Containers are created from container image files. There are container images for most popular software tools and utilities like Ubuntu, Redis, and NGINX.
A set of versions of the same container image, distinguished by their tags, is called a repository. Container repositories and images are stored in a container registry, from where they can be shared with the rest of the world or kept private to just you or your organization.
Registries are a vital part of the Docker experience, as they manage the distribution of container images. A container registry controls how container repositories and their images are created, stored, and accessed. In this post, we’ll take a tour of the various options available with Docker registries.
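To make the registry / repository / tag hierarchy concrete, here is an added example (not part of the original post) that splits image references into those parts and groups them by registry. It applies Docker's usual defaults (`docker.io`, the `library/` prefix, the `latest` tag) in simplified form; all image names and the digest are constructed for illustration.

```python
from typing import NamedTuple, Optional

DEFAULT_REGISTRY = "docker.io"   # Docker Hub is implied when no host is given
DEFAULT_TAG = "latest"           # implied when neither tag nor digest is given
CONSTRUCTED_DIGEST = "sha256:" + "0" * 64   # constructed placeholder digest

class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    name, _, digest = ref.partition("@")
    # A ':' after the last '/' starts the tag; an earlier ':' is a host port.
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    first, slash, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = DEFAULT_REGISTRY, name
        if "/" not in repository:
            repository = "library/" + repository   # official images
    if tag is None and not digest:
        tag = DEFAULT_TAG
    return ImageRef(registry, repository, tag, digest or None)

def inventory(refs):
    """Map registry -> repository -> set of tags (or digests) in use."""
    result = {}
    for ref in refs:
        r = parse_image_ref(ref)
        repos = result.setdefault(r.registry, {})
        repos.setdefault(r.repository, set()).add(r.tag or r.digest)
    return result

# Constructed sample references, e.g. collected from deployment manifests.
SAMPLE_REFS = [
    "ubuntu:22.04", "ubuntu:20.04", "redis",
    "quay.io/example/app:1.0",
    "localhost:5000/team/app:2.3",
    "gcr.io/example-project/api@" + CONSTRUCTED_DIGEST,
]

if __name__ == "__main__":
    for registry, repos in inventory(SAMPLE_REFS).items():
        print(registry, {name: sorted(tags) for name, tags in repos.items()})
```

Running it shows that `ubuntu:22.04` and `ubuntu:20.04` are two tags in one repository on Docker Hub, even though neither reference names a registry.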
There are two types of registries—registries that are offered only as a hosted service, and registries that you install on your own infrastructure, whether that infrastructure is on-premises or a virtual server in the cloud. Let’s explore each of these options.
Hosted registries - Docker Hub, Quay, GCR, ECR, ACR
Docker Hub is the official hosted registry from Docker. It hosts unlimited public repositories for free, and scans all repositories it hosts. One of the disadvantages of Docker Hub is that it has simple access controls, enabling you to share repositories only with an “organization,” similar to GitHub. It doesn’t support more advanced sharing features like role-based access.
Quay, one of the early container registries, hosts unlimited free public repositories, and has a paid option for private repositories. It uses Clair to scan repositories for vulnerabilities. Quay provides detailed access controls like LDAP authentication as part of its enterprise offering. It also supports Active Directory, and single sign-on via a third-party integration.
The three major IaaS providers also have their own container registries—Amazon’s ECR, Azure’s ACR, and Google Cloud’s GCR. Their main attraction is the deep integration with their respective cloud platforms. They provide fine-grained access controls, and are the best option if you’re already invested in one of these cloud platforms. The one drawback with these solutions is their pricing model. They do not charge per repository, but by the amount of storage and network used. This is not suitable for large teams where repositories are pushed and pulled frequently.
On-premises registries - DTR, Quay, GitLab container registry
You can host your own Docker registry using the open source Docker Distribution tool, or its commercially supported avatar—Docker Trusted Registry (DTR). This option is appropriate when security and compliance are top concerns, and if you want your repositories to stay within the confines of your organization. Unlike Docker Hub, DTR gives you maximum control over how your repositories are stored and shared, but this comes at the cost of having to build out the skills to manage it all in-house.
GitLab container registry was released in mid-2016, and is a great option if you’re already using GitLab’s repository hosting, and CI services. It can be installed on-premises as part of the GitLab Community and Enterprise editions. It shares the same permissions as the GitLab suite of products, enabling users to either “see”, “update”, or “remove” a container registry based on their role. There is also a hosted solution (as part of the hosted GitLab offering).
Quay also offers an on-premises version of its container registry. This comes with advanced features like running multiple instances of Quay for redundancy, and syncing of images across multiple data centers.
Let’s put all of this into a single table for easy comparison:
| | Docker Hub | Quay | DTR | GCR/ECR/ACR | GitLab container registry |
|---|---|---|---|---|---|
| Pricing model | Per registry | Per registry | Part of Docker Datacenter | Metered usage | Part of GitLab licence |
| Default integration with | N/A | CoreOS | N/A | Respective IaaS vendor | GitLab CI |
In conclusion, the market for container registries is growing and changing by the day. There are many options for capable registries. You can go with the plain-vanilla Docker Hub, or one of the registries that are part of a platform you already use. You can choose to host your own registry, or have it hosted for you. There are nuances that separate each registry, which is what this post attempts to highlight. I hope it helps you in your search for the right container registry.
About the Author
Twain Taylor began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist, he helps IT magazines and startups change the way teams build and ship applications.