The page has been translated by Gen AI.

Container Registry Migration

Container Registry Migration

Overview

  • This document provides the procedures and tasks for using Skopeo to migrate container images located in the SCP (Samsung Cloud Platform) Container Registry to SCP V2.
  • Skopeo is a CLI tool that can copy container images directly between container registries without downloading them.

Constraints

  • Skopeo copies only the container image itself and does not include associated metadata or build history.
  • For a Container Registry that requires authentication, login credentials or an authentication token must be obtained in advance.
  • Configuration is required to allow access to the registry that will be the replication target.
  • A large number of images can affect copy speed.

Preliminary work

  • Bastion host required for Skopeo operations (OS: Ubuntu 24.04 / vCPU: 2 Cores, Memory: 4 GB recommended)

  • Install Skopeo

    sudo apt-get install skopeo

  • Firewall/Security Group

    • Enable communication of the connection/authentication path so that the Bastion Host can access the Container Registry of SCP/SCP v2 (port 443).

  • Issuing an authentication key for source/target Registry access

    • SCP v2 environment
      • The Object storage of SCP v2 can be used by issuing an access key to a user with access permissions.
        1. Click the All Services > Management > IAM menu.
        2. My Info. 2. Click the menu and then click the Authentication Key Management tab.
        3. Modify the Security settings to use the authentication key.
        4. Click the Update button of Security settings.
        5. In the Edit security settings screen, select Auth key for the Authentication method item.
        6. Click the OK button to save.
          • Using IP access control, you can restrict the IPs that can use the authentication key.
          • If set to Enable, you must include the IP addresses of the V1 SKE worker nodes and the V2 SKE worker nodes.
        7. On the Authentication key management tab screen, click the Create auth key button.
        8. Check Permanent for the Expiration period, and enter an appropriate phrase for Purpose.
        9. Click the OK button to create.
        10. Click the generated authentication key to check the access key and secret key.
        11. Click the View button of the Auth key.
        12. Enter the console account password, then click the OK button.
        13. Copy the Access key and Secret key, then record them in a notepad or similar.
    • SCP environment
      • In the SCP environment, you can view the accesskey and secretkey in the user information settings in a similar way.

  • Access control registration

    • To access the Registry in SCP and SCP v2 environments, you must register a Bastion Host in the access control of the Registry details.
    • If you access the v1→ v2 or v1 ← v2 Registry using a VPC Endpoint, add a resource that allows private access > you must add the corresponding VPC Endpoint in the VPC Endpoint.

Container Registry Migration Procedure

1. Create file for authentication: Registry access

  • Configure the auth.json file to access SCP SCR and SCP v2 SCR.
v1_registry='<v1 registry URL>'
v1_accesskey='<v1 accesskey>'
v1_secretkey='<v1 secretkey>'
v1_auth_b64=$(printf '%s:%s' "$v1_accesskey" "$v1_secretkey" | base64 -w 0)

v2_registry='<v2 registry URL>'
v2_accesskey='<v2 accesskey>'
v2_secretkey='<v2 secretkey>'
v2_auth_b64=$(printf '%s:%s' "$v2_accesskey" "$v2_secretkey" | base64 -w 0)

cat <<EOF > auth.json
{
  "auths": {
    "$v1_registry": {
      "auth": "$v1_auth_b64"
    },
    "$v2_registry": {
      "auth": "$v2_auth_b64"
    }
  }
}
EOF
* Registry URL, accesskey와 secretkey를 실제 값으로 변경 후 사용

2. Login verification

skopeo login <v1 registry URL> --authfile auth.json
skopeo login <v2 registry URL> --authfile auth.json

3. Image information lookup

skopeo inspect docker://<Source Registry 주소>/<Source Image 명> --authfile auth.json
* SCP v2환경에서는 <Registry 주소>/<Repository 명>/<Image 명>을 사용함

4. Execute image copy command

skopeo copy docker://<Source Registry 주소>/<Source Image 명>:<Source Tag 명> docker://<Target Registry 주소>/<Target Image 명>:<Target Tag 명> --authfile auth.json

Note

Format typesExplanation
container-storage:Local container image registry used by podman, cri‑o, buildah, and others.
docker://Docker registry
dir:local directory
docker-archive:Image files created with docker save, etc.
docker-daemon:Image stored in the Docker daemon
oci:OCI
oci-archive:OCI file

5. Check image

skopeo inspect docker://<Target Registry 주소>/<Target Image 명>:<Target Tag 명> --authfile auth.json