Extended Registry Configuration

Maintaining the Registry IP Address

OKD refers to the integrated registry by its service IP address, so if you decide to delete and recreate the docker-registry service, you can ensure a completely transparent transition by arranging to re-use the old IP address in the new service. If a new IP address cannot be avoided, you can minimize cluster disruption by rebooting only the masters.

Re-using the Address

To re-use the IP address, you must save the IP address of the old docker-registry service prior to deleting it, and arrange to replace the newly assigned IP address with the saved one in the new docker-registry service.

  1. Make a note of the clusterIP for the service:

    1. $ oc get svc/docker-registry -o yaml | grep clusterIP:
  2. Delete the service:

    1. $ oc delete svc/docker-registry dc/docker-registry
  3. Create the registry definition in registry.yaml, replacing <options> with, for example, those used in step 3 of the instructions in the Non-Production Use section:

    1. $ oc adm registry <options> -o yaml > registry.yaml
  4. Edit registry.yaml, find the Service there, and change its clusterIP to the address noted in step 1.

  5. Create the registry using the modified registry.yaml:

    1. $ oc create -f registry.yaml

Rebooting the Masters

If you are unable to re-use the IP address, any operation that uses a pull specification that includes the old IP address will fail. To minimize cluster disruption, you must reboot the masters:

  1. # master-restart api
  2. # master-restart controllers

This ensures that the old registry URL, which includes the old IP address, is cleared from the cache.

We recommend against rebooting the entire cluster because that incurs unnecessary downtime for pods and does not actually clear the cache.

Configuring an External Registry Search List

You can use the /etc/containers/registries.conf file to create a list of Docker registries to search for container images.

The /etc/containers/registries.conf file is a list of registry servers that OKD should search against when a user pulls an image using the image short name, such as: myimage:latest. You can customize the order of the search, specify secure and insecure registries, and define a blocked registry list. OKD does not search or allow pulls from registries on the blocked list.

For example, if a user wants to pull the myimage:latest image, OKD searches the registries in the order they appear in the list until it finds the myimage:latest.

The registry search list allows you to curate a set of images and templates that are available for download by OKD users. You can place these images in one or more Docker registries, add the registry to the list, and pull those images into your cluster.

When using the registry search list, OKD will not pull images from a registry that is not in the search list.

To configure a registry search list:

  1. Edit the /etc/containers/registries.conf file to add or edit the following parameters as needed:

    1. [registries.search] (1)
    2. registries = ["reg1.example.com", "reg2.example.com"]
    3. [registries.insecure] (2)
    4. registries = ["reg3.example.com"]
    5. [registries.block] (3)
    6. registries = ['docker.io']
    1Specify the secure registries from which users can download images using SSL/TLS.
    2Specify the insecure registries from which users can download images without TLS.
    3Specify the registries from which users cannot download images.

Setting the Registry Host Name

You can configure the host name and port the registry is known by for both internal and external references. By doing this, image streams will provide hostname based push and pull specifications for images, allowing consumers of the images to be isolated from changes to the registry service IP and potentially allowing image streams and their references to be portable between clusters.

To set the hostname used to reference the registry from within the cluster, set the internalRegistryHostname in the imagePolicyConfig section of the master configuration file. The external host name is controlled by setting the externalRegistryHostname value in the same location.

Image Policy Configuration

  1. imagePolicyConfig:
  2. internalRegistryHostname: docker-registry.default.svc.cluster.local:5000
  3. externalRegistryHostname: docker-registry.mycompany.com

The registry itself must be configured with the same internal hostname value. This can be accomplished by setting the **REGISTRY_OPENSHIFT_SERVER_ADDR** environment variable on the registry deployment configuration, or by setting the value in the OpenShift section of the registry configuration.

If you have enabled TLS for your registry the server certificate must include the hostnames by which you expect the registry to be referenced. See securing the registry for instructions on adding hostnames to the server certificate.

Overriding the Registry Configuration

You can override the integrated registry’s default configuration, found by default at /config.yml in a running registry’s container, with your own custom configuration.

Upstream configuration options in this file may also be overridden using environment variables. The middleware section is an exception as there are just a few options that can be overridden using environment variables. Learn how to override specific configuration options.

To enable management of the registry configuration file directly and deploy an updated configuration using a **ConfigMap**:

  1. Deploy the registry.

  2. Edit the registry configuration file locally as needed. The initial YAML file deployed on the registry is provided below. Review supported options.

