Set up high availability

Mirantis Secure Registry is designed to scale horizontally as your usage increases. You can add more replicas to make MSR scale to your demand and for high availability.

All MSR replicas run the same set of services and changes to their configuration are automatically propagated to other replicas.

To make MSR tolerant to failures, add additional replicas to the MSR cluster.

MSR replicas

Failures tolerated

1

0

3

1

5

2

7

3

When sizing your MSR installation for high-availability, follow these rules of thumb:

  • Don’t create a MSR cluster with just two replicas. Your cluster won’t tolerate any failures, and it’s possible that you experience performance degradation.

  • When a replica fails, the number of failures tolerated by your cluster decreases. Don’t leave that replica offline for long.

  • Adding too many replicas to the cluster might also lead to performance degradation, as data needs to be replicated across all replicas.

To have high-availability on MKE and MSR, you need a minimum of:

  • 3 dedicated nodes to install MKE with high availability,

  • 3 dedicated nodes to install MSR with high availability,

  • As many nodes as you want for running your containers and applications.

You also need to configure the MSR replicas to share the same object storage.

Join more MSR replicas

To add replicas to an existing MSR deployment:

  1. Use ssh to log into any node that is already part of MKE.

  2. Run the MSR join command:

    docker run -it --rm \
      mirantis/dtr:2.9.16 join \
      --ucp-node <mke-node-name> \
      --ucp-insecure-tls
    

    Where the --ucp-node is the hostname of the MKE node where you want to deploy the MSR replica. --ucp-insecure-tls tells the command to trust the certificates used by MKE.

  3. If you have a load balancer, add this MSR replica to the load balancing pool.

Remove existing replicas

To remove a MSR replica from your deployment:

  1. Use ssh to log into any node that is part of MKE.

  2. Run the MSR remove command:

    docker run -it --rm \
    mirantis/dtr:2.9.16 remove \
    --ucp-insecure-tls
    

    You will be prompted for:

    • Existing replica id: the id of any healthy MSR replica of that cluster

    • Replica id: the id of the MSR replica you want to remove. It can be the id of an unhealthy replica

    • MKE username and password: the administrator credentials for MKE

If you’re load-balancing user requests across multiple MSR replicas, don’t forget to remove this replica from the load balancing pool.