Registry & Distribution

Learn about Docker registries, image distribution, and repository management

A Docker registry is a specialized storage and distribution system for Docker images. It functions as a centralized repository where container images can be stored, versioned, and shared among different systems and users. A robust registry solution enables you to:

Store Docker images securely with version control
Distribute images efficiently across development, testing, and production environments
Manage image versions with tagging and metadata
Control access to images through authentication and authorization mechanisms
Track image vulnerabilities and enforce security policies
Optimize storage through deduplication of image layers

Types of Registries

Docker Hub

Public registry service operated by Docker, Inc.
Free tier for public repositories with rate limits (100/200 pulls per 6 hours for anonymous/authenticated users)
Subscription plans for private repositories and higher rate limits
Official images maintained by Docker and verified publishers for trusted content
Automated builds triggered by source code changes in connected repositories
Webhooks for integration with CI/CD pipelines and other systems
Vulnerability scanning for detecting security issues in images
Team management for collaborative development

Private Registry

Self-hosted solution within your own infrastructure
Complete control over data location, retention, and security policies
Network isolation capabilities for air-gapped or high-security environments
Integration with internal systems like LDAP/Active Directory
Customizable storage backends (filesystem, S3, Azure Blob, etc.)
Fine-grained access control policies
No external rate limits or subscription fees
Audit logging for compliance and security tracking
Ability to implement custom validation and security policies

Cloud Provider Registries

AWS Elastic Container Registry (ECR)
- Native integration with AWS IAM for access control
- Lifecycle policies for automatic cleanup
- Cross-region replication for improved availability
- Image scanning with Amazon ECR and integration with Amazon Inspector
Google Container Registry (GCR) / Artifact Registry
- Integration with Google Cloud IAM
- Built-in vulnerability scanning
- Global availability with regional storage
- Integration with Google Cloud Build
Azure Container Registry (ACR)
- Geo-replication across Azure regions
- Integration with Azure Active Directory
- WebHooks for build and deployment automation
- Premium tier offers enhanced throughput and scalability
Digital Ocean Container Registry
- Integration with Digital Ocean Kubernetes
- Regional storage options
- Simple pricing model
GitHub Container Registry (GHCR)
- Tight integration with GitHub Actions
- Fine-grained permissions aligned with GitHub's model
- Anonymous access for public images
- Support for OCI artifacts beyond container images

Working with Docker Hub

Docker Hub is the default registry for Docker, offering a simple workflow for storing and sharing images:

# Login to Docker Hub (credentials stored in ~/.docker/config.json)
docker login
# For specific registry: docker login registry-address

# Pull an image (format: [registry/]repository[:tag])
docker pull nginx:latest
# Specific version
docker pull nginx:1.21.6-alpine
# From another registry
docker pull mcr.microsoft.com/dotnet/aspnet:6.0

# Tag an image for your repository
# Format: docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
docker tag my-app:latest username/my-app:latest
# Adding version tag
docker tag my-app:latest username/my-app:v1.0.3
# Multiple tags for the same image
docker tag my-app:latest username/my-app:stable

# Push to Docker Hub
docker push username/my-app:latest
# Push all tags
docker push --all-tags username/my-app

# Search for images
docker search nginx
# With filter
docker search --filter=stars=100 nginx
# Limit results
docker search --limit=5 nginx

When working with Docker Hub, consider:

Rate limits for pulls (especially in CI/CD environments)
Image access control (public vs. private)
Organization accounts for team collaboration
Automated builds for maintaining up-to-date images

Setting Up a Private Registry

You can run your own registry using the official Docker registry image. A private registry gives you complete control over your image storage and distribution:

# Run a basic local registry
docker run -d -p 5000:5000 --name registry registry:2

# Run a registry with persistent storage
docker run -d -p 5000:5000 --name registry \
  -v /path/to/registry-data:/var/lib/registry \
  registry:2

# Run a registry with custom configuration
docker run -d -p 5000:5000 --name registry \
  -v /path/to/config.yml:/etc/docker/registry/config.yml \
  registry:2

# Tag image for local registry (format: registry-address[:port]/repository[:tag])
docker tag my-app:latest localhost:5000/my-app:latest

# Push to local registry
docker push localhost:5000/my-app:latest

# Pull from local registry
docker pull localhost:5000/my-app:latest

# List images in registry (using API)
curl -X GET http://localhost:5000/v2/_catalog

# List tags for a specific image
curl -X GET http://localhost:5000/v2/my-app/tags/list

For non-localhost registries, you may need to configure Docker daemon to trust an insecure registry by adding it to /etc/docker/daemon.json:

{
  "insecure-registries": ["myregistry.example.com:5000"]
}

For production use, always configure TLS certificates for secure communication.

