Use the following sections for instructions on accessing the registry, including viewing logs and metrics, as well as securing and exposing the registry.

You can access the registry directly to invoke podman commands. This allows you to push images to or pull them from the integrated registry directly using operations like podman push or podman pull. To do so, you must be logged in to the registry using the oc login command. The operations you can perform depend on your user permissions, as described in the following sections.

  • You must have configured an identity provider (IDP).

  • For pulling images, for example when using the podman pull command, the user must have the registry-viewer role. To add this role:

    $ oc policy add-role-to-user registry-viewer <user_name>
  • For writing or pushing images, for example when using the podman push command, the user must have the registry-editor role. To add this role:

    $ oc policy add-role-to-user registry-editor <user_name>

Accessing registry directly from the cluster

You can access the registry from inside the cluster.


Access the registry from the cluster by using internal routes:

  1. Access the node by getting the node’s address:

    $ oc get nodes
    $ oc debug nodes/<node_address>
  2. Log in to the container image registry by using your access token:

    $ oc login -u kubeadmin -p <password_from_install_log>
    $ podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000

    You should see a message confirming login, such as:

    Login Succeeded!

    You can pass any value for the user name; the token contains all necessary information. Passing a user name that contains colons will result in a login failure.

    Since the Image Registry Operator creates the route, it will likely be similar to default-route-openshift-image-registry.<cluster_name>.

  3. Perform podman pull and podman push operations against your registry:

    You can pull arbitrary images, but if you have the system:registry role added, you can only push images to the registry in your project.

    In the following examples, use:

    Component Value









    omitted (defaults to latest)

    1. Pull an arbitrary image:

      $ podman pull
    2. Tag the new image with the form <registry_ip>:<port>/<project>/<image>. The project name must appear in this pull specification for OpenShift Container Platform to correctly place and later access the image in the registry:

      $ podman tag image-registry.openshift-image-registry.svc:5000/openshift/image

      You must have the system:image-builder role for the specified project, which allows the user to write or push an image. Otherwise, the podman push in the next step will fail. To test, you can create a new project to push the image.

    3. Push the newly-tagged image to your registry:

      $ podman push image-registry.openshift-image-registry.svc:5000/openshift/image

Viewing the registry’s contents

As an administrator, you can view your registry’s contents.

  • Log in as administrator.

  1. Check the pods under project openshift-image-registry:

    # oc get pods
    cluster-image-registry-operator-764bd7f846-qqtpb 1/1 Running 0 78m
    image-registry-79fb4469f6-llrln 1/1 Running 0 77m
    node-ca-hjksc 1/1 Running 0 73m
    node-ca-tftj6 1/1 Running 0 77m
    node-ca-wb6ht 1/1 Running 0 77m
    node-ca-zvt9q 1/1 Running 0 74m

Viewing registry logs

You can view the logs for the registry by using the oc logs command.

  1. Use the oc logs command with deployments to view the logs for the container image registry:

    $ oc logs deployments/image-registry
    2015-05-01T19:48:36.300593110Z time="2015-05-01T19:48:36Z" level=info msg="version=v2.0.0+unknown"
    2015-05-01T19:48:36.303294724Z time="2015-05-01T19:48:36Z" level=info msg="redis not configured"
    2015-05-01T19:48:36.303422845Z time="2015-05-01T19:48:36Z" level=info msg="using inmemory layerinfo cache"
    2015-05-01T19:48:36.303433991Z time="2015-05-01T19:48:36Z" level=info msg="Using OpenShift Auth handler"
    2015-05-01T19:48:36.303439084Z time="2015-05-01T19:48:36Z" level=info msg="listening on :5000"

Accessing registry metrics

The OpenShift Container Registry provides an endpoint for Prometheus metrics. Prometheus is a stand-alone, open source systems monitoring and alerting toolkit.

The metrics are exposed at the /extensions/v2/metrics path of the registry endpoint.


There are two ways in which you can access the metrics, running a metrics query or using the cluster role.

Metrics query

  1. Run a metrics query, for example:

    $ curl -s -u <user>:<secret> \ (1) | grep openshift | head -n 10
    # HELP openshift_build_info A metric with a constant '1' value labeled by major, minor, git commit & git version from which OpenShift was built.
    # TYPE openshift_build_info gauge
    openshift_build_info{gitCommit="67275e1",gitVersion="v3.6.0-alpha.1+67275e1-803",major="3",minor="6+"} 1
    # HELP openshift_registry_request_duration_seconds Request latency summary in microseconds for each operation
    # TYPE openshift_registry_request_duration_seconds summary
    openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.5"} 0
    openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.9"} 0
    openshift_registry_request_duration_seconds{name="test/origin-pod",operation="blobstore.create",quantile="0.99"} 0
    openshift_registry_request_duration_seconds_sum{name="test/origin-pod",operation="blobstore.create"} 0
    openshift_registry_request_duration_seconds_count{name="test/origin-pod",operation="blobstore.create"} 5
    1 <user> can be arbitrary, but <secret> must match the value specified in the registry configuration.

Cluster role

  1. Create a cluster role if you do not already have one to access the metrics:

    $ cat <<EOF |
    kind: ClusterRole
      name: prometheus-scraper
    - apiGroups:
      - registry/metrics
      - get
    $ oc create -f -
  2. Add this role to a user, run the following command:

    $ oc adm policy add-cluster-role-to-user prometheus-scraper <username>
  3. Access the metrics using cluster role. The part of the configuration file responsible for metrics should look like this:

      version: 1.0
        enabled: true
Additional resources