Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
q
quick-keyboard-83126
06/29/2022, 8:49 PMSo, I'd like to use
docker buildx build--pushdocker run -d -p 5001:5000 --restart=always --name registry registry:2Server: AirTunes/615.12.1error: failed to solve: failed to do request: Head "https://<my-non-localhost-ip>:5001/v2/foo/blobs/sha256:<random-sha>": http: server gave HTTP response to HTTPS clientregistryhttpdockerhttpslima vmf
fast-garage-66093
06/29/2022, 9:07 PMYou either have to configure it as an "insecure registry" or provide certs for your registry (even self-signed work if you add your CA to you local keychain)
q
quick-keyboard-83126
06/29/2022, 9:07 PMThis whole thing is really suboptimal
local keychain = macOS?
as opposed to lima?
f
fast-garage-66093
06/29/2022, 9:08 PMYes, Rancher Desktop will automatically import all CA certs into the VM on startup
q
quick-keyboard-83126
06/29/2022, 9:08 PMIt'd be really nice if there was a:
☑️ Run local docker registry
👍 1
f
fast-garage-66093
06/29/2022, 9:09 PMYeah, I think one day we'll add this, but not right now
BTW, from my notes testing an insecure registry:
lima-rancher-desktop:~# tail -1 /etc/conf.d/docker
DOCKER_OPTS="--insecure-registry=insecure.home:80"You need to restart the docker service after making the change
q
quick-keyboard-83126
06/29/2022, 9:11 PMThis is so very very very messy
f
fast-garage-66093
06/29/2022, 9:11 PMThis is a docker requirement; only localhost based registry will work without SSL; everything else must be declared as an insecure registry first
q
quick-keyboard-83126
06/29/2022, 9:12 PMAll I really want is to a way to build a multiplatform image and then build another multiplatform image that depends on that first one
f
fast-garage-66093
06/29/2022, 9:12 PMAdding certs to a registry is pretty trivial; no reason not to do it
q
quick-keyboard-83126
06/29/2022, 9:12 PMI shouldn't have to set up a registry at all
👍 1
I really really really really don't want to run a registry.
If it was a vaguely simple task to workaround a really stupid wart, I could tolerate doing it. But this far exceeds that.
f
fast-garage-66093
06/29/2022, 9:13 PMI don't understand why you have to; do you have a repro case you can share (hopefully somewhat limited in scope)?
q
quick-keyboard-83126
06/29/2022, 9:13 PMYeah, gimme a few bits
(cd foo; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t foo .); (cd bar; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t bar .)
from busybox
RUN echo 'hello' > world
WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
[+] Building 0.2s (8/8) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 76B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [linux/amd64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.2s
=> [linux/arm64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.2s
=> [linux/arm64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> [linux/amd64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> CACHED [linux/arm64 2/2] RUN echo 'hello' > world 0.0s
=> CACHED [linux/amd64 2/2] RUN echo 'hello' > world 0.0s
from foo
RUN echo 'cruel' >> world
WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
[+] Building 0.3s (4/4) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 73B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CANCELED [linux/arm64 internal] load metadata for <http://docker.io/library/foo:latest|docker.io/library/foo:latest> 0.3s
=> ERROR [linux/amd64 internal] load metadata for <http://docker.io/library/foo:latest|docker.io/library/foo:latest> 0.3s
------
> [linux/amd64 internal] load metadata for <http://docker.io/library/foo:latest|docker.io/library/foo:latest>:
------
Dockerfile:1
--------------------
1 | >>> from foo
2 |
3 | RUN echo 'cruel' >> world
--------------------
error: failed to solve: foo: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failedcat foo/Dockerfile; echo '----'; cat bar/Dockerfile
from busybox
RUN echo 'hello' > world
----
from foo
RUN echo 'cruel' >> worldFor comparison:
(cd foo; cat Dockerfile; docker build -t foo .); (cd bar; cat Dockerfile; docker build -t bar .)
