They play an essential role in any successful container management strategy. They make it easier for your developers to store, manage and deploy container images. And they integrate seamlessly into your Continuous Integration (CI) and Continuous Delivery (CD) workflows.
Container registries are a centralized point for pushing and pulling your images. They provide reliable, consistent and efficient access to your container images and a range of other built-in features.
In this guide, you’ll learn about the different types of container registry, important housekeeping steps to maintaining your own registry and registry features that help ensure image security and integrity.
What Is a Container Registry?
A container registry is a catalog of storage locations where you can push and pull container images.
However, the actual physical locations where images are stored are known as repositories. Each repository stores a collection of related images with the same name.
Each image within a repository represents a different version of the same container deployment. For example, on popular container registry Docker Hub, nginx is the name of the repository that contains different versions of the Docker image for open-source web server installation NGINX.
A specific image is identified by either its tag or its own unique reference.
The three main types of container registry are as follows.
Docker’s own official image resource is a quick and easy starting point for those who are new to container registries.
It provides access to more than 100,000 off-the-shelf images, shared by software vendors, open-source projects and Docker’s community of users. These include a wide variety of operating systems, application frameworks, database management systems and DevOps tools for immediate deployment or use as your own parent images.
As well as free access to its publicly available repositories, Docker Hub also offers a paid container registry service for your own private use.
A self-hosted registry is a more advanced solution for organizations that prefer to host their container images on their own on-premises infrastructure— typically because of security, compliance or lower latency requirements.
The self-hosted model gives you complete control over how you manage your images. However, to run your own self-hosted registry, you’ll need to implement a registry server solution, such as Docker Trusted Registry, Harbor and Portus, requiring complex setup and ongoing operational management.
Third-Party Registry Services
Third-party registry services are fully managed offerings that also give you control over how you manage your images—but without the operational headache of running your own on-premises registry.
What’s more, they offer more advanced features, which can help keep your image inventory secure.
Third-party registry services include Amazon ECR , Azure Container Registry and Google Container Registry, which are geared towards the public cloud, and hybrid-cloud solutions such as GitLab Container Registry and JFrog’s own container registry service.
Container images are made up of a series of intermediate images, known as layers, which package up all installations, dependencies, processes and application code required to configure a fully operational container environment.
Container registries make efficient use of storage space by sharing any layers that are common to more than one image.
Nevertheless, your registry can quickly grow out of control as it accumulates an unmanageable number of images you no longer need.
These often include test images, which developers have forgotten to remove, and also orphan images—container images that have been untagged as a result of pushing a modified image to the same repository with the same tag.
So, to keep your registry down to a manageable size, you should periodically clean up your images.
You can typically delete an individual image by specifying its tag, its timestamp or the image’s own unique reference, known as a digest. Alternatively, you can delete an entire repository.
When you delete an image, your registry server purges all layers that are unique to that image and all tags that reference it.
Unique Checksum Referencing
In addition to the layers that make up an image build, each container image includes a manifest. This is essentially a description of the image in JSON format, comprising information about that image, such as tags and details on how to configure the container for different types of host platform.
The digest for a container image is simply a SHA-256 hash of its manifest. This ensures every image has a unique reference. So if someone tampers with your image, even if they use the same image tag, the digest will change.
Consequently, if you pull images by digest, you can guarantee the same version of the image and avoid potential security issues.
A Docker Hub listing for the Alpine latest tag, showing the abbreviated digest for each image
With a public registry, such as Docker Hub, you have to put your trust in image publishers who may not maintain high standards of security. As a result, images could contain malicious or outdated code. Not only that, but such registries support only basic security tools.
Third-party registry services, on the other hand, tend to offer a wide range of built-in capabilities, which can help keep your images secure.
These typically include:
- Image scanning to identify compromises and unpatched vulnerabilities.
- Strict governance, such as role-based access control (RBAC) and compliance monitoring.
- Digital signing, image authentication and other tamper-protection features.
- Segregated registries for use in development, test and production.
Similar tools are also available for use on self-hosted registries, but generally require installation of external software solutions.