It would introduce a new final layer right? Because after every build, OpenShift automatically adds a bunch of labels? On Sun, 19 Nov 2017 at 7:13 am, Ben Parees <bpar...@redhat.com> wrote:
> On Sat, Nov 18, 2017 at 2:54 AM, Joel Pearson < > japear...@agiledigital.com.au> wrote: > >> Ahh ok. Is there some way to abuse build config‘s to push existing images >> to remote OpenShift registries? > > > technically you could probably have a dockerfile that just says "FROM > imagex" and nothing else, and put that in a buildconfig. > > I'm not sure if that would introduce any new layers during the docker > build or not. > > But it's probably not the right solution for moving images around > regardless. > > >> >> On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote: >> >>> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson < >>> japear...@agiledigital.com.au> wrote: >>> >>>> So there is no way with the oc command to import an image and not have >>>> it need the remote to exist after that? I’d just have to use docker push >>>> instead? >>> >>> >>> currently that is correct. >>> >>> >>>> >>>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote: >>>> >>>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com> >>>>> wrote: >>>>> >>>>>> So it sounds like the local option means after it’s pulled once it >>>>>>> will exist in the local registry? >>>>>> >>>>>> >>>>>> Hmm It always seems to do the pull-through >>>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>. >>>>>> Not sure what will happen if the remote is down. >>>>>> >>>>> >>>>> the blobs will be mirrored in the local registry, but the manifest is >>>>> not (currently) so the remote still needs to be accessible, but the pull >>>>> should be faster once the blobs have been cached in the local registry. >>>>> (assuming mirroring pullthrough is turned on, which by default i believe >>>>> it >>>>> is). >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> On 18 November 2017 at 16:53, Joel Pearson < >>>>>> japear...@agiledigital.com.au> wrote: >>>>>> >>>>>>> Thanks Lionel. I guess one way to make it secure would be to have a >>>>>>> certificate that’s valid on the internet. But I guess it’s not really >>>>>>> important if it’s all internal traffic. >>>>>>> >>>>>>> I’ll try out that local option I think that’s what I want. Because I >>>>>>> don’t want to have to rely on the remote registry always being there, >>>>>>> because we’re thinking of shutting down our dev and test clusters at >>>>>>> night >>>>>>> time. >>>>>>> >>>>>>> So it sounds like the local option means after it’s pulled once it >>>>>>> will exist in the local registry? >>>>>>> >>>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi Joel, >>>>>>>> >>>>>>>> By default the imported image stream tag will have a reference >>>>>>>> policy of Source. That means the pod will end up pulling the image >>>>>>>> from the >>>>>>>> remote registry directly. For that to work you have to link a secret >>>>>>>> containing the docker credentials with the deployment's sa. For the >>>>>>>> default >>>>>>>> sa this looks like this >>>>>>>> >>>>>>>> oc secrets link default my-dockercfg --for=pull >>>>>>>> >>>>>>>> The other option is to set the istag's reference policy to Local. >>>>>>>> >>>>>>>> tags: >>>>>>>> - annotations: null >>>>>>>> ... >>>>>>>> name: latest >>>>>>>> referencePolicy: >>>>>>>> type: Local . >>>>>>>> >>>>>>>> Now the pod will try to get the image from the local registry which >>>>>>>> in turn will pull from the remote. The registry will look for a >>>>>>>> dockercfg >>>>>>>> secret with the remote server name. By default communication with the >>>>>>>> remote registry will not use ssl. This is controlled by the istag >>>>>>>> import >>>>>>>> policy: >>>>>>>> >>>>>>>> importPolicy: insecure: true >>>>>>>> >>>>>>>> I have not been able to get it to work with insecure: false. I >>>>>>>> can't find the right place to put the remote's ca for the registry to >>>>>>>> use >>>>>>>> it. But it all works well when insecure is true. >>>>>>>> >>>>>>>> >>>>>>>> Cheers >>>>>>>> >>>>>>>> Lionel >>>>>>>> >>>>>>>> >>>>>>>> On 18 November 2017 at 13:59, Joel Pearson < >>>>>>>> japear...@agiledigital.com.au> wrote: >>>>>>>> >>>>>>>>> Hi, >>>>>>>>> >>>>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc >>>>>>>>> import-image" to pull an image from one openshift cluster to another. >>>>>>>>> I >>>>>>>>> setup the docker secrets, and it appeared to be working as there was a >>>>>>>>> bunch of metadata visible in the image stream. >>>>>>>>> >>>>>>>>> However, when actually started a pod, it seemed at that point it >>>>>>>>> tried to get the actual layers from the remote registry of the other >>>>>>>>> openshift cluster, at this point it got some authentication error, >>>>>>>>> which is >>>>>>>>> super bizarre since it happily imported all the metadata fine. >>>>>>>>> >>>>>>>>> Is there some way to actually do the equivalent of docker pull? >>>>>>>>> So that the image data is transferred in that moment, as opposed to a >>>>>>>>> on-demand "lazy" transfer? >>>>>>>>> >>>>>>>>> Can "oc tag" actually copy the data? >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> Joel >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> users mailing list >>>>>>>>> users@lists.openshift.redhat.com >>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> users mailing list >>>>>> users@lists.openshift.redhat.com >>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>>>>> >>>>>> >>>>> >>>>> >>>>> -- >>>>> Ben Parees | OpenShift >>>>> >>>>> >>> >>> >>> -- >>> Ben Parees | OpenShift >>> >>> > > > -- > Ben Parees | OpenShift > >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
