mirantis/dtr install
Install Mirantis Secure Registry.
Usage
docker run -it --rm mirantis/dtr \
install [command options]
Description
The install command installs Mirantis Secure Registry (MSR) on a node managed by Mirantis Kubernetes Engine (MKE).
After installing MSR, you can join additional MSR replicas using mirantis/dtr join.
Example Usage
$ docker run -it --rm mirantis/dtr:2.9.21 install \
--ucp-node <UCP_NODE_HOSTNAME> \
--ucp-insecure-tls
Note
Use --ucp-ca "$(cat ca.pem)" instead of --ucp-insecure-tls for a production deployment.
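A pre-flight check for the point in the note above, as an added example that is not part of the Mirantis documentation: it refuses install options that disable MKE certificate verification and requires --ucp-ca to carry PEM certificate text. The function name check_msr_install_args and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not Mirantis code): pre-flight gate for the options that will
# be passed to `mirantis/dtr install`. The function name and return codes are
# hypothetical; --ucp-insecure-tls and --ucp-ca are the flags from this page.
# Only command-line options are inspected, not the environment-variable forms.
#
# Returns: 0 = MKE certificate will be verified against a supplied CA
#          1 = TLS verification disabled (--ucp-insecure-tls present)
#          2 = --ucp-ca missing, empty, or not PEM certificate text
check_msr_install_args() {
    _insecure=0
    _ca=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            # Any form of the flag is refused (conservative).
            --ucp-insecure-tls | --ucp-insecure-tls=*) _insecure=1 ;;
            --ucp-ca=*) _ca=${1#--ucp-ca=} ;;
            --ucp-ca)
                # The value is the next argument, if there is one.
                if [ "$#" -ge 2 ]; then _ca=$2; shift; fi ;;
        esac
        shift
    done

    if [ "$_insecure" -eq 1 ]; then
        echo "refusing: --ucp-insecure-tls trusts any certificate MKE presents" >&2
        return 1
    fi

    # --ucp-ca takes the certificate text itself ("$(cat ca.pem)"), so an empty
    # value (ca.pem missing or unreadable) or a bare file path must be rejected.
    case "$_ca" in
        *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*)
            return 0 ;;
        "")
            echo "refusing: --ucp-ca is missing or expanded to an empty string" >&2 ;;
        *)
            echo "refusing: --ucp-ca value is not PEM text (file path passed?)" >&2 ;;
    esac
    return 2
}

# Usage: check_msr_install_args "$@" && \
#   docker run -it --rm mirantis/dtr:2.9.21 install "$@"
```

The check only confirms that PEM certificate text is present; it does not parse the certificate or confirm that it is the CA that issued the MKE certificate.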
Options
| Option | Environment variable | Description |
|---|---|---|
| | $ASYNC_NFS | Use async NFS volume options on the replica specified in the |
| | $CLIENT_CA | Specify root CA certificates for client authentication with |
| | $CUSTOM_CA_CERTS_BUNDLE | Provide a file containing additional CA certificates for MSR service containers to use when verifying TLS server certificates. |
| | $DEBUG | Enable debug mode for additional logs. |
| | $MSR_CA | Use a PEM-encoded TLS CA certificate for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own root CA public certificate with |
| | $MSR_CERT | Use a PEM-encoded TLS certificate for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own public key certificate with |
| | $MSR_EXTERNAL_URL | URL of the host or load balancer clients use to reach MSR. When you use this flag, users are redirected to MKE for logging in. Once authenticated they are redirected to the URL you specify in this flag. If you do not use this flag, MSR is deployed without single sign-on with MKE. Users and teams are shared but users log in separately into the two applications. You can enable and disable single sign-on within your MSR system settings. Format |
| | $MSR_KEY | Use a PEM-encoded TLS private key for MSR. By default MSR generates a self-signed TLS certificate during deployment. You can use your own TLS private key with |
| | $MSR_STORAGE_VOLUME | Customize the volume to store Docker images. By default MSR creates a volume to store the Docker images in the local filesystem of the node where MSR is running, without high-availability. Use this flag to specify a full path or volume name for MSR to store images. For high-availability, make sure all MSR replicas can read and write data on this volume. If you are using NFS, use |
| | $ENABLE_CLIENT_CERT_AUTH | Enables TLS client certificate authentication. Use |
| | $MSR_PPROF | Enables pprof profiling of the server. Use |
| | $MSR_EXTENDED_HELP | Display extended help text for a given command. |
| | $MSR_HTTP_PROXY | The HTTP proxy used for outgoing requests. |
| | $MSR_HTTPS_PROXY | The HTTPS proxy used for outgoing requests. |
| | $LOG_HOST | The syslog endpoint to send logs to. Use this flag if you set |
| | $LOG_LEVEL | Log level for all container logs when logging to syslog. Default: INFO. The supported log levels are debug, info, warn, error, or fatal. |
| | $LOG_PROTOCOL | The protocol for sending logs. Default is internal. By default, MSR internal components log information using the logger specified in the Docker daemon in the node where the MSR replica is deployed. Use this option to send MSR logs to an external syslog system. The supported values are |
| | $NFS_OPTIONS | Pass in NFS volume options verbatim for the replica specified in the |
| | $NFS_STORAGE_URL | Use NFS to store Docker images following this format: |
| | $NOCOLOR | Disable output coloring in logs. |
| | $MSR_NO_PROXY | List of domains the proxy should not be used for. When using |
| | $MSR_OVERLAY_SUBNET | The subnet used by the dtr-ol overlay network. Example: |
| | $REPLICA_HTTP_PORT | The public HTTP port for the MSR replica. Default is |
| | $REPLICA_HTTPS_PORT | The public HTTPS port for the MSR replica. Default is |
| | $MSR_INSTALL_REPLICA_ID | Assign a 12-character hexadecimal ID to the MSR replica. Random by default. |
| | $RETHINKDB_CACHE_MB | The maximum amount of space in MB for RethinkDB in-memory cache used by the given replica. Default is auto. Auto is |
| | $UCP_CA | Use a PEM-encoded TLS CA certificate for MKE. Download the MKE TLS CA certificate from |
| | $UCP_INSECURE_TLS | Disable TLS verification for MKE. The installation uses TLS but always trusts the TLS certificate used by MKE, which can lead to man-in-the-middle attacks. For production deployments, use |
| | $UCP_NODE | The hostname of the MKE node to use to deploy MSR. Random by default. You can find the hostnames of the nodes in the cluster in the MKE web interface, or by running the docker node ls command on an MKE manager node. Note that MKE and MSR must not be installed on the same node, and you should instead install MSR on worker nodes that will be managed by MKE. |
| | $UCP_PASSWORD | The MKE administrator password. |
| | $UCP_URL | The MKE URL including domain and port. |
| | $UCP_USERNAME | The MKE administrator username. |