Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Managing image streams

Image streams provide a means of creating and updating container images in an on-going way. As improvements are made to an image, tags can be used to assign new version numbers and keep track of changes. This document describes how image streams are managed.

6.1. Using image streams
Copia collegamento

Image streams provide an abstraction for referencing container images from within Red Hat OpenShift Service on AWS classic architecture. You can use image streams to manage image versions and automate builds and deployments.

Image streams do not contain actual image data, but present a single virtual view of related images, similar to an image repository.

You can configure builds and deployments to watch an image stream for notifications when new images are added and react by performing a build or deployment, respectively.

For example, if a deployment is using a certain image and a new version of that image is created, a deployment could be automatically performed to pick up the new version of the image.

However, if the image stream tag used by the deployment or build is not updated, then even if the container image in the container image registry is updated, the build or deployment continues using the previous, presumably known good image.

The source images can be stored in any of the following:

  • Red Hat OpenShift Service on AWS classic architecture’s integrated registry.
  • An external registry, for example registry.redhat.io or quay.io.
  • Other image streams in the Red Hat OpenShift Service on AWS classic architecture cluster.

When you define an object that references an image stream tag, such as a build or deployment configuration, you point to an image stream tag and not the repository. When you build or deploy your application, Red Hat OpenShift Service on AWS classic architecture queries the repository using the image stream tag to locate the associated ID of the image and uses that exact image.

The image stream metadata is stored in the etcd instance along with other cluster information.

Using image streams has several significant benefits:

  • You can tag, rollback a tag, and quickly deal with images, without having to re-push using the command line.
  • You can trigger builds and deployments when a new image is pushed to the registry. Also, Red Hat OpenShift Service on AWS classic architecture has generic triggers for other resources, such as Kubernetes objects.
  • You can mark a tag for periodic re-import. If the source image has changed, that change is picked up and reflected in the image stream, which triggers the build or deployment flow, depending upon the build or deployment configuration.
  • You can share images using fine-grained access control and quickly distribute images across your teams.
  • If the source image changes, the image stream tag still points to a known-good version of the image, ensuring that your application does not break unexpectedly.
  • You can configure security around who can view and use the images through permissions on the image stream objects.
  • Users that lack permission to read or list images on the cluster level can still retrieve the images tagged in a project using image streams.

6.2. Configuring image streams
Copia collegamento

To customize image retrieval and security policies for your applications, configure image streams within Red Hat OpenShift Service on AWS classic architecture. This process lets you define image pull specifications, manage tags, and control access permissions necessary for reliable application deployment.

An ImageStream object file contains the following elements.

Imagestream object definition

apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  labels:
    app: ruby-sample-build
    template: application-template-stibuild
  name: origin-ruby-sample
  namespace: test
spec: {}
status:
  dockerImageRepository: 172.30.56.218:5000/test/origin-ruby-sample
  tags:
  - items:
    - created: 2017-09-02T10:15:09Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
      generation: 2
      image: sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
    - created: 2017-09-01T13:40:11Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
      generation: 1
      image: sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
    tag: latest
Copy to Clipboard Toggle word wrap

where

name
Specifies the name of the image stream
ruby-sample
Specifies the Docker repository path where new images can be pushed to add or update them in this image stream.
dockerImageReference
Specifies the SHA identifier that this image stream tag currently references. Resources that reference this image stream tag use this identifier
image
Specifies the SHA identifier that this image stream tag previously referenced. You can use it to rollback to an older image.
tag
Specifies the image stream tag name.

6.3. Image stream images
Copia collegamento

To precisely identify and manage the actual image content associated with a specific tag, reference and use image stream images in Red Hat OpenShift Service on AWS classic architecture. This ensures your application deployments reliably target immutable image definitions.

An image stream image points from within an image stream to a particular image ID.

Image stream images allow you to retrieve metadata about an image from a particular image stream where it is tagged.

