user guide - huawei cloud3 docker basics docker is an open-source engine which allows you to create...

Software Repository for Container

User Guide

Issue 01

Date 2020-05-19

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 01 (2020-05-19) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 Introduction.............................................................................................................................. 1

2 Permissions Management..................................................................................................... 22.1 Creating a User and Granting SWR Permissions.......................................................................................................... 2

3 Docker Basics............................................................................................................................ 4

4 Image Management................................................................................................................74.1 Uploading an Image Through a Docker Client............................................................................................................. 74.2 Obtaining a Long-Term Valid Docker Login Command.............................................................................................94.3 Uploading an Image Through SWR Console............................................................................................................... 104.4 Setting Image Attributes.................................................................................................................................................... 124.5 Sharing Private Images....................................................................................................................................................... 134.6 Adding a Trigger.................................................................................................................................................................... 154.7 Adding an Image Retention Policy................................................................................................................................. 174.8 Configuring Automatic Image Synchronization Between Regions...................................................................... 194.9 Image Security Scanning.................................................................................................................................................... 204.10 Adding an Image to Favorites........................................................................................................................................ 214.11 Configure an Image Accelerator................................................................................................................................... 224.12 Synchronizing Harbor Images........................................................................................................................................ 23

5 Organization Management.................................................................................................30

6 User Permissions....................................................................................................................33

7 Auditing................................................................................................................................... 387.1 SWR Operations Supported by CTS................................................................................................................................ 387.2 Viewing Logs in CTS.............................................................................................................................................................40

Software Repository for ContainerUser Guide Contents

Issue 01 (2020-05-19) Copyright © Huawei Technologies Co., Ltd. ii

1 Introduction

Software Repository for Container (SWR) provides easy, secure, and reliablemanagement of Docker container images throughout their lifecycles, featuringimage push, pull, and deleting.

Private image repository and fine-grained permission management allow you togrant different access permissions, namely, read, write, and edit, to different users.Triggers enable automatic application update upon image update. Simply set atrigger to the desired image. Every time the image is updated, the applicationdeployed in Cloud Container Engine (CCE) with this image can be automaticallyupdated.

You can use SWR through the SWR console or SWR APIs.

Figure 1-1 How SWR works

Software Repository for ContainerUser Guide 1 Introduction

Issue 01 (2020-05-19) Copyright © Huawei Technologies Co., Ltd. 1

https://console.huaweicloud.com/swr/?locale=en-us#/dashboard

https://support.huaweicloud.com/en-us/api-swr/swr_02_0065.html

2 Permissions Management

2.1 Creating a User and Granting SWR PermissionsThis chapter describes how to use Identity and Access Management (IAM) toimplement fine-grained permissions control for your SWR resources. With IAM,you can:

● Create IAM users for employees based on your enterprise's organizationalstructure. Each IAM user will have their own security credentials for accessingSWR resources.

● Grant only the permissions required for users to perform a specific task.● Entrust a HUAWEI CLOUD account or cloud service to perform efficient O&M

on your SWR resources.

If your HUAWEI CLOUD account does not require individual IAM users forpermissions management, skip this section.

This section describes the procedure for granting permissions (see Figure 2-1).

PrerequisiteLearn about the permissions (see Permissions Management) supported by SWRand choose policies or roles according to your requirements. For the permissions ofother services, see Permissions Policies.

Software Repository for ContainerUser Guide 2 Permissions Management


https://support.huaweicloud.com/en-us/usermanual-iam/iam_01_0001.html

https://support.huaweicloud.com/en-us/productdesc-swr/swr_03_0005.html

https://support.huaweicloud.com/en-us/usermanual-permissions/iam_01_0001.html

Process Flow

Figure 2-1 Process of granting SWR permissions

1. Create a user group and assign permissions to it.Create a user group on the IAM console, and assign the SWR Admin policy tothe group.

2. Create an IAM user and add it to the user group.Create a user on the IAM console and add the user to the group created in 1.

3. Log in and verify permissions.Log in to the SWR console by using the user created in 2, and verify that theuser has corresponding permissions for SWR.– Choose Service List > Software Repository for Container. Click

Organization Management. On the page displayed, click CreateOrganization. If you have sufficient permissions to create anorganization, then your permissions are configured successfully.

Software Repository for ContainerUser Guide 2 Permissions Management





3 Docker Basics

Docker is an open-source engine which allows you to create a lightweight,portable, and self-sufficient container for any application. SWR is compatible withDocker. You can use Docker CLI and native APIs to manage your images.

Installing Docker

Before installing Docker, get a basic understanding of what Docker is and how itworks. For more information, see Docker Documentation.

Docker is compatible with almost all operating systems. Select a Docker versionthat best suits your needs. If you are not sure which Docker community edition touse, see https://docs.docker.com/engine/installation/.

● Before using HUAWEI CLOUD Software Repository for Container (SWR) to store Dockerimages, ensure that the Docker client that will upload images to SWR is updated tov1.11.2 or later.

● If the Docker client is in a private network, bind an elastic IP address (EIP) to the Dockerclient. This EIP will allow the Docker client to download Docker installation packagesfrom the Docker website.

If you are using a Linux operating system, run the following instructions to quicklyinstall Docker.

curl -fsSL get.docker.com -o get-docker.shsh get-docker.sh

Building a Docker Image

This section walks you through the steps of using a Dockerfile to build a Dockerimage for a simple web application. Dockerfile is a text file that contains all theinstructions a user could call on the command line to build an image. A Dockerimage is a stack consisting of multiple layers. Each instruction creates a layer.

