Docker Registry Mirrors

  1. Docker Registry Mirror Quay.io
  2. Docker Registry-mirrors Authentication

Docker also has a free public registry, Docker Hub, that can host your custom Docker images, but there are situations where you will not want your image to be publicly available. Images typically contain all the code necessary to run an application, so using a private registry is preferable when using proprietary software. Mirror 是一种代理中转服务,我们(指daocloud)提供的 Mirror 服务,直接对接 Docker Hub 的官方 Registry。 Docker Hub 上有数以十万计的各类 Docker 镜像。 在使用 Private Registry 时,需要在 Docker Pull 或 Dockerfile 中直接键入 Private Registry 的地址,通常这样会导致与 Private Registry.

cross-post

TL;DR:

  • to create a local pull-through registry to speed up image pulling in a Kind cluster, run:

  • you can’t use this pull-through proxy registry to push your own images (e.g. to speed up Tilt builds), but you can create two registries (one for caching, the other for local images). See this section for more context; the lines are:

  • in case you often create & delete Kind clusters, using a local registry that serves as a proxy avoids redundant downloads

  • KIND_EXPERIMENTAL_DOCKER_NETWORK is useful but remember that the default network (bridge) doesn’t have DNS resolution for container hostnames

  • the Docker default network (bridge) has limitations as detailed by Docker.

  • If you play with ClusterAPI with its Docker provider, you might not be able to use a local registry due to the clusters being created on the default network, which means the “proxy” hostname won’t be resolved (but we could work around that).

Kind is an awesome tool that allows you to spin up local Kubernetes clusters locally in seconds. It is perfect for Kubernetes developers or anyone who wants to play with controllers.

One thing I hate about Kind is that images are not cached between two Kind containers. Even worse: when deleting and re-creating a cluster, all the downloaded images disappear.

In this post, I detail my discoveries around local registries and why the default Docker network is a trap.

Contents:

Kind has no image caching mechanism

Whenever I re-create a Kind cluster and try to install ClusterAPI, all the (quite heavy) images have to be re-downloaded. Just take a look at all the images that get re-downloaded:

That’s a total of 418 MB that get re-downloaded every time I restart both clusters!

Unfortunately, there is no way to re-use the image registry built into your default Docker engine (both on Linux and on macOS). One solution to this problem is to spin up an intermediary Docker registry in a side container; as long as this container exists, all the images that have already been downloaded once can be served from cache.

Creating a caching proxy registry

We want to create a registry with a simple Kind cluster; let’s start with the registry:

Details:

  • --net kind is required because Kind creates its containers in a separate network; it does that the because the “bridge” has limitations and doesn’t allow you to use container names as DNS names:

    By default, a container inherits the DNS settings of the host, as defined in the /etc/resolv.conf configuration file. Containers that use the default bridge network get a copy of this file, whereas containers that use a custom network use Docker’s embedded DNS server, which forwards external DNS lookups to the DNS servers configured on the host.

    which means that the container runtime (containerd) that runs our Kind cluster won’t be able to resove the address proxy:5000.

  • REGISTRY_PROXY_REMOTEURL is required due to the fact that by default, the registry won’t forward requests. It simply tries to find the image in /var/lib/registry/docker/registry/v2/repositories and returns 404 if it doesn’t find it.

    Using the pull-through feature (I call it “caching proxy”), the registry will proxy all requests coming from all mirror prefixes and cache the blobs and manifests locally. To enable this feature, we set REGISTRY_PROXY_REMOTEURL.

    Other interesting bit about REGISTRY_PROXY_REMOTEURL: this environement variable name is mapped from the registry YAML config API. The variable

    is equivalent to the following YAML config:

    ⚠️ The registry can’t be both in normal mode (“local proxy”) and in caching proxy mode at the same time, see below.

Creating a Kind cluster that knows about this caching proxy registry

The second step is to create a Kind cluster and tell the container runtime to use a specific registry; here is the command to create it:

Note:containerdConfigPatches is a way to semantically patch /etc/containerd/config.conf. By default, this file looks like:

Docker registry-mirrors nexus

Note 2: the mirror prefix (docker.io) can be omitted for images stored on Docker Hub. For other registries such as gcr.io, this mirror prefix has to be given. Here is a table with some examples of image names that are first prepended with “docker.io” if the mirror prefix is not present, and we get the final address by mapping these mirror prefixes with mirror entries:

Registry-mirrors
image name“actual” image nameregistry address w.r.t. mirrors
alpinedocker.io/alpinehttps://registry-1.docker.io/v2/library/alpine/manifests/latest
gcr.io/istio-release/pilotgcr.io/istio-release/pilothttps://gcr.io/v2/istio-release/pilot/manifests/1.9.1
foo.org/something/someimagefoo.org/something/someimagehttps://foo.org/v2/something/someimage/manifests/latest

Check that the caching proxy registry works

Let’s see if the proxy registry works by running a pod:

We can also see through the registry logs that everything is going well:

Docker Registry Mirror Quay.io

Docker proxy vs. local registry

A bit later, I discovered that you can’t push to a proxy registry. Tilt is a tool I use to ease the process of developping in a containerized environment (and it works best with Kubernetes); it relies on a local registry in order to cache build containers even when restarting the Kind cluster.

Either the registry is used as a “local registry” (where you can push images), or it is used as a pull-through proxy. So instead of configuring one single “proxy” registry, I configure two registries: one for local images, one for caching.

Note that we do use a port-forwarding proxy (-p 5000:5000) so that we can push images “from the host”, e.g.:

If you use Tilt, you might also want to tell Tilt that it can use the local registry. I find it a bit weird to have to set an annotation (hidden Tilt API?) but whatever. If you set this:

then Tilt will use docker push localhost:5000/you-image (from your host, not from the cluster container) in order to speed up things. Note that there is a proposal (KEP 1755) that aims at standardizing the discovery of local registries using a configmap. Tilt already supports it, so you may use it!

Improving the ClusterAPI docker provider to use a given network

When I play with ClusterAPI, I usually use the CAPD provider (ClusterAPI Provider Docker). This provider is kept in-tree inside the cluster-api projet.

I want to use the caching mechanism presented above. But to do that, I need to make sure the clusters created by CAPD are not created on the default network (current implementation creates CAPD clusters on the default “bridge” network).

I want to be able to customize the network on which the CAPD provider creates the container that make up the cluster. Imagine that we could pass the network name as part of a DockerMachineTemplate (the content of the spec is defined in code here):

Update 26 July 2020: added a section about local registry vs. caching proxy. Reworked the whole post (less noise, more useful information).

📝 Edit this page

If you are behind a proxy and want to proxy docker registry or have multiple machines pulling the same images over and over (CI/CD/ML/DL etc..) and just want to cache them locally the following is a good choice.

create a folder docker-registry-local-cache and create docker-compose.yml file as follows and customize it with your env variables.

run the container with
docker-compose up -d

run
docker logs dockerregistrylocalcache_registry2_1
and you should see the following

run
curl http://10.0.0.7:5000/v2/_catalog
should output in something similar to this
{'repositories':[]}

Docker Registry-mirrors Authentication

Next configure your docker client to use this mirror. See this previous post on how to do that.

Once client side is configured, you can pull a image from a remote dockerhub via your local mirror. For example run
docker pull ubuntu:17.10
like you normally would. then run
curl http://10.0.0.7:5000/v2/_catalog'
again to see the following
{'repositories':['library/ubuntu']}

This should significantly improve the speed of any subsequent pull from the local clients. Hope you finds this useful.