Docker Registry

The platform has a predefined, default, tenant-wide Docker Registry service (docker-registry) that uses a pre-deployed, local, on-cluster Docker Registry. This on-cluster Docker Registry is supported only for playground deployments: images are lost if the pod is restarted.

Docker Registry Requirements
Operational clusters require an external Custom User Docker Registry. If you did not create a Custom User Docker Registry during installation (AWS, GCP), see Creating a Custom User Docker Registry.

Configuring the Service

Resources

The default and the off-cluster Docker Registry services have default CPU and memory limits. For both the default registry and any external registries that you defined, you can modify the memory request and limit and the CPU request and limit in the Common Parameters tab.

Creating a Custom User Docker Registry

When deploying multiple systems to the same container registry, you can use a different URL for each system, for example xyz.my-ecr.amazon.com/some-unique-name. This is recommended so that one system does not overwrite the existing container images of another.

To define a Custom User Docker Registry:

  1. In the dashboard Services page, press New Service.
  2. Select Docker Registry from the drop-down list.
  3. In the Common Parameters tab, configure the Resources.
  4. In the Custom Parameters tab, configure the cluster parameters:
    • URL: Required.
    • Username and password: Required except for AWS Container Registry (ECR).
    • Image prefix: Optional. When defined, the image prefix is appended to the container images (that were built in MLRun) when they are pushed by an Iguazio service (e.g. MLRun) to the registry.
Tip
If you're using the ECR/ACR for both the Custom User Docker Registry and the System Docker Registry, you can distinguish between the registries with suffixes. For example:
my-ecr-address.ecr.com/my-igz-system-runtime for the Custom User Docker Registry
my-ecr-address.ecr.com/my-igz-system for the System Docker Registry

When creating an Elastic Container Registry

  • If the permissions for the ECR are already set as part of the cluster deployment (using the EC2 IAM policy), use ecm.com as the URL and leave the username and password blank. (The EC2 instances have attached roles that allow them to work with the ECR.)
  • If the ECR was not used for the cluster installation:
    • URL: The ECR URL (in the format <aws_account_id>.dkr.ecr..amazonaws.com).
    • Username: AWS access key ID
    • Password: AWS secret access key
Note
When using an ECR as the external container registry, make sure that the project secrets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY have read/write access to ECR. (This does not apply when running the Docker Registry on an EC2 instance with an attached role to push images to ECR.)

The access keys or the EC2 IAM policy must have these permissions:

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "*"
        }
    ]
}

See more details in EKS and AWS Vanilla Kubernetes.
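
The following check is an added example, not part of the platform or its documentation: it reads an IAM policy document and reports which of the nine actions listed above are missing, and which are granted on Resource "*" although they could be limited to a repository ARN. The narrower sample policy, its region, account ID and repository prefix are constructed assumptions, and the check reads only Allow statements.

```python
import fnmatch

# The nine actions the page lists as required for the registry credentials.
REQUIRED = {
    "ecr:CreateRepository", "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
    "ecr:CompleteLayerUpload", "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart",
}
# ecr:GetAuthorizationToken has no resource-level permissions: it needs "*".
NEEDS_STAR = {"ecr:GetAuthorizationToken"}

def _listify(value):
    """IAM allows a single string/object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (missing, broad): required actions not allowed at all, and
    required actions allowed on Resource "*" that could be scoped to an ARN.
    Simplification: only Allow/Action/Resource are read; Deny, NotAction,
    NotResource and Condition are ignored."""
    granted = {}  # required action -> set of resources it is allowed on
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listify(stmt.get("Action", [])):
            for action in REQUIRED:
                # IAM action names are case-insensitive and accept * and ?.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.setdefault(action, set()).update(
                        _listify(stmt.get("Resource", [])))
    missing = sorted(REQUIRED - set(granted))
    broad = sorted(a for a, res in granted.items()
                   if "*" in res and a not in NEEDS_STAR)
    return missing, broad

# Constructed samples: the page's policy, and a narrower variant (made-up
# region/account ID; assumes all repositories sit under the Tip's example prefix).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED), "Resource": "*"}]}
REPO_ARN = "arn:aws:ecr:us-east-1:111122223333:repository/my-igz-system-runtime/*"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(REQUIRED - NEEDS_STAR), "Resource": REPO_ARN}]}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(doc))
```

Whether a repository-scoped policy suits a given deployment depends on the repository names that the platform creates, so test it against an actual image build and push before relying on it.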