dragonflyoss · gaius-qi · Sep 30, 2021 · Sep 30, 2021 · Sep 30, 2021
@@ -17,57 +17,62 @@ When enable runtime configuration in dragonfly, you can skip [Configure Runtime]
 
 #### 1. Docker
 
+> **We did not recommend to using dragonfly with docker in Kubernetes** due to many reasons: 1. no fallback image pulling policy. 2. deprecated in Kubernetes.
 > Because the original `daemonset` in Kubernetes did not support `Surging Rolling Update` policy.
 > When kill current dfdaemon pod, the new pod image can not be pulled anymore.
-> Using Docker with dragonfly, when upgrade dfdaemon, should pull newly dfdaemon image manually, or use [ImagePullJob](https://openkruise.io/docs/user-manuals/imagepulljob).
 
-> We did not recommend to using dragonfly with docker in k8s due to many reasons: 1. no fallback image pulling policy. 2. deprecated in Kubernetes.
+> If you can not change runtime from docker to others, remind to choose a plan when upgrade dfdaemon:
+>     Option 1: pull newly dfdaemon image manually before upgrade dragonfly, or use [ImagePullJob](https://openkruise.io/docs/user-manuals/imagepulljob) to pull image automate.
+>     Option 2: keep the image registry of dragonfly is different from common registries and add host in `containerRuntime.docker.skipHosts`.
 
 Dragonfly helm supports config docker automatically.
 
 Config cases:
 
-**Case 1: Implicit registries support**
+**Case 1: [Preferred] Arbitrary registries support with restart docker**
 
 Chart customize values.yaml:
 ```yaml
 containerRuntime:
   docker:
     enable: true
-    # -- Inject domains into /etc/hosts to force redirect traffic to dfdaemon.
-    # Caution: This feature need dfdaemon to implement SNI Proxy, confirm image tag is greater than v0.4.0.
-    # When use certs and inject hosts in docker, no necessary to restart docker daemon.
-    injectHosts: true
-    registryDomains:
-    - "harbor.example.com"
-    - "harbor.example.net"
+    # -- Restart docker daemon to redirect traffic to dfdaemon
+    # When containerRuntime.docker.restart=true, containerRuntime.docker.injectHosts and containerRuntime.registry.domains is ignored.
+    # If did not want restart docker daemon, keep containerRuntime.docker.restart=false and containerRuntime.docker.injectHosts=true.
+    restart: true
+    skipHosts:
+    - "127.0.0.1"
+    - "docker.io" # Dragonfly use this image registry to upgrade itself, so we need skip it. Change it in real environment.
 ```
 
-This config enables docker pulling images from registries `harbor.example.com` and `harbor.example.net` via Dragonfly.
-When deploying Dragonfly with above config, it's unnecessary to restart docker daemon.
+This config enables docker pulling images from arbitrary registries via Dragonfly.
+When deploying Dragonfly with above config, dfdaemon will restart docker daemon.
 
 Limitations:
-* Only support implicit registries
+* Must enable live-restore feature in docker
+* Need restart docker daemon
 
-**Case 2: Arbitrary registries support**
+**Case 2: Implicit registries support without restart docker**
 
 Chart customize values.yaml:
 ```yaml
 containerRuntime:
   docker:
     enable: true
-    # -- Restart docker daemon to redirect traffic to dfdaemon
-    # When containerRuntime.docker.restart=true, containerRuntime.docker.injectHosts and containerRuntime.registry.domains is ignored.
-    # If did not want restart docker daemon, keep containerRuntime.docker.restart=false and containerRuntime.docker.injectHosts=true.
-    restart: true
+    # -- Inject domains into /etc/hosts to force redirect traffic to dfdaemon.
+    # Caution: This feature need dfdaemon to implement SNI Proxy, confirm image tag is greater than v0.4.0.
+    # When use certs and inject hosts in docker, no necessary to restart docker daemon.
+    injectHosts: true
+    registryDomains:
+    - "harbor.example.com"
+    - "harbor.example.net"
 ```
 
-This config enables docker pulling images from arbitrary registries via Dragonfly.
-When deploying Dragonfly with above config, dfdaemon will restart docker daemon.
+This config enables docker pulling images from registries `harbor.example.com` and `harbor.example.net` via Dragonfly.
+When deploying Dragonfly with above config, it's unnecessary to restart docker daemon.
 
