Warning: In correlation with the end of life (EOL) date for MSR 3.1.x, Mirantis stopped maintaining this documentation version as of 2025-09-27. The latest MSR product documentation is available here.

Components

Mirantis Secure Registry (MSR) is a containerized application that runs on a Kubernetes cluster. After deploying MSR, you can use your Docker CLI client to log in, push images, and pull images. For high availability, you can horizontally scale your MSR workloads across multiple Kubernetes worker nodes.

Workloads

Descriptions for each of the workloads that MSR creates during installation are available in the table below.

Caution

Do not use these components in your applications, as they are for internal MSR use only.

MSR installation workloads
Name	Name on Kubernetes	Name on Swarm	Description
API	`deployment/<release-name>-msr-api`	`msr_msr-api-server`	Executes the MSR business logic, serving the MSR web application and API.
Garant	`deployment/<release-name>-msr-garant`	`msr_msr-garant`	Manages MSR authentication.
Jobrunner	`deployment/<release-name>-msr-jobrunner-<deployment>`	`msr_msr-jobrunner`	Runs asynchronous background jobs, including garbage collection and image vulnerability scans.
NGINX	`deployment/<release-name>-msr-nginx`	`msr_msr-nginx`	Receives HTTP and HTTPS requests and proxies those requests to other MSR components.
Notary server	`deployment/<release-name>-msr-notary-server`	`msr_msr-notary-server`	Provides signing and verification for images that are pushed to or pulled from the secure registry.
Notary signer	`deployment/<release-name>-msr-notary-signer`	`msr_msr-notary-signer`	Performs server-side timestamp and snapshot signing for Content Trust metadata.
Registry	`deployment/<release-name>-msr-registry`	`msr_msr-registry`	Implements pull and push functionality for Docker images and manages how images are stored.
RethinkDB	`statefulset/<release-name>-msr-rethinkdb-cluster`, `deployment/<release-name>-msr-rethinkdb-proxy`	`msr_msr-rethinkdb`	Stores persisting repository metadata.
Scanningstore	`statefulset/<release-name>-msr-scanningstore`	`msr_msr-scanningstore`	Stores security scanning data.
eNZi	`deployment/<release-name>-enzi-api`, `statefulset/<release-name>-enzi-worker`	`msr_msr-enzi-api`, `msr_msr-enzi-worker`	Authenticates and authorizes MSR users.

Third-party components
Name	Name on Kubernetes	Description
PostgreSQL	`deployment/postgres-operator`	Manages the security scanning database.
cert-manager	`deployment/cert-manager`, `deployment/cert-manager-caininjector`, `deployment/cert-manager-webhook`	Manages certificates for all MSR components.

Note

Third-party components are present only in Kubernetes deployments. Swarm-based installations include only the components listed in the MSR installation workloads table.
To mitigate the risk of security breaches and exploits, Mirantis strongly recommends upgrading the third-party components to the latest supported version.

The communication flow between MSR workloads is illustrated below:

msr-architecture

Note

The third-party cert-manager component interacts with all of the components displayed in the above diagram.

JobRunner

Descriptions for each of the job types that are run by MSR are available in the table below.

MSR job types
Job type	Description
`analytics_report`	Uploads an analytics report to Mirantis.
`helm_chart_lint`	Lints a Helm chart.
`helm_chart_lint_all`	Lints all charts in all repositories.
`onlinegc`	Performs garbage collection for all types of MSR data and metadata.
`onlinegc_blobs`	Performs garbage collection of orphaned image layer data.
`onlinegc_events`	Performs auto-deletion of repository events.
`onlinegc_joblogs`	Performs auto-deletion of job logs.
`onlinegc_metadata`	Performs garbage collection of image metadata.
`onlinegc_scans`	Performs garbage collection of security scan results for deleted layers.
`poll_mirror`	Pulls tags from remote repositories as determined by mirroring policies.
`push_mirror_tag`	Pushes image tags to remote repositories as determined by mirroring policies.
`scan_check`	Scans image by digest.
`scan_check_all`	Rescans all previously scanned images.
`scan_check_single`	Scans single layer of the image.
`tag_prune`	Deletes tags from remote repositories, as determined by the pruning policies of the repositories.
`update_vuln_db`	Updates vulnerability database (CVE list).
`webhook`	Sends a webhook.