Managing Container Registries
Overview
Manage container registries across Docker Hub, AWS ECR, GCP Artifact Registry, Azure ACR, and self-hosted registries (Harbor, Nexus). Automate image tagging, lifecycle policies, cross-region replication, vulnerability scanning integration, and access control for container image storage and distribution.
Prerequisites
- Docker CLI installed and authenticated to the target registry
- Cloud provider CLI (
aws,gcloud,az) for managed registries - Registry credentials configured (
docker loginor credential helpers) - Understanding of image naming conventions (registry/namespace/image:tag)
- IAM permissions for registry operations (push, pull, delete, admin)
Instructions
- Identify the target registry type: ECR, Artifact Registry, ACR, Docker Hub, or self-hosted
- Configure authentication: set up credential helpers for automated access (
docker-credential-ecr-login,gcloud auth configure-docker) - Define image naming and tagging strategy: use semantic versioning for releases, git SHA for CI builds,
latestonly for development - Create repository/namespace structure organized by team, application, or environment
- Configure lifecycle policies to auto-delete untagged images and images older than retention threshold (e.g., keep last 10 tagged images, delete untagged after 7 days)
- Set up vulnerability scanning: enable automatic scanning on push (ECR scan-on-push, GCP Container Analysis)
- Configure cross-region replication for disaster recovery and latency reduction
- Implement access control: read-only for CI pull, push access for CI build agents, admin for operators
- Generate Terraform/IaC for registry infrastructure and policies
Output
- Terraform/CloudFormation for registry creation with lifecycle and replication policies
- Docker credential helper configuration scripts
- CI/CD pipeline steps for building, tagging, and pushing images
- Lifecycle policy JSON (ECR) or cleanup scripts (Docker Hub, Harbor)
- RBAC configurations for registry access control
Error Handling
| Error | Cause | Solution |
|---|---|---|
denied: requested access to the resource is denied |
Missing push/pull permissions or expired token | Re-authenticate with docker login or refresh credential helper; verify IAM policies |
manifest unknown: manifest unknown |
Image tag does not exist in the registry | Verify image name and tag; check if lifecycle policy deleted the image |
no space left on device during push |
Registry storage quota exceeded | Increase quota, run lifecycle cleanup, or delete unused images |
unauthorized: authentication required |
Credential helper not configured or token expired | Set up credential helper (aws ecr get-login-password, gcloud auth configure-docker) |
toomanyrequests: rate limit exceeded |
Docker Hub pull rate limit hit | Use authenticated pulls, mirror images to private registry, or upgrade Docker Hub plan |
Examples
- "Set up an AWS ECR repository with scan-on-push enabled, lifecycle policy to keep last 20 tagged images, and cross-region replication to us-west-2."
- "Configure GCP Artifact Registry with Docker credential helper and a cleanup policy for images not pulled in 90 days."
- "Create a CI pipeline step that builds a Docker image, tags it with the git SHA and
latest, pushes to ECR, and fails if Critical vulnerabilities are found."
Resources
- AWS ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/
- GCP Artifact Registry: https://cloud.google.com/artifact-registry/docs
- Azure ACR: https://learn.microsoft.com/en-us/azure/container-registry/
- Harbor registry: https://goharbor.io/docs/
- Docker Hub: https://docs.docker.com/docker-hub/