When using a browser to access a containerized application built from a Nginximage, you will see the default Nginx welcome page. In this section, you build anew image based on the Nginx image to change the welcome message to Hello,SWR!

Software Repository for ContainerUser Guide 3 Docker Basics


https://docs.docker.com

https://docs.docker.com/engine/installation/

Step 1 Log in to the Docker client as the root user.

Step 2 Run the following commands to create an empty file named Dockerfile:

mkdir mynginx

cd mynginx

touch Dockerfile

Step 3 Edit Dockerfile.

vim Dockerfile

Instructions to be added to the Dockerfile:

FROM nginxRUN echo '<h1>Hello,SWR!</h1>' > /usr/share/nginx/html/index.html

In the preceding instructions:

● FROM: creates a layer from the base image. A valid Dockerfile must start witha FROM instruction. In this example, the Nginx image is used as the baseimage.

● RUN: executes a command to create a new layer. One of its syntax forms isRUN <command>. In this example, the echo command is executed to displayHello, SWR!

Save the changes and exit.

Step 4 Run docker build [option] <context path> to build an image.

docker build -t nginx:v3 .

● -t nginx:v3: specifies the image name and tag.● .: indicates the path where the Dockerfile is located. All contents in this path

are packed and sent to the Docker engine to build an image.

Step 5 Run the following command to list images. From the printout, you can find thenewly created nginx image with a tag of v3.

docker images

----End

Creating an Image PackageThis section describes how to compress a Docker image into a .tar or .tar.gzpackage.

Step 1 Log in to the Docker client as the root user.

Step 2 Run the following command to list images.

docker images

Check the name and tag of the image to be compressed.

Step 3 Run the following command to compress the image into a package.

docker save [OPTIONS] IMAGE [IMAGE...]



OPTIONS: can be set to --output or -o, indicating that the image is exported to a file.(Optional)The file should be in either .tar or .tar.gz.

Sample:

$ docker save nginx:latest > nginx.tar$ ls -sh nginx.tar108M nginx.tar

$ docker save php:5-apache > php.tar.gz$ ls -sh php.tar.gz372M php.tar.gz

$ docker save --output nginx.tar nginx$ ls -sh nginx.tar108M nginx.tar

$ docker save -o nginx-all.tar nginx$ docker save -o nginx-latest.tar nginx:latest

----End



4 Image Management

4.1 Uploading an Image Through a Docker ClientThis section walks you through the steps of uploading an image to SWR, namely,running Docker commands to push an image to SWR image repository, taking the2048-demo:v1 image as an example.

NO TICE

● Each image layer uploaded through a Docker client cannot exceed 10 GB.● Your Docker client version must be 1.11.2 or later.

PrerequisiteYou have created an organization in SWR. For details, see Creating anOrganization.

Procedure

Step 1 Access SWR.

1. Log in to the SWR console.2. In the navigation pane, choose My Images and then click Upload Through

Docker Client. On the page displayed, click Generate a temporary Docker

login command and click to copy the command. Then, record the domainname at the end of the docker login command. This is the address of thecurrent image repository.

Figure 4-1 Obtaining a docker login command

Software Repository for ContainerUser Guide 4 Image Management


The docker login command obtained in this step is valid for 24 hours. For details abouthow to obtain a long-term valid docker login command, see Obtaining a Long-TermValid Docker Login Command. For the differences between these two types of logincommands, see What Are the Differences Between Long-Term Valid Docker LoginCommands and Temporary Docker Login Commands.

3. Run the docker login command on your Docker client (a device that hasDocker installed).The message "login succeeded" will be displayed upon a successful login.

Step 2 Tag the 2048-demo:v1 image by running the following command:

docker tag [Image name:tag] [Image repository address]/[Organization name]/[Image name:tag]

Sample docker tag command:

docker tag 2048-demo:v1 swr.cn-north-1.myhuaweicloud.com/group/2048-demo:v1

In the sample command:

● swr.cn-north-1.myhuaweicloud.com is the address of SWR image repository.● group indicates the organization name. When no existing organization

matches this name, SWR automatically creates a new one with this name.● 2048-demo:v1 indicates the image name and tag.

Step 3 Push the image to the image repository by running the following command:

docker push [Image repository address]/[Organization name]/[Image name:tag]

Sample docker push command:

docker push swr.cn-north-1.myhuaweicloud.com/group/2048-demo:v1

The following information will be returned upon a successful push:

6d6b9812c8ae: Pushed 695da0025de6: Pushed fe4c16cbf7a4: Pushed v1: digest: sha256:eb7e3bbd8e3040efa71d9c2cacfa12a8e39c6b2ccd15eac12bdc49e0b66cee63 size: 948

To view the pushed image, refresh the My Images page.

----End

Follow-up Procedure

After uploading an image, you can obtain its address, and then run the dockerpull command to pull the image.

Step 1 Log in to the SWR console.

Step 2 In the navigation pane, choose My Images and click the desired image.

Step 3 In the same row as the desired image tag, click in the Image Pull Commandcolumn to copy the docker pull command.



https://support.huaweicloud.com/en-us/swr_faq/swr_faq_0015.html


Figure 4-2 Obtaining the image address for image pull

----End

4.2 Obtaining a Long-Term Valid Docker LoginCommand

This chapter describes how to obtain a long-term valid docker login commandthat will remain valid for one year.

