This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Este contenido no está disponible en el idioma seleccionado.
Chapter 12. Managing Images
12.1. Overview
An image stream comprises any number of container images identified by tags. It presents a single virtual view of related images, similar to a Docker image repository.
By watching an image stream, builds and deployments can receive notifications when new images are added or modified and react by performing a build or deployment, respectively.
There are many ways you can interact with images and set up image streams, depending on where the images' registries are located, any authentication requirements around those registries, and how you want your builds and deployments to behave. The following sections cover a range of these topics.
12.2. Tagging Images
Before working with OpenShift Container Platform image streams and their tags, it helps to first understand image tags in the context of container images generally.
Container images can have names added to them that make it more intuitive to determine what they contain, called a tag. Using a tag to specify the version of what is contained in the image is a common use case. If you have an image named ruby, you could have a tag named 2.0 for 2.0 version of Ruby, and another named latest to indicate literally the latest built image in that repository overall.
				When interacting directly with images using the docker CLI, the docker tag command can add tags, which essentially adds an alias to an image that can consist of several parts. Those parts can include:
			
<registry_server>/<user_name>/<image_name>:<tag>
<registry_server>/<user_name>/<image_name>:<tag>
				The <user_name> part in the above could also refer to a project or namespace if the image is being stored in an OpenShift Container Platform environment with an internal registry (the OpenShift Container Registry).
			
				OpenShift Container Platform provides the oc tag command, which is similar to the docker tag command, but operates on image streams instead of directly on images.
			
					See Red Hat Enterprise Linux 7’s Getting Started with Containers documentation for more about tagging images directly using the docker CLI.
				
12.2.1. Adding Tags to Image Streams
					Keeping in mind that an image stream in OpenShift Container Platform comprises zero or more container images identified by tags, you can add tags to an image stream using the oc tag command:
				
oc tag <source> <destination>
$ oc tag <source> <destination>For example, to configure the ruby imagestream’s static-2.0 tag to always refer to the current image for the ruby imagestream’s 2.0 tag:
oc tag ruby:2.0 ruby:static-2.0
$ oc tag ruby:2.0 ruby:static-2.0
					This creates a new imagestream tag named static-2.0 in the ruby imagestream. The new tag directly references the image id that the ruby:2.0 imagestream tag pointed to at the time oc tag was run, and the image it points to never changes.
				
					This creates a new imagestream tag named static-2.0 in the ruby imagestream. The new tag references the image id that the ruby:2.0 imagestream tag pointed to at the time oc tag was run, and the image it points to never changes.
				
There are different types of tags available. The default behavior uses a permanent tag, which points to a specific image in time; even when the source changes, the new (destination) tag does not change.
					A tracking tag means the destination tag’s metadata is updated during the import of the source tag. To ensure the destination tag is updated whenever the source tag changes, use the --alias=true flag:
				
oc tag --alias=true <source> <destination>
$ oc tag --alias=true <source> <destination>
					You can also add the --scheduled=true flag to have the destination tag be refreshed (i.e., re-imported) periodically. The period is configured globally at the system level. See Importing Tag and Image Metadata for more details.
				
					If you want to instruct Docker to always fetch the tagged image from the integrated registry, use --reference-policy=local. The registry uses the pull-through feature pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply --insecure-registry to the Docker daemon as long as the image stream has an insecure annotation or the tag has an insecure import policy.
				
12.2.2. Recommended Tagging Conventions
Images evolve over time and their tags reflect this. An image tag always points to the latest image built.
					If there is too much information embedded in a tag name (for example, v2.0.1-may-2016), the tag points to just one revision of an image and is never be updated. Using default image pruning options, such an image is never be removed. In very large clusters, the schema of creating new tags for every revised image could eventually fill up the etcd datastore with excess tag metadata for images that are long outdated.
				
					Instead, if the tag is named v2.0, more image revisions are more likely. This results in longer tag history and, therefore, the image pruner is more likely remove to old and unused images. Refer to Pruning Images for more information.
				
					Although tag naming convention is up to you, here are a few examples in the format <image_name>:<image_tag>:
				
| Description | Example | 
|---|---|
| Revision | 
									 | 
| Architecture | 
									 | 
| Base image | 
									 | 
| Latest (potentially unstable) | 
									 | 
| Latest stable | 
									 | 
					If you require dates in tag names, periodically inspect old and unsupported images and istags and remove them. Otherwise, you might experience increasing resource usage caused by old images.
				