    Registry Configuration File

    1. version: 0.1
    2. log:
    3. level: debug
    4. http:
    5. addr: :5000
    6. storage:
    7. cache:
    8. blobdescriptor: inmemory
    9. filesystem:
    10. rootdirectory: /registry
    11. delete:
    12. enabled: true
    13. auth:
    14. openshift:
    15. realm: openshift
    16. middleware:
    17. registry:
    18. - name: openshift
    19. repository:
    20. - name: openshift
    21. options:
    22. acceptschema2: true
    23. pullthrough: true
    24. enforcequota: false
    25. projectcachettl: 1m
    26. blobrepositorycachettl: 10m
    27. storage:
    28. - name: openshift
    29. openshift:
    30. version: 1.0
    31. metrics:
    32. enabled: false
    33. secret: <secret>
  3. Create a **ConfigMap** holding the content of each file in this directory:

    1. $ oc create configmap registry-config \
    2. --from-file=</path/to/custom/registry/config.yml>/
  4. Add the registry-config ConfigMap as a volume to the registry’s deployment configuration to mount the custom configuration file at /etc/docker/registry/:

    1. $ oc set volume dc/docker-registry --add --type=configmap \
    2. --configmap-name=registry-config -m /etc/docker/registry/
  5. Update the registry to reference the configuration path from the previous step by adding the following environment variable to the registry’s deployment configuration:

    1. $ oc set env dc/docker-registry \
    2. REGISTRY_CONFIGURATION_PATH=/etc/docker/registry/config.yml

This may be performed as an iterative process to achieve the desired configuration. For example, during troubleshooting, the configuration may be temporarily updated to put it in debug mode.

To update an existing configuration:

This procedure will overwrite the currently deployed registry configuration.

  1. Edit the local registry configuration file, config.yml.

  2. Delete the registry-config configmap:

    1. $ oc delete configmap registry-config
  3. Recreate the configmap to reference the updated configuration file:

    1. $ oc create configmap registry-config\
    2. --from-file=</path/to/custom/registry/config.yml>/
  4. Redeploy the registry to read the updated configuration:

    1. $ oc rollout latest docker-registry

Maintain configuration files in a source control repository.

Registry Configuration Reference

There are many configuration options available in the upstream docker distribution library. Not all configuration options are supported or enabled. Use this section as a reference when overriding the registry configuration.

Upstream configuration options in this file may also be overridden using environment variables. However, the middleware section may not be overridden using environment variables. Learn how to override specific configuration options.

Log

Upstream options are supported.

Example:

  1. log:
  2. level: debug
  3. formatter: text
  4. fields:
  5. service: registry
  6. environment: staging

Hooks

Mail hooks are not supported.

Storage

This section lists the supported registry storage drivers. See the container image registry documentation for more information.

The following list includes storage drivers that need to be configured in the registry’s configuration file:

General registry storage configuration options are supported. See the container image registry documentation for more information.

The following storage options need to be configured through the filesystem driver:

For more information on supported persistent storage drivers, see Configuring Persistent Storage and Persistent Storage Examples.

General Storage Configuration Options

  1. storage:
  2. delete:
  3. enabled: true (1)
  4. redirect:
  5. disable: false
  6. cache:
  7. blobdescriptor: inmemory
  8. maintenance:
  9. uploadpurging:
  10. enabled: true
  11. age: 168h
  12. interval: 24h
  13. dryrun: false
  14. readonly:
  15. enabled: false
1This entry is mandatory for image pruning to work properly.

Auth

Auth options should not be altered. The openshift extension is the only supported option.

  1. auth:
  2. openshift:
  3. realm: openshift

Middleware

The repository middleware extension allows to configure OKD middleware responsible for interaction with OKD and image proxying.

