Managing Container Registries

Overview

Manage container registries across Docker Hub, AWS ECR, GCP Artifact Registry, Azure ACR, and self-hosted registries (Harbor, Nexus). Automate image tagging, lifecycle policies, cross-region replication, vulnerability scanning integration, and access control for container image storage and distribution.

Prerequisites

• Docker CLI installed and authenticated to the target registry
• Cloud provider CLI (aws, gcloud, az) for managed registries
• Registry credentials configured (docker login or credential helpers)
• Understanding of image naming conventions (registry/namespace/image:tag)
• IAM permissions for registry operations (push, pull, delete, admin)

Instructions

1. Identify the target registry type: ECR, Artifact Registry, ACR, Docker Hub, or self-hosted
2. Configure authentication: set up credential helpers for automated access (docker-credential-ecr-login, gcloud auth configure-docker)
3. Define image naming and tagging strategy: use semantic versioning for releases, git SHA for CI builds, latest only for development
4. Create repository/namespace structure organized by team, application, or environment
5. Configure lifecycle policies to auto-delete untagged images and images older than retention threshold (e.g., keep last 10 tagged images, delete untagged after 7 days)
6. Set up vulnerability scanning: enable automatic scanning on push (ECR scan-on-push, GCP Container Analysis)
7. Configure cross-region replication for disaster recovery and latency reduction
8. Implement access control: read-only for CI pull, push access for CI build agents, admin for operators
9. Generate Terraform/IaC for registry infrastructure and policies

Output

• Terraform/CloudFormation for registry creation with lifecycle and replication policies
• Docker credential helper configuration scripts
• CI/CD pipeline steps for building, tagging, and pushing images
• Lifecycle policy JSON (ECR) or cleanup scripts (Docker Hub, Harbor)
• RBAC configurations for registry access control

Error Handling

Error	Cause	Solution
denied: requested access to the resource is denied	Missing push/pull permissions or expired token	Re-authenticate with docker login or refresh credential helper; verify IAM policies
manifest unknown: manifest unknown	Image tag does not exist in the registry	Verify image name and tag; check if lifecycle policy deleted the image
no space left on device during push	Registry storage quota exceeded	Increase quota, run lifecycle cleanup, or delete unused images
unauthorized: authentication required	Credential helper not configured or token expired	Set up credential helper (aws ecr get-login-password, gcloud auth configure-docker)
toomanyrequests: rate limit exceeded	Docker Hub pull rate limit hit	Use authenticated pulls, mirror images to private registry, or upgrade Docker Hub plan

Examples

• "Set up an AWS ECR repository with scan-on-push enabled, lifecycle policy to keep last 20 tagged images, and cross-region replication to us-west-2."
• "Configure GCP Artifact Registry with Docker credential helper and a cleanup policy for images not pulled in 90 days."
• "Create a CI pipeline step that builds a Docker image, tags it with the git SHA and latest, pushes to ECR, and fails if Critical vulnerabilities are found."

Resources

• AWS ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/
• GCP Artifact Registry: https://cloud.google.com/artifact-registry/docs
• Azure ACR: https://learn.microsoft.com/en-us/azure/container-registry/
• Harbor registry: https://goharbor.io/docs/
• Docker Hub: https://docs.docker.com/docker-hub/