Mirantis Secure Registry maintains data about:
Data | Description |
---|---|
Con figurations | The MSR cluster configurations |
Repository metadata | The metadata about the repositories and images deployed |
Access control to repos and images | Permissions for teams and repositories |
Notary data | Notary tags and signatures |
Scan results | Security scanning results for images |
C ertificates and keys | The certificates, public keys, and private keys that are used for mutual TLS communication |
Images content | The images you push to MSR. This can be stored on the file system of the node running MSR, or other storage system, depending on the configuration |
This data is persisted on the host running MSR, using named volumes.
To perform a backup of a MSR node, run the mirantis/dtr backup <msr-cli-backup> command. This command backs up the following data:
Data | Backed up | Description |
---|---|---|
Configurations | yes | MSR settings |
Repository metadata | yes | Metadata such as image architecture and size |
Access control to repos and images | yes | Data about who has access to which images |
Notary data | yes | Signatures and digests for images that are signed |
Scan results | yes | Information about vulnerabilities in your images |
Certificates and keys | yes | TLS certificates and keys used by MSR |
Image content | no | Needs to be backed up separately, depends on MSR configuration |
Users, orgs, teams | no | Create a MKE backup to back up this data |
Vulnerability database | no | Can be redownloaded after a restore |
To create a backup of MSR, you need to:
You should always create backups from the same MSR replica, to ensure a smoother restore. If you have not previously performed a backup, the web interface displays a warning for you to do so:
Since you need your MSR replica ID during a backup, the following covers a few ways for you to determine your replica ID:
You can find the list of replicas by navigating to Shared Resources > Stacks or Swarm > Volumes (when using swarm mode) on the MKE web interface.
From a terminal using a MKE client bundle, run:
docker ps --format "{{.Names}}" | grep dtr
# The list of MSR containers with <node>/<component>-<replicaID>, e.g.
# node-1/dtr-api-a1640e1c15b6
Another way to determine the replica ID is to log into a MSR node using SSH and run the following:
REPLICA_ID=$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-') && echo $REPLICA_ID
Since you can configure the storage backend that MSR uses to store images, the way you back up images depends on the storage backend you’re using.
If you’ve configured MSR to store images on the local file system or NFS
mount, you can back up the images by using SSH to log into a MSR node,
and creating a tar
archive of the msr-registry
volume.
sudo tar -cf dtr-image-backup-$(date +%Y%m%d-%H_%M_%S).tar \
/var/lib/docker/volumes/dtr-registry-$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-')
DTR_VERSION=$(docker container inspect $(docker container ps -f name=dtr-registry -q) | \
grep -m1 -Po '(?<=DTR_VERSION=)\d.\d.\d'); \
REPLICA_ID=$(docker ps --format '{{.Names}}' -f name=dtr-rethink | cut -f 3 -d '-'); \
read -p 'ucp-url (The MKE URL including domain and port): ' UCP_URL; \
read -p 'ucp-username (The MKE administrator username): ' UCP_ADMIN; \
read -sp 'ucp password: ' UCP_PASSWORD; \
docker run --log-driver none -i --rm \
--env UCP_PASSWORD=$UCP_PASSWORD \
docker/dtr:$DTR_VERSION backup \
--ucp-username $UCP_ADMIN \
--ucp-url $UCP_URL \
--ucp-ca "$(curl https://${UCP_URL}/ca)" \
--existing-replica-id $REPLICA_ID > dtr-metadata-${DTR_VERSION}-backup-$(date +%Y%m%d-%H_%M_%S).tar
<mke-url>
is the URL you use to access MKE.<mke-username>
is the username of a MKE administrator.<mke-password>
is the password for the indicated MKE administrator.The above chained commands run through the following tasks:
--existing-replica-id
flag in
the backup command.--ucp-ca
flag with --ucp-insecure-tls
.
Docker does not recommend this flag for production environments.tar
backup file.You can learn more about the supported flags in the MSR backup reference documentation.
By default, the backup command does not pause the MSR replica being
backed up to prevent interruptions of user access to MSR. Since the
replica is not stopped, changes that happen during the backup may not be
saved. Use the --offline-backup
flag to stop the MSR replica during
the backup procedure. If you set this flag, remove the replica from the
load balancing pool to avoid user interruption.
Also, the backup contains sensitive information like private keys, so you can encrypt the backup by running:
gpg --symmetric {{ metadata_backup_file }}
This prompts you for a password to encrypt the backup, copies the backup file and encrypts it.
To validate that the backup was correctly performed, you can print the contents of the tar file created. The backup of the images should look like:
tar -tf {{ images_backup_file }}
dtr-backup-v2.7.5/
dtr-backup-v2.7.5/rethink/
dtr-backup-v2.7.5/rethink/layers/
And the backup of the MSR metadata should look like:
tar -tf {{ metadata_backup_file }}
# The archive should look like this
dtr-backup-v2.7.5/
dtr-backup-v2.7.5/rethink/
dtr-backup-v2.7.5/rethink/properties/
dtr-backup-v2.7.5/rethink/properties/0
If you’ve encrypted the metadata backup, you can use:
gpg -d {{ metadata_backup_file }} | tar -t
You can also create a backup of a MKE cluster and restore it into a new cluster. Then restore MSR on that new cluster to confirm that everything is working as expected.