Procedure

Step 1 Obtain the image repository address and the regional project name.

1. Access the My Credentials page.2. In the Projects area on the API Credentials page, check the name of the

project in your current region.For example, in region CN North-Beijing1, the project is called cn-north-1.

Figure 4-3 Region and project

The image repository address format is as follows: swr.regional projectname.myhuaweicloud.com. Therefore, the image repository address for CNNorth-Beijing1 is swr.cn-north-1.myhuaweicloud.com.

Step 2 Obtain the Access Key ID and Secret Access Key (AK/SK).

If you already have an AK/SK, skip this step.

1. Access the My Credentials page.2. In the navigation pane on the left, click Access Keys. Click Create Access Key

to create an access key.



https://console.huaweicloud.com/iam/?locale=en-us#/myCredential

https://console.huaweicloud.com/iam/?locale=en-us#/myCredential

3. Enter the login password and verification code sent to your mailbox or mobilephone.

If you chose IAM User Login on the login page and have not bound any email addressor mobile phone numbers, then just enter the login password for verification.

4. Click OK to download the access key.

Keep the key secure and do not disclose it to any unauthorized personnel.

Step 3 Log in to a Linux PC and run the following command to obtain the login key:

printf "$AK" | openssl dgst -binary -sha256 -hmac "$SK" | od -An -vtx1 | sed's/[ \n]//g' | sed 'N;s/\n//'

In the command, $AK and $SK indicate the AK and SK obtained in Step 2respectively.

Figure 4-4 Sample command output

Step 4 The format of docker login command is as follows:

docker login -u [Regional project name]@[AK] -p [Login key] [Image repositoryaddress]

In the command, the regional project name and image repository address areobtained in Step 1, the AK in Step 2, and the login key in Step 3.

The login key is encrypted and cannot be decrypted. Therefore, it is unable to obtain the SKfrom -p.

The docker login command can be used on other devices.

Step 5 To prevent privacy information leakage, run the history -c command to clearcommand history. In addition, it is advised to obtain the docker login command inthe development environment.

----End

4.3 Uploading an Image Through SWR ConsoleThis section walks you through the steps of uploading an image to SWR throughthe SWR console.



NO TICE

You can upload a maximum of 10 files at a time. Each file, including adecompressed file, cannot exceed 2 GB. Only image files in .tar or .tar.gz can beuploaded through the SWR console.

Prerequisite● You have created an organization in SWR. For details, see Creating an

Organization.● The image has been saved as a .tar or .tar.gz file. For details, see Creating an

Image Package.● The image package is created using Docker 1.11.2 or later.

Procedure


Step 2 In the navigation pane, choose My Images. Then, click Upload Through SWR.

Step 3 On the page displayed, select an organization to which the image is to beuploaded. Then, click Select File to upload the desired image file.

When multiple images are uploaded at the same time, the image files are uploaded one byone in sequence. Concurrent upload is not supported.

Figure 4-5 Uploading an image

Step 4 On the page displayed, click Upload.

When the upload progress is complete, the image is successfully uploaded.

----End



4.4 Setting Image AttributesAfter uploading an image, you can set image attributes, including its type (publicor private), category and description.

Public images can be pulled by all users; while the access of private imagesrequires corresponding permissions. You can add permissions, namely, read, write,and manage, to users for them to access your private images. For details, seeGranting Permissions for a Specific Image.

Procedure



Step 3 On the details page, click Edit in the upper right corner. On the page displayed,set Sharing Type (public or private), Category, and Description, and click OK.

Figure 4-6 Setting image attributes

Table 4-1 Editing an image

Parameter Description

Organization

The organization where the image belongs

Image Image name




SharingType

This parameter can be set to:● Public● PrivateNOTE

Public images can be pulled and used by all users.● If your node and the image repository are in the same region, you can

access the image repository through intranet.● If your node and the image repository are in different regions, the node

must have access to the public network to pull images from the imagerepository.

Category This parameter can be set to:● Application server● Linux● Windows● Arm● Framework & Application● Database● Language● Others

Description

Image description. Enter a maximum of 30,000 characters.

----End

4.5 Sharing Private ImagesYou can share your private images with other users and grant access permissionsto them. The user with whom you shared the image can then log in to SWRconsole to view the image by clicking My Images > Shared Images. On the tabpage, the user can click the target image to check its detailed information such asthe image tag and image pull command.

Constraints

Only the IAM users authorized to manage the private images and accounts canshare images. The users with whom you share your images only have the read-only permission, which only allows them to pull the images.

Procedure





Step 3 On the details page, click the Sharing tab.

Step 4 Click Share Image. In the dialog box displayed, specify the account with whichyou would like to share the image, the validity period of the sharing, and thepermission you grant to the account. Then click OK.

Figure 4-7 Sharing an image

Table 4-2 Sharing an image


ShareWith

Enter an account name to share the image with the account.

Valid Until Set a validity period. If you want the image to be permanentlyaccessible to the account you specified, tick Permanently valid.

Description

Enter a maximum of 1,000 characters.

Permission Only the Pull permission is supported currently.

Step 5 To view all the images you shared, choose My Images in the navigation pane,click the Private Images tab, and tick Display only shared images above theimage list.

