Develop Reference

Where does "docker images" look when outputting a list of images

A word of warning, this is my first posting, and I am new to docker and Kubernetes with enough knowledge to get me into trouble.
I am confused about where docker container images are being stored and listing images.
To illustrate my confusion I start with the confirmation that "docker images" indicates no image for nginx is present.
Next I create a pod running nginx.
kubectl run nginx --image=nginx is succesful in pulling image "nginx" from github (or that's my assumption):
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 8s default-scheduler Successfully assigned default/nginx to minikube
Normal Pulling 8s kubelet Pulling image "nginx"
Normal Pulled 7s kubelet Successfully pulled image "nginx" in 833.30993ms
Normal Created 7s kubelet Created container nginx
Normal Started 7s kubelet Started container nginx
Even though the above output indicates the image is pulled, issuing "docker images" does not include nginx the output.
If I understand correctly, when an image is pulled, it is being stored on my local disk. In my case (Linux) in /var/lib/docker.
So my first question is, why doesn't docker images list it in the output, or is the better question where does docker images look for images?
Next if I issue a docker pull for nginx it is pulled from what I assume to be Github. docker images now includes it in it's output.
Just for my clarification, nothing up to this point involves a private local registry, correct?
I purposefully create a basic local Docker Registry using the docker registry container thinking it would be clearer since that will allow me to explicitly specify a registry but this only results in another issue:
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /registry:/var/lib/registry \
registry
I tag and push the nginx image to my newly created local registry:
docker tag nginx localhost:5000/nginx:latest
docker push localhost:5000/nginx:latest
The push refers to repository [localhost:5000/nginx]
2bed47a66c07: Pushed
82caad489ad7: Pushed
d3e1dca44e82: Pushed
c9fcd9c6ced8: Pushed
0664b7821b60: Pushed
9321ff862abb: Pushed
latest: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570
I now delete the original nginx image:
docker rmi nginx
Untagged: nginx:latest
Untagged: nginx#sha256:9522864dd661dcadfd9958f9e0de192a1fdda2c162a35668ab6ac42b465f0603
... and the newely tagged one:
docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx#sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
Deleted: sha256:f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e
... but from where are they being deleted?
Now the image nginx should only be present in localhost:5000/? But docker images doesn't show it in it's output.
Moving on, I try to create the nginx pod once more using the image pushed to localhost:5000/nginx:latest.
kubectl run nginx --image=localhost:5000/nginx:latest --image-pull-policy=IfNotPresent
This is the new issue. The connection to localhost:5000 is refused.
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Pulling 1s kubelet Pulling image "localhost:5000/nginx:latest"
Warning Failed 1s kubelet Failed to pull image "localhost:5000/nginx:latest": rpc error: code = Unknown desc = Error response from daemon: Get "http://localhost:5000/v2/": dial tcp 127.0.0.1:5000: connect: connection refused
Warning Failed 1s kubelet Error: ErrImagePull
Normal BackOff 0s kubelet Back-off pulling image "localhost:5000/nginx:latest"
Why is it I can pull and push to localhost:5000, but pod creation fails with what appears to be an authorization issue? I try logging into the registry but no matter what I use for the username and user password, login is successful. This confuses me more.
I would try creating/specifying imagePullSecret, but based on docker login outcome, it doesn't make sense.
Clearly I not getting it.
Someone please have pity on me and show where I have lost my way.