Image Distribution Strategies

Consider these strategies for efficient image distribution:

Use multi-stage builds for smaller images
- Reduce image size by separating build-time and runtime dependencies
- Only include production-necessary components in final image
- Smaller images reduce network transfer time and storage costs
- Example: Build in one stage, copy only compiled artifacts to runtime stage
Implement layer caching
- Order Dockerfile instructions from least to most frequently changed
- Group related commands to optimize layer creation
- Use BuildKit's improved caching capabilities
- Cache dependencies separately from application code
Consider using content-addressable storage
- Deduplicate identical layers across different images
- Reduce overall storage requirements
- Improve pull efficiency for images sharing common layers
- Enable more efficient image distribution
Implement proper image tagging strategies
- Use semantic versioning (major.minor.patch)
- Include build metadata (git commit, build number)
- Use immutable tags for production deployments
- Consider specialized tags for different environments (dev, staging, prod)
- Document your tagging convention for team consistency
Set up registry mirrors for distributed teams
- Reduce external bandwidth usage and improve pull speeds
- Provide redundancy in case of registry outages
- Place mirrors geographically close to consumers
- Configure pull-through caching for frequently used images
- Implement automated synchronization between registries

Securing Your Registry

Proper security is essential for any Docker registry, especially in production environments.

Basic Authentication

Basic authentication provides simple username/password protection for your registry:

# Create auth directory
mkdir -p auth

# Create user with BCrypt hashing (more secure than the default)
docker run --rm --entrypoint htpasswd \
  httpd:2 -Bbn username password > auth/htpasswd

# Add additional users
docker run --rm --entrypoint htpasswd \
  httpd:2 -Bbn another-user another-password >> auth/htpasswd

# Run registry with authentication
docker run -d \
  -p 5000:5000 \
  --name registry \
  -v "$(pwd)"/auth:/auth \
  -v "$(pwd)"/registry-data:/var/lib/registry \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  registry:2

# Client authentication when pushing/pulling
docker login localhost:5000

Authentication can also be integrated with LDAP, OAuth, or other external providers for enterprise environments.

TLS Configuration

TLS encryption is critical for securing registry communications:

# Generate self-signed certificates (for testing only)
mkdir -p certs
openssl req -newkey rsa:4096 -nodes -sha256 \
  -keyout certs/domain.key -x509 -days 365 \
  -out certs/domain.crt \
  -subj "/CN=localhost"

# For production, use properly signed certificates from a trusted CA
# If using Let's Encrypt:
# certbot certonly --standalone -d registry.example.com

# Run registry with TLS
docker run -d \
  -p 443:5000 \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -v "$(pwd)"/registry-data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  registry:2

# Copy cert to Docker trust store (for self-signed certs)
mkdir -p /etc/docker/certs.d/localhost:443
cp certs/domain.crt /etc/docker/certs.d/localhost:443/ca.crt

Storage Configuration

Configure backend storage options for production-grade registry deployment:

# Create a configuration file
cat > config.yml << EOF
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  htpasswd:
    realm: Registry Realm
    path: /auth/htpasswd
EOF

# For S3 storage backend
cat > config-s3.yml << EOF
version: 0.1
storage:
  s3:
    accesskey: AKIAIOSFODNN7EXAMPLE
    secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    region: us-west-1
    bucket: docker-registry
    encrypt: true
    secure: true
EOF

# Configure registry with storage backend
docker run -d \
  -p 5000:5000 \
  --name registry \
  -v "$(pwd)"/config.yml:/etc/docker/registry/config.yml \
  -v "$(pwd)"/auth:/auth \
  registry:2

Access Control

For more advanced access control:

# Example of role-based access control configuration
cat > config-rbac.yml << EOF
version: 0.1
auth:
  token:
    realm: https://auth.example.com/token
    service: registry.example.com
    issuer: auth-service
    rootcertbundle: /etc/registry/auth-service.crt
EOF

# Run with RBAC configuration
docker run -d \
  -p 5000:5000 \
  --name registry \
  -v "$(pwd)"/config-rbac.yml:/etc/docker/registry/config.yml \
  -v "$(pwd)"/auth-service.crt:/etc/registry/auth-service.crt \
  registry:2

Registry API

The Docker Registry HTTP API provides programmatic access to registry operations. This RESTful API allows you to query, manage, and interact with registry data without using the Docker CLI.