Image stream image objects are automatically created in Red Hat OpenShift Service on AWS classic architecture whenever you import or tag an image into the image stream. You should never have to explicitly define an image stream image object in any image stream definition that you use to create image streams.

The image stream image consists of the image stream name and image ID from the repository, delimited by an @ sign: 

<image-stream-name>@<image-id>
Copy to Clipboard Toggle word wrap

To refer to the image in the ImageStream object example, the image stream image looks like: 

origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
Copy to Clipboard Toggle word wrap

6.4. Image stream tags
Copia collegamento

To maintain human-readable references to immutable images, utilize image stream tags within Red Hat OpenShift Service on AWS classic architecture. These tags are essential because they enable your builds and deployments to accurately target specific, stable image content.

An image stream tag is a named pointer to an image in an image stream. It is abbreviated as istag. An image stream tag is used to reference or retrieve an image for a given image stream and tag.

Image stream tags can reference any local or externally managed image. It contains a history of images represented as a stack of all images the tag ever pointed to. Whenever a new or existing image is tagged under a particular image stream tag, it is placed at the first position in the history stack. The image previously occupying the top position is available at the second position. This allows for easy rollbacks to make tags point to historical images again.

The following image stream tag is from an ImageStream object:

Image stream tag with two images in its history

kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: my-image-stream
# ...
  tags:
  - items:
    - created: 2017-09-02T10:15:09Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
      generation: 2
      image: sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
    - created: 2017-09-01T13:40:11Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
      generation: 1
      image: sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
    tag: latest
# ...
Copy to Clipboard Toggle word wrap

Image stream tags can be permanent tags or tracking tags.

  • Permanent tags are version-specific tags that point to a particular version of an image, such as Python 3.5.

  • Tracking tags are reference tags that follow another image stream tag and can be updated to change which image they follow, like a symlink. These new levels are not guaranteed to be backwards-compatible.

    For example, the latest image stream tags that ship with Red Hat OpenShift Service on AWS classic architecture are tracking tags. This means consumers of the latest image stream tag are updated to the newest level of the framework provided by the image when a new level becomes available. A latest image stream tag to v3.10 can be changed to v3.11 at any time. It is important to be aware that these latest image stream tags behave differently than the Docker latest tag. The latest image stream tag, in this case, does not point to the latest image in the Docker repository. It points to another image stream tag, which might not be the latest version of an image. For example, if the latest image stream tag points to v3.10 of an image, when the 3.11 version is released, the latest tag is not automatically updated to v3.11, and remains at v3.10 until it is manually updated to point to a v3.11 image stream tag.

    Note

    Tracking tags are limited to a single image stream and cannot reference other image streams.

You can create your own image stream tags for your own needs.

The image stream tag is composed of the name of the image stream and a tag, separated by a colon: 

<imagestream name>:<tag>
Copy to Clipboard Toggle word wrap

For example, to refer to the sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d image in the ImageStream object example earlier, the image stream tag would be: 

origin-ruby-sample:latest
Copy to Clipboard Toggle word wrap

6.5. Image stream change triggers
Copia collegamento

To automate your application lifecycle and ensure they use the latest code, configure image stream triggers in Red Hat OpenShift Service on AWS classic architecture. Image stream triggers allow your builds and deployments to be automatically invoked when a new version of an upstream image is available.

For example, builds and deployments can be automatically started when an image stream tag is modified. This is achieved by monitoring that particular image stream tag and notifying the build or deployment when a change is detected.

6.6. Working with image streams
Copia collegamento

The following sections describe how to use image streams and image stream tags.

Important

Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.

The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.

6.6.1. Getting information about image streams
Copia collegamento

To efficiently manage and monitor your image streams in Red Hat OpenShift Service on AWS classic architecture, retrieve information about their versions. You can get general information about the image stream and detailed information about all the tags it is pointing to, ensuring your deployed applications rely on the correct image versions.

