MSR architecture

MSR architecture

Mirantis Secure Registry (MSR) is a containerized application that runs on a Mirantis Kubernetes Engine cluster.


Once you have MSR deployed, you use your Docker CLI client to login, push, and pull images.

Under the hood

For high-availability you can deploy multiple MSR replicas, one on each MKE worker node.


All MSR replicas run the same set of services and changes to their configuration are automatically propagated to other replicas.

MSR internal components

When you install MSR on a node, the following containers are started:

Name Description
dtr-api-<replica_id> Executes the MSR business logic. It serves the MSR web application and API
dtr-garant-<replica_id> Manages MSR authentication
dtr-jobrunner-<replica_id> Runs cleanup jobs in the background
dtr-nginx-<replica_id> Receives http and https requests and proxies them to other MSR components. By default it listens to ports 80 and 443 of the host
dtr-notary-server-<replica_id> Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to MSR with content trust enabled
dtr-notary-signer-<replica_id> Performs server-side timestamp and snapshot signing for content trust metadata
dtr-registry-<replica_id> Implements the functionality for pulling and pushing Docker images. It also handles how images are stored
dtr-rethinkdb-<replica_id> A database for persisting repository metadata
dtr-scanningstore-<replica_id> Stores security scanning data

All these components are for internal use of MSR. Don’t use them in your applications.

Networks used by MSR

To allow containers to communicate, when installing MSR the following networks are created:

Name Type Description
dtr-ol overlay Allows MSR components running on different nodes to communicate, to replicate MSR data

Volumes used by MSR

MSR uses these named volumes for persisting data:

Volume name Description
dtr-ca-<replica_id> Root key material for the MSR root CA that issues certificates
dtr-notary-<replica_id> Certificate and keys for the Notary components
dtr-postgres-<replica_id> Vulnerability scans data
dtr-registry-<replica_id> Docker images data, if MSR is configured to store images on the local filesystem
dtr-rethink-<replica_id> Repository metadata
dtr-nfs-registry-<replica_id> Docker images data, if MSR is configured to store images on NFS

You can customize the volume driver used for these volumes, by creating the volumes before installing MSR. During the installation, MSR checks which volumes don’t exist in the node, and creates them using the default volume driver.

By default, the data for these volumes can be found at /var/lib/docker/volumes/<volume-name>/_data.

Image storage

By default, Mirantis Secure Registry stores images on the filesystem of the node where it is running, but you should configure it to use a centralized storage backend.


MSR supports these storage back ends:

  • NFS
  • Amazon S3
  • Cleversafe
  • Google Cloud Storage
  • OpenStack Swift
  • Microsoft Azure

How to interact with MSR

MSR has a web UI where you can manage settings and user permissions.


You can push and pull images using the standard Docker CLI client or other tools that can interact with a Docker registry.