  1. middleware:
  2. registry:
  3. - name: openshift (1)
  4. repository:
  5. - name: openshift (1)
  6. options:
  7. acceptschema2: true (2)
  8. pullthrough: true (3)
  9. mirrorpullthrough: true (4)
  10. enforcequota: false (5)
  11. projectcachettl: 1m (6)
  12. blobrepositorycachettl: 10m (7)
  13. storage:
  14. - name: openshift (1)
1These entries are mandatory. Their presence ensures required components are loaded. These values should not be changed.
2Allows you to store manifest schema v2 during a push to the registry. See below for more details.
3Allows the registry to act as a proxy for remote blobs. See below for more details.
4Allows the registry cache blobs to be served from remote registries for fast access later. The mirroring starts when the blob is accessed for the first time. The option has no effect if the pullthrough is disabled.
5Prevents blob uploads exceeding the size limit, which are defined in the targeted project.
6An expiration timeout for limits cached in the registry. The lower the value, the less time it takes for the limit changes to propagate to the registry. However, the registry will query limits from the server more frequently and, as a consequence, pushes will be slower.
7An expiration timeout for remembered associations between blob and repository. The higher the value, the higher probability of fast lookup and more efficient registry operation. On the other hand, memory usage will raise as well as a risk of serving image layer to user, who is no longer authorized to access it.

S3 Driver Configuration

If you want to use a S3 region that is not supported by the integrated registry you are using, then you can specify a regionendpoint to avoid the region validation error.

For more information about using Amazon Simple Storage Service storage, see Amazon S3 as a Storage Back-end.

For example:

  1. version: 0.1
  2. log:
  3. level: debug
  4. http:
  5. addr: :5000
  6. storage:
  7. cache:
  8. blobdescriptor: inmemory
  9. delete:
  10. enabled: true
  11. s3:
  12. accesskey: BJKMSZBRESWJQXRWMAEQ
  13. secretkey: 5ah5I91SNXbeoUXXDasFtadRqOdy62JzlnOW1goS
  14. bucket: docker.myregistry.com
  15. region: eu-west-3
  16. regionendpoint: https://s3.eu-west-3.amazonaws.com
  17. auth:
  18. openshift:
  19. realm: openshift
  20. middleware:
  21. registry:
  22. - name: openshift
  23. repository:
  24. - name: openshift
  25. storage:
  26. - name: openshift

Verify the region and regionendpoint fields are consistent between themselves. Otherwise the integrated registry will start, but it can not read or write anything to the S3 storage.

The regionendpoint can also be useful if you use a S3 storage different from the Amazon S3.

CloudFront Middleware

The CloudFront middleware extension can be added to support AWS, CloudFront CDN storage provider. CloudFront middleware speeds up distribution of image content internationally. The blobs are distributed to several edge locations around the world. The client is always directed to the edge with the lowest latency.

The CloudFront middleware extension can be only used with S3 storage. It is utilized only during blob serving. Therefore, only blob downloads can be speeded up, not uploads.

The following is an example of minimal configuration of S3 storage driver with a CloudFront middleware:

  1. version: 0.1
  2. log:
  3. level: debug
  4. http:
  5. addr: :5000
  6. storage:
  7. cache:
  8. blobdescriptor: inmemory
  9. delete:
  10. enabled: true
  11. s3: (1)
  12. accesskey: BJKMSZBRESWJQXRWMAEQ
  13. secretkey: 5ah5I91SNXbeoUXXDasFtadRqOdy62JzlnOW1goS
  14. region: us-east-1
  15. bucket: docker.myregistry.com
  16. auth:
  17. openshift:
  18. realm: openshift
  19. middleware:
  20. registry:
  21. - name: openshift
  22. repository:
  23. - name: openshift
  24. storage:
  25. - name: cloudfront (2)
  26. options:
  27. baseurl: https://jrpbyn0k5k88bi.cloudfront.net/ (3)
  28. privatekey: /etc/docker/cloudfront-ABCEDFGHIJKLMNOPQRST.pem (4)
  29. keypairid: ABCEDFGHIJKLMNOPQRST (5)
  30. - name: openshift
1The S3 storage must be configured the same way regardless of CloudFront middleware.
2The CloudFront storage middleware needs to be listed before OpenShift middleware.
3The CloudFront base URL. In the AWS management console, this is listed as Domain Name of CloudFront distribution.
4The location of your AWS private key on the filesystem. This must be not confused with Amazon EC2 key pair. See the AWS documentation on creating CloudFront key pairs for your trusted signers. The file needs to be mounted as a secret into the registry pod.
5The ID of your Cloudfront key pair.

