Docker Registries and the Five Problems You Encounter

As containers in general, and Docker in particular, grow, here are a few concerns to keep in mind when managing your images.

Containers are not new. They have been around for more than 15 years, and recently, the rapid adoption of Docker has made it the gold standard of container technology. Docker has revolutionized enterprise-level component management, and the number of microservices running in Docker containers continues to grow.

As Docker images accumulate in corporate systems, they pose several challenges for the DevOps teams that must manage their flow and usage throughout the organization: sharing images efficiently to maximize code reuse, security and access control, basic searches for images, and more. Some may claim that a file system adequately addresses these challenges, but the capabilities of a file system do not come near those of an advanced repository manager that serves as an organization's secure, private Docker registry.

A Single Access Point for Docker Images

First and foremost, organizations developing software need to share their images internally in order to maximize the reuse of their codebase. It is just as critical for developers to be working under the same environment as it is for them to have an easy means of sharing images within their team and the organization as a whole.

A repository manager is a single access point for all of an organization's Docker images. Some of them even support any number of Docker registries, giving software development organizations an easy way to keep all of their Docker images organized and easily accessible among team members. By giving developers and DevOps teams a single URL through which to access their Docker images — effectively, a private Docker registry — sharing and managing access between teams within an organization becomes very easy.

Secure Private Docker Registries With Granular Access Control

Once the issue of sharing images is solved, the issue of access control arises. Developers may not want to share every image with everyone else in the organization. There must be security protocols in place to restrict each developer's access to authorized Docker registries, whether it is for downloading images and their dependencies or for uploading and storing images that the developer has built.

A repository manager addresses these concerns through several layers of security, giving organizations granular access control over who can access what. At the highest level, support for common security protocols such as LDAP, SAML, and Crowd gives organizations control over access to different servers in the first place — before we even talk about access to the Docker registries themselves. Then, a detailed permission-based system lets organizations control to which Docker registry developers can deploy images, from which registry they can access images, and whether they can annotate images with properties or delete them altogether. Finally, features like virtual repositories and include/exclude expressions provide access control at any level of granularity, from a complete repository down to a single artifact.
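The permission layer described above can be modeled in a few lines. The following is an added example, not code from the article or from any repository manager: the `PermissionTarget` class, the group and registry names, and the use of fnmatch-style globs for include/exclude expressions are all assumptions made for illustration. It shows default deny, excludes overriding includes, and a grant scoped to a single artifact.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class PermissionTarget:
    """Hypothetical rule: which groups may perform which actions on which paths."""
    repos: frozenset      # registries (repositories) the rule applies to
    groups: frozenset     # groups the rule grants to
    actions: frozenset    # subset of {"read", "deploy", "annotate", "delete"}
    includes: tuple = ("*",)
    excludes: tuple = ()

    def covers(self, repo, path):
        """True if the path is in scope; an exclude match always wins over an include."""
        if repo not in self.repos:
            return False
        if any(fnmatchcase(path, pat) for pat in self.excludes):
            return False
        return any(fnmatchcase(path, pat) for pat in self.includes)


def is_allowed(targets, user_groups, action, repo, path):
    """Default deny: some target must grant the action to one of the user's groups."""
    return any(
        action in t.actions and bool(t.groups & user_groups) and t.covers(repo, path)
        for t in targets
    )


# Constructed sample policy for one registry, "docker-local".
LOCAL = frozenset({"docker-local"})
TARGETS = [
    # Everyone in "developers" can pull anything except the payments images.
    PermissionTarget(LOCAL, frozenset({"developers"}), frozenset({"read"}),
                     excludes=("payments/*",)),
    # The payments team can pull, push and annotate its own images, but not delete.
    PermissionTarget(LOCAL, frozenset({"payments-team"}),
                     frozenset({"read", "deploy", "annotate"}),
                     includes=("payments/*",)),
    # Granularity down to a single artifact: one manifest may be deleted.
    PermissionTarget(LOCAL, frozenset({"release-managers"}), frozenset({"delete"}),
                     includes=("payments/api/1.4.2/manifest.json",)),
]

if __name__ == "__main__":
    path = "payments/api/1.4.2/manifest.json"
    for groups, action in [({"developers"}, "read"), ({"payments-team"}, "deploy"),
                           ({"payments-team"}, "delete"), ({"release-managers"}, "delete")]:
        print(sorted(groups), action, is_allowed(TARGETS, groups, action, "docker-local", path))
```

Grants in this model are additive across targets, so a user in both `developers` and `payments-team` can read the payments images through the second rule even though the first excludes them.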

Keep Your Docker Registry Always Up and Always On

Docker Hub is the primary public Docker registry, and most developers using Docker are likely to be using it as a critical resource. But what level of stability and reliability does Docker Hub guarantee? And what happens when the network gets congested or (gasp!) goes down?

A repository manager makes sure organizations can always access images downloaded from Docker Hub (or from any other remote Docker registry) by caching images locally. Not only does this make the organization independent of both Docker Hub and the external network, but it also reduces network traffic because any component only needs to be downloaded once to make it available to all developers.

"But," you say, "what happens if the repository manager itself, or the hardware on which it's running, goes down?" Well, we're all human; things can happen. But repository managers also come in a superhuman form and can be deployed in a high-availability configuration. That means a redundant network architecture (two or more servers) with no single point of failure that promises it will nearly always be up and available, giving organizations access both to their internal Docker images and to those downloaded from external resources.

Docker Registry with High Availability

This example shows JFrog Artifactory, a universal artifact repository, configured as a redundant cluster of servers to provide high availability for Docker registries.

Find Any Docker Image Any Time

With sharing, security and availability solved, the number of Docker registries and images used by an organization can get so big that finding that "one special" Docker image becomes a challenge. That's why repository managers offer different ways to search for images based on any combination of inherent attributes such as name, version, timestamp, and checksum. And if you really want to pull out the big guns, the more advanced repository managers offer a proprietary query language that offers a simple way to formulate complex queries that can find just about anything, anywhere, based on any number of search criteria.

You Can't Please Everybody... Or Can You?

Different organizations have a diverse collection of policies regarding how they manage the workflow around their Docker registries. These can include scheduling different tasks on the upload or download of images, notifying administrators about users accessing particular repositories, cleanup and maintenance procedures, and more. For example, an organization may require that all Docker images downloaded from an external source be run through a security scan before being stored in the local cache, or an administrator should be notified if a user deletes any artifacts from a specific path in one of the Docker registries.

User plugins offer a way to cater to nearly any specific requirement. These present a long list of entry points that effectively extend the repository manager's REST API, providing a simple and effective way to implement complex behavior, thus allowing organizations to implement virtually any workflow around their repositories.

As microservices take hold of the software industry, use of container technology, with Docker in the lead, will continue to rise. More and more organizations are developing images and housing them within Docker registries, and different repository managers available on the market are trying to meet the challenge of managing images in an enterprise environment.

Docker (the company itself) offers solutions, such as Docker Hub and a variety of other options to manage both Docker images and Docker containers at runtime. Other companies, such as Quay, also offer repository management solutions focused exclusively or primarily on Docker. But there are also more advanced solutions, such as JFrog Artifactory, that work seamlessly with the Docker client by fully supporting the Docker Registry API, and can therefore step in behind the scenes, allowing developers and DevOps to continue business (and development) as usual while solving many issues that arise from managing the multitude of Docker images that an enterprise needs to work with. 
