Configure MSR for S3-compatible cloud storage providers

You can configure MSR to store Docker images on Amazon S3 or on any other storage service that exposes an S3-compatible API, such as Cleversafe or Minio.

Amazon S3 and compatible services store files in buckets, and users have permissions to read, write, and delete files from those buckets. When you integrate MSR with Amazon S3, MSR sends all read and write operations to the S3 bucket so that the images are persisted in that location.

Prepare your environment

  1. Create a bucket on Amazon S3, as described in Creating a bucket in the official AWS documentation.

    Note

    To ensure fast pulls and pushes, create the S3 bucket in the region that is closest to the servers on which you are running MSR.

    MSR supports the following S3 regions:

    • us-east-1

    • us-east-2

    • us-west-1

    • us-west-2

    • eu-west-1

    • eu-west-2

    • eu-central-1

    • ap-south-1

    • ap-southeast-1

    • ap-southeast-2

    • ap-northeast-1

    • ap-northeast-2

    • sa-east-1

    • cn-north-1

    • us-gov-west-1

    • ca-central-1

  2. Create a new IAM user specifically for the MSR integration, applying an IAM policy that restricts the user to the following permissions:

    • Bucket access

    • Read, write, and delete files

    Example user policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "arn:aws:s3:::*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:ListBucketMultipartUploads"
          ],
          "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
      ]
    }
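    As an added check (example code written for this page, not part of MSR or of any AWS tooling), the following Python verifies that a policy document stays within the scope shown above: every Allow statement must name the account-wide ARN (for s3:ListAllMyBuckets only), the bucket ARN, or the bucket's object ARN, and must grant no action beyond those the example policy lists. The bucket name is an assumed value.

```python
import json

# Constructed copy of the policy shown above, with an assumed bucket name filled in.
BUCKET = "msr-images-example"  # assumption for this example, not a real bucket
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::%s"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::%s/*"}
  ]
}""" % (BUCKET, BUCKET)

# The only actions the MSR integration needs at each resource scope, taken from the page's policy.
ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets"}
BUCKET_OK = {"s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"}
OBJECT_OK = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:ListBucketMultipartUploads"}


def _as_list(value):
    # IAM lets "Action" and "Resource" be either a single string or a list.
    return value if isinstance(value, list) else [value]


def check_policy(policy_doc, bucket):
    """Return findings for Allow statements that reach beyond the bucket or the needed actions.

    An empty list means the policy is scoped as the page requires. Wildcard actions such as
    "s3:*" or "*" are reported because they are not in any allowed set.
    """
    bucket_arn = "arn:aws:s3:::" + bucket
    # Which actions are acceptable on which Resource ARN.
    scopes = {"arn:aws:s3:::*": ACCOUNT_WIDE_OK, bucket_arn: BUCKET_OK, bucket_arn + "/*": OBJECT_OK}
    findings = []
    for index, stmt in enumerate(json.loads(policy_doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = set(_as_list(stmt.get("Action", [])))
        for resource in _as_list(stmt.get("Resource", [])):
            allowed = scopes.get(resource)
            if allowed is None:
                findings.append(f"statement {index}: resource {resource} is outside bucket {bucket}")
                continue
            extra = sorted(actions - allowed)
            if extra:
                findings.append(f"statement {index}: {extra} not needed on {resource}")
    return findings
```

    This is a structural check of the document text only; it does not evaluate conditions, resource-based bucket policies, or other policies attached to the same IAM user.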

Configure MSR

  1. Log in to the MSR web UI as an administrator.

  2. Navigate to System > Storage in the left-side navigation panel.

  3. Select the Amazon S3 option in the details pane.

  4. Adjust the S3 Settings.

    1. Toggle the Send data slider to the right to configure MSR to redirect clients each time a pull operation occurs.

    2. Enter the pertinent information into the provided fields.

      Field              Description
      AWS Region Name    AWS region that hosts your S3 bucket.
      S3 Bucket Name     Name of the S3 bucket in which the images are stored.
      Region Endpoint    Endpoint name for the AWS region that hosts your S3 bucket.
      Root Directory     Path to the location in the S3 bucket within which the images are stored.
      Access Key         AWS access key to use to access the S3 bucket.
                         Note: If you are using an IAM policy, leave the AWS access key field empty.
      Secret Key         AWS secret key to use to access the S3 bucket.
                         Note: If you are using an IAM policy, leave the AWS secret key field empty.

  5. Click Show advanced settings.

    1. Toggle the Signature version 4 auth slider to the right to configure MSR to authenticate requests with AWS signature version 4.

    2. Toggle the Use HTTPS slider to the right to configure MSR to secure all requests using the HTTPS protocol.

    3. Toggle the Skip TLS slider to the right to configure MSR to encrypt all traffic but not to verify the TLS certificate presented by the storage backend.

    4. If pertinent, in the Root CA Certificate field, enter the public key certificate of the root certificate authority that issued the storage backend certificate.

  6. Click Submit to validate the configuration settings and save the changes.

Configure your clients

Whenever you push or pull an image using MSR, the software redirects the requests to the storage backend.

  • If MSR is configured for TLS verification and the TLS certificate in use by your storage backend is not globally trusted, you must configure all Mirantis Container Runtime instances that push or pull from MSR to trust that certificate.

  • If MSR is configured to skip TLS verification, you must also configure all Mirantis Container Runtime instances that push or pull from MSR to skip TLS verification. To do this, add MSR to the list of insecure registries when starting Docker.

Restore MSR with S3

To restore MSR using your previously configured S3 settings, use the restore command with the --dtr-use-default-storage option to maintain your metadata.