Overriding Middleware Configuration Options

The middleware section cannot be overridden using environment variables. There are a few exceptions, however. For example:

  1. middleware:
  2. repository:
  3. - name: openshift
  4. options:
  5. acceptschema2: true (1)
  6. pullthrough: true (2)
  7. mirrorpullthrough: true (3)
  8. enforcequota: false (4)
  9. projectcachettl: 1m (5)
  10. blobrepositorycachettl: 10m (6)
1A configuration option that can be overridden by the boolean environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ACCEPTSCHEMA2, which allows for the ability to accept manifest schema v2 on manifest put requests. Recognized values are true and false (which applies to all the other boolean variables below).
2A configuration option that can be overridden by the boolean environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PULLTHROUGH, which enables a proxy mode for remote repositories.
3A configuration option that can be overridden by the boolean environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_MIRRORPULLTHROUGH, which instructs registry to mirror blobs locally if serving remote blobs.
4A configuration option that can be overridden by the boolean environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA, which allows the ability to turn quota enforcement on or off. By default, quota enforcement is off.
5A configuration option that can be overridden by the environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_PROJECTCACHETTL, specifying an eviction timeout for project quota objects. It takes a valid time duration string (for example, 2m). If empty, you get the default timeout. If zero (0m), caching is disabled.
6A configuration option that can be overridden by the environment variable REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_BLOBREPOSITORYCACHETTL, specifying an eviction timeout for associations between blob and containing repository. The format of the value is the same as in projectcachettl case.

Image Pullthrough

If enabled, the registry will attempt to fetch requested blob from a remote registry unless the blob exists locally. The remote candidates are calculated from DockerImage entries stored in status of the image stream, a client pulls from. All the unique remote registry references in such entries will be tried in turn until the blob is found.

Pullthrough will only occur if an image stream tag exists for the image being pulled. For example, if the image being pulled is **docker-registry.default.svc:5000/yourproject/yourimage:prod** then the registry will look for an image stream tag named **yourimage:prod** in the project **yourproject**. If it finds one, it will attempt to pull the image using the **dockerImageReference** associated with that image stream tag.

When performing pullthrough, the registry will use pull credentials found in the project associated with the image stream tag that is being referenced. This capability also makes it possible for you to pull images that reside on a registry they do not have credentials to access, as long as you have access to the image stream tag that references the image.

You must ensure that your registry has appropriate certificates to trust any external registries you do a pullthrough against. The certificates need to be placed in the /etc/pki/tls/certs directory on the pod. You can mount the certificates using a configuration map or secret. Note that the entire /etc/pki/tls/certs directory must be replaced. You must include the new certificates and replace the system certificates in your secret or configuration map that you mount.

Note that by default image stream tags use a reference policy type of **Source** which means that when the image stream reference is resolved to an image pull specification, the specification used will point to the source of the image. For images hosted on external registries, this will be the external registry and as a result the resource will reference and pull the image by the external registry. For example, **registry.redhat.io/openshift3/jenkins-2-rhel7** and pullthrough will not apply. To ensure that resources referencing image streams use a pull specification that points to the internal registry, the image stream tag should use a reference policy type of **Local**. More information is available on Reference Policy.

This feature is on by default. However, it can be disabled using a configuration option.

By default, all the remote blobs served this way are stored locally for subsequent faster access unless mirrorpullthrough is disabled. The downside of this mirroring feature is an increased storage usage.

The mirroring starts when a client tries to fetch at least a single byte of the blob. To pre-fetch a particular image into integrated registry before it is actually needed, you can run the following command:

  1. $ oc get imagestreamtag/${IS}:${TAG} -o jsonpath=’{ .image.dockerImageLayers[*].name }’ | \
  2. xargs -n1 -I {} curl -H Range: bytes=0-1 -u user:${TOKEN} \
  3. http://${REGISTRY_IP}:${PORT}/v2/default/mysql/blobs/{}

This OKD mirroring feature should not be confused with the upstream registry pull through cache feature, which is a similar but distinct capability.

Manifest Schema v2 Support

Each image has a manifest describing its blobs, instructions for running it and additional metadata. The manifest is versioned, with each version having different structure and fields as it evolves over time. The same image can be represented by multiple manifest versions. Each version will have different digest though.

The registry currently supports manifest v2 schema 1 (schema1) and manifest v2 schema 2 (schema2). The former is being obsoleted but will be supported for an extended amount of time.

The default configuration is to store schema2.

You should be wary of compatibility issues with various Docker clients:

  • Docker clients of version 1.9 or older support only schema1. Any manifest this client pulls or pushes will be of this legacy schema.

  • Docker clients of version 1.10 support both schema1 and schema2. And by default, it will push the latter to the registry if it supports newer schema.

