When you decide to start using Docker Trusted Registry in a production setting, you should configure it for high availability.
The next step is creating a backup policy and disaster recovery plan.
Docker Trusted Registry persists:
This data is persisted on the host where DTR is running, using named volumes. Learn more about DTR named volumes.
DTR also persists Docker images on the filesystem of the host running DTR, or on a cloud provider, depending on the way DTR is configured.
To perform a backup of a DTR node, use the backup command. This command creates a backup of DTR:
These files are added to a tar archive, and the result is streamed to stdout.
The backup command does not create a backup of Docker images. You should implement a separate backup policy for the Docker images, taking into consideration whether your DTR installation is configured to store images on the filesystem or using a cloud provider.
The backup command also doesn’t create a backup of the users and organizations. That data is managed by UCP, so when you create a UCP backup you’re creating a backup of the users and organizations metadata.
When creating a backup, the resulting .tar file contains sensitive information like private keys. You should ensure the backups are stored securely.
You can check the reference documentation for the backup command to learn about all the available flags.
As an example, to create a backup of a DTR node, you can use:
$ docker run -i --rm docker/dtr backup \
--ucp-url <ucp-url> \
--ucp-insecure-tls \
--existing-replica-id <replica-id> \
--ucp-username <ucp-admin> \
--ucp-password <ucp-password> > /tmp/backup.tar
Where:
--ucp-url is the address of UCP,
--ucp-insecure-tls tells the command to trust the UCP TLS certificate without verifying it,
--existing-replica-id is the id of the replica to back up,
--ucp-username and --ucp-password are the credentials of a UCP administrator.
To validate that the backup was correctly performed, you can print the contents of the tar file created:
$ tar -tf /tmp/backup.tar
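Because the archive contains private keys and the command above writes it to /tmp, the following added example (not part of the DTR documentation) receives the backup stream on stdin, stores it with owner-only permissions, rejects empty or unreadable archives, and records a SHA-256 checksum to check before a restore. The function names, the directory /var/backups/dtr and the file naming are assumptions.

```shell
# Added example. Usage (directory and file name are assumed, not DTR defaults):
#   docker run -i --rm docker/dtr backup <flags> | \
#       save_dtr_backup /var/backups/dtr "dtr-$(date +%Y%m%d).tar"
#   verify_dtr_backup /var/backups/dtr/dtr-<date>.tar && \
#       docker run -i --rm docker/dtr restore <flags> < /var/backups/dtr/dtr-<date>.tar

# save_dtr_backup <dedicated-dir> <file-name>
# Reads the backup tar stream from stdin. Runs in a subshell so the umask
# and variables do not leak into the calling shell.
save_dtr_backup() (
    umask 077                                   # new files: owner read/write only
    mkdir -p "$1" && chmod 700 "$1" || exit 1   # directory reserved for backups
    tmp=$(mktemp "$1/.partial.XXXXXX") || exit 1
    cat > "$tmp"
    # A failed `docker run` leaves an empty file, an error message, or a
    # truncated archive; none of these may be kept as a backup.
    if [ ! -s "$tmp" ] || ! tar -tf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        exit 1
    fi
    mv "$tmp" "$1/$2" || exit 1
    # Checksum stored next to the archive, with a relative file name so the
    # pair can be moved together to other storage.
    cd "$1" && sha256sum "$2" > "$2.sha256"
)

# verify_dtr_backup <path-to-archive>
# Succeeds only if the checksum still matches and the archive still lists.
verify_dtr_backup() (
    cd "$(dirname "$1")" || exit 1
    name=$(basename "$1")
    sha256sum -c "$name.sha256" >/dev/null 2>&1 &&
        tar -tf "$name" >/dev/null 2>&1
)
```

The checksum detects corruption or accidental modification only; anyone who can write to the directory can replace both files, so access to the storage location still has to be restricted.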
You can restore a DTR node from a backup using the restore command.
This command performs a fresh installation of DTR, and reconfigures it with the configuration created during a backup.
The command starts by installing DTR, restores the configurations stored on etcd, and then restores the repository metadata stored on RethinkDB. You can use the --config-only option to only restore the configurations stored on etcd.
This command does not restore Docker images. You should implement a separate restore procedure for the Docker images stored in your registry, taking into consideration whether your DTR installation is configured to store images on the filesystem or using a cloud provider.
You can check the reference documentation for the restore command to learn about all the available flags.
As an example, to install DTR on the host and restore its state from an existing backup:
# Install and restore configurations from an existing backup
$ docker run -i --rm \
docker/dtr restore \
--ucp-url <ucp-url> \
--ucp-insecure-tls \
--ucp-username <ucp-admin> \
--ucp-password <ucp-password> \
--dtr-external-url <dtr-url> < /tmp/backup.tar
Where:
--ucp-url is the address of UCP,
--ucp-insecure-tls tells the command to trust the UCP TLS certificate without verifying it,
--ucp-username and --ucp-password are the credentials of a UCP administrator,
--dtr-external-url is the domain name or IP where DTR can be reached.