container-registries

Store, manage, and distribute container images across cloud and self-hosted registries.

Install skill "container-registries" with this command: npx skills add bagelhole/devops-security-agent-skills/bagelhole-devops-security-agent-skills-container-registries

Container Registries

When to Use This Skill

Use this skill when:

  • Pushing and pulling container images

  • Configuring registry authentication

  • Setting up image retention policies

  • Managing private container registries

  • Implementing image scanning and security

Prerequisites

  • Docker or Podman installed

  • Cloud CLI tools (AWS CLI, az, gcloud) for respective registries

  • Appropriate IAM permissions

Docker Hub

Authentication

Login

docker login

Login with token

echo "$DOCKER_TOKEN" | docker login -u username --password-stdin

Push/Pull Images

Tag image

docker tag myapp:latest username/myapp:latest

Push

docker push username/myapp:latest

Pull

docker pull username/myapp:latest

Automated Builds

Configure in Docker Hub UI:

  • Connect GitHub/Bitbucket repository

  • Set build rules (branch → tag mapping)

  • Configure build context and Dockerfile path

Amazon ECR

Setup

Create repository

aws ecr create-repository \
  --repository-name myapp \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration encryptionType=AES256

Get registry URI

REGISTRY=$(aws ecr describe-repositories \
  --repository-names myapp \
  --query 'repositories[0].repositoryUri' \
  --output text | cut -d'/' -f1)

Authentication

Login (Docker)

aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin "$REGISTRY"

Login with credential helper

Add to ~/.docker/config.json:

{ "credHelpers": { "123456789.dkr.ecr.us-east-1.amazonaws.com": "ecr-login" } }

Push/Pull

Tag and push

docker tag myapp:latest "$REGISTRY/myapp:latest"
docker push "$REGISTRY/myapp:latest"

Pull

docker pull "$REGISTRY/myapp:latest"

Lifecycle Policy

Create lifecycle policy

aws ecr put-lifecycle-policy \
  --repository-name myapp \
  --lifecycle-policy-text '{
    "rules": [
      {
        "rulePriority": 1,
        "description": "Keep last 10 images",
        "selection": {
          "tagStatus": "any",
          "countType": "imageCountMoreThan",
          "countNumber": 10
        },
        "action": { "type": "expire" }
      }
    ]
  }'

Repository Policy

Allow cross-account access

aws ecr set-repository-policy \
  --repository-name myapp \
  --policy-text '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CrossAccountPull",
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::OTHER_ACCOUNT:root" },
        "Action": [
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage"
        ]
      }
    ]
  }'

Azure Container Registry (ACR)

Setup

Create registry

az acr create \
  --resource-group mygroup \
  --name myregistry \
  --sku Standard \
  --admin-enabled false

Get login server

az acr show --name myregistry --query loginServer -o tsv

Authentication

Login with Azure CLI

az acr login --name myregistry

Login with service principal

echo "$SP_PASSWORD" | docker login myregistry.azurecr.io \
  -u "$SP_APP_ID" \
  --password-stdin

Get access token

az acr login --name myregistry --expose-token

Push/Pull

Tag and push

docker tag myapp:latest myregistry.azurecr.io/myapp:latest
docker push myregistry.azurecr.io/myapp:latest

ACR Build (build in cloud)

az acr build \
  --registry myregistry \
  --image myapp:latest \
  --file Dockerfile .

Retention Policy

Enable retention policy

az acr config retention update \
  --registry myregistry \
  --status enabled \
  --days 30 \
  --type UntaggedManifests

Geo-Replication

Enable replication

az acr replication create \
  --registry myregistry \
  --location westeurope

List replications

az acr replication list --registry myregistry

Google Container Registry (GCR) / Artifact Registry

Setup (Artifact Registry)

Create repository

gcloud artifacts repositories create myrepo \
  --repository-format=docker \
  --location=us-central1 \
  --description="Docker repository"

Authentication

Configure Docker auth

gcloud auth configure-docker us-central1-docker.pkg.dev

Or log in with a short-lived access token

gcloud auth print-access-token | \
  docker login -u oauth2accesstoken --password-stdin \
  https://us-central1-docker.pkg.dev

Push/Pull

Tag for Artifact Registry

docker tag myapp:latest \
  us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

Push

docker push us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

Pull

docker pull us-central1-docker.pkg.dev/PROJECT_ID/myrepo/myapp:latest

Cleanup Policy

Create cleanup policy

gcloud artifacts repositories set-cleanup-policies myrepo \
  --location=us-central1 \
  --policy=policy.json

policy.json (the file is a JSON list; several policies can be combined in one file)

[
  {
    "name": "delete-old",
    "action": { "type": "Delete" },
    "condition": {
      "olderThan": "30d",
      "tagState": "untagged"
    }
  }
]

GitHub Container Registry (GHCR)

Authentication

Login with PAT

echo "$GITHUB_TOKEN" | docker login ghcr.io -u USERNAME --password-stdin

Push/Pull

Tag

docker tag myapp:latest ghcr.io/OWNER/myapp:latest

Push

docker push ghcr.io/OWNER/myapp:latest

Pull

docker pull ghcr.io/OWNER/myapp:latest

Visibility Settings

Configure in GitHub:

  • Go to package settings

  • Change visibility (public/private)

  • Manage access for teams/users

Self-Hosted Registry

Deploy with Docker

Run registry

docker run -d -p 5000:5000 \
  --name registry \
  -v registry-data:/var/lib/registry \
  registry:2

Configure TLS

docker run -d -p 443:5000 \
  --name registry \
  -v /certs:/certs \
  -v registry-data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

Harbor Registry

Download Harbor

wget https://github.com/goharbor/harbor/releases/download/v2.9.0/harbor-online-installer-v2.9.0.tgz
tar xzvf harbor-online-installer-v2.9.0.tgz

Configure harbor.yml

Set the hostname, the HTTPS certificate and key paths, and the initial admin password

Install

./install.sh --with-trivy --with-chartmuseum

Image Security

Vulnerability Scanning

ECR - Enable scan on push

aws ecr put-image-scanning-configuration \
  --repository-name myapp \
  --image-scanning-configuration scanOnPush=true

Get scan results

aws ecr describe-image-scan-findings \
  --repository-name myapp \
  --image-id imageTag=latest

ACR - Scan with Defender

az acr task create \
  --registry myregistry \
  --name scan-images \
  --cmd "mcr.microsoft.com/azure-cli az acr run-scan"

Image Signing

Enable content trust

export DOCKER_CONTENT_TRUST=1

Sign image on push

docker push myregistry/myapp:latest

Verify signature

docker trust inspect myregistry/myapp:latest

Common Issues

Issue: Authentication Expired

Problem: Push/pull fails with an auth error
Solution: Re-run the login command; check the credential helper configuration

Issue: Image Not Found

Problem: Pull fails with "manifest unknown"
Solution: Verify the tag exists; check the registry URL

Issue: Push Permission Denied

Problem: Cannot push to the repository
Solution: Check IAM permissions; verify the repository exists

Issue: Rate Limiting (Docker Hub)

Problem: "Too many requests" error
Solution: Authenticate for higher limits; use a pull-through cache

Best Practices

  • Enable vulnerability scanning on all repositories

  • Implement lifecycle policies to manage storage costs

  • Use immutable tags for production images

  • Configure cross-region replication for availability

  • Use service accounts/principals for CI/CD authentication

  • Enable audit logging for compliance

  • Implement image signing for supply chain security

  • Use pull-through cache to avoid rate limits
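The "immutable tags" and "Image Not Found" points above both come down to how an image reference is resolved. As an added example (not part of this skill or any of the tools it lists), the POSIX shell below normalises a reference the way Docker does (docker.io by default, library/ for official images, implicit :latest) and then gates it on a registry allowlist and a sha256 digest pin, which is the check a CI job can run before a push or deploy. Registry hostnames, repository names and the digest are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the skill: normalise an image reference, then
# require an allowlisted registry and a digest pin before use.
# All hostnames, repositories and digests here are constructed placeholders.

# parse_image_ref REF
# Sets registry/rest/tag/digest and prints "registry|repository|tag|digest".
parse_image_ref() {
  ref=$1; digest=""; tag=""
  # Anything after the first '@' is a content digest
  case $ref in *@*) digest=${ref#*@}; ref=${ref%%@*} ;; esac
  # The first path component is a registry only if it looks like a host
  # ('.' or ':' in it, or 'localhost'); otherwise it is a Docker Hub namespace
  first=${ref%%/*}
  registry=docker.io; rest=$ref
  if [ "$first" != "$ref" ]; then
    case $first in *.*|*:*|localhost) registry=$first; rest=${ref#*/} ;; esac
  fi
  # A tag is the part after ':' in the last path component (never in the host)
  last=${rest##*/}
  case $last in *:*) tag=${last##*:}; rest=${rest%:*} ;; esac
  # Official Docker Hub images live under library/
  if [ "$registry" = docker.io ]; then
    case $rest in */*) ;; *) rest=library/$rest ;; esac
  fi
  # Without a tag or digest, Docker resolves :latest
  if [ -z "$tag" ] && [ -z "$digest" ]; then tag=latest; fi
  printf '%s|%s|%s|%s\n' "$registry" "$rest" "$tag" "$digest"
}

# check_image_ref REF ALLOWED_REGISTRY...
# Returns 0 if allowed and digest-pinned, 1 if the registry is not
# allowlisted, 2 if the reference is only tagged (mutable) or malformed.
check_image_ref() {
  img=$1; shift
  parse_image_ref "$img" >/dev/null
  allowed=1
  for a in "$@"; do if [ "$a" = "$registry" ]; then allowed=0; fi; done
  if [ "$allowed" -ne 0 ]; then
    echo "DENY  $img: registry $registry not allowlisted"; return 1
  fi
  # A pinned reference carries "sha256:" plus 64 hex characters (71 total)
  if [ "${#digest}" -ne 71 ] || [ "${digest%%:*}" != sha256 ]; then
    echo "DENY  $img: not pinned by a sha256 digest (tag=${tag:-none})"; return 2
  fi
  echo "ALLOW $img -> $registry/$rest@$digest"
}

# Constructed demo using registries from this skill; only the pinned GHCR ref passes
DEMO_DIGEST="sha256:$(printf '%064d' 0)"
ALLOWED="docker.io ghcr.io 123456789.dkr.ecr.us-east-1.amazonaws.com"
for img in nginx username/myapp:latest myregistry.azurecr.io/myapp:latest \
  "ghcr.io/OWNER/myapp@$DEMO_DIGEST"; do
  check_image_ref "$img" $ALLOWED || true
done
```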

Related Skills

  • docker-management - Building images

  • container-scanning - Security scanning

  • aws-iam - AWS permissions
