Container Registry is a service provided by Alibaba Cloud for managing container images. It supports full-lifecycle management of images in 20 regions around the world. Integrated with other Alibaba Cloud services such as Container Service, Container Registry offers a one-stop cloud-native service for managing container images. This topic describes how to use image-syncer to synchronize images from self-built Harbor to Container Registry Default Instance Edition.

Prerequisites

The Container Registry service is activated.

Log on to the Container Registry console and activate the Container Registry service.

Create a namespace

A namespace allows you to effectively manage a collection of repositories, including repository permissions and repository attributes. You can enable Automatically Create Repository for a namespace. When you run the docker push command to push images to a repository that does not exist in the namespace, the repository is automatically created.
Note The target repository created by using the docker push command can be public or private based on the setting of Default Repository Type for the namespace.
  1. Log on to the Container Registry console.
  2. In the left-side navigation pane, choose Default Instance > Namespaces.
  3. On the Namespaces page, click Create Namespace in the upper-right corner.
  4. In the Create Namespace dialog box, customize a namespace and click Confirm.

After the namespace is created, you can find it on the Namespaces page. You can also manage namespaces on the Namespaces page.

Grant permissions to a RAM user

If you perform subsequent operations as a Resource Access Management (RAM) user, you must create a RAM user and grant permissions to the RAM user. Skip this section if you use an Alibaba Cloud account to perform subsequent operations.

  1. Create a RAM user. For more information, see Step 1: Create a RAM user and enable console password logon.
  2. Grant relevant permissions to the RAM user. For more information, see Custom RAM policies.
    In this example, you only grant the create, update, push, and pull permissions to the RAM user and set the accessible resource to the image-syncer namespace.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:CreateRepository",
                    "cr:UpdateRepository",
                    "cr:PushRepository",
                    "cr:PullRepository"
                ],
                "Resource": [
                    "acs:cr:*:*:repository/image-syncer/*"
                ]
            }
        ],
        "Version": "1"
    }

Configure an access credential

Before pulling private images or uploading images, you must run the docker login command to log on to the registry with an access credential. Follow these steps to configure an access credential:

  1. In the left-side navigation pane, choose Default Instance > Access Credential.
  2. On the Access Credential page, click Set Password.
  3. In the Set Password dialog box, set Password and Confirm Password and click OK.

Configure image-syncer

This example synchronizes images in the library/nginx repository of a self-built Harbor registry to the image-syncer namespace of Container Registry in the China (Beijing) region. The name of the source repository, which is nginx, is used as the name of destination repository. The configuration file is as follows:
{
    "auth": {
        "harbor.myk8s.paas.com:32080": {
            "username": "admin",
            "password": "xxxxxxxxx",
            "insecure": true
        },
        "registry.cn-beijing.aliyuncs.com": {
            "username": "acr_pusher@1938562138124787",
            "password": "xxxxxxxx"
        }
    },
    "images": {
        "harbor.myk8s.paas.com:32080/library/nginx": ""
    }
}
  • harbor.myk8s.paas.com:32080: the endpoint of the self-built Harbor registry. It must be replaced with the actual value.
    • username: the username of the self-built Harbor registry. The value is admin in this example.
    • password: the password of the self-built Harbor registry.
    • insecure: Set this parameter to true.
  • registry.cn-beijing.aliyuncs.com: the endpoint of the destination registry. The registry resides in the China (Beijing) region in this example.
    • username: the username in the access credential.
    • password: the password in the access credential.
  • "harbor.myk8s.paas.com:32080/library/nginx": "": Access the library/nginx repository located on harbor.myk8s.paas.com:32080.

Use image-syncer to synchronize images

  1. Download the latest installation package of image-syncer.
    Note Currently, only the Linux AMD64 version is supported.
  2. Install and configure image-syncer.
    For more information, see the guide on GitHub.
  3. Run the following command to synchronize images:
    # Set the default destination registry to registry.cn-beijing.aliyuncs.com and the default destination namespace to image-syncer.
    # Set both the number of images that can be synchronized concurrently and the maximum number of retries to 10.
    # Record logs in the ./log file. If the file does not exist, it is automatically created. If the log file is not specified, image-syncer displays logs in Stderr by default.
    # Specify harbor-to-acr.json as the configuration file. Its content is described in the previous section.
    ./image-syncer --proc=10 --config=./harbor-to-acr.json --registry=registry.cn-beijing.aliyuncs.com --namespace=image-syncer --retries=10 --log=./log

Synchronization result

When synchronizing images, image-syncer generates synchronization tasks, runs synchronization tasks, and retries failed tasks. Failed tasks include synchronization tasks that fail to be run and those fail to be generated. Each synchronization task synchronizes an image with specified tags. If an image synchronization rule in the configuration file does not specify any tags, image-syncer generates synchronization tasks based on this rule by retaining all the original tags.

  • If images are successfully synchronized, the messages shown in the following figure appear.Success result
  • If images fail to be synchronized, for example, due to incorrect username or password, the messages shown in the following figure appear.Failure result
  • During its running, image-syncer displays log information, as shown in the following figure.Log information