Procedure

  • To get general information about the image stream and detailed information about all the tags it is pointing to, enter the following command: 

    $ oc describe is/<image-name>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc describe is/python
    Copy to Clipboard Toggle word wrap

    Example output

    Name:			python
Namespace:		default
Created:		About a minute ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2017-10-02T17:05:11Z
Docker Pull Spec:	docker-registry.default.svc:5000/default/python
Image Lookup:		local=false
Unique Images:		1
Tags:			1

3.5
  tagged from centos/python-35-centos7

  * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
      About a minute ago
    Copy to Clipboard Toggle word wrap

  • To get all of the information available about a particular image stream tag, enter the following command: 

    $ oc describe istag/<image-stream>:<tag-name>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc describe istag/python:latest
    Copy to Clipboard Toggle word wrap

    Example output

    Image Name:	sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
Docker Image:	centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
Name:		sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
Created:	2 minutes ago
Image Size:	251.2 MB (first layer 2.898 MB, last binary layer 72.26 MB)
Image Created:	2 weeks ago
Author:		<none>
Arch:		amd64
Entrypoint:	container-entrypoint
Command:	/bin/sh -c $STI_SCRIPTS_PATH/usage
Working Dir:	/opt/app-root/src
User:		1001
Exposes Ports:	8080/tcp
Docker Labels:	build-date=20170801
    Copy to Clipboard Toggle word wrap

    Note

    More information is output than shown.

  • Enter the following command to discover which architecture or operating system that an image stream tag supports: 

    $ oc get istag <image-stream-tag> -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc get istag busybox:latest -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"
    Copy to Clipboard Toggle word wrap

    Example output

    linux/amd64
linux/arm
linux/arm64
linux/386
linux/mips64le
linux/ppc64le
linux/riscv64
linux/s390x
    Copy to Clipboard Toggle word wrap

6.6.2. Adding tags to an image stream
Copia collegamento

To accurately manage and track specific versions of your container images, add tags to your image streams within Red Hat OpenShift Service on AWS classic architecture, This ensures reliable referencing and deployment throughout your environment.

Procedure

  • Add a tag that points to one of the existing tags by using the `oc tag`command: 

    $ oc tag <image-name:tag1> <image-name:tag2>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc tag python:3.5 python:latest
    Copy to Clipboard Toggle word wrap

    Example output

    Tag python:latest set to python@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25.
    Copy to Clipboard Toggle word wrap

  • Confirm the image stream has two tags, one, 3.5, pointing at the external container image and another tag, latest, pointing to the same image because it was created based on the first tag. 

    $ oc describe is/python
    Copy to Clipboard Toggle word wrap

    Example output

    Name:			python
Namespace:		default
Created:		5 minutes ago
Labels:			<none>
Annotations:		openshift.io/image.dockerRepositoryCheck=2017-10-02T17:05:11Z
Docker Pull Spec:	docker-registry.default.svc:5000/default/python
Image Lookup:		local=false
Unique Images:		1
Tags:			2

latest
  tagged from python@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25

  * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
      About a minute ago

3.5
  tagged from centos/python-35-centos7

  * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
      5 minutes ago
    Copy to Clipboard Toggle word wrap

6.6.3. Adding tags for an external image
Copia collegamento

To enable Red Hat OpenShift Service on AWS classic architecture resources to track and consume container images sourced from external registries, add tags to the corresponding image streams. This action integrates external image content securely into your cluster’s local image management system.

Procedure

  • Add tags pointing to internal or external images, by using the oc tag command for all tag-related operations: 

    $ oc tag <repository/image> <image-name:tag>
    Copy to Clipboard Toggle word wrap

    For example, this command maps the docker.io/python:3.6.0 image to the 3.6 tag in the python image stream. 

    $ oc tag docker.io/python:3.6.0 python:3.6
    Copy to Clipboard Toggle word wrap

    Example output

    Tag python:3.6 set to docker.io/python:3.6.0.
    Copy to Clipboard Toggle word wrap

    If the external image is secured, you must create a secret with credentials for accessing that registry.

