What to expect when transitioning to MSR4

Migration Path

  • Use our migration guide to transition from MSR2 and MSR3 to MSR4.

  • Tools are provided to migrate repositories and configurations to the new platform.

Project and Repository permissions

  • When migrating repositories from MSR2 and MSR3 the repositories will migrate under a project. The project permissions will be admin.

  • If you need to retain custom permissions from the previous version of MSR, Mirantis will publish a tooling that helps migrate the permissions and validate it shortly.

Image Signing

  • When migrating images which were previously signed the image signing will not be retained. Due to architectural and security differences it will not be possible to migrate this security attribute during the migration. Customers can refer to Signing Artifacts with Cosign for more information on signing artifacts after migration.

Image Signing DCT vs Cosign

  • MSR2 and MSR3 use Docker Content Trust (DCT) for image signing. DCT is based on Notary v1, which uses The Update Framework (TUF) to ensure the integrity and publisher authenticity of container images.

  • MSR4 supports Cosign for image signing and verification. Cosign is part of the Sigstore project and is more modern and widely adopted for cloud-native environments. Unlike DCT, Cosign allows signing without relying on a separate, heavyweight service like Notary and supports keyless signing with OIDC identities. Harbor integrates this natively, providing better interoperability with Kubernetes-native tools and workflows.

Updated APIs and Webhooks

  • While general functionality remains similar, some API endpoints and webhook implementations have changed. Customers may need to adjust their scripts and integrations.

Adaptation for Removed Features

  • Swarm Support: While MSR4 no longer supports Swarm HA clusters, single-instance deployments remain viable for Swarm users. For more information please visit Install MSR single host using Docker Compose.

  • Promotion Policies: Automate promotion workflows through updated CI/CD pipelines.

Authentication

  • SAML support has been removed. Customers should use other supported authentication methods, such as LDAP or OIDC.