This topic describes how to use the remote replication capability of Harbor to synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance and implement geo-disaster recovery of container image repositories.
If you do not want to synchronize images by using the remote replication capability of Harbor or you have high requirements for the synchronization speed, see Migrate images from a self-managed Harbor instance to Container Registry Enterprise Edition within 10 minutes.
Prerequisites
A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.
Procedure
Synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance
If the Harbor registry is deployed in a data center, you must connect the Harbor registry to the Enterprise Edition instance over the VPC in which the Enterprise Edition instance resides. For more information, see Obtain IP addresses to configure routing rules and implement access to a Container Registry Enterprise Edition instance across regions or from a data center.
Step 1: Create a namespace
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the Container Registry Enterprise Edition instance to which you want to synchronize images.
In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose .
On the Namespace page, click Create Namespace.
In the Create Namespace dialog box, configure the Namespace, Automatically Create Repository, and Default Repository Type parameters. The following table describes the parameters. Then, click OK.
Parameter
Description
Namespace
Enter the name of the project in Harbor that you want to synchronize. Example: test-project.
Automatically Create Repository
Turn on Automatically Create Repository.
NoteIf you turn off Automatically Create Repository, you must create a repository in the namespace before you synchronize the image.
Default Repository Type
Select a repository type. We recommend that you select Private.
Step 2: Configure the destination repository in Harbor
Log on to Harbor.
In the left-side navigation pane, choose
.On the Registries page, click NEW ENDPOINT.
In the New Registry Endpoint dialog box, configure the parameters. The following table describes the parameters.
Parameter
Description
Provider
Select Docker Registry from the drop-down list.
Name
Enter a name for the new endpoint.
Description
Enter a description for the new endpoint.
Endpoint URL
Enter the endpoint of the destination repository of the Container Registry Enterprise Edition instance. Make sure that access control is enabled. For more information, see Configure a VPC ACL and Configure Internet access.
The Container Registry Enterprise Edition instance is deployed in a VPC.
Example of the endpoint of the destination repository:
https://<Name of the Container Registry Enterprise Edition instance>-registry-vpc.cn-qingdao.cr.aliyuncs.com
.The Container Registry Enterprise Edition instance is deployed on the Internet.
Example of the endpoint of the destination repository:
https://<Name of the Container Registry Enterprise Edition instance>-registry.cn-qingdao.cr.aliyuncs.com
.
Access ID
Enter the login name of the destination repository, which is the same as your Alibaba Cloud account.
Access Secret
Enter the password that you use to access the destination repository. For more information, see Use a password.
Click TEST CONNECTION. If the Connection tested successfully message appears, the parameters that you entered are valid. Click OK.
Step 3: Configure a synchronization rule
Log on to Harbor.
In the left-side navigation pane, choose
.On the Replications page, click NEW REPLICATION RULE.
In the New Replication Rule dialog box, configure the parameters. The following table describes the parameters. Then, click SAVE.
Parameter
Description
Name
Enter a name for the synchronization rule.
Description
Enter a description for the synchronization rule.
Replication mode
Select Push-based.
Source resource filter
Follow the on-screen instructions to configure this parameter. This parameter is used to filter the resources that you want to synchronize. The default value of the Resource parameter in the "Source resource filter" section is All.
Destination registry
Select the destination repository that you configured in Step 2.
Destination
In the Namespace field, enter the namespace that you created in Step 1 in the Container Registry Enterprise Edition instance. The Flattening parameter is used to simplify the hierarchy of the repository when you replicate images. We recommend that you select Flatten 1 Level. For example, images may be replicated from harbor-project/nginx to
acr-ns/nginx
after you select Flatten Level 1.Trigger Mode
Select a trigger mode. We recommend that you select Event Based to synchronize image changes in Harbor.
Bandwidth
Specify a value for this parameter to limit the maximum network bandwidth during synchronization. The default value is -1, which specifies that no limit is imposed on the maximum network bandwidth.
In the Name column of the Replications page, select the rule that you created in the previous step and click REPLICATE. This way, existing images on the Harbor registry are replicated to the Container Registry Enterprise Edition instance. When the status of the replication task becomes Succeeded, the synchronization task is complete. Subsequent changes to the image repository in Harbor are synchronized to the Container Registry Enterprise Edition instance in the event-based trigger mode.
Configure a custom endpoint to implement geo-disaster recovery
Container Registry Enterprise Edition supports the custom endpoint feature that allows you to add custom endpoints and SSL certificates to Container Registry Enterprise Edition instances. This way, you can use the custom endpoints to access the Container Registry Enterprise Edition instances over HTTPS.
You can use the following disaster recovery solutions based on your network environments.
Solution 1: If the Harbor registry is deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet
In this example, the Container Registry Enterprise Edition instance is deployed in the China (Hangzhou) region, and the Harbor registry is deployed in the China (Zhangjiakou) region. The instances have the same endpoint. PrivateZone is configured for the instances. For information about how to configure PrivateZone, see Use a custom domain name to access a Container Registry Enterprise Edition instance.
The following table describes the basic information about the Container Registry Enterprise Edition instance and the Harbor registry.
Instance ID | Public Endpoint | Name of the associated VPC | Custom endpoint |
ACR-A | a-registry.cn-hangzhou.cr.aliyuncs.com | vpc-aaaaa | cross-region.registry.io |
Harbor-B | - | vpc-bbbbb | cross-region.registry.io |
If the Harbor registry in the China (Zhangjiakou) region fails and the business cannot push images to and pull image from the registry, you can modify the PrivateZone resolution configuration of the custom endpoint to pull the synchronized image from the Container Registry Enterprise Edition instance across regions. Procedure:
Log on to the Alibaba Cloud DNS console.
In the left-side navigation pane, click Private DNS (PrivateZone).
On the Built-in Authoritative Module tab, enter the custom endpoint
cross-region.registry.io
to search for zones. Two zones are displayed. Click the zone that is associated with thevpc-bbbbb
VPC.On the Resource Record Settings tab, find the record that you want to edit and click Edit in the Actions column.
In the Edit Record panel, configure the parameters. The following table describes the parameters. Then, click OK.
Parameter
Description
Record Type
Select CNAME.
Hostname
Set this parameter to @.
Record Value
Set this parameter to the public endpoint of the Container Registry Enterprise Edition instance:
a-registry.cn-hangzhou.cr.aliyuncs.com
.TTL
Retain the default value.
Solution 2: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet
Set the custom endpoint of the Container Registry Enterprise Edition instance to the endpoint of the Harbor registry. Example: www.ha****.com. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance.
If the Harbor registry fails and the business cannot push and pull images, you must modify the DNS resolution settings of the endpoint of the Harbor registry and allow the endpoint (for example, www.harbor.com
) of the Harbor registry to be resolved to the public IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the Internet to push and pull images.
Solution 3: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the VPC
If the Harbor registry fails and the business cannot push and pull images, you must obtain the IP address of the Container Registry Enterprise Edition instance and configure a routing rule and DNS resolution which allow the endpoint (for example, www.harbor.com
) of the Harbor registry to be resolved to the IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the VPC to push and pull images. For more information, see Obtain IP addresses to configure routing rules and implement access to a Container Registry Enterprise Edition instance across regions or from a data center.