Docker Hub and Registries
Docker registries store and distribute container images. Docker Hub is the default public registry, but many organizations use private registries for proprietary images.
What is a Registry?
A registry is a storage and distribution service for Docker images. It's like a package repository (npm, PyPI) but for container images.
┌─────────────────────────────────────────────────────────────┐
│                       Docker Registry                       │
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────┐    │
│  │ nginx         │  │ redis         │  │ postgres      │    │
│  │ :latest       │  │ :alpine       │  │ :15           │    │
│  │ :1.25         │  │ :7.2          │  │ :14           │    │
│  └───────────────┘  └───────────────┘  └───────────────┘    │
│                                                             │
│  ┌───────────────┐  ┌───────────────┐  ┌───────────────┐    │
│  │ myorg/app     │  │ myorg/api     │  │ myorg/web     │    │
│  │ :v1.0         │  │ :prod         │  │ :staging      │    │
│  └───────────────┘  └───────────────┘  └───────────────┘    │
└─────────────────────────────────────────────────────────────┘
Docker Hub
Docker Hub (hub.docker.com) is the largest and default registry:
Features
- Official Images: Curated images from Docker and partners
- Verified Publishers: Images from verified software vendors
- Community Images: User-contributed images
- Automated Builds: Build images from source repositories
- Webhooks: Trigger actions when images are pushed
Account Types
| Type | Repositories | Pulls | Features |
|---|---|---|---|
| Free | Unlimited public, 1 private | Limited | Basic |
| Pro | Unlimited public & private | Higher | Advanced |
| Team | Unlimited | Higher | Collaboration |
Searching for Images
Using Docker Hub Website
- Visit hub.docker.com
- Search for the image you need
- Check: stars, pulls, last updated, official status
- Review documentation and tags
Using the CLI
# Search for images
docker search nginx
# Output:
NAME DESCRIPTION STARS OFFICIAL
nginx Official build of Nginx. 18945 [OK]
bitnami/nginx Bitnami nginx Docker Image 150
linuxserver/nginx An Nginx container... 189
# Limit results
docker search --limit 5 python
# Filter by stars
docker search --filter stars=100 mysql
Pulling Images
Download images from a registry:
# Pull latest tag (default)
docker pull nginx
# Pull specific tag
docker pull nginx:1.25
# Pull specific digest
docker pull nginx@sha256:abc123...
# Pull from different registry
docker pull gcr.io/google-containers/nginx
# Pull all tags (use carefully!)
docker pull -a nginx
Pull Process
1. Docker contacts registry
2. Registry returns image manifest
3. Docker checks local cache for layers
4. Downloads only missing layers
5. Assembles image locally
Pushing Images
Upload images to a registry:
# 1. Log in to Docker Hub
docker login
# 2. Tag your image with your username
docker tag myapp:latest username/myapp:v1.0
# 3. Push to registry
docker push username/myapp:v1.0
# Push all tags
docker push -a username/myapp
Naming for Push
Images must be named correctly for their destination:
# Docker Hub (default)
username/repository:tag
# Private registry
registry.example.com/repository:tag
# Cloud registries
gcr.io/project-id/image:tag # Google
account-id.dkr.ecr.region.amazonaws.com/image:tag # AWS
registry-name.azurecr.io/image:tag # Azure
Authentication
# Login to Docker Hub
docker login
# Enter username and password
# Login to private registry
docker login registry.example.com
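# Login with credentials directly (less secure: the password ends up in shell history and the process list)
docker login -u username -p password
# Login with token (recommended for CI/CD)
echo "$DOCKER_TOKEN" | docker login -u username --password-stdin
# View stored credentials (without a credential helper they are only base64-encoded, not encrypted)
cat ~/.docker/config.json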
# Logout
docker logout
docker logout registry.example.com
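What the stored-credentials file reveals depends on whether a credential helper is configured. The following is an added example, not part of the original page: a Python check that lists registries whose credentials sit inline in a Docker config file. The function name and the sample config are constructed for illustration.

```python
import base64
import json

def audit_docker_config(text: str) -> list:
    """Return (registry, username, issue) for each credential stored inline."""
    cfg = json.loads(text)
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        blob = entry.get("auth")
        if not blob:
            continue  # empty entry: the secret lives in a credential helper
        # "auth" is base64("username:secret"); report the user, never the secret.
        user = base64.b64decode(blob).decode("utf-8", "replace").partition(":")[0]
        findings.append((registry, user, "base64-encoded credential in config.json"))
    if findings and not (cfg.get("credsStore") or cfg.get("credHelpers")):
        findings.append(("*", "", "no credsStore or credHelpers configured"))
    return findings

# Constructed sample: one inline credential, one entry backed by a helper.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"username:constructed-token").decode()
        },
        "registry.example.com": {},
    },
    "credHelpers": {"registry.example.com": "pass"},
})

if __name__ == "__main__":
    for registry, user, issue in audit_docker_config(SAMPLE_CONFIG):
        print(f"{registry}: {issue} (user: {user or 'n/a'})")
```

Any registry this reports should have its token rotated after a credential helper is configured, since the old value was readable by anything with access to the file.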
Private Registries
Popular Options
| Registry | Provider | Best For |
|---|---|---|
| Amazon ECR | AWS | AWS-integrated deployments |
| Google GCR | Google Cloud | GCP workloads |
| Azure ACR | Microsoft | Azure deployments |
| GitHub Packages | GitHub | GitHub-integrated workflows |
| GitLab Registry | GitLab | GitLab CI/CD |
| Harbor | Self-hosted | Enterprise on-premises |
Using Private Registries
# AWS ECR
aws ecr get-login-password | docker login --username AWS --password-stdin 123456.dkr.ecr.us-east-1.amazonaws.com
# Google GCR
gcloud auth configure-docker
docker push gcr.io/my-project/my-image:tag
# Azure ACR
az acr login --name myregistry
docker push myregistry.azurecr.io/my-image:tag
Running Your Own Registry
Docker provides an official registry image:
# Start a local registry (no authentication or TLS by default; port 5000 is published on all host interfaces)
docker run -d -p 5000:5000 --name registry registry:2
# Tag an image for local registry
docker tag myapp localhost:5000/myapp:v1.0
# Push to local registry
docker push localhost:5000/myapp:v1.0
# Pull from local registry
docker pull localhost:5000/myapp:v1.0
Persistent Registry with Storage
docker run -d \
-p 5000:5000 \
--name registry \
-v /path/to/registry:/var/lib/registry \
registry:2
Image Tags Best Practices
Semantic Versioning
myapp:1.0.0 # Major.Minor.Patch
myapp:1.0 # Major.Minor
myapp:1 # Major only
Environment Tags
myapp:latest # Most recent build
myapp:stable # Production-ready
myapp:dev # Development version
myapp:staging # Staging environment
Git-Based Tags
myapp:main # Main branch
myapp:abc1234 # Git commit SHA
myapp:pr-123 # Pull request build
Avoid These Mistakes
- Don't rely solely on the latest tag
- Don't overwrite existing version tags
- Don't use mutable tags in production
- Do use digests for production deployments
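The naming rules under Naming for Push and the tag advice above can be checked mechanically. The following is an added example, not part of the original page: a simplified Python parser for image references that flags references not pinned by digest or hosted outside an allowlist. The function names, the allowlist and the set of tags treated as mutable are assumptions for illustration.

```python
import re
from typing import NamedTuple, Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Assumption: tags from this page's lists that are routinely re-pointed.
MUTABLE_TAGS = {"latest", "stable", "dev", "staging", "prod", "main"}

class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

def parse_ref(ref: str) -> ImageRef:
    """Simplified version of Docker's reference normalization."""
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first component is a registry host only if it looks like one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name  # Docker Hub is the default
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:  # a tag lives in the last component
        path, tag = path.rsplit(":", 1)
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # official images
    if tag is None and not digest:
        tag = "latest"  # implicit default tag
    return ImageRef(registry, path, tag, digest or None)

def audit(ref: str, allowed_registries: set) -> list:
    """Return policy findings for one image reference (empty list = OK)."""
    r = parse_ref(ref)
    findings = []
    if r.registry not in allowed_registries:
        findings.append(f"registry {r.registry} is not in the allowlist")
    if r.digest is None:
        kind = "mutable tag" if r.tag in MUTABLE_TAGS else "tag"
        findings.append(f"{kind} '{r.tag}' is not pinned by digest")
    elif not DIGEST_RE.match(r.digest):
        findings.append(f"malformed digest {r.digest}")
    return findings

if __name__ == "__main__":
    pinned = "nginx@sha256:" + "0" * 64  # constructed placeholder digest
    for ref in ["nginx", "username/myapp:v1.0", "localhost:5000/myapp:v1.0",
                "gcr.io/google-containers/nginx", pinned]:
        print(ref, "->", audit(ref, {"docker.io", "localhost:5000"}) or "OK")
```

Run over the image references in deployment manifests, a check like this catches an implicit latest tag before it reaches production.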
Registry Security
Access Control
- Use private repositories for sensitive images
- Implement role-based access control
- Rotate access tokens regularly
Image Scanning
# Docker Hub automatic scanning
# Enable in repository settings
# Scan locally with Docker Scout
docker scout cves myimage:tag
Content Trust
# Enable image signing
export DOCKER_CONTENT_TRUST=1
# Now only signed images can be pulled/pushed
docker pull nginx # Verifies signatures
Key Takeaways
- Docker Hub is the default public registry
- Use docker search and docker pull to find and download images
- Log in with docker login before pushing images
- Tag images correctly for their destination registry
- Private registries offer better control for organizations
- Follow tagging conventions for versioning
- Enable image scanning for security
- Consider running your own registry for full control

