Use the remote replication capability of Harbor to synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance and implement geo-disaster recovery - Container Registry

This topic describes how to use the remote replication capability of Harbor to synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance and implement geo-disaster recovery of container image repositories.

Note

If you do not want to synchronize images by using the remote replication capability of Harbor or you have high requirements for the synchronization speed, see Migrate images from a Harbor registry to a Container Registry Enterprise Edition instance within 10 minutes.

Prerequisites

A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.

Procedure

Synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance

Note

If the Harbor registry is deployed in a data center, you must connect the Harbor registry to the Enterprise Edition instance over a VPC of the Enterprise Edition instance. For more information, see Access a Container Registry Enterprise Edition instance from a data center.

Step 1: Create a namespace

Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Container Registry Enterprise Edition instance to which you want to synchronize images.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Repository > Namespace.
On the Namespace page, click Create Namespace.

In the Create Namespace dialog box, configure the Namespace, Automatically Create Repository, and Default Repository Type parameters. The following table describes the parameters. Then, click OK.

Parameter	Description
Namespace	Enter the name of the project in Harbor that you want to synchronize. Example: test-project.
Automatically Create Repository	Turn on Automatically Create Repository. Note If you turn off Automatically Create Repository, you must create a repository in the namespace before you synchronize the image.
Default Repository Type	Select a repository type. We recommend that you select Private.

Step 2: Configure the destination repository in Harbor

Log on to Harbor.
In the left-side navigation pane, choose Administration > Registries.
On the Registries page, click NEW ENDPOINT.

In the New Registry Endpoint dialog box, configure the parameters. The following table describes the parameters.

Parameter	Description
Provider	Select Docker Registry from the drop-down list.
Name	Enter a name for the new endpoint.
Description	Enter a description for the new endpoint.
Endpoint URL	Enter the endpoint of the destination repository of the Container Registry Enterprise Edition instance. Example:`https://my**-registry.cn-hangzhou.cr.aliyuncs.com`. If the Harbor registry and the Container Registry Enterprise Edition instance belong to the same VPC, you can use the VPC to synchronize images. An example of the endpoint: `https://my**-registry-vpc.cn-hangzhou.cr.aliyuncs.com`.
Access ID	Enter the username that you use to access the destination repository.
Access Secret	Enter the Secret that you use to access the destination repository.

Click TEST CONNECTION. If the Connection tested successfully message appears, the parameters that you entered are valid. Click OK.

Step 3: Configure a synchronization rule

Log on to Harbor.
In the left-side navigation pane, choose Administration > Replications.
On the Replications page, click NEW REPLICATION RULE.

In the New Replication Rule dialog box, configure the parameters. The following table describes the parameters. Then, click SAVE.

Parameter	Description
Name	Enter a name for the synchronization rule.
Description	Enter a description for the synchronization rule.
Replication mode	Select Push-based.
Source resource filter	Follow the on-screen instructions to configure this parameter. This parameter is used to filter the resources that you want to synchronize. The default value of the Resource parameter in the "Source resource filter" section is All.
Destination registry	Select the destination repository that you configured in Step 2.
Destination	In the Namespace field, enter the namespace that you created in Step 1 in the Container Registry Enterprise Edition instance. The Flattening parameter is used to simplify the hierarchy of the repository when you replicate images. We recommend that you select Flatten 1 Level. For example, images may be replicated from harbor-project/nginx to `acr-ns/nginx` after you select Replace Level 1.
Trigger Mode	Select a trigger mode. We recommend that you select Event Based to synchronize image changes in Harbor.
Bandwidth	Specify a value for this parameter to limit the maximum network bandwidth during synchronization. The default value is -1, which specifies that no limit is imposed on the maximum network bandwidth.

In the Name column of the Replications page, select the rule that you created in the previous step and click REPLICATE. This way, existing images on the Harbor registry are replicated to the Container Registry Enterprise Edition instance. When the status of the replication task becomes Succeeded, the synchronization task is complete. Subsequent changes to the image repository in Harbor are synchronized to the Container Registry Enterprise Edition instance in the event-based trigger mode.

Configure a custom endpoint to implement geo-disaster recovery

Container Registry Enterprise Edition supports the custom endpoint feature that allows you to add custom endpoints and SSL certificates to Container Registry Enterprise Edition instances. This way, you can use the custom endpoints to access the Container Registry Enterprise Edition instances over HTTPS.

You can use the following disaster recovery solutions based on your network environments.

Solution 1: If the Harbor registry is deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet

In this example, the Container Registry Enterprise Edition instance is deployed in China (Hangzhou), and the Harbor registry is deployed in China (Zhangjiakou). The instances have the same endpoint. PrivateZone is configured for the instances. For information about how to configure PrivateZone, see Use a custom domain name to access a Container Registry Enterprise Edition instance.

The following table describes the basic information about the Container Registry Enterprise Edition instance and the Harbor registry.

Instance ID	Public Endpoint	Name of the associated VPC	Custom endpoint
ACR-A	a-registry.cn-hangzhou.cr.aliyuncs.com	vpc-aaaaa	cross-region.registry.io
Harbor-B	-	vpc-bbbbb	cross-region.registry.io

If the Harbor registry in the China (Zhangjiakou) region fails and the business cannot push images to and pull image from the registry, you can modify the PrivateZone resolution configuration of the custom endpoint to pull the synchronized image from the Container Registry Enterprise Edition instance across regions. Procedure:

Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, select PrivateZone.
On the Authoritative Zones tab, enter the endpoint cross-region.registry.io to search for the zone. Two zones are displayed. Click the zone that is associated with the vpc-bbbbb VPC.
On the DNS Settings tab, find the record that you want to modify and click Modify in the Actions column.

In the Modify Record dialog box, configure the parameters. The following table describes the parameters. Then, click OK.

Parameter	Description
Record Type	Select CNAME.
Hostname	Set this parameter to @.
Record Value	Set this parameter to the public endpoint of the Container Registry Enterprise Edition instance: `a-registry.cn-hangzhou.cr.aliyuncs.com`.
TTL Period	Retain the default value.

Solution 2: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet

Set the custom endpoint of the Container Registry Enterprise Edition instance to the endpoint of the Harbor registry. Example: www.ha****.com. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance.

If the Harbor registry fails and the business cannot push images to and pull images from the registry, you must modify the DNS resolution settings of the endpoint of the registry and allow the endpoint (for example, www.harbor.com) of the registry to be resolved to the public IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the Internet to push and pull images.

Solution 3: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the VPC

If the Harbor registry fails and the business cannot push images to and pull images from the instance, you must obtain the IP address of the Container Registry Enterprise Edition instance and configure a routing rule and DNS resolution that allow the endpoint (for example, www.harbor.com) of the Harbor registry to be resolved to the IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the VPC to push and pull images. For more information, see Access a Container Registry Enterprise Edition instance from a data center.