# List repositories (with pagination)
curl -X GET https://registry:5000/v2/_catalog
curl -X GET https://registry:5000/v2/_catalog?n=100  # Limit to 100 results

# List tags for repository (with pagination)
curl -X GET https://registry:5000/v2/repository-name/tags/list
curl -X GET https://registry:5000/v2/repository-name/tags/list?n=20  # Limit to 20 tags

# Check if image exists
curl -I -X HEAD https://registry:5000/v2/repository-name/manifests/tag

# Get image manifest (v2 schema)
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  https://registry:5000/v2/repository-name/manifests/tag

# Get image digest
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
  -I -X HEAD https://registry:5000/v2/repository-name/manifests/tag | grep Docker-Content-Digest

# Delete an image (requires delete enabled in registry config)
# First get the digest, then:
curl -X DELETE https://registry:5000/v2/repository-name/manifests/sha256:digest-value

# Get layer information
curl -X GET https://registry:5000/v2/repository-name/blobs/sha256:layer-digest

# With authentication
curl -u username:password -X GET https://registry:5000/v2/_catalog

# Using token authentication
TOKEN=$(curl -u username:password https://auth.example.com/token?service=registry.example.com | jq -r .token)
curl -H "Authorization: Bearer $TOKEN" https://registry:5000/v2/_catalog

The Registry API enables automation for:

CI/CD pipelines that need to verify image existence
Custom interfaces and management tools
Registry migration scripts
Automated cleanup and maintenance
Integration with other systems

Third-Party Registry Options

Beyond the basic Docker Registry, there are numerous specialized registry solutions available:

Cloud Provider Registries

Amazon Elastic Container Registry (ECR)
- Deeply integrated with AWS services (ECS, EKS, Lambda)
- Private repositories with IAM authentication
- Lifecycle policies for automated image cleanup
- Vulnerability scanning with Amazon Inspector
- Cross-region and cross-account replication
- Pay-as-you-go pricing model
Google Container Registry (GCR) / Artifact Registry
- Native integration with Google Cloud Build and GKE
- Automatic vulnerability scanning
- IAM access controls and audit logging
- Regional storage with global access
- Support for Docker, OCI, and language-specific packages
- Storage pricing + data transfer costs
Azure Container Registry (ACR)
- Integrated with Azure DevOps and AKS
- Premium tier with geo-replication
- Automated builds with Tasks
- Content trust for image signing
- Tiered pricing (Basic, Standard, Premium)
- Webhook support for build and deployment automation
DigitalOcean Container Registry
- Simple integration with DO Kubernetes
- Straightforward pricing by storage tiers
- Global availability
- Integrated vulnerability scanning

Self-Hosted Solutions

Harbor
- Open source, enterprise-focused registry
- Role-based access control
- Policy-based image replication
- Vulnerability scanning integration
- Image signing and verification
- Support for multiple registries and Helm charts
- WebHooks for event notification
- Audit logging for compliance
Nexus Repository
- Multi-format artifact management (not just Docker)
- Support for npm, Maven, NuGet, PyPI, etc.
- Role-based access control
- Component lifecycle management
- Repository health check
- Available in free OSS and commercial editions
- Proxy and cache remote repositories
JFrog Artifactory
- Universal artifact management platform
- High availability configuration
- Advanced security features
- Metadata-based search
- Build integration
- Extensive REST API
- Commercial offering with enterprise support
- Replication and federation capabilities
GitLab Container Registry
- Integrated with GitLab CI/CD
- Built into GitLab installations
- Project-based permissions
- Vulnerability scanning
- Image clean-up policies
- No additional configuration needed with GitLab

Image Signing and Trust

Image signing ensures the authenticity and integrity of container images. Docker Content Trust (DCT) provides a way to verify both the publisher and the content of images.

