Install Mirantis Secure Registry
docker run -it --rm mirantis/dtr \
install [command options]
This command installs Mirantis Secure Registry (MSR) on a node managed by Mirantis Kubernetes Engine (MKE).
After installing MSR, you can join additional MSR replicas using
mirantis/dtr join
.
$ docker run -it --rm docker/dtr:2.7.5 install \
--ucp-node <MKE_NODE_HOSTNAME> \
--ucp-insecure-tls
Note
Use --ucp-ca "$(cat ca.pem)"
instead of --ucp-insecure-tls
for a production deployment.
Option | Environment variable | Description |
---|---|---|
--async-nfs |
$ASYNC_NFS | Use async NFS volume options on the replica specified in the
--existing-replica-id option. The NFS configuration must be set with
--nfs-storage-url explicitly to use this option. Using
--async-nfs will bring down any containers on the replica that use
the NFS volume, delete the NFS volume, bring it back up with the
appropriate configuration, and restart any containers that were brought
down. |
--client-cert-auth-ca |
$CLIENT_CA | Specify root CA certificates for client authentication with
--client-cert-auth-ca "$(cat ca.pem)" . |
--debug |
$DEBUG | Enable debug mode for additional logs. |
--dtr-ca |
$DTR_CA | Use a PEM-encoded TLS CA certificate for MSR. By default MSR generates a
self-signed TLS certificate during deployment. You can use your own root
CA public certificate with --dtr-ca "$(cat ca.pem)" . |
--dtr-cert |
$DTR_CERT | Use a PEM-encoded TLS certificate for MSR. By default MSR generates a
self-signed TLS certificate during deployment. You can use your own
public key certificate with --dtr-cert "$(cat cert.pem)" . If the
certificate has been signed by an intermediate certificate authority,
append its public key certificate at the end of the file to establish a
chain of trust. |
--dtr-external-url |
$DTR_EXTERNAL_URL | URL of the host or load balancer clients use to reach MSR. When you use
this flag, users are redirected to MKE for logging in. Once
authenticated they are redirected to the URL you specify in this flag.
If you don’t use this flag, MSR is deployed without single sign-on with
MKE. Users and teams are shared but users log in separately into the two
applications. You can enable and disable single sign-on within your MSR
system settings. Format https://host[:port] , where port is the
value you used with --replica-https-port . Since HSTS (HTTP
Strict-Transport-Security) header is included in all API responses, make
sure to specify the FQDN (Fully Qualified Domain Name) of your MSR, or
your browser may refuse to load the web interface. |
--dtr-key |
$DTR_KEY | Use a PEM-encoded TLS private key for MSR. By default MSR generates a
self-signed TLS certificate during deployment. You can use your own TLS
private key with --dtr-key "$(cat key.pem)" . |
--dtr-storage-volume |
$DTR_STORAGE_VOLUME | Customize the volume to store Docker images. By default MSR creates a
volume to store the Docker images in the local filesystem of the node
where MSR is running, without high-availability. Use this flag to
specify a full path or volume name for MSR to store images. For
high-availability, make sure all MSR replicas can read and write data on
this volume. If you’re using NFS, use --nfs-storage-url instead. |
--enable-client-cert-auth |
$ENABLE_CLIENT_CERT_AUTH | Enables TLS client certificate authentication; use
--enable-client-cert-auth=false to disable it. If enabled, MSR will
additionally authenticate users via TLS client certificates. You must
also specify the root certificate authorities (CAs) that issued the
certificates with --client-cert-auth-ca . |
--enable-pprof |
$DTR_PPROF | Enables pprof profiling of the server. Use --enable-pprof=false to
disable it. Once MSR is deployed with this flag, you can access the pprof
endpoint for the api server at /debug/pprof , and the registry
endpoint at /registry_debug_pprof/debug/pprof . |
--help-extended |
$DTR_EXTENDED_HELP | Display extended help text for a given command. |
--http-proxy |
$DTR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
--https-proxy |
$DTR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
--log-host |
$LOG_HOST | The syslog system to send logs to. The endpoint to send logs to. Use
this flag if you set --log-protocol to tcp or udp . |
--log-level |
$LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are debug, info, warn, error, or fatal. |
--log-protocol |
$LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, MSR
internal components log information using the logger specified in the
Docker daemon in the node where the MSR replica is deployed. Use this
option to send MSR logs to an external syslog system. The supported
values are tcp , udp , or internal . Internal is the default
option, stopping MSR from sending logs to an external system. Use this
flag with --log-host . |
--nfs-storage-url |
$NFS_STORAGE_URL | Use NFS to store Docker images following this format: nfs://<ip|
hostname>/<mountpoint> . By default, MSR creates a volume to store the
Docker images in the local filesystem of the node where MSR is running,
without high availability. To use this flag, you need to install an NFS
client library like nfs-common in the node where you’re deploying MSR.
