MSR architecture

Mirantis Secure Registry (MSR) is a containerized application that runs on a Mirantis Kubernetes Engine cluster.

Once you have MSR deployed, you use your Docker CLI client to log in, push, and pull images.

Under the hood

For high availability, you can deploy multiple MSR replicas, one on each MKE worker node.

All MSR replicas run the same set of services, and changes to the configuration of one replica are automatically propagated to the other replicas.

MSR internal components

When you install MSR on a node, the following containers are started:

Name | Description
---- | -----------
dtr-api-<replica_id> | Executes the MSR business logic. It serves the MSR web application and API.
dtr-garant-<replica_id> | Manages MSR authentication.
dtr-jobrunner-<replica_id> | Runs cleanup jobs in the background.
dtr-nginx-<replica_id> | Receives HTTP and HTTPS requests and proxies them to the other MSR components. By default it listens on ports 80 and 443 of the host.
dtr-notary-server-<replica_id> | Receives, validates, and serves content trust metadata; it is consulted when pushing to or pulling from MSR with content trust enabled.
dtr-notary-signer-<replica_id> | Performs server-side timestamp and snapshot signing for content trust metadata.
dtr-registry-<replica_id> | Implements the functionality for pulling and pushing Docker images. It also handles how images are stored.
dtr-rethinkdb-<replica_id> | A database for persisting repository metadata.
dtr-scanningstore-<replica_id> | Stores security scanning data.

All these components are for internal use of MSR. Don’t use them in your applications.

Networks used by MSR

To allow the containers to communicate, the following networks are created when MSR is installed:

Name | Type | Description
---- | ---- | -----------
dtr-ol | overlay | Allows MSR components running on different nodes to communicate and replicate MSR data.

Volumes used by MSR

MSR uses these named volumes for persisting data:

Volume name | Description
----------- | -----------
dtr-ca-<replica_id> | Root key material for the MSR root CA that issues certificates.
dtr-notary-<replica_id> | Certificates and keys for the Notary components.
dtr-postgres-<replica_id> | Vulnerability scan data.
dtr-registry-<replica_id> | Docker image data, if MSR is configured to store images on the local filesystem.
dtr-rethink-<replica_id> | Repository metadata.
dtr-nfs-registry-<replica_id> | Docker image data, if MSR is configured to store images on NFS.

You can customize the volume driver used for these volumes by creating the volumes before installing MSR. During installation, MSR checks which of these volumes do not yet exist on the node and creates the missing ones with the default volume driver.

By default, the data for these volumes is stored under /var/lib/docker/volumes/<volume-name>/_data.
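As an added check, not part of the MSR documentation or product, the POSIX shell script below audits one worker node against the inventories above: it derives the replica id from the dtr-nginx container name, then reports any expected container, named volume (dtr-registry or dtr-nfs-registry, chosen by storage backend) or the dtr-ol network that is absent. It assumes name lists captured from docker ps, docker volume ls and docker network ls; the sample data at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the MSR documentation: audit one MKE worker node
# against the MSR inventory above (containers, the dtr-ol network, named volumes).
# Expected names come from the page; the sample docker output is constructed.
# Live use: docker ps --format '{{.Names}}', docker volume ls -q, docker network ls --format '{{.Name}}'
MSR_CONTAINERS="dtr-api dtr-garant dtr-jobrunner dtr-nginx dtr-notary-server dtr-notary-signer dtr-registry dtr-rethinkdb dtr-scanningstore"
MSR_VOLUMES="dtr-ca dtr-notary dtr-postgres dtr-rethink"   # image volume depends on backend

# msr_replica_id: reads container names on stdin, prints the replica id taken
# from the dtr-nginx container name (empty when no MSR replica runs here).
msr_replica_id() { sed -n 's/^dtr-nginx-//p' | head -n 1; }

# msr_image_volume <backend>: image-data volume for "local" (dtr-registry) or
# "nfs" (dtr-nfs-registry); other backends keep images off the node, so none.
msr_image_volume() {
  case "$1" in local) echo dtr-registry ;; nfs) echo dtr-nfs-registry ;; esac
}

# msr_missing <replica_id> "<prefix ...>": reads existing names on stdin and
# prints each expected "<prefix>-<replica_id>" that is absent; returns 1 if any.
msr_missing() {
  rid=$1; present=$(cat); rc=0
  for p in $2; do
    printf '%s\n' "$present" | grep -qx "${p}-${rid}" || { echo "${p}-${rid}"; rc=1; }
  done
  return $rc
}

# msr_audit <backend> <containers_file> <volumes_file> <networks_file>:
# prints findings, returns 1 if anything expected for this replica is missing.
msr_audit() {
  rid=$(msr_replica_id < "$2"); status=0
  [ -n "$rid" ] || { echo "no dtr-nginx container: no MSR replica on this node"; return 1; }
  echo "replica id: $rid"
  m=$(msr_missing "$rid" "$MSR_CONTAINERS" < "$2") || status=1
  [ -z "$m" ] || printf 'missing container: %s\n' $m
  m=$(msr_missing "$rid" "$MSR_VOLUMES $(msr_image_volume "$1")" < "$3") || status=1
  [ -z "$m" ] || printf 'missing volume: %s\n' $m
  grep -qx dtr-ol "$4" || { echo "missing network: dtr-ol"; status=1; }
  return $status
}

# Constructed sample: replica 1f2e3d on NFS storage, with its jobrunner gone.
tmp=$(mktemp -d)
printf '%s\n' dtr-api-1f2e3d dtr-garant-1f2e3d dtr-nginx-1f2e3d dtr-notary-server-1f2e3d \
  dtr-notary-signer-1f2e3d dtr-registry-1f2e3d dtr-rethinkdb-1f2e3d dtr-scanningstore-1f2e3d > "$tmp/containers"
printf '%s\n' dtr-ca-1f2e3d dtr-notary-1f2e3d dtr-postgres-1f2e3d dtr-rethink-1f2e3d dtr-nfs-registry-1f2e3d > "$tmp/volumes"
printf '%s\n' bridge host none dtr-ol > "$tmp/networks"
msr_audit nfs "$tmp/containers" "$tmp/volumes" "$tmp/networks" || echo "node needs attention"
```

On the sample data the audit reports only the missing dtr-jobrunner-1f2e3d container, since the NFS backend makes dtr-nfs-registry, not dtr-registry, the expected image volume.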

Image storage

By default, Mirantis Secure Registry stores images on the filesystem of the node where it is running; for production use you should configure it to use a centralized storage backend.

MSR supports these storage backends:

  • NFS

  • Amazon S3

  • Cleversafe

  • Google Cloud Storage

  • OpenStack Swift

  • Microsoft Azure

How to interact with MSR

MSR has a web UI where you can manage settings and user permissions.

You can push and pull images using the standard Docker CLI client or other tools that can interact with a Docker registry.