12.2.3. Removing Tags from Image Streams
To remove a tag completely from an image stream run:
oc delete istag/ruby:latest
$ oc delete istag/ruby:latestor:
oc tag -d ruby:latest
$ oc tag -d ruby:latest12.2.4. Referencing Images in Image Streams
Images can be referenced in image streams using the following reference types:
- An - ImageStreamTagis used to reference or retrieve an image for a given image stream and tag. It uses the following convention for its name:- <image_stream_name>:<tag> - <image_stream_name>:<tag>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- An - ImageStreamImageis used to reference or retrieve an image for a given image stream and image name. It uses the following convention for its name:- <image_stream_name>@<id> - <image_stream_name>@<id>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - <id>is an immutable identifier for a specific image, also called a digest.
- A - DockerImageis used to reference or retrieve an image for a given external registry. It uses standard Docker pull specification for its name, e.g.:- openshift/ruby-20-centos7:2.0 - openshift/ruby-20-centos7:2.0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- When no tag is specified, it is assumed the latest tag is used. - You can also reference a third-party registry: - registry.access.redhat.com/rhel7:latest - registry.access.redhat.com/rhel7:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Or an image with a digest: - centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e - centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
					When viewing example image stream definitions, such as the example CentOS image streams, you may notice they contain definitions of ImageStreamTag and references to DockerImage, but nothing related to ImageStreamImage.
				
					This is because the ImageStreamImage objects are automatically created in OpenShift Container Platform whenever you import or tag an image into the image stream. You should never have to explicitly define an ImageStreamImage object in any image stream definition that you use to create image streams.
				
					You can view an image’s object definition by retrieving an ImageStreamImage definition using the image stream name and ID:
				
oc export isimage <image_stream_name>@<id>
$ oc export isimage <image_stream_name>@<id>
						You can find valid <id> values for a given image stream by running:
					
oc describe is <image_stream_name>
$ oc describe is <image_stream_name>
					For example, from the ruby image stream asking for the ImageStreamImage with the name and ID of ruby@3a335d7:
				
Example 12.1. Definition of an Image Object Retrieved via ImageStreamImage
12.3. Image Pull Policy
Each container in a pod has a container image. Once you have created an image and pushed it to a registry, you can then refer to it in the pod.
				When OpenShift Container Platform creates containers, it uses the container’s imagePullPolicy to determine if the image should be pulled prior to starting the container. There are three possible values for imagePullPolicy:
			
- 
						Always- always pull the image.
- 
						IfNotPresent- only pull the image if it does not already exist on the node.
- 
						Never- never pull the image.
				If a container’s imagePullPolicy parameter is not specified, OpenShift Container Platform sets it based on the image’s tag:
			
- 
						If the tag is latest, OpenShift Container Platform defaults imagePullPolicytoAlways.
- 
						Otherwise, OpenShift Container Platform defaults imagePullPolicytoIfNotPresent.
12.4. Accessing the Internal Registry
				You can access OpenShift Container Platform’s internal registry directly to push or pull images. For example, this could be helpful if you wanted to create an image stream by manually pushing an image, or just to docker pull an image directly.
			
				The internal registry authenticates using the same tokens as the OpenShift Container Platform API. To perform a docker login against the internal registry, you can choose any user name and email, but the password must be a valid OpenShift Container Platform token.
			
To log into the internal registry:
- Log in to OpenShift Container Platform: - oc login - $ oc login- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get your access token: - oc whoami -t - $ oc whoami -t- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Log in to the internal registry using the token. You must have docker installed on your system: - docker login -u <user_name> -e <email_address> \ -p <token_value> <registry_server>:<port>- $ docker login -u <user_name> -e <email_address> \ -p <token_value> <registry_server>:<port>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Contact your cluster administrator if you do not know the registry IP or host name and port to use. 
				In order to pull an image, the authenticated user must have get rights on the requested imagestreams/layers. In order to push an image, the authenticated user must have update rights on the requested imagestreams/layers.
			
By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in the same project.
12.5. Using Image Pull Secrets
Docker registries can be secured to prevent unauthorized parties from accessing certain images. If you are using OpenShift Container Platform’s internal registry and are pulling from image streams located in the same project, then your pod’s service account should already have the correct permissions and no additional action should be required.
However, for other scenarios, such as referencing images across OpenShift Container Platform projects or from secured registries, then additional configuration steps are required. The following sections detail these scenarios and their required steps.
12.5.1. Allowing Pods to Reference Images Across Projects
					When using the internal registry, to allow pods in project-a to reference images in project-b, a service account in project-a must be bound to the system:image-puller role in project-b:
				
