Install MSR online

Mirantis Secure Registry (MSR) is a containerized application that runs on a swarm managed by Mirantis Kubernetes Engine (MKE). It can be installed on-premises or on a cloud-based infrastructure.

Prerequisite steps

  1. Verify that your infrastructure meets the MSR system requirements.

  2. Update Mirantis Container Runtime (MCR) to the latest version. For details, refer to the section of the MCR installation guide that corresponds with your operating system.

  3. Upgrade MKE to the latest version.


    MKE and MSR must be installed on different nodes, due to the potential for resource and port conflicts. Install MSR on worker nodes that will be managed by MKE. Note also that MSR cannot be installed on a standalone MCR.

Install MSR

  1. Log in to the MKE web UI as an administrator.

  2. In the left-side navigation panel, navigate to <user name> > Admin Settings > Mirantis Secure Registry.

  3. Optional. Provide an external URL for MSR.

  4. Select the MKE worker node where you want to install MSR.

  5. Optional. Enable any of the following options, as required:

    • Assign an MSR replica ID

    • Disable TLS CA certificate for MKE

    • Use a PEM-encoded TLS CA certificate for MKE

  6. A Docker CLI command used to install MSR will display. For example:

    docker run -it --rm \
      mirantis/dtr:2.9.16 install \
      --dtr-external-url <> \
      --ucp-node <mke-node-name> \
      --ucp-username admin \
      --ucp-url <mke-url>

  7. Optional. To run a load balancer that uses HTTP for health probes over port 80 or 443, temporarily reconfigure it to use TCP over a known open port and enter the load balancer IP address as the value of --dtr-external-url. Once MSR is installed, you can reconfigure the load balancer to meet your requirements.

  8. Run the MSR install command on any node that is both connected to the MKE cluster and running MCR. Running the installation command in interactive TTY (or -it) mode will prompt you for any required additional information.


    MSR will not be installed on the node where you run the install command. MSR will be installed on the MKE worker defined by the --ucp-node flag.

    • To install a different version of MSR, replace 2.9.16 with the required version of MSR in the provided command.

    • MSR is deployed with self-signed certificates by default, so MKE might not be able to successfully pull images from MSR. Use the optional --dtr-external-url <msr-domain>:<port> flag during installation or during a reconfiguration to automatically reconfigure MKE to trust MSR.

    • You can enable browser authentication using client certificates at install time. This bypasses the MSR login page and hides the logout button, thus overriding the requirement that you log in with a user name and password.

  9. Verify that MSR is installed by logging in to the MKE web UI and then navigating to <user name> > Admin Settings > Mirantis Secure Registry. A successful installation will display the MSR fully qualified domain name (FQDN).


    MKE modifies /etc/docker/certs.d for each host and adds the MSR CA certificate. MKE can then pull images from MSR because MCR for each node in the MKE swarm has been configured to trust MSR.

  10. Optional. Reconfigure your load balancer back to your desired protocol and port.
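
The note in step 9 says that MKE adds the MSR CA certificate under /etc/docker/certs.d on each host. The following shell function is an added example, not part of the Mirantis documentation or tooling, that checks this on a node and distinguishes a missing CA from one that differs from a reference copy. It assumes that you hold the expected MSR CA as a PEM file; the function name, file names and the host msr.example.test are hypothetical.

```shell
#!/bin/sh
# Added example (not Mirantis code): confirm a node's MCR trusts the MSR CA.
# Assumption: the operator holds a reference copy of the MSR CA as a PEM file.

# Print a PEM file with CRs, trailing blanks and empty lines removed.
pem_body() { tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d'; }

# check_msr_trust <msr-host[:port]> <reference-ca.pem> [certs.d root]
# Returns 0 = trusted, 1 = no CA installed, 2 = CA differs, 3 = bad reference.
check_msr_trust() {
    registry=$1
    ref_ca=$2
    certs_d=${3:-/etc/docker/certs.d}
    dir="$certs_d/$registry"

    if [ ! -s "$ref_ca" ] || ! grep -q 'BEGIN CERTIFICATE' "$ref_ca"; then
        echo "ERROR: reference CA '$ref_ca' is empty or not PEM"
        return 3
    fi
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist; no registry-specific CA for $registry"
        return 1
    fi

    found=0
    # MCR treats every *.crt file in the registry's directory as a CA root.
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue      # unmatched glob stays literal
        found=1
        if [ "$(pem_body "$crt")" = "$(pem_body "$ref_ca")" ]; then
            echo "OK: $crt matches the reference CA"
            return 0
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "MISSING: no *.crt file in $dir"
        return 1
    fi
    echo "MISMATCH: CA in $dir differs from the reference (rotated or unexpected CA)"
    return 2
}

# Run directly: sh check_msr_trust.sh msr.example.test:4443 ./msr-ca.pem
if [ $# -ge 2 ]; then
    check_msr_trust "$@"
fi
```

A MISMATCH result on some nodes but not others usually means those nodes kept an older CA after the MSR certificates were replaced.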

Verify MSR after installation

  1. Log in to the MKE web UI.

  2. From the left-side navigation panel, select Shared Resources > Stacks. You should see MSR listed as a stack.

  3. Verify that the MSR web UI is accessible by navigating either to your MSR IP address or FQDN in a browser window.


    Be sure to prefix the IP address or FQDN with https:// or your browser may not load the web UI.

Configure MSR

  1. Configure the certificates used for TLS communication:

    1. Log in to the MSR web UI.

    2. From the left-side navigation panel, navigate to System and select the General tab.

    3. Scroll down to Domain & Proxies and select Show TLS settings.

    4. Enter your TLS information and click Save.

  2. Configure the storage backend to store your Docker images:

    1. Log in to the MSR web UI.

    2. From the left-side navigation panel, navigate to System and select the Storage tab.

    3. Configure the storage settings as required.

To configure MSR using the CLI, refer to the CLI reference documentation.

Join replicas to the cluster (optional)

To make MSR highly available, you can add additional replicas to your MSR cluster. Adding more replicas allows you to load-balance requests across all replicas, thus enabling MSR to continue working if a replica fails.

For high availability, you should set 3 or 5 MSR replicas. The replica nodes must be managed by the same MKE.

To join replicas to your MSR cluster:

  1. Download and configure the MKE client bundle.

  2. Run the join command, as in the following example:

    docker run -it --rm \
      mirantis/dtr:2.9.16 join \
      --ucp-node <mke-node-name>


    The <mke-node-name> following the --ucp-node flag is the target node to install the MSR replica. This is not the MKE manager URL.

    When you join a replica to an MSR cluster, you need to specify the ID of a replica that is already part of the cluster. You can find an existing replica ID by navigating to the Shared Resources > Stacks page in the MKE web UI.

  3. Verify that all replicas are running:

    1. Log in to the MKE web UI.

    2. Select Shared Resources > Stacks. All replicas will display.