Can the Docker registry store base images? - docker-registry

We're setting up a server to host Windows containers.
This server gets the images from an internal Docker registry we have setup.
The issue is that the server is unable to pull down images because it's trying to get a base image from the internet, and the server has no internet connection.
I found a troubleshooting script from Microsoft and noticed one passage:
At least one of 'microsoft/windowsservercore' or 'microsoft/nanoserver' should be installed.
Try docker pull microsoft/nanoserver or docker pull microsoft/windowsservercore to pull a Windows container image.
Since my PC has an internet connection, I downloaded these images and pushed them to the registry, but pulling the images on the new server fails:
The description for Event ID '1' in Source 'docker' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'Error initiating layer download: Get https://go.microsoft.com/fwlink/?linkid=860052: dial tcp 23.207.173.222:443: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.'
The link it's trying to reach is a base image on the internet, but I thought the registry stored the complete image, so what gives? Is it really not possible to store the base images in a registry?

Doing some reading I found this: https://docs.docker.com/registry/deploying/#considerations-for-air-gapped-registries
Certain images, such as the official Microsoft Windows base images, are not distributable. This means that when you push an image based on one of these images to your private registry, the non-distributable layers are not pushed, but are always fetched from their authorized location. This is fine for internet-connected hosts, but will not work in an air-gapped set-up.
The doc then details how to set up the registry to store non-distributable layers, but it also says to be mindful of the terms of use for non-distributable layers.
So two possible solutions are:
Make sure the terms of use allow you to store the non-distributable layers, then reconfigure the setup so those layers are stored (see the sketch below)
Connect the server to the internet, download the base images, then use those images
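For the first solution, the relevant switch lives in the Docker daemon configuration on the host that does the pushing, per the air-gapped registry doc linked above. A minimal sketch, assuming your registry is reachable at registry.internal:5000 (substitute your own hostname) and a Linux push host; on a Windows push host the same key goes in C:\ProgramData\docker\config\daemon.json and you restart the Docker service instead:

    # Caution: tee overwrites the file; if you already have settings in
    # /etc/docker/daemon.json, merge this key in by hand instead.
    cat <<'EOF' | sudo tee /etc/docker/daemon.json
    {
      "allow-nondistributable-artifacts": ["registry.internal:5000"]
    }
    EOF
    sudo systemctl restart docker
    # Re-push so the foreign (non-distributable) layers are uploaded this time
    docker tag microsoft/windowsservercore registry.internal:5000/microsoft/windowsservercore
    docker push registry.internal:5000/microsoft/windowsservercore

With that key set, the daemon uploads the Windows base layers to the listed registry instead of leaving them as references to Microsoft's servers, so offline clients can pull the complete image.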

Related

Know domain name called from docker-compose download step

How can I know which domains are used for the download of my Docker image?
I need this because the server I'm using only allows a specific list of domain names for outside traffic.
If you pull an image by simply using its name (e.g. docker pull postgres), the image probably comes from Docker Hub. Otherwise the registry you're pulling the image from will be listed in the name (e.g. docker pull quay.io/keycloak/keycloak:20.0.1); see the Docker documentation.
I ended up using Wireshark to capture every DNS packet and looking up the domain names present.
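If Wireshark isn't available on the host, a rough equivalent with tcpdump works too. A minimal sketch, assuming tcpdump is installed and the pull runs on the same machine:

    # Terminal 1: watch DNS queries (port 53) while the pull runs
    sudo tcpdump -i any -nn port 53
    # Terminal 2: trigger the pull and note which names get resolved
    docker pull postgres

The names that appear in the A/AAAA queries (e.g. registry-1.docker.io for Docker Hub) are the domains to add to the firewall allow-list.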

docker pull issue with artifactory and microsoft

I have a strange problem with Docker and pulling Microsoft images.
Used command docker pull mcr.microsoft.com/dotnet/sdk:6.0
Server 1: no issue
Server 2: Error response from daemon: Get "https://mcr.microsoft.com/v2/": dial tcp 13.69.64.80:443: connect: connection refused
Both servers are
behind the firewall
configured with the same /etc/docker/daemon.json, which points to the internal Artifactory instance
Commands like docker pull sonarsource/sonar-scanner-cli work on both servers without an issue.
Pulling private images from Artifactory also works on both servers.
Any idea what causes this behavior?
Is your remote repo proxying mcr.microsoft.com, and is it configured to cache foreign layers?
When the Docker client builds an image from a local base image and publishes it to Artifactory, Artifactory gets the manifest, but the manifest references foreign layers that are remote, and Artifactory does not go out and fetch them into a local repository. The behavior we observed appears to be related to the RTFACT-22938 Jira issue. If the foreign layers from the base image are not cached locally, Artifactory will not fetch those layers; for Artifactory to retrieve the foreign layers as well, all of the base image's layers need to be cached in Artifactory.
Since Microsoft constantly changes the tags of its images, and the manifest changes with them, previously pulled layers will not be reused once they are no longer referenced in the manifest. Re-tagging the images with custom tags is one way to avoid this situation (a sketch follows).
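A rough sketch of the re-tag idea, with artifactory.example.com/docker-local standing in for your own Artifactory registry and repository path:

    # Pull the upstream image while its current manifest is valid
    docker pull mcr.microsoft.com/dotnet/sdk:6.0
    # Pin it under a custom tag in your own registry so later upstream
    # re-tags don't invalidate the cached layers
    docker tag mcr.microsoft.com/dotnet/sdk:6.0 artifactory.example.com/docker-local/dotnet/sdk:6.0-pinned
    docker push artifactory.example.com/docker-local/dotnet/sdk:6.0-pinned

Clients then pull the pinned tag rather than going through the proxy to mcr.microsoft.com each time.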

Deploying dockerized web app into a closed system

We have to deploy a dockerized web app into a closed external system (our client's server).
(Our image is made up of Gunicorn, nginx, and a Django/Python web app.)
There are a few options I have already considered:
option-1) using docker registries: push the image into a registry, pull it from the client's system, and run docker-compose up with the pulled image
option-2) docker save/load .tar files: docker save the image in the local dev environment, move the .tar file onto the client's system, and run docker load there (see the sketch after this list)
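For reference, a minimal sketch of option-2, assuming the image is tagged myapp:1.2.0 (a placeholder):

    # On the dev machine where the image exists:
    docker save -o myapp-1.2.0.tar myapp:1.2.0
    # Move the .tar onto the client's server by an approved channel, then:
    docker load -i myapp-1.2.0.tar

Note that docker save always exports all of the image's layers, which is why this option conflicts with the "copy only the changed parts" requirement below.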
Our current approach:
we want to move the source code inside a docker image (if possible).
we can't make our private docker registry public -- yet -- (so option-1 is gone)
client servers are only accessible from their internal local network (no connection to any other external network)
we don't want to copy all the files when we make an update to our app; what we want is to somehow detect the diff/changes in the docker image and copy/move/update only the changed parts of the app onto the client's server (so option-2 is gone too)
Is there any better way to deploy to client's server with the approach explained above?
PS: I'm currently looking at docker commit: what we could do is docker load our base image onto the client's server, start a container from that image, and when we have an update, just copy our changed files into that container's file system and then docker commit (in order to keep the changed version of the container). The thing I don't like about that option is that we would need to keep track of the changes ourselves and then move the changed files (like updated .py or .html files) to the client's server. A sketch of that workflow follows.
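A hedged sketch of the docker commit workflow described above; the container name webapp and the file paths are placeholders:

    # Copy the changed file into the running container's filesystem
    docker cp ./app/views.py webapp:/app/views.py
    # Snapshot the container as a new image so the change survives recreation
    docker commit webapp myapp:patched-001

The drawback mentioned above stands: nothing here tracks which files changed, so the diff bookkeeping is entirely manual.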
Thanks in advance

Docker image layer verification

I need to know about offline usage of a registry for docker images.
When a Docker image is pulled from the official Microsoft registry, adjusted, and then pushed to a registry, is it the complete image or are layers missing?
When other hosts pull the image from the registry, which might be used offline, will the client host still need an internet connection to pull missing/secret layers from the Microsoft server? (Or is it a full image that was pulled from Microsoft and later pushed to the registry?)
What about signatures? Will those get updated automatically for each layer when the image gets adjusted (applications stored within, etc.), so that there are no verification errors when other clients pull the adjusted image from the local registry?
When you build an image from another image, Docker downloads the base image locally to your computer; you can even save it as a file.
When you push an image to a local registry, it pushes the complete image, including the base image it was built from.
When someone pulls the new image from your local registry, they won't need internet access.
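One way to check the first point yourself is to inspect the image's manifest and look for foreign layers. A sketch, assuming a reasonably recent Docker CLI with docker manifest inspect available, and using a current Windows base image tag as the example:

    docker manifest inspect mcr.microsoft.com/windows/nanoserver:ltsc2022
    # Layers with mediaType "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip"
    # and a "urls" field are non-distributable: by default they are fetched from
    # Microsoft's servers rather than from your registry.

If the manifest shows such layers, the answer above may need the caveat from the air-gapped registry docs quoted earlier: those layers are only stored in your registry if the pushing daemon allows non-distributable artifacts.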

Is there a way to track where/when a given Docker image in my registry has been run?

If I want to know where and when a Docker image in my container registry has been run (e.g., for audit purposes, to see what images are being used the most, or to see if an image is truly stale before deleting it), what are the best tools for getting that information?
(For example, for a VM analogy on AWS: I could check the log of API calls via AWS CloudTrail for when EC2 instances have started and stopped, get the instance IDs, and then join that against the VM image that was running on those instances.)
Docker images are downloaded from the registry onto hosts, so you would not know when someone starts a container from an image pulled earlier: the image is already downloaded.
There is in fact no way for you to know that an image has started on a host, unless you implement proper reporting in the bootstrap/entrypoint (a sketch follows below).
Cluster orchestrators can of course give you adequate reporting on when pods/containers are started, but you should refer to the respective documentation for that.
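A minimal sketch of that entrypoint-reporting idea; AUDIT_URL and IMAGE_REF are hypothetical values you would inject at build or run time:

    #!/bin/sh
    # Report the start event to your own audit endpoint, then hand off to the app.
    # The trailing "|| true" keeps the app starting even if the report fails.
    curl -fsS -X POST "$AUDIT_URL" \
      --data "image=$IMAGE_REF&host=$(hostname)&ts=$(date -u +%FT%TZ)" || true
    exec "$@"   # exec so the app receives signals directly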
You could also attach to each Docker daemon and listen to its events:
https://docs.docker.com/engine/reference/commandline/events/
You can filter them by various criteria.
Docker images report the following events:
delete
import
load
pull
push
save
tag
untag
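For example, to watch pulls live on a daemon, or to query a past window (the timestamps are placeholders):

    # Live stream of image pulls on this daemon
    docker events --filter 'type=image' --filter 'event=pull'
    # Historical query over a date range
    docker events --since '2023-01-01' --until '2023-02-01' --filter 'type=image'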
