An Overview of Various Docker Registries

Docker registries are collections of versioned repositories where users can upload and share Docker images. Apart from well-known public registries like Docker Hub, there are other, lesser-known registries, some of them specialized, offered both as a service and as on-premises deployments.

Some hosted registries offer private repositories. Docker Hub, for example, offers one free private repository for each user and more for paid users. Docker Hub is modeled along the lines of GitHub, offering collaboration, organizations, and groups within organizations. It also integrates well with GitHub and Bitbucket. Docker Hub does not have finer-grained control over access permissions, nor does it support integration with common enterprise authentication/authorization systems like LDAP and Active Directory.

With most cloud platform providers offering container hosting support, registries are the next logical feature for them. AWS has the EC2 Container Registry (ECR) and Google Cloud Platform has its Google Container Registry. Amazon’s ECR integrates with its Elastic Container Service (ECS) and comes with the scalability of AWS as well as private hosting options. Google’s service has multiple security features like time-based tokens for authentication and encrypted storage for all images.

There are various registries that can be used either as a hosted service or hosted on-premises. Among these are:

  • Quay.io by CoreOS. This has a free model for public repositories and a paid model for private repositories, with the pricing varying based on the number of repositories. Quay has the concept of organizations and teams, with related access controls. It also has a GUI for viewing workflows and image lifecycles, with webhooks and event notifications that are helpful when building a software delivery pipeline. Authentication support includes Dex (an OpenID and OAuth 2.0 provider), LDAP and OpenStack's Keystone. The on-premises version of Quay is called Quay Enterprise.
  • Artifactory by JFrog. Artifactory is relatively expensive compared to others. It supports LDAP as well as SAML authentication and user/group level permissions.
  • GitLab container registry. Since this is built by GitLab, it has good compatibility with GitLab’s tools and workflow, such as GitLab CI, and enables storing Docker images in the same place as the source code for a project.

Some registries focus on specific concerns such as security. FlawCheck is one such example, offering vulnerability scanning for Docker images. VMware’s Harbor is an open source image hosting registry with security and identity management features. Harbor can integrate with existing systems like LDAP. Its security focus extends to features like activity auditing.

Sonatype’s Nexus includes support for, among other things, Docker repositories and can be used as a registry.

Community comments

  • Retention?

    by Andrea Ratto,

    Most solutions lack configurable retention and will require you to hack some script to avoid filling up disk space indefinitely.

  • Azure Container Registry

    by Glenn Scott,

  • List is not complete

    by Emma Müller,

    This list seems not to be complete.
    You are missing the private-docker-registry.com on the overview.

    The service is specifically designed for enterprises and doesn't have any artificial restriction on the amount of private registries, users, teams or namespaces. There is also support for federated identity with LDAP, Active Directory, OAuth, SAML.

  • Image replication

    by zhang henry,

    VMware's Harbor can also replicate images between registry instances, from one data center to another, from on-prem to public cloud. This is unique and powerful.

  • Re: Retention?

    by zhang henry,

    VMware's Harbor can delete images and recycle disk space.

  • Re: Retention?

    by Baruch Sadogursky,

    Artifactory excels in that - to help you keep your Docker registries nice and clean, Artifactory has an internal mechanism limiting the number of your tags (versions) for particular images that’s really easy to configure. You might also be interested to know that Artifactory’s garbage collector automatically cleans up any unreferenced Docker layers. These are layers that are not used by any image as a result of Docker tags being removed (whether due to the limit on tags or by intentional deletion). And all of this “spring cleaning” of your Docker registries is done transparently and automatically, behind the scenes, without any downtime.

  • That's all you have to say about Artifactory? Someone didn't do their homework!

    by Baruch Sadogursky,

    Your, how to say, concise, comment on Artifactory is lacking. Let me fix that.

    Artifactory is the only truly universal artifact repository that is also a fully-fledged Docker registry with a unique set of capabilities. For example, it is the only hybrid solution, in which you can select whether you want to have your registry on-prem or in the cloud, or maybe both, replicating between each other. Speaking about cloud, you can get Artifactory as a service in a region of your choice on AWS or GCP (and stay tuned for Azure). It's extremely important both to save money (usually in-region traffic is free, so you can pull and push images between your CI server, registry and runtime environment for free if they are all in the same region) and for the speed of your builds: Docker images are huge, locality matters! Locality can also be a reason for selecting the on-prem version of Artifactory if your CI/CD pipeline is all on-prem.

    And back to the universal theme, you always build something to contain in your containers, Artifactory is a single tool to use for both the images and what's inside the images, and, more importantly, trace the relationships between those cascading builds - Artifactory provides full traceability of your Docker images produced by your CI server. The build information includes the produced artifacts, used dependencies, captured environment information, custom metadata and much more.

    You can also see a visual representation of the Docker image (much like the docker history command) without the need to pull the images, right in your Docker registry! By connecting JFrog Xray to it you won't only see the history of the image (its layers), but also information about security vulnerabilities, licenses and version information about any file at any depth inside your Docker image layers.

    Now, for your comment about LDAP and SAML, another interesting use case is NOT being dependent on the organizational LDAP and SAML, because you might not want your Docker builds to grind to a halt if your LDAP or SAML server is unavailable. To remove this dependency, you can authenticate your build server’s user by creating an API key for it and authenticating with that. You can create an API key through the User Profile page in Artifactory, or via the REST API. The API key can be passed in as an X-JFrog-Art-Api header element in the API call (as shown in the example below) or it can replace the password when using basic authentication.

    Well, you get the idea. There is a lot to say about Artifactory as a Docker image registry other than "expensive".
