The best practice for distributing Docker images

Hi I’m a new and

I’m wondering how I can do a bulk distribution of docker images from one host (that I have enlisted) to other hosts that need to be decoupled from the world.

What is the best way to do this automatically?
Thank you for your advice.

BR
S

If both hosts are connected via network connection: run a private image registry 🙂
host1: tag the images to refer to the private image registry, push the image, be good
host2: use the image from the private image registry

If both hosts are connected via “sneaker net”:
host1: docker save ${list of image names} | gzip > your_images.tar.gz
host2: docker load -i your_images.tar.gz
… of course this involves copying the tar.gz to a portable disk, and then copy it to the other host.
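
The save/copy/load steps above with an integrity check added, as an example that is not part of the original post. The function names and the `.sha256` side file are assumptions, and it expects `sha256sum` and `gzip` on both hosts.

```shell
#!/bin/sh
# Added example (not from the thread): checksum-verified "sneaker net" transfer.
# Function names and the .sha256 side-file convention are assumptions.
# Function bodies are subshells "( ... )" so variables and cd stay local.

# host1: save the images, gzip the tarball, record its SHA-256.
# usage: export_images /path/your_images.tar.gz image [image...]
# The bundle name must end in .gz.
export_images() (
    bundle=$1; shift
    tarfile=${bundle%.gz}
    # Write the tar first so a failed "docker save" is not hidden by a pipe.
    docker save -o "$tarfile" "$@" || exit 1
    gzip -f "$tarfile" || exit 1
    cd "$(dirname "$bundle")" || exit 1
    name=$(basename "$bundle")
    sha256sum "$name" > "$name.sha256"
)

# host2: load the bundle only if it still matches the recorded checksum.
# usage: import_images /path/your_images.tar.gz
import_images() (
    cd "$(dirname "$1")" || exit 1
    name=$(basename "$1")
    if ! sha256sum -c "$name.sha256" >/dev/null 2>&1; then
        echo "checksum mismatch, not loading: $name" >&2
        exit 1
    fi
    docker load -i "$name"
)
```

A checksum file carried on the same disk only detects copy corruption; to detect tampering, bring the expected hash to host2 by a separate channel or sign it.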

You can

  • use a proxy server and enable only the docker registries
  • use a “pull through cache” registry and access only your registry on LAN network which has access to Docker Hub and use the original image names
  • Download allowed images manually or with some automation tool like cronjob, and
    • push them to your registry with a different name.
    • or export them using docker save, copy them to other servers and load them using docker load

I recommend these based on my experiences since these are what I have already used… The solution you choose depends on what is more important to you. Setting a proxy can be complicated since you have to find out what domains you have to allow on the proxy, but sometimes one registry redirects to other domains. You can set up a registry without restrictions and download images, then check the access logs looking for used domains, although sometimes these domains are changing.

I am not sure because it was long ago, but if I remember well, the cache registry has some limitations. For example I am not sure if it can be used for multiple registries.

Using an exported copy of images requires some automation or regular manual work.

Using a local registry could be the best solution if you don’t mind renaming the official images.

(I was slow again :D)

nah, you just went more into detail and even added the proxy, which I didn’t.
I assumed this would be an “air-gapped” environment