registry.hpc.ut.ee¶
registry.hpc.ut.ee is UTHPC center's central container image proxy. This system allows to either host your own container images publicly or privately, or use it as a pull through cache, for an example to circumvent the Docker Hub rate limit issue.
Anyone can use the registry to pull images, if the project is public. Only authenticated users can push images, or pull from private projects. Authentication happens through the app itself, using the central University of Tartu credentials.
Pulling images from pull-through cache¶
As Docker Hub has a limit of 60 image pulls per 4 hours, and these container pulls get counted for each user coming from University internal network, it's very easy to hit the limit. Using a cache helps to circumvent this problem.
Pulling from the cache is fairly simple, you just specify the appropriate image on top of the base URL and remote project. You can use a cache project called mirror for this purpose.
docker pull registry.hpc.ut.ee/mirror/<project>/<image>
The confusing part is the <project>. Container systems hide a part of the URL for ease of use, which can't be ignore. There's two options:
| Pulling from Docker Hub | Image name | Remote project name | How to pull from cache |
|---|---|---|---|
docker pull redis | redis | library | docker pull registry.hpc.ut.ee/mirror/library/redis |
docker pull tiangolo/uwsgi-nginx-flask | uwsgi-nginx-flask | tiangolo | docker pull registry.hpc.ut.ee/mirror/tiangolo/uwsgi-nginx-flask |
If you fail to specify the correct address, the following error happens:
> docker pull registry.hpc.ut.ee/mirror/redis
Trying to pull registry.hpc.ut.ee/mirror/redis...
unauthorized: http status code: 401, body:
Error: unable to pull registry.hpc.ut.ee/mirror/redis: Error initializing source docker://registry.hpc. ut.ee/mirror/redis:latest: Error reading manifest latest in registry.hpc.ut.ee/mirror/redis: unauthorized: http status code: 401
This cache can also be easily used when building other containers, by specifying the full address in the Dockerfile.
FROM registry.hpc.ut.ee/mirror/library/alpine
...
Creating public and private projects¶
Anyone who can log into the registry can create themselves a repository to upload and share images. This is also very useful for CI/CD pipelines, as they can automatically upload the images to appropriate project.
Creating a project is simple. Login to registry.hpc.ut.ee and click ’+ New Project’.
Then you need to fill out the settings.
- ’Project name’ - can be whatever you need it to be.
- ’Access level’ - specifies whether you want it to be readable by unauthenticated users. Public means, that anyone can pull images from this project. Private means that only people with access to specific project can.
- ’Storage Quota’ - limits the amount of storage space your images can allocate.
- ’Proxy Cache’ - should be un-enabled, as this makes your project into a pull-through cache, and you can't host images here then.
Using the registry from command line¶
Pushing¶
After creation, the website shows you how to push images to registry by first going to ’Repository’ tab, and then ’PUSH COMMAND’ menu on the right.
There are multiple providers you can do this with helm, docker or other container manager.
Login and robot accounts¶
It is necessary to log in when working in your registry directly on the command line. It is not safe to log in to docker with your UT credentials as Docker saves them in plain text. For safe login create a robot account.
In the web interface under your project there is a tab 'Robot Accounts'. There click '+ NEW ROBOT ACCOUNT'. Add the necessary rights and save the name and password for future use. Now in the command line run
docker login <full path to your registry>
and then enter your robot accounts credentials.