oc policy add-role-to-user \
    system:image-puller system:serviceaccount:project-a:default \
    --namespace=project-b
$ oc policy add-role-to-user \
    system:image-puller system:serviceaccount:project-a:default \
    --namespace=project-bAfter adding that role, the pods in project-a that reference the default service account is able to pull images from project-b.
To allow access for any service account in project-a, use the group:
oc policy add-role-to-group \
    system:image-puller system:serviceaccounts:project-a \
    --namespace=project-b
$ oc policy add-role-to-group \
    system:image-puller system:serviceaccounts:project-a \
    --namespace=project-b12.5.2. Allowing Pods to Reference Images from Other Secured Registries
The .dockercfg file (or $HOME/.docker/config.json for newer Docker clients) is a Docker credentials file that stores your information if you have previously logged into a secured or insecure registry.
To pull a secured container image that is not from OpenShift Container Platform’s internal registry, you must create a pull secret from your Docker credentials and add it to your service account.
If you already have a .dockercfg file for the secured registry, you can create a secret from that file by running:
oc secrets new <pull_secret_name> .dockercfg=<path/to/.dockercfg>
$ oc secrets new <pull_secret_name> .dockercfg=<path/to/.dockercfg>Or if you have a $HOME/.docker/config.json file:
oc secrets new <pull_secret_name> .dockerconfigjson=<path/to/.docker/config.json>
$ oc secrets new <pull_secret_name> .dockerconfigjson=<path/to/.docker/config.json>If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:
oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>
$ oc secrets new-dockercfg <pull_secret_name> \
    --docker-server=<registry_server> --docker-username=<user_name> \
    --docker-password=<password> --docker-email=<email>To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses; default is the default service account:
oc secrets link default <pull_secret_name> --for=pull
$ oc secrets link default <pull_secret_name> --for=pullTo use a secret for pushing and pulling build images, the secret must be mountable inside of a pod. You can do this by running:
oc secrets link builder <pull_secret_name>
$ oc secrets link builder <pull_secret_name>12.6. Importing Tag and Image Metadata
An image stream can be configured to import tag and image metadata from an image repository in an external Docker image registry. You can do this using a few different methods.
- You can manually import tag and image information with the - oc import-imagecommand using the- --fromoption:- oc import-image <image_stream_name>[:<tag>] --from=<docker_image_repo> --confirm - $ oc import-image <image_stream_name>[:<tag>] --from=<docker_image_repo> --confirm- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can also add the - --allflag to import all tags for the image instead of just latest.
- Like most objects in OpenShift Container Platform, you can also write and save a JSON or YAML definition to a file then create the object using the CLI. Set the - spec.dockerImageRepositoryfield to the Docker pull spec for the image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Then create the object: - oc create -f <file> - $ oc create -f <file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
When you create an image stream that references an image in an external Docker registry, OpenShift Container Platform communicates with the external registry within a short amount of time to get up to date information about the image.
After the tag and image metadata is synchronized, the image stream object would look similar to the following:
				You can set a tag to query external registries at a scheduled interval to synchronize tag and image metadata by setting the --scheduled=true flag with the oc tag command as mentioned in Adding Tags to Image Streams.
			
				Alternatively, you can set importPolicy.scheduled to true in the tag’s definition:
			
12.6.1. Importing Images from Insecure Registries
An image stream can be configured to import tag and image metadata from insecure image registries, such as those signed with a self-signed certificate or using plain HTTP instead of HTTPS.
					To configure this, add the openshift.io/image.insecureRepository annotation and set it to true. This setting bypasses certificate validation when connecting to the registry:
				
- 1
- Set theopenshift.io/image.insecureRepositoryannotation to true
						The above definition only affects importing tag and image metadata. For this image to be used in the cluster (e.g., to be able to do a docker pull), each node must have Docker configured with the --insecure-registry flag. See Host Preparation for information.
					
					Additionally, you can specify a single tag using an insecure repository. To do so, set importPolicy.insecure in the tag’s definition to true:
				
- 1
- Set tag mytag to use insecure connection to that registry.
12.6.2. Importing Images from Private Registries
An image stream can be configured to import tag and image metadata from private image registries, requiring authentication.
To configure this, you need to create a secret which is used to store your credentials.
Create the secret first, before importing the image from the private repository:
oc secrets new-dockercfg <secret_name> \
    --docker-server=<docker_registry_server> \
    --docker-username=<docker_user> \
    --docker-password=<docker_password> \
    --docker-email=<docker_email>
$ oc secrets new-dockercfg <secret_name> \
    --docker-server=<docker_registry_server> \
    --docker-username=<docker_user> \
    --docker-password=<docker_password> \
    --docker-email=<docker_email>For more options, see:
oc secrets new-dockercfg --help
$ oc secrets new-dockercfg --help
					After the secret is configured, proceed with creating the new image stream or using the oc import-image command. During the import process, OpenShift Container Platform picks up the secrets and provide them to the remote party.
				
						When importing from an insecure registry, the registry URL defined in the secret must include the :80 port suffix or the secret is not used when attempting to import from the registry.
					