from busybox
RUN echo 'hello' > world
Sending build context to Docker daemon 2.048kB
Step 1/2 : from busybox
---> 3c277069c6ae
Step 2/2 : RUN echo 'hello' > world
---> Using cache
---> 68edd097ffa9
Successfully built 68edd097ffa9
Successfully tagged foo:latest
from foo
RUN echo 'cruel' >> world
Sending build context to Docker daemon 2.048kB
Step 1/2 : from foo
---> 68edd097ffa9
Step 2/2 : RUN echo 'cruel' >> world
---> Running in c282b4b1c190
Removing intermediate container c282b4b1c190
---> 65f0f7d6e0b9
Successfully built 65f0f7d6e0b9
Successfully tagged bar:latestI can "fix" this by not using
-t foo-t bar-t real.registry/path/foo-t real.registry/path/barfrom foobar/Dockerfilefrom real.registry/path/foof
fast-garage-66093
06/29/2022, 9:22 PMYeah, it is a limitation of the exporter:
$ docker buildx build --platform linux/arm64,linux/amd64 -t foo . --load
[+] Building 0.0s (0/0)
error: docker exporter does not currently support exporting manifest listsq
quick-keyboard-83126
06/29/2022, 9:22 PMYeah, I know, I ran that 🙂
It is not a remotely helpful message.
f
fast-garage-66093
06/29/2022, 9:25 PMLooks like local registry is the only option; it is a limitation of moby: Building images for multi-arch with --load parameter fails · Issue #59 · docker/buildx
q
quick-keyboard-83126
06/29/2022, 9:26 PMlocal registry = feature request to rancher-desktop to "magic make it work" 🙂
I guess I can file an RFE for it.
f
fast-garage-66093
06/29/2022, 9:26 PMSure, please do, but I don't understand why you can't use the local registry on
localhostIf you don't want to configure it as "insecure"
$ docker run -d -p 5001:5000 --restart=always --name registry registry:2
Unable to find image 'registry:2' locally
2: Pulling from library/registry
2408cc74d12b: Pull complete
ea60b727a1ce: Pull complete
c87369050336: Pull complete
e69d20d3dd20: Pull complete
fc30d7061437: Pull complete
Digest: sha256:bedef0f1d248508fe0a16d2cacea1d2e68e899b2220e2258f1b604e1f327d475
Status: Downloaded newer image for registry:2
cda0f8aad69d1a53870bb9f285e3c4a10765e96c233ba277f45f3111ed3de405
$ docker tag registry:2 localhost:5001/registry:2
$ docker push localhost:5001/registry:2
The push refers to repository [localhost:5001/registry]
a1d94f4a4c89: Pushed
1d80677cd085: Pushed
58548fced558: Pushed
79f02b258438: Pushed
24302eb7d908: Pushed
2: digest: sha256:affdb68e24c93262ee98a5bdc371e8f631568e9b4401375e7a0ecc705ac526b2 size: 1363q
quick-keyboard-83126
06/29/2022, 9:30 PMBecause it didn't work? 🙂
(cd foo; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t 127.0.0.1:5001/foo .); (cd bar; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t bar .); curl -v 127.0.0.1:5001/foo:latest
from busybox
RUN echo 'hello' > world
WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
[+] Building 0.1s (8/8) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 76B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [linux/amd64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.1s
=> [linux/arm64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.1s
=> [linux/amd64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> [linux/arm64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> CACHED [linux/arm64 2/2] RUN echo 'hello' > world 0.0s
=> CACHED [linux/amd64 2/2] RUN echo 'hello' > world 0.0s
from 127.0.0.1:5001/foo
RUN echo 'cruel' >> world
WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
[+] Building 0.0s (4/4) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 88B 0.0s
=> ERROR [linux/amd64 internal] load metadata for 127.0.0.1:5001/foo:latest 0.0s
=> CANCELED [linux/arm64 internal] load metadata for 127.0.0.1:5001/foo:latest 0.0s
------
> [linux/amd64 internal] load metadata for 127.0.0.1:5001/foo:latest:
------
Dockerfile:1
--------------------
1 | >>> from 127.0.0.1:5001/foo
2 |
3 | RUN echo 'cruel' >> world
--------------------
error: failed to solve: 127.0.0.1:5001/foo: failed to do request: Head "<http://127.0.0.1:5001/v2/foo/manifests/latest>": dial tcp 127.0.0.1:5001: connect: connection refused
* Trying 127.0.0.1:5001...
* Connected to 127.0.0.1 (127.0.0.1) port 5001 (#0)
> GET /foo:latest HTTP/1.1
> Host: 127.0.0.1:5001
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Wed, 29 Jun 2022 21:29:36 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host 127.0.0.1 left intactI think for it to work, the registry would have to run in lima and not on my mac
f
fast-garage-66093
06/29/2022, 9:31 PMNot sure what you mean, it does run in lima; how would it run on your mac?
