
Container Registry: Create a delivery chain

Last Updated: Feb 28, 2024

Container Registry provides the cloud native application delivery chain feature. A delivery chain streamlines tasks such as image building, image scanning, global image replication, and image distribution. The entire delivery chain is observable, traceable, and secured. With a delivery chain, you can build, scan, replicate, and distribute images around the world simply by submitting source code changes. This topic describes how to create a delivery chain.

Prerequisites

Step 1: Create a delivery chain and configure basic information

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. On the management page of the Container Registry Enterprise Edition instance, choose Delivery Chain > Chain in the left-side navigation pane.

  6. In the upper-left corner of the Chain page, click Create Delivery Chain.

  7. In the Basic Information section of the Create Delivery Chain page, configure the following parameters:

    • Name: the name of the delivery chain.

    • Description: optional. The description of the delivery chain.

    • Scope: Select a namespace and an image repository in the namespace.

    • All Effective: If you turn on this switch, all repositories in the current namespace are added to the delivery chain. If you turn off this switch, you can specify the repositories that you do not want to add to the delivery chain.

Step 2: Configure image building rules

If you select an on-premises image repository, you cannot use the image building feature of the delivery chain.

  1. In the Chain section, click Image Building. Then, click Add Build Rule.

  2. In the Build Information step, configure the following parameters and click Next.

    | Parameter | Description |
    | --- | --- |
    | Type | Specify the type of the source code repository. Valid values: Branch and Tag. |
    | Branch/Tag | Select or enter a branch or a tag. Regular expressions are supported. If you use release-(?<imageTag>\w*) as the regular expression, the system builds a V1 image when the source code under the release-v1 branch is updated. The V1 image is built within a few minutes. For more information about how to use regular expressions, see Use regular expressions in named capturing groups. Note: After you specify regular expressions, images can be built only by the system. You cannot manually build images. |
    | Build Context Directory | Specify the directory in which the Dockerfile resides. You must specify a relative directory. The parent directory is the root directory of the code branch. |
    | Dockerfile Filename | Specify the name of the Dockerfile. The default name is Dockerfile. |

  3. In the Tag step, configure the parameters, click Save, and then click Next.

    Note

    Click Add Configuration to add image tags. You can add up to three image tags.

    | Parameter | Description |
    | --- | --- |
    | Image Tag | The tag of the image. Example: latest. You can enable named capturing groups. For example, if you specify a named capturing group for Branch/Tag, you can use the captured content. |
    | Build Time | The time (UTC+8) when source code is pushed. Example: 20201015 or 202010151613. Note: This parameter is optional. If you set this parameter, only the system can build images. You cannot manually build images. |
    | Commit ID | The number of characters to be obtained from the commit ID of the most recently pushed code. By default, the first six characters are used. You can adjust the slider to change the number of characters. Note: This parameter is optional. If you set this parameter, only the system can build images. You cannot manually build images. |

  4. In the Build Configurations step, configure the following parameters and click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Build Architecture | The architecture for which you want to build images. You can select multiple architectures. If you select multiple architectures, multiple container images for the architectures are built for each image tag. |
    | Build Parameters | The runtime parameters of the image building. Each building parameter is a key-value pair that is case-sensitive. You can configure a maximum of 20 building parameters. |
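The Branch/Tag expression and the Tag step settings can be checked against real branch names before the rule is saved. The following JavaScript is an added example, not code from Container Registry: it assumes the expression must match the whole branch or tag name and that tag components are joined with a hyphen, neither of which this topic specifies. The names `previewTag` and `buildTime` and all sample values are hypothetical.

```javascript
// Added example: preview the image tag a build rule would produce for a ref.
// Assumed, not stated in this topic: the expression must match the whole
// branch or tag name, and tag components are joined with "-".
const TAG_GRAMMAR = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/; // Docker tag syntax

// Push time rendered in UTC+8 as yyyyMMdd or yyyyMMddHHmm (Build Time).
function buildTime(pushTime, withMinutes = false) {
  const utc8 = new Date(pushTime.getTime() + 8 * 60 * 60 * 1000);
  const digits = utc8.toISOString().replace(/[-:T]/g, "");
  return digits.slice(0, withMinutes ? 12 : 8);
}

// Returns the tag, or null if the ref does not match the rule. Throws when
// a matching ref would yield an empty or syntactically invalid tag.
function previewTag(ref, pattern, rule) {
  const m = new RegExp(`^(?:${pattern})$`).exec(ref);
  if (m === null) return null;
  // Image Tag: a literal such as "latest" or the content of a named group.
  const base = rule.group ? (m.groups || {})[rule.group] : rule.literal;
  const parts = [base];
  if (rule.buildTime) {
    parts.push(buildTime(rule.pushTime, rule.buildTime === "minute"));
  }
  // Commit ID: leading characters of the most recently pushed commit.
  if (rule.commitChars) parts.push(rule.commitId.slice(0, rule.commitChars));
  const tag = parts.join("-");
  if (!base || !TAG_GRAMMAR.test(tag)) {
    throw new Error(`ref "${ref}" yields invalid image tag "${tag}"`);
  }
  return tag;
}

// Constructed sample values, not taken from a real repository.
const PATTERN = "release-(?<imageTag>\\w*)";
const RULE = {
  group: "imageTag", buildTime: "minute", commitChars: 6,
  pushTime: new Date("2020-10-15T08:13:00Z"), commitId: "3f9c2ab17d4e",
};
for (const ref of ["release-v1", "hotfix/release-v1", "release-v1.2"]) {
  console.log(ref, "->", previewTag(ref, PATTERN, RULE));
}
```

A branch named `release-` matches the expression with an empty capture because `\w*` accepts zero characters; `previewTag` rejects that case instead of returning an empty tag.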

Step 3: Configure the blocking rule for image security scanning

Image security scanning ensures image security when images are replicated and distributed.

  1. In the Chain section, click Security Scan.

  2. In the Node configuration section, configure the blocking rule.

    • Security Engine: Valid values are Security Center Scan Engine and Trivy Scan Engine.

      If vulnerabilities are detected, the Security Center Scan Engine allows you to fix the vulnerabilities with a few clicks. You cannot use the Trivy Scan Engine of Container Registry to fix vulnerabilities with a few clicks.

      Note

      If you want to use the image scanning feature of Security Center, you must purchase the Ultimate Edition of Security Center. For more information, see Purchase Security Center. If Security Center is not activated in the current region, the option of Security Center is not displayed in the Container Registry console.

    • Block strategy:

      • Blocking: If the blocking rule is met, the system stops the subsequent steps for all images.

        You must specify the Severity and Vulnerability parameters in the blocking rule. You must specify the subsequent steps after the delivery chain is stopped, including whether to delete the original image and whether to back up the images.

      • Non-blocking: The system proceeds with subsequent steps for all images.

Step 4: Configure image replication rules

After you configure image replication rules, updated images are automatically replicated between Container Registry Enterprise Edition instances based on the rules.

  1. In the Chain section, click Trigger Synchronization. Then, click Create Rule.

  2. In the Create Rule dialog box, enter a rule name, specify the destination Container Registry Enterprise Edition instance, and then click Next.

    Note

    If Internet access is disabled, images can be automatically replicated in different regions.

  3. In the Replication Information wizard, configure the replication information of the source instance and click Create Rule.

    | Parameter | Description |
    | --- | --- |
    | Replication Level | Select the replication level. Valid values: Namespaces and Repository. |
    | Source Address | Specify a namespace and a repository. Enter a regular expression to filter image tags in the repositories of the namespace or in the specified repository. By default, all image tags are replicated. You can specify the source repository only if you set the Replication Level parameter to Repository. |

Step 5: Configure distribution triggers

You can configure distribution triggers to automatically distribute images. This way, applications can be automatically redeployed.

  1. In the Chain section, click Trigger. Then, click Create.

  2. In the Create Trigger dialog box, configure the parameters and then click Confirm.

    | Parameter | Description |
    | --- | --- |
    | Name | The name of the trigger. |
    | Trigger URL | The URL to which the trigger sends notifications. You can obtain the URL from the configurations of your Container Service for Kubernetes (ACK) cluster. |
    | Trigger | The trigger method. Valid values: • All: Each time an image is updated, image distribution is triggered. • By RegExp: A regular expression is used to filter image tags. Image distribution is triggered only if an image tag matches the regular expression. • By Tags: Tags are used to filter images. Image distribution is triggered only if an image tag is in the specified tag list. |

  3. On the Create Delivery Chain page, click Create.

Result

On the Chain page, you can view the created delivery chain.

After source code is submitted to the code repository or an image is pulled, you can log on to the Container Registry Enterprise Edition instance and go to the Record page. On this page, you can view the status and result of each step in the delivery chain. Then, you can check whether the images are updated in your ACK cluster.