12.6.3. Adding Trusted Certificates for External Registries
If the registry you are importing from is using a certificate that is not signed by a standard certificate authority, you need to explicitly configure the system to trust the registry’s certificate or signing authority. This can be done by adding the CA certificate or registry certificate to the host system running the registry import controller (typically the master node).
					The certificate or CA certificate must be added to /etc/pki/tls/certs or /etc/pki/ca-trust, respectively, on the host system. The update-ca-trust command also needs to be run on Red Hat distributions followed by a restart of the master service to pick up the certificate changes.
				
12.6.4. Importing Images Across Projects
					An image stream can be configured to import tag and image metadata from the internal registry, but from a different project. The recommended method for this is to use the oc tag command as shown in Adding Tags to Image Streams:
				
oc tag <source_project>/<image_stream>:<tag> <new_image_stream>:<new_tag>
$ oc tag <source_project>/<image_stream>:<tag> <new_image_stream>:<new_tag>Another method is to import the image from the other project manually using the pull spec:
						The following method is strongly discouraged and should be used only if the former using oc tag is insufficient.
					
- First, add the necessary policy to access the other project: - oc policy add-role-to-group \ system:image-puller \ system:serviceaccounts:<destination_project> \ -n <source_project>- $ oc policy add-role-to-group \ system:image-puller \ system:serviceaccounts:<destination_project> \ -n <source_project>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This allows - <destination_project>to pull images from- <source_project>.
- With the policy in place, you can import the image manually: - oc import-image <new_image_stream> --confirm \ --from=<docker_registry>/<source_project>/<image_stream>- $ oc import-image <new_image_stream> --confirm \ --from=<docker_registry>/<source_project>/<image_stream>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
12.6.5. Creating an Image Stream by Manually Pushing an Image
An image stream can also be automatically created by manually pushing an image to the internal registry. This is only possible when using an OpenShift Container Platform internal registry.
Before performing this procedure, the following must be satisfied:
- The destination project you push to must already exist.
- 
							The user must be authorized to {get, update} "imagestream/layers"in that project. The system:image-pusher role can be added to a user to provide these permissions. If you are a project administrator, then you would also have these permissions.
To create an image stream by manually pushing an image:
- First, log in to the internal registry.
- Then, tag your image using the appropriate internal registry location. For example, if you had already pulled the docker.io/centos:centos7 image locally: - docker tag docker.io/centos:centos7 172.30.48.125:5000/test/my-image - $ docker tag docker.io/centos:centos7 172.30.48.125:5000/test/my-image- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Finally, push the image to your internal registry. For example: - docker push 172.30.48.125:5000/test/my-image - $ docker push 172.30.48.125:5000/test/my-image The push refers to a repository [172.30.48.125:5000/test/my-image] (len: 1) c8a648134623: Pushed 2bf4902415e3: Pushed latest: digest: sha256:be8bc4068b2f60cf274fc216e4caba6aa845fff5fa29139e6e7497bb57e48d67 size: 6273- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the image stream was created: - oc get is - $ oc get is NAME DOCKER REPO TAGS UPDATED my-image 172.30.48.125:5000/test/my-image latest 3 seconds ago- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
12.7. Writing Image Stream Definitions
				You can define image streams by writing the image stream definition for the entire image stream. This allows you to distribute the definition to different clusters without running oc commands.
			
An image stream definition specifies information about the image stream and the specific tags to be imported.
Definition of an Image Stream Object
- 1
- A brief, user-friendly name for the whole image stream.
- 2
- The tag is referred to as the version. Tags appear in a drop-down menu.
- 3
- A user-friendly name for this tag within the image stream. This should be brief and include version information when appropriate.
- 4
- A description of the tag, which includes enough detail for users to understand what the image is providing. It can include links to additional instructions. Limit the description to a few sentences.
- 5
- The icon to show for this tag. Pick from our existing logo icons when possible. Icons from FontAwesome and Patternfly can also be used. Alternatively, provide icons through CSS customizations that can be added to an OpenShift Container Platform cluster that uses your image stream. You must specify an icon class that exists, or it prevents falling back to the generic icon.
- 6
- A URL to a source repository that works with this builder image tag and results in a sample running application.
- 7
- Categories that the image stream tag is associated with. The builder tag is required for it to show up in the catalog. Add tags that associates it with one of the provided catalog categories. Refer to theidandcategoryAliasesinCATALOG_CATEGORIESin the console’s constants file. The categories can also be customized for the whole cluster.
- 8
- Languages this image supports. This value is used duringoc new-appinvocations to try to match potential builder images to the provided source repository.
- Version information for this tag.
- 9
- The type of object this image stream tag is referencing. Valid values are:DockerImage,ImageStreamTag, andImageStreamImage.
- 10
- The object this image stream tag imports.