How do I docker buildx build into a local "registry" container - docker

I am trying to build a multi-arch image but would like to avoid pushing it to docker hub. I've had a lot of trouble finding out how to control the export options. is there a way to make "--push" push to a registry of my choosing?
Any help is appreciated

Docker provides a container image for a registry server that you may self run even on localhost, see: Deploying a registry server.
There are other servers|services that implement the registry API (see below) but this is a good place to start.
Conventionally, images pushed|pulled default to Docker registry; unless a registry is explicitly specifed, an image e.g. your-image:your-tag defaults to docker.io/my-image:my-tag. In my opinion, it's a good practice to always include this default to be more transparent about this.
If you run Docker's registry image on localhost on the default port 5000, you'll need to take your images with localhost:5000/your-image:your-tag to ensure that when you docker push localhost:5000/your-image:your-tag, the CLI is able to determine your local registry is the intended destination.
Similarly, if you use e.g. Quay registry, images must be prefixed quay.io, Google Artifact Registry, images are prefixed ${REGION}-docker.pkg.dev/${PROJECT}/${REPOSITORY} etc.
IIRC it's not possible to push to Docker's registry (aka dockerhub) without an account so, as long as you ensure you're not logged in, you should not accidentally push images to Docker's registry.
NOTE You only need to use a registry to ease distribution of container images between machines. If you're only interested in local(host) development, you can docker run ... immediately after a successful docker build without any pushing|pulling (beyond interim images, e.g. FROM).

Related

Dockerfile FROM command - Does it always download from Docker Hub?

I just started working with docker this week and came across a 'dockerfile'. I was reading up on what this file does, and the official documentation basically mentions that the FROM keyword is needed to build a "base image". These base images are pulled from Docker hub, or downloaded from there.
Silly question - Are base images always pulled from docker hub?
If so and if I understand correctly I am assuming that running the dockerfile to create an image is not done very often (only when needing to create an image) and once the image is created then the image is whats run all the time?
So the dockerfile then can be migrated to which ever enviroment and things can be set up all over again quickly?
Pardon the silly question I am just trying to understand the over all flow and how dockerfile fits into things.
If the local (on your host) Docker daemon (already) has a copy of the container image (i.e. it's been docker pull'd) specified by FROM in a Dockerfile then it's cached and won't be repulled.
Container images include a tag (be wary of ever using latest) and the image name e.g. foo combined with the tag (which defaults to latest if not specified) is the full name of the image that's checked i.e. if you have foo:v0.0.1 locally and FROM:v0.0.1 then the local copy is used but FROM foo:v0.0.2 will pull foo:v0.0.2.
There's an implicit docker.io prefix i.e. docker.io/foo:v0.0.1 that references the Docker registry that's being used.
You could repeatedly docker build container images on the machines where the container is run but this is inefficient and the more common mechanism is that, once a container image is built, it is pushed to a registry (e.g. DockerHub) and then pulled from there by whatever machines need it.
There are many container registries: DockerHub, Google Artifact Registry, Quay etc.
There are tools other than docker that can be used to interact with containers e.g. (Red Hat's) Podman.

Use cache docker image for gitlab-ci

I was wondering is it possible to use cached docker images in gitlab registry for gitlab-ci?
for example, I want to use node:16.3.0-alpine docker image, can I cache it in my gitlab registry and pull it from that and speed up my gitlab ci instead of pulling it from docker hub?
Yes, GitLab's dependency proxy features allow you to configure GitLab as a "pull through cache". This is also beneficial for working around rate limits of upstream sources like dockerhub.
It should be faster in most cases to use the dependency proxy, but not necessarily so. It's possible that dockerhub can be more performant than a small self-hosted server, for example. GitLab runners are also remote with respect to the registry and not necessarily any "closer" to the GitLab registry than any other registry over the internet. So, keep that in mind.
As a side note, the absolute fastest way to retrieve cached images is to self-host your GitLab runners and hold images directly on the host. That way, when jobs start, if the image already exists on the host, the job will start immediately because it does not need to pull the image (depending on your pull configuration). (that is, assuming you're using images in the image: declaration for your job)
I'm using a corporate Gitlab instance where for some reason the Dependency Proxy feature has been disabled. The other option you have is to create a new Docker image on your local machine, then push it into the Container Registry of your personal Gitlab project.
# First create a one-line Dockerfile containing "FROM node:16.3.0-alpine"
docker pull node:16.3.0-alpine
docker build . -t registry.example.com/group/project/image
docker login registry.example.com -u <username> -p <token>
docker push registry.example.com/group/project/image
where the image tag should be constructed based on the example given on your project's private Container Registry page.
Now in your CI job, you just change image: node:16.3.0-alpine to image: registry.example.com/group/project/image. You may have to run the docker login command (using a deploy token for credentials, see Settings -> Repository) in the before_script section -- I think maybe newer versions of Gitlab will have the runner authenticate to the private Container Registry using system credentials, but that could vary depending on how it's configured.