Let me try your example; I didn't see you push the foo image to the registry though (use
--push--loadq
quick-keyboard-83126
06/29/2022, 9:33 PM(cd foo; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t 127.0.0.1:5001/foo . --push); (cd bar; cat Dockerfile; docker buildx build --platform linux/arm64,linux/amd64 -t bar .); curl -v 127.0.0.1:5001/foo:latest
from busybox
RUN echo 'hello' > world
[+] Building 0.3s (9/9) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 76B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [linux/amd64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.2s
=> [linux/arm64 internal] load metadata for <http://docker.io/library/busybox:latest|docker.io/library/busybox:latest> 0.2s
=> [linux/amd64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> [linux/arm64 1/2] FROM <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> => resolve <http://docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83|docker.io/library/busybox@sha256:3614ca5eacf0a3a1bcc361c939202a974b4902b9334ff36eb29ffe9011aaad83> 0.0s
=> CACHED [linux/amd64 2/2] RUN echo 'hello' > world 0.0s
=> CACHED [linux/arm64 2/2] RUN echo 'hello' > world 0.0s
=> ERROR exporting to image 0.0s
=> => exporting layers 0.0s
=> => exporting manifest sha256:0d067956ce52bc021a48a4ccd287c3829f4b0eca79a5fa419a35f82d634e25e0 0.0s
=> => exporting config sha256:cec764602494d167dbf293bccaf36a0880332bf4037ed31ad81fed0505f6ecb3 0.0s
=> => exporting manifest sha256:8cc4b99868c5c81d709fe248d69f899ba04267d340f13424bcc10e8704857770 0.0s
=> => exporting config sha256:3efad4c0fdf3cf85b6ef37fea7eb9092a5ba9ad72e0bb2ff55eb9f33534527d9 0.0s
=> => exporting manifest list sha256:29131e9a7b5a8cbe1a5e93e8427332a2ade54eea915d97fbb3dfeb445102e866 0.0s
=> => pushing layers 0.0s
------
> exporting to image:
------
error: failed to solve: failed to do request: Head "<http://127.0.0.1:5001/v2/foo/blobs/sha256:cec764602494d167dbf293bccaf36a0880332bf4037ed31ad81fed0505f6ecb3>": dial tcp 127.0.0.1:5001: connect: connection refused
from 127.0.0.1:5001/foo
RUN echo 'cruel' >> world
WARNING: No output specified for docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
[+] Building 0.0s (4/4) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 88B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> ERROR [linux/amd64 internal] load metadata for 127.0.0.1:5001/foo:latest 0.0s
=> CANCELED [linux/arm64 internal] load metadata for 127.0.0.1:5001/foo:latest 0.0s
------
> [linux/amd64 internal] load metadata for 127.0.0.1:5001/foo:latest:
------
Dockerfile:1
--------------------
1 | >>> from 127.0.0.1:5001/foo
2 |
3 | RUN echo 'cruel' >> world
--------------------
error: failed to solve: 127.0.0.1:5001/foo: failed to do request: Head "<http://127.0.0.1:5001/v2/foo/manifests/latest>": dial tcp 127.0.0.1:5001: connect: connection refused
* Trying 127.0.0.1:5001...
* Connected to 127.0.0.1 (127.0.0.1) port 5001 (#0)
> GET /foo:latest HTTP/1.1
> Host: 127.0.0.1:5001
> User-Agent: curl/7.79.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
< Date: Wed, 29 Jun 2022 21:32:47 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host 127.0.0.1 left intactFwiw, here's the command I used "on my mac" to start the registry:
% docker run -d -p 5001:5000 --restart=always --name registry registry:2
da7c130ba1956c9c191c8d5957459b19d34cdc33900377381cbb7208222f4c63f
fast-garage-66093
06/29/2022, 9:34 PMYeah, it doesn't work because buildkit runs inside a container, so
localhost💡 1
q
quick-keyboard-83126
06/29/2022, 9:34 PMAnyway, I can't otherwise explain why it wouldn't work, you're right they're all running in lima
Of course.
Alright, lemme see if I can write this up
Am I right that if I was on Linux and didn't have rancher-desktop or docker-desktop, this series of commands would "magically work"?
Or does this never work w/o a registry?
f
fast-garage-66093
06/29/2022, 9:38 PMI think it would never work without a registry because you cannot load "foreign" images into Moby; it will always only load the layers that match the current arch
q
quick-keyboard-83126
06/29/2022, 9:39 PMHmm. So, basically people never do this?
