
Container Registry: Use the remote replication capability of Harbor to synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance and implement geo-disaster recovery

Last Updated: Dec 09, 2024

This topic describes how to use the remote replication capability of Harbor to synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance and implement geo-disaster recovery of container image repositories.

Note

If you do not want to synchronize images by using the remote replication capability of Harbor or you have high requirements for the synchronization speed, see Migrate images from a self-managed Harbor instance to Container Registry Enterprise Edition within 10 minutes.

Prerequisites

A Container Registry Enterprise Edition instance is created. For more information, see Create a Container Registry Enterprise Edition instance.

Procedure

Synchronize images on a Harbor registry to a Container Registry Enterprise Edition instance

Note

If the Harbor registry is deployed in a data center, you must connect the Harbor registry to the Enterprise Edition instance over the VPC in which the Enterprise Edition instance resides. For more information, see Obtain IP addresses to configure routing rules and implement access to a Container Registry Enterprise Edition instance across regions or from a data center.

Step 1: Create a namespace

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Container Registry Enterprise Edition instance to which you want to synchronize images.

  5. In the left-side navigation pane of the management page of the Container Registry Enterprise Edition instance, choose Repository > Namespace.

  6. On the Namespace page, click Create Namespace.

  7. In the Create Namespace dialog box, configure the Namespace, Automatically Create Repository, and Default Repository Type parameters. The following table describes the parameters. Then, click OK.

    | Parameter | Description |
    | --- | --- |
    | Namespace | Enter the name of the project in Harbor that you want to synchronize. Example: test-project. |
    | Automatically Create Repository | Turn on Automatically Create Repository. Note: If you turn off Automatically Create Repository, you must create a repository in the namespace before you synchronize the image. |
    | Default Repository Type | Select a repository type. We recommend that you select Private. |

Step 2: Configure the destination repository in Harbor

  1. Log on to Harbor.

  2. In the left-side navigation pane, choose Administration > Registries.

  3. On the Registries page, click NEW ENDPOINT.

  4. In the New Registry Endpoint dialog box, configure the parameters. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Provider | Select Docker Registry from the drop-down list. |
    | Name | Enter a name for the new endpoint. |
    | Description | Enter a description for the new endpoint. |
    | Endpoint URL | Enter the endpoint of the destination repository of the Container Registry Enterprise Edition instance. Make sure that access control is enabled. For more information, see Configure a VPC ACL and Configure Internet access. If the Container Registry Enterprise Edition instance is deployed in a VPC, example of the endpoint of the destination repository: https://<Name of the Container Registry Enterprise Edition instance>-registry-vpc.cn-qingdao.cr.aliyuncs.com. If the Container Registry Enterprise Edition instance is deployed on the Internet, example of the endpoint of the destination repository: https://<Name of the Container Registry Enterprise Edition instance>-registry.cn-qingdao.cr.aliyuncs.com. |
    | Access ID | Enter the login name of the destination repository, which is the same as your Alibaba Cloud account. |
    | Access Secret | Enter the password that you use to access the destination repository. For more information, see Use a password. |

  5. Click TEST CONNECTION. If the Connection tested successfully message appears, the parameters that you entered are valid. Click OK.

Step 3: Configure a synchronization rule

  1. Log on to Harbor.

  2. In the left-side navigation pane, choose Administration > Replications.

  3. On the Replications page, click NEW REPLICATION RULE.

  4. In the New Replication Rule dialog box, configure the parameters. The following table describes the parameters. Then, click SAVE.

    | Parameter | Description |
    | --- | --- |
    | Name | Enter a name for the synchronization rule. |
    | Description | Enter a description for the synchronization rule. |
    | Replication mode | Select Push-based. |
    | Source resource filter | Follow the on-screen instructions to configure this parameter. This parameter is used to filter the resources that you want to synchronize. The default value of the Resource parameter in the "Source resource filter" section is All. |
    | Destination registry | Select the destination repository that you configured in Step 2. |
    | Destination | In the Namespace field, enter the namespace that you created in Step 1 in the Container Registry Enterprise Edition instance. The Flattening parameter is used to simplify the hierarchy of the repository when you replicate images. We recommend that you select Flatten 1 Level. For example, images may be replicated from harbor-project/nginx to acr-ns/nginx after you select Flatten 1 Level. |
    | Trigger Mode | Select a trigger mode. We recommend that you select Event Based to synchronize image changes in Harbor. |
    | Bandwidth | Specify a value for this parameter to limit the maximum network bandwidth during synchronization. The default value is -1, which specifies that no limit is imposed on the maximum network bandwidth. |

  5. In the Name column of the Replications page, select the rule that you created in the previous step and click REPLICATE. This way, existing images on the Harbor registry are replicated to the Container Registry Enterprise Edition instance. When the status of the replication task becomes Succeeded, the synchronization task is complete. Subsequent changes to the image repository in Harbor are synchronized to the Container Registry Enterprise Edition instance in the event-based trigger mode.
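
A Succeeded status shows that the task finished, not that every tag on the replica points at the same content as the source. The following added example (not code from Harbor or Alibaba Cloud) models the Flatten 1 Level mapping described in Step 3, generalized to other flattening levels as an assumption, and compares manifest digests of the two registries before the replica is relied on for failover. The function names and the sample inventories are hypothetical; the "repo:tag" to digest inventories are assumed to be collected separately from each registry.

```python
"""Pre-failover parity check between a Harbor project and its replica."""

def flatten(repo: str, dest_ns: str, levels: int = 1) -> str:
    """Destination path for a source repository.

    levels=1 models "Flatten 1 Level": the leading path component (the Harbor
    project) is replaced by the destination namespace. levels=0 keeps the full
    path; a negative value keeps only the image name. The image name itself
    is never dropped.
    """
    parts = repo.split("/")
    drop = len(parts) - 1 if levels < 0 else min(levels, len(parts) - 1)
    return "/".join([dest_ns] + parts[drop:])


def parity_report(source: dict, dest: dict, dest_ns: str, levels: int = 1) -> dict:
    """Compare {"repo:tag": digest} inventories of source and destination."""
    expected, collisions = {}, set()
    for ref, digest in sorted(source.items()):
        repo, tag = ref.rsplit(":", 1)
        target = f"{flatten(repo, dest_ns, levels)}:{tag}"
        # Two source images that map to one destination name overwrite each other.
        if expected.get(target, digest) != digest:
            collisions.add(target)
        expected[target] = digest
    missing = sorted(t for t in expected if t not in dest)
    mismatched = sorted(t for t in expected if t in dest and dest[t] != expected[t])
    return {
        "missing": missing,
        "mismatched": mismatched,
        "collisions": sorted(collisions),
        "safe_to_fail_over": not (missing or mismatched or collisions),
    }


# Constructed sample inventories (digests are placeholders, not real images).
D = {k: "sha256:" + k * 64 for k in "abcd"}
HARBOR = {
    "test-project/nginx:1.25": D["a"],
    "test-project/redis:7": D["b"],
    "test-project/team/api:v2": D["c"],
}
ACR = {
    "test-project/nginx:1.25": D["a"],
    "test-project/redis:7": D["d"],  # tag exists but points at different content
}

if __name__ == "__main__":
    for key, value in parity_report(HARBOR, ACR, "test-project").items():
        print(f"{key}: {value}")
```

A non-empty collisions list means that one replication rule flattens repositories from more than one project into the same destination name, so the replica can hold only one of them.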

Configure a custom endpoint to implement geo-disaster recovery

Container Registry Enterprise Edition supports the custom endpoint feature that allows you to add custom endpoints and SSL certificates to Container Registry Enterprise Edition instances. This way, you can use the custom endpoints to access the Container Registry Enterprise Edition instances over HTTPS.

You can use the following disaster recovery solutions based on your network environments.

Solution 1: If the Harbor registry is deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet

In this example, the Container Registry Enterprise Edition instance is deployed in the China (Hangzhou) region, and the Harbor registry is deployed in the China (Zhangjiakou) region. The instances have the same endpoint. PrivateZone is configured for the instances. For information about how to configure PrivateZone, see Use a custom domain name to access a Container Registry Enterprise Edition instance.

The following table describes the basic information about the Container Registry Enterprise Edition instance and the Harbor registry.

| Instance ID | Public Endpoint | Name of the associated VPC | Custom endpoint |
| --- | --- | --- | --- |
| ACR-A | a-registry.cn-hangzhou.cr.aliyuncs.com | vpc-aaaaa | cross-region.registry.io |
| Harbor-B | - | vpc-bbbbb | cross-region.registry.io |

If the Harbor registry in the China (Zhangjiakou) region fails and the business cannot push images to and pull images from the registry, you can modify the PrivateZone resolution configuration of the custom endpoint to pull the synchronized image from the Container Registry Enterprise Edition instance across regions. Procedure:

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Private DNS (PrivateZone).

  3. On the Built-in Authoritative Module tab, enter the custom endpoint cross-region.registry.io to search for zones. Two zones are displayed. Click the zone that is associated with the vpc-bbbbb VPC.

  4. On the Resource Record Settings tab, find the record that you want to edit and click Edit in the Actions column.

  5. In the Edit Record panel, configure the parameters. The following table describes the parameters. Then, click OK.

    | Parameter | Description |
    | --- | --- |
    | Record Type | Select CNAME. |
    | Hostname | Set this parameter to @. |
    | Record Value | Set this parameter to the public endpoint of the Container Registry Enterprise Edition instance: a-registry.cn-hangzhou.cr.aliyuncs.com. |
    | TTL | Retain the default value. |

Solution 2: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the Internet

Set the custom endpoint of the Container Registry Enterprise Edition instance to the endpoint of the Harbor registry. Example: www.ha****.com. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance.

If the Harbor registry fails and the business cannot push and pull images, you must modify the DNS resolution settings of the endpoint of the Harbor registry and allow the endpoint (for example, www.harbor.com) of the Harbor registry to be resolved to the public IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the Internet to push and pull images.

Solution 3: If the Harbor registry is not deployed on Alibaba Cloud, the business accesses the Container Registry Enterprise Edition instance over the VPC

If the Harbor registry fails and the business cannot push and pull images, you must obtain the IP address of the Container Registry Enterprise Edition instance and configure a routing rule and DNS resolution which allow the endpoint (for example, www.harbor.com) of the Harbor registry to be resolved to the IP address of the Container Registry Enterprise Edition instance. This way, the business can access the Container Registry Enterprise Edition instance over the VPC to push and pull images. For more information, see Obtain IP addresses to configure routing rules and implement access to a Container Registry Enterprise Edition instance across regions or from a data center.