6.6.4. Updating image stream tags
Copia collegamento

To maintain flexibility and consistency in deployment definitions, update an image stream tag to reflect a different tag in Red Hat OpenShift Service on AWS classic architecture. Specifically, you can update a tag to reflect another tag in an image stream, which is essential for managing image versions effectively.

Procedure

  • Update a tag: 

    $ oc tag <image-name:tag> <image-name:latest>
    Copy to Clipboard Toggle word wrap

    For example, the following updates the latest tag to reflect the 3.6 tag in an image stream: 

    $ oc tag python:3.6 python:latest
    Copy to Clipboard Toggle word wrap

    Example output

    Tag python:latest set to python@sha256:438208801c4806548460b27bd1fbcb7bb188273d13871ab43f.
    Copy to Clipboard Toggle word wrap

6.6.5. Removing image stream tags
Copia collegamento

To maintain control over your image history and simplify management within Red Hat OpenShift Service on AWS classic architecture, you can remove old tags from an image stream. This action helps ensure that your resources track only the current and necessary image references.

Procedure

  • Remove old tags from an image stream: 

    $ oc tag -d <image-name:tag>
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc tag -d python:3.6
    Copy to Clipboard Toggle word wrap

    Example output

    Deleted tag default/python:3.6
    Copy to Clipboard Toggle word wrap

See Removing deprecated image stream tags from the Cluster Samples Operator for more information on how the Cluster Samples Operator handles deprecated image stream tags.

6.6.6. Configuring periodic importing of image stream tags
Copia collegamento

To maintain up-to-date image definitions from an external container image registry, configure periodic importing of image stream tags. This process allows you to quickly re-import images for critical security updates by using the --scheduled flag.

Procedure

  1. Schedule importing images: 

    $ oc tag <repository/image> <image-name:tag> --scheduled
    Copy to Clipboard Toggle word wrap

    For example: 

    $ oc tag docker.io/python:3.6.0 python:3.6 --scheduled
    Copy to Clipboard Toggle word wrap

    Example output

    Tag python:3.6 set to import docker.io/python:3.6.0 periodically.
    Copy to Clipboard Toggle word wrap

    This command causes Red Hat OpenShift Service on AWS classic architecture to periodically update this particular image stream tag. This period is a cluster-wide setting set to 15 minutes by default.

  2. Remove the periodic check, re-run above command but omit the --scheduled flag. This will reset its behavior to default. 

    $ oc tag <repositiory/image> <image-name:tag>
    Copy to Clipboard Toggle word wrap

6.7. Importing and working with images and image streams
Copia collegamento

The following sections describe how to import, and work with, image streams.

6.7.1. Importing images and image streams from private registries
Copia collegamento

To securely manage content from external sources, configure your image streams to import tag and image metadata from private registries requiring authentication. This procedure is essential if you change the registry that the Cluster Samples Operator uses for pulling content to something other than the default registry.redhat.io.

Note

When importing from insecure or secure registries, the registry URL defined in the secret must include the :80 port suffix or the secret is not used when attempting to import from the registry.

Procedure

  1. You must create a secret object that is used to store your credentials by entering the following command: 

    $ oc create secret generic <secret_name> --from-file=.dockerconfigjson=<file_absolute_path> --type=kubernetes.io/dockerconfigjson
    Copy to Clipboard Toggle word wrap

  2. After the secret is configured, create the new image stream or enter the oc import-image command: 

    $ oc import-image <imagestreamtag> --from=<image> --confirm
    Copy to Clipboard Toggle word wrap

    During the import process, Red Hat OpenShift Service on AWS classic architecture picks up the secrets and provides them to the remote party.

6.7.2. Working with manifest lists
Copia collegamento

To precisely manage multi-architecture or variant images contained within a manifest list, use the --import-mode flag with oc import-image or oc tag CLI commands. This functionality allows you to import a single sub-manifest, or all manifests, of a manifest list, providing fine-grained control over your image stream content.

