@northtyphoon
Last active March 25, 2023 19:51

Pull Simple Linux or Windows Image (Single Region)

  • [NOTE] A Windows image by default has one or two base layers hosted separately in Azure CDN (a.k.a. foreign layers). The client downloads these foreign layers from Azure CDN directly.
sequenceDiagram
    Docker->>+ACR: [Head] <registry>.azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes <br>application/vnd.oci.image.manifest.v1+json,<br>application/vnd.docker.distribution.manifest.v2+json,<br>application/vnd.docker.distribution.manifest.list.v2+json,<br>application/vnd.oci.image.index.v1+json,<br>application/vnd.docker.distribution.manifest.v1+prettyjws,<br>application/json
    ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to storage blob 
        Docker->>+Storage: [GET] <storageaccount>.blob.core.windows.net/<container>//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        Storage->>+Docker: [200/206] Blob content
        Docker->>+Storage: Continue to download remaining layer content
    end

Pull Multi-Arch Image (Single Region)

sequenceDiagram
    Docker->>+ACR: [Head] <registry>.azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes <br>application/vnd.oci.image.manifest.v1+json,<br>application/vnd.docker.distribution.manifest.v2+json,<br>application/vnd.docker.distribution.manifest.list.v2+json,<br>application/vnd.oci.image.index.v1+json,<br>application/vnd.docker.distribution.manifest.v1+prettyjws,<br>application/json
    ACR->>Docker: Manifest List Digest: sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
    Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/manifests/sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af
    ACR->>Docker: [200] Manifest List Digest Content
    Docker->>+Docker: [Parse] Find the matching platform manifest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to storage blob 
        Docker->>+Storage: [GET] <storageaccount>.blob.core.windows.net/<container>//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        Storage->>+Docker: [200/206] Blob content
        Docker->>+Storage: Continue to download remaining layer content
    end
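
The [Parse] step in the multi-arch flow, as an added example (not code from the gist or from Docker): it checks the manifest list body against the digest it was requested by, then picks the child manifest for the client platform. The sample list, its digests and the function names are constructed for illustration.

```python
import hashlib
import json

LIST_V2 = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"

def _entry(fill, os_name, arch, **extra):
    # Constructed child-manifest descriptor; the digest is a made-up value.
    return {"mediaType": MANIFEST_V2, "size": 525, "digest": "sha256:" + fill * 64,
            "platform": {"os": os_name, "architecture": arch, **extra}}

# Constructed manifest list body, as it would arrive in the [200] response.
SAMPLE_LIST = json.dumps({
    "schemaVersion": 2, "mediaType": LIST_V2,
    "manifests": [_entry("a", "linux", "amd64"),
                  _entry("b", "linux", "arm64", variant="v8"),
                  _entry("c", "windows", "amd64")],
}).encode()


def verify_digest(expected, body):
    """Raise unless body hashes to the digest it was requested by."""
    algo, _, want = expected.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo!r}")
    got = hashlib.sha256(body).hexdigest()
    if got != want:
        raise ValueError(f"digest mismatch: wanted {want}, got {got}")


def select_platform_manifest(list_digest, list_body, os_name, arch, variant=None):
    """Verify the manifest list, then return the digest of the matching child."""
    verify_digest(list_digest, list_body)   # check the raw bytes before parsing
    doc = json.loads(list_body)
    if "manifests" not in doc:
        raise ValueError("not a manifest list or OCI image index")
    for entry in doc["manifests"]:
        plat = entry.get("platform", {})
        if (plat.get("os"), plat.get("architecture")) != (os_name, arch):
            continue
        if variant is not None and plat.get("variant") != variant:
            continue
        return entry["digest"]              # used in the next manifest [GET]
    raise LookupError(f"no manifest for {os_name}/{arch}")


if __name__ == "__main__":
    digest = "sha256:" + hashlib.sha256(SAMPLE_LIST).hexdigest()
    print(select_platform_manifest(digest, SAMPLE_LIST, "linux", "arm64"))
```

The same `verify_digest` check applies to every later response in the loop, since each manifest and blob is requested by its sha256 digest.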

Pull Simple Linux or Windows Image (Multiple Regions)

  • If ACR enables data replication in multiple regions, traffic is routed to the "closest" region, the one that provides the lowest connection latency.
  • In the following example, the registry has data replications in WestUS and EastUS, both of which serve requests for <registry>.azurecr.io. Assuming WestUS provides the lowest connection latency to the client, the image is pulled from WestUS.
sequenceDiagram
    Docker->>+Azure DNS: Query the closest region
    Azure DNS->>+Docker: Return the ACR IP of WestUS which provides the lowest connection latency
    Docker->>+ WestUS ACR: [Head] <registry>.azurecr.io[WestUS IP]/v2/library/hello-world/manifests/latest
    Note right of WestUS ACR: All manifest request accept-header includes <br>application/vnd.oci.image.manifest.v1+json,<br>application/vnd.docker.distribution.manifest.v2+json,<br>application/vnd.docker.distribution.manifest.list.v2+json,<br>application/vnd.oci.image.index.v1+json,<br>application/vnd.docker.distribution.manifest.v1+prettyjws,<br>application/json
    WestUS ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+WestUS ACR: [GET] <registry>.azurecr.io[WestUS IP]/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    WestUS ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ WestUS ACR: [GET] <registry>.azurecr.io[WestUS IP]/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        WestUS ACR->>+Docker: [307] Redirect to storage blob 
        Docker->>+WestUS Storage: [GET] <storageaccount>.blob.core.windows.net/<container>//v2/blobs/sha256/2d/2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54/data
        WestUS Storage->>+Docker: [200/206] Blob content
        Docker->>+WestUS Storage: Continue to download remaining layer content
    end

Pull Simple Linux or Windows Image with Data Proxy (Single Region)

  • If ACR enables private endpoint, service endpoint, dedicated data-endpoint, customer managed keys or pull through cache, the layer download is proxied through the data proxy server.
sequenceDiagram
    Docker->>+ACR: [Head] <registry>.azurecr.io/v2/library/hello-world/manifests/latest
    Note right of ACR: All manifest request accept-header includes <br>application/vnd.oci.image.manifest.v1+json,<br>application/vnd.docker.distribution.manifest.v2+json,<br>application/vnd.docker.distribution.manifest.list.v2+json,<br>application/vnd.oci.image.index.v1+json,<br>application/vnd.docker.distribution.manifest.v1+prettyjws,<br>application/json
    ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        ACR->>+Docker: [307] Redirect to DataProxy 
        Docker->>+DataProxy: [GET] <registry>.<region>.data.azurecr.io/<encrypted-upstream-data-source-uri>
        DataProxy->>+Upstream: [GET] Forward the request to upstream
        Upstream->>+DataProxy: [200/206] Blob content
        DataProxy->>+Docker: [200/206] Blob content
        Docker->>+DataProxy: Continue to download remaining layer content
    end

Pull Simple Linux or Windows Image with Data Proxy (Multiple Regions)

  • If ACR enables data replication in multiple regions, traffic is routed to the "closest" region, the one that provides the lowest connection latency.
  • If ACR also enables private endpoint, service endpoint, dedicated data-endpoint, customer managed keys or pull through cache, the layer download is proxied through the data proxy server.
  • In the following example, the registry has data replications in WestUS and EastUS, both of which serve requests for <registry>.azurecr.io. Assuming WestUS provides the lowest connection latency to the client, the image is pulled from WestUS.
sequenceDiagram
    Docker->>+Azure DNS: Query the closest region
    Azure DNS->>+Docker: Return the ACR IP of WestUS which provides the lowest connection latency
    Docker->>+ WestUS ACR: [Head] <registry>.azurecr.io[WestUS IP]/v2/library/hello-world/manifests/latest
    Note right of WestUS ACR: All manifest request accept-header includes <br>application/vnd.oci.image.manifest.v1+json,<br>application/vnd.docker.distribution.manifest.v2+json,<br>application/vnd.docker.distribution.manifest.list.v2+json,<br>application/vnd.oci.image.index.v1+json,<br>application/vnd.docker.distribution.manifest.v1+prettyjws,<br>application/json
    WestUS ACR->>Docker: Manifest Digest: sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    Docker->>+WestUS ACR: [GET] <registry>.azurecr.io[WestUS IP]/v2/library/hello-world/manifests/sha256:f54a58bc1aac5ea1a25d796ae155dc228b3f0e11d046ae276b39c4bf2f13d8c4
    WestUS ACR->>Docker: [200] Manifest Digest Content
    loop Enumerate all config and layer blobs
        Docker->>+ WestUS ACR: [GET] <registry>.azurecr.io/v2/library/hello-world/blobs/sha256:2db29710123e3e53a794f2694094b9b4338aa9ee5c40b930cb8063a1be392c54
        WestUS ACR->>+Docker: [307] Redirect to WestUS DataProxy 
        Docker->>+WestUS DataProxy: [GET] <registry>.westus.data.azurecr.io/<encrypted-upstream-data-source-uri>
        WestUS DataProxy->>+Upstream: [GET] Forward the request to upstream
        Upstream->>+WestUS DataProxy: [200/206] Blob content
        WestUS DataProxy->>+Docker: [200/206] Blob content
        Docker->>+WestUS DataProxy: Continue to download remaining layer content
    end
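
The [307] redirects in the storage and data-proxy flows above decide which hosts a client must reach besides the registry itself. As an added example (not part of the gist), this classifies a redirect Location into the two host patterns shown in the diagrams and builds the egress allowlist for a pull. The registry name, storage account and URLs are constructed, and requiring https on the redirect is an assumption.

```python
import re
from urllib.parse import urlsplit

# Host patterns taken from the diagrams:
#   <storageaccount>.blob.core.windows.net   (direct storage download)
#   <registry>.<region>.data.azurecr.io      (data proxy download)
STORAGE_RE = re.compile(r"^[a-z0-9]+\.blob\.core\.windows\.net$")
DATA_RE = re.compile(r"^(?P<registry>[a-z0-9]+)\.(?P<region>[a-z0-9]+)\.data\.azurecr\.io$")

# Constructed Location values, one per flow.
SAMPLE_LOCATIONS = [
    "https://examplestore.blob.core.windows.net/container//v2/blobs/sha256/2d/x/data",
    "https://myregistry.westus.data.azurecr.io/opaque-encrypted-uri",
]


def classify_redirect(registry, location):
    """Return (kind, host) for a blob redirect, or raise if the host is unexpected."""
    url = urlsplit(location)
    host = (url.hostname or "").lower()
    if url.scheme != "https":            # assumption: blob redirects are https only
        raise ValueError(f"non-https redirect: {location!r}")
    proxy = DATA_RE.match(host)
    if proxy and proxy["registry"] == registry.lower():
        return ("data-proxy", host)
    if STORAGE_RE.match(host):
        return ("storage", host)
    # Anchored patterns reject look-alike suffixes and another registry's data endpoint.
    raise ValueError(f"unexpected redirect host: {host!r}")


def egress_allowlist(registry, locations):
    """Hosts the client must reach for this pull: login server plus redirect targets."""
    hosts = {f"{registry.lower()}.azurecr.io"}
    for location in locations:
        hosts.add(classify_redirect(registry, location)[1])
    return sorted(hosts)


if __name__ == "__main__":
    for host in egress_allowlist("myregistry", SAMPLE_LOCATIONS):
        print(host)
```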