# Enable Docker Content Trust globally (can also be set per-command)
export DOCKER_CONTENT_TRUST=1

# Generate signing keys (first-time setup)
docker trust key generate my-signing-key

# Add yourself as a signer for a repository
docker trust signer add --key my-signing-key.pub my-name username/image

# Sign image during push (automatically happens with DCT enabled)
docker push username/image:tag

# View trusted data and verification status
docker trust inspect username/image:tag

# View detailed signer information
docker trust inspect --pretty username/image:tag

# Revoke signatures
docker trust revoke username/image:tag

# Work with images without verification temporarily
DOCKER_CONTENT_TRUST=0 docker pull username/image:untrusted-tag

For enterprise environments:

Implement Notary for advanced signing workflows
Set up a secure offline root key
Establish a key rotation policy
Configure CI/CD systems to sign images automatically
Integrate with vulnerability scanning to only sign secure images
Use admission controllers in Kubernetes to verify signatures

DCT creates two types of keys:

Root key: Master key that should be kept securely offline
Repository keys: Used for signing specific repositories

When enabled, Docker will only pull signed images with verified signatures.

Registry Garbage Collection

Registries accumulate unreferenced layers over time as images are updated or deleted. Garbage collection reclaims this storage space by removing "dangling" blobs.

# Run basic garbage collection
docker exec registry registry garbage-collect /etc/docker/registry/config.yml

# Run garbage collection with more verbose output
docker exec registry registry garbage-collect -v /etc/docker/registry/config.yml

# Dry run (simulate garbage collection without deleting)
docker exec registry registry garbage-collect --dry-run /etc/docker/registry/config.yml

# Stop the registry before garbage collection (recommended for production)
docker stop registry
docker run --rm -v registry_volume:/var/lib/registry registry:2 \
  registry garbage-collect /etc/docker/registry/config.yml
docker start registry

Important considerations for garbage collection:

Registry should be in read-only mode during garbage collection to prevent corruption
Deleted manifests may still appear in API results until the registry is restarted
Consider setting up scheduled garbage collection for production registries
Use registry storage quotas to prevent unexpected growth
Monitor storage usage before and after garbage collection
Some storage drivers have specific garbage collection considerations

Example cron job for weekly garbage collection:

0 2 * * 0 docker stop registry && \
  docker run --rm -v registry_data:/var/lib/registry registry:2 \
  registry garbage-collect /etc/docker/registry/config.yml > /var/log/registry-gc.log 2>&1 && \
  docker start registry

Registry Configuration

The Docker Registry is highly configurable through its config.yml file. Below is an annotated example with common configuration options:

version: 0.1
log:
  level: info  # Options: error, warn, info, debug
  formatter: json  # Options: text, json
  fields:
    service: registry
    environment: production

storage:
  # File system storage driver
  filesystem:
    rootdirectory: /var/lib/registry
  # Enable deletion (required for garbage collection)
  delete:
    enabled: true
  # Cache configuration
  cache:
    blobdescriptor: inmemory
  # Storage maintenance options
  maintenance:
    uploadpurging:
      enabled: true
      age: 168h
      interval: 24h
      dryrun: false
  # Storage quota management
  redirect:
    disable: false
  # Alternative: S3 storage
  # s3:
  #   accesskey: AKIAIOSFODNN7EXAMPLE
  #   secretkey: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  #   region: us-west-1
  #   bucket: docker-registry
  #   encrypt: true
  #   secure: true
  #   v4auth: true
  #   chunksize: 5242880
  #   multipartcopychunksize: 33554432
  #   multipartcopymaxconcurrency: 100
  #   multipartcopythresholdsize: 33554432

http:
  addr: :5000
  # TLS configuration
  tls:
    certificate: /certs/domain.crt
    key: /certs/domain.key
  headers:
    X-Content-Type-Options: [nosniff]
  # Rate limiting
  host: https://registry.example.com
  # Request timeouts
  timeout: 1h
  # CORS settings for browser access
  http2:
    disabled: false

auth:
  # Basic authentication with htpasswd
  htpasswd:
    realm: Registry Realm
    path: /auth/htpasswd
  # Alternative: token-based authentication
  # token:
  #   realm: https://auth.example.com/token
  #   service: registry.example.com
  #   issuer: auth-service
  #   rootcertbundle: /etc/registry/auth.crt

middleware:
  registry:
    - name: repository
      options:
        allow:
          - "^approved/.*$"
        
