This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Questo contenuto non è disponibile nella lingua selezionata.
Chapter 5. Managing images
5.1. Managing images overview
With OpenShift Container Platform you can interact with images and set up image streams, depending on where the registries of the images are located, any authentication requirements around those registries, and how you want your builds and deployments to behave.
5.1.1. Images overview
An image stream comprises any number of container images identified by tags. It presents a single virtual view of related images, similar to a container image repository.
By watching an image stream, builds and deployments can receive notifications when new images are added or modified and react by performing a build or deployment, respectively.
5.2. Tagging images
The following sections provide an overview and instructions for using image tags in the context of container images for working with OpenShift Container Platform image streams and their tags.
5.2.1. Image tags
					An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an image stream. Typically, the tag represents a version number of some sort. For example, here :v3.11.59-2 is the tag:
				
registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2
registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2
					You can add additional tags to an image. For example, an image might be assigned the tags :v3.11.59-2 and :latest.
				
					OpenShift Container Platform provides the oc tag command, which is similar to the docker tag command, but operates on image streams instead of directly on images.
				
5.2.2. Image tag conventions
Images evolve over time and their tags reflect this. Generally, an image tag always points to the latest image built.
					If there is too much information embedded in a tag name, like v2.0.1-may-2019, the tag points to just one revision of an image and is never updated. Using default image pruning options, such an image is never removed. In very large clusters, the schema of creating new tags for every revised image could eventually fill up the etcd datastore with excess tag metadata for images that are long outdated.
				
					If the tag is named v2.0, image revisions are more likely. This results in longer tag history and, therefore, the image pruner is more likely to remove old and unused images.
				
					Although tag naming convention is up to you, here are a few examples in the format <image_name>:<image_tag>:
				
| Description | Example | 
|---|---|
| Revision | 
									 | 
| Architecture | 
									 | 
| Base image | 
									 | 
| Latest (potentially unstable) | 
									 | 
| Latest stable | 
									 | 
					If you require dates in tag names, periodically inspect old and unsupported images and istags and remove them. Otherwise, you can experience increasing resource usage caused by retaining old images.
				
5.2.3. Adding tags to image streams
An image stream in OpenShift Container Platform comprises zero or more container images identified by tags.
					There are different types of tags available. The default behavior uses a permanent tag, which points to a specific image in time. If the permanent tag is in use and the source changes, the tag does not change for the destination.
				
					A tracking tag means the destination tag’s metadata is updated during the import of the source tag.
				
Procedure
- You can add tags to an image stream using the - oc tagcommand:- oc tag <source> <destination> - $ oc tag <source> <destination>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example, to configure the - rubyimage stream- static-2.0tag to always refer to the current image for the- rubyimage stream- 2.0tag:- oc tag ruby:2.0 ruby:static-2.0 - $ oc tag ruby:2.0 ruby:static-2.0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This creates a new image stream tag named - static-2.0in the- rubyimage stream. The new tag directly references the image id that the- ruby:2.0image stream tag pointed to at the time- oc tagwas run, and the image it points to never changes.
- To ensure the destination tag is updated when the source tag changes, use the - --alias=trueflag:- oc tag --alias=true <source> <destination> - $ oc tag --alias=true <source> <destination>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
						Use a tracking tag for creating permanent aliases, for example, latest or stable. The tag only works correctly within a single image stream. Trying to create a cross-image stream alias produces an error.
					
- 
							You can also add the --scheduled=trueflag to have the destination tag be refreshed, or re-imported, periodically. The period is configured globally at the system level.
- The - --referenceflag creates an image stream tag that is not imported. The tag points to the source location, permanently.- If you want to instruct OpenShift Container Platform to always fetch the tagged image from the integrated registry, use - --reference-policy=local. The registry uses the pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply- --insecure-registryto the container runtime as long as the image stream has an insecure annotation or the tag has an insecure import policy.
5.2.4. Removing tags from image streams
You can remove tags from an image stream.
Procedure
- To remove a tag completely from an image stream run: - oc delete istag/ruby:latest - $ oc delete istag/ruby:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - or: - oc tag -d ruby:latest - $ oc tag -d ruby:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.2.5. Referencing images in imagestreams
You can use tags to reference images in image streams using the following reference types.
| Reference type | Description | 
|---|---|
| 
									 | 
									An  | 
| 
									 | 
									An  | 
| 
									 | 
									A  | 
					When viewing example image stream definitions you may notice they contain definitions of ImageStreamTag and references to DockerImage, but nothing related to ImageStreamImage.
				
					This is because the ImageStreamImage objects are automatically created in OpenShift Container Platform when you import or tag an image into the image stream. You should never have to explicitly define an ImageStreamImage object in any image stream definition that you use to create image streams.
				
Procedure
- To reference an image for a given image stream and tag, use - ImageStreamTag:- <image_stream_name>:<tag> - <image_stream_name>:<tag>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To reference an image for a given image stream and image - shaID, use- ImageStreamImage:- <image_stream_name>@<id> - <image_stream_name>@<id>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - <id>is an immutable identifier for a specific image, also called a digest.
- To reference or retrieve an image for a given external registry, use - DockerImage:- openshift/ruby-20-centos7:2.0 - openshift/ruby-20-centos7:2.0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- When no tag is specified, it is assumed the - latesttag is used.- You can also reference a third-party registry: - registry.redhat.io/rhel7:latest - registry.redhat.io/rhel7:latest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Or an image with a digest: - centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e - centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.3. Image pull policy
Each container in a pod has a container image. After you have created an image and pushed it to a registry, you can then refer to it in the pod.
5.3.1. Image pull policy overview
					When OpenShift Container Platform creates containers, it uses the container imagePullPolicy to determine if the image should be pulled prior to starting the container. There are three possible values for imagePullPolicy:
				
| Value | Description | 
|---|---|
| 
									 | Always pull the image. | 
| 
									 | Only pull the image if it does not already exist on the node. | 
| 
									 | Never pull the image. | 
					If a container imagePullPolicy parameter is not specified, OpenShift Container Platform sets it based on the image tag:
				
