When working with large container images in OKE, downloading images from a registry to multiple nodes can be time-consuming and bandwidth-intensive. This guide demonstrates how to use OCI File Storage Service (FSS) with skopeo to efficiently distribute container images across worker nodes by storing images in a shared filesystem.
- Reduced bandwidth usage: Download images once, distribute to all nodes via high-speed FSS
- Faster deployment: Nodes can copy images from FSS instead of pulling from remote registries
- Cost savings: Minimize data transfer costs from container registries
- Offline capability: Images remain available even if the registry is temporarily unavailable
- OKE cluster with worker nodes
- OCI File Storage Service file system created
- SSH access to worker nodes
- Sufficient FSS storage capacity for your container images
Create a File Storage Service file system in your compartment. For detailed instructions, see Creating File Systems.
Mount the FSS file system to your worker nodes. For detailed instructions, see Mounting File Systems.
Note
This guide assumes you mounted FSS to /mnt/share. You can select different throughput levels for your mount target based on your performance requirements: 1 Gbps, 20 Gbps, 40 Gbps, or 80 Gbps.
On one of your worker nodes, install skopeo and create a directory for storing container images:
apt update
apt install -y skopeo
mkdir -p /mnt/share/imagesNote
For Oracle Linux, use yum install -y skopeo instead of apt install -y skopeo.
Use skopeo to copy a container image from a registry to the FSS shared folder. This example uses Docker Hub, but you can use any registry, including private registries:
skopeo copy docker://busybox:latest dir:/mnt/share/images/busyboxExample output:
Getting image source signatures
Copying blob 2fce1e0cdfc5 done
Copying config 6fd955f66c done
Writing manifest to image destination
Storing signatures
The image is now stored in the FSS shared folder and accessible from all worker nodes that have the FSS file system mounted.
On any worker node with the FSS file system mounted, import the image from FSS to the local container storage:
skopeo copy dir:/mnt/share/images/busybox containers-storage:busybox:latestVerify that the image has been successfully imported to the node's container runtime:
crictl imagesExample output:
IMAGE TAG IMAGE ID SIZE
ap-melbourne-1.ocir.io/axoxdievda5j/oke-public-cloud-provider-oci <none> 8310661879155 582MB
ap-melbourne-1.ocir.io/axoxdievda5j/oke-public-flannel <none> 8bbca5abb5f3e 308MB
ap-melbourne-1.ocir.io/axoxdievda5j/oke-public-kube-proxy <none> c4f3122c5b070 1.28GB
ap-melbourne-1.ocir.io/axoxdievda5j/oke-public-pause <none> e105b7466686e 146MB
ap-melbourne-1.ocir.io/axoxdievda5j/oke-public-proxymux-cli <none> 14330458a37d2 197MB
docker.io/library/busybox latest 6fd955f66c231 4.5MB
The image is now available on the worker node and can be used by pods running on that node.
When copying images from private registries that require authentication, you can provide credentials to skopeo:
skopeo copy --src-creds=username:password docker://registry.example.com/myapp:v1.0 dir:/mnt/share/images/myappIf you have already authenticated with docker login, skopeo can use the same credentials:
skopeo copy --authfile ~/.docker/config.json docker://registry.example.com/myapp:v1.0 dir:/mnt/share/images/myappFor Oracle Cloud Infrastructure Registry:
skopeo copy --src-creds=<tenancy-namespace>/<username>:<auth-token> \
docker://<region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag> \
dir:/mnt/share/images/<image-name>