 Limitations:
-* Must enable live-restore feature in docker
-* Need restart docker daemon
+* Only support implicit registries
 
 #### 2. Containerd
 

@@ -16,55 +16,58 @@
 
 #### 1. Docker
 
+> **不推荐在 docker 环境中使用蜻蜓**：1. 拉镜像没有 fallback 机制，2. 在未来的 Kubernetes 中已经废弃。
+> 
 > 因为当前 Kubernetes 里的 `daemonset` 并不支持 `Surging Rolling Update` 策略,
 > 一旦旧的 dfdaemon pod 被删除后，新的 dfdaemon 就再也拉取不了了。
-> 当使用 Docker 时，在升级 dfdaemon 的时候，请先手动拉取新的 dfdaemon 镜像，或者使用 [ImagePullJob](https://openkruise.io/docs/user-manuals/imagepulljob)
 
-> 不推荐在 docker 环境中使用蜻蜓：1. 拉镜像没有 fallback 机制，2. 在未来的 Kubernetes 中已经废弃。
+> 如果无法更换容器运行时的话，那在升级蜻蜓的时候，请从下面两种方案选择比较适合的：
+> 选项1：先手动拉取新的 dfdaemon 镜像，或者使用 [ImagePullJob](https://openkruise.io/docs/user-manuals/imagepulljob) 去自动拉取，
+> 选项2：保持蜻蜓的镜像中心和通用的镜像中心不一样，同时将蜻蜓镜像中心相关的 host 加入 `containerRuntime.docker.skipHosts`。
 
 Dragonfly Helm 支持自动更改 docker 配置。
 
-**情况 1: 支持指定仓库**
+**情况 1:【推荐的】支持任意仓库**
 
 定制 values.yaml 文件:
 ```yaml
 containerRuntime:
   docker:
     enable: true
-    # -- Inject domains into /etc/hosts to force redirect traffic to dfdaemon.
-    # Caution: This feature need dfdaemon to implement SNI Proxy, confirm image tag is greater than v0.4.0.
-    # When use certs and inject hosts in docker, no necessary to restart docker daemon.
-    injectHosts: true
-    registryDomains:
-    - "harbor.example.com"
-    - "harbor.example.net"
+    # -- Restart docker daemon to redirect traffic to dfdaemon
+    # When containerRuntime.docker.restart=true, containerRuntime.docker.injectHosts and containerRuntime.registry.domains is ignored.
+    # If did not want restart docker daemon, keep containerRuntime.docker.restart=false and containerRuntime.docker.injectHosts=true.
+    restart: true
 ```
 
-此配置允许 docker 通过 Dragonfly 拉取 `harbor.example.com` 和 `harbor.example.net` 域名镜像。
-使用上述配置部署 Dragonfly 时，无需重新启动 docker。
+此配置允许 Dragonfly 拦截所有 docker 流量。
+使用上述配置部署 Dragonfly 时，dfdaemon 将重新启动 docker。
 
 限制:
-* 只支持指定域名。
+* 必须开启 docker 的 `live-restore` 功能
+* 需要重启 docker daemon
 
-**情况 2: 支持任意仓库**
+**情况 2: 支持指定仓库**
 
 定制 values.yaml 文件:
 ```yaml
 containerRuntime:
   docker:
     enable: true
-    # -- Restart docker daemon to redirect traffic to dfdaemon
-    # When containerRuntime.docker.restart=true, containerRuntime.docker.injectHosts and containerRuntime.registry.domains is ignored.
-    # If did not want restart docker daemon, keep containerRuntime.docker.restart=false and containerRuntime.docker.injectHosts=true.
-    restart: true
+    # -- Inject domains into /etc/hosts to force redirect traffic to dfdaemon.
+    # Caution: This feature need dfdaemon to implement SNI Proxy, confirm image tag is greater than v0.4.0.
+    # When use certs and inject hosts in docker, no necessary to restart docker daemon.
+    injectHosts: true
+    registryDomains:
+    - "harbor.example.com"
+    - "harbor.example.net"
 ```
 
-此配置允许 Dragonfly 拦截所有 docker 流量。
-使用上述配置部署 Dragonfly 时，dfdaemon 将重新启动 docker。
+此配置允许 docker 通过 Dragonfly 拉取 `harbor.example.com` 和 `harbor.example.net` 域名镜像。
+使用上述配置部署 Dragonfly 时，无需重新启动 docker。
 
 限制:
-* 必须开启 docker 的 `live-restore` 功能
-* 需要重启 docker daemon
+* 只支持指定域名。
 
 #### 2. Containerd