MSR cache fundamentals

The further away you are from the geographical location where MSR is deployed, the longer it will take to pull and push images. This happens because the files being transferred from MSR to your machine need to travel a longer distance, across multiple networks.

To decrease the time to pull an image, you can deploy MSR caches geographically closer to users.

Caches are transparent to users, since users still log in and pull images using the MSR URL address. MSR checks if users are authorized to pull the image, and redirects the request to the cache.

In this example, MSR is deployed on a datacenter in the United States, and a cache is deployed in the Asia office.

Users in the Asia office update their user profile within MSR to fetch from the cache in their office. They pull an image using:

# Log in to MSR
docker login msr.example.org

# Pull image
docker image pull msr.example.org/website/ui:3-stable

MSR authenticates the request and checks if the user has permission to pull the image they are requesting. If they have permissions, they get an image manifest containing the list of image layers to pull and redirecting them to pull the images from the Asia cache.

When users request those image layers from the Asia cache, the cache pulls them from MSR and keeps a copy that can be used to serve to other users without having to pull the image layers from MSR again.

Caches or mirroring policies

Use caches if you:

  • Want to make image pulls faster for users in different geographical regions.

  • Want to manage user permissions from a central place.

If you need users to be able to push images faster, or you want to implement RBAC policies based on different regions, do not use caches. Instead, deploy multiple MSR clusters and implement mirroring policies between them.

With mirroring policies you can set up a development pipeline where images are automatically pushed between different MSR repositories, or across MSR deployments.

As an example you can set up a development pipeline with three different stages. Developers can push and pull images from the development environment, only pull from QA, and have no access to Production.

With multiple MSR deployments you can control the permissions developers have for each deployment, and you can create policies to automatically push images from one deployment to the next.