It seems strange to me that there couldn't be two "native" image sets, one for "host native" and one for "other platform -- which from its own perspective was its own native"
(roughly running a
mobylinux/amd64build... --platform linux/amd64mobylinux/arm64build... -platform linux/arm64f
fast-garage-66093
06/29/2022, 9:42 PMWell, it isn't implemented in buildkit afaict
q
quick-keyboard-83126
06/29/2022, 9:42 PMCertainly willing to believe that 🙂
I'm pretty sure I don't want to know what buildkit is doing instead...
f
fast-garage-66093
06/29/2022, 9:42 PMSo either defining an insecure registry, or adding certs to your registry seem to be the only ways forward
q
quick-keyboard-83126
06/29/2022, 9:43 PM"file a bug asking for rancher-desktop to do it for me" seems like a very good way forward for me 🙂
f
fast-garage-66093
06/29/2022, 9:43 PMBTW, I find FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like. useful for quickly generating the certs and adding them to your registry
q
quick-keyboard-83126
06/29/2022, 9:44 PMI'm fully capable of making certs. But there are way too many steps for me to ask a bunch of my coworkers to do. Especially for something they should need to deal w/ once every 9-30 months.
And they're way too intricate afaict, since some of them involve jumping into lima and restarting things
(or worse, not lima, in case we ever run rancher-desktop on Windows, which we may)
f
fast-garage-66093
06/29/2022, 9:45 PMOh, I thought this was just for yourself
q
quick-keyboard-83126
06/29/2022, 9:45 PMNo, I represent a dozen folks 🙂
f
fast-garage-66093
06/29/2022, 9:46 PMSure, please file an issue. Adding a registry is one thing though, but then adding a UI on top is something else...
q
quick-keyboard-83126
06/29/2022, 9:46 PMI've already built the image we actually care about (or rather dragged someone else through doing it, using our live remote https repository)
I'm happy to design the UI. I'm half doing that for a number of public products 🙂
Heck, at times I might even make the UI code, although I do try to avoid it 🙂
f
fast-garage-66093
06/29/2022, 9:47 PMThere is SUSE/Portus: Authorization service and frontend for Docker registry (v2) but it seems to be dead
😢 1
So, create the Github issue, and get other people to "upvote" it (not just your coworkers 🙂)
q
quick-keyboard-83126
06/29/2022, 9:52 PMYeah, we don't have the energy to cheat like that 🙂
f
fast-garage-66093
06/29/2022, 9:54 PMI think a registry will also be useful if you are using a multi-node cluster because you can no longer build the images on the node; the image must be loadable from multiple nodes.
Of course RD doesn't support multi-node clusters directly (yet?), but you can get them with
k3dq
quick-keyboard-83126
06/29/2022, 9:55 PMI'll leave that to you to write. I've used
k3df
fast-garage-66093
06/29/2022, 9:55 PMNo, just write up your own use case; this was just brainstorming
Another thing I've been thinking about before: if we do add registry support, I would like it to store the images on the host, and not inside the VM, so I can recreate the VM without losing the images. Not sure if that is important or not; may be more something to think about for air-gapped installations
👍 1
(don't add that to your issue either; still brainstorming)
q
quick-keyboard-83126
06/29/2022, 9:58 PMThat's just a matter of the docker run thing giving a volume for storage to the registry, no?
f
fast-garage-66093
06/29/2022, 9:59 PMNot really, as all the volumes are still stored inside the VM
This may be another underdeveloped area of Rancher Desktop 🙂
q
quick-keyboard-83126
06/29/2022, 10:00 PMIf rancher-desktop does a docker run, it doesn't map a volume into the vm?
f
fast-garage-66093
06/29/2022, 10:01 PMNo volumes are still blobs of data inside the VM, or are you talking about volume mounts (bind mounts), which are indeed bound from the host
But volumes are also a docker concept to store data, and those have typically much better performance than bind-mounts from the host
So "docker volumes" are stored under
/var/lib/docker/volumes/q
quick-keyboard-83126
06/29/2022, 10:07 PMAh, sorry, I clearly meant
volume mountsI guess I do know that volumes technically exist as things, but, we're a kubernetes house, so I don't care that docker technically supports such things most of the time 🙂
f
fast-garage-66093
06/29/2022, 10:08 PMOk, yeah, they live on the host, but have pretty poor performance
q
quick-keyboard-83126
06/29/2022, 10:08 PMYeah, I'm pretty sure I don't care about perf for this
I'd assume most of the time is spent building images as opposed to the final store or the initial load
But, if someone wants to figure out a way to optimize that problem, they're welcome to 🙂.
f
fast-garage-66093
06/29/2022, 10:09 PMWell, we'll still need to deal with the size of the registry data, and ways of pruning it etc. Nothing is ever easy.