I will try to bring some clarity to you despite the fact your question already contains about 1000 questions (and you'll probably have 1000 more after my answer :D)
Before you can begin to understand any of this, you need to learn a few basic things:
Docker produces images which are used by containers - it similar to Virtual Machine, but more lightweight (I'm oversimplifying, but the TL;DR is pretty much that).
Kubernetes is an orchestration tool - it is responsible for starting containers (by using already built images) and tracking their state (i.e. if this container has crashed it should be restarted, or if it's not started it should be started, etc)
Docker can run on any machine. To be able to start a container you need to build an image first. The image is essentially a lightweight mini OS (i.e. alpine, ubuntu, windows, etc) which is configured with only those dependencies you need to run your application. This image is then pushed to a public repository/registry (hub.docker.com) or to a private one. And afterwards it's used for starting containers.
Kubernetes builds on top of this and adds the "automation" layer which is responsible for scheduling and monitoring the containers. For example, you have a group of 10 servers all running nginx. One of those servers restarts - the nginx container will be automatically started by k8s.
A kubernetes cluster is the group of physical machines that are dedicated to the mentioned logical cluster. These machines have labels or tags which define the purpose of physical node and work as a constraint for where a container will be scheduled.
Now that I have explained the minimum basics in an oversimplified way I can move with answering your questions.
When you do docker run nginx - you are instructing docker to pull the nginx image from https://hub.docker.com/_/nginx and then start it on the machine you executed the command on (usually your local machine).
When you do kubectl run nginx --image=nginx - you are instructing Kubernetes to do something similar to 1. but in a cluster. The container will be deployed to a random machine somewhere in the cluster unless you put a nodeSelector or configure affinity. If you put a nodeSelector this container (called Pod in K8S) will be placed on that specific node.
You have started a private registry server on your local machine. It is crucial to know that localhost inside a container will point to the container itself.
It is worth mentioning that some of the kubernetes commands will create their own container for the execution phase of the command. (remember this!)
When you run kubectl run nginx --image=nginx everything works fine, because it is downloading the image from https://hub.docker.com/_/nginx.
When you run kubectl run nginx --image=localhost:5000/nginx you are telling kubernetes to instruct docker to look for the image at localhost which is ambiguous because you have multiple layers of containers running (check 4.). This means the command that will do docker pull localhost:5000/nginx also runs in a docker container -- so there is no service running at port :5000 (the registry is running in a completely different isolated container!) :D
And this is why you are getting Error: ErrImagePull - it can't resolve localhost as it points to itslef.
As for the docker rmi nginx and docker rmi localhost:5000/nginx commands - by running them you removed your local copy of the nginx images.
If you run docker run localhost:5000/nginx on the machine where you started docker run registry you should get a running nginx container.
You should definitely read the Docker Guide BEFORE you try to dig into Kubernetes or nothing will ever make sense.
Your head will stop hurting after that I promise... :D

TL;DR
docker images lists images stored in the docker daemon's data root, by default /var/lib/docker.
You're deploying images to Kubernetes, the images are pulled onto the node on which the pod is scheduled. For example, using Kubernetes in Docker:
kind create cluster
kubectl run nginx --image=nginx
docker exec -it $(kubectl get pod nginx -o jsonpath={.spec.nodeName}) crictl images
crictl is a command-line interface for CRI-compatible container runtimes.
Docker images are pulled from Docker Hub by default, not Github. When using a local docker registry, images are stored in the registry's data volume. The docker registry storage may be customized, by default data is stored in (storage.filesystem.rootdirectory) /var/lib/registry.
You can use tools like skopeo to list images stored in a docker registry, for example:
skopeo list-tags docker://localhost:5000/nginx --tls-verify=false

Not able to remove docker artifactory container

we are trying to get rid of an artifactory container.
Nothing helps, things tried so far:
docker rm -f artifactory
docker update --restart=no artifactory
reboot
container keeps starting up:
docker.bintray.io/jfrog/artifactory-oss:latest "/entrypoint-artifac…" 17 minutes ago Up 17 minutes 0.0.0.0:8081->8081/tcp artifactory
What options do we have?
We do not have a docker-compose yaml file
Thanks

are you using docker desktop? I am wondering if you have a k8s artifactory deployment. That can explain this behavior.
Try these commands
kubectl get deployments -A
if you find one, you can delete using
#kubectl -n namespace delete deployment deployment-name
kubectl -n artifactory delete deployment artifactory

i was able to remove the container by hand:
systemctl stop docker
docker ps --no-trunc to get the full container ID
cd /var/lib/docker/containers
rm -r <full container ID>
systemctl start docker
Thanks to you all for your help,
Bodo

