Este contenido no está disponible en el idioma seleccionado.

Chapter 5. Managing images


5.1. Managing images overview

With Red Hat OpenShift Service on AWS you can interact with images and set up image streams, depending on where the registries of the images are located, any authentication requirements around those registries, and how you want your builds and deployments to behave.

5.1.1. Images overview

An image stream comprises any number of container images identified by tags. It presents a single virtual view of related images, similar to a container image repository.

By watching an image stream, builds and deployments can receive notifications when new images are added or modified and react by performing a build or deployment, respectively.

5.2. Tagging images

The following sections provide an overview and instructions for using image tags in the context of container images for working with Red Hat OpenShift Service on AWS image streams and their tags.

5.2.1. Image tags

An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an image stream. Typically, the tag represents a version number of some sort. For example, here :v3.11.59-2 is the tag:

registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2

You can add additional tags to an image. For example, an image might be assigned the tags :v3.11.59-2 and :latest.

Red Hat OpenShift Service on AWS provides the oc tag command, which is similar to the docker tag command, but operates on image streams instead of directly on images.

5.2.2. Image tag conventions

Images evolve over time and their tags reflect this. Generally, an image tag always points to the latest image built.

If there is too much information embedded in a tag name, like v2.0.1-may-2019, the tag points to just one revision of an image and is never updated. Using default image pruning options, such an image is never removed.

If the tag is named v2.0, image revisions are more likely. This results in longer tag history and, therefore, the image pruner is more likely to remove old and unused images.

Although tag naming convention is up to you, here are a few examples in the format <image_name>:<image_tag>:

Table 5.1. Image tag naming conventions
DescriptionExample

Revision

myimage:v2.0.1

Architecture

myimage:v2.0-x86_64

Base image

myimage:v1.2-centos7

Latest (potentially unstable)

myimage:latest

Latest stable

myimage:stable

If you require dates in tag names, periodically inspect old and unsupported images and istags and remove them. Otherwise, you can experience increasing resource usage caused by retaining old images.

5.2.3. Adding tags to image streams

An image stream in Red Hat OpenShift Service on AWS comprises zero or more container images identified by tags.

There are different types of tags available. The default behavior uses a permanent tag, which points to a specific image in time. If the permanent tag is in use and the source changes, the tag does not change for the destination.

A tracking tag means the destination tag’s metadata is updated during the import of the source tag.

Procedure

  • You can add tags to an image stream using the oc tag command:

    $ oc tag <source> <destination>

    For example, to configure the ruby image stream static-2.0 tag to always refer to the current image for the ruby image stream 2.0 tag:

    $ oc tag ruby:2.0 ruby:static-2.0

    This creates a new image stream tag named static-2.0 in the ruby image stream. The new tag directly references the image id that the ruby:2.0 image stream tag pointed to at the time oc tag was run, and the image it points to never changes.

  • To ensure the destination tag is updated when the source tag changes, use the --alias=true flag:

    $ oc tag --alias=true <source> <destination>
Note

Use a tracking tag for creating permanent aliases, for example, latest or stable. The tag only works correctly within a single image stream. Trying to create a cross-image stream alias produces an error.

  • You can also add the --scheduled=true flag to have the destination tag be refreshed, or re-imported, periodically. The period is configured globally at the system level.
  • The --reference flag creates an image stream tag that is not imported. The tag points to the source location, permanently.

    If you want to instruct Red Hat OpenShift Service on AWS to always fetch the tagged image from the integrated registry, use --reference-policy=local. The registry uses the pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply --insecure-registry to the container runtime as long as the image stream has an insecure annotation or the tag has an insecure import policy.

5.2.4. Removing tags from image streams

You can remove tags from an image stream.

Procedure

  • To remove a tag completely from an image stream run:

    $ oc delete istag/ruby:latest

    or:

    $ oc tag -d ruby:latest

5.2.5. Referencing images in imagestreams

You can use tags to reference images in image streams using the following reference types.

Table 5.2. Imagestream reference types
Reference typeDescription

ImageStreamTag

An ImageStreamTag is used to reference or retrieve an image for a given image stream and tag.

ImageStreamImage

An ImageStreamImage is used to reference or retrieve an image for a given image stream and image sha ID.

DockerImage

A DockerImage is used to reference or retrieve an image for a given external registry. It uses standard Docker pull specification for its name.

When viewing example image stream definitions you may notice they contain definitions of ImageStreamTag and references to DockerImage, but nothing related to ImageStreamImage.

This is because the ImageStreamImage objects are automatically created in Red Hat OpenShift Service on AWS when you import or tag an image into the image stream. You should never have to explicitly define an ImageStreamImage object in any image stream definition that you use to create image streams.

Procedure

  • To reference an image for a given image stream and tag, use ImageStreamTag:

    <image_stream_name>:<tag>
  • To reference an image for a given image stream and image sha ID, use ImageStreamImage:

    <image_stream_name>@<id>

    The <id> is an immutable identifier for a specific image, also called a digest.

  • To reference or retrieve an image for a given external registry, use DockerImage:

    openshift/ruby-20-centos7:2.0
    Note

    When no tag is specified, it is assumed the latest tag is used.

