This topic describes how to use the image-syncer tool to synchronize images from a self-managed Harbor project to an instance of Container Registry Enterprise Edition.

Prerequisites

Background information

Container Registry Enterprise Edition provides an enterprise-class secure service for managing container images and Helm charts. It provides enterprise-class security and allows you to distribute images to thousands of nodes concurrently and synchronize images among regions on a global scale. It also allows you to create cloud-native application delivery chains to automatically deliver images globally upon source code changes in multiple scenarios. This service applies to enterprise customers that have high security requirements, deploy services in multiple regions, and use clusters that consist of a large number of nodes.

Step 1: Create a namespace

A namespace is a collection of repositories, including repository permissions and repository properties. You can use namespaces to efficiently manage repositories. You can enable Automatically Create Repository for a namespace. When you run the docker push command to push images to a repository that does not exist in the namespace, the repository is automatically created.

  1. Log on to the Container Registry console.
  2. In the left-side navigation pane, choose Enterprise Instances > Instances.
  3. Find the created instance and click Manage in the Actions column.
  4. In the left-side navigation pane of the details page, choose Repositories > Namespaces.
  5. In the upper-right corner of the Namespaces page, click Create Namespace.
  6. On the Create Namespace page, select Automatically Create Repository and Default Repository Type, and click Confirm.
    Note You must turn on Automatically Create Repository.

After the namespace is created, you can find the created namespace on the Namespaces page. You can also manage namespaces on the Namespaces page. For more information, see Manage namespaces.

Step 2: Grant permissions to a RAM user

If you want to perform the subsequent operations as a Resource Access Management (RAM) user, you must create and grant permissions to a RAM user. Skip this step if you use an Alibaba Cloud account to perform subsequent operations.

  1. Create a RAM user. For more information, see Create a RAM user.
  2. Grant permissions to the RAM user. For more information, see Create a custom RAM policy.
    In this example, grant the RAM user only the permissions that the synchronization needs: creating and updating Container Registry repositories, and pushing and pulling images. The following policy grants exactly those permissions, and it allows the RAM user to access resources only in the image-syncer namespace.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:CreateRepository",
                    "cr:UpdateRepository",
                    "cr:PushRepository",
                    "cr:PullRepository"
                ],
                "Resource": [
                    "acs:cr:*:*:repository/image-syncer/*"
                ]
            }
        ],
        "Version": "1"
    }
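    The policy above is the least-privilege grant for this procedure, so it is worth checking before it is attached. The following script is an added example, not part of this topic or of the Container Registry service: it parses a RAM policy document and reports any Allow statement that goes beyond the four repository actions or outside a single namespace. The audit rules, the EXPECTED_ACTIONS set, the RESOURCE_RE pattern and the function name are this example's own assumptions; the policy text it embeds is the one shown in Step 2.

```python
"""Added example (not from the page): audit a RAM policy before attaching it,
to confirm it grants only the Step 2 permissions inside one namespace.
The audit rules and names here are assumptions of this example."""
import json
import re

# The four actions the page's policy grants. Anything else in an Allow
# statement is reported as a finding.
EXPECTED_ACTIONS = {
    "cr:CreateRepository",
    "cr:UpdateRepository",
    "cr:PushRepository",
    "cr:PullRepository",
}

# Assumed ARN layout, matching the page's resource string:
# acs:cr:<region>:<account>:repository/<namespace>/<repository>
RESOURCE_RE = re.compile(r"^acs:cr:[^:]*:[^:]*:repository/([^/]+)/(.+)$")

# The policy from Step 2, embedded as the input under audit.
PAGE_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cr:CreateRepository", "cr:UpdateRepository",
                   "cr:PushRepository", "cr:PullRepository"],
        "Resource": ["acs:cr:*:*:repository/image-syncer/*"],
    }],
    "Version": "1",
})


def _as_list(value):
    """RAM accepts a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json, namespace):
    """Return human-readable findings. An empty list means every Allow
    statement uses only EXPECTED_ACTIONS and only resources inside `namespace`."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif action not in EXPECTED_ACTIONS:
                findings.append(
                    f"statement {idx}: action {action!r} is not needed by image-syncer")
        for resource in _as_list(stmt.get("Resource", [])):
            match = RESOURCE_RE.match(resource)
            if match is None:
                findings.append(
                    f"statement {idx}: resource {resource!r} is not a single-namespace repository ARN")
            elif match.group(1) != namespace:
                findings.append(
                    f"statement {idx}: resource {resource!r} is outside namespace {namespace!r}")
    return findings


if __name__ == "__main__":
    for line in audit_policy(PAGE_POLICY, "image-syncer") or ["policy is within scope"]:
        print(line)
```

    Run it against the policy file before you attach the policy; any non-empty result means the grant is wider than this procedure requires.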

Step 3: Enable Internet access

By default, instances of Container Registry Enterprise Edition cannot be accessed over the Internet. Therefore, you must enable Internet access before you configure an access control policy for Internet access.

  1. Log on to the Container Registry console. In the upper-left corner, select the region where your instance is deployed.
  2. In the left-side navigation pane, choose Enterprise Instances > Instances.
  3. On the Instances page, click the instance of Container Registry Enterprise Edition to be configured.
  4. In the left-side navigation pane, choose Repositories > Access Control.
    Note If you want to configure access control for Helm charts, choose Helm Chart > Access Control.
  5. On the Internet tab, click Add Internet Whitelist.
  6. In the Add Internet Whitelist dialog box, enter the CIDR block that is allowed to access the instance of Container Registry Enterprise Edition and the description.
  7. Click OK.
    After the CIDR block is added, Elastic Compute Service (ECS) instances whose IP addresses fall within the CIDR block can access the instance of Container Registry Enterprise Edition.
    Notice If you want to allow all ECS instances to access the instance of Container Registry Enterprise Edition over the Internet, clear the whitelist that controls Internet access. After you clear the whitelist, the instance of Container Registry Enterprise Edition is completely exposed to the Internet and may be attacked. Proceed with caution.

Step 4: Create a credential

Before you pull private images or upload images, you must run the docker login command to log on to the image registry with a credential. Perform the following steps to create a credential:

  1. In the left-side navigation pane, choose Enterprise Instances > Instances.
  2. On the Instances page, click the instance of Container Registry Enterprise Edition.
  3. In the left-side navigation pane, choose Default Instance > Access Credential.
  4. Click Set Password.
  5. In the Set Password dialog box, set Password and Confirm Password and click OK.

You can call an API operation to obtain a temporary token for accessing the instance. For more information, see GetAuthorizationToken.

Step 5: Configure image-syncer

Use the password in the credential to configure image-syncer.

Container Registry Enterprise Edition works in a different mode from Container Registry Default Instance Edition. Each instance of Container Registry Enterprise Edition has a unique domain name. Namespaces on different instances of Container Registry Enterprise Edition are isolated from each other.
Note Each instance of Container Registry Enterprise Edition has two endpoints: one for Internet access and the other for virtual private cloud (VPC) access.
  • If image-syncer runs on a server on the Internet, you must use the endpoint for Internet access to access the instance of Container Registry Enterprise Edition.
  • If image-syncer runs on an ECS instance in a VPC, you must use the endpoint for VPC access to access the instance of Container Registry Enterprise Edition. In addition, you must make the endpoint visible to the VPC where the ECS instance is deployed.
In this example, images in the library/nginx repository of a self-managed Harbor project are synchronized to the image-syncer namespace on an instance of Container Registry Enterprise Edition. The name of the source repository, which is nginx, is used as the name of the destination repository. The following code block is a sample configuration file:
{
    "auth": {
        "harbor.myk8s.paas.com:32080": {
            "username": "admin",
            "password": "xxxxxxxxx",
            "insecure": true
        },
        "ruohe-test-registry.cn-shanghai.cr.aliyuncs.com": {
            "username": "ruohehhy",
            "password": "xxxxxxxx"
        }
    },
    "images": {
        "harbor.myk8s.paas.com:32080/library/nginx": ""
    }
}
  • harbor.myk8s.paas.com:32080: the endpoint of the self-managed Harbor project. It must be replaced with the actual endpoint.
    • username: the username of the self-managed Harbor instance. The value is admin in this example.
    • password: the password of the self-managed Harbor instance.
    • insecure: Set this parameter to true for the self-managed Harbor endpoint. This lets image-syncer connect to an endpoint that does not present a trusted TLS certificate; it is not set for the Container Registry Enterprise Edition endpoint.
  • ruohe-test-registry.cn-shanghai.cr.aliyuncs.com: the endpoint of the instance of Container Registry Enterprise Edition for Internet access.
    • username: the username in the credential.
    • password: the password in the credential.
  • "harbor.myk8s.paas.com:32080/library/nginx": "": synchronize the library/nginx repository from the endpoint harbor.myk8s.paas.com:32080. The empty destination means that the default destination registry and namespace specified on the command line are used.

Use image-syncer to synchronize images

  1. Download the latest installation package of image-syncer.
    Note Only the Linux AMD64 version is supported.
  2. Install and configure image-syncer.
    For more information, see Install and configure image-syncer.
  3. Run the following command to synchronize images:
    # Set the default destination registry to registry.cn-beijing.aliyuncs.com and the default destination namespace to image-syncer.
    # Set both the number of images that can be synchronized at a time and the maximum number of retries to 10.
    # Write logs to the ./log file. If the file does not exist, it is automatically created. If no log file is specified, image-syncer writes logs to stderr.
    # Specify harbor-to-acr.json as the configuration file. Its content is described in the previous section.
    ./image-syncer --proc=10 --config=./harbor-to-acr.json --registry=registry.cn-beijing.aliyuncs.com --namespace=image-syncer --retries=10 --log=./log
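    The configuration file in Step 5 holds two registry passwords, and the command above relies on the --registry and --namespace defaults matching an entry in the auth section. The following script is an added example, not part of this topic or of the image-syncer project: it generates the Step 5 configuration with the passwords taken from the environment instead of being typed into the file, resolves where each image will land under the empty-destination rule described in Step 5, and reports inconsistencies before the tool is run (insecure set on the Enterprise Edition endpoint, a missing password, or a destination registry with no credentials). The environment variable names HARBOR_PASSWORD and ACR_PASSWORD, the function names and the mode-0600 handling are this example's own assumptions; the endpoints and usernames are the ones from the sample configuration.

```python
"""Added example, not from the page or from image-syncer: build the Step 5
configuration with secrets from the environment, check it, and write it with
owner-only permissions. Variable and function names are assumptions."""
import json
import os
import stat
from pathlib import Path

# Endpoints from the page's sample configuration; replace with the actual ones.
HARBOR = "harbor.myk8s.paas.com:32080"
ACR = "ruohe-test-registry.cn-shanghai.cr.aliyuncs.com"


def build_config(harbor_password, acr_password):
    """Same layout as the page's harbor-to-acr.json; passwords are passed in."""
    return {
        "auth": {
            # Self-managed Harbor without a trusted certificate: insecure is set.
            HARBOR: {"username": "admin", "password": harbor_password, "insecure": True},
            # Enterprise Edition endpoint: TLS is verified, so no insecure flag.
            ACR: {"username": "ruohehhy", "password": acr_password},
        },
        "images": {f"{HARBOR}/library/nginx": ""},
    }


def resolve_destination(source, destination, default_registry, default_namespace):
    """Empty destination: keep the source repository name and place it under the
    default registry and namespace, the rule the page gives for --registry and
    --namespace (assumed here to apply to the last path component)."""
    if destination:
        return destination
    repo_path = source.split("/", 1)[1]        # drop the registry host
    repo_name = repo_path.rsplit("/", 1)[-1]   # library/nginx -> nginx
    return f"{default_registry}/{default_namespace}/{repo_name}"


def check_config(config, default_registry):
    """Return findings; an empty list means the config is consistent."""
    findings = []
    auth = config.get("auth", {})
    for registry, cred in auth.items():
        if cred.get("insecure") and registry.endswith(".cr.aliyuncs.com"):
            findings.append(
                f"{registry}: 'insecure' must not be set for the Enterprise Edition endpoint")
        if not cred.get("password") or cred["password"].startswith("<"):
            findings.append(f"{registry}: password is missing")
    for source, dest in config.get("images", {}).items():
        src_host = source.split("/", 1)[0]
        if src_host not in auth:
            findings.append(f"{source}: no auth entry for source registry {src_host}")
        dest_host = (dest or default_registry).split("/", 1)[0]
        if dest_host not in auth:
            findings.append(f"{source}: no auth entry for destination registry {dest_host}")
    return findings


def write_config(config, path):
    """Write the file with mode 0600 because it contains registry passwords."""
    path = Path(path)
    path.write_text(json.dumps(config, indent=4))
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


if __name__ == "__main__":
    cfg = build_config(os.environ.get("HARBOR_PASSWORD", "<missing>"),
                       os.environ.get("ACR_PASSWORD", "<missing>"))
    problems = check_config(cfg, ACR)
    if problems:
        raise SystemExit("\n".join(problems))
    for src, dst in cfg["images"].items():
        print(src, "->", resolve_destination(src, dst, ACR, "image-syncer"))
    print("config mode:", oct(write_config(cfg, "./harbor-to-acr.json")))
    # Then run, with --registry set to the same endpoint that has an auth entry:
    # ./image-syncer --proc=10 --config=./harbor-to-acr.json --registry=<ACR> --namespace=image-syncer --retries=10 --log=./log
```

    The script refuses to write the file when a check fails, so a --registry value that has no matching auth entry, or a password that was never exported, is caught before image-syncer starts retrying against the registry.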

Synchronization result

Each time you synchronize an image, image-syncer generates a synchronization task, runs the task, and retries if the task fails. Each task synchronizes an image that is represented by a tag. If no tag is specified for a rule in the configuration file, image-syncer lists all the tags in the source repository and generates synchronization tasks for all the images. If image-syncer fails to generate synchronization tasks, image-syncer retries after it runs generated tasks.

  • The following figure shows the output of a successful synchronization task. [Figure: Success]
  • The following figure shows the output of a failed synchronization task. Possible reasons include invalid usernames or passwords. [Figure: Failure]
  • The following figure shows the logs of image-syncer. [Figure: Log data]