Container Registry

1. Overview

  • Container Registry is a private container image registry that runs on Google Cloud. 
  • Container Registry supports Docker Image Manifest V2 and OCI image formats.
  • Docker Hub is commonly used as a central registry for public Docker images.
  • To control access to images, use a private registry such as Container Registry.
  • Container Registry is accessed through secure HTTPS endpoints, which lets users push, pull, and manage images from any system, VM instance, or hardware.
  • Docker credential helper command-line tool can be used to configure Docker to authenticate directly with Container Registry.
  • Registries in Container Registry are named by hostname and project ID; the hostnames are gcr.io, us.gcr.io, eu.gcr.io, and asia.gcr.io.
  • Each hostname corresponds to a multi-region for Cloud Storage buckets.
  • When an image is first pushed to a hostname the project has not used before, Container Registry creates a storage bucket in that multi-region.
  • Cloud Storage bucket is the underlying storage for the registry. 
  • Within a project, all registries with the same hostname share one storage bucket.
  • A registry can contain many images, and each image may have many versions.
  • To identify a specific version of an image within a registry, specify the image's tag or digest.
  • A tag names at most one version of an image at a time, but tags are mutable: pushing with an existing tag moves it to the new version, so a tag such as :latest does not identify fixed contents.
  • Digests are generated automatically, are immutable, and are unique to a version of an image; they have the form [IMAGE]@sha256:[HASH], where [HASH] is the SHA-256 of the image manifest. Deployments and pipelines that must be reproducible should reference images by digest rather than by tag.
  • If a project is scoped to a domain, the project ID includes the domain name followed by a colon (:), for example example.com:my-project.
  • Because of how Docker treats colons, replace the colon with a forward slash when specifying an image path (including digest references) in Container Registry, so the image is addressed as gcr.io/example.com/my-project/[IMAGE].
  • https://[HOSTNAME]/[PROJECT-ID]/[IMAGE] is the URL for that image in the Cloud Console.
  • These links can be visited by any authenticated user who has permission to access the registry.
  • Container Registry stores tags and layer files for container images in a Cloud Storage bucket in the same project as the registry: artifacts.[PROJECT-ID].appspot.com for gcr.io, and [REGION].artifacts.[PROJECT-ID].appspot.com for the us, eu, and asia hosts.
  • Access to the bucket, and therefore to every image in every registry that shares the hostname, is configured with Cloud Storage identity and access management (IAM) settings; there is no per-image permission.
  • By default, project Owners and Editors have push and pull permission for the project's Container Registry bucket, and project Viewers have pull permission only.
  • These basic roles are broad; grant the narrowest Cloud Storage role that fits instead (Storage Object Viewer for pull-only consumers, Storage Object Admin for accounts that push), and review the bucket's IAM bindings when auditing who can read or replace images.
  • Before pushing or pulling images, configure authentication.
  • The simplest method is gcloud auth configure-docker, which configures Docker to use the gcloud command-line tool as the credential helper for the Container Registry hostnames.
  • Container Registry also supports advanced authentication methods using access tokens (user oauth2accesstoken with the output of gcloud auth print-access-token as the password) or service account JSON key files (user _json_key with the key file contents as the password).
  • Docker needs access to Container Registry to push and pull images.
  • Alternatively, use the standalone Docker credential helper, docker-credential-gcr, to configure Container Registry credentials for use with Docker.
  • The credential helper fetches Container Registry credentials, either automatically or from a location specified with its --token-source flag, and docker-credential-gcr configure-docker registers the helper under credHelpers in Docker's configuration file (~/.docker/config.json), so short-lived tokens are obtained on demand rather than a secret being stored in the file.
  • The Docker command-line tool, docker, can then be used to interact directly with Container Registry.
  • When the Container Registry API is enabled, Container Registry adds a service account to the project, named service-[PROJECT-NUMBER]@containerregistry.iam.gserviceaccount.com.
  • This service account lets Container Registry perform its service duties on the project.
  • Google owns the Container Registry service account, but it is specific to the project and is listed in the Service Accounts and IAM sections of the Cloud Console.
  • If the service account is deleted or its permissions are changed, certain Container Registry features stop working correctly, so do not modify its roles or delete it; when reviewing project IAM, treat it as an expected principal rather than a stray one.
  • The mirror.gcr.io registry is a global Container Registry mirror of Docker Hub's official repositories.
  • Using the mirror can speed up pulls of Docker Hub repositories; it is enabled by starting the Docker daemon with --registry-mirror=https://mirror.gcr.io.
  • When mirror.gcr.io is used, the client first attempts to pull Docker Hub official images from the Container Registry mirror and falls back to Docker Hub if the mirror does not have the image. The mirror serves the same content, so digest-pinned references resolve to the same image either way.
  • Pub/Sub can be used to get notifications about changes to container images; Container Registry publishes them to a topic named gcr in the project.
  • Compute Engine instances and Google Kubernetes Engine clusters can push and pull Container Registry images based on the Cloud Storage access scopes of the instance or node service account; the default read-only storage scope permits pull but not push.
  • Images stored in Container Registry can be deployed to the App Engine flexible environment.
  • Container Registry works with several popular continuous delivery systems and can be integrated with external services.
  • docker login can also be used to authenticate directly with Container Registry (for example docker login -u oauth2accesstoken or docker login -u _json_key with the corresponding password on stdin). Unless a credential store is configured, docker login writes the base64-encoded user:password pair to ~/.docker/config.json, so a JSON key used this way becomes a long-lived plaintext secret on disk; prefer the credential helper or short-lived access tokens on shared or long-lived hosts.
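As an added example (not code from this page or from Google), the following Python builds Container Registry image references as described in the naming bullets above, handling domain-scoped project IDs and the tag-versus-digest distinction, and checks a fetched manifest against a digest-pinned reference. The sample manifest is constructed for the example; the hostnames, the @sha256: digest format and the digest-is-SHA-256-of-the-manifest rule are as documented for Container Registry.

```python
import hashlib
import json
import re

# Container Registry hostnames; each maps to a Cloud Storage multi-region.
GCR_HOSTS = {"gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def gcr_project_path(project_id: str) -> str:
    """Domain-scoped project IDs ("example.com:my-project") cannot carry the
    colon in an image path, so it becomes a slash."""
    return project_id.replace(":", "/", 1)


def gcr_image_ref(hostname: str, project_id: str, image: str,
                  tag: str = None, digest: str = None) -> str:
    """Build [HOSTNAME]/[PROJECT-ID]/[IMAGE] with either :tag or @digest."""
    if hostname not in GCR_HOSTS:
        raise ValueError(f"not a Container Registry hostname: {hostname}")
    if tag and digest:
        raise ValueError("use a tag or a digest, not both")
    base = f"{hostname}/{gcr_project_path(project_id)}/{image}"
    if digest:
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
        return f"{base}@{digest}"
    if tag:
        return f"{base}:{tag}"
    return base  # Docker treats this as :latest, which is a mutable tag


def manifest_digest(manifest_bytes: bytes) -> str:
    """The image digest is the SHA-256 of the exact manifest bytes the
    registry serves; any whitespace or key-order change alters it."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def is_pinned(ref: str) -> bool:
    return "@sha256:" in ref


def verify_pulled_manifest(ref: str, manifest_bytes: bytes) -> bool:
    """Compare a fetched manifest against the digest in a pinned reference.
    A tag-only reference cannot be verified because the tag may have moved."""
    if not is_pinned(ref):
        raise ValueError(f"{ref} is not pinned by digest; tags are mutable")
    return manifest_digest(manifest_bytes) == ref.split("@", 1)[1]


# Constructed sample manifest (Docker Image Manifest V2, schema 2); not a real image.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1469, "digest": "sha256:" + "ab" * 32},
    "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 2811478, "digest": "sha256:" + "cd" * 32}],
}, separators=(",", ":"), sort_keys=True).encode()


if __name__ == "__main__":
    pinned = gcr_image_ref("gcr.io", "example.com:my-project", "app",
                           digest=manifest_digest(SAMPLE_MANIFEST))
    print(pinned)
    print("pinned manifest verifies:", verify_pulled_manifest(pinned, SAMPLE_MANIFEST))
    # A manifest that differs by one layer digest fails verification.
    tampered = SAMPLE_MANIFEST.replace(b"cd" * 32, b"ef" * 32)
    print("tampered manifest verifies:", verify_pulled_manifest(pinned, tampered))
```

The verification step is what a deploy pipeline should do after resolving an image: fetch the manifest for the pinned reference and confirm its SHA-256 matches before running it. A reference that carries only a tag offers nothing to compare against, which is why the function refuses it rather than silently passing.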
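A second added example, again not Google's or the page's own code: the credential-storage point above (docker login writing base64 credentials into ~/.docker/config.json, versus the credHelpers entries that gcloud auth configure-docker or docker-credential-gcr configure-docker install) as a small audit over a Docker configuration. The sample config, the redacted JSON key and the Docker Hub entry are constructed for the example; the auths/credHelpers layout is Docker's, and the helper names gcloud and gcr are the ones the two tools register.

```python
import base64
import json
from typing import List

# Hostnames that gcloud auth configure-docker registers by default.
GCR_HOSTS = ["gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"]


def _host_of(auth_key: str) -> str:
    """`auths` keys may be written as URLs or bare hosts; normalise to a host."""
    return auth_key.replace("https://", "").replace("http://", "").rstrip("/")


def find_static_gcr_credentials(config: dict) -> List[dict]:
    """Flag Container Registry entries under `auths`. `docker login` stores
    base64("user:password") there when no credential store is configured."""
    findings = []
    for key, entry in config.get("auths", {}).items():
        host = _host_of(key)
        if host not in GCR_HOSTS or not entry.get("auth"):
            continue
        try:
            user, _, secret = base64.b64decode(entry["auth"]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            findings.append({"host": host, "user": None, "kind": "undecodable auth value"})
            continue
        if user == "_json_key":
            kind = "service-account JSON key (long-lived, plaintext on disk)"
        elif user == "oauth2accesstoken":
            kind = "OAuth access token (short-lived, but plaintext on disk)"
        else:
            kind = "unrecognised static credential"
        findings.append({"host": host, "user": user, "kind": kind,
                         "secret_length": len(secret)})
    return findings


def configure_cred_helpers(config: dict, helper: str = "gcloud") -> dict:
    """Return a copy with a credHelpers entry per Container Registry host, as
    `gcloud auth configure-docker` does (use helper="gcr" for docker-credential-gcr),
    and with the static GCR `auths` removed so Docker asks the helper for a token."""
    new = json.loads(json.dumps(config))  # deep copy; the input is left untouched
    helpers = new.setdefault("credHelpers", {})
    for host in GCR_HOSTS:
        helpers.setdefault(host, helper)
    auths = new.get("auths", {})
    for key in [k for k in auths if _host_of(k) in GCR_HOSTS]:
        del auths[key]
    return new


# Constructed sample config.json: a JSON key used with `docker login -u _json_key`
# against gcr.io, plus an unrelated Docker Hub entry that must be left alone.
# The key material is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "my-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
})
SAMPLE_CONFIG = {
    "auths": {
        "https://gcr.io": {"auth": base64.b64encode(b"_json_key:" + SAMPLE_KEY.encode()).decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"someone:hunter2").decode()},
    }
}

if __name__ == "__main__":
    for f in find_static_gcr_credentials(SAMPLE_CONFIG):
        print(f"{f['host']}: user {f['user']} -> {f['kind']}")
    print(json.dumps(configure_cred_helpers(SAMPLE_CONFIG), indent=2))
```

Run the audit function over config.json on build agents and developer machines; a _json_key finding means a long-lived service account key is sitting in a world-readable-by-default dotfile and should be revoked, not just deleted from the file. The rewrite keeps non-GCR entries intact and only adds helper mappings that are not already present.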