Singularity Enterprise Registry Caching

By Staff

Jan 11, 2024 | How To Guides

Introduction

A proxy cache plays one of many key roles in optimizing the efficiency of container image registries, and its significance becomes even more pronounced in the context of modern software development practices. Essentially, a proxy cache is an intermediate server that sits between client requests and the container image registry. Its primary function is to store copies of frequently requested container images locally, helping to reduce the need to repeatedly download them from the upstream registry. This local caching mechanism not only accelerates the image retrieval process but also contributes significantly to the overall performance of containerized applications.

Proxy Caching

The importance of utilizing a proxy cache for container image registries is particularly evident when considering bandwidth conservation. In a containerized environment where numerous containers are deployed across distributed systems, the demand for container images can saturate network resources. By employing a proxy cache, organizations can minimize the amount of data transferred over the network by serving frequently requested images directly from the local cache. This not only enhances the responsiveness of containerized applications but also leads to considerable bandwidth savings. As the volume of containerized deployments continues to grow, the conservation of bandwidth becomes a critical aspect of maintaining efficient and cost-effective operations.

Use case

Imagine many HPC users utilizing Singularity Enterprise as their container image registry. Singularity Enterprise, known for its advanced features, includes a crucial functionality piece of software called Harbor, which provides proxy caching. This proves instrumental in a scenario where users regularly pull container images from various external repositories, such as Docker Hub or other public registries, as part of their software development and deployment processes.
Without a proxy cache, each request for a container image would directly hit the external registry (Like node 4), potentially leading to delays and increased network bandwidth consumption. However, with Harbor’s proxy caching functionality, the registry intelligently intercepts these requests. When a container image is requested for the first time, Harbor fetches it from the external registry and caches a local copy. Subsequent requests for the same image are then served directly from Harbor’s local cache, avoiding the need to repeatedly download the image from the external source.

