On Sat, Nov 18, 2017 at 3:16 PM, Joel Pearson <japear...@agiledigital.com.au> wrote:

> It would introduce a new final layer right? Because after every build,
> OpenShift automatically adds a bunch of labels?

yeah that's true, sorry completely blanked on that.

>
> On Sun, 19 Nov 2017 at 7:13 am, Ben Parees <bpar...@redhat.com> wrote:
>
>> On Sat, Nov 18, 2017 at 2:54 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>
>>> Ahh ok. Is there some way to abuse build configs to push existing
>>> images to remote OpenShift registries?
>>
>> technically you could probably have a dockerfile that just says "FROM
>> imagex" and nothing else, and put that in a buildconfig.
>>
>> I'm not sure if that would introduce any new layers during the docker
>> build or not.
>>
>> But it's probably not the right solution for moving images around
>> regardless.
>>
>>>
>>> On Sat, 18 Nov 2017 at 6:15 pm, Ben Parees <bpar...@redhat.com> wrote:
>>>
>>>> On Sat, Nov 18, 2017 at 2:12 AM, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>
>>>>> So there is no way with the oc command to import an image and not have
>>>>> it need the remote to exist after that? I’d just have to use docker push
>>>>> instead?
>>>>
>>>> currently that is correct.
>>>>
>>>>>
>>>>> On Sat, 18 Nov 2017 at 6:04 pm, Ben Parees <bpar...@redhat.com> wrote:
>>>>>
>>>>>> On Sat, Nov 18, 2017 at 1:13 AM, Lionel Orellana <lione...@gmail.com> wrote:
>>>>>>
>>>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>>>> will exist in the local registry?
>>>>>>>
>>>>>>> Hmm, it always seems to do the pull-through
>>>>>>> <https://docs.openshift.com/container-platform/latest/install_config/registry/extended_registry_configuration.html#middleware-repository-pullthrough>.
>>>>>>> Not sure what will happen if the remote is down.
>>>>>>
>>>>>> the blobs will be mirrored in the local registry, but the manifest is
>>>>>> not (currently) so the remote still needs to be accessible, but the pull
>>>>>> should be faster once the blobs have been cached in the local registry.
>>>>>> (assuming mirroring pullthrough is turned on, which by default I believe
>>>>>> it is).
>>>>>>
>>>>>>>
>>>>>>> On 18 November 2017 at 16:53, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>>>>
>>>>>>>> Thanks Lionel. I guess one way to make it secure would be to have a
>>>>>>>> certificate that’s valid on the internet. But I guess it’s not really
>>>>>>>> important if it’s all internal traffic.
>>>>>>>>
>>>>>>>> I’ll try out that local option I think that’s what I want. Because
>>>>>>>> I don’t want to have to rely on the remote registry always being there,
>>>>>>>> because we’re thinking of shutting down our dev and test clusters at
>>>>>>>> night time.
>>>>>>>>
>>>>>>>> So it sounds like the local option means after it’s pulled once it
>>>>>>>> will exist in the local registry?
>>>>>>>>
>>>>>>>> On Sat, 18 Nov 2017 at 4:41 pm, Lionel Orellana <lione...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Joel,
>>>>>>>>>
>>>>>>>>> By default the imported image stream tag will have a reference
>>>>>>>>> policy of Source. That means the pod will end up pulling the image
>>>>>>>>> from the remote registry directly. For that to work you have to link
>>>>>>>>> a secret containing the docker credentials with the deployment's sa.
>>>>>>>>> For the default sa this looks like this
>>>>>>>>>
>>>>>>>>>     oc secrets link default my-dockercfg --for=pull
>>>>>>>>>
>>>>>>>>> The other option is to set the istag's reference policy to Local.
>>>>>>>>>
>>>>>>>>>     tags:
>>>>>>>>>     - annotations: null
>>>>>>>>>       ...
>>>>>>>>>       name: latest
>>>>>>>>>       referencePolicy:
>>>>>>>>>         type: Local
>>>>>>>>>
>>>>>>>>> Now the pod will try to get the image from the local registry
>>>>>>>>> which in turn will pull from the remote. The registry will look for a
>>>>>>>>> dockercfg secret with the remote server name. By default
>>>>>>>>> communication with the remote registry will not use ssl. This is
>>>>>>>>> controlled by the istag import policy:
>>>>>>>>>
>>>>>>>>>     importPolicy:
>>>>>>>>>       insecure: true
>>>>>>>>>
>>>>>>>>> I have not been able to get it to work with insecure: false. I
>>>>>>>>> can't find the right place to put the remote's ca for the registry to
>>>>>>>>> use it. But it all works well when insecure is true.
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>>
>>>>>>>>> Lionel
>>>>>>>>>
>>>>>>>>> On 18 November 2017 at 13:59, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm using OpenShift 3.6.1 in AWS and I tried using "oc
>>>>>>>>>> import-image" to pull an image from one openshift cluster to
>>>>>>>>>> another. I set up the docker secrets, and it appeared to be working
>>>>>>>>>> as there was a bunch of metadata visible in the image stream.
>>>>>>>>>>
>>>>>>>>>> However, when I actually started a pod, it seemed at that point it
>>>>>>>>>> tried to get the actual layers from the remote registry of the other
>>>>>>>>>> openshift cluster, at this point it got some authentication error,
>>>>>>>>>> which is super bizarre since it happily imported all the metadata
>>>>>>>>>> fine.
>>>>>>>>>>
>>>>>>>>>> Is there some way to actually do the equivalent of docker pull?
>>>>>>>>>> So that the image data is transferred in that moment, as opposed to
>>>>>>>>>> an on-demand "lazy" transfer?
>>>>>>>>>>
>>>>>>>>>> Can "oc tag" actually copy the data?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Joel
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> users mailing list
>>>>>>>>>> users@lists.openshift.redhat.com
>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> users mailing list
>>>>>>> users@lists.openshift.redhat.com
>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ben Parees | OpenShift
>>>>>>
>>>>
>>>> --
>>>> Ben Parees | OpenShift
>>>>
>>
>> --
>> Ben Parees | OpenShift
>>

--
Ben Parees | OpenShift
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
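
Added example, not part of the original thread and not OpenShift project code: a small audit over image stream JSON (the shape returned by `oc get imagestreams -o json`) that reports, for every tag imported from a remote registry, the two settings discussed above, `referencePolicy.type` and `importPolicy.insecure`. The sample document, registry host name and the `audit` function are constructed for illustration; an absent `referencePolicy` is treated as `Source`, the default described in the thread.

```python
import json

# Constructed sample, shaped like `oc get imagestreams -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [{"kind": "ImageStream",
  "metadata": {"name": "myapp", "namespace": "test"},
  "spec": {"tags": [
    {"name": "latest",
     "from": {"kind": "DockerImage", "name": "registry.dev.example.com/proj/myapp:latest"},
     "importPolicy": {"insecure": true}, "referencePolicy": {"type": "Local"}},
    {"name": "stable", "importPolicy": {},
     "from": {"kind": "DockerImage", "name": "registry.dev.example.com/proj/myapp:stable"}},
    {"name": "promoted", "from": {"kind": "ImageStreamTag", "name": "myapp:stable"}}
  ]}}]}
""")


def audit(doc):
    """Return one finding per tag that is imported from a remote registry."""
    streams = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for stream in streams:
        meta = stream.get("metadata", {})
        for tag in stream.get("spec", {}).get("tags") or []:
            source = tag.get("from") or {}
            if source.get("kind") != "DockerImage":
                continue  # tag follows another image stream, not a remote registry
            policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
            insecure = bool((tag.get("importPolicy") or {}).get("insecure"))
            notes = []
            if insecure:
                notes.append("import does not require a verified TLS connection")
            if policy == "Source":
                notes.append("pods pull from the remote directly; link a pull secret to the sa")
            else:
                notes.append("pull-through via local registry; remote still serves the manifest")
            findings.append({
                "tag": "%s/%s:%s" % (meta.get("namespace"), meta.get("name"), tag.get("name")),
                "remote": source.get("name"), "referencePolicy": policy,
                "insecure": insecure, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["tag"], f["referencePolicy"], "insecure=%s" % f["insecure"])
        for note in f["notes"]:
            print("   -", note)
```
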