Docker Registry
The platform has a predefined, default, tenant-wide Docker Registry service (docker-registry) that uses a pre-deployed, local, on-cluster Docker Registry. This on-cluster Docker Registry is supported only for playground deployments: images are lost if the pod is restarted.
Configuring the Service
Resources
The default and the off-cluster Docker-registry services have default CPU and memory limits.
You can modify the
Creating a Custom User Docker Registry
When deploying multiple systems to the same container registry, you can use different URLs, for example xyz.my-ecr.amazon.com/some-unique-name. This is recommended to avoid overriding the existing container images.
To define a Custom User Docker Registry:
- In the dashboard Services page, press New Service.
- Select Docker Registry from the drop-down list.
- In the Common Parameters tab, configure the Resources.
- In the Custom Parameters tab, configure the cluster parameters:
  - URL: required.
  - Username and password: optional.
  - Image prefix: optional. When defined, the image prefix is appended to the container images (that were built in MLRun) when they are pushed by an Iguazio service (e.g. MLRun) to the registry. For example: my-ecr-address.ecr.com/my-igz-system-runtime for the Custom User Docker Registry, and my-ecr-address.ecr.com/my-igz-system for the System Docker Registry.
Elastic Container Registry
- If the permissions for the ECR are already set as part of the cluster deployment (using the EC2 IAM policy), then use ecm.com as the URL and leave the username and password blank. (EC2 instances are attached with roles allowing them to work with the ECR.)
- If the ECR was not used for the cluster installation:
  - URL: The ECR URL (in the format <aws_account_id>.dkr.ecr.<region>.amazonaws.com).
  - Username: AWS access key ID
  - Password: AWS secret access key
  The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must have read/write access to ECR. (This does not apply when running the Docker Registry on an EC2 instance with an attached role to push images to ECR.)
The access keys or the EC2 IAM policy must have these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Resource": "*"
}
]
}
See more details in EKS and AWS Vanilla Kubernetes.
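As an added example (not part of the Iguazio documentation or its tooling), the following Python script checks whether an IAM policy document grants every ECR action listed above, and flags actions granted on "Resource": "*" that could instead be scoped to specific repository ARNs; of the actions above, only ecr:GetAuthorizationToken has no resource-level permissions and must stay on "*". The function and constant names are the example's own.

```python
import fnmatch
import json

# The IAM actions the page lists as required for pushing images to ECR.
REQUIRED_ECR_ACTIONS = [
    "ecr:CreateRepository",
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:BatchGetImage",
    "ecr:CompleteLayerUpload",
    "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload",
    "ecr:PutImage",
    "ecr:UploadLayerPart",
]

# ecr:GetAuthorizationToken is an account-level call without resource-level
# permissions, so "*" is the only valid Resource for it. Every other action
# above accepts a repository ARN and can be narrowed for least privilege.
ACCOUNT_LEVEL_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single string or a list."""
    return value if isinstance(value, list) else [value]


def check_ecr_policy(policy_json: str) -> dict:
    """Return the required actions the policy does not allow, and the
    required actions it allows on "*" although they could be scoped.
    Deny statements and NotAction are not evaluated (Allow-only check)."""
    policy = json.loads(policy_json)
    allowed = {}  # required action -> set of Resource values it is allowed on
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource", [])))
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and support * and ? wildcards.
            for action in REQUIRED_ECR_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    allowed.setdefault(action, set()).update(resources)
    missing = [a for a in REQUIRED_ECR_ACTIONS if a not in allowed]
    overly_broad = [
        a for a in REQUIRED_ECR_ACTIONS
        if a in allowed and "*" in allowed[a] and a not in ACCOUNT_LEVEL_ACTIONS
    ]
    return {"missing": missing, "overly_broad": overly_broad}
```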
Userless ACR Access
For RHEL systems only.
- From the client bastion with an AZ admin user, associate the identity to a data node VM.
- From that data node:
  - Install the Azure CLI on Linux.
  - Run:
    az login --identity
    az acr login --name registryname --expose-token
    Exposing the token gives you the password for the next step.
- From the UI, create the external registry service. Use the hook user (00000000-0000-0000-0000-000000000000) and the accessToken as password.
The az acr login TTL is 3 hours, however the newly set accessToken has TTL=-1. It could be that a bare --expose-token silently changes this behavior.
To view token details after creation, run:
az acr token list --registry registryname # find token name
az acr token show --name MyToken --registry registryname
Since you cannot update the TTL of existing tokens, if needed, you can try creating a new token and explicitly set the expiration.