This topic describes how to use image-syncer to synchronize images from self-built Harbor to Container Registry Enterprise Edition.

Prerequisites

  • The Container Registry service is activated.

    Log on to the Container Registry console and activate the Container Registry service.

  • A Container Registry Enterprise Edition instance is created.

Background information

Container Registry Enterprise Edition provides an enterprise-class secure service for managing container images and Helm charts. It provides enterprise-class security features and allows you to distribute images to up to 1,000 nodes concurrently and synchronize images among regions around the world. It also allows you to create cloud-native application delivery chains to automatically deliver images globally upon source code changes in multiple scenarios. It is designed for enterprise customers that have high security requirements, deploy services in multiple regions, and use container clusters with a large number of nodes.
Note Container Registry Enterprise Edition is currently in public preview. To use it, submit a ticket.

Create a namespace

A namespace allows you to effectively manage a collection of repositories, including repository permissions and repository attributes. You can enable Automatically Create Repository for a namespace. When you run the docker push command to push images to a repository that does not exist in the namespace, the repository is automatically created.
Note The target repository created by using the docker push command can be public or private based on the setting of Default Repository Type for the namespace.
  1. Log on to the Container Registry console.
  2. In the left-side navigation pane, choose Default Instance > Namespaces.
  3. On the Namespaces page, click Create Namespace in the upper-right corner.
  4. In the Create Namespace dialog box, enter a name for the namespace and click Confirm.
After the namespace is created, you can find it on the Namespaces page. You can also manage namespaces on the Namespaces page.
Note You must turn on the switch for Automatically Create Repository.

Grant permissions to a RAM user

If you perform subsequent operations as a Resource Access Management (RAM) user, you must create a RAM user and grant permissions to the RAM user. Skip this section if you use an Alibaba Cloud account to perform subsequent operations.

  1. Create a RAM user. For more information, see Step 1: Create a RAM user and enable console password logon.
  2. Grant relevant permissions to the RAM user. For more information, see Custom RAM policies.
    In this example, the RAM user receives only the create, update, push, and pull permissions, and the Resource element limits them to repositories under the image-syncer namespace (acs:cr:*:*:repository/image-syncer/*). These four permissions are all that this example needs; do not grant a wildcard action or a resource that covers other namespaces.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cr:CreateRepository",
                    "cr:UpdateRepository",
                    "cr:PushRepository",
                    "cr:PullRepository"
                ],
                "Resource": [
                    "acs:cr:*:*:repository/image-syncer/*"
                ]
            }
        ],
        "Version": "1"
    }
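The following script is an added example and is not code from this page or from Alibaba Cloud's tooling. It lints a RAM policy against the scope described above: every Allow statement must grant only the four repository actions, and every resource must be the image-syncer namespace pattern or an ARN under it. The policy dict is the page's policy; the function names and the second, deliberately broad policy are this example's own.

```python
"""Lint a RAM policy for the least-privilege grant described above.

Added example; not from the page or from Alibaba Cloud's tooling. It loads a
RAM policy document and reports every Allow statement that grants something
beyond the four repository actions, or a resource wider than the image-syncer
namespace. PAGE_POLICY is the page's example; BROAD_POLICY is constructed.
"""
import json
from fnmatch import fnmatchcase

# The four actions the page grants, and the narrowest resource they should apply to.
ALLOWED_ACTIONS = {
    "cr:CreateRepository",
    "cr:UpdateRepository",
    "cr:PushRepository",
    "cr:PullRepository",
}
ALLOWED_RESOURCE = "acs:cr:*:*:repository/image-syncer/*"

# The page's policy, as a Python dict.
PAGE_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cr:CreateRepository", "cr:UpdateRepository",
                   "cr:PushRepository", "cr:PullRepository"],
        "Resource": ["acs:cr:*:*:repository/image-syncer/*"],
    }],
    "Version": "1",
}

# Constructed counter-example: a wildcard action and a resource covering every namespace.
BROAD_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": "cr:*",
        "Resource": "acs:cr:*:*:repository/*",
    }],
    "Version": "1",
}


def _as_list(value):
    # RAM accepts both a single string and a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def resource_within(resource, allowed=ALLOWED_RESOURCE):
    """True if `resource` is the allowed pattern itself or a narrower ARN under it.

    fnmatch treats '*' in the pattern as a wildcard and '*' in the candidate as a
    literal, so "acs:cr:*:*:repository/*" and "*" are rejected while
    "acs:cr:cn-shanghai:1234:repository/image-syncer/nginx" is accepted.
    """
    return fnmatchcase(resource, allowed)


def find_overreach(policy, allowed_actions=ALLOWED_ACTIONS, allowed_resource=ALLOWED_RESOURCE):
    """Return findings (strings) for every grant wider than the intended scope.

    An empty list means the policy stays inside the scope the page describes.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {index}: unexpected action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if not resource_within(resource, allowed_resource):
                findings.append(
                    f"statement {index}: resource {resource!r} is wider than {allowed_resource!r}")
    return findings


if __name__ == "__main__":
    print("page policy:", find_overreach(PAGE_POLICY) or "within scope")
    for line in find_overreach(BROAD_POLICY):
        print("broad policy:", line)
```

Run it against the policy you are about to attach to the RAM user; anything it reports is a grant that image-syncer does not need for this example.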

Configure access over the public network

By default, a Container Registry Enterprise Edition instance is not reachable over the public network. If the host that runs image-syncer is not in the VPC of the instance, you must enable access over the public network and then restrict it with the public-network access control policy (a whitelist of CIDR blocks) described in this section.

  1. Log on to the Container Registry console. In the top navigation bar, select the target region.
  2. In the left-side navigation pane, choose Enterprise Instances > Instances.
  3. On the Instances page, click the Container Registry Enterprise Edition instance to be configured.
  4. In the left-side navigation pane, choose Repositories > Access Control.
    Note If you want to configure access control for Helm charts, choose Helm Chart > Access Control.
  5. On the Internet tab, click Add Internet Whitelist.
  6. In the Add Internet Whitelist dialog box that appears, enter the Classless Inter-Domain Routing (CIDR) block that is allowed to access the Container Registry Enterprise Edition instance and its description.
  7. Click OK.
    After the CIDR block is added, clients whose source address falls in the CIDR block can reach the Container Registry Enterprise Edition instance over the public network. Add the public (NAT egress) address of the host that will run image-syncer, and keep the block as narrow as possible; for a single host, a /32 is enough.
    Notice If you enable access over the public network and the whitelist contains no entries, the instance accepts connections from any address on the Internet and is protected only by the access credential. It may then be attacked. Perform this operation with caution, and only if you really need to allow all hosts.
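The following script is an added example, not code from this page or from the Container Registry console. It models the Internet whitelist as the list of CIDR strings entered on the Internet tab and answers the two questions to settle before enabling public access: whether the public source address of the host that will run image-syncer is admitted, and whether the list contains entries that defeat the whitelist (no entries at all, 0.0.0.0/0, very short prefixes, or private ranges, which never match a source address arriving over the Internet). The sample addresses are constructed from the RFC 5737 documentation ranges; the function names and the /16 threshold are this example's choices.

```python
"""Check an Internet whitelist for the Enterprise Edition instance.

Added example; not from the page or the Container Registry console. The
whitelist is modelled as the CIDR strings entered on the Internet tab.
"""
import ipaddress

# Private ranges that can never be the source of a connection from the public network.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefixes shorter than this admit more than 65,536 addresses; treated as a smell (this example's threshold).
MIN_PREFIX_LEN = 16


def is_allowed(whitelist, client_ip):
    """True if client_ip may reach the instance under this whitelist.

    Mirrors the documented rule: public access enabled with an empty whitelist
    admits every address.
    """
    if not whitelist:
        return True
    addr = ipaddress.ip_address(client_ip)
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def audit_whitelist(whitelist):
    """Return a list of findings; an empty list means nothing looked dangerous."""
    if not whitelist:
        return ["whitelist is empty: the instance accepts connections from the whole Internet"]
    findings = []
    for entry in whitelist:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid CIDR block")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address, equivalent to no whitelist")
            continue
        if net.version == 4 and any(net.subnet_of(priv) for priv in RFC1918):
            findings.append(f"{entry}: private range, never matches an Internet source address; "
                            "whitelist the NAT egress address instead")
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(f"{entry}: very broad block (/{net.prefixlen})")
    return findings


if __name__ == "__main__":
    # Constructed whitelist: the /32 egress address of the image-syncer host plus an office block.
    whitelist = ["203.0.113.7/32", "198.51.100.0/24"]
    print(is_allowed(whitelist, "203.0.113.7"), is_allowed(whitelist, "192.0.2.10"))
    for finding in audit_whitelist(["10.0.0.0/8", "0.0.0.0/0"]):
        print(finding)
```

A whitelist entry only helps if the address you put in it is the one the registry actually sees; for a host behind NAT that is the NAT egress address, not the host's private address.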

Configure an access credential

Before you can pull private images or push images, whether with the docker login command or through the auth section of the image-syncer configuration file, you need an access credential for the registry. Follow these steps to configure an access credential:

  1. In the left-side navigation pane, choose Default Instance > Access Credential.
  2. On the Access Credential page, click Set Password.
  3. In the Set Password dialog box, set Password and Confirm Password and click OK.

Configure image-syncer

Use the password in the access credential to configure image-syncer.

Different from Container Registry Default Instance Edition, each Container Registry Enterprise Edition instance has its own endpoints and namespaces. Namespaces on different Container Registry Enterprise Edition instances are isolated from each other.
Note Each Container Registry Enterprise Edition instance has two endpoints, one for the public network and the other for Virtual Private Clouds (VPCs).
  • If image-syncer runs on a server on the public network, you must use the endpoint for the public network to access the Container Registry Enterprise Edition instance.
  • If image-syncer runs on an ECS instance in a VPC, you must use the endpoint for VPCs to access the Container Registry Enterprise Edition instance. In addition, you must configure the endpoint to be visible to the VPC where the ECS instance resides.
This example synchronizes the images in the library/nginx repository of a self-built Harbor registry to the image-syncer namespace of a Container Registry Enterprise Edition instance. The destination in the images section is left empty (""), so image-syncer uses the default registry and namespace given on the command line and keeps the name of the source repository, nginx, as the name of the destination repository. The configuration file is as follows:
{
    "auth": {
        "harbor.myk8s.paas.com:32080": {
            "username": "admin",
            "password": "xxxxxxxxx",
            "insecure": true
        },
        "ruohe-test-registry.cn-shanghai.cr.aliyuncs.com": {
            "username": "ruohehhy",
            "password": "xxxxxxxx"
        }
    },
    "images": {
        "harbor.myk8s.paas.com:32080/library/nginx": ""
    }
}
  • harbor.myk8s.paas.com:32080: the endpoint of the self-built Harbor registry. It must be replaced with the actual value.
    • username: the username of the self-built Harbor registry. The value is admin in this example.
    • password: the password of the self-built Harbor registry.
    • insecure: Set this parameter to true only if the Harbor registry is served over plain HTTP or with a certificate the host does not trust; true lets image-syncer connect over HTTP and skip TLS certificate verification. Leave it unset (the default is false) for the Container Registry Enterprise Edition endpoint, which is served over TLS.
  • ruohe-test-registry.cn-shanghai.cr.aliyuncs.com: the endpoint of the Container Registry Enterprise Edition instance for the public network.
    • username: the username in the access credential.
    • password: the password in the access credential.
  • "harbor.myk8s.paas.com:32080/library/nginx": "": Synchronize the library/nginx repository located on harbor.myk8s.paas.com:32080. No tag is given, so all tags are synchronized, and the empty destination means the image is pushed to the default registry and namespace specified on the command line with the repository name nginx.

Use image-syncer to synchronize images

  1. Download the latest installation package of image-syncer.
    Note Currently, only the Linux AMD64 version is supported.
  2. Install and configure image-syncer.
    For more information, see the guide on GitHub.
  3. Run the following command to synchronize images:
    # Set the default destination registry to the public endpoint of the Container Registry Enterprise Edition instance, the same endpoint that appears under auth in the configuration file, and the default destination namespace to image-syncer. The registry given here must have an auth entry; otherwise the push is unauthenticated and fails.
    # Set both the number of images that can be synchronized concurrently and the maximum number of retries to 10.
    # Record logs in the ./log file. If the file does not exist, it is automatically created. If no log file is specified, image-syncer writes logs to stderr.
    # Specify harbor-to-acr.json as the configuration file. Its content is described in the previous section. The file contains plaintext passwords, so restrict its file permissions to the user that runs image-syncer.
    ./image-syncer --proc=10 --config=./harbor-to-acr.json --registry=ruohe-test-registry.cn-shanghai.cr.aliyuncs.com --namespace=image-syncer --retries=10 --log=./log
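The following script is an added example that serves both the configuration section and the run command above; it is not code from this page or from the image-syncer project. It applies the defaulting rule the page describes (an image rule with an empty destination goes to the --registry and --namespace given on the command line, keeping the source repository name and tags), then performs the checks a failed run would otherwise reveal only in the log: every destination registry must have an auth entry, insecure should not be set on the Enterprise Edition endpoint, and the configuration file, which holds plaintext passwords, should be readable only by the user running the tool. Host names and the namespace are the page's; the function names, the placeholder passwords and the 0600 file mode are this example's choices.

```python
"""Resolve image-syncer destinations and check the config before a run.

Added example; neither the page's nor the image-syncer project's code. The
defaulting rule implemented here is the one the page documents for an image
rule whose destination is "".
"""
import json
import os

# The page's configuration; the passwords are placeholders.
CONFIG = {
    "auth": {
        "harbor.myk8s.paas.com:32080": {
            "username": "admin", "password": "xxxxxxxxx", "insecure": True},
        "ruohe-test-registry.cn-shanghai.cr.aliyuncs.com": {
            "username": "ruohehhy", "password": "xxxxxxxx"},
    },
    "images": {"harbor.myk8s.paas.com:32080/library/nginx": ""},
}


def registry_of(reference):
    """Host[:port] part of an image reference such as host:port/ns/repo:tag."""
    return reference.split("/", 1)[0]


def resolve_destination(source, destination, default_registry, default_namespace):
    """Destination reference for one image rule, per the documented defaulting."""
    if destination:
        return destination
    repo = source.rsplit("/", 1)[-1]  # "nginx" or "nginx:1.25"; a tag is kept as is
    return f"{default_registry}/{default_namespace}/{repo}"


def check_config(config, default_registry, default_namespace):
    """Return (resolved, findings); resolved maps each source to its destination."""
    auth = config.get("auth", {})
    resolved, findings = {}, []
    for source, destination in config.get("images", {}).items():
        dest = resolve_destination(source, destination, default_registry, default_namespace)
        resolved[source] = dest
        src_reg, dst_reg = registry_of(source), registry_of(dest)
        if src_reg not in auth:
            findings.append(f"{source}: no auth entry for {src_reg}; the pull will be anonymous")
        if dst_reg not in auth:
            findings.append(f"{dest}: no auth entry for {dst_reg}; the push will fail")
        elif auth[dst_reg].get("insecure"):
            findings.append(f"{dst_reg}: insecure=true disables TLS verification on the destination")
    return resolved, findings


def build_command(config_path, registry, namespace, proc=10, retries=10, log="./log"):
    """argv for the run shown on the page, with the destination registry made explicit."""
    return ["./image-syncer", f"--proc={proc}", f"--config={config_path}",
            f"--registry={registry}", f"--namespace={namespace}",
            f"--retries={retries}", f"--log={log}"]


def write_config(path, config):
    """Write the config with mode 0600 so other local users cannot read the passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=4)


if __name__ == "__main__":
    enterprise = "ruohe-test-registry.cn-shanghai.cr.aliyuncs.com"
    resolved, findings = check_config(CONFIG, enterprise, "image-syncer")
    print(resolved, findings or "ok")
    # The same config with a Default Instance endpoint as --registry has no matching auth entry.
    print(check_config(CONFIG, "registry.cn-beijing.aliyuncs.com", "image-syncer")[1])
    print(" ".join(build_command("./harbor-to-acr.json", enterprise, "image-syncer")))
```

The second check_config call shows why --registry must name the endpoint listed under auth: with any other registry the destination has no credentials and every push task fails and is retried until --retries is exhausted.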

Synchronization result

When synchronizing images, image-syncer generates synchronization tasks, runs them, and retries failed tasks. Failed tasks include tasks that fail to run and tasks that fail to be generated. Each synchronization task synchronizes an image with the specified tags. If an image synchronization rule in the configuration file does not specify any tags, image-syncer generates synchronization tasks for that rule for all of the original tags.

  • If images are successfully synchronized, image-syncer reports the result as shown in the figure. (Figure: Success result)
  • If images fail to be synchronized, for example because of an incorrect username or password, image-syncer reports the failure as shown in the figure. (Figure: Failure result)
  • While it runs, image-syncer writes log information as shown in the figure. (Figure: Log information)