q
quick-keyboard-83126
06/29/2022, 10:10 PMSure, but isn't that roughly equivalent to the problem exposed by the
imagesf
fast-garage-66093
06/29/2022, 10:10 PMPeople already complain that the VM volume grows to 100GB because they are running on Laptops with puny disks
q
quick-keyboard-83126
06/29/2022, 10:10 PMSee me adding tasks to https://rancher-users.slack.com/archives/C0200L1N1MM/p1656537831543789
Yeah, I tried to get a 4TB recently
Instead, I have a 1TB mbp
and it's 3/4 full 🙂
f
fast-garage-66093
06/29/2022, 10:11 PMThe images are stored inside the VM, so are also bound by the 100GB max. You will run out of memory, and then have to clean them. But you can also use
docker pruneI think Guna has already added your tasks to the epic
q
quick-keyboard-83126
06/29/2022, 10:12 PMYeah, probably. Basically, I'm saying I'm aware that there needs to be a related UI to surface this stuff, especially for pruning 🙂
f
fast-garage-66093
06/29/2022, 10:12 PMAnyways, my point is that pruning a registry is harder than pruning the images in the runtime because there is no simple CLI for it
q
quick-keyboard-83126
06/29/2022, 10:13 PMboggles
f
fast-garage-66093
06/29/2022, 10:13 PMAdding the registry and making it accessible is the easy part...
q
quick-keyboard-83126
06/29/2022, 10:13 PMok, I think I'm missing a lot here. ELI5.
Can a registry not be treated as a flat set of images just like the images view?
f
fast-garage-66093
06/29/2022, 10:15 PMYeah, but images consists of manifests, digests, layers, etc, which are separate "blobs". You don't have one file per image
q
quick-keyboard-83126
06/29/2022, 10:16 PMRight
f
fast-garage-66093
06/29/2022, 10:16 PMSo if your images share layers, there is only a single copy of that layer in the registry
q
quick-keyboard-83126
06/29/2022, 10:16 PMBut is the rest just a matter of having a garbage collector?
or rather, don't you have the same problem w/ the
imagesf
fast-garage-66093
06/29/2022, 10:16 PMYes
q
quick-keyboard-83126
06/29/2022, 10:16 PMdon't images share layers?
f
fast-garage-66093
06/29/2022, 10:17 PMYes, but you can do this:
$ docker system prune
WARNING! This will remove:
- all stopped containers
- all networks not used by at least one container
- all dangling images
- all dangling build cache
Are you sure you want to continue? [y/N] ^CAnd you can list the images, and delete the ones you no longer need.
q
quick-keyboard-83126
06/29/2022, 10:19 PMAh. Well, a button in the registry page that says
prune dangling imagesf
fast-garage-66093
06/29/2022, 10:19 PMYou need 3rd-party tools like
regq
quick-keyboard-83126
06/29/2022, 10:19 PMI guess I'm missing a detail
I can publish an untagged sha to a registry
so it's really only garbage when i actively delete the sha (having already deleted all the tags) and when no other images use its layers.
but it still feels like one could garbage collect any time someone performs a delete operation.
f
fast-garage-66093
06/29/2022, 10:21 PMYeah, I don't know; nowadays you can store other things besides images in registries too (like helm charts), so I don't know how it works
q
quick-keyboard-83126
06/29/2022, 10:21 PM(and a narrow gc at that, since you're only looking to see if the thing you deleted is the last reference for an object)
we run
nexus(and we have gcr.io, and technically the google replacement for it...)
(Artifact Registry)
*.pkg.dev
f
fast-garage-66093
06/29/2022, 10:23 PMok, this is ballooning out of scope now; maybe running a registry inside the VM, and destroy all the data when you destroy the VM is the way to start
q
quick-keyboard-83126
06/29/2022, 10:24 PMf
fast-garage-66093
06/29/2022, 10:24 PMConceptually it would be just an image cache for local images
We could still use it as an insecure registry on
192.168.5.15q
quick-keyboard-83126
06/29/2022, 10:27 PMOk -- I'll leave fixing the issue to you. It was too many things to keep in my head 🙂
f
fast-garage-66093
06/29/2022, 10:27 PMok, thanks for creating the issue; we'll continue this at a later time 🙂
✅ 1
q
quick-keyboard-83126
06/30/2022, 12:02 AMlooks like https://github.com/docker/buildx/issues/777#issuecomment-928000274 has info on how to set up insecure registry w/ the buildx builder...
cat > buildkit-config.toml <<EOF
# Custom registry.
[registry."192.168.0.2:5050"]
http = true
insecure = true
EOF
docker buildx create --use --config buildkit-config.toml