-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Docker pull with "allow-nondistributable-artifacts" still downloads foreign layer from foreign server #34216
Comments
Side note: this was reproduced also using the "Azure Container Registry" as the backend for the private registry. |
@rodrigozr have you tried with any other registry? I have tested this on a local registry running in a Windows Docker container, and the workflow is as expected - the foreign layers are pushed to the local registry and pulled from there on other clients. |
@sixeyed, we have tested with AWS ECR and Azure CR. |
@rodrigozr yes, the official image only has Windows variants right now, I'm using a custom one: sixeyed/registry. |
@rodrigozr what's your use case? Please note that To get the behavior you're looking for your should use |
@friism, the use case is similar to air-gapped systems. Some locations we will deploy to may/will not have access to Microsoft servers - only to our own servers. If your suggestion of referencing the local image at build time is the only solution, it will probably not work for us, as the registry address will change depending on the environment (development, QA, staging, production). Shouldn't the layer ID / hash be the most important unique identifier for it, rather than the registry where it was located at build time? Thanks in advance for any assistance provided! |
You might be able to template that and re-build for each environment: https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact It'll probably introduce some other problems, but you could also look at simply pre-loading the base images that you care about on the production systems where you'll be running containers. Eg. with |
My workflow was to re-tag the Store image and include my registry domain - so:
Then the foreign layers are in the local registry, but you still need to use the domain prefix to reference the image from that registry instead of Store. |
@rodrigozr yeah, so the reason this works for @sixeyed is that he uses the fully qualified image name including the hostname of the registry in the |
Thanks for the clarifications @friism and @sixeyed .
From the documentation of "allow-nondistributable-artifacts", it sounds like it was designed to solve similar scenarios:
(Emphasis is mine) Any guidance will be greatly appreciated! Thanks again |
I'd separate out dev/staging/etc from production. Hopefully you don't have the non-foreign layer requirement before you have to deploy to production? For production, and with the way that Docker currently works with foreign layers, I'm not sure the Docker registry infrastructure and push/pull is going to work out for you. I would simply |
On that case, would there be a way to save only one of the layers (from the top of the stack) when doing that? |
I think it would work if you just |
Okay, so it looks like the documentation for "allow-nondistributable-artifacts" should be updated, as it does not solve the use-case of air-gapped systems. Please notice that it is not just "defaulting" to the foreign servers... When running a I'm a bit confused now... Can you please elaborate what use-case that newly-introduced configuration option is addressing? |
Below is an example flow using multiple Docker engines running on my laptop to simulate. They use separate graph-driver directories, so they behave as separate hosts for our purposes. Start a local private registryThis simulates registry running behind airgap. We run in its own daemon.
Now start the registry on that daemon:
Tag and push image to local registryFor this example I'm just tagging a random Windows-based image on my machine. Note that I have to configure my daemon to be able to push. This step simulates someone building an image, transporting it physically over the airgap and pushing to airgapped registry:
Use image from airgapped machineAt this point I turned off internet access on my machine and started a third daemon, representing an airgapped host that can consume images from the private, airgapped registry:
SummarySo in your case, for each of the "air-gapped" places you want to make the images available, you will have to transport the image there one way or another, then |
Awesome explanation @friism! In fact, that is exactly how I need it to work, and is somewhat similar to my original step by step report. You didn't have to rebuild Now we probably just need to find out why I'm seeing different results... The main differences that I can see between my tests and yours are:
I will retest taking those factors in consideration! Thanks again |
That's the problem. |
Thanks @sixeyed and @friism for all the support! It is working fine now 👍 Amazingly enough, all I had to do was to run this command:
As my laptop has the configuration for The long-term solution will be to configure our build agents with Closing this issue! |
Glad you have it working @rodrigozr. One thing may help with multiple registries. The domain part of the image name just uses DNS when Docker resolves the registry server. So you could have your image called |
Thanks for the suggestion @sixeyed. But wouldn't that cause the HTTPS certificate to be considered invalid? |
Good point, yes. In my local environment I'm just using HTTP :) |
Description
Pulling an image (from a local private registry) that depends on a foreign layer still downloads the layer from the foreign server, even when "allow-nondistributable-artifacts" is correctly configured and the foreign layer is present in the private registry.
Steps to reproduce the issue:
docker pull microsoft/windowsservercore:10.0.14393.1198
docker tag microsoft/windowsservercore:10.0.14393.1198 myregistry.local/microsoft/windowsservercore:10.0.14393.1198
docker push myregistry.local/microsoft/windowsservercore:10.0.14393.1198
docker pull myregistry.local/microsoft/windowsservercore:10.0.14393.1198
(GOOD - Downloads from local registry)Describe the results you received:
The foreign layer is downloaded from MS servers
Describe the results you expected:
The foreign layer should be downloaded from "myregistry.local"
Output of
docker version
:Output of
docker info
:Additional environment details (AWS, VirtualBox, physical, etc.):
Tested on AWS and physical machines, on both Windows 10 and Windows Server 2016
The text was updated successfully, but these errors were encountered: