Docker Registry

The platform has a predefined, default, tenant-wide Docker Registry service (docker-registry), which uses a pre-deployed, local, on-cluster Docker Registry.

You can create additional, external (off-cluster) Docker Registry services for storing the container images the platform needs in order to operate (e.g. mlrun, jupyter, v3iod, shell). ECR, ACR, GCR, GHCR, Quay, etc. are all supported.

Recommendation
It's highly recommended to store your persistent user images on an external registry: if the local registry restarts, its images are lost.
Note
An external Docker registry is relevant only if the platform is running MLRun 1.0.5 or higher and Nuclio 1.10.0 or higher.

Configuring the Service

Resources

Both the default and the off-cluster Docker Registry services have default CPU and memory limits.

You can modify the memory requests and limits and the CPU requests and limits in the Common Parameters tab, for both the default registry and any external registries you defined.

Creating an Off-Cluster (External) Docker Registry

Create the off-cluster Docker Registry as you create any other service. The parameters in the Custom Parameters tab are described below.

The system registry ensures that all container images required by the system to operate are pulled from the given address. This is supported for managed Kubernetes integrated with a cloud-provided container registry (e.g. AKS with ACR, EKS with ECR). The URL is the container registry address. When deploying multiple systems to the same container registry, use a different URL for each system, for example xyz.my-ecr.amazon.com/some-unique-name; this avoids overwriting the existing container images.

Either select an external Docker Registry from the drop-down list, or press Create new.

Parameters:

  • URL: Required.
  • Username and password: Optional.
  • Image prefix: Optional. When defined, the image prefix is added to the names of the container images (built in MLRun) when an Iguazio service (e.g. MLRun) pushes them to the registry.

The external registry does not support explicit authentication. You must ensure that the Kubernetes cluster is deployed with a role that allows it to read from and write to the given registry.

Tip
If you're using ECR/ACR for both the user custom registry and the external system Docker registry, you can distinguish between the registries with suffixes. For example:
  • my-ecr-address.ecr.com/my-igz-system-runtime for the custom system container registry
  • my-ecr-address.ecr.com/my-igz-system for the custom user registry

When creating a registry on ECR

  • If the permissions for the ECR are already set as part of the cluster deployment (using the EC2 IAM policy), then use ecm.com as the URL and leave the username and password blank. (The EC2 instances are attached to roles that allow them to work with ECR.)
  • If the ECR was not used for the cluster installation:
    • URL: The ECR URL (in the format <aws_account_id>.dkr.ecr..amazonaws.com).
    • Username: AWS access key ID
    • Password: AWS secret access key
Note
When using ECR as the external container registry, make sure that the project secrets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY grant read/write access to ECR.

The access keys or the EC2 IAM policy must have these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:CreateRepository",
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:CompleteLayerUpload",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "*"
        }
    ]
}
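The policy above grants every action on Resource "*". As an added example (not part of the platform documentation), the following Python checker takes an IAM policy document, reports any of the required ECR actions that are missing, and flags actions granted on "*" that could instead be scoped to the registry's repository ARNs; ecr:GetAuthorizationToken is exempt because IAM does not resource-scope it. The scoped sample policy, account ID and repository ARN are constructed for illustration.

```python
import fnmatch
import json

# Actions the page lists as required for pushing and pulling images to ECR.
REQUIRED_ACTIONS = [
    "ecr:CreateRepository", "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
    "ecr:CompleteLayerUpload", "ecr:GetDownloadUrlForLayer",
    "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart",
]
# GetAuthorizationToken is not resource-scoped in IAM, so it legitimately needs Resource "*".
ACCOUNT_WIDE_ACTIONS = {"ecr:GetAuthorizationToken"}


def _as_list(value):
    # IAM accepts a single string wherever a list is allowed.
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Map each required action to the resources on which Allow statements grant it."""
    granted = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in REQUIRED_ACTIONS:
            # IAM action wildcards ("ecr:*", "ecr:Get*") match case-insensitively.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                granted.setdefault(action, []).extend(_as_list(stmt.get("Resource", [])))
    return granted


def check_ecr_policy(policy_json):
    """Return (missing_actions, overbroad_actions) for a policy document given as JSON text."""
    granted = granted_actions(json.loads(policy_json))
    missing = [a for a in REQUIRED_ACTIONS if a not in granted]
    overbroad = sorted(a for a, res in granted.items()
                       if a not in ACCOUNT_WIDE_ACTIONS and "*" in res)
    return missing, overbroad


# Constructed sample: the token action account-wide, everything else scoped to one repository prefix.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ecr:CreateRepository", "ecr:Batch*", "ecr:*Layer*", "ecr:PutImage"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-igz-system/*"},
]})

if __name__ == "__main__":
    print(check_ecr_policy(SCOPED_POLICY))  # ([], []) : complete and least-privilege
```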

See more details in EKS and AWS Vanilla Kubernetes.