README.md: 24 additions & 23 deletions
@@ -7,34 +7,17 @@ A caching proxy for Docker; allows centralized management of registries and thei
7
7
### What?
8
8
9
9
Created as an evolution and simplification of [docker-caching-proxy-multiple-private](https://github.com/rpardini/docker-caching-proxy-multiple-private)
10
-
using the `HTTPS_PROXY` mechanism and injected CA root certificates instead of `/etc/hosts` hacks and _`--insecure-registry`
10
+
using the `HTTPS_PROXY` mechanism and injected CA root certificates instead of `/etc/hosts` hacks and `--insecure-registry`
11
11
12
-
As a bonus it allows for centralized management of Docker registry credentials.
12
+
Main feature is Docker layer/image caching, even from S3, Google Storage, etc. As a bonus it allows for centralized management of Docker registry credentials.
13
13
14
14
You configure the Docker clients (_err... Kubernetes Nodes?_) once, and then all configuration is done on the proxy --
15
15
for this to work it requires inserting a root CA certificate into system trusted root certs.
16
16
17
-
#### Why not use Docker's own registry, which has a mirror feature?
18
-
19
-
Yes, Docker offers [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/), *unfortunately*
20
-
it only covers the DockerHub case. It won't cache images from `quay.io`, `k8s.gcr.io`, `gcr.io`, or any such, including any private registries.
21
-
22
-
That means that your shiny new Kubernetes cluster is now a bandwidth hog, since every image will be pulled from the
23
-
Internet on every Node it runs on, with no reuse.
24
-
25
-
This is due to the way the Docker "client" implements `--registry-mirror`, it only ever contacts mirrors for images
26
-
with no repository reference (eg, from DockerHub).
27
-
When a repository is specified `dockerd` goes directly there, via HTTPS (and also via HTTP if included in a
28
-
`--insecure-registry` list), thus completely ignoring the configured mirror.
29
-
30
-
#### Docker itself should provide this.
31
-
32
-
Yeah. Docker Inc should do it. So should NPM, Inc. Wonder why they don't. 😼
33
-
34
17
### Usage
35
18
36
-
- Run the proxy on a dedicated machine.
37
-
- Expose port 3128
19
+
- Run the proxy on a host close to the Docker clients
20
+
- Expose port 3128 to the network
38
21
- Map volume `/docker_mirror_cache` for up to 32gb of cached images from all registries
39
22
- Map volume `/ca`, the proxy will store the CA certificate here across restarts
40
23
- Env `REGISTRIES`: space separated list of registries to cache; no need to include Docker Hub, its already there
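Review bot: The new Usage bullet at new line 20, "Expose port 3128 to the network", does not say which network, while the README's own caveat further down states that images pulled with private-registry credentials are served to any client that can reach the proxy, even without authentication. Please scope this bullet to the trusted network the Docker clients sit on, for example "Expose port 3128 only to the network your Docker clients are on", and point to the caveat from here. The same applies to the reworded new line 19 ("a host close to the Docker clients"), which drops the earlier "dedicated machine" advice without saying whether sharing the host with other workloads is acceptable. Minor, while this list is open: "its already there" in the unchanged `REGISTRIES` bullet should read "it's already there".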
@@ -98,3 +81,21 @@ Test your own registry caching and authentication the same way; you don't need `
98
81
99
82
- If you authenticate to a private registry and pull through the proxy, those images will be served to any client that can reach the proxy, even without authentication. *beware*
100
83
- Repeat, this will make your private images very public if you're not careful.
84
+
85
+
#### Why not use Docker's own registry, which has a mirror feature?
86
+
87
+
Yes, Docker offers [Registry as a pull through cache](https://docs.docker.com/registry/recipes/mirror/), *unfortunately*
88
+
it only covers the DockerHub case. It won't cache images from `quay.io`, `k8s.gcr.io`, `gcr.io`, or any such, including any private registries.
89
+
90
+
That means that your shiny new Kubernetes cluster is now a bandwidth hog, since every image will be pulled from the
91
+
Internet on every Node it runs on, with no reuse.
92
+
93
+
This is due to the way the Docker "client" implements `--registry-mirror`, it only ever contacts mirrors for images
94
+
with no repository reference (eg, from DockerHub).
95
+
When a repository is specified `dockerd` goes directly there, via HTTPS (and also via HTTP if included in a
96
+
`--insecure-registry` list), thus completely ignoring the configured mirror.
97
+
98
+
#### Docker itself should provide this.
99
+
100
+
Yeah. Docker Inc should do it. So should NPM, Inc. Wonder why they don't. 😼
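Review bot: Appending the two rationale sections directly after the caveat bullets at new lines 82-83 leaves the "private images very public" warning as the tail of a list with roughly fifteen lines of background following it, so it is easy to miss. Consider giving the caveats their own heading, or keeping them as the final section and placing the moved text above them. The moved text is carried over verbatim, so this is also a chance to fix the comma splice at new line 93 ("implements `--registry-mirror`, it only ever contacts mirrors") and to write "e.g." at new line 94.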