Container registries provide a storage location for inactive container images, protecting them and allowing administrators to set policies for managing the images.
Containers, which are lightweight packages that contain all the dependencies required to run an application, can be run in multiple environments and transferred between them. Container registries hold repositories that store container images when they’re not being actively run, and they provide features that let developers automate their container management practices.
See below to learn all about container registry technology and the top container registry providers in the market:
Choosing the right container registry provider
- Top container registry providers
- Container registry comparison
- Container registry features
- Container registry benefits
- Container registry use cases
- What to look for in container registry software
Top container registry providers
Azure Container Registry
Azure Container Registry is a storage solution offered by cloud provider Microsoft Azure. It supports both Docker and Open Container Initiative (OCI) images. Azure also supports all other OCI artifacts, like non-container images stored in a registry. Admins are able to push and pull artifacts to and from an Azure registry.
Azure Container Registry can be connected to Azure Kubernetes Service and Azure Red Hat OpenShift, two other container solutions. When Azure Kubernetes Service and Azure Container Registry are both running on Azure Stack Hub, users can deploy stored container images to run in AKS.
Geo-replication allows enterprises to replicate registries to other Azure geographic regions, so images can be pulled in the region closest to their container host. The physical proximity may reduce data transfer costs; it also helps resilience if one region has an outage.
Azure has three per-day pricing tiers:
- Basic: $0.167, 10 GB storage
- Standard: $0.667, 100 GB storage
- Premium: $1.667, 500 GB storage

Key features:
- Integrations with other Azure container solutions
- Geo-replication of registries for increased resilience
- Support for Docker and OCI images and OCI artifacts
Docker Hub
Docker Hub is a free, hosted container library for businesses that don’t want to pay for or manage a container registry. It’s ideal for developers who want to collaborate with each other: Docker Hub allows software engineers to publicly share container images and communicate with other developers. But if your company wants more security for container images or doesn’t plan to share with external developers, it can pay the subscription for a private Docker Hub plan.
Hub users also have access to quality images officially provided by Docker. Additionally, they can push and pull images from external vendors whose image quality has been verified by Docker. Consider Docker Hub if your enterprise mainly uses Docker images and your developers want to access community container resources, especially ones with previously verified quality.
Docker offers three paid enterprise plans: Pro, Team, and Business. These include access to Hub.
Key features:
- Free for small businesses and public container image storage
- Access to official Docker images and verified external vendor images
- Integration with Bitbucket and GitHub
Red Hat Quay
Red Hat offers Quay, a private container registry, for customers’ images and provides integrations with development tools, like GitHub and Bitbucket. Users can deploy new containers by pulling data from these repositories. Red Hat keeps a history of repository tags for two weeks, which developers can use to roll back to a particular image version. If a dev team decides they want to use the version of an image that was changed five days ago in the repository, they can use the tags to do so.
Red Hat uses third-party integrations to scan container images for vulnerabilities. For authentication and access control, Red Hat allows businesses to use existing protocols, like Lightweight Directory Access Protocol (LDAP) and Open Authorization (OAuth), and also to create permissions for teams to access repositories.
Red Hat supports multiple storage back ends for storing containers. For audits, Quay creates logs of control plane and data plane events, application programming interface (API) actions, and user interface (UI) actions. This increases visibility for admins to see what changes have been made to repositories or images.
Enterprise pricing for Quay is available by contacting Red Hat’s sales team.
Key features:
- Geo-replication for increased resilience
- Integrations with GitHub and Bitbucket
- Audit logs of control plane, data plane, and API events
Amazon Elastic Container Registry
Amazon Elastic Container Registry, or ECR, is a registry service provided by AWS. AWS offers a free tier of the registry that provides up to 500 MB of private repository storage. ECR is fully managed and allows dev teams to write code, package it as a Docker image, and store it in the registry. Teams can pull containers from the registry to run in Amazon Elastic Kubernetes Service (EKS) and Elastic Container Service (ECS).
With ECR, developers can set automatic policies that dictate how long a container image should be stored, based on the most accurate version. ECR supports private container registries with permissions that use AWS identity and access management (IAM) to dictate user access to resources. Users and EC2 instances with permission receive access to the images within the repositories.