# Reporting metrics
reporting:
  bugsnag:
    apikey: XYZ123EXAMPLE
    releasestage: production
    endpoint: https://notify.bugsnag.com

# Redis for distributed locking and caching
redis:
  addr: redis:6379
  password: secret
  db: 0
  dialtimeout: 10ms
  readtimeout: 10ms
  writetimeout: 10ms
  pool:
    maxidle: 16
    maxactive: 64
    idletimeout: 300s

# Event notifications (webhooks)
notifications:
  endpoints:
    - name: webhook
      url: http://webhook-service:8000/notify
      headers:
        Authorization: [Bearer <token>]
      timeout: 500ms
      threshold: 5
      backoff: 1s
      ignoredmediatypes:
        - application/octet-stream
      ignore:
        mediatypes:
          - application/octet-stream
        actions:
          - pull

Common configuration use cases:

High Availability Setup: Configure multiple registry instances with shared storage
Performance Optimization: Adjust cache settings and implement Redis
Security Hardening: Configure TLS, authentication, and authorization
Storage Management: Set up quotas, garbage collection, and storage drivers
Integration: Configure webhooks for event notifications
Compliance: Enable audit logging and access controls

Best Practices

Implementing these best practices will help you manage your container registry effectively and securely:

Tagging Strategy

Use semantic versioning (SemVer)
- Format: MAJOR.MINOR.PATCH (e.g., 1.2.3)
- MAJOR: Breaking changes
- MINOR: New features, backward compatible
- PATCH: Bug fixes, backward compatible
Include build information
- Add build numbers or timestamps
- Format examples:
  - 1.2.3-build.456
  - 1.2.3-20230415.1
  - 1.2.3-alpha.1, 1.2.3-beta.2, 1.2.3-rc.1
Never use "latest" in production
- "latest" is mutable and unpredictable
- Makes rollbacks difficult or impossible
- Complicates auditing and versioning
- Obscures which version is actually running
Tag with git commit hashes
- Provides direct traceability to source code
- Format example: 1.2.3-a7ff23e
- Helpful for debugging specific versions
- Can automate in CI/CD pipelines
Consider using digest references
- Immutable and tamper-evident
- Format: image@sha256:digest
- Guarantees exact image content
- Can be used with vulnerability scanners
- Best for security-critical deployments
Implement tag lifecycle policies
- Automate cleanup of old tags
- Preserve important historical versions
- Document retention policies

Security

Regular vulnerability scanning
- Integrate scanners like Trivy, Clair, or Anchore
- Block deployment of vulnerable images
- Configure scheduled rescans of existing images
- Track CVEs and patch affected images
Image signing
- Implement Docker Content Trust
- Use Notary for advanced signing workflows
- Enforce signature verification on pull
- Store root keys securely offline
- Rotate signing keys periodically
Access control
- Implement principle of least privilege
- Use namespaces for project isolation
- Configure role-based access control
- Audit user access regularly
- Implement approval workflows for sensitive repositories
Audit logging
- Log all registry operations
- Capture who, what, when information
- Store logs securely and immutably
- Set up alerts for suspicious activities
- Retain logs for compliance requirements
- Forward logs to SIEM systems
Regular garbage collection
- Schedule routine garbage collection
- Monitor storage utilization
- Configure retention policies
- Implement image lifecycle management
- Remove untagged and outdated images
Network security
- Use TLS 1.2+ for all registry traffic
- Implement proper certificate management
- Consider network segmentation
- Use VPNs or private endpoints for access

