Hi, this is a quick demo of one of the new features in Red Hat Quay 3.7: pull-through caching. My name is Daniel Messer, I'm the product manager for Red Hat Quay and I'm going to walk you through the user experience and the benefits of using Quay as a transparent cache for other external registries. First, ensure that you enable the proxy caching feature in the Quay configuration file. Note that in Red Hat Quay 3.7 this feature is introduced in technology preview and is therefore disabled by default. Let's now switch to the Quay UI. We're going to create a new organization and configure it as a cache for another registry. I'll simply call it cache for the sake of brevity. The actual name doesn't really matter and you can have an arbitrary number of cache organizations in Quay to cache different registries. To turn an organization into a cache we are going to switch to the settings panel of the organization and enter the domain name of the remote registry to be cached. In this case Quay.io. Optionally we could enter credentials for the registry here or leave them out to pull anonymously from Quay.io. The expiration time settings control when cached images will expire and subsequently be evicted from the cache. The default is 24 hours here. I'm fine with this and by clicking save we are completing the configuration process and the organization is now a cache. From now on, from the client perspective, this is a read-only organization. You cannot push to this organization or create new content within it. You can only pull through the organization in the form of a cache. Before we use it though we can take a last look at the contents and see that currently there's nothing there. I'm now going to pull an image through the cache from my own Quay registry. First let me also show you that I have currently no images in my local Podman environment either.
Now let's say I want to pull the community version of Quay's security scanner Clair, which is available in quay.io/projectquay/clair. To pull that image through my cache I will simply append the path to the Clair image without the Quay.io domain name to the URL of my cache organization so it becomes quay.dmesher.io/cache/projectquay/clair and I'm going to pull the tag nightly. As you can see the pull succeeds as it would normally do. But here's what happened in the background. When I attempted to pull from quay.dmesher.io/cache/projectquay/clair, Quay recognized that this is actually a cache organization and it subsequently checked first whether the desired image was already in the cache. Since the cache was empty at this point in time it pulled the image from the configured remote registry by appending the path of the desired image within the cache organization to the domain of the remote registry Quay.io. If the cache would have credentials configured it would have authenticated to Quay.io with these first. The response from Quay.io to my cache is a set of image layers which are directly streamed back to my Podman client. In parallel my Quay instance also stored the image layers in the cache organization. All this happened completely transparently to the client which was not even aware that the original image came from Quay.io. I have the Clair image now on my local machine. Let's inspect it using Podman to get the SHA-256 digest of the image and copy that to my clipboard. When I take a look in my cache organization now I can also see that the Clair image is present in the cache and note that it has been stored with the full path spec. If I would attempt to pull that image through the cache again it would now be directly served from the cache in Quay unless the tag has changed in the remote registry. This greatly improves pull performance which is one of the main advantages of the cache.
When I inspect the tag I can see that it is the same SHA-256 digest that I have locally on my machine, confirming that the image in the cache is the same that Podman has. I also see that this is a multi-arch image and both versions of Clair for x86 and ARM have been cached. Lastly I see the expiration time of the image. It's currently set to expire in about 24 hours from now. Every time this image will be pulled through the cache again the timer will actually be reset and the 24-hour countdown starts again. This way popular images stay in the cache longer. Lastly let's look at the actual Clair image in the source at quay.io from where it was pulled into the cache. If we inspect the nightly tag here we can see that the same SHA-256 digest appears that we saw earlier on my local machine and also in my own Quay registry's cache organization. This proves that the image was pulled through the cache from the configured remote registry with guaranteed integrity of the image. And this way the pull-through cache feature allows to greatly reduce the amount of traffic to remote registries and speed up the download process to clients of my own registry. In this example we have cached an entire registry like quay.io. That means any image that is accessible there can be accessed through my cache. This may not be desired sometimes. Sometimes you only want to allow access to a certain portion of a remote registry through a cache. And with Quay you can do that as well. Let's return to the settings menu of our cache organization and reset its configuration. Now let's configure it to be a cache of the Docker Hub library project. Instead of all images in Docker Hub only those with the prefix docker.io/library will be accessible through the cache. Let's go back to my client that only has the image from the previous example stored locally. Let's now pull the open source Postgres image through the cache.
It would normally be available behind docker.io/library/postgres. But since I have configured my cache to proxy the library project I can address it through my cache as quay.demesser.io/cache/postgres. Again the pull succeeds and I have the Postgres image available locally. To prove that it originally came from Docker Hub I can also attempt to pull the image directly from there. The pull attempt from Docker Hub finishes fairly quickly because the image and all its layers are already present as a result of the previous pull through of my cache. I can also see the Postgres image now in my cache organization. This time without the full path since my cache only covers the library project in Docker Hub. This is a very effective way for security-conscious network and container platform administrators to give developers a certain level of freedom by allowing selective access to certain parts of upstream registries which are normally completely untrusted. While at the network layer access to Docker Hub might be blocked, it can be exposed by Quay through a pull-through cache at the very granular level. The only caveat here is that developers need to know about this and the location of the cache and therefore adjust all their pull specs. With Podman there is a nice way to circumvent this. You can edit the registry.conf file of your Podman installation and enter the following configuration segment. It essentially makes Podman redirect all pull attempts to the Docker Hub library project towards our cache organization. Let's run with this. If we now attempt to pull another image from Docker Hub's library project directly it will be transparently pulled through our cache. Even though the pull spec is docker.io/library/nginx in this example. We can see the result in our registry. The nginx image is now cached there as well. Another nice feature of Podman is that it normalizes Docker Hub references.
So in your pull command you can actually omit the library path like I'm doing here when pulling redis. This is very popular in beginner tutorials for learning containers. Podman knows how to interpret this for Docker Hub and changes it transparently to docker.io/library/redis which in turn causes it to be pulled through our cache. Switching back to our Quay UI we can see the redis image is now cached as well. This concludes this demonstration. Be sure to also check out the other new features of Red Hat Quay 3.7: storage quota management, container native builds and geo-replication with the Red Hat Quay Operator. Thanks for watching.
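
The reference rewriting described in the demo, modelled as an added example that is not part of the original video or of Quay's or Podman's code: Docker Hub short-name normalization, the client-side prefix redirect, and the upstream reference the cache fetches on a miss. The host `quay.example.com`, the TOML fragment in the comment and all function names are assumptions made for illustration, as is the choice that unqualified names resolve to docker.io.

```python
# Constructed registries.conf (v2) fragment modelled below; the host is a placeholder:
#   [[registry]]
#   prefix   = "docker.io/library"
#   location = "quay.example.com/cache"
CACHE_ORG = "quay.example.com/cache"               # placeholder cache organization
CLIENT_RULES = [("docker.io/library", CACHE_ORG)]  # (prefix, location)


def normalize(ref, default_registry="docker.io"):
    """Qualify a short name and add Docker Hub's implicit library/ namespace.
    Assumption: unqualified names resolve to docker.io on this client."""
    first, _, rest = ref.partition("/")
    qualified = rest and ("." in first or ":" in first or first == "localhost")
    if not qualified:
        ref = f"{default_registry}/{ref}"
    registry, _, path = ref.partition("/")
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return f"{registry}/{path}"


def client_rewrite(ref, rules=CLIENT_RULES):
    """Apply the prefix -> location rewrite the client performs before pulling."""
    ref = normalize(ref)
    for prefix, location in rules:
        # Match whole path components only, so docker.io/libraryx/... is not caught.
        if ref == prefix or ref.startswith(prefix + "/"):
            return location + ref[len(prefix):]
    return ref  # outside the cached prefix: still goes to its original registry


def cache_upstream(pull_spec, upstream, cache_org=CACHE_ORG):
    """Reference the cache fetches on a miss: the path below the cache
    organization appended to the configured remote registry or prefix."""
    if not pull_spec.startswith(cache_org + "/"):
        raise ValueError("pull spec is not addressed to the cache organization")
    return upstream + pull_spec[len(cache_org):]


if __name__ == "__main__":
    for ref in ["redis", "docker.io/library/nginx:latest", "docker.io/someuser/app"]:
        print(f"{ref:32} -> {client_rewrite(ref)}")
    print(cache_upstream(CACHE_ORG + "/projectquay/clair:nightly", "quay.io"))
    print(cache_upstream(CACHE_ORG + "/postgres", "docker.io/library"))
```

References outside the cached prefix come back unchanged, which is why the redirect only restricts developers when direct access to the upstream registry is also blocked at the network layer.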