Oracle Cloud Infrastructure Registry is an Oracle-managed registry that helps you simplify your development-to-production workflow. Registry makes it easy for you as a developer to store, share, and manage development artifacts like Docker images. And the highly available and scalable architecture of Oracle Cloud Infrastructure (OCI) ensures that you can reliably deploy your applications. You don’t have to worry about operational issues or scaling the underlying infrastructure.
You can use Registry as a private Docker registry for internal use, pushing and pulling Docker images to and from Registry by using the Docker V2 API and the standard Docker CLI. You can also use Registry as a public Docker registry, which lets any user who has internet access and the appropriate URL pull images from public repositories in Registry.
Registry supports private access from other OCI resources in a virtual cloud network (VCN) in the same region through a service gateway. Setting up and using a service gateway on a VCN lets resources (such as worker nodes in clusters managed by Container Engine for Kubernetes) access OCI services such as Registry without exposing them to the public internet. No internet gateway is required, and resources can be in a private subnet and use only private IP addresses.
The following diagram shows a logical representation of Registry.
Figure 1: Logical diagram of Registry
To use Oracle Cloud Infrastructure Registry, you must be part of the admin group or part of a group to which a policy grants the appropriate permissions. Let’s look at the policies, using some example group names.
The following policy lets anyone in the acme-viewers group see a list of all the repositories (repos) in Registry that belong to the tenancy:
allow group acme-viewers to inspect repos in tenancy
The following policy lets anyone in the acme-managers group perform any operation on any repo in Registry that belongs to the tenancy (for example, pull an image, push an image, or create or delete a repo):
allow group acme-managers to manage repos in tenancy
Note: Registry repos are tenancy-level resources. Policies that control access to them must go in the root compartment (that is, the tenancy).
To push or pull an image, users must have an OCI username and auth token.
Oracle Cloud Infrastructure Registry repos can be private or public. Any user who has internet access and the appropriate URL can pull images from a public repo in Registry.
A repo exists within a particular region and tenancy. When you refer to the tenancy that owns a repo, you specify the tenancy’s namespace. The namespace is an auto-generated, random string of alphanumeric characters. For example, the namespace of the acme-dev tenancy might be ansh81vru1zp.
Note: For some older tenancies, the namespace string might be the same as the tenancy name in all lowercase letters (for example, acme-dev). To find out the namespace of the current tenancy, open the Profile menu in the OCI Console and click Tenancy.
If you push an image and include the name of a repo that doesn’t exist, a new private repo is automatically created. For example, if you enter the command docker push iad.ocir.io/ansh81vru1zp/project02/acme-web-app:7.5.2 and the project02 repo doesn’t exist, a private repo named project02 is created.
If you push an image and don’t include a repo name, the image’s name is used as the name of the repo. For example, if you enter a command like docker push iad.ocir.io/ansh81vru1zp/acme-web-app:7.5.2, which doesn’t contain a repo name, the image’s name (acme-web-app) is used as the name of a private repo.
Alternatively, you can use the Console to create an empty repo. If you belong to the tenancy’s Administrators group or have been granted the REPOSITORY_MANAGE permission, you can also specify whether the repo is private or public. Any images that you then push to Registry that include that repo in the image name are pushed to that repo.
To create a repo in Oracle Cloud Infrastructure Registry, follow these steps:
1. In the Console’s navigation menu, go to Developer Services and click Container Registry.
2. Choose the region in which to create the repo.
3. Click Create Repository.
4. In the Create Repository dialog box, enter a name for the repo and specify whether the repo will be public or private. You can make the repo public only if you belong to the tenancy’s Administrators group or have been granted the REPOSITORY_MANAGE permission.
   - If you make the repo public, any user who has internet access and the appropriate URL can pull images from the repo.
   - If you make the repo private, you (and users who belong to the tenancy’s Administrators group) can perform any operation on the repo.
5. Click Submit.

The following image shows an example of the steps in this task.
Figure 2: Creating a repo
You use the Docker CLI to push images to and pull images from Oracle Cloud Infrastructure Registry.
To push an image, you first use the docker tag command to create a copy of the local source image as a new image (the new image is just a reference to the existing source image). As a name for the new image, you specify the fully qualified path to the target location in Registry where you want to push the image, optionally including the name of a repo.
First, create the auth token that you need to push a Docker image to the repo.
Now, let’s build a Docker image by using a sample Python Flask application and then push it to Registry. We use Oracle Cloud Infrastructure Cloud Shell to do this.
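Clone the sample application and change into its directory:
git clone https://github.com/stretchcloud/flask-rate-limiter-cors-auth
cd flask-rate-limiter-cors-auth
This directory contains a Dockerfile. Build the image:
docker build -t flaskapp:latest .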
Log in to Registry by entering docker login <region-key>.ocir.io, where region-key corresponds to the key for the Registry region that you’re using. For example, docker login iad.ocir.io. See Availability by Region.
Tag the image that you want to push:
docker tag image-id target-tag
For example, you might enter:
docker tag 35255459d043 phx.ocir.io/intprasenjits/demoproject/flaskapp:latest
List the local images by entering docker images. Verify that the list of images includes an image with the tag that you specified. The following screenshot shows an example.
Push the image:
docker push target-tag
For example:
docker push phx.ocir.io/intprasenjits/demoproject/flaskapp:latest
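The naming rules and the push steps described above, combined into shell helpers. This is an added example, not code from the original post; the function names, the OCIR_TOKEN_FILE variable and the usage values are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names, OCIR_TOKEN_FILE and sample values are
# assumptions made for illustration; they are not part of OCI or Docker.

# Build region-key.ocir.io/tenancy-namespace/[repo-name/]image-name:tag.
# Pass "" as the repo to get the form without a repo name.
ocir_ref() {
  local LC_ALL=C region="$1" namespace="$2" repo="$3" image="$4" tag="$5" part
  for part in "$region" "$namespace" "$image" "$tag"; do
    [ -n "$part" ] || { echo "ocir_ref: missing field" >&2; return 1; }
  done
  # Docker repository paths are lowercase; reject anything else before tagging.
  case "$namespace$repo$image" in
    *[!a-z0-9._/-]*) echo "ocir_ref: invalid character in path" >&2; return 1 ;;
  esac
  printf '%s.ocir.io/%s/%s%s:%s\n' \
    "$region" "$namespace" "${repo:+$repo/}" "$image" "$tag"
}

# Name of the private repo a push creates if it does not already exist,
# following the two rules stated on this page.
ocir_implied_repo() {
  local path="${1#*.ocir.io/}"   # drop the registry host
  path="${path#*/}"              # drop the tenancy namespace
  path="${path%%:*}"             # drop the tag
  case "$path" in
    */*) printf '%s\n' "${path%%/*}" ;;  # explicit repo name
    *)   printf '%s\n' "$path" ;;        # image name doubles as repo name
  esac
}

# Log in, tag and push. The auth token is read from OCIR_TOKEN_FILE and
# passed on stdin, so it never lands in shell history or the process list.
# $3 is the Registry login name (tenancy-namespace/username).
ocir_push() {
  local source_image="$1" target="$2" user="$3"
  docker login -u "$user" --password-stdin "${target%%/*}" \
    < "$OCIR_TOKEN_FILE" || return 1
  echo "push may create private repo: $(ocir_implied_repo "$target")" >&2
  docker tag "$source_image" "$target" && docker push "$target"
}

# Usage (run where Docker is available, for example Cloud Shell):
#   OCIR_TOKEN_FILE=~/.ocir_token
#   ocir_push flaskapp:latest \
#     "$(ocir_ref phx intprasenjits demoproject flaskapp latest)" \
#     '<tenancy-namespace>/<username>'
```

Unless a credential helper is configured, docker login still stores the credential in ~/.docker/config.json, so protect or remove that file on shared hosts.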
To pull the image, you use the same Docker CLI:
docker pull region-key.ocir.io/tenancy-namespace/repo-name/image-name:tag
For example:
docker pull phx.ocir.io/intprasenjits/demoproject/flaskapp:latest
Run the container:
docker run -d -p 5000:5000 phx.ocir.io/intprasenjits/demoproject/flaskapp
Access the application endpoint:
curl -X GET -H "Content-type: application/json" http://127.0.0.1:5000/ping
That’s how easy it is to use Registry to store your private container images securely and then run them anywhere you want. You can even use the same repo and image to deploy the application on top of Container Engine for Kubernetes. For that, you need to create a secret within Kubernetes by using the auth token, and go from there. To learn more about that, see the documentation.
This post gave you an overview of Oracle Cloud Infrastructure Registry, which is a free service. That means you don’t need to pay for the images that you store in Registry. This post also described how you can create a Docker container image and push and pull that image from Registry securely.
Every use case is different. The only way to know if Oracle Cloud Infrastructure is right for you is to try it. You can select either the Oracle Cloud Free Tier or a 30-day free trial, which includes US$300 in credit to get you started with a range of services, including compute, storage, and networking.