Cross-region replication allows businesses to replicate their repositories in another region to protect their container images in case the storage in their region fails. This setting is configured separately for each region.
After the free tier limits, storage in private repositories is $0.10/GB/month. Users also pay for data transfer from pushed and pulled images; costs vary based on region.
Key features:
- Available integrations with Amazon EKS and ECS
- Automated storage policies for image versions
- AWS IAM for user access to private registries
Harbor Container Registry
Harbor is an open-source container registry that runs on Kubernetes environments and systems that support Docker. Harbor uses open-source third-party solutions Trivy and Clair to perform static vulnerability scans on container images and artifacts. The vulnerabilities column within a chosen repository lists the scanning status of each artifact. Admins can select one artifact to scan or select all the artifacts in the repository. Harbor has six different colors that indicate whether a vulnerability has been detected and its severity.
Harbor’s integrations with Notary and Cosign give more assurance that images pulled from the registry are authentic: both tools sign container images and artifacts and verify those signatures. Admins can set Harbor to only pull images verified by one or both of the tools.
Harbor’s documentation lists what permissions users have, depending on their role in a registry project, so admins know exactly what each member is able to view. Harbor gives businesses multiple options for authentication: database authentication is managed directly within Harbor; LDAP/Active Directory authentication is managed through an external LDAP or AD provider; and OIDC Provider authentication is managed by an external OIDC provider.
Key features:
- Integrations with open-source vulnerability scanners and detailed vulnerability records
- Integrations with signature verification tools
- Multiple options for user authentication
Container registry comparison
| Provider | Free (tier or solution) | Integration with GitHub or Bitbucket | Supports OCI artifacts |
|---|---|---|---|
| Azure Container Registry | X | ✅ | ✅ |
| Red Hat Quay | X | ✅ | ✅ |
| Harbor Container Registry | ✅ | ✅ | ✅ |
Container registry features
- Offering both public and private registries: Generally, companies should choose private registries, which provide greater security for their container images.
- Storing multiple versions of container images: If an enterprise wants to return to a previous state of an image, its engineers can pull that image from registry storage.
- Integrating with other development tools: GitHub and Bitbucket, where developers collaborate on code within repositories, are popular examples.
- Authenticating registry users: Data within containers should be protected, which means restricting user access to images and verifying user identities.
Container registry benefits
Increased development flexibility: Registries help developers reap the benefits of container flexibility: images can be pulled from a registry and run in multiple environments. Because containers package all of an application’s dependencies in one isolated location, they can run on multiple operating systems. This flexibility helps businesses and teams that use different operating systems and platforms run critical workloads.
Streamline development workflow: Registry integrations with development tools, like GitHub, give dev teams the convenience of working on code in a separate repository and then pushing it to the container registry. Integrations with other software give developers more flexibility in creating and storing container images.
Speed deployment: Developers can tighten deployment windows for container applications with capabilities such as single command deployment and local pull notifications.
Container registry use cases
“With its standardized architecture and virtualized, automated testing environment, the VW Group reduced costs for system tests by 50%. It also improved cross-team and partner collaboration with its new platform and agile processes. The group plans to enhance and expand its Red Hat software environment to support current and future innovation. It is evaluating the creation of an end-to-end integration test process for its Car.Software organization, with a goal to move from code commit to deployment in customer cars in just 24 hours.” – case study of the Volkswagen Group Electric Development department, using Red Hat solutions, including Quay container registry
“The system platform containerizes applications by service and function and manages them on Azure Kubernetes Service (hereafter, AKS), which is a Kubernetes managed service. The core engines of the e-services are geocoding and geospatial information retrieval, which also run as container applications.” -Koji Kagaya, senior engineer at UPWARD, in a case study on Azure services and how they assisted UPWARD in updating its infrastructure, including automated application deployment with Azure Container Registry and GitHub to “reduce work load and ensure scalability.”
What to look for in container registry software
Look for container registry security features based on your business requirements. If your enterprise is in an industry like health care or financial services and will be running critical applications in containers, choose a registry that will store images using additional security features.
Choose a provider that supports configurable and flexible access controls. Containers can hold important application data, and your company should restrict who has access to them.
If your dev teams design and share container images within a tool like GitHub or Bitbucket, choose a solution that integrates with one or more, so developers can continue working in applications they already use to develop containers.