Image Registry

  • We use image registries to store container images and share them in a controlled manner.
  • A container image is a packaged version of our application, with all the dependencies necessary for the application to run.
  • Examples of image registries include Quay.io, Red Hat Registry, Docker Hub, or Amazon ECR.
  • Red Hat distributes container images by using two registries:
    • registry.access.redhat.com: requires no authentication
    • registry.redhat.io: requires authentication
  • The Red Hat Ecosystem Catalog is available at https://catalog.redhat.com/.
    • We can use Red Hat Ecosystem Catalog to search for images and get technical details about them.
  • The container image details page gives you relevant information about the container image, such as the Containerfile used to create the image, the packages installed within the image, or a security scan.
  • Red Hat UBIs are Open Container Initiative (OCI) compliant enterprise grade container images that provide the base operating system layer for your containerized applications.
    • UBIs include a subset of Red Hat Enterprise Linux (RHEL) components. 
    • UBIs can additionally provide a set of pre-built language runtimes.
    • UBIs are freely distributable, and you can use UBIs on both Red Hat and non-Red Hat platforms or container registries.
  • We can use the Quay.io registry to store custom images.
    • Storing public images in Quay.io is free, and paying customers receive further benefits, such as private repositories.
    • Developers can also deploy an on-premise Quay instance to set up an image registry on their own infrastructure.
  • If you do not provide the registry URL, then Podman uses the /etc/containers/registries.conf file to search other container registries that might contain the image name.
Skopeo
  • Skopeo is a command-line tool for working with container images. Developers can use Skopeo in a number of ways:
    • Inspect remote container images.
    • Copy a container image between registries.
    • Sign an image with OpenPGP keys.
    • Convert image format, for example from Docker to the OCI format.
  • Skopeo can inspect remote images or transfer images between registries without using local storage.
    • The skopeo command uses the transport:image format, such as docker://remote_image, dir:path, or oci:path:tag.
  • The "skopeo inspect" command is used to read image metadata:
    • skopeo inspect docker://registry.access.redhat.com/ubi9/go-toolset
  • Use the skopeo copy command to copy images between registries.
Manage Registry Credentials
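  • We can authenticate our calls by executing the podman login command.
  • Podman stores the credentials in the ${XDG_RUNTIME_DIR}/containers/auth.json file.
    • ${XDG_RUNTIME_DIR} refers to a directory specific to the current user.
    • The auth value stored for each registry is the base64-encoded username:password string. It is encoded, not encrypted, so anyone who can read the file can recover the credentials:
      • cat ${XDG_RUNTIME_DIR}/containers/auth.json
      • echo -n Z2F1cmF2OnBhc3N3b3Jk | base64 -d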
  • Skopeo uses the same ${XDG_RUNTIME_DIR}/containers/auth.json file to access authentication details.
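An audit of an auth.json file along the lines described above, as an added example that is not part of the original notes: it checks that the file is readable only by its owner and lists which registries hold a recoverable username:password token, without printing the secret. The function names and the sample file contents are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile


def audit_auth_file(path):
    """Return (mode_ok, entries) for a containers auth.json file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode_ok = (mode & 0o077) == 0  # True only if group/other have no access
    with open(path, encoding="utf-8") as fh:
        auths = json.load(fh).get("auths", {})
    entries = []
    for registry, entry in sorted(auths.items()):
        try:
            raw = base64.b64decode(entry.get("auth", ""), validate=True)
            user, sep, secret = raw.decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            user, sep, secret = None, "", ""  # not a user:password token
        # Report who the credential belongs to, never the secret itself.
        entries.append({"registry": registry, "user": user,
                        "recoverable": bool(sep and secret)})
    return mode_ok, entries


def demo():
    # Constructed sample file; the first auth value is the one decoded above.
    sample = {"auths": {
        "registry.redhat.io": {"auth": "Z2F1cmF2OnBhc3N3b3Jk"},
        "quay.io": {"auth": "not base64!"},
    }}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = audit_auth_file(path)
        os.chmod(path, 0o600)
        tight = audit_auth_file(path)
    return loose, tight


if __name__ == "__main__":
    for mode_ok, entries in demo():
        print("permissions ok:", mode_ok, entries)
```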
Image Versioning and Tags
  • Map the image versions to the versions of the packaged software.
  • Update the OS libraries within the image to receive improvements and security fixes.
  • Use semantic versioning to version images relative to their packaged software product.
    • Semantic version numbers form a string with the format MAJOR.MINOR.PATCH
      • MAJOR: backward incompatible changes
      • MINOR: backward compatible changes
      • PATCH: bug fixes
  • Image versions can be used in the image name or in the image tag
  • An image tag is a string that you specify after the image name.
  • Using a tag in Podman is optional. 
    • When no tag is specified in a Podman command, Podman uses the latest tag by default.
  • We can use the podman search command to search for images in all the registries listed under unqualified-search-registries in the registries.conf file.
  • To retrieve an image, run podman image pull IMAGE_NAME or podman pull IMAGE_NAME.
  • Podman stores container images in the ~/.local/share/containers directory
    • To list local images use the podman image ls or podman images command.
  • Images pulled as the root user are stored in the /var/lib/containers directory.
    • Run sudo podman image ls to list them.
  • To build an image from a Containerfile run the podman build --file CONTAINERFILE --tag IMAGE_REFEREN
  • Share an image by pushing it to a remote registry. 
    • To push an image, you must be logged in to the registry.
    • Run podman login REGISTRY to log in to the specified registry.
    • Use the podman push IMAGE command to push a local image to the remote registry.
  • The podman image inspect command provides useful information about a locally available image. It shows the following information:
    • The default user for the image.
    • The port that the application exposes.
    • The environment variables used by the image.
    • The entrypoint, a command that runs when the container starts.
    • The command that the container-entrypoint script runs.
    • The working directory for the commands in the image.
    • Labels providing extra metadata.
    • The architecture where this image can be used.
  • Run the podman image rm or the podman rmi command to delete a container image.
    • If the image is in use by a container, then Podman fails to remove it.
    • Forcing Podman to remove the image by providing the -f option automatically stops and removes any containers using the image and then removes the image.
    • With the --all option, you can delete all images in the local storage.
  • Images that have no tag and are not referenced by other images are considered dangling images.
    • Use the podman image prune command to delete dangling images from your local storage.
    • Podman displays an interactive prompt to confirm image removal.
    • To delete both dangling and unused images, provide the --all or -a option.
    • Include the -f option to force the removal and to avoid the interactive prompt.
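A linter for image references, as an added example that is not part of the original notes: it flags the two defaults described above (a name without a registry is resolved through registries.conf, and a name without a tag becomes latest) and tags that are not MAJOR.MINOR.PATCH. It also accepts digest references (name@sha256:...), which these notes do not cover; the function names and the quay.io/example and localhost:5000 references are constructed.

```python
import re

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")  # MAJOR.MINOR.PATCH as in the notes


def parse_ref(ref):
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # A leading component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = None, name
    repo, tag = path, None
    if ":" in path.rsplit("/", 1)[-1]:  # a colon in the last component is a tag
        repo, _, tag = path.rpartition(":")
    return {"registry": registry, "repository": repo,
            "tag": tag, "digest": digest or None}


def lint_ref(ref):
    """Return findings for references that do not pin what gets pulled."""
    parsed, findings = parse_ref(ref), []
    if parsed["registry"] is None:
        findings.append("unqualified name: resolved via registries.conf")
    if parsed["digest"] is None:
        if parsed["tag"] is None:
            findings.append("no tag: Podman pulls latest")
        elif parsed["tag"] == "latest":
            findings.append("floating tag: latest")
        elif not SEMVER.match(parsed["tag"]):
            findings.append("tag is not MAJOR.MINOR.PATCH")
    return findings


# Constructed references; the first two reuse the image name from these notes.
SAMPLES = [
    "ubi9/go-toolset",
    "registry.access.redhat.com/ubi9/go-toolset",
    "quay.io/example/app:latest",
    "quay.io/example/app:1.4.2",
    "localhost:5000/app:2.4",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", lint_ref(ref) or "ok")
```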
Export and Import File Systems
  • The podman export command exports a container's filesystem to a .tar file on your local machine.
  • It creates a snapshot of an existing container.
  • If we make changes to the container's filesystem and want to revert, we can use the snapshot.
  • By default, the podman export command writes to the standard output (STDOUT).
  • To redirect the output to a file, use the --output or -o option, specifying the name for the archive to create, and the container name or ID:
    • podman export -o mytarfile.tar fb601b05cd3b
  • To import a .tar file containing a container file system, and save the file system as a container image, use the podman import command.
  • The podman import command requires the image name and tag as arguments.
    • podman import mytarfile.tar httpdcustom:2.4
  • After importing a file system, you can verify the creation of the container image by using the podman images command
