Foreign Layers

NEW IN RELEASE 3.19


You can enable NXRM to cache the foreign layers of Docker images so that clients do not need to communicate with any Docker registry other than your proxied Docker repository. This is useful in air-gapped environments, where client hosts may not have full internet access and the location hosting a foreign layer may be unreachable.

To enable this functionality, check the Foreign Layer Caching option in your Docker proxy repository configuration.

This expands the area to display the additional configuration of allowed URL patterns. To provide fine-grained control over where your proxy repository communicates, you need to add a URL pattern (a regular expression) to the configuration. These patterns act as a whitelist that determines whether your proxy repository is allowed to retrieve and cache foreign layers from a particular location. The list is inclusive: a URL that matches any configured pattern is allowed. When caching is enabled, a default pattern of .* is added, which matches any URL; modify the pattern as desired, and click Add URL Pattern to set additional values. At least one value must be set.


Single, Defaulted Entry allowing all URLs:




Multiple entries:

 

For the latter example, the two patterns allow foreign layer retrieval from any URL path in the go.microsoft.com domain over either http or https, and from any URL path on any subdomain of the azurecr.io domain over https only.


Note that the regular expressions used here must match the entire URL, not just a portion of it. The examples accomplish this by adding .* to the end of the pattern in order to match any path.
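
The whole-URL rule and the inclusive list can be checked offline before patterns are entered in the repository configuration. The following is an added example, not part of NXRM or its documentation: the patterns and URLs are constructed to fit the description above, and Python's re.fullmatch stands in for the repository's matcher (an assumption). It also shows why a host wildcard written as [^/]+ is tighter than .*, which can let the allowed domain appear in the path instead of the host.

```python
import re

# Constructed patterns that fit the page's description of the two-entry list.
LOOSE = [
    r"https?://go\.microsoft\.com/.*",
    r"https://.*\.azurecr\.io/.*",
]
# Tighter variant (assumption): the host wildcard may not contain "/", so the
# allowed domain must be part of the host, not a string somewhere in the path.
TIGHT = [
    r"https?://go\.microsoft\.com/.*",
    r"https://[^/]+\.azurecr\.io/.*",
]
# No trailing .*: the pattern can only match the bare prefix, never a layer URL.
NO_TAIL = [r"https://[^/]+\.azurecr\.io/"]

def is_allowed(url, patterns):
    """Inclusive list: allowed if ANY pattern matches the ENTIRE URL."""
    return any(re.fullmatch(p, url) for p in patterns)

def audit(patterns, urls):
    """Map each URL to the allow/deny decision for the given pattern list."""
    return {u: is_allowed(u, patterns) for u in urls}

# Constructed sample URLs (hypothetical hosts and paths).
SAMPLES = [
    "https://go.microsoft.com/fwlink/layer",
    "http://go.microsoft.com/fwlink/layer",
    "https://myreg.azurecr.io/v2/app/blobs/sha256:abc",
    "http://myreg.azurecr.io/v2/app/blobs/sha256:abc",   # http not allowed here
    "https://mirror.example/x.azurecr.io/blob",          # domain only in the path
]

if __name__ == "__main__":
    for name, pats in (("loose", LOOSE), ("tight", TIGHT), ("no tail", NO_TAIL)):
        print(name)
        for url, ok in audit(pats, SAMPLES).items():
            print("  ", "ALLOW" if ok else "DENY ", url)
```
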


Once set up, your Docker proxy repository will be able to fetch foreign layer instances, providing a single source of data for the corresponding images.