    You can also reference a third-party registry:

    registry.redhat.io/rhel7:latest

    Or an image with a digest:

    centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e

5.3. Image pull policy

Each container in a pod has a container image. After you have created an image and pushed it to a registry, you can then refer to it in the pod.

5.3.1. Image pull policy overview

When Red Hat OpenShift Service on AWS creates containers, it uses the container imagePullPolicy to determine if the image should be pulled prior to starting the container. There are three possible values for imagePullPolicy:

Table 5.3. imagePullPolicy values
ValueDescription

Always

Always pull the image.

IfNotPresent

Only pull the image if it does not already exist on the node.

Never

Never pull the image.

If a container imagePullPolicy parameter is not specified, Red Hat OpenShift Service on AWS sets it based on the image tag:

  1. If the tag is latest, Red Hat OpenShift Service on AWS defaults imagePullPolicy to Always.
  2. Otherwise, Red Hat OpenShift Service on AWS defaults imagePullPolicy to IfNotPresent.

5.4. Using image pull secrets

If you are using the OpenShift image registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions and no additional action should be required.

However, for other scenarios, such as referencing images across Red Hat OpenShift Service on AWS projects or from secured registries, additional configuration steps are required.

You can obtain the image pull secret from Red Hat OpenShift Cluster Manager. This pull secret is called pullSecret.

You use this pull secret to authenticate with the services that are provided by the included authorities, Quay.io and registry.redhat.io, which serve the container images for Red Hat OpenShift Service on AWS components.

5.4.1. Allowing pods to reference images across projects

When using the OpenShift image registry, to allow pods in project-a to reference images in project-b, a service account in project-a must be bound to the system:image-puller role in project-b.

Note

When you create a pod service account or a namespace, wait until the service account is provisioned with a docker pull secret; if you create a pod before its service account is fully provisioned, the pod fails to access the OpenShift image registry.

Procedure

  1. To allow pods in project-a to reference images in project-b, bind a service account in project-a to the system:image-puller role in project-b:

    $ oc policy add-role-to-user \
        system:image-puller system:serviceaccount:project-a:default \
        --namespace=project-b

    After adding that role, the pods in project-a that reference the default service account are able to pull images from project-b.

  2. To allow access for any service account in project-a, use the group:

    $ oc policy add-role-to-group \
        system:image-puller system:serviceaccounts:project-a \
        --namespace=project-b

5.4.2. Allowing pods to reference images from other secured registries

To pull a secured container from other private or secured registries, you must create a pull secret from your container client credentials, such as Docker or Podman, and add it to your service account.

Both Docker and Podman use a configuration file to store authentication details to log in to secured or insecure registry:

  • Docker: By default, Docker uses $HOME/.docker/config.json.
  • Podman: By default, Podman uses $HOME/.config/containers/auth.json.

These files store your authentication information if you have previously logged in to a secured or insecure registry.

Note

Both Docker and Podman credential files and the associated pull secret can contain multiple references to the same registry if they have unique paths, for example, quay.io and quay.io/<example_repository>. However, neither Docker nor Podman support multiple entries for the exact same registry path.

Example config.json file

{
   "auths":{
      "cloud.openshift.com":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io/repository-main":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      }
   }
}

Example pull secret

apiVersion: v1
data:
  .dockerconfigjson: ewogICAiYXV0aHMiOnsKICAgICAgIm0iOnsKICAgICAgIsKICAgICAgICAgImF1dGgiOiJiM0JsYj0iLAogICAgICAgICAiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgfQp9Cg==
kind: Secret
metadata:
  creationTimestamp: "2021-09-09T19:10:11Z"
  name: pull-secret
  namespace: default
  resourceVersion: "37676"
  uid: e2851531-01bc-48ba-878c-de96cfe31020
type: Opaque

Procedure

  • Create a secret from an existing authentication file:

    • For Docker clients using .docker/config.json, enter the following command:

      $ oc create secret generic <pull_secret_name> \
          --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
          --type=kubernetes.io/dockerconfigjson
    • For Podman clients using .config/containers/auth.json, enter the following command:

      $ oc create secret generic <pull_secret_name> \
           --from-file=<path/to/.config/containers/auth.json> \
           --type=kubernetes.io/podmanconfigjson
  • If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:

    $ oc create secret docker-registry <pull_secret_name> \
        --docker-server=<registry_server> \
        --docker-username=<user_name> \
        --docker-password=<password> \
        --docker-email=<email>
  • To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses. The default service account is default:

    $ oc secrets link default <pull_secret_name> --for=pull

5.4.2.1. Pulling from private registries with delegated authentication

A private registry can delegate authentication to a separate service. In these cases, image pull secrets must be defined for both the authentication and registry endpoints.

Procedure

  1. Create a secret for the delegated authentication server:

    $ oc create secret docker-registry \
        --docker-server=sso.redhat.com \
        --docker-username=developer@example.com \
        --docker-password=******** \
        --docker-email=unused \
        redhat-connect-sso
    
    secret/redhat-connect-sso
  2. Create a secret for the private registry:

    $ oc create secret docker-registry \
        --docker-server=privateregistry.example.com \
        --docker-username=developer@example.com \
        --docker-password=******** \
        --docker-email=unused \
        private-registry
    
    secret/private-registry
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.