>
>>>>>>>     importPolicy:
>>>>>>>       insecure: true
>>>>>>>
>>>>>>> I have not been able to get it to work with insecure: false. I can't
>>>>>>> find the right place to put the remote's ca for the registry to use it.
>>>>>>> But it all works well when insecure is true.
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>>> Lionel
>>>>>>>
>>>>>>> On 18 November 2017 at 13:59, Joel Pearson <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc
>>>>>>>> import-image" to pull an image from one openshift cluster to another.
>>>>>>>> I set up the docker secrets, and it appeared to be working as there was a
>>>>>>>> bunch of metadata visible in the image stream.
>>>>>>>>
>>>>>>>> However, when I actually started a pod, it seemed at that point it
>>>>>>>> tried to get the actual layers from the remote registry of the other
>>>>>>>> openshift cluster, at this point it got some authentication error,
>>>>>>>> which is super bizarre since it happily imported all the metadata fine.
>>>>>>>>
>>>>>>>> Is there some way to actually do the equivalent of docker pull? So
>>>>>>>> that the image data is transferred in that moment, as opposed to an
>>>>>>>> on-demand "lazy" transfer?
>>>>>>>>
>>>>>>>> Can "oc tag" actually copy the data?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Joel

--
Ben Parees | OpenShift
_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
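
The thread turns on two image stream tag fields, `importPolicy.insecure` and `referencePolicy.type`. The following audit is an added example, not code from any participant in the thread or from OpenShift; it reads image stream JSON in the shape `oc get imagestream -o json` emits and reports, per imported tag, whether the import skips TLS verification and where pods will pull from. The sample document, namespace and registry host are constructed.

```python
import json

# Constructed sample (not from the thread): trimmed `oc get imagestream -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [{"kind": "ImageStream",
  "metadata": {"namespace": "demo", "name": "myapp"},
  "spec": {"tags": [
    {"name": "latest",
     "from": {"kind": "DockerImage", "name": "registry.example.com/demo/myapp:latest"},
     "importPolicy": {"insecure": true}, "referencePolicy": {"type": "Local"}},
    {"name": "stable",
     "from": {"kind": "DockerImage", "name": "registry.example.com/demo/myapp:stable"},
     "importPolicy": {}, "referencePolicy": {"type": "Source"}},
    {"name": "prod", "from": {"kind": "ImageStreamTag", "name": "myapp:stable"}}
  ]}}]}
""")


def audit_image_streams(doc):
    """Return one finding per tag that is imported from an external registry."""
    streams = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for stream in streams:
        meta = stream.get("metadata", {})
        for tag in stream.get("spec", {}).get("tags") or []:
            source = tag.get("from") or {}
            if source.get("kind") != "DockerImage":
                continue  # tag follows another image stream tag; nothing is imported
            # Source is the default reference policy, as stated in the thread.
            policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
            findings.append({
                "tag": "%s/%s:%s" % (meta.get("namespace"), meta.get("name"), tag.get("name")),
                "remote": source.get("name"),
                # insecure: true lets the import bypass certificate verification
                "insecure": bool((tag.get("importPolicy") or {}).get("insecure")),
                # Source: pods pull from the remote and need a linked pull secret.
                # Local: pods pull through the integrated registry.
                "pods_pull_from": "integrated registry" if policy == "Local" else "remote registry",
            })
    return findings


if __name__ == "__main__":
    for f in audit_image_streams(SAMPLE):
        flag = "INSECURE" if f["insecure"] else "ok"
        print("%-20s %-8s pods pull from %s (%s)" % (f["tag"], flag, f["pods_pull_from"], f["remote"]))
```

Tags that come back with `insecure` set are the ones to revisit once the remote registry's CA can be trusted by the integrated registry.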
