A container/docker registry cache. This runs one or many containers registry as a pull-through cache. Includes a process as a cleaner to control the max size. It allows private registries with credentials.
The container is a container that running some processes via supervisord:
registry: based on official registry v2 with an starting script to generate registry config with quay.io cache enabled. Credential are extracted frompull-secret.jsonlogger: which takes the container images requests and update the access time of the layers (blobs) and the manifests, in order to control the aging of them.cleaner: sort blobs by access time an remove oldest blobs until used size of registry was between limits.haproxy: reverse proxy for differents registries running (haproxy 1.8). Its redirect to the registry cache according to the path.rsyslogd: to be able to have logs from haproxy- registries in pull through cache mode: every registry specified in
pull-secret.jsonfile will be used to run up an registry pull-through cache mode registry.
For example, if you want to cache a quay image instead of pulling quay.io/podman/hello:latest, you will pull yourregistry.local/quay.io/podman/hello:latest
┌───────────────────┐
│ ├─────────┐
┌──────────────────┐ ┌──────►│ Registry cache 1 ├────┐ │ datastore
│ HAProxy ├────┘ └───────────────────┘ │ │ ┌─────────────────────┐
│ │ │ └────────►│ │
│ (reverse proxy) ├───────┐ ┌───────────────────┐ │ │ blobs & manifests │
└────────┬───────┬─┘ │ │ ├────┼─────────────►│ │
│ │ └───►│ Registry cache 2 │────│ └─────────────────────┘
│ │ └───────────────────┘ │ ▲ ▲ ▲
│ │ .... │ │ │ │
│ │ ┌───────────────────┐ │ │ │ │
│ │ │ │────│ │ │ │
│ └─────────────►│ Registry cache n ├────┼───────────────┘ │ │
│ └───────────────────┘ │ │ │
│ │ │ │
│ │ │ │
▼ ▼ │ │
┌─────────────────┐ ┌───────────────────┐ │ │
│ │ │ │ │ │
│ RSYSLOG │ │ LOGGER ├─────┘ │
│ │ │ │ │
└─────────────────┘ └───────────────────┘ │
│
┌───────────────────┐ │
│ │ │
│ CLEANER ├──────────┘
│ │
└───────────────────┘
# yum install -y podman httpd-tools
# mkdir -p /opt/registry/{auth,certs,data}
- The Auth subdirectory stores the htpasswd file used for authentication.
- The Certs subdirectory stores certificates used by the registry for authentication.
- The Data directory stores the actual images stored in the registry.
# htpasswd -bBc /opt/registry/auth/htpasswd registryuser registryuserpassword
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/registry/certs/domain.key -x509 -days 365 -out /opt/registry/certs/domain.crt
Enter the respective options for your certificate. The CN= value is the hostname of your host. The host's hostname should be resolvable by DNS or the /etc/hosts file.
and then build the .pem file:
cat /opt/registry/certs/domain.crt /opt/registry/certs/domain.key > /certs/certs.pem
IMPORTANT: the name of the PEM must be certs.pem
The certificate will also have to be trusted by your hosts and clients:
# cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
# trust list | grep -i "<hostname>"
The container and its config process analyze the pull secret JSON file provided and create a registry process per each credential according to it. The format of this JSON file is similar to kubernetes uses. Example:
{
"auths":{
"docker.io":{
},
"registry.redhat.io":{
"auth":"b3Blb=",
"email":"[email protected]"
},
"quay.io":{
"auth":"b3Blb=",
"email":"[email protected]"
}
}
}
With this example, the container will cache images from quay.io and registry.redhat.io.
It's important you map your pull secret to
/pull-secret.jsoninto the container.
There are two ways, with podman play feature or just with podman run:
Edit variables in deployment.yaml and run:
podman play kube deployment.yaml
podman run -d --name registry-cache \
-v /opt/registry/pull-secret.json:/pull-secret.json \
-v /opt/registry/data:/var/lib/registry:z \
-e CLEANER_MAXSIZE=10G \
-e CLEANER_THRESHOLD_PERCENTAGE=20 \
-e CLEANER_RUNEVERY_TIME=30m \
-v /opt/registry/certs:/certs:z \
-v /opt/registry/auth:/auth:z
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-p 8443:8443 \
quay.io/mvalledi/registry-cache:main
podman play kube deployment.yaml --down
or
podman stop registry-cache
CLEANER_MAXSIZE: Max Size in human redeable size (M, MB, MiB, G, GB, GiB, ...). By default "10G"CLEANER_THRESHOLD_PERCENTAGE: Percentage threshold. If cache takes more thanCLEANER_MAXSIZE+CLEANER_THRESHOLD_PERCENTAGE%, then cleaner cleans. By default '20' (== 20%).CLEANER_RUNEVERY_TIME:Cleaner check everyCLEANER_RUNEVERY_TIMEthe cache size. In format "1h2m3s". By default "30m" (== 30 minutes).IGNOREREGISTRYLIST: Space separated list of registries to be ignored from pull secret. By default 'cloud.openshift.com'.
If a firewall is running on the hosts, the exposed port (8443) will need to be permitted.
# # Registry port
# firewall-cmd --add-port=8443/tcp --zone=internal --permanent
# firewall-cmd --add-port=8443/tcp --zone=public --permanent
# firewall-cmd --reload
We will try to pull quay.io/podman/hello image through our registry
# podman login <hostname>:8443
Enter Username:xxxxxxxx
Enter Password:yyyyyyyy
Login Succeeded!
# podman pull <hostname>:8443/quay.io/podman/hello
Trying to pull <hostname>:8443/quay.io/podman/hello:latest...
Getting image source signatures
Copying blob 35e2aab76e8b done
Copying config 133ff45f55 done
Writing manifest to image destination
Storing signatures
133ff45f557da063a1f6f301866c7276c22ea07aeda078d00a790ea50516dcbc
Image is building by Quay.io. You can find it in https://quay.io/repository/mvalledi/registry-cache
You can configure your Openshift Cluster to be able to use this registry cache instance applying this yaml file:
apiVersion: operator.openshift.io/v1alpha1
kind: ImageContentSourcePolicy
metadata:
name: mirror-ocp
spec:
repositoryDigestMirrors:
- mirrors:
- <your registry hostname>:8443/quay.io/openshift-release-dev/ocp-release
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- <your registry hostname>:8443/quay.io/openshift-release-dev/ocp-v4.0-art-dev
source: quay.io/openshift-release-dev/ocp-v4.0-art-dev