Efficiency

Layer caching
- Optimize Dockerfiles for cache utilization
- Use BuildKit's improved caching
- Implement shared build caches in CI/CD
- Configure appropriate cache lifetimes
- Consider remote caching for distributed teams
Optimized storage backends
- Choose appropriate backend for scale (S3, Azure Blob, etc.)
- Configure compression settings
- Implement data deduplication where available
- Monitor storage performance metrics
- Implement lifecycle policies for automated management
Pull-through caching
- Set up proxy registries for frequently used images
- Cache external images locally to reduce bandwidth
- Configure appropriate cache TTL values
- Schedule cache warming for critical images
- Implement health checks for upstream registries
Load balancing
- Distribute registry load across multiple instances
- Implement round-robin or other load balancing strategies
- Configure connection draining for maintenance
- Monitor per-instance performance metrics
- Set up high availability clusters
Geographic distribution
- Deploy registries close to users/clusters
- Implement registry replication across regions
- Use content delivery networks where appropriate
- Configure smart routing based on client location
- Synchronize metadata between distributed instances

Distribution Strategies

Best practices for image distribution:

Use semantic versioning for tags
- Follow MAJOR.MINOR.PATCH convention
- Include metadata like build number, git hash
- Document tagging policies for all users
Implement CI/CD pipelines for automatic pushes
- Build and push on every commit or PR merge
- Configure pipeline-specific credentials
- Implement quality gates before pushing
- Tag with both version and git hash for traceability
Scan images for vulnerabilities before distribution
- Integrate scanning tools in CI/CD pipeline
- Block distribution of images with critical vulnerabilities
- Generate bill of materials for compliance
- Implement continuous rescanning of existing images
Implement image promotion workflows across environments
- Use separate repositories or tags for dev/staging/prod
- Implement explicit promotion process
- Never rebuild for promotion - use the same image
- Maintain promotion audit trail
- Implement approval gates for production promotion
Automate cleanup of old images
- Implement retention policies based on age or count
- Preserve images deployed to production
- Run garbage collection regularly
- Maintain audit trail of deleted images
- Consider legal/compliance requirements for retention
Document image usage and requirements
- Include README in image repositories
- Document environment variables and volumes
- Specify resource requirements
- Include health check information
- Document upgrade procedures
- List compatible versions of dependencies

Working with Image Layers

Understanding Layers

Each instruction in Dockerfile creates a layer
- Every RUN, COPY, ADD command creates a new layer
- Other instructions create metadata-only changes
- Layers represent filesystem differences
- Maximum of 127 layers per image (practical limit)
- Older images may use different layering technology
Layers are cached and reused
- Unchanged layers use cache during builds
- Cache invalidation occurs at first change
- All subsequent layers must be rebuilt
- Order instructions from least to most frequently changed
- Use .dockerignore to prevent cache invalidation
Efficient distribution relies on layer sharing
- Common layers are stored once on disk
- Images with same base share foundation layers
- Registry transfers only missing layers
- Improves pull performance and reduces storage
- Enables efficient large-scale deployments
Base images form common foundation layers
- Choose appropriate base images for sharing
- Consider using organization-specific base images
- Standardizing on base images increases sharing
- Update base images regularly for security patches
- Track base image usage across organization
Only changed layers are transferred during pulls
- Docker client checks which layers it already has
- Registry serves only missing layers
- Layers are verified by content-addressable hashes
- Network transfer is minimized
- Consider squashing for production if sharing isn't beneficial

Layer Management

# View image layers and sizes
docker history my-image:latest

# View detailed layer information including SHA256 digests
docker history --no-trunc my-image:latest

# See layer details including mount points and driver data
docker inspect my-image:latest

# Extract a specific layer (advanced)
LAYER_ID=$(docker inspect my-image:latest | jq -r '.[0].RootFS.Layers[2]')
mkdir -p /tmp/extracted-layer
docker save my-image:latest | tar -xf - -C /tmp
tar -xf /tmp/$LAYER_ID/layer.tar -C /tmp/extracted-layer

# Analyze image layers with dive tool
docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock wagoodman/dive:latest my-image:latest

Layer Optimization

Group related commands to reduce layer count
Use multi-stage builds to eliminate build-only layers
Remove temporary files in the same layer they're created
Consider squashing layers for production images
Use appropriate base images to maximize layer sharing

Multi-Registry Operations

Working with multiple registries is common in enterprise environments, where you might have internal registries for development and external registries for distribution.

