Today, most container registries run independently of the clusters that run the containers built from their images. But running a registry within a cluster itself could offer many advantages, including faster boot times, better auditing, and more control over the namespace, noted Adrian Mouat, chief scientist at Container Solutions.
To test this idea, the company is building an OCI-compliant image registry and image management system that runs inside a Kubernetes cluster, called Trow. Mouat will be demonstrating the technology in an April 14 webinar, at 11 a.m. Eastern.
“At the moment, most registries are seen as completely separate entities to the clusters they provide images to. But in integrations with clusters, we can potentially provide a much richer service,” Mouat explained in a session at D2IQ’s Cloud Native Virtual Summit, held earlier this month online.
Traditionally, most organizations use external registries, and with good reason. Docker Hub has provided a great service for the industry: a free place to store and share container images, as well as a comprehensive archive. For software projects, Docker Hub is a great place to get their code downloaded. It even builds images for users, though as a result the images from this hub are rooted in the Docker Hub namespace. “By default, everything still effectively points towards the Docker Hub,” Mouat said.
Other registry services are built on a similar model. Building on the Open Container Initiative distribution specification, which grew out of Docker's registry API, cloud providers and service providers such as GitHub offer their own registries with features such as archiving, storage and a central location to push and pull images.
But beyond archiving, another big job of registries is to distribute images to nodes, which is to say “to focus on securely and efficiently delivering the working set of images to cluster nodes,” Mouat said during the virtual event. Perhaps this function could be better handled within the cluster.
Trow works as a basic registry: a standard Docker client can push and pull images to it, with full OCI compatibility.
To minimize the performance impact it would have within the cluster, the project developers wrote Trow in Rust. As a result, “it can start up and shut down quickly. There’s no runtime in JVM to wait for. It’s designed for safety without sacrificing efficiency,” he said. It also supports the OCI catalog API, which lists the repositories and tags a registry holds so they can be queried from the command line. Through its Kubernetes integration, it can restrict which images the cluster is allowed to run, blocking the rest as a security measure.
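The image restriction described above is the kind of decision a cluster-integrated registry can make when Kubernetes asks, via a validating admission webhook, whether a Pod may be created. The following is an added illustration, not Trow's own code: it applies an allow-list of registries to every container in a Pod, using Docker's defaulting rule that an image reference with no registry host (such as `nginx:1.19` or `bitnami/redis`) points at Docker Hub. The registry address `trow.kube-public:31000`, the `registry_of` and `review` helpers and the sample AdmissionReview are all constructed for the example.

```python
"""Admission-style image allow-list (illustrative; not Trow's implementation).

Given an AdmissionReview for a Pod, allow it only if every container image,
including init and ephemeral containers, is served by an allowed registry.
"""
import json

# Assumption: the in-cluster registry is reachable at this host:port.
ALLOWED_REGISTRIES = {"trow.kube-public:31000"}


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    Docker's rule: if the first path component contains no '.' or ':' and is
    not 'localhost', the reference has no registry and resolves to Docker Hub.
    """
    first, sep, _rest = image.partition("/")
    if not sep:
        return "docker.io"          # "nginx:1.19" -> library/nginx on Docker Hub
    if "." in first or ":" in first or first == "localhost":
        return first                # "ghcr.io/org/app", "localhost:5000/app"
    return "docker.io"              # "bitnami/redis" -> a Docker Hub namespace


def images_in_pod(pod: dict) -> list:
    """Collect every image a Pod would pull, not just spec.containers."""
    spec = pod.get("spec", {})
    containers = (
        spec.get("initContainers", [])
        + spec.get("containers", [])
        + spec.get("ephemeralContainers", [])
    )
    return [c["image"] for c in containers]


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for a Pod CREATE request."""
    req = admission_review["request"]
    rejected = [
        img for img in images_in_pod(req["object"])
        if registry_of(img) not in ALLOWED_REGISTRIES
    ]
    response = {"uid": req["uid"], "allowed": not rejected}
    if rejected:
        response["status"] = {
            "code": 403,
            "message": "image(s) not served by the cluster registry: "
            + ", ".join(rejected),
        }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


# Constructed sample request: one image from the in-cluster registry, one
# that silently defaults to Docker Hub.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "7d3c1a2e-0000-4000-8000-000000000001",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "spec": {
                "initContainers": [{"image": "trow.kube-public:31000/init:1.0"}],
                "containers": [{"image": "nginx:1.19"}],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

A real webhook also terminates TLS and answers the API server's POST; the decision logic is what matters here. Note that the init container from the in-cluster registry passes while the plain `nginx:1.19` is refused, because a reference with no host is a Docker Hub pull, exactly the default the article says everything still points to.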
“The event log registry is a great resource for determining what’s happening or has happened in your cluster. You can see what images have been downloaded, who downloaded them, how often, if they are out of date, etc,” Mouat said.
Admittedly, an approach like Trow would not be suitable for long-term archiving of images, though having a registry within a Kubernetes cluster could provide a lot more control and logging capabilities, Mouat pointed out. Additional planned features include:
- Full audit log of operations
- Integration with existing authentication and authorization solutions
- Advanced distribution options for quick deployment of image updates
- Support for immutable tags and image streams
- Integration with vulnerability scanners
Trow is available under an Apache 2.0 license.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.