A Caching, Proxy Cache, or Pull Through Cache is an application that runs inside your local network and exposes a OCI compliant endpoint for developers to issue image pull requests against. The Caching Registry checks to see if the requested image is stored locally, and if so it serves that image. However, if the image does not exist in the local store a call is made to the backend registry and the image is pulled first to the caching registry and then provided to the client.
A caching registry is a valuable tool in software development, particularly in the context of managing Docker container images or similar artifacts. Here’s why it is beneficial and why you might consider using it:
The following diagram illustrates the flow of image requests in a caching registry setup:
For this example, we will use Harbor, a popular cloud-native registry that is distributed under an OSS license. Full documentation can be found by navigating to the Harbor GitHub project page at https://github.com/goharbor/harbor.
For our purposes, we’ll be using the online installer, which simplifies the installation process by pulling the necessary components from the internet during the installation. This method is especially beneficial for ensuring that you’re setting up the most current version of Harbor with all the latest features and security updates. The installers can be found on their releases page at https://github.com/goharbor/harbor/releases.
$ tar xzvf ~/Downloads/Harbor\ Online\ Installer\ v2.10.0.tgz
x harbor/prepare
x harbor/LICENSE
x harbor/install.sh
x harbor/common.sh
x harbor/harbor.yml.tmpl
harbor.yml.tmpl
is a template you can use to build yours.hostname
or external_url
$ sudo ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 24.0.2
[Step 1]: checking docker-compose is installed ...
Note: Docker Compose version v2.18.1
[Step 2]: preparing environment ...
[Step 3]: preparing harbor configs ...
prepare base dir is set to /home/ubuntu/harbor
WARNING:root:WARNING: HTTP protocol is insecure. Harbor will deprecate http protocol in the future. Please make sure to upgrade to https
Clearing the configuration file: /config/jobservice/config.yml
Clearing the configuration file: /config/jobservice/env
Clearing the configuration file: /config/registry/config.yml
Clearing the configuration file: /config/registry/passwd
Clearing the configuration file: /config/db/env
Clearing the configuration file: /config/log/rsyslog_docker.conf
Clearing the configuration file: /config/log/logrotate.conf
Clearing the configuration file: /config/nginx/nginx.conf
Clearing the configuration file: /config/portal/nginx.conf
Clearing the configuration file: /config/registryctl/config.yml
Clearing the configuration file: /config/registryctl/env
Clearing the configuration file: /config/core/env
Clearing the configuration file: /config/core/app.conf
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
loaded secret from file: /data/secret/keys/secretkey
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir
Note: stopping existing Harbor instance ...
[Step 4]: starting Harbor ...
[+] Running 62/16
✔ log 7 layers [⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 22.9s
✔ postgresql 10 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 27.7s
✔ core 9 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 26.2s
✔ registry 5 layers [⣿⣿⣿⣿⣿] 0B/0B Pulled 7.9s
✔ registryctl 7 layers [⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 5.4s
✔ redis 5 layers [⣿⣿⣿⣿⣿] 0B/0B Pulled 22.8s
✔ jobservice 5 layers [⣿⣿⣿⣿⣿] 0B/0B Pulled 16.5s
✔ portal 4 layers [⣿⣿⣿⣿] 0B/0B Pulled 25.2s
✔ proxy 1 layers [⣿] 0B/0B Pulled 22.4s
[+] Building 0.0s (0/0)
[+] Running 10/10
✔ Network harbor_harbor Created 0.1s
✔ Container harbor-log Started 4.6s
✔ Container registry Started 1.6s
✔ Container harbor-db Started 1.8s
✔ Container redis Started 1.7s
✔ Container harbor-portal Started 1.8s
✔ Container registryctl Started 1.7s
✔ Container harbor-core Started 2.8s
✔ Container harbor-jobservice Started 3.5s
✔ Container nginx Started 3.5s
✔ ----Harbor has been installed and started successfully.----
You will connect on port 80, unless you have enabled and configured SSL.
First, go to the “Registries” page.
Then create a new endpoint; for our example we will use Docker Hub.
Go to the projects page.
Now create a new project; the name we define here will be used as part of the Docker pull/push commands to and from this registry. Since we are creating a proxy cache registry, we put that information into the create dialog. The target is Docker Hub (the registry we defined above).
If you are creating a registry hosted by Harbor (not a pull-through), you would uncheck the proxy cache box. .
You should now be able to test pulling an image through the proxy cache. The format to use the proxy cache is hostname/projectname/image:tag
. For example, dock11.virington.com/dockerhub/nginx:latest
.
$ docker pull dock11.virington.com/dockerhub/nginx:latest
latest: Pulling from dockerhub/nginx
58cc89079bd7: Download complete
6f26751fc54b: Download complete
c98494bb3682: Download complete
3799b53049f3: Download complete
2a580edba2f4: Download complete
24e221e92a36: Download complete
cfe7877ea167: Download complete
Digest: sha256:2bdc49f2f8ae8d8dc50ed00f2ee56d00385c6f8bc8a8b320d0a294d9e3b49026
Status: Downloaded newer image for dock11.virington.com/dockerhub/nginx:latest
dock11.virington.com/dockerhub/nginx:latest
What's Next?
View a summary of image vulnerabilities and recommendations → docker scout quickview dock11.virington.com/dockerhub/nginx:latest
The first pull will require Harbor to pull the image from Docker Hub, while every subsequent pull will use the cached version. If there is a change to the upstream version, the newer version for the tag will be pulled to Harbor and then to the client. This is accomplished by checking the image manifest to determine if there was a change.
Harbor provides data on what images/tags are stored. To see it, naviagate to your project (in this case it’s dockerhub); you will now see a screen showing you information on that registry, as shown below.
In this case, we see that we have our one image - dockerhub/library/nginx:latest
- along with the number of pulls and the last modify time. We also can see that we are using 64.1MiB of our unlimited quota, and that the repository is public.
Note that any images provided by Docker directly are shown as being in the library
project.