# Log in to multiple registries (credentials stored separately)
docker login registry1.example.com
docker login registry2.example.com

# Verify logged-in registries
cat ~/.docker/config.json | jq '.auths'

# Pull from one registry and push to another
docker pull registry1.example.com/app:latest
docker tag registry1.example.com/app:latest registry2.example.com/app:latest
docker push registry2.example.com/app:latest

# Copy all tags from one registry to another
SOURCE_REPO="registry1.example.com/app"
DEST_REPO="registry2.example.com/app"

# Get all tags for a repository
TAGS=$(curl -s -X GET https://registry1.example.com/v2/app/tags/list | jq -r '.tags[]')

for TAG in $TAGS; do
  docker pull $SOURCE_REPO:$TAG
  docker tag $SOURCE_REPO:$TAG $DEST_REPO:$TAG
  docker push $DEST_REPO:$TAG
done

# Use skopeo to copy images between registries without docker daemon
skopeo copy \
  docker://registry1.example.com/app:latest \
  docker://registry2.example.com/app:latest

# Use registry credentials from environment variables
export REGISTRY1_USERNAME="user1"
export REGISTRY1_PASSWORD="pass1"
export REGISTRY2_USERNAME="user2"
export REGISTRY2_PASSWORD="pass2"

docker login -u $REGISTRY1_USERNAME -p $REGISTRY1_PASSWORD registry1.example.com
docker login -u $REGISTRY2_USERNAME -p $REGISTRY2_PASSWORD registry2.example.com

When working with multiple registries, consider:

Implementing a registry of registries (federation)
Setting up synchronization between registries
Managing credentials securely
Implementing consistent naming conventions across registries
Tracking image provenance as images move between registries

Image Mirroring and Caching

Registry mirrors can improve pull performance, reduce external bandwidth usage, and provide redundancy. They work by caching images from upstream registries locally.

# Configure registry mirror in /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://mirror1.example.com",
    "https://mirror2.example.com"
  ]
}

# Restart Docker daemon to apply changes
sudo systemctl restart docker

To set up your own registry mirror with pull-through caching:

# Run a registry with pull-through cache
docker run -d -p 5000:5000 --name registry-mirror \
  -v /path/to/data:/var/lib/registry \
  -e REGISTRY_PROXY_REMOTEURL=https://registry-1.docker.io \
  registry:2

# For multiple upstream registries, use a config file
cat > config.yml << EOF
version: 0.1
proxy:
  remoteurl: https://registry-1.docker.io
  username: [username]  # Optional
  password: [password]  # Optional
EOF

docker run -d -p 5000:5000 --name registry-mirror \
  -v /path/to/config.yml:/etc/docker/registry/config.yml \
  registry:2

# Test the mirror
docker pull localhost:5000/library/ubuntu:latest

Benefits of registry mirrors:

Reduced external bandwidth consumption
Faster image pulls for frequently used images
Protection against upstream registry outages
Rate limit avoidance (particularly for Docker Hub)
Ability to audit and control image usage

For large organizations, consider:

Hierarchical mirroring architecture
Geographic distribution of mirrors
Automatic health checking and failover
Monitoring of cache hit/miss ratios
Periodic purging of unused cached images

Advanced Topics

Content Trust

Sign and verify images
- Implement Notary for signature management
- Configure separate keys for different environments
- Document key management procedures
- Implement hardware security modules for key storage
- Set up automated signing in CI/CD pipelines
Ensure image authenticity
- Verify publisher identity
- Confirm content hasn't been modified
- Check signature freshness and expiry
- Implement chain of trust validation
- Integrate with secure software supply chain
Prevent tampering
- Store signatures separately from images
- Use threshold signing for critical images
- Implement key rotation procedures
- Monitor for unauthorized signature attempts
- Log all verification activities
Enable in daemon.json
{ "content-trust": { "trust-pinning": { "official-library-images": true, "root-keys": { "docker.io/myorg/*": ["key1", "key2"] } } } }
Verify before deployment
- Add verification steps in deployment pipelines
- Block deployment of unsigned images
- Implement policy controllers in Kubernetes
- Document verification requirements
- Add signature metadata to deployment artifacts