----End



4.6 Adding a TriggerSWR works with Cloud Container Engine (CCE) and Cloud Container Instance(CCI) to achieve automatic application update. When images are updated, thesenew images can be automatically deployed to update the applications that usethese images. The only thing you need to do is to add a trigger to the desiredimages. In this way, every time the images are updated, they will triggerautomatic operations like updating the applications deployed with these images.

Prerequisite

A containerized application has been created on CCE or CCI from an image inSWR.

To create an application on CCE, see Creating a Deployment or Creating aStatefulSet. To create an application on CCI, see Deployment.

Procedure


Step 2 In the navigation pane on the left, choose My Images, and click the desired imageto enter its details page.

Step 3 Click the Triggers tab, then click Add Trigger. On the page displayed, configurethe following parameters according to Table 4-3 and click OK.

Figure 4-8 Adding a trigger



https://support.huaweicloud.com/en-us/usermanual-cce/cce_01_0047.html



https://support.huaweicloud.com/en-us/usermanual-cci/cci_01_0011.html#section0

Table 4-3 Trigger


Name The name should be 1 to 64 characters, starting with a letter. Onlyletters, digits, underscores (_), and hyphens (-) are allowed. Thename cannot end with an underscore or hyphen. Consecutiveunderscores or hyphens are not allowed and an underscore cannotbe placed next to a hyphen.

Condition The following trigger conditions are supported:● All tags: Trigger when any image tags are generated or

updated.● Specific tag: Trigger when a specific image tag is generated or

updated.● Tags matching regular expression: Trigger when an image tag

that matches the specified regular expression is generated orupdated.

Operation Operation that will be triggered when the conditions you set aremet. Currently, only application update is supported. You need tospecify the application to be updated and the container image ofthe application.

Status Select Enable.

TriggerType

Select CCE or CCI.NOTE

Currently, the CCI trigger type is supported only in CN North–Beijing1 andCN North–Beijing4 regions.

Application

Select the container whose image is to be updated.

----End

Verifying the TriggerIn this example, the condition All tags is selected. Therefore, the applicationdeployment will be triggered when any image tags are generated or updated.

Push an image with a new tag to the SWR repository. You can view the new imagetag on the image details page.

Figure 4-9 Viewing the new image tag



● When the Trigger Type is set to CCE, log in to the CCE console. In thenavigation pane on the left, choose Workloads. Click the target workload toenter its detailed page.On the Pods tab page, you can see that an application pod is being createdfrom the image with the new tag. When the creation is complete, theapplication has been updated.

Figure 4-10 CCE application updated

Access the application using the access address displayed on the Services tabpage. Then you can view the updated application information.

● When the Trigger Type is set to CCI, log in to the CCI console. In thenavigation pane on the left, choose Workloads > Deployments. Click thetarget Deployment to enter its detailed page.In the Pod List, you can see that an application pod is being created. Whenthe creation is complete, the application has been updated.

Figure 4-11 CCI application updated

Access the application using the access address displayed in the AccessSettings area. Then you can view the updated application information.

4.7 Adding an Image Retention PolicyYou can add a retention policy to an image in SWR to automatically delete imagetags that might not be in use anymore. The policy takes effect immediately afteryou set it. There are two types of policies:

● Number of days: Image tags are retained based on how many days it hasbeen since they were pushed to SWR. Any tags pushed to SWR more than acertain number of days ago are deleted.

● Number of tags: Image tags are retained based on how many tags have beenpushed to SWR. Any tags pushed in excess of a certain number of tags aredeleted on a first-in-first-out basis.

You can configure filters for your retention policy to prevent certain image tagsfrom being affected by the retention policy.

ConstraintCurrently, only one policy can be configured for each image. If you want to add anew retention policy, the existing policy must be deleted first.



Procedure


Step 2 In the navigation pane on the left, choose My Images, and click the desired imageto enter its details page.

Step 3 On the Retention tab page, click Add Retention Policy. Configure the policybased on Table 4-4 and click OK.

Figure 4-12 Adding an image retention policy

Table 4-4 Adding an image retention policy


PolicyType

There are two types of retention policies:● Number of days: Keep only image tags that have been pushed

to SWR within a certain number of days.● Number of tags: Keep only a certain number of the most

recent image tags. You can set filtering criteria for a retentionpolicy. Image tags meetings the criteria will not be affected bythis policy.

CountLimit

● When you set Policy Type to Number of days, the valueindicates how many days an image tag can be stored. The valueshould be an integer ranging from 1 to 365.

● When you set Policy Type to Number of tags, the valueindicates the maximum number of the most recent image tagsto be retained. The value should be an integer ranging from 1to 1000.

Tag Filter Enter image tags that you do not want this retention policy toapply to.




RegularExpressionFilter

Enter a regular expression. Image tags meeting this regularexpression will not be affected by this retention policy.

When a retention policy is added, SWR immediately applies the policy and displaysdeleted image tags (if any) in the Retention Logs area.

Figure 4-13 Viewing the retention policy and logs

----End

4.8 Configuring Automatic Image SynchronizationBetween Regions

Newly pushed images can be automatically synchronized to image repositories inother regions.

After you configure automatic image synchronization, image updates will also besynchronized to target repositories. However, images pushed to repositories beforeautomatic image synchronization was enabled will not be automatically synchronized.

For details on how to synchronize existing images pushed before you set the automaticsynchronization, see Can Existing Images be Automatically Synchronized.

Constraints

Only accounts and users with administrator permissions can configure automaticimage synchronization.

