07 — Registry & Image Management
Docker Hub
```bash
# Login
docker login

# Push image
docker tag my-app:latest username/my-app:1.0.0
docker push username/my-app:1.0.0

# Pull image
docker pull username/my-app:1.0.0
```
Private Registries
| Registry | Provider | Best For |
|---|---|---|
| ECR | AWS | AWS workloads |
| ACR | Azure | Azure workloads |
| GCR/Artifact Registry | GCP | GCP workloads |
| GitHub Container Registry | GitHub | Open source, GitHub Actions |
| Docker Hub | Docker | Public images, small teams |
AWS ECR
```bash
# Login
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

# Create repository
aws ecr create-repository --repository-name my-app

# Tag and push
docker tag my-app:latest 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0
docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0
```
GitHub Container Registry
```bash
# Pass the token on stdin so it does not appear in the process list or shell history
echo "$GITHUB_TOKEN" | docker login ghcr.io -u USERNAME --password-stdin
docker tag my-app:latest ghcr.io/username/my-app:1.0.0
docker push ghcr.io/username/my-app:1.0.0
```
Tagging Strategies
```bash
# Semantic version + latest
docker build -t my-app:1.2.3 -t my-app:1.2 -t my-app:1 -t my-app:latest .

# Git SHA (traceable to exact commit)
docker build -t my-app:$(git rev-parse --short HEAD) .

# Branch + SHA
docker build -t my-app:main-abc1234 .

# CI build number
docker build -t my-app:build-${BUILD_NUMBER} .
```
Best practice: Use immutable tags (1.2.3, git SHA) for production. Avoid relying on latest.
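The best practice above can be checked mechanically before a deploy. The script below is an added example, not part of the original chapter: it accepts a full semantic version, a git SHA tag, or a digest reference (which goes beyond the tags listed above) and rejects everything else. `classify_ref` and `check_refs` are hypothetical helper names, and the accepted patterns are an assumed policy.

```bash
# Added example. classify_ref / check_refs are hypothetical helpers;
# the accepted tag patterns are an assumed policy, not a registry rule.
classify_ref() {
    ref=$1
    # name@sha256:<64 hex> addresses exact content and cannot be re-pointed.
    if printf '%s\n' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
        echo digest; return 0
    fi
    # Only a colon in the last path component starts a tag; an earlier
    # colon is a registry port (localhost:5000/my-app).
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo unpinned; return 1 ;;   # no tag resolves to latest
    esac
    # Full semantic version: 1.2.3, v1.2.3, 1.2.3-rc.1
    if printf '%s\n' "$tag" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
        echo version; return 0
    fi
    # Git SHA, optionally branch-prefixed: abc1234, main-abc1234
    if printf '%s\n' "$tag" | grep -Eq '^([A-Za-z0-9_.-]+-)?[0-9a-f]{7,40}$'; then
        echo commit; return 0
    fi
    # latest, 1, 1.2 and any other alias that moves between builds
    echo unpinned; return 1
}

# Read one reference per line on stdin; fail if any is unpinned.
check_refs() {
    bad=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        kind=$(classify_ref "$ref") || bad=$((bad + 1))
        printf '%-9s %s\n' "$kind" "$ref"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample input, e.g. image references collected from manifests.
check_refs <<'EOF' || echo "refusing to deploy: unpinned image references"
username/my-app:1.0.0
ghcr.io/username/my-app:latest
localhost:5000/my-app
my-app:main-abc1234
EOF
```

In CI, feed `check_refs` the image references extracted from the manifests being deployed and fail the job on a non-zero exit status.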
Image Scanning
```bash
# Docker Scout (built-in)
docker scout cves my-app:latest
docker scout recommendations my-app:latest

# Trivy (popular open-source scanner)
trivy image my-app:latest

# Snyk
snyk container test my-app:latest
```
Image Size Optimization
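```bash
# Check image size
docker images my-app
docker history my-app:latest  # Size per layer
```

```dockerfile
# Tips (independent fragments, not one Dockerfile):

# 1. Use alpine base images (~180MB vs ~1GB for node:20)
#    Dockerfile comments must be on their own line, not after an instruction.
FROM node:20-alpine

# 2. Multi-stage builds (copy only what's needed)

# 3. Minimize layers (combine RUN commands); shown for a Debian/Ubuntu-based image
RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*

# 4. Use .dockerignore

# 5. Don't install dev dependencies in production
#    (--omit=dev replaces the deprecated --only=production)
RUN npm ci --omit=dev
```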
Key Takeaways
- Use private registries (ECR, GCR, ACR) for production images
- Tag with semantic version + git SHA; never rely solely on latest
- Scan images for vulnerabilities before deploying (Trivy, Docker Scout, Snyk)
- Optimize image size: alpine base, multi-stage builds, .dockerignore
- Enable image signing for supply chain security in production