Question 85573 in Docker Question posted in
The official documentation can be found here.

Where does "docker images" look when outputting a list of images

A word of warning, this is my first posting, and I am new to docker and Kubernetes with enough knowledge to get me into trouble.
I am confused about where docker container images are being stored and listing images.

To illustrate my confusion I start with the confirmation that "docker images" indicates no image for nginx is present.
Next I create a pod running nginx.

kubectl run nginx --image=nginx is succesful in pulling image "nginx" from github (or that’s my assumption):

    Events:
      Type    Reason     Age   From               Message
      ----    ------     ----  ----               -------
      Normal  Scheduled  8s    default-scheduler  Successfully assigned default/nginx to minikube
      Normal  Pulling    8s    kubelet            Pulling image "nginx"
      Normal  Pulled     7s    kubelet            Successfully pulled image "nginx" in 833.30993ms
      Normal  Created    7s    kubelet            Created container nginx
      Normal  Started    7s    kubelet            Started container nginx

Even though the above output indicates the image is pulled, issuing "docker images" does not include nginx the output.

If I understand correctly, when an image is pulled, it is being stored on my local disk. In my case (Linux) in /var/lib/docker.

So my first question is, why doesn’t docker images list it in the output, or is the better question where does docker images look for images?

Next if I issue a docker pull for nginx it is pulled from what I assume to be Github. docker images now includes it in it’s output.

Just for my clarification, nothing up to this point involves a private local registry, correct?

I purposefully create a basic local Docker Registry using the docker registry container thinking it would be clearer since that will allow me to explicitly specify a registry but this only results in another issue:

docker run -d 
    -p 5000:5000 
    --restart=always 
    --name registry 
    -v /registry:/var/lib/registry 
    registry

I tag and push the nginx image to my newly created local registry:

docker tag nginx localhost:5000/nginx:latest
docker push localhost:5000/nginx:latest

The push refers to repository [localhost:5000/nginx]
2bed47a66c07: Pushed
82caad489ad7: Pushed
d3e1dca44e82: Pushed
c9fcd9c6ced8: Pushed
0664b7821b60: Pushed
9321ff862abb: Pushed
latest: digest: sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47 size: 1570

I now delete the original nginx image:

docker rmi nginx
Untagged: nginx:latest
Untagged: nginx@sha256:9522864dd661dcadfd9958f9e0de192a1fdda2c162a35668ab6ac42b465f0603

… and the newely tagged one:

docker rmi localhost:5000/nginx
Untagged: localhost:5000/nginx:latest
Untagged: localhost:5000/nginx@sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47
Deleted: sha256:f652ca386ed135a4cbe356333e08ef0816f81b2ac8d0619af01e2b256837ed3e

… but from where are they being deleted?
Now the image nginx should only be present in localhost:5000/? But docker images doesn’t show it in it’s output.

Moving on, I try to create the nginx pod once more using the image pushed to localhost:5000/nginx:latest.

kubectl run nginx --image=localhost:5000/nginx:latest --image-pull-policy=IfNotPresent

This is the new issue. The connection to localhost:5000 is refused.

    Events:
      Type    Reason     Age   From               Message
      ----    ------     ----  ----               ------- 
      Normal   Pulling    1s    kubelet            Pulling image "localhost:5000/nginx:latest"
      Warning  Failed     1s    kubelet            Failed to pull image "localhost:5000/nginx:latest": rpc error: code = Unknown desc = Error response from daemon: Get "http://localhost:5000/v2/": dial tcp 127.0.0.1:5000: connect: connection refused
      Warning  Failed     1s    kubelet            Error: ErrImagePull
      Normal   BackOff    0s    kubelet            Back-off pulling image "localhost:5000/nginx:latest"

Why is it I can pull and push to localhost:5000, but pod creation fails with what appears to be an authorization issue? I try logging into the registry but no matter what I use for the username and user password, login is successful. This confuses me more.
I would try creating/specifying imagePullSecret, but based on docker login outcome, it doesn’t make sense.