Currently, automatic image synchronization is only supported for CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, AP-Hong Kong, and AP-Singapore.




Procedure


Step 2 In the navigation pane, choose My Images and click the image you wish to keepsynchronized.

Step 3 On the image details page, click Synchronize Image in the upper right corner.Add the target region and organization. Then click OK.

Figure 4-14 Configuring automatic image synchronization

● Target Region: The target region in image synchronization, for example, CNSouth-Guangzhou.

● Target Organization: The target organization to which images aresynchronized.

● Overwrite Existing Image: Selecting this option indicates that anyunidentical images having the same name in the target organization will beoverwritten. Deselecting this option indicates that any unidentical imageshaving the same name in the target organization will not be overwritten, andyou will be notified their existence.

Step 4 On the Synchronization Records tab page of image details page, you can viewthe details of each synchronization task, such as the start time, image tag, taskstatus, type, duration, target region and organization, and task operator.

----End

4.9 Image Security ScanningYou can scan your private images in SWR for vulnerabilities in just a few clicks.Solutions are provided to help you keep your images safe.

Procedure




Step 2 In the navigation pane on the left, choose My Images, and click the image youwish to scan to enter its details page.

Step 3 On the Image Tags tab page, click Scan in the Operation column of the desiredimage tag.

Step 4 On the dialogue box displayed, click Scan at the upper right corner, and wait forthe scanning results.

Figure 4-15 Image security scanning results

● Vulnerability Name: the name of the vulnerability found on the image● Severity Level: how severe a vulnerability is. You can determine whether

immediate action is required for a vulnerability based on its severity level.● Software Information: version information about the software affected by

the vulnerability● Solution: solution to the vulnerability. Click the link in the Solution column to

view the solution.

----End

4.10 Adding an Image to FavoritesSWR provides rich public image resources, including official Docker images. Youcan add official Docker images to My Favorites for ease of use.



Procedure


Step 2 In the navigation pane on the left, choose Image Resources > Image Center.

Step 3 In the image list, click to add an image to favorites.

After adding the image to favorites, you can view it on My Favorites.

----End

4.11 Configure an Image AcceleratorSWR provides you with image accelerators for image pull. The accelerators can beused by configuring the daemon configuration file /etc/docker/daemon.json.

NO TICE

● Currently, image accelerators are available only for the Docker Hub imagesources outside Chinese mainland.

● Your Docker client version must be 1.11.2 or later.

Procedure


Step 2 On the navigation pane, choose Image Resources > Image Center.

Step 3 Click Image Accelerator. In the displayed dialog box, you can obtain the imageaccelerator address and details on how to configure the image accelerator.



Figure 4-16 Image accelerator

----End

4.12 Synchronizing Harbor ImagesHarbor is an open source cloud native registry that stores, signs, and scanscontainer images for vulnerabilities. For details, see https://goharbor.io/.

This section introduces how to synchronize images from Harbor to HUAWEICLOUD SWR.

Configuring and Running swr-harbor_sync_tool

Step 1 Log in to a user host. The host must have access to the Harbor registry. Run thefollowing command to download Harbor image synchronization tool:docker pull swr.cn-north-1.myhuaweicloud.com/swr/swr_harbor_sync:v4.0

Step 2 Configure Docker daemon. (Normally, the configuration file is in the /lib/systemd/system/docker.service directory.)

1. Add the following information to ExecStart in the configuration file to enablea remote Docker API that will accept requests from the swr-harbor_sync_tool:-H=tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

The line followed by the newly added information must end with a backslash(\).



https://goharbor.io/

2. Check the access protocol enabled for Harbor. When HTTP is enabled orWhen HTTPS is enabled without HTTPS certificate, add the followinginformation to ExecStart in the configuration file.--insecure-registry=#Domain name or IP address of the Harbor server#

Example:--insecure-registry=10.10.10.10

The line followed by the previous information must end with a backslash (\).

Check whether insecure-registries are contained in the /etc/docker/daemon.json file. If it exists, ensure that the IP address in insecure-registryof the /lib/systemd/system/docker.service file is the same as that in theinsecure-registries of the /etc/docker/daemon.json file.

If there are multiple insecure-registry entries in the /lib/systemd/system/docker.service file, configure them as follows:

3. Run the following command to restart the Docker service:systemctl daemon-reloadsystemctl restart docker

If the Docker service cannot be restarted, run the service docker restartcommand.

4. Verify whether the parameters take effect.

a. Run the following command to view the Docker process:ps -ef|grep docker

b. Check whether the process contains the following parameters:--insecure-registry=Domain name or IP address of the Harbor server -H=tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Example command output



If the preceding parameters are displayed, the configuration is successful.

Step 3 Configure and run swr-harbor_sync_tool.

1. Create a configuration file named app.conf in any directory and configurevariables. The template is as follows:ImageOverwrite=falseNamespaceMap=harbor_project1:swr_namespace1;harbor_project2:swr_namespace2HWAuthMethod=AKSKHWAK=XXXXXXXXXXXXXHWSK=XXXXXXXXXXXXXXXXXXXXXHWDomain=sunXXXXXXHWUser=XXXXXXHWPassword=XXXXXXXRegionName=cn-north-1HarborUser=adminHarborPassword=******HarborAddr=mango.nat300.topHarborProtocol=https

Table 4-5 Parameter description


ImageOverwrite Whether to overwrite the imagewith the same name duringautomatic image synchronization.The default value is false, whichmeans that the image with thesame name will not be overwrittenduring synchronization.

NamespaceMap Mapping between the Harborproject name and Huawei SWRorganization name.The format is harbor projectname:HUAWEI CLOUD SWRorganization name. If there aremultiple key-value pairs, separatethem by semicolons (;).Example:harbor_project1:swr_namespace1;harbor_project2:swr_namespace2




HWAuthMethod Set this parameter to either AKSK orPassword. If the value is AKSK, useHWAK and HWSK forauthentication. If the value isPassword, use HWDmain, HWUser,and HWPassword forauthentication.

HWAK HUAWEI CLOUD AK. For detailsabout how to obtain an AK, seeObtaining a Long-Term ValidDocker Login Command.

HWSK HUAWEI CLOUD SK. For detailsabout how to obtain an SK, seeObtaining a Long-Term ValidDocker Login Command.

HWDomain HUAWEI CLOUD account name.

HWUser HUAWEI CLOUD IAM username. If itis left blank, the account permissionis used by default.

HWPassword HUAWEI CLOUD account password.

RegionName Region name. An image can besynchronized to only one of thefollowing regions:– CN North-Beijing1 (cn-north-1)– CN East-Shanghai2 (cn-east-2)– CN South-Guangzhou (cn-

south-1)– AP-Hong Kong (ap-southeast-1)

HarborUser Harbor username.

HarborPassword Harbor account password.

HarborAddr Harbor domain name or IP address.

HarborProtocol Harbor protocol. Value: HTTP orHTTPS.

2. In the directory where app.conf is located, run the following command to run

a container:docker run -d --privileged=true -v /var:/var -p #Specified external access port of swr-harbor_sync_tool#:5000 --env-file=#Path of the configuration file# --restart=always #Name of newly pulled image#:#Tag of the newly pulled image#

Example:docker run -d --privileged=true -v /var/log:/var/log -p 19876:5000 --env-file=app.conf --restart=always swr.cn-north-1.myhuaweicloud.com/swr/swr_harbor_sync:v4.0



Ensure that Harbor is started. If not, run the ./install.sh command in the Harborinstallation directory.

When containers are running, container logs are stored in the /var/log/swr_harbor_sync. running.log is a service log file. projectname-running.logis a log file containing synchronization status of the corresponding Harborproject. projectname-success.log is a log file containing synchronizationsuccess of the corresponding Harbor project.If the configurations in the app.conf file are incorrect, modify theconfiguration file and stop the container that is just started. Run a newcontainer.

Step 4 Configure Harbor.

1. Add an endpoint to the notifications.endpoints section in the harbor/common/templates/registry/config.yml file. The format is as follows: - name: swr-harbor_sync_tool disabled: false url: http://10.10.10.10:19876/service/notifications timeout: 3000ms threshold: 5 backoff: 1s

Replace 10.10.10.10:19876 with the IP address of the host where swr-harbor_sync_tool is deployed (do not use 127.0.0.1) and external access portthat the service exposes on the host.Ensure that the format of the new configuration is the same as that of thedefault endpoint, as shown in the following figure. If the numbers of spacesbefore each line are different, Harbor fails to be restarted.

2. Restart Harbor.In the harbor installation directory, run the ./install.sh command to startHarbor. Run the docker ps command to check whether all harbor containersare up.



After Harbor is restarted successfully, any images that are pushed to theHarbor repository are automatically synchronized to the HUAWEI CLOUDSWR repository.

----End

Use swr-harbor_sync_tool1. After swr-harbor_sync_tool starts, it automatically synchronizes images in

Harbor repositories to HUAWEI CLOUD SWR repositories.– Procedure for automatic synchronization:

i. When you run the docker push command to push an image toHarbor, a request is automatically sent to swr-harbor_sync_tool bythe Harbor notification feature (configured endpoints of the Harborservice). The request contains the name and tag of the image pushedand project name.

ii. After receiving the notification, swr-harbor_sync_tool queries theNamespaceMap in its configuration file app.conf.○ If the target Harbor project name exists in the configuration file

and the corresponding HUAWEI CLOUD SWR organization nameis correct, 1.iii will be performed.

○ If the target Harbor project name does not exist in theconfiguration file, the image will not be synchronized.

iii. swr-harbor_sync_tool pulls from Harbor an image with the name andtag specified in the request. The pulled image will then be taggedwith corresponding HUAWEI CLOUD image tag and pushed to theHUAWEI CLOUD namespace that is specific to the region andHUAWEI CLOUD account in the configuration file app.conf.

iv. swr-harbor_sync_tool deletes the pulled image and tagged image.– After the synchronization, the name and tag of the image on HUAWEI

CLOUD should be the same as those on Harbor. If not, the causes mightbe:

i. The Harbor project name and HUAWEI CLOUD SWR organizationname required in automatic synchronization are not configured inthe configuration file.

ii. The HUAWEI CLOUD SWR organization name has been occupied byanother HUAWEI CLOUD user, in which case parameterNamespaceMap in the configuration file needs to be modified.

If the synchronization fails, check the cause in the log file in /var/log/swr_harbor_sync.

2. Manually synchronize all images in the specified Harbor project to thespecified HUAWEI CLOUD namespace.– Run the following command to make a request:

curl -X POST -H 'Projectname:## Harbor project name ##' -H 'Namespace:## HUAWEI CLOUD SWR organization name ##' -H 'HarborUser:## Harbor username ##' -H 'HarborPassword:##Harbor account password ##' -H 'HWAuthMethod:## HUAWEI CLOUD authentication mode ##' -H 'HWAK:##HUAWEI CLOUD AK##' -H 'HWSK:##HUAWEI CLOUD SK##' -H 'HWDomain:## HUAWEI CLOUD account name ##' -H 'HWUser:# HUAWEI CLOUD username #' -H 'HWPassword:## HUAWEI CLOUD account password ##' -H 'RegionName:##HUAWEI CLOUD Region name ##' -H 'ImageOverwrite:## Whether to overwrite images with identical names. Value: true or false##' http://##IP address of the host



where swr-harbor_sync_tool is located##:## Port where swr-harbor_sync_tool is located ##/service/synchronization/namespace

– Example:curl -X POST -H 'Projectname:harbor_project_name' -H 'Namespace:huaweicloud_namespace_name' -H 'HarborUser:harbor_user' -H 'HarborPassword:harbor_password' -H 'HWAuthMethod:huawei_auth_method' -H 'HWAK:huawei_ak' -H 'HWSK:huawei_sk' -H 'HWDomain:huaweicloud_domain_name' -H 'HWUser:huaweicloud_user_name' -H 'HWPassword:huaweicloud_password' -H 'RegionName:cn-north-1' -H 'ImageOverwrite:false' http://127.0.0.1:19876/service/synchronization/namespace

i. After receiving the request, swr-harbor_sync_tool checks whether theHarbor project is a public project.

○ For a public project, the swr-harbor_sync_tool does notauthenticate the Harbor username or password.

○ For a private project, the swr-harbor_sync_tool authenticates theHarbor username and password (harbor_user:harbor_password).

ii. If the value of HWAuthMethod is AKSK, HWAK and HWSK will beused for authentication. If the value of HWAuthMethod is Passwordand the value of HWUser is left blank, authenticate the HUAWEICLOUD account and password (abcXXX:xyzXXX). If the value ofHWAuthMethod is Password and the value of HWUser is not leftblank, authenticate the HUAWEI CLOUD account, username, anduser password (abcXXX:bbbXXX:xyzXXX). In addition, check whetherthe RegionName and Namespace are available.

If all the information is correct, swr-harbor_sync_tool synchronizes allthe images in the library project of Harbor to the namespace(domain_library) in the image repository of the cn-north-1 region. Ifthe value of ImageOverwrite is false, the original image will not beoverwritten.

The request IP address is 127.0.0.1, because the request instance is runningon the host where swr-harbor_sync_tool is deployed.

Common Exceptions1. The Harbor project name is incorrect.

2. The HUAWEI CLOUD SWR organization name has been occupied by otherHUAWEI CLOUD users. When using automatic image synchronization, modifyparameter NamespaceMap in the configuration file. When synchronizingimages manually, specify the value of parameter Namespace again.

3. The HUAWEI CLOUD account name, username, or password is incorrect.

4. The HUAWEI CLOUD region name is incorrect.

5. The Harbor account or password is incorrect.

6. The host where swr-harbor_sync_tool is running cannot access Harbor or SWRdue to network disconnection.

If the synchronization fails, check the cause in projectname-running.log of thecorresponding project in /var/log/swr_harbor_sync. If no errors are found, checkwhether configurations made in Step 1 and 3 in Configuring and Running swr-harbor_sync_tool are correct.



5 Organization Management

Organizations are used to isolate image repositories. With each organization beinglimited to one company or department, images can be managed in a centralizedand efficient manner. An image name only needs to be unique within anorganization. The same IAM user can access different organizations as long as theIAM user has sufficient permissions. You can grant different permissions, namely,read, write, and manage, to IAM users in the same account. For details, see UserPermissions.

Figure 5-1 Organization

Software Repository for ContainerUser Guide 5 Organization Management


Creating an OrganizationYou can create organizations based on the organizational structure of yourenterprise to facilitate image resource management. Create an organizationbefore pushing an image.


Step 2 In the navigation pane, choose Organization Management and then click CreateOrganization. On the page that is displayed, specify Organization Name andclick OK.

Figure 5-2 Creating an organization

----End

Viewing the Images of an OrganizationAfter creating an organization and pushing images into it, you can view the imagelist of the organization.


Step 2 In the navigation pane, choose Organization Management. On the pagedisplayed, click the desired organization in the list.

Step 3 To view the images of this organization, click the Images tab.



Figure 5-3 Viewing the images of an organization

----End



6 User Permissions

If you have the administrator permission of SWR, skip this chapter. For details ongranting permissions, see Creating a User and Granting SWR Permissions.

You can add permissions to IAM users in SWR by using either of the followingmethods:

● Grant permissions on an image details page to allow IAM users to read,write, and manage a specific image.

● Grant permissions on an organization details page to allow IAM users toread, write, and manage all the images in an organization.

Figure 6-1 User permissions

● Read: Users can only pull images.● Write: Users can pull and push images, add triggers, and edit image

attributes.

Software Repository for ContainerUser Guide 6 User Permissions


● Manage: Users can pull and push images, delete images or tags, edit imageattributes, grant permissions, add triggers, and share images with other users.

Uploading images on the SWR console requires the write or manage permission for theorganization to which images are uploaded. Write and manage permissions added onimage details pages do not enable users to upload images.

Granting Permissions for a Specific ImageTo allow IAM users of your account to read, write, and manage a specific image,add corresponding permissions to them on the details page of this image.



Step 3 On the image details page, click the Permissions tab.

Figure 6-2 Permissions management

Step 4 Click Add Permission. On the page displayed, click Read, Write, or Manage in therow of the desired IAM username. Click OK to confirm.



Figure 6-3 Granting permissions for a specific image

----End

Modifying or Deleting Permissions for a Specific ImageYou can also modify or delete user permissions on the image details page.

● To modify permissions, click Modify at the row of the desired username onthe Permissions tab page. Select a permission in the drop-down list ofPermission, and click Save in the Operation column.

Figure 6-4 Modifying permissions for a specific image

● To delete permissions, click Delete in the row of the desired username on thePermissions tab page. In the dialog box displayed, enter DELETE as promptedand click Yes.



Figure 6-5 Deleting permissions for a specific image

Granting Permissions for an OrganizationTo allow IAM users of your account to read, write, and manage a specific image,add corresponding permissions to them on the details page of this image.

Only accounts and IAM users with the Manage permission can add permissionsfor other users.


Step 2 In the navigation pane, choose Organization Management. Then click

in the row of the desired organization.

Step 3 On the Users tab page, click Add Permission. In the dialog box displayed, selectpermissions for the IAM user and click OK.

Figure 6-6 Adding permissions for an organization

----End

Modifying or Deleting Permissions for an OrganizationYou can also modify and delete user permissions of an organization.



● To modify permissions, click Modify in the row of the desired username onthe Users tab page. Select a permission in the drop-down list of Permission,and click Save in the Operation column.

Figure 6-7 Modifying permissions for an organization

● To delete permissions, click Delete in the row of the desired username on theUsers tab page. In the dialog box displayed, enter DELETE as prompted andclick Yes.

Figure 6-8 Deleting permissions for an organization



7 Auditing

7.1 SWR Operations Supported by CTSCloud Trace Service (CTS) records operations on cloud service resources, allowingyou to query, audit, and backtrack the resource operation requests initiated fromthe management console or open APIs as well as responses to the requests.

Table 7-1 SWR operations that can be recorded by CTS

Operation Resource Type Trace Name

Granting permissionsfor an organization

usernamespaceauth createUserNamespaceAuth

Modifyingpermissions for anorganization

usernamespaceauth updateUserNamespaceAuth

Deleting permissionsfor an organization

usernamespaceauth deleteUserNamespaceAuth

Creating a softwarepackage

package createPackage

Modifying a softwarepackage

package updatePackage

Deleting a softwarepackage

package deletePackage

Creating a repository repository createRepository

Modifying arepository

repository updateRepository

Deleting a repository repository deleteRepository

Creating a version version createVersion

Software Repository for ContainerUser Guide 7 Auditing



Modify a version version updateVersion

Deleting a version version deleteVersion

Uploading an imagepackage

image uploadImagePackage

Uploading a file file uploadFile

Downloading a file file downloadFile

Deleting a file file deleteFile

Creating anorganization

usernamespace createUserNamespace

Deleting anorganization

usernamespace deleteUserNamesapce

Adding an image tofavorites

usercollections createUserCollections

Removing an imagefrom favorites

usercollections deleteUserCollections

Creating a trigger trigger createTrigger

Modifying a trigger trigger updateTrigger

Deleting a trigger trigger deleteTrigger

Granting permissionsfor an imagerepository

userrepositoryauth createUserRepositoryAuth

Modifyingpermissions for animage repository

userrepositoryauth updateUserRepositoryAuth

Deleting permissionsfor an imagerepository

userrepositoryauth deleteUserRepositoryAuth

Creating an imagerepository

imagerepository createImageRepository

Modifying an imagerepository

imagerepository updateImageRepository

Deleting an imagerepository

imagerepository deleteImageRepository

Deleting an imagetag

imagetag deleteImageTag

Generating a logincommand

dockerlogincmd createDockerConfig




Creating a sharedimage

imagerepositoryaccess-domain

createImageRepositoryAccess-Domain

Modifying a sharedimage


updateImageRepositoryAc-cessDomain

Deleting a sharedimage


deleteImageRepositoryAccess-Domain

7.2 Viewing Logs in CTS

ScenariosAfter you enable CTS, the system starts recording operations on SWR resources.CTS stores operation records for the last seven days.

Procedure

Step 1 Log in to the console.

Step 2 Click in the upper left corner and select a region.

Step 3 Click Service List, and choose Management & Deployment > Cloud TraceService.

Step 4 In the navigation pane, choose Trace List.

Step 5 On the Trace List page, query traces based on the search criteria. The trace listsupports four filter types:● Trace Type: The options are Management and Data.● Trace Source, Resource Type, and Search By

Select the search criteria from the drop-down lists. Select SWR from the TraceSource drop-down list.If you select Trace name from the Search By drop-down list, specify the tracename.If you select Resource ID from the Search By drop-down list, select or enter aspecific resource ID.If you select Resource name from the Search By drop-down list, select orenter a specific resource name.

● Operator: Select a specific operator at user level rather than account level.● Trace Status: Select All trace statuses, normal, warning, or incident.

Step 6 On the left of the target record, click to view details.

Step 7 Click View Trace in the Operation column. In the dialog box, the trace structuredetails are displayed.

----End



user guide - huawei cloud3 docker basics docker is an open-source engine which allows you to create...

Documents