Mirror images to another registry
Mirantis Secure Registry allows you to create mirroring policies for a repository. When an image gets pushed to a repository and meets the mirroring criteria, MSR automatically pushes it to a repository in a remote Mirantis Secure Registry or Hub registry.
This not only allows you to mirror images but also allows you to create image promotion pipelines that span multiple MSR deployments and datacenters.
In this example we will create an image mirroring policy such that:
Developers iterate and push their builds to msr-example.com/dev/website, the repository in the MSR deployment dedicated to development.
When the team creates a stable build, they make sure their image is tagged with
When a stable build is pushed to msr-example.com/dev/website, it will automatically be pushed to qa-example.com/qa/website, mirroring the image and promoting it to the next stage of development.
With this mirroring policy, the development team does not need access to the QA cluster, and the QA team does not need access to the development cluster.
You need to have permissions to push to the destination repository in order to set up the mirroring policy.
Configure your repository connection
Once you have created a repository, navigate to the repository page on the web interface, and select the Mirrors tab.
Click New mirror to define where the image will be pushed if it meets the mirroring criteria.
Under Mirror direction, choose Push to remote registry. Specify the following details:
You can choose between Mirantis Secure Registry and Docker Hub. If you choose MSR, enter your MSR URL. Otherwise, Docker Hub defaults to
Username and password or access token
Your credentials in the remote repository you wish to push to. To use an access token instead of your password, see authentication token.
Show advanced settings
Enter the TLS details for the remote repository or check Skip TLS verification. If the MSR remote repository is using self-signed TLS certificates or certificates signed by your own certificate authority, you also need to provide the public key certificate for that CA. You can retrieve the certificate by accessing
Make sure the account you use for the integration has permissions to write to the remote repository.
Click Connect to test the integration.
In this example, the image gets pushed to the
of an MSR deployment available at qa-example.com using a service account that was created just for mirroring images between repositories.
Next, set your push triggers. MSR allows you to set your mirroring policy based on the following image attributes:
Whether the tag name equals, starts with, ends with, contains, is one of, or is not one of your specified string values
Copy image to remote repository if Tag name ends in
Whether the image has a given component and the component name equals, starts with, ends with, contains, is one of, or is not one of your specified string values
Copy image to remote repository if Component name starts with
Whether the image has vulnerabilities – critical, major, minor, or all – and your selected vulnerability filter is greater than or equals, greater than, equals, not equals, less than or equals, or less than your specified number
Copy image to remote repository if Critical vulnerabilities =
Whether the image uses an intellectual property license and is one of or not one of your specified words
Copy image to remote repository if License name =
You can choose to keep the image tag, or transform the tag into something more meaningful in the remote registry by using a tag template.
In this example, if an image in the dev/website repository is tagged with a word that ends in stable, MSR will automatically push that image to the MSR deployment available at qa-example.com. The image is pushed to the qa/example repository and is tagged with the timestamp of when the image was promoted.
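The following offline dry-run model of the tag-name and vulnerability-count triggers described above is an added example, not MSR code or part of the original page. It assumes that all rules in a policy must match and that an image without scan data fails a vulnerability rule; the rule tuples, field names and sample pushes are constructed for illustration.

```python
import operator

# String operators the page lists for the tag-name trigger.
STRING_OPS = {
    "equals": lambda v, arg: v == arg,
    "starts with": lambda v, arg: v.startswith(arg),
    "ends with": lambda v, arg: v.endswith(arg),
    "contains": lambda v, arg: arg in v,
    "one of": lambda v, arg: v in arg,
    "not one of": lambda v, arg: v not in arg,
}
# Numeric comparators the page lists for the vulnerability trigger.
NUMERIC_OPS = {">=": operator.ge, ">": operator.gt, "=": operator.eq,
               "!=": operator.ne, "<=": operator.le, "<": operator.lt}

def vuln_count(scan, severity):
    """Count for one severity, or the sum of all three for 'all'."""
    if severity == "all":
        return sum(scan[s] for s in ("critical", "major", "minor"))
    return scan[severity]

def would_mirror(image, rules):
    """True only if every rule matches (AND semantics are an assumption)."""
    for field, op, arg in rules:
        if field == "tag":
            ok = STRING_OPS[op](image["tag"], arg)
        else:  # field is a severity: critical, major, minor or all
            scan = image.get("scan")
            # Assumption: with no scan result, the rule does not match.
            ok = scan is not None and NUMERIC_OPS[op](vuln_count(scan, field), arg)
        if not ok:
            return False
    return True

def mirrored_tags(pushes, rules):
    return [p["tag"] for p in pushes if would_mirror(p, rules)]

# Constructed policy: the page's "ends in stable" trigger plus a zero-critical gate.
POLICY = [("tag", "ends with", "stable"), ("critical", "=", 0)]
# Constructed sample pushes to dev/website.
PUSHES = [
    {"tag": "1.4-stable", "scan": {"critical": 0, "major": 2, "minor": 5}},
    {"tag": "1.5-stable", "scan": {"critical": 1, "major": 0, "minor": 0}},
    {"tag": "1.5-rc1", "scan": {"critical": 0, "major": 0, "minor": 0}},
    {"tag": "unstable", "scan": {"critical": 0, "major": 0, "minor": 0}},
    {"tag": "1.6-stable", "scan": None},  # pushed but not yet scanned
]

if __name__ == "__main__":
    print(mirrored_tags(PUSHES, POLICY))
```

Note that a tag named unstable also satisfies "ends with stable"; a more specific suffix or the "one of" operator avoids promoting it by accident.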
Everything is set up! Once the development team pushes an image that complies with the policy, it automatically gets promoted to qa/example in the remote trusted registry at
When an image is pushed to another registry using a mirroring policy, scanning and signing data is not persisted in the destination repository.
If you have scanning enabled for the destination repository, MSR scans the pushed image. If you want the image to be signed, you need to sign it manually.