Configure MSR for a cloud storage provider (S3)¶
You can configure MSR to store Docker images on Amazon S3 or on any other file servers with an S3-compatible API.
All S3-compatible services store files in “buckets”, to which you can authorize users to read, write, and delete files. Whenever you integrate MSR with such a service, MSR sends all read and write operations to the S3 bucket where the images then persist.
Note
The instructions below pertain specifically to configuring MSR to use Amazon S3. They can, however, also serve as a guide for configuring MSR to use other available cloud storage providers.
Create a bucket on Amazon S3¶
Before you configure MSR you must first create a bucket on Amazon S3. To optimize pulls and pushes, Mirantis suggests that you create the S3 bucket in the AWS region that is physically closest to the servers on which MSR is set to run.
1. Create an S3 bucket.
2. Create a new IAM user for the MSR integration.
3. Apply an IAM policy that has the following limited user permissions:
   - Access to the newly-created bucket
   - Ability to read, write, and delete files

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::<bucket-name>/*"
    }
  ]
}
```
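A least-privilege check for the IAM policy above, added here as an example (not Mirantis code): it reports any action or resource that goes beyond what the policy grants for a given bucket. The bucket name `example-msr-bucket` and both sample policies are constructed.

```python
"""Least-privilege check for the IAM policy MSR uses with its S3 bucket.
Added example, not Mirantis code."""

# The only actions the policy above grants; anything else is reported.
ALLOWED_ACTIONS = {
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation",
    "s3:ListBucketMultipartUploads", "s3:PutObject", "s3:GetObject",
    "s3:DeleteObject",
}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def check_msr_s3_policy(policy: dict, bucket: str) -> list:
    """Return findings; an empty list means every statement is scoped to the
    bucket (or, for ListAllMyBuckets only, to arn:aws:s3:::*)."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for idx, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: unexpected Effect {stmt.get('Effect')!r}")
            continue
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} exceeds what MSR needs")
        for res in resources:
            if res == "arn:aws:s3:::*":
                # Only the account-wide bucket listing may target every bucket.
                if set(actions) != {"s3:ListAllMyBuckets"}:
                    findings.append(f"statement {idx}: {actions} granted on all buckets")
            elif res not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"statement {idx}: resource {res!r} is outside {bucket!r}")
    return findings

# Constructed sample: the policy above with the bucket name filled in.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation",
     "s3:ListBucketMultipartUploads"], "Resource": "arn:aws:s3:::example-msr-bucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject",
     "s3:ListBucketMultipartUploads"], "Resource": "arn:aws:s3:::example-msr-bucket/*"},
]}
# Constructed over-broad policy: full S3 access on every bucket in the account.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
```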
Configure MSR on Amazon S3¶
Kubernetes deployments¶
Add the following values to the custom resource manifest. If you are using IAM role authentication, do not include the lines for accesskey and secretkey. Running Kubernetes on AWS requires that you include v4auth: true.

```yaml
spec:
  registry:
    storage:
      backend: "s3"
      s3:
        region: <region>
        bucket: <bucket-name>
        accesskey: <access-key>
        secretkey: <secret-key>
        v4auth: true
      persistentVolume:
        size: <size>
```
Apply the changes to the custom resource:
```shell
kubectl apply -f cr-sample-manifest.yaml
```
Verify completion of the reconciliation process for the custom resource:
```shell
kubectl get msrs.msr.mirantis.com
kubectl get rethinkdbs.rethinkdb.com
```
For Helm chart deployments:

1. Set registry.storage.backend to s3.
2. Specify registry.storage.s3.region and registry.storage.s3.bucket.
3. If you are not using IAM role authentication, you must also set registry.storage.s3.accesskey and registry.storage.s3.secretkey.
4. To activate the new storage configuration settings, issue the helm upgrade command.
Example configuration command at install time:
```shell
helm install msr msrofficial/msr \
  --version 1.0.0 \
  --set registry.storage.backend=s3 \
  --set registry.storage.s3.accesskey=<> \
  --set registry.storage.s3.secretkey=<> \
  --set registry.storage.s3.region=us-east-2 \
  --set registry.storage.s3.bucket=testing-msr-kube
```
Example configuration command at time of upgrade:
```shell
helm upgrade msr msrofficial/msr \
  --version 1.0.0 \
  --set registry.storage.backend=s3 \
  --set registry.storage.s3.accesskey=<> \
  --set registry.storage.s3.secretkey=<> \
  --set registry.storage.s3.region=us-east-2 \
  --set registry.storage.s3.bucket=testing-msr-kube
```
Swarm deployments¶
Update your values.yaml file to include the following values.

Note

If you are using IAM role authentication, do not include the lines that set the accesskey and secretkey values.

```yaml
registry:
  storage:
    backend: 's3'
    s3:
      region: <region>
      bucket: <bucket-name>
      accesskey: <access-key>
      secretkey: <secret-key>
```
The following parameters are available for configuration in the registry.storage.s3 section of the custom resource manifest, Helm chart, or Swarm cluster values.yaml file:
| Field | Description | Level |
|---|---|---|
| | AWS Access Key. | Standard |
| | AWS Secret key. | Standard |
| | The AWS region in which your bucket exists. | Standard |
| | The endpoint for S3 compatible storage services. | Standard |
| | The name of the bucket in which image data is stored. | Standard |
| | Indicates whether images are stored in encrypted format. | Advanced |
| | The KMS key ID to use for encryption of images. | Advanced |
| | Indicates whether to use HTTPS for data transfers to the bucket. | Advanced |
| | Indicates whether to use AWS Signature Version 4 to authenticate requests. | Advanced |
| | The default part size for multipart uploads. | Advanced |
| | A prefix that is applied to all object keys to allow you to segment data in your bucket if necessary. | Advanced |
| | The S3 storage class applied to each registry file. Valid options are "STANDARD" and "REDUCED_REDUNDANCY". | Advanced |
MSR supports the following S3 regions:

- us-east-1
- us-east-2
- us-west-1
- us-west-2
- eu-west-1
- eu-west-2
- eu-central-1
- ap-south-1
- ap-southeast-1
- ap-southeast-2
- ap-northeast-1
- ap-northeast-2
- sa-east-1
- cn-north-1
- us-gov-west-1
- ca-central-1
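A pre-flight check for the registry.storage block described above, added here as an example (not Mirantis code). It takes the dict a YAML loader would return for the custom resource or values.yaml and reports what this page says must be different: a wrong backend, a missing or unsupported region or bucket, static credentials present when IAM role authentication is used (or still placeholders when it is not), and a missing v4auth on Kubernetes on AWS. The check for plain HTTP assumes the HTTPS toggle is named `secure`, as in the upstream registry S3 driver; the sample config is constructed.

```python
"""Pre-flight check for the registry.storage block of an MSR values.yaml or
custom resource. Added example, not Mirantis code."""

# Regions listed above as supported by MSR.
SUPPORTED_REGIONS = {
    "us-east-1", "us-east-2", "us-west-1", "us-west-2", "eu-west-1",
    "eu-west-2", "eu-central-1", "ap-south-1", "ap-southeast-1",
    "ap-southeast-2", "ap-northeast-1", "ap-northeast-2", "sa-east-1",
    "cn-north-1", "us-gov-west-1", "ca-central-1",
}

def check_s3_storage(storage: dict, iam_role_auth: bool,
                     kubernetes_on_aws: bool) -> list:
    """Return findings for registry.storage; an empty list means it is usable."""
    findings = []
    if storage.get("backend") != "s3":
        findings.append(f"backend must be 's3', got {storage.get('backend')!r}")
    s3 = storage.get("s3") or {}
    for key in ("region", "bucket"):
        if not s3.get(key):
            findings.append(f"s3.{key} is required")
    region = s3.get("region")
    if region and region not in SUPPORTED_REGIONS:
        findings.append(f"s3.region {region!r} is not in the supported list")
    for key in ("accesskey", "secretkey"):
        value = s3.get(key)
        if iam_role_auth and key in s3:
            # With IAM role auth the static credentials must be left out.
            findings.append(f"s3.{key} must be omitted with IAM role auth")
        elif not iam_role_auth and (not value or str(value).startswith("<")):
            findings.append(f"s3.{key} is missing or still a placeholder")
    if kubernetes_on_aws and s3.get("v4auth") is not True:
        findings.append("v4auth: true is required for Kubernetes on AWS")
    # Assumed name: the HTTPS toggle is 'secure' in the upstream registry S3 driver.
    if s3.get("secure") is False:
        findings.append("secure: false sends image data to the bucket over plain HTTP")
    return findings

# Constructed sample: the manifest above with its placeholders still in place.
SAMPLE_STORAGE = {
    "backend": "s3",
    "s3": {"region": "us-east-2", "bucket": "example-msr-bucket",
           "accesskey": "<access-key>", "secretkey": "<secret-key>",
           "v4auth": True},
}
```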
Restore MSR with your previous settings¶
Restore MSR with S3 settings¶
To restore MSR using your previously configured S3 settings, use restore.
Restore MSR with non-S3 cloud storage provider settings¶
For S3-compatible cloud storage providers other than Amazon S3, configure the following parameters in the registry.storage section of the custom resource manifest, Helm chart, or Swarm cluster values.yaml file:
Azure:

| Field | Description | Level |
|---|---|---|
| | The name of the Azure Storage Account. | Standard |
| | The Primary or Secondary Key for the Storage Account. | Standard |
| | The name of the Azure root storage container in which image data is stored. | Standard |
| | The domain name suffix for the Storage API endpoint. | Advanced |
OpenStack Swift:

| Field | Description | Level |
|---|---|---|
| | OpenStack user name. | Standard |
| | OpenStack user name. | Standard |
| | OpenStack password. | Standard |
| | The name of the Swift container in which to store the registry images. | Standard |
| | The contents of a service account private key file in JSON format that is used for Service Account Authentication. | Advanced |
| | OpenStack tenant name. | Advanced |
| | OpenStack tenant ID. | Advanced |
| | OpenStack domain name for Identity v3 API. | Advanced |
| | OpenStack domain ID for Identity v3 API. | Advanced |
| | OpenStack trust ID for Identity v3 API. | Advanced |
| | Skips TLS server certificate verification. | Advanced |
| | Data segments for the Swift Dynamic Large Objects. | Advanced |
| | A prefix that is applied to all Swift object keys that allows you to segment data in your container, if necessary. | Advanced |
| | The secret key used to generate temporary URLs. | Advanced |
| | The access key used to generate temporary URLs. | Advanced |
| | Specifies the OpenStack Auth version. | Advanced |
| | The endpoint type used when connecting to Swift. | Advanced |
Google Cloud Storage:

| Field | Description | Level |
|---|---|---|
| | The name of the Google Cloud Storage bucket in which image data is stored. | Standard |
| | The contents of a service account private key file in JSON format that is used for Service Account Authentication. | Advanced |
| | The root directory tree in which all registry files are stored. The prefix is applied to all Google Cloud Storage keys, to allow you to segment data in your bucket as necessary. | Advanced |
| | The chunk size used for uploading large blobs. | Advanced |
OSS:

| Field | Description | Level |
|---|---|---|
| | Access key ID. | Standard |
| | Access key secret. | Standard |
| | The ID of the OSS region in which you would like to store objects. | Standard |
| | The name of the OSS bucket in which to store objects. | Standard |
| | The endpoint domain name for accessing OSS. | Advanced |
| | Indicates whether to use the internal endpoint instead of the public endpoint for OSS access. | Advanced |
| | Indicates whether to encrypt your data on the server side. | Advanced |
| | Indicates whether to transfer data to the bucket over HTTPS. | Advanced |
| | The default part size for multipart uploads. | Advanced |
| | A prefix that is applied to all object keys that allows you to segment data in your bucket, if necessary. | Advanced |