Pull-Through Cache
Last updated
Was this helpful?
Last updated
Was this helpful?
Docker Hub, Quay, and other registry providers have pull limits, and costs associated with using them. Running large builds (or many small builds, frequently) may incur costs, rate limiting, or both. This guide will help you set up your own "pull-through" cache to reduce network traffic, and bypass the limitations imposed by registry providers.
A pull through cache is a registry mirror that contains no images. When your client checks the registry for an image, the registry will either:
Give an existing response from its cache; thereby avoiding egress (or a pull) from your registry,
Or pull the image and its metadata from the registry on your behalf; caching it for later use.
To run a cache, you'll need the ability to deploy a persistent service, somewhere. This could be a dedicated instance with Docker installed, or a container in your Kubernetes cluster.
There are multiple ways to setup a registry -- Docker, for example, has a , as well as documentation for the , and other details under the .
Documenting all the possible ways to setup a pull through cache is beyond the scope of this document; however, it does include a for those who wish to run an insecure pull through cache.
Pull-through caches run unsecured by default. Add an htpasswd
file for basic authentication, at a minimum:
Adding TLS is also highly recommended. you can bring your own certificates, or use the built-in LetsEncrypt support:
By default, Earthly expects your mirror to be using TLS. While this is not recommended, you can use an unsecured mirror by specifying the following config in the buildkit_additional_config
setting:
Where <mirror>
is the host/port of your mirror, and <upstream>
is the address of the registry you are intending to mirror.
This section contains a quick-start guide for running an insecure pull through cache using docker's registry
container.
This guide assumes you are running on a trusted network with one computer acting as a server, and the other as your development workstation.
In these examples, we will assume the server has an IP set to 192.168.0.80
.
First connect to the server where you will be running the cache (e.g. ssh 192.168.0.80
), and create a file under ~/.docker-registry-config.yml
containing:
Note that you'll need to replace [username]
and [password]
with your dockerhub credentials.
Next, start the registry container with:
You can then verify the registry is running by tailing logs with:
The rest of the guide focus on configuring your workstation to use this cache.
To configure docker to use this cache as a mirror, edit the /etc/docker/daemon.json
file, and add:
Then restart docker:
Next you should be able to pull an image (e.g. docker pull alpine:3.15
), which should use the cache.
If you want to verify the cache is working, you can block access to dockerhub on your workstation by adding
to your /etc/hosts
file.
If /etc/docker/daemon.json
was not correctly configured, you should see an error such as:
If the cache is correctly configured, the pull command should work, and you should see logs on your server under the docker-registry container:
To configure earthly to use the cache, you must edit ~/.earthly/config.yml
to include:
The next time earthly is run, it will detect the configuration change and will restart the earthly-buildkitd
container to reflect these settings.
You can force these settings to be applied, and verify the mirror appears in the buildkit config by running:
The currently shipping library/registry
image does not support the DNS-01 challenge yet, and . If you need this, there is a ; We have had success by and replacing it in the image that Docker ships.