Clearly I not getting it.
Someone please have pity on me and show where I have lost my way.

Tags:

2

Answers


  1. 0

    I will try to bring some clarity to you despite the fact your question already contains about 1000 questions (and you’ll probably have 1000 more after my answer :D)

    Before you can begin to understand any of this, you need to learn a few basic things:

    1. Docker produces images which are used by containers – it similar to Virtual Machine, but more lightweight (I’m oversimplifying, but the TL;DR is pretty much that).

    2. Kubernetes is an orchestration tool – it is responsible for starting containers (by using already built images) and tracking their state (i.e. if this container has crashed it should be restarted, or if it’s not started it should be started, etc)

    Docker can run on any machine. To be able to start a container you need to build an image first. The image is essentially a lightweight mini OS (i.e. alpine, ubuntu, windows, etc) which is configured with only those dependencies you need to run your application. This image is then pushed to a public repository/registry (hub.docker.com) or to a private one. And afterwards it’s used for starting containers.

    Kubernetes builds on top of this and adds the "automation" layer which is responsible for scheduling and monitoring the containers. For example, you have a group of 10 servers all running nginx. One of those servers restarts – the nginx container will be automatically started by k8s.

    A kubernetes cluster is the group of physical machines that are dedicated to the mentioned logical cluster. These machines have labels or tags which define the purpose of physical node and work as a constraint for where a container will be scheduled.

    Now that I have explained the minimum basics in an oversimplified way I can move with answering your questions.

    1. When you do docker run nginx – you are instructing docker to pull the nginx image from https://hub.docker.com/_/nginx and then start it on the machine you executed the command on (usually your local machine).

    2. When you do kubectl run nginx --image=nginx – you are instructing Kubernetes to do something similar to 1. but in a cluster. The container will be deployed to a random machine somewhere in the cluster unless you put a nodeSelector or configure affinity. If you put a nodeSelector this container (called Pod in K8S) will be placed on that specific node.

    3. You have started a private registry server on your local machine. It is crucial to know that localhost inside a container will point to the container itself.

    4. It is worth mentioning that some of the kubernetes commands will create their own container for the execution phase of the command. (remember this!)

    5. When you run kubectl run nginx --image=nginx everything works fine, because it is downloading the image from https://hub.docker.com/_/nginx.

    6. When you run kubectl run nginx --image=localhost:5000/nginx you are telling kubernetes to instruct docker to look for the image at localhost which is ambiguous because you have multiple layers of containers running (check 4.). This means the command that will do docker pull localhost:5000/nginx also runs in a docker container — so there is no service running at port :5000 (the registry is running in a completely different isolated container!) 😀

    7. And this is why you are getting Error: ErrImagePull – it can’t resolve localhost as it points to itslef.

    8. As for the docker rmi nginx and docker rmi localhost:5000/nginx commands – by running them you removed your local copy of the nginx images.

    9. If you run docker run localhost:5000/nginx on the machine where you started docker run registry you should get a running nginx container.

    You should definitely read the Docker Guide BEFORE you try to dig into Kubernetes or nothing will ever make sense.

    Your head will stop hurting after that I promise… 😀

    Login or Signup to reply.
  2. 0

    TL;DR

    docker images lists images stored in the docker daemon’s data root, by default /var/lib/docker.

    You’re deploying images to Kubernetes, the images are pulled onto the node on which the pod is scheduled. For example, using Kubernetes in Docker:

    kind create cluster
kubectl run nginx --image=nginx
docker exec -it $(kubectl get pod nginx -o jsonpath={.spec.nodeName}) crictl images

    crictl images

    crictl is a command-line interface for CRI-compatible container runtimes.

    Docker images are pulled from Docker Hub by default, not Github. When using a local docker registry, images are stored in the registry‘s data volume. The docker registry storage may be customized, by default data is stored in (storage.filesystem.rootdirectory) /var/lib/registry.

    You can use tools like skopeo to list images stored in a docker registry, for example:

    skopeo list-tags docker://localhost:5000/nginx --tls-verify=false

    skopeo list-tags

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search