search

Registry Mirror For Container Images

hashtag
What is a Container Registry

A container registry is a catalogue of storage locations where you can push and pull container images.

However, the actual physical locations where images are stored are known as repositories. Each repository stores a collection of related images with the same name.

Each image within a repository represents a different version of the same container deployment. For example, on the popular container registry Docker Hub, nginx is the name of the repository that contains different versions of the Docker image for open-source web server installation NGINX.

A specific image is identified by either its tag or its own unique reference.

hashtag
What is a Registry Mirror

A registry mirror is a local copy of a public registry that copies or mirrors the file structure of the public registry. For example, let's say that the path to your registry mirror is 10.101.101.100:443. When containerd encounters a request to pull an image such as gcr.io/etcd-development/etcd:v3.5.5, containerd attempts to pull that image, not from gcr.io, but from your registry at the following path: 10.101.101.100:443/etcd-development/etcd:v3.5.5. If the image isn't in this registry path, the image is pulled automatically from the public registry gcr.io.

Using a registry mirror provides the following benefits:

  • Can be used as custom registry for images.

  • Protects from public registry outages.

  • Speeds up pod creation.

  • Allows to conduct image vulnerability scanning.

  • Avoids limits imposed by public registries on how frequently you can issue commands to them.

hashtag
Using Registry Mirror with PMK clusters

hashtag
Pre-requisites

  • Container registry server set up in your network.

  • If your registry server runs a private TLS certificate, you must have the certificate authority (CA) file.

  • If your registry server needs authentication, you must have the login credentials.

  • Must use containerd as a runtime.

  • Supported only with PMK Qbert API and must be used to configure clusters.

  • PMK support only the following repositories with this feature. Images with any other registry URL will be directly downloaded from the mentioned registry (See in figure - anyOtherRegistry).

    • platform9.io

    • docker.io

    • gcr.io

    • quay.io

    • registry.k8s.io

hashtag
Understanding the API Body changes in cluster API

API spec located at https://platform9.com/docs/qbert/refarrow-up-right

Example:

API Parameter
Type
Description
default
Example

customRegistryUrl

string

Endpoint URL for the registry.

null

Eg: https://10.101.101.100:443arrow-up-right, https://user.jfrog.ioarrow-up-right

customRegistryRepoPath

Path where all images are cached.

null

- Can be empty, meaning all images are cached at root. - Can be like infra where all images will be cached in infra repository. - Can be like infra/k8s where all images will be cached under infra/k8s

customRegistryUsername

string

Username for the registry.

null

customRegistryPassword

string

Password for the registry.

null

customRegistrySkipTls

boolean

To be used to skip TLS.

false

customRegistrySelfSignedCerts

boolean

To be used if the the registry has a self-signed certificate.

false

customRegistryCertPath

string

Path to the cert file on the nodes or the endpoint URL from where it can be fetched.

null

Can be of the following formats: - https://example.com/path/to/certarrow-up-right - http://example.com/path/to/certarrow-up-right - file:///path/to/cert - /path/to/cert

Note: Before using the API

  • Add the CA certificate file (ca.cert file) at specified location "customRegistryCertPath": "/usr/local/share/reg-ca.crt" on the node. (this path should be readable by pf9 user) OR

  • Store the CA certificate file at some endpoint say https://example.com/cacert and set this field to "customRegistryCertPath": "https://example.com/cacert" so that the nodelet can fetch the cert from this endpoint and place it on nodes and configure it into containerd.

hashtag
Example Registry

As a user if you have setvup a private Jfrog registry like the below image:

API request body will have following parameters to use this feature:

hashtag
How this feature affects containerd?

Containerd configurations for registries are stored at /etc/containerd/certs.d on the nodes.

For example, if 10.101.101.100:443 is used as the registry mirror and in PMK there are multiple images from various registries, the /etc/containerd/certs.d will look like:

PMK currently has above 5 registries. Along with that, we configure the custom registry 10.101.101.100:443 . The pull requests to all the registries will go through config in their hosts.toml.

Listed are examples of all registry hosts.toml files for this case:

  • 10.101.101.100:443 ← custom registry

  • docker.io

  • platform9.io

  • quay.io

  • gcr.io

  • registry.k8s.io

hashtag
Using this feature during cluster creation

Cluster Create (API Referencearrow-up-right)

  • Use the Cluster POST API with the following parameters to use this feature. Example:

hashtag
Using this feature with an existing cluster with cluster Kubernetes version upgrade

Cluster Create (API Referencearrow-up-right)

  • Use the Cluster POST API with the following parameters to use this feature. Example:

This shall update all the the nodes with new containerd configuration.

hashtag
Using this feature with an existing cluster with cluster update (no Kubernetes version upgrade)

Cluster Create (API Referencearrow-up-right)

  • Use the Cluster PUT API with the following parameters to use this feature. Example:

Note: With cluster update, following commands have to be run on each node of the cluster to restart the nodelet phases. With cluster version upgrade, following takes places automatically during node upgrades.

Example:

PreviousKubernetes Api Server CustomizationNextConfiguring Containerd Storage

Last updated

Was this helpful?