All Products
Search
Document Center

Container Registry:Replicate images across accounts

Last Updated:Sep 11, 2024

Container Registry allows you to replicate images between instances that belong to different Alibaba Cloud accounts. The cross-account image replication feature applies to all regions. Manual replication and automatic replication are supported.

Prerequisites

The source instance must be of the Advanced Edition. The destination instance can be of the Basic Edition or Advanced Edition.

Note
  • If your Container Registry Enterprise Edition instance is of the Basic Edition, you can click Instances in the left-side navigation pane of the Container Registry console and then find the Enterprise Edition instance. Click Upgrade in the card of the instance to upgrade the instance to the Advanced Edition.

  • You cannot replicate images from a public cloud region to a non-public cloud region, such as an Alibaba Finance Cloud region or an Alibaba Gov Cloud region.

Background information

You can replicate images between instances from one Alibaba Cloud account to another, from one RAM user to another, and from one Alibaba Cloud account to a RAM user.

Automatically replicate images

You can configure a replication rule to automate image replication between two instances that belong to different accounts. After you upload an image to the source instance, the system automatically replicates the image to the destination instance. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

Important

Only images that are uploaded after the replication rule is configured can be automatically replicated between instances that belong to different accounts. Existing images cannot be replicated.

Two solutions can be used to replicate existing images:

  • If you do not have a large number of existing images, you can manually replicate the images. For more information, see the "Manually replicate images" section of this topic and CreateRepoSyncTask.

  • If you have a large number of existing images, we recommend that you use the combination solution of replicating images to OSS buckets and importing Container Registry images.

    1. Copy all files in an OSS bucket to the OSS bucket of a Container Registry instance. For more information, see Data replication.

    2. Create an import rule, select an OSS bucket as the migration source, and start an image import task.

Preparations

You must obtain the following information before you set up replication between instances that belong to different accounts:

  • The IDs of Account A and Account B.

    Note

    If your account is a RAM user, you must obtain the ID of the Alibaba Cloud account to which the RAM user belongs.

  • The region where the destination instance is deployed and the ID of the destination instance.

    Log on to the Container Registry console. In the upper part of the Instances page, select a region and click the Enterprise Edition instance that you want to use as the destination instance. On the Overview page, you can find the region of the instance. You can also find the instance ID in the Instance section.

  • Images can be automatically replicated between instances that belong to different accounts by namespace or repository.

    • If you want to replicate images by namespace, the source and destination instances must each have a namespace with the same name, and automatic repository creation must be enabled for the corresponding namespace in the destination instance. For information about how to enable automatic repository creation for a namespace, see Step 4: Create a namespace.

    • If you want to replicate images by repository, the source and destination instances must each have a namespace with the same name, and each have a repository with the same name and configuration in their own namespace.

Step 1: Grant permissions to Account A

You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B.

  1. Create a RAM role named aliyuncontainerregistrycrossaccoutsyncrole.

    Note

    You must set the name of the RAM role to aliyuncontainerregistrycrossaccoutsyncrole.

    1. Log on to the RAM console by using Account B.

    2. In the left-side navigation pane, choose Identities > Roles. On the page that appears, click Create Role.

    3. In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Account as the trusted entity and click Next.

    4. In the Configure Role step, set RAM Role Name to aliyuncontainerregistrycrossaccoutsyncrole and click OK.

  2. Create a permission policy.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the page that appears, click Create Policy.

    2. On the Create Policy page, click JSON. In the following code block, set the Resource field based on the actual condition. Then, copy the modified code block to the editor and click Next to edit policy information.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-beijing:151356101970****:instance/cri-4im1o411ls8g****"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "cr:CreateSyncRule",
                      "cr:CreateRepositorySync"
                  ],
                  "Resource": "acs:cr:cn-hangzhou:151356101970****:instance/cri-4im1o411ls8gxr****"
              }
          ],
          "Version": "1"
      }

      Resource: the resource that you want to authorize Account A to access. Specify the resource in the following format: acs:cr:<region where the destination instance of Account B is deployed>:<ID of Account B>:instance/<ID of the destination instance of Account B>.

