How to save SUSE NeuVector Docker images to a local Registry

This document (000021218) is provided subject to the disclaimer at the end of this document.

Situation

With Dockerhub rate limit in place, it is common to encounter the following error.

You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits

This means the limit of Docker images that can be downloaded from Docker Hub with an anonymous user has been reached.

https://docs.docker.com/docker-hub/download-rate-limit/ 

Resolution

The best practice would be for the administrators of the internal Registry to create a repository that acts as a reverse proxy (with cache) towards Docker Hub (or, more precisely, towards docker.io/neuvector/).
In this way, the images will be downloaded only once and saved locally in the Registry cache as defined by policy.
Another best practice after the first download should be to move the images used in QA/PROD to a local repository, i.e., move it from the cache and make it permanent in the Registry storage.

Let’s try to summarise the steps in points:
1. Create a repository that acts as a proxy cache towards Docker Hub.
2. If the cache has short retention and you use NeuVector in QA/PROD environments, move the downloaded images to local repositories that allow the data to persist for longer.
3. Create a technical user with READ privileges on the repositories created in points 1 and 2 (in some Registries the permission could be called VIEW, but the meaning is that it has the possibility of doing PULL only).
4. Create the Kubernetes Secret in the namespace where NeuVector was installed starting from the credentials received in point 3 (https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
5. Edit the YAML manifests as follows ->

apiVersion: apps/v1
kind: Deployment
metadata:
...
spec:
...
  template:
  ...
    spec:
      imagePullSecrets:
        - name: <THE NAME OF THE SECRET CREATED IN STEP 4>
      containers:
      - image: <THE NAME OF THE INTERNAL REGISTRY>/<THE NAME OF THE REPOSITORY THAT STORE NEUVECTOR IMAGES>/<THE NAME OF THE NEUVECTOR IMAGE>:tag
      ...
apiVersion: batch/v1
kind: CronJob
metadata:
...
spec:
...
  jobTemplate:
    spec:
      template:
      ...
        spec:
          imagePullSecrets:
            - name: <THE NAME OF THE SECRET CREATED IN STEP 4>
          containers:
          ...

6. Reapply Kubernetes NeuVector manifests.

Quay Registry useful links:
- https://access.redhat.com/documentation/en-us/red_hat_quay/3.7/html/use_red_hat_quay/quay-as-cache-proxy#doc-wrapper
- https://access.redhat.com/documentation/en-us/red_hat_quay/3/html/use_red_hat_quay/use-quay-manage-repo#allow-user-access-user-repo
JFrog Artifactory Repository useful links:
- https://jfrog.com/help/r/jfrog-artifactory-documentation/docker-registry
- https://jfrog.com/help/r/jfrog-artifactory-documentation/remote-repositories
- https://jfrog.com/help/r/jfrog-platform-administration-documentation/jfrog-platform-permission-migration
 

Alternative

The solution above may take some time, especially if you want to create automation for moving images from one repository to another or if you're going to think carefully about a retention policy.
In this case, while the aspects described above are being defined, you can ask for a local repository, the credentials we have READ privileges on the repo, and manually pull/tag/login/push.

Example:

$ docker pull neuvector/scanner:3.231
$ docker tag docker pull neuvector/scanner:3.231 my-internal-docker-registry-name/my-internal-docker-repository-name/neuvector/scanner:3.231
$ docker login my-internal-docker-registry-name

 

Alternative two 

You can have up to 5000 pulls per day with a registered user of a Docker Subscription.

Note: The scanner image rebuilds daily to incorporate the latest CVE sources.  Ensure a policy is in place to update internal copy to keep it up to date.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021218
  • Creation Date: 28-Sep-2023
  • Modified Date:11-Nov-2023
    • SUSE NeuVector

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center