You can test this by running showmount -e <nfs-server> . When you
join new replicas, they will start using NFS so there is no need to
specify this flag. To reconfigure MSR to stop using NFS, leave this
option empty: --nfs-storage-url "" . See USE NFS for more details. |
--nfs-options |
$NFS_OPTIONS | Pass in NFS volume options verbatim for the replica specified in the
--existing-replica-id option. The NFS configuration must be set with
--nfs-storage-url explicitly to use this option. Specifying
--nfs-options will pass in character-for-character the options
specified in the argument when creating or recreating the NFS volume.
For instance, to use NFS v4 with async, pass in “rw,nfsvers=4,async” as
the argument. |
--no-proxy |
$DTR_NO_PROXY | List of domains the proxy should not be used for. When using
--http-proxy you can use this flag to specify a list of domains that
you don’t want to route through the proxy. Format acme.com[, acme.org] . |
--overlay-subnet |
$DTR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: 10.0.0.0/24 .
For high-availability, MSR creates an overlay network between MKE nodes.
This flag allows you to choose the subnet for that network. Make sure
the subnet you choose is not used on any machine where MSR replicas are
deployed. |
--replica-http-port |
$REPLICA_HTTP_PORT | The public HTTP port for the MSR replica. Default is 80 . This allows
you to customize the HTTP port where users can reach MSR. Once users
access the HTTP port, they are redirected to use an HTTPS connection,
using the port specified with --replica-https-port . This port can
also be used for unencrypted health checks. |
--replica-https-port |
$REPLICA_HTTPS_PORT | The public HTTPS port for the MSR replica. Default is 443 . This
allows you to customize the HTTPS port where users can reach MSR. Each
replica can use a different port. |
--replica-id |
$DTR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the MSR replica. Random by default. |
--replica-rethinkdb-cache-mb |
$RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by
the given replica. Default is auto. Auto is (available_memory - 1024)
/ 2 . This config allows changing the RethinkDB cache usage per replica.
You need to run it once per replica to change each one. |
--ucp-ca |
$UCP_CA | Use a PEM-encoded TLS CA certificate for MKE. Download the MKE TLS CA
certificate from https://<mke-url>/ca , and use --ucp-ca "$(cat ca.pem)" . |
--ucp-insecure-tls |
$UCP_INSECURE_TLS | Disable TLS verification for MKE. The installation uses TLS but always
trusts the TLS certificate used by MKE, which can lead to MITM
(man-in-the-middle) attacks. For production deployments, use --ucp-ca
"$(cat ca.pem)" instead. |
--ucp-node |
$UCP_NODE | The hostname of the MKE node to deploy MSR. Random by default. You can
find the hostnames of the nodes in the cluster in the MKE web interface,
or by running docker node ls on a MKE manager node. |
--ucp-password |
$UCP_PASSWORD | The MKE administrator password. |
--ucp-url |
$UCP_URL | The MKE URL including domain and port. |
--ucp-username |
$UCP_USERNAME | The MKE administrator username. |