Registry API

RESTful API
- Well-documented endpoints
- Standard HTTP status codes
- JSON response format
- Authentication with Bearer tokens
- Rate limiting and throttling controls
Image manipulation
- Push and pull operations
- Layer uploads and downloads
- Cross-repository blob mounting
- Image manifest management
- Content addressable blob storage
Repository management
- List and search repositories
- Tag management operations
- Access control configuration
- Repository metadata handling
- Namespace organization
Catalog operations
- Paginated repository listing
- Search and filtering capabilities
- Metadata aggregation
- Tag enumeration
- Cross-repository operations
Webhook integration
- Event-based notifications
- Customizable event filtering
- Delivery retry mechanisms
- Authentication for webhook endpoints
- Webhook delivery logging and auditing

Garbage Collection

# Run basic garbage collection
docker exec -it registry \
  registry garbage-collect /etc/docker/registry/config.yml

# Detailed garbage collection with verbose output
docker exec -it registry \
  registry garbage-collect -v /etc/docker/registry/config.yml

# Run garbage collection with dry run to preview deletions
docker exec -it registry \
  registry garbage-collect --dry-run /etc/docker/registry/config.yml 2>&1 | tee gc-preview.log

# Analyze how much space would be freed
docker exec -it registry \
  registry garbage-collect --dry-run /etc/docker/registry/config.yml 2>&1 | \
  grep "blob eligible for deletion" | \
  awk '{sum+=$7} END {print "Total bytes to be freed: " sum}'

# Run garbage collection and restart registry to apply changes
docker exec -it registry \
  registry garbage-collect /etc/docker/registry/config.yml
docker restart registry

Advanced Storage Management

Implement storage quotas per repository/namespace
Configure automated pruning policies
Set up storage analytics and monitoring
Implement data compression for storage efficiency
Configure cross-region replication for disaster recovery

Troubleshooting

Common registry issues and solutions:

Authentication failures
- Check credentials in ~/.docker/config.json
- Verify token expiration and refresh if needed
- Confirm user has appropriate permissions
- Inspect registry logs for auth errors
- Test authentication with curl directly:
  curl -u username:password https://registry:5000/v2/
Network connectivity
- Verify firewall and proxy settings
- Check DNS resolution for registry hostname
- Test basic connectivity with ping/telnet
- Inspect registry logs for connection errors
- Check Docker daemon network configuration
- Verify network policies allow registry traffic
- Test with curl bypassing proxy:
  curl -v --noproxy '*' https://registry:5000/v2/
Certificate issues
- Ensure proper TLS configuration
- Verify certificate validity period
- Check certificate chain is complete
- Confirm hostname matches certificate CN/SAN
- Add CA certificates to trusted store
- For self-signed certs, configure Docker client:
  mkdir -p /etc/docker/certs.d/registry:5000 cp ca.crt /etc/docker/certs.d/registry:5000/
Storage problems
- Check disk space and quotas
- Verify filesystem permissions
- Inspect storage driver logs
- Run filesystem checks on storage volumes
- Monitor I/O performance metrics
- Consider storage backend scalability
- Run diagnostic commands:
  df -h /var/lib/registry ls -la /var/lib/registry docker exec registry du -sh /var/lib/registry
Rate limiting
- Be aware of registry pull limits (especially Docker Hub)
- Implement authenticated pulls to increase limits
- Configure registry mirrors to cache images
- Use pull-through cache for frequently used images
- Distribute pulls across multiple accounts if necessary
- Monitor rate limit headers:
  docker pull nginx 2>&1 | grep RateLimit
Layer availability
- Ensure all layers are accessible
- Check for incomplete uploads or transfers
- Verify storage backend integrity
- Run registry garbage collection with dry-run
- Re-push images if layers are corrupted
- Restore from backups if necessary
- Test layer download directly:
  curl -H "Authorization: Bearer $TOKEN" \ https://registry:5000/v2/repo/blobs/sha256:digest
Performance issues
- Monitor registry resource usage
- Configure appropriate cache settings
- Implement efficient storage backends
- Scale registry horizontally if needed
- Use CDN for large-scale distribution
- Analyze registry metrics:
  docker exec registry cat /proc/loadavg docker stats registry
Registry corruption
- Back up registry data before repairs
- Verify filesystem integrity
- Re-index corrupted repositories
- Consider rebuilding registry from scratch
- Implement regular integrity checks

Edit this page

Security

Learn about Docker security best practices, configurations, and tools

Optimization

Learn how to optimize Docker images, containers, and overall Docker performance