Container registries are centralized repositories for storing, managing, and distributing container images, serving as the critical bridge between image builds and deployments. These registries implement the OCI Distribution Specification, ensuring interoperability across tools and platforms while providing features like access control, vulnerability scanning, image signing, geo-replication, and OCI artifact storage. Whether using public registries like Docker Hub or private registries like ECR and Harbor, understanding authentication methods, tagging strategies, and lifecycle management is essential for secure and efficient container operations. A key insight: always reference images by digest rather than tags in production to guarantee immutable deployments, and leverage pull-through caches to avoid rate limits and reduce latency.
What This Cheat Sheet Covers
This topic spans 16 focused tables and 135 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Popular Registry Providers
Choosing the right registry depends on your cloud ecosystem, security requirements, and whether you need public distribution, private internal hosting, or self-hosted control. All major modern registries implement the OCI Distribution Specification, making images portable across providers.
| Provider | Example | Description |
|---|---|---|
| Docker Hub | `docker pull nginx:latest`<br>`docker push myuser/myapp:1.0` | • Most widely used public registry with official vendor images, Docker Verified Publishers, AI model catalog, and MCP server catalog<br>• Rate limits: 100 pulls/6h per IP (unauthenticated), 200/6h (free authenticated), unlimited (Pro/Team/Business) |
| GitHub Container Registry (GHCR) | `docker pull ghcr.io/owner/image:tag`<br>`docker login ghcr.io -u user -p $GITHUB_TOKEN` | • Integrated with GitHub Actions<br>• Uses GITHUB_TOKEN or personal access tokens for auth<br>• Supports public images without authentication, Helm charts, and other OCI artifacts |
| Amazon ECR | `aws ecr get-login-password \| docker login --username AWS --password-stdin 123456.dkr.ecr.us-east-1.amazonaws.com`<br>`docker push 123456.dkr.ecr.us-east-1.amazonaws.com/repo:tag` | • AWS-managed registry with IAM-based access control<br>• Auth tokens expire after 12 hours<br>• Supports OCI 1.1 with Referrers API, vulnerability scanning via Amazon Inspector, and lifecycle policies |
| Azure Container Registry (ACR) | `az acr login --name myregistry`<br>`docker push myregistry.azurecr.io/image:tag` | • Enterprise-grade registry with geo-replication, private endpoints, and RBAC<br>• Supports service principals, managed identities, and admin credentials<br>• Integrates with AKS seamlessly and supports OCI artifacts including Helm, Bicep, and WASM |
| Google Artifact Registry | `gcloud auth configure-docker us-docker.pkg.dev`<br>`docker push us-docker.pkg.dev/project/repo/image:tag` | • Successor to GCR<br>• Supports Docker, Helm, Maven, npm, Python, and more<br>• Fine-grained IAM, vulnerability scanning via Binary Authorization, CMEK encryption, and multi-region replication |
| Harbor | `docker login harbor.example.com`<br>`docker push harbor.example.com/library/app:v1` | • CNCF-graduated open-source registry with RBAC, multi-tenancy, replication, webhooks, and Trivy scanning<br>• Supports OCI v2.0, auto-SBOM generation on push, and Harbor Satellite for edge deployments |
| JFrog Artifactory | `docker login mycompany.jfrog.io`<br>`docker push mycompany.jfrog.io/docker/image:tag` | • Universal artifact manager supporting Docker, Helm, Maven, npm, and 30+ package types<br>• OCI v1.1 compliant with Referrers API; enterprise features include advanced RBAC, AQL query language, and CDN distribution |
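
The introduction's advice to reference images by digest rather than tag in production can be checked mechanically. The Python code below is an added example, not part of the original cheat sheet: it parses image references like those in Table 1 and reports every one that is not digest-pinned. The function names, the sample reference list and the sample digest are constructed for illustration, and only sha256 digests are accepted.

```python
import re

# sha256 digest form: "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref):
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # A ':' starts a tag only when it comes after the last '/';
    # otherwise it is a registry port, as in localhost:5000/app.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    # Docker convention: the first component is a registry host only if it
    # contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry = "docker.io"
        repo = name if "/" in name else f"library/{name}"
    return {"registry": registry, "repository": repo,
            "tag": tag, "digest": digest or None}

def audit(refs):
    """Return (ref, finding) for every reference that is not digest-pinned."""
    findings = []
    for ref in refs:
        parsed = parse_image_ref(ref)
        if parsed["digest"]:
            continue  # pinned: a digest identifies one exact manifest
        if parsed["tag"] is None:
            findings.append((ref, "no tag or digest: resolves to mutable :latest"))
        else:
            findings.append((ref, f"tag :{parsed['tag']} is mutable; pin with @sha256:<digest>"))
    return findings

# Constructed sample input; the digest value is a made-up placeholder.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_REFS = [
    "nginx:latest", "ghcr.io/owner/image:tag", "localhost:5000/app",
    f"harbor.example.com/library/app:v1@{SAMPLE_DIGEST}",
    f"myregistry.azurecr.io/image@{SAMPLE_DIGEST}",
]

if __name__ == "__main__":
    for ref, finding in audit(SAMPLE_REFS):
        print(f"{ref}: {finding}")
```

A check like this fits in CI or an admission step, run over the image fields extracted from deployment manifests.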