Unable to PULL image into minikube from insecure private registry - http: server gave HTTP response to HTTPS client

On Ubuntu 18, I installed Docker (19.03.12) from these instructions
https://docs.docker.com/engine/install/ubuntu/
And then went through these steps
manage docker as non-root user
https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user
start on boot using systemd
https://docs.docker.com/engine/install/linux-postinstall/#configure-docker-to-start-on-boot
and set up a private docker registry using this
docker run -d -p 5000:5000 -e REGISTRY_DELETE_ENABLED=true --restart=always --name registry registry:2
I also added this to the daemon.json file
{ "insecure-registries" : ["my.registrydomain.lan:5000"] }
And restarted the docker daemon
sudo /etc/init.d/docker restart
I checked docker info to make sure the setting for insecure registry was applied and I saw this at the end so it seems ok
Insecure Registries:
my.registrydomain.lan:5000
127.0.0.0/8
On the same machine I start minikube (1.12.3) with this command
minikube start --driver=docker --memory=3000 --insecure-registry=my.registrydomain.lan:5000
So everything is running and fine, and I proceed to apply my deployments using kubectl except when I get to the pod that needs to pull the container form the local registry I get an ErrImagePull status. Here is part of my deployment
spec:
containers:
- name: my-container
image: my.registrydomain.lan:5000/name:1.0.0.9
imagePullPolicy: IfNotPresent
When I describe the pod that failed using
kubectl describe pod mypod-8474577f6f-bpmp2
I see this message
Failed to pull image "my.registrydomain.lan:5000/name:1.0.0.9": rpc
error: code = Unknown desc = Error response from daemon: Get
https://my.registrydomain.lan:5000/v2/: http: server gave HTTP
response to HTTPS client
EDIT: I forgot to mention that I am able to PUSH my images into the registry without any issues from a separate machine over http (machine is Windows 10 and I set the insecure registry option in the daemon config)

I tried to reproduce your issue with exact same settings that you provided and this works just fine. Image is being pulled without any problem. I tested this with my debian 9 and fresh ubuntu installation with this settings:
minikube version: v1.12.3
docker version: v19.03.12
k8s version: v1.18.3
ubuntu version: v18
What I`ve done what is not described in the question is to place an entry in minikube container hosts file:
root#minikube:/# cat /etc/hosts
...
10.128.5.6 my.registrydomain.lan
...
And the tag/push commands:
docker tag 4e2eef94cd6b my.registrydomain.lan:5000/name:1.0.0.9
docker push my.registrydomain.lan:5000/name:1.0.0.9
Here`s the describe from the pod:
Normal Pulling 8m19s (x5 over 10m) kubelet, minikube Pulling image "my.registrydomain.lan:5000/name:1.0.0.9"
As suggested in the comments already you may want to check this github case. It goes thru couple of solution of your problem:
First is to check your hosts file and update it correctly if you hosting your repository on another node. Second solution is related to pushing images in to repository which turned for the user that both insecure-registries and docker push command are case sensitive. Third one is to use systemd to control docker daemon.
Lastly If those would not help I would try to clear all settings, uninstall docker, clear docker configuration and start again from scratch.

Can't get my Docker Container to start and give me a shell

I am trying to get a Docker Container running. I am following this guide: http://opendata.cern.ch/docs/cms-guide-docker.
The container refuses to start and give me access to the shall I expect.
Running the following command (as mentioned in the guide) does nothing, the process exits with a non-0 exit code. The first time I ran it, it downloaded the container image but did not land me into the sell as the guide says it would.
$ docker run --name opendata-2010 -it cmsopendata/cmssw_4_2_8 /bin/bash
I can see the container, it exits soon as it starts.
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
be670158d200 cmsopendata/cmssw_5_3_32 "/opt/cms/entrypoint…" 34 minutes ago Exited (139) 3 seconds ago opendata
These are other things I have tried to no avail.
$ docker exec -it be670158d200 /bin/bash
Error response from daemon: Container be670158d200ae85871fbda810fa6074dcb7bc8fc606f000710f630add1b80b6 is not running
$ docker start --attach be670158d200
failed to resize tty, using default size
My question is similar to this: Docker - Container is not running, but I know that unlike in that question, here I should be getting the shell.
I am running this in Windows Subsystem for Linux 2 - Ubuntu 20.04, docker version 19.03.8 - build afacb8b7f0. Any help is greatly appreciated, thanks.