      Note

      If Account B is a RAM user, set <ID of Account B> in the Resource field to the ID of the Alibaba Cloud account to which the RAM user belongs.

  3. Attach the policy to the aliyuncontainerregistrycrossaccoutsyncrole role.

    1. On the Policies page, search for the policy that you created and click the name of the policy.

    2. On the page that appears, click the References tab. Then, click Grant Permission.

    3. In the Grant Permission panel, set Resource Scope to Account and Principal to aliyuncontainerregistrycrossaccoutsyncrole, and then click Grant permissions.

    4. Click Close.

  4. Modify the trust policy of aliyuncontainerregistrycrossaccoutsyncrole.

    1. In the left-side navigation pane of the RAM console, choose Identities > Roles.

    2. Search for aliyuncontainerregistrycrossaccoutsyncrole and click the role name in the search result.

    3. Click Trust Policy, and then click Edit Trust Policy.

    4. Set the Service field in the following code block based on the actual condition, copy the modified code block to the editor, and then click Save trust policy document.

      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "125287961064****@cr.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }

      Service: The object to whom you want to grant permissions. Specify the service in the following format: <ID of Account A>@cr.aliyuncs.com.

      Note

      If Account A is a RAM user, set <ID of Account A> in the Service field to the ID of the Alibaba Cloud account to which the RAM user belongs.

Step 2: Create a replication rule

  1. Log on to the Container Registry console with Account A.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Distribution > Instance Replication. On the page that appears, click Create Rule.

  6. In the Instance Information step of the Create Rule wizard, configure parameters and then click Next. The following table describes the parameters.

    Parameter

    description

    Rule Name

    Enter a name for the replication rule.

    Replication Scenario

    Set Replication Scenario to Across Accounts.

    Destination UID

    Enter the ID of the account to which the destination instance belongs.

    Destination Instance

    Select the region where the destination instance is deployed and enter the ID of the destination instance.

  7. In the Replication Information step, set Replication Level to Namespace or Repository based on your requirements, select the namespace or repository, and enter a regular expression to filter image tags. Then, click Create Rule.

    In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. On the Replication Record page, the status of the replication task is displayed as Completed. If the image appears in the destination instance, the automatic replication between instances that belong to different accounts is successful.

Manually replicate images

You can configure a replication rule to manually replicate an image between two instances that belong to different accounts. In this example, the source instance belongs to Account A and the destination instance belongs to Account B.

  1. Obtain the IDs of Account A and Account B, the region where the destination instance is deployed, and the ID of the destination instance. For more information, see the Preparations section in this topic.

  2. You must log on to the RAM console with Account B and grant Account A the permissions to replicate images to instances that belong to Account B. For more information, see Step 1 in this topic.

  3. Log on to the Container Registry console.

  4. In the top navigation bar, select a region.

  5. In the left-side navigation pane, click Instances.

  6. On the Instances page, click the Enterprise Edition instance that you want to manage.

  7. In the left-side navigation pane of the management page of the Enterprise Edition instance, choose Repository > Repositories.

  8. On the page that appears, click the name of the repository in which the image to be replicated resides.

  9. In the left-side navigation pane of the details page of the image repository, click Tags. On the page that appears, find the image that you want to replicate and click Replicate in the Actions column that corresponds to the image.

  10. In the Image Replication dialog box, set Replication Scenario to Cross Accounts and enter the ID of the destination instance account. Select the destination repository, enter the ID of the destination instance, the destination namespace, destination repository name, and image tag, and then click OK.

    In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Distribution > Replication Record. On the Replication Record page, the status of the replication task is displayed as Completed. If the image appears in the destination instance, the manual replication is successful.

References

To replicate images between instances that belong to the same account across regions, see Replicate images within same account.