Can a docker registry be copied from one machine to another?

Can a docker registry populated on one host be 'tree-copied' to another machine and be 'turned on' as a pre-populated docker registry served by the new host?
I am working on a project providing Platform-as-a-Service which includes a docker registry service. These run in disconnected environments (not connected to the Internet). One very time consuming aspect of each deployment is creating an empty registry and loading, tagging, and pushing hundreds of docker images (tens of gigabytes of data) from a compressed tar into the registry for each new deployment.
I am thinking it would be faster to do this differently. Instead of a tarball of docker files, could we at 'build time' create and populate the docker registry then and compress that. At deploy time we just unpack the registry into /var/lib/registry or wherever...
But, I don't know if any of the data in the registry is dependent upon, say, a machine ID, certificate, or other aspect of the host upon which the registry was first running.
It seems to me an equivalent question is, if I populate two docker registries running on different machines with the same set of docker images in the same order, will the file contents of the registry folder be the same (or similar, allowing for timestamps and such?)
Every time I search for "docker registry transfer" or "move docker registry to new machine" or similar terms, I am flooded with answers about moving single docker images from one machine or registry to another, but don't see anything about docker registry migration or portability.
I haven't had the time or resources to test this out; maybe someone already expert in docker registry structures could clue me in that this is practical (or can say it absolutely will not work) I can make a better decision about whether to pursue getting the time and machines to demonstrate this approach.
Thank you.
I don't know if any of the data in the registry is dependent upon,
say, a machine ID, certificate, or other aspect of the host upon which
the registry was first running.
The configuration will be associated to the registry, for example, if you are running a secure registry by adding certs to the registry.
In this case, you will have to configure the registry in the same manner on a new machine as on the previous machine, use a configuration manager(like ansible) for that.
Instead of a tarball of docker files, could we at 'build time' create
and populate the docker registry then and compress that. At deploy
time we just unpack the registry into /var/lib/registry or wherever...
Adding to what #DazWilkin already mentioned in the comments, a storage location can be configured which can be,
filesystem: the rootdirectory default is /var/lib/registry
based on the cloud provider if the registry is deployed on a private cloud
Example, S3 bucket for AWS
You can take backup of that like the rootdirectory in case of filesystem or attach the storage location to the new registry.
**Words of caution**
Try to use the exact configuration and version of the docker registry.

How to get transferable docker compose stack without dockerhub

I have few docker images composed together in the stack using docker-compose.yml.
Now I want to transfer whole docker compose stack to the other host machine without uploading to the dockerhub,
And deploy it on the docker swarm.
I saw there is a thing called docker compose bundle, would that help?
If you’re deploying on a multi-host swarm (or something similar like Kubernetes or Nomad) you all but need a Docker registry. It doesn’t specifically have to be Docker Hub — quay.io, Amazon’s ECR, Google’s GCR, and self-hosted registries all work fine — but you do need to have pushed the built images somewhere where the orchestrator can retrieve them by name.
I’ve never used docker-compose bundle myself, but its documentation also notes that its operation “requires interaction with a Docker registry”.
The only real alternative is using docker save and docker load to manually move images between machines, but as a manual process it will get tedious very quickly, and you need to make sure an identical set of images are on every machine for consistency. Using a registry will be vastly easier.
The easyest way to do it is to use a Docker registry. The problem with Docker Hub is that you can only have one private registry, the rest must be public or paid.
Thankfully, there are other (free) alternatives:
Deploy your own private registry. Here is a nice tutorial where you can try it in the browser.
Use a free private registry. I personnaly use Codefresh. It can automatically build your image from a private repo (like bitbucket who has free plan too), but you can also just use it like a "simple" docker registry and push and pull your Docker images there.

Docker show current registry

In docker, how can one display the current registry info you are currently logged in? I installed docker, if I now do docker push, where does it send my images?
I spend over 30min searching this info from Google and docker docs, and couldn't find it, so I think it deserves its own question.
There's no concept of a "current" registry - full image tags always contain the registry address, but if no registry is specified then the Docker Hub is used as the default.
So docker push user/app pushes to Docker Hub. If you want to push it to a local registry you need to explicitly tag it with the registry address:
docker tag user/app localhost:5000/user/app
docker push localhost:5000/user/app
If your local registry is secured, you need to run docker login localhost:5000 but that does not change the default registry. If you push or pull images without a registry address in the tag, Docker will always use the Hub.
This issue explains the rationale.
The way docker images work is not the most obvious but it is easy to explain.
The location where your images will be sent to must be define in the image name.
When you commit an image you must name it [registry-IP]:[registry-port]/[imagepath]/[image-name]
If you already have the image created and you want to send it to the local registry you must tagged it including the registry path before you push it:
docker tag [image-name] [registry-IP]:[registry-port]/[image-name]
docker push [registry-IP]:[registry-port]/[image-name]

Resources