mirantis/dtr reconfigure

Change MSR configurations.

Usage

docker run -it --rm mirantis/dtr reconfigure [command options]

Description

This command changes MSR configuration settings.

MSR restarts for the new configuration to take effect. To avoid downtime, configure MSR for high availability.

Options

Option

Environment variable

Description

--async-nfs

$ASYNC_NFS

Use async NFS volume options on the replica specified in the --existing-replica-id option. The NFS configuration must be set with --nfs-storage-url explicitly to use this option. Using --async-nfs will bring down any containers on the replica that use the NFS volume, delete the NFS volume, bring it back up with the appropriate configuration, and restart any containers that were brought down.

--client-cert-auth-ca

$CLIENT_CA

Specify root CA certificates for client authentication with --client-cert-auth-ca "$(cat ca.pem)".

--custom-ca-cert-bundle

$CUSTOM_CA_CERTS_BUNDLE

Specify additional CA certificates for MSR service containers to use when verifying TLS server certificates with --custom-ca-cert-bundle "$(cat ca.pem)".

--debug

$DEBUG

Enable debug mode for additional logs of this bootstrap container (the log level of downstream MSR containers can be set with --log-level).

--dtr-ca

$MSR_CA

Use a PEM-encoded TLS CA certificate for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own root CA public certificate with --dtr-ca "$(cat ca.pem)".

--dtr-cert

$MSR_CERT

Use a PEM-encoded TLS certificate for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own public key certificate with --dtr-cert "$(cat cert.pem)". If the certificate has been signed by an intermediate certificate authority, append its public key certificate at the end of the file to establish a chain of trust.

--dtr-external-url

$MSR_EXTERNAL_URL

URL of the host or load balancer clients use to reach MSR. When you use this flag, users are redirected to MKE to log in. Once authenticated, they are redirected to the URL you specify in this flag. If you don’t use this flag, MSR is deployed without single sign-on with MKE. Users and teams are shared, but users log in separately to the two applications. You can enable and disable single sign-on in the MSR settings. Format https://host[:port], where port is the value you used with --replica-https-port. Because the HSTS (HTTP Strict-Transport-Security) header is included in all API responses, make sure to specify the FQDN (Fully Qualified Domain Name) of your MSR, or your browser may refuse to load the web interface.

--dtr-key

$MSR_KEY

Use a PEM-encoded TLS private key for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with --dtr-key "$(cat key.pem)".

--dtr-storage-volume

$MSR_STORAGE_VOLUME

Customize the volume to store Docker images. By default MSR creates a volume to store the Docker images in the local filesystem of the node where MSR is running, without high-availability. Use this flag to specify a full path or volume name for MSR to store images. For high-availability, make sure all MSR replicas can read and write data on this volume. If you’re using NFS, use --nfs-storage-url instead.

--enable-client-cert-auth

$ENABLE_CLIENT_CERT_AUTH

Enables TLS client certificate authentication; use --enable-client-cert-auth=false to disable it. If enabled, MSR will additionally authenticate users via TLS client certificates. You must also specify the root certificate authorities (CAs) that issued the certificates with --client-cert-auth-ca.

--enable-pprof

$MSR_PPROF

Enables pprof profiling of the server. Use --enable-pprof=false to disable it. Once MSR is deployed with this flag, you can access the pprof endpoint for the api server at /debug/pprof, and the registry endpoint at /registry_debug_pprof/debug/pprof.

--existing-replica-id

$MSR_REPLICA_ID

The ID of an existing MSR replica. To add, remove or modify MSR, you must connect to an existing healthy replica’s database.

--force-recreate-nfs-volume

$FORCE_RECREATE_NFS_VOLUME

Force MSR to recreate NFS volumes on the replica specified by --existing-replica-id.

--help-extended

$MSR_EXTENDED_HELP

Display extended help text for a given command.

--http-proxy

$MSR_HTTP_PROXY

The HTTP proxy used for outgoing requests.

--https-proxy

$MSR_HTTPS_PROXY

The HTTPS proxy used for outgoing requests.

--log-host

$LOG_HOST

The syslog endpoint to send logs to. Use this flag if you set --log-protocol to tcp or udp.

--log-level

$LOG_LEVEL

Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are debug, info, warn, error, or fatal.

--log-protocol

$LOG_PROTOCOL

The protocol for sending logs. The supported values are tcp, udp, and internal. Default is internal, which means MSR does not send logs to an external system: MSR internal components log using the logger specified in the Docker daemon on the node where the MSR replica is deployed. Set this option to tcp or udp to send MSR logs to an external syslog system. Use this flag with --log-host.

--max-wait

$MAX_WAIT

The maximum amount of time MSR allows for an operation to complete. This is frequently used to allocate more startup time to very large MSR databases. The value is a Golang duration string. For example, "10m" represents 10 minutes.

--nfs-options

$NFS_OPTIONS

Pass in NFS volume options verbatim for the replica specified in the --existing-replica-id option. The NFS configuration must be set with --nfs-storage-url explicitly to use this option. Specifying --nfs-options will pass in character-for-character the options specified in the argument when creating or recreating the NFS volume. For instance, to use NFS v4 with async, pass in "rw,nfsvers=4,async" as the argument.

--nfs-storage-url

$NFS_STORAGE_URL

Set the URL for the NFS storage back end.

docker run -it --rm mirantis/dtr:2.8.13 reconfigure --nfs-storage-url nfs://<IP-of-NFS-server>/path/to/mountdir

To reconfigure MSR to stop using NFS, leave the option empty:

docker run -it --rm mirantis/dtr:2.8.13 reconfigure --nfs-storage-url ""

Refer to Reconfigure MSR to use NFS for more details.

--no-proxy

$MSR_NO_PROXY

List of domains the proxy should not be used for. When using --http-proxy you can use this flag to specify a list of domains that you don’t want to route through the proxy. Format acme.com[, acme.org].

--reinitialize-storage

$REINITIALIZE_STORAGE

Set the flag when you have changed storage back ends but have not moved the contents of the old storage back end to the new one. Erases all tags in the registry.

--replica-http-port

$REPLICA_HTTP_PORT

The public HTTP port for the MSR replica. Default is 80. This allows you to customize the HTTP port where users can reach MSR. Once users access the HTTP port, they are redirected to use an HTTPS connection, using the port specified with --replica-https-port. This port can also be used for unencrypted health checks.

--replica-https-port

$REPLICA_HTTPS_PORT

The public HTTPS port for the MSR replica. Default is 443. This allows you to customize the HTTPS port where users can reach MSR. Each replica can use a different port.

--replica-rethinkdb-cache-mb

$RETHINKDB_CACHE_MB

The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is (available_memory - 1024) / 2. This config allows changing the RethinkDB cache usage per replica. You need to run it once per replica to change each one.

--storage-migrated

$STORAGE_MIGRATED

A flag added in 2.6.4 which lets you indicate the migration status of your storage data. Specify this flag if you are migrating to a new storage back end and have already moved all contents from your old back end to your new one. If not specified, MSR will assume the new back end is empty during a back end storage switch, and consequently destroy your existing tags and related image metadata.

--ucp-ca

$UCP_CA

Use a PEM-encoded TLS CA certificate for MKE. Download the MKE TLS CA certificate from https://<mke-url>/ca, and use --ucp-ca "$(cat ca.pem)".

--ucp-insecure-tls

$UCP_INSECURE_TLS

Disable TLS verification for MKE.

--ucp-password

$UCP_PASSWORD

The MKE administrator password.

--ucp-url

$UCP_URL

The MKE URL including domain and port.

--ucp-username

$UCP_USERNAME

The MKE administrator username.
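
Several options above constrain each other or weaken security when set (TLS verification for MKE, the https://host[:port] FQDN format, the --log-protocol and --log-host pairing, and the flags that depend on --client-cert-auth-ca or --nfs-storage-url). The script below is an added example, not part of MSR or the original page, that checks a planned argument list before the container is started; preflight, has, fail and warn are hypothetical helper names, and treating --ucp-insecure-tls as a hard failure is this example's own policy.

```shell
# Added example, not part of MSR. preflight() reads a planned reconfigure
# argument list ("--flag value" or "--flag=value"), prints one finding per
# line and returns 1 if any finding is a FAIL.
has()  { case "$on" in *" $1 "*) return 0 ;; esac; return 1; }
fail() { echo "FAIL: $*"; rc=1; }
warn() { echo "WARN: $*"; }
preflight() {
  on=" "; url=""; proto=""; host=""; prev=""; rc=0
  for a in "$@"; do
    case "$a" in
      --*=*) prev=${a%%=*}; val=${a#*=} ;;
      --*)   prev=$a; val="" ;;
      *)     val=$a ;;                       # value of the preceding flag
    esac
    case "$a" in --*) [ "$val" = false ] || on="$on$prev " ;; esac  # =false means off
    case "$prev" in
      --dtr-external-url) url=$val ;;
      --log-protocol)     proto=$val ;;
      --log-host)         host=$val ;;
    esac
  done
  has --ucp-insecure-tls && fail "--ucp-insecure-tls disables TLS verification for MKE; use --ucp-ca"
  has --ucp-password && warn "--ucp-password exposes the secret in argv; set \$UCP_PASSWORD instead"
  has --enable-pprof && warn "pprof served at /debug/pprof and /registry_debug_pprof/debug/pprof"
  has --reinitialize-storage && warn "--reinitialize-storage erases all tags in the registry"
  if has --enable-client-cert-auth && ! has --client-cert-auth-ca; then
    fail "--enable-client-cert-auth needs --client-cert-auth-ca"; fi
  if { has --async-nfs || has --nfs-options; } && ! has --nfs-storage-url; then
    fail "--async-nfs and --nfs-options need an explicit --nfs-storage-url"; fi
  case "$proto" in
    ""|internal) ;;
    tcp|udp) [ -n "$host" ] || fail "--log-protocol $proto needs --log-host" ;;
    *) fail "--log-protocol must be tcp, udp or internal" ;;
  esac
  if has --dtr-external-url; then
    rest=${url#https://}; name=${rest%%:*}
    case "$rest" in
      "$url"|*/*) fail "--dtr-external-url must be https://host[:port]" ;;
      *) case "$name" in
           *.*[!0-9.]*|*[!0-9.]*.*) ;;       # a dot plus a non-numeric label
           *) fail "--dtr-external-url host '$name' is not an FQDN" ;;
         esac ;;
    esac
  fi
  return $rc
}
# Constructed sample invocation; the replica ID and host are placeholders.
preflight --existing-replica-id 0123456789ab --ucp-insecure-tls \
  --dtr-external-url https://msr --log-protocol tcp || true
```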