I had the same error with below logs
dockerd[15309]: time="2022-01-11T11:13:35.133154132+05:30" level=error msg="Handler for POST /v1.41/exec/94553dc2f9aaa3c1245df7384138786a8a576af99105a285258fce8b980b4660/resize returned error: timeout waiting for exec session ready"
This is a bug in docker 20.10 version and can be solved by downgrading containerd rpm
Removed:
containerd.io.x86_64 0:1.4.4-3.1.el7
Installed:
containerd.io.x86_64 0:1.4.3-3.1.el7

Docker dm_task_run failed error

Today I first time installed docker on Fedora 21. Now, I need change location of docker images folder from default /var/lib/docker.
After copying files (devicemapper subfolder skipped, docker service stopped) and changing /etc/sysconfig/docker (adding -g option), I run docker service again, no problems, devicemapper/metadata created.
Next, I'm trying to pull first image:
docker pull centos
But this error occured:
docker pull centos
latest: Pulling from docker.io/centos
6941bfcbbfca: Download complete
6941bfcbbfca: Error downloading dependent layers
41459f052977: Downloading [==========================> ] 41.61 MB/77.28 MB
fd44297e2ddb: Error pulling image (latest) from docker.io/centos, endpoint: https://registry-1.docker.io/v1/, Driver devicemapper failed to create image rootfs 6941bfcbbfca7f4f48becd38f2639157042bfd44297e2ddb: Error pulling image (latest) from docker.io/centos, Driver devicemapper failed to create image rootfs 6941bfcbbfca7f4f48becd38f2639157042b5cf9ab8c080f1d8b6d047380ecfc: Error running DeviceCreate (createSnapDevice) dm_task_run failed
FATA[0013] Error pulling image (latest) from docker.io/centos, Driver devicemapper failed to create image rootfs 6941bfcbbfca7f4f48becd38f2639157042b5cf9ab8c080f1d8b6d047380ecfc: Error running DeviceCreate (createSnapDevice) dm_task_run failed
If I try this without changing location - ok, no problems.
How to fix it?

1) service docker stop
2) thin_check /home/docker/devicemapper/devicemapper/metadata
3) thin_check --clear-needs-check-flag /home/docker/devicemapper/devicemapper/metadata
4) service docker start

As seen in issue 3721, this generally is a disk space issue.
The problem is that docker rmi doesn't always work in that case:
Getting this in v1.2 on CentOS 6.5 if a disk fills up before the image finishes pulling. Unable to rmi the incomplete image.
One "nuclear" option:
removing everything in /var/lib/docker worked out. Thanks
Another reason can be a common layer of fs to be downloaded between two images.

This was worked for me,
mv -f /var/lib/docker/* /data/tmp
systemctl restart docker.service
docker system prune -a

this could be caused when disk usage got full you can check this by doing df -h if so clean up unwanted space or can prune docker by doing docker system prune once after freeing up space , stop docker because thin_check cannot be run on live metadata.
systemctl stop docker
thin_check /var/lib/docker/devicemapper/devicemapper/metadata
check for error if noting clear check flag by
thin_check --clear-needs-check-flag /var/lib/docker/devicemapper/devicemapper/metadata
then start docker
systemctl start docker.service
if thin check not installed
yum install -y device-mapper-persistent-data
for centos
apt-get install -y thin-provisioning-tools

Got this today.
sudo reboot
Problem's out.

I encounter another dm_task_run issue during docker import, for my case, I yum erase docker.x86_64; yum install docker.x86_64; systemctl start docker.service works.