The registry, storing an image with schema1 will always return it unchanged to the client. Schema2 will be transferred unchanged only to newer Docker client. For the older one, it will be converted on-the-fly to schema1.

This has significant consequences. For example an image pushed to the registry by a newer Docker client cannot be pulled by the older Docker by its digest. That’s because the stored image’s manifest is of schema2 and its digest can be used to pull only this version of manifest.

Once you’re confident that all the registry clients support schema2, you’ll be safe to enable its support in the registry. See the middleware configuration reference above for particular option.

OpenShift

This section reviews the configuration of global settings for features specific to OKD. In a future release, openshift-related settings in the Middleware section will be obsoleted.

Currently, this section allows you to configure registry metrics collection:

  1. openshift:
  2. version: 1.0 (1)
  3. server:
  4. addr: docker-registry.default.svc (2)
  5. metrics:
  6. enabled: false (3)
  7. secret: <secret> (4)
  8. requests:
  9. read:
  10. maxrunning: 10 (5)
  11. maxinqueue: 10 (6)
  12. maxwaitinqueue 2m (7)
  13. write:
  14. maxrunning: 10 (8)
  15. maxinqueue: 10 (9)
  16. maxwaitinqueue 2m (10)
1A mandatory entry specifying configuration version of this section. The only supported value is 1.0.
2The hostname of the registry. Should be set to the same value configured on the master. It can be overridden by the environment variable REGISTRY_OPENSHIFT_SERVER_ADDR.
3Can be set to true to enable metrics collection. It can be overridden by the boolean environment variable REGISTRY_OPENSHIFT_METRICS_ENABLED.
4A secret used to authorize client requests. Metrics clients must use it as a bearer token in Authorization header. It can be overridden by the environment variable REGISTRY_OPENSHIFT_METRICS_SECRET.
5Maximum number of simultaneous pull requests. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_READ_MAXRUNNING. Zero indicates no limit.
6Maximum number of queued pull requests. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_READ_MAXINQUEUE. Zero indicates no limit.
7Maximum time a pull request can wait in the queue before being rejected. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_READ_MAXWAITINQUEUE. Zero indicates no limit.
8Maximum number of simultaneous push requests. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_WRITE_MAXRUNNING. Zero indicates no limit.
9Maximum number of queued push requests. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_WRITE_MAXINQUEUE. Zero indicates no limit.
10Maximum time a push request can wait in the queue before being rejected. It can be overridden by the environment variable REGISTRY_OPENSHIFT_REQUESTS_WRITE_MAXWAITINQUEUE. Zero indicates no limit.

See Accessing Registry Metrics for usage information.

Reporting

Reporting is unsupported.

HTTP

Upstream options are supported. Learn how to alter these settings via environment variables. Only the tls section should be altered. For example:

  1. http:
  2. addr: :5000
  3. tls:
  4. certificate: /etc/secrets/registry.crt
  5. key: /etc/secrets/registry.key

Notifications

Upstream options are supported. The REST API Reference provides more comprehensive integration options.

Example:

  1. notifications:
  2. endpoints:
  3. - name: registry
  4. disabled: false
  5. url: https://url:port/path
  6. headers:
  7. Accept:
  8. - text/plain
  9. timeout: 500
  10. threshold: 5
  11. backoff: 1000

Redis

Redis is not supported.

Health

Upstream options are supported. The registry deployment configuration provides an integrated health check at /healthz.

Proxy

Proxy configuration should not be enabled. This functionality is provided by the OKD repository middleware extension, pullthrough: true.

Cache

The integrated registry actively caches data to reduce the number of calls to slow external resources. There are two caches:

  1. The storage cache that is used to cache blobs metadata. This cache does not have an expiration time and the data is there until it is explicitly deleted.

  2. The application cache contains association between blobs and repositories. The data in this cache has an expiration time.

In order to completely turn off the cache, you need to change the configuration:

  1. version: 0.1
  2. log:
  3. level: debug
  4. http:
  5. addr: :5000
  6. storage:
  7. cache:
  8. blobdescriptor: "" (1)
  9. openshift:
  10. version: 1.0
  11. cache:
  12. disabled: true (2)
  13. blobrepositoryttl: 10m
1Disables cache of metadata accessed in the storage backend. Without this cache, the registry server will constantly access the backend for metadata.
2Disables the cache in which contains the blob and repository associations. Without this cache, the registry server will continually re-query the data from the master API and recompute the associations.