- 
							If the tag is latest, OpenShift Container Platform defaultsimagePullPolicytoAlways.
- 
							Otherwise, OpenShift Container Platform defaults imagePullPolicytoIfNotPresent.
5.4. Using image pull secrets
If you are using the OpenShift image registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions and no additional action should be required.
However, for other scenarios, such as referencing images across OpenShift Container Platform projects or from secured registries, then additional configuration steps are required.
				You can obtain the image pull secret from the Red Hat OpenShift Cluster Manager. This pull secret is called pullSecret.
			
You use this pull secret to authenticate with the services that are provided by the included authorities, Quay.io and registry.redhat.io, which serve the container images for OpenShift Container Platform components.
5.4.1. Allowing pods to reference images across projects
					When using the OpenShift image registry, to allow pods in project-a to reference images in project-b, a service account in project-a must be bound to the system:image-puller role in project-b.
				
When you create a pod service account or a namespace, wait until the service account is provisioned with a docker pull secret; if you create a pod before its service account is fully provisioned, the pod fails to access the OpenShift image registry.
Procedure
- To allow pods in - project-ato reference images in- project-b, bind a service account in- project-ato the- system:image-pullerrole in- project-b:- oc policy add-role-to-user \ system:image-puller system:serviceaccount:project-a:default \ --namespace=project-b- $ oc policy add-role-to-user \ system:image-puller system:serviceaccount:project-a:default \ --namespace=project-b- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After adding that role, the pods in - project-athat reference the default service account are able to pull images from- project-b.
- To allow access for any service account in - project-a, use the group:- oc policy add-role-to-group \ system:image-puller system:serviceaccounts:project-a \ --namespace=project-b- $ oc policy add-role-to-group \ system:image-puller system:serviceaccounts:project-a \ --namespace=project-b- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.4.2. Allowing pods to reference images from other secured registries
					The .dockercfg $HOME/.docker/config.json file for Docker clients is a Docker credentials file that stores your authentication information if you have previously logged into a secured or insecure registry.
				
To pull a secured container image that is not from OpenShift image registry, you must create a pull secret from your Docker credentials and add it to your service account.
The Docker credentials file and the associated pull secret can contain multiple references to the same registry, each with its own set of credentials.
Example config.json file
Example pull secret
Procedure
- If you already have a - .dockercfgfile for the secured registry, you can create a secret from that file by running:- oc create secret generic <pull_secret_name> \ --from-file=.dockercfg=<path/to/.dockercfg> \ --type=kubernetes.io/dockercfg- $ oc create secret generic <pull_secret_name> \ --from-file=.dockercfg=<path/to/.dockercfg> \ --type=kubernetes.io/dockercfg- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Or if you have a - $HOME/.docker/config.jsonfile:- oc create secret generic <pull_secret_name> \ --from-file=.dockerconfigjson=<path/to/.docker/config.json> \ --type=kubernetes.io/dockerconfigjson- $ oc create secret generic <pull_secret_name> \ --from-file=.dockerconfigjson=<path/to/.docker/config.json> \ --type=kubernetes.io/dockerconfigjson- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you do not already have a Docker credentials file for the secured registry, you can create a secret by running: - oc create secret docker-registry <pull_secret_name> \ --docker-server=<registry_server> \ --docker-username=<user_name> \ --docker-password=<password> \ --docker-email=<email>- $ oc create secret docker-registry <pull_secret_name> \ --docker-server=<registry_server> \ --docker-username=<user_name> \ --docker-password=<password> \ --docker-email=<email>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses. The default service account is - default:- oc secrets link default <pull_secret_name> --for=pull - $ oc secrets link default <pull_secret_name> --for=pull- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.4.2.1. Pulling from private registries with delegated authentication
A private registry can delegate authentication to a separate service. In these cases, image pull secrets must be defined for both the authentication and registry endpoints.
Procedure
- Create a secret for the delegated authentication server: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a secret for the private registry: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
5.4.3. Updating the global cluster pull secret
You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.
To transfer your cluster to another owner, you must first initiate the transfer in OpenShift Cluster Manager, and then update the pull secret on the cluster. Updating a cluster’s pull secret without initiating the transfer in OpenShift Cluster Manager causes the cluster to stop reporting Telemetry metrics in OpenShift Cluster Manager.
For more information about transferring cluster ownership, see "Transferring cluster ownership" in the Red Hat OpenShift Cluster Manager documentation.
Prerequisites
- 
							You have access to the cluster as a user with the cluster-adminrole.
Procedure
- Optional: To append a new pull secret to the existing pull secret, complete the following steps: - Enter the following command to download the pull secret: - oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' ><pull_secret_location>- $ oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' ><pull_secret_location>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Provide the path to the pull secret file.
 
- Enter the following command to add the new pull secret: - oc registry login --registry="<registry>" \ --auth-basic="<username>:<password>" \ --to=<pull_secret_location> - $ oc registry login --registry="<registry>" \- 1 - --auth-basic="<username>:<password>" \- 2 - --to=<pull_secret_location>- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Alternatively, you can perform a manual update to the pull secret file. 
 
- Enter the following command to update the global pull secret for your cluster: - oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> - $ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Provide the path to the new pull secret file.
 - This update is rolled out to all nodes, which can take some time depending on the size of your cluster. Note- As of OpenShift Container Platform 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot.