The page has been translated by Gen AI.

Container Registry Migration

Container Registry Migration

Overview

  • Guide the procedures and tasks for using Skopeo to migrate Container Images located in SCP (Samsung Cloud Platform)’s Container Registry to SCP V2.
  • Skopeo is a CLI tool that can directly copy container images between container registries without downloading them.

Constraints

  • Skopeo only copies the container image itself, and does not include associated metadata or build history.
  • For Container Registries that require authentication, login credentials or an authentication token are required in advance.
  • Settings are required to allow access to the registry that is the target of replication.
  • If the image is large in quantity, it may affect copy speed.

Pre-work

  • Bastion Host for Skopeo operation (OS:Ubuntu 24.04 / vCPU:2Cores, Memory: 4GB recommended) required

  • Skopeo install

    sudo apt-get install skopeo

  • Firewall/Security Group

    • Make the connection/authentication path communication possible (443 Port) so that the Bastion Host can access the SCP/SCP v2 Container Regstry.

  • Issue authentication key for accessing source/target Registry

    • SCP v2 environment
      • SCP v2’s Object storage can be used by issuing an access key to a user with access permissions.
        1. All Services > Management > IAM Click the menu.
        2. My Info. Click the menu and click the Authentication Key Management tab.
        3. Modify the Security settings to use the authentication key.
        4. Click the Update button of Security settings.
        5. In the Edit security settings screen, select Auth key for the Authentication method item.
        6. Click the OK button to save.
          • If you use IP access control, you can restrict the IPs that can use the authentication key.

  • If set to Enable, you must include the IP addresses of V1 SKE’s worker nodes and V2 SKE’s worker nodes. 7. Authentication key management on the tab screen, click the Create auth key button. 8. Check Permanent for Expiration period, and enter an appropriate phrase for Purpose. 9. Click the OK button to create. 10. Click the generated authentication key to verify the access key and secret key. 11. Click the View button of the Auth key. 12. Enter the console account password and then click the OK button. 13. Copy the Access key and Secret key, then record them in a notepad, etc.

    • SCP environment
      • In the SCP environment, you can check the accesskey and secretkey in a similar way in the user information settings.

  • Access control registration

    • To access the Registry of SCP and SCP v2 environments, you need to register a Bastion Host in the access control of the Registry details. v1→ v2 or v1 ← v2 Registry when accessing using a VPC Endpoint, add a resource that allows private access > you must add the corresponding VPC Endpoint in the VPC Endpoint.

Container Registry Migration Procedure

1. Creating files for authentication: for Registry access

  • Configure the auth.json file to access SCP SCR and SCP v2 SCR.
v1_registry='<v1 registry URL>'
v1_accesskey='<v1 accesskey>'
v1_secretkey='<v1 secretkey>'
v1_auth_b64=$(printf '%s:%s' "$v1_accesskey" "$v1_secretkey" | base64 -w 0)

v2_registry='<v2 registry URL>'
v2_accesskey='<v2 accesskey>'
v2_secretkey='<v2 secretkey>'
v2_auth_b64=$(printf '%s:%s' "$v2_accesskey" "$v2_secretkey" | base64 -w 0)

cat <<EOF > auth.json
{
  "auths": {
    "$v1_registry": {
      "auth": "$v1_auth_b64"
    },
    "$v2_registry": {
      "auth": "$v2_auth_b64"
    }
  }
}
EOF
* Registry URL, change accesskey and secretkey to actual values before use

2. Login verification

skopeo login <v1 registry URL> --authfile auth.json
skopeo login <v2 registry URL> --authfile auth.json

3. Image Information Retrieval

skopeo inspect docker://<Source Registry address>/<Source Image name> --authfile auth.json
* In SCP v2 environment, use <Registry address>/<Repository name>/<Image name>

4. Image Copy Command Execution

skopeo copy docker://<Source Registry address>/<Source Image name>:<Source Tag name> docker://<Target Registry address>/<Target Image name>:<Target Tag name> --authfile auth.json

Note

Format TypeDescription
container-storage:local container image storage used by podman, cri-o, buildah, etc.
docker://Docker registry
dir:Local directory
docker-archive:image file created with docker save, etc.
docker-daemon:image stored inside the docker daemon
oci:OCI
oci-archive:OCI file

5. Image Check

skopeo inspect docker://<Target Registry address>/<Target Image name>:<Target Tag name> --authfile auth.json