TNS Research: Defining Container Registries
The New Stack has written about container registries in the past and will do so again. As vendors pitch their stories to us, we have been asking ourselves, is this a unique category, or just a functionality within a larger product?
This question came into focus while reviewing Codenvy’s updated container ecosystem map, which included a section called “Artifact and Image Registry.” That could be a very large space, depending on how it is defined. For example, Codenvy includes Twistlock in this category, although its primary function is to scan an image registry rather than store it. Furthermore, while repository manager Artifactory is included in Codenvy’s category, Sonatype is not, although it too can be integrated into a continuous delivery pipeline.
Narrowly speaking, Docker says its Registry 2.0 “is a storage and content delivery system, holding named Docker images, available in different tagged versions.” Parsing that definition a bit, an image registry is both a host and a server for container images. While not perfect, let’s use this as a working definition of a container registry.
Images can be hosted by a cloud provider or within a private data center. Either way, the cost of storing the images may be significant. Docker’s Trusted Registry can be used in both environments, while CoreOS’s Quay.io is a cloud-hosted version and its Enterprise Registry can be used on an enterprise’s own infrastructure. The table below provides several other examples.
A core component of the image registry is the actual registry server. The cost associated with maintaining a registry server is another consideration when selecting an image registry to use. Although the open source Docker Registry is technically free, it is often bundled with other services (e.g., Docker Distribution) or enhanced (e.g., VMware’s Harbor and SUSE’s Portus). One problem we have with the term “container registry” is that it is relatively easy to fold it into a product dealing with a larger scope of services. For example, although GitLab now includes Docker Registry in its offering, we wouldn’t include it in this category; instead, we’d classify it as a source code manager like its peers GitHub and Atlassian’s BitBucket. Similarly, Containers as a Service (CaaS) provider Alauda integrates image services with the customers’ continuous deployment pipelines. AWS and Google both bundle a branded registry into their CaaS offerings.
A secure hosting environment prevents third parties from threatening image integrity and addresses certain other aspects of security. Controlling which people and services have access to the images is another aspect of a secure image registry. Access control differentiates public registries like Docker Hub from a private registry like that offered by FlawCheck. Another characteristic of many private registries is that they scan images and verify their integrity. FlawCheck does this, along with many other services.
Although this article treats vulnerability scanning as a separate service, we’d be remiss not to name the following image-scanning tools: BanyanOps, Docker Security Scanning, Clair from CoreOS, the Vulnerability Advisor capability within IBM’s Containers on Bluemix, Twistlock Trust, and Aqua Security’s Peekr.
Container Image Registries
| Product | Vendor | Description |
|---|---|---|
| EC2 Container Registry | AWS | A fully-managed container registry to store, manage, and deploy Docker container images. It is included in ECS and integrates with AWS Identity and Access Management. |
| Enterprise Registry | CoreOS | Provides a secure registry on an enterprise’s infrastructure. |
| Quay.io | CoreOS | Provides secure hosting for private Docker repositories. |
| Docker Distribution | Docker | A toolset to pack, ship, store and deliver content. It supersedes the docker/docker-registry project. Its main product is the Docker Registry 2.0 implementation for storing and distributing Docker images. |
| Docker Hub | Docker | A cloud-based registry service for building and shipping application or service containers. It provides a centralized resource for container image discovery, distribution and change management. |
| Docker Trusted Registry | Docker | Allows users to store and manage Docker images on premise or in a virtual private cloud. |
| Dockyard | N/A | An image hub for Docker, rkt or other container engines. |
| FlawCheck | FlawCheck | Provides secure, private Docker image storage on AWS. FlawCheck Private Registry inspects containers for vulnerabilities and malware. |
| Google Container Registry | Google | A cloud-hosted container registry, which hosts Docker containers. |
| Private Image Registry Service | IBM | IBM Containers on Bluemix provides a private Docker image registry service for hosting private images. The private registry supports group access policies to allow teams to share private images. |
| Portus | SUSE | Portus acts both as an authorization server and user interface for Docker Registry (v2). |
| Harbor | VMware | Project Harbor is an enterprise-class registry server. It extends the open source Docker Registry server by adding functionality usually required by an enterprise. Harbor is designed to be deployed in an organization’s private environment. |
As stated earlier, container registries are being packaged as part of larger deployment pipelines. In these cases, they are being positioned as just another artifact repository. Thus, Artifactory is included as part of Mesosphere’s Velocity, and Nexus is being pushed as a Docker Hub alternative. As can be seen in the chart below, 80 percent of Docker users consider it to be a packaging format. If this is the case, perhaps image registries are just another type of package manager. See this CloudMunch article for more discussion about whether DevOps should think of its processes as being image-driven or build-driven.
Although container registries are not by themselves storage or security for containers, expect to read about how they fit into the larger picture in the upcoming fourth installment of our ebook series.
Feature Image: Wiggins Branch of the Forrest County Cooperative, via New Old Stock.