Setup

In order to set up proxy caching capabilities in Harbor, it is necessary to add an external registry record, then create a project and mark it as a proxy cache using the external registry as its source.
First, login to the harbor registry administration dashboard. You will need the username, password and address that was specified when installing Singularity Enterprise the first time. This is most commonly “https://harbor.DOMAIN or https://registry.DOMAIN” for newer installations. After login, add a registry by clicking on the Administrator > Registries option, then click on the “+ New Endpoint” button.
Next, a pop up dialog will appear. In this example, the use case is with Docker Hub, so select the Docker Hub provider, assign it a name, and type your user and password. Even better, create a token at Docker Hub and use it in Harbor as a password, leave the “Verify remote certificate” checked to increase security, and click on the OK button.
The registry will be available on the Harbor system, and you can see it with the tag “Healthy” if the connectivity is correct.
Then, to add a project, click on the Projects option at the left menu, and click on the “+ New Project” option.
Type a name for the project. In this example, it will be “hub.docker.com”. According to the use case, we want all Singularity Enterprise users to consume the proxy cache without access restrictions by marking it as “Public”. Unlimited quota can be specified as “-1” or set a limit for it. Select it as a “Proxy Cache” by sliding the option button, select the previously created registry, and then click the OK button to create it.
Every image you try to pull from this new project will pull it from the upstream registry — in this case, it will pull from Docker Hub.
JCBzaW5ndWxhcml0eSByZW1vdGUgZ2V0LWxvZ2luLXBhc3N3b3JkIHwgZG9ja2VyIGxvZ2luIC11IGpvc3VlbmVvIC0tcGFzc3dvcmQtc3RkaW4gcmVnaXN0cnkuRE9NQUlO
* Remember to add Singularity Enterprise remote and create an access token through the user interface. Then we can use Docker to pull from that project, let’s measure how long does it take to pull an image,
JCB0aW1lIGRvY2tlciBwdWxsIHJlZ2lzdHJ5LkRPTUFJTi9odWIuZG9ja2VyLmNvbS9saWJyYXJ5L3B5dGhvbjozLjkuMTgtYWxwaW5lMy4xOAozLjkuMTgtYWxwaW5lMy4xODogUHVsbGluZyBmcm9tIGRvY2tlcmh1Yi9saWJyYXJ5L3B5dGhvbgpjOTI2YjYxYmFkM2I6IFB1bGwgY29tcGxldGUgCjJiY2I2MDViODVkMjogUHVsbCBjb21wbGV0ZSAKNDkyYzdjYWQ3NGI0OiBQdWxsIGNvbXBsZXRlIAplMzdkNDA1MDJiOTQ6IFB1bGwgY29tcGxldGUgCjdkM2I3MDFiZTQ2ZTogUHVsbCBjb21wbGV0ZSAKRGlnZXN0OiBzaGEyNTY6NjYwMDY0NjYuLi5mOGNhY2QyMTVmYThkYTYyZDFkZjFkZGIzClN0YXR1czogRG93bmxvYWRlZCBuZXdlciBpbWFnZSBmb3IgcmVnaXN0cnkuRE9NQUlOL2h1Yi5kb2NrZXIuY29tL2xpYnJhcnkvcHl0aG9uOjMuOS4xOC1hbHBpbmUzLjE4CgpyZWFsICAgIDBtMTMuNDIycwp1c2VyICAgIDBtMC4wMDlzCnN5cyAgICAgMG0wLjAwN3M=
It now takes 13 seconds to pull the first time, if the image is removed from the local system and pulled again, it should take less time thanks to proxy caching:
JCBkb2NrZXIgcm1pIHJlZ2lzdHJ5LkRPTUFJTi9odWIuZG9ja2VyLmNvbS9saWJyYXJ5L3B5dGhvbjozLjkuMTgtYWxwaW5lMy4xOApVbnRhZ2dlZDogcmVnaXN0cnkuRE9NQUlOL2h1Yi5kb2NrZXIuY29tL2xpYnJhcnkvcHl0aG9uOjMuOS4xOC1hbHBpbmUzLjE4ClVudGFnZ2VkOiBoYXJib3IubXR5Lm9oYW5hLmxvY2FsL2RvY2tlcmh1Yi9saWJyYXJ5L3B5dGhvbkBzaGEyNTY6NjYwMDY3Zi4uLjYyZGRiMwpEZWxldGVkOiBzaGEyNTY6ZDU3YWExYmEuLi5jYzQwNzQyOApEZWxldGVkOiBzaGEyNTY6NGQ1MmNjMDEuLi44ZWFlZWU1MQpEZWxldGVkOiBzaGEyNTY6NWUxMzJhYzcuLi5mMWJlNDkwZApEZWxldGVkOiBzaGEyNTY6NWZlN2VhN2MuLi5mMTU2M2I2NApEZWxldGVkOiBzaGEyNTY6MzI5ZDU2NTguLi40YzJlNTNhZgoKJCB0aW1lIGRvY2tlciBwdWxsIHJlZ2lzdHJ5LkRPTUFJTi9odWIuZG9ja2VyLmNvbS9saWJyYXJ5L3B5dGhvbjozLjkuMTgtYWxwaW5lMy4xOAozLjkuMTgtYWxwaW5lMy4xODogUHVsbGluZyBmcm9tIGRvY2tlcmh1Yi9saWJyYXJ5L3B5dGhvbgpjOTI2YjYxYmFkM2I6IFB1bGwgY29tcGxldGUgCjJiY2I2MDViODVkMjogUHVsbCBjb21wbGV0ZSAKNDkyYzdjYWQ3NGI0OiBQdWxsIGNvbXBsZXRlIAplMzdkNDA1MDJiOTQ6IFB1bGwgY29tcGxldGUgCjdkM2I3MDFiZTQ2ZTogUHVsbCBjb21wbGV0ZSAKRGlnZXN0OiBzaGEyNTY6NjYwMDY0NjYwNGIuLi5hY2QyMTVmYThkYTYyZDFkZjFkZGIzClN0YXR1czogRG93bmxvYWRlZCBuZXdlciBpbWFnZSBmb3IgcmVnaXN0cnkuRE9NQUlOL2h1Yi5kb2NrZXIuY29tL2xpYnJhcnkvcHl0aG9uOjMuOS4xOC1hbHBpbmUzLjE4CgpyZWFsICAgIDBtMi41MzlzCnVzZXIgICAgMG0wLjAwOHMKc3lzICAgICAwbTAuMDA0cw==
This time it takes 2.5 seconds. It is evident this mechanism significantly reduces the time it takes to retrieve images and, more importantly, conserves bandwidth by minimizing redundant downloads.

Conclusion

In addition to bandwidth savings, a proxy cache also provides enhanced control and security. Organizations can implement access controls and policies at the proxy level, ensuring that only authorized users and systems have access to certain container images. This adds an extra layer of security to the containerized environment, mitigating the risk of unauthorized access and potential security vulnerabilities. The implementation of a proxy cache for container image registries is a strategic decision that not only optimizes performance and conserves bandwidth but also strengthens security measures in the dynamic landscape of modern software development and deployment.

Join Our Mailing List

Recent Posts

Related Posts

Remote Building with OCI Registries

This blog post will demonstrate how to use a definition file in a remote build that references an Open Container Initiative (OCI) image stored in Singularity Enterprise and Singularity Container Services.First, create an account in Singularity Container Service. To do...

read more

OCI Basics using Singularity Enterprise Registry

Overview Singularity Enterprise comes with a fully compliant Open Container Initiative (OCI) registry. The following is a collection of typical registry operations within your workflow. Assuming the Singularity Enterprise registry address is registry.sylabs.io, please...

read more