Docker Registries – Aqua Security

On this page, you’ll learn everything you need to know about Docker registries:

  • What is a Docker registry?
  • DockerHub
  • Other public registries
  • Common operations with DockerHub
  • Private registries
  • Common operations for managing a local registry

What is a Docker registry?

A Docker registry is a storage and distribution system for named Docker images. The same image can have several different versions, identified by their tags.

A Docker registry is organized into Docker repositories, where a repository contains all versions of a specific image. Registries allow Docker users to pull images locally, as well as push new images to the registry (subject to the appropriate access permissions).

By default, the Docker engine interacts with DockerHub, Docker’s public registry instance. However, it is possible to run the open-source Docker registry/distribution locally, as well as a commercially supported version called Docker Trusted Registry. Other public registries are also available online.

To pull an image from a local registry, you can run a command similar to: docker pull my-registry:9000/foo/bar:2.1, which pulls the version of the foo/bar image tagged 2.1 from our local registry at the my-registry host, port 9000.

If you used DockerHub instead, and 2.1 was also the latest version, you could run this command to pull the same image locally: docker pull foo/bar

Note that a tag, latest included, is a mutable pointer: the repository owner can move it to a different image at any time. To pull exactly the image you tested, reference it by its content digest instead, e.g. docker pull foo/bar@sha256:<digest>; the engine verifies the downloaded manifest against that digest.

For more information, see Docker documentation: About the registry › and distribution ›

DockerHub

DockerHub

is a hosted registry solution from Docker Inc. In addition to public and private repositories, it also provides automated builds, organization accounts, and integration with source control solutions such as GitHub and Bitbucket.

Anyone running Docker can access a public repository, and image names include the organization/user name. For example, docker pull jenkins/jenkins will pull the Jenkins CI server image with the latest tag from the Jenkins organization. There are hundreds of thousands of public images available. Private repositories restrict access to the repository creator or to members of their organization.

DockerHub also hosts Official Repositories: curated images that are vetted for security and follow Docker’s best practices. These do not require an organization/user name; for example, docker pull nginx will pull the latest image of the Nginx web server/load balancer.
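The naming rules used in the pull examples above (a host and port prefix for a local registry, an implied docker.io registry and latest tag for DockerHub, and the library/ namespace for official images) are easiest to see in code, because the difference between a tag and a digest is what decides whether a pull is reproducible. The following Python is an added example written for this page, not code from Aqua Security or from Docker. It models the Docker client’s published reference grammar with a deliberately simplified parser (repository-name character rules are not validated), and the reference strings it exercises are constructed.

```python
"""Normalize Docker image references the way the Docker client does.

Added example for this page, not code from Aqua Security or from Docker.
It models the published reference grammar (optional registry host, a
repository path, optional ':tag', optional '@digest') with a simplified
parser: repository-name character rules are not validated here.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"   # DockerHub, implied when no host is given
DEFAULT_NAMESPACE = "library"    # where official images such as nginx live
DEFAULT_TAG = "latest"           # implied when neither tag nor digest is given

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        """True only when the reference names exact content (a digest)."""
        return self.digest is not None

    def __str__(self) -> str:
        out = f"{self.registry}/{self.repository}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def _looks_like_registry(component: str) -> bool:
    # Docker client rule: the first path component is a registry host only
    # if it contains '.' or ':' or is exactly 'localhost'.
    return "." in component or ":" in component or component == "localhost"


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference into registry, repository, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")

    first, sep, rest = ref.partition("/")
    if sep and _looks_like_registry(first):
        registry, path = first, rest               # my-registry:9000/foo/bar:2.1
    else:
        registry, path = DEFAULT_REGISTRY, ref     # foo/bar, nginx, ubuntu:14.04

    # Only the last path component may carry a tag; a ':' in the registry
    # component (the port) was consumed above, so rfind() is safe here.
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")

    if not path:
        raise ValueError("empty repository name")
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = f"{DEFAULT_NAMESPACE}/{path}"       # official image: nginx -> library/nginx

    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return ImageRef(registry, path, tag, digest)


if __name__ == "__main__":
    # Constructed references, including the two pulls discussed in the text.
    for ref in ("my-registry:9000/foo/bar:2.1", "foo/bar", "nginx",
                "ubuntu:14.04", "nginx@sha256:" + "0" * 64):
        parsed = parse_image_ref(ref)
        print(f"{ref:40} -> {parsed}  pinned={parsed.pinned}")
```

The pinned property is the check to run in a CI or deployment step: foo/bar and foo/bar:2.1 both resolve to whatever the registry currently points those tags at, while an @sha256:… reference names one exact manifest that the engine verifies on download.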

DockerHub can perform automated image builds if the DockerHub repository is linked to a source control repository that contains a build context (Dockerfile and all files in the same folder). A commit to the source repository will trigger a build in DockerHub.

For more information, see Docker documentation: Configure automated Docker builds ›

DockerHub can also automatically scan images in private repositories for vulnerabilities, producing a report detailing the vulnerabilities found in each image layer, by severity (critical, major, or minor).

For more information, see Docker documentation: Docker Security Scanning ›

Note that multiple private repositories, parallel builds, and image security scanning are only available with paid subscriptions.

For more information, see Docker documentation: Docker Hub overview ›

Other public registries

Other companies host paid online Docker registries for public use. Cloud providers such as AWS and Google, which also offer container hosting services, market the high availability of their registries.

  • Amazon Elastic Container Registry (ECR) integrates with the AWS Identity and Access Management (IAM) service for authentication. It only supports private repositories and does not provide automated image builds.
  • Google Container Registry (GCR) authentication is based on permissions from Google’s Cloud Storage service. It only supports private repositories and provides automated image builds through integration with Google Cloud Source Repositories, GitHub, and Bitbucket.
  • Azure Container Registry (ACR) supports multi-region registries and authenticates with Active Directory. It only supports private repositories and does not provide automated image builds.
  • CoreOS Quay supports OAuth and LDAP authentication. It offers public repositories (free) and private repositories (paid), automatic security scanning, and automated image builds through integration with GitLab, GitHub, and Bitbucket.
  • Private Docker Registry supports OAuth, LDAP, and Active Directory authentication. It offers private and public repositories, free for up to 3 repositories (private or public).

Common operations with DockerHub

Common operations that use DockerHub include:

  • Log in to DockerHub: when you run docker login, you will be prompted for your DockerHub ID and password.
  • Search for an image in a public repository: use the docker search command with a search term to find all images in public repositories (including official ones) that match that term.
  • Pull an existing image: use docker pull and specify the name of the image. By default, the latest tag is retrieved, but this can be overridden by specifying a different tag/version. For example, to pull the (older) Ubuntu 14.04 image: docker pull ubuntu:14.04
  • Push a local image: you can push an image by running the docker push command. For example, to push the (latest) local version of my-image to my repository: docker push my-username/my-image
  • Create a new organization: this must be done from a browser. Go to DockerHub, click Organizations, then click Create Organization and fill in the required details.
  • Create a new repository: this must be done from a browser. Go to DockerHub, click the Create drop-down menu, and select Create Repository. Fill in the required details. You can now start pushing images to this repository.
  • Create an automated build: this must be done from a browser. First, link your GitHub or Bitbucket account to DockerHub by navigating to your profile settings and clicking Linked Accounts and Services. Select Public & Private Access (required) and authorize. Then click the Create drop-down menu, select Create Automated Build, and choose which source repository you want to build images from.

For more information, see Docker documentation: Docker Hub overview ›, Repositories in Docker Hub › and Set up automated builds in Docker Hub ›

Private registries

Use cases for running a local (internal to the organization) private registry include:

  • Distributing images within an isolated network (without sending images over the Internet)
  • Creating faster CI/CD pipelines (pulling and pushing images within the internal network), including faster deployments in on-premises environments
  • Deploying a new image to a large cluster of machines
  • Tight control over where images are stored

Running a private registry, especially when delivery to production depends on it, requires operational skills such as ensuring availability, logging and log processing, monitoring and security. A solid understanding of HTTP and network communications in general is also important.

Some vendors provide their own extensions to the open-source Docker registry. These can help alleviate some of the above operational concerns:

  • Docker Trusted Registry is the commercially supported version from Docker Inc, providing high availability through replication, image auditing, image signing and security scanning, and LDAP and Active Directory integration.
  • Harbor is an open-source offering from VMware that also provides high availability through replication, image auditing, and LDAP and Active Directory integration.
  • GitLab Container Registry is tightly integrated with the GitLab CI workflow, with minimal configuration.
  • JFrog Artifactory offers strong artifact management (not only Docker images but any artifact).

For more information, see Docker Documentation: About Registry ›

Common operations for managing a local registry

Common operations required to manage a local registry installation include:

  • Start the registry: the registry is itself a Docker image that must be run as a container using docker run. For example, to run with default settings and forward requests on host port 5001 to container port 5000 (the default port the registry listens on): docker run -d -p 5001:5000 --name registry registry:2

By default, registry data is kept in a Docker volume. To specify a particular storage location on the host (for example, an SSD or SAN file system), use the bind-mount option: -v <host location>:<container location>

  • Automatically restart the registry: to keep the registry running when the host reboots, or simply because the registry container stopped, add the --restart=always option to the command.
  • Stop the registry: stopping the registry is simply a matter of stopping the running registry container with the docker stop registry command. To actually remove the container, also run: docker rm -v registry

Note that the open-source Docker registry comes with a set of default settings for logging, storage, authentication, middleware, reporting, http, notifications, health checks, and more. These can be overridden individually by passing specific environment variables to the registry start command. For example, the following command instructs the registry to listen for requests on container port 5001 instead of the default port 5000.

docker run -d -e REGISTRY_HTTP_ADDR=0.0.0.0:5001 -p 5001:5001 --name registry registry:2

The other option is to completely override the configuration settings with a YAML file. It must also be mounted as a volume in the container, using an absolute host path (a bare relative name such as config.yml would be treated as a named volume rather than a file), for example: docker run -d -p 5001:5000 -v "$(pwd)/config.yml":/etc/docker/registry/config.yml --name registry registry:2

Bear in mind that the default configuration serves plaintext HTTP with no authentication, so anyone who can reach the published port can push and pull images. Before exposing a registry beyond localhost, configure TLS (http.tls) and an authentication method (for example auth.htpasswd or token auth) through the same environment variables or YAML file.

For more information, see Docker documentation: Deploy a registry server › and Configure a registry ›
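The environment-variable mechanism just described follows a fixed rule documented for the registry: REGISTRY_ followed by the YAML path in upper case, with one underscore per nesting level, so REGISTRY_HTTP_ADDR sets http.addr. The Python below is an added example written for this page, not code from Aqua Security or from the docker/distribution project. It applies a set of such overrides to a small stand-in for the image’s default configuration and then audits the result for the two settings a practitioner most wants to catch before publishing the port: no TLS and no authentication. The default-config excerpt, the certificate and htpasswd paths, and the audit rules are this example’s own assumptions, and the override model is simplified (configuration keys that themselves contain underscores are not handled).

```python
"""Model how the open-source registry applies REGISTRY_* environment
overrides to its YAML configuration, and audit the result for unsafe settings.

Added example for this page, not code from Aqua Security or from the
docker/distribution project. The override rule modelled is the documented
one: REGISTRY_<PATH>, each '_' descending one YAML level
(REGISTRY_HTTP_ADDR -> http.addr). The default config, the paths and the
audit rules are this example's own assumptions.
"""
import copy
from typing import Any, Dict, List

ENV_PREFIX = "REGISTRY_"

# Assumed stand-in for the image's default /etc/docker/registry/config.yml:
# plaintext HTTP on every interface, no auth section, filesystem storage.
DEFAULT_CONFIG: Dict[str, Any] = {
    "version": 0.1,
    "storage": {"filesystem": {"rootdirectory": "/var/lib/registry"}},
    "http": {"addr": "0.0.0.0:5000"},
}

# Constructed set of overrides of the kind passed with `docker run -e ...`;
# the certificate and htpasswd paths are illustrative, not from the page.
HARDENED_ENV: Dict[str, str] = {
    "REGISTRY_HTTP_TLS_CERTIFICATE": "/certs/registry.crt",
    "REGISTRY_HTTP_TLS_KEY": "/certs/registry.key",
    "REGISTRY_AUTH_HTPASSWD_REALM": "my-registry",
    "REGISTRY_AUTH_HTPASSWD_PATH": "/auth/htpasswd",
    "REGISTRY_STORAGE_DELETE_ENABLED": "true",
}

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]")


def _coerce(value: str) -> Any:
    """The registry reads env values as YAML scalars; cover bools and ints."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    try:
        return int(value)
    except ValueError:
        return value


def apply_env_overrides(config: Dict[str, Any], env: Dict[str, str]) -> Dict[str, Any]:
    """Return a copy of config with every REGISTRY_* variable applied.

    REGISTRY_HTTP_ADDR -> config["http"]["addr"], creating intermediate
    mappings as needed. Descending through an existing scalar is an error.
    """
    result = copy.deepcopy(config)
    for name, raw in sorted(env.items()):
        if not name.startswith(ENV_PREFIX):
            continue
        path = name[len(ENV_PREFIX):].lower().split("_")
        node = result
        for key in path[:-1]:
            child = node.get(key)
            if child is None:
                child = node[key] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"{name}: '{key}' holds a scalar, cannot descend")
            node = child
        node[path[-1]] = _coerce(raw)
    return result


def audit_registry_config(config: Dict[str, Any]) -> List[str]:
    """Flag settings that leave the registry exposed; an empty list is clean."""
    findings: List[str] = []
    http = config.get("http", {})
    tls = http.get("tls", {})
    if not (tls.get("certificate") and tls.get("key")):
        findings.append("http.tls: no certificate/key, clients will speak plaintext HTTP")
    addr = str(http.get("addr", ""))
    exposed = not addr.startswith(LOOPBACK_PREFIXES)
    if exposed and "auth" not in config:
        findings.append(f"auth: none configured, anyone reaching {addr} can push and pull")
    delete_enabled = config.get("storage", {}).get("delete", {}).get("enabled") is True
    if delete_enabled and "auth" not in config:
        findings.append("storage.delete.enabled: unauthenticated clients can also delete images")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG),
                       ("hardened", apply_env_overrides(DEFAULT_CONFIG, HARDENED_ENV))):
        print(label, audit_registry_config(cfg) or ["clean"])
```

Run against the defaults, audit_registry_config reports both plaintext HTTP and missing authentication; HARDENED_ENV is the shape of what to pass with docker run -e to clear both findings. Basic (htpasswd) authentication sends credentials in clear text, so Docker’s documentation requires TLS to be configured first, which is why the example sets the two together rather than enabling auth alone.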

Summary

A Docker registry is a system for versioning, storing, and distributing Docker images. DockerHub is the hosted registry used by default when installing the Docker engine, but other hosted registries are available for public use, such as AWS’s and Google’s own registries.

It is also possible to host a local registry for isolation and/or tighter integration with CI/CD workflows. Extensions to the open-source Docker registry, such as Docker’s own Trusted Registry or VMware’s Harbor, can help alleviate some of the operational burden of running a local registry.

Image repositories within a registry can be public (anyone can download them) or private (access restricted to the user or organization that owns them).

The following tutorial teaches you more about Docker registries:

Docker Security Scanning Tutorial by: Docker

Length: Short

It can help you learn: how to scan images in private repositories to verify that they are free of known vulnerabilities or security exposures, and report scan results for each image tag.

Tutorial steps:

  • Opt in to Docker Security Scanning
  • View the results of Docker Security Scanning
  • The Docker Security Scanning process
  • Frequently asked questions