In some cases, users might want to use sub-manifests directly. When oc adm prune images is run, or the CronJob pruner runs, they cannot detect when a sub-manifest list is used. As a result, an administrator using oc adm prune images, or the CronJob pruner, might delete entire manifest lists, including sub-manifests.

To avoid this limitation, you can use the manifest list by tag or by digest instead.

Procedure

  • Create an image stream that includes multi-architecture images, and sets the import mode to PreserveOriginal, by entering the following command: 

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
--import-mode='PreserveOriginal' --reference-policy=local --confirm
    Copy to Clipboard Toggle word wrap

    Example output

    ---
Arch:           <none>
Manifests:      linux/amd64     sha256:6e325b86566fafd3c4683a05a219c30c421fbccbf8d87ab9d20d4ec1131c3451
                linux/arm64     sha256:d8fad562ffa75b96212c4a6dc81faf327d67714ed85475bf642729703a2b5bf6
                linux/ppc64le   sha256:7b7e25338e40d8bdeb1b28e37fef5e64f0afd412530b257f5b02b30851f416e1
---
    Copy to Clipboard Toggle word wrap

  • Alternatively, enter the following command to import an image with the Legacy import mode, which discards manifest lists and imports a single sub-manifest: 

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
--import-mode='Legacy' --confirm
    Copy to Clipboard Toggle word wrap
    Note

    The --import-mode= default value is Legacy. Excluding this value, or failing to specify either Legacy or PreserveOriginal, imports a single sub-manifest. An invalid import mode returns the following error: error: valid ImportMode values are Legacy or PreserveOriginal.

6.7.2.1. Configuring periodic importing of manifest lists
Copia collegamento

To maintain up-to-date image references for complex, multi-architecture images, configure periodic importing of manifest lists. To periodically re-import a manifest list, you can use the --scheduled flag, ensuring your image stream tracks the latest versions from external registries.

Procedure

  • Set the image stream to periodically update the manifest list by entering the following command: 

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
--import-mode='PreserveOriginal' --scheduled=true
    Copy to Clipboard Toggle word wrap

6.7.2.2. Configuring SSL/TLS when importing manifest lists
Copia collegamento

To control connection security and access policies for manifest lists sourced from external repositories, configure SSL/TLS settings during image importing. To configure SSL/TLS when importing a manifest list, you can use the --insecure flag to bypass standard certificate validation requirements if necessary.

Procedure

  • Set --insecure=true so that importing a manifest list skips SSL/TLS verification. For example: 

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
--import-mode='PreserveOriginal' --insecure=true
    Copy to Clipboard Toggle word wrap

6.7.3. Specifying architecture for --import-mode
Copia collegamento

To control the architecture of your imported images and ensure proper deployment, use the --import-mode= flag. You can swap your imported image stream between multi-architecture and single architecture by excluding or including the --import-mode= flag as needed.

Procedure

  • Run the following command to update your image stream from multi-architecture to single architecture by excluding the --import-mode= flag: 

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name>
    Copy to Clipboard Toggle word wrap

  • Run the following command to update your image stream from single-architecture to multi-architecture: 

    $ oc import-image <multiarch_image_stream_tag>  --from=<registry>/<project_name>/<image_name> \
--import-mode='PreserveOriginal'
    Copy to Clipboard Toggle word wrap

6.7.4. Configuration fields for --import-mode
Copia collegamento

To implement multi-architecture image management using the --import-mode flag, reference the necessary configuration fields. These fields define precise parameters for selecting and importing specific manifests into your Red Hat OpenShift Service on AWS classic architecture cluster.

The following table describes the options available for the --import-mode= flag:

Expand
ParameterDescription

Legacy

The default option for --import-mode. When specified, the manifest list is discarded, and a single sub-manifest is imported. The platform is chosen in the following order of priority:

  1. Tag annotations
  2. Control plane architecture
  3. Linux/AMD64
  4. The first manifest in the list

PreserveOriginal

When specified, the original manifest is preserved. For manifest lists, the manifest list and all of its sub-manifests are imported.

Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat