A container image is a copy of a container (the files and components within it that make up an application) which can then be replicated to scale out quickly, or moved to other systems as needed. Once a container image is created, it forms a kind of template which can then be used to create new apps, or to expand and scale an existing app.
When working with container images, you need somewhere to save and access them as they are created and that’s where a container registry comes in. The registry essentially acts as a place to store container images and share them out via a process of uploading to (pushing) and downloading from (pulling). Once the image is on another system, the original application contained within it can be run on that system as well.
In addition to container images, registries also store application programming interface (API) paths and access control parameters.
There are two types of container registry: public and private.
Public registries are great for individuals or small teams that want to get up and running with their registry as quickly as possible. Their features are basic and they are easy to use.
New and smaller organizations can take advantage of standard and open source images to start and can grow from there. As they grow, however, there are security issues like patching, privacy, and access control that can arise.
Private registries provide a way to incorporate security and privacy into enterprise container image storage, either hosted remotely or on-premises. A company can choose to create and deploy its own container registry, or it can choose a commercially supported private registry service. These private registries often come with advanced security features and technical support, with a great example being Red Hat® Quay.
A major advantage of a private container registry is the ability to control who has access to what, scan for vulnerabilities and patch as needed, and require authentication of images as well as users.
Some important things to look for when choosing a private container registry service for your enterprise:
- Support for multiple authentication systems
- Role-based access control management (RBAC)
- Vulnerability scanning capabilities
- Ability to record usage in auditable logs so that activity can be traced to a single user
- Optimized for automation
Role-based access control allows the assignment of abilities within the registry based on the user’s role. For instance, a developer would need access to upload to, as well as download from, the registry, while a team member or tester would only need access to download.
For organizations with a user management system like Active Directory (AD) or LDAP, that system can be linked to the container registry directly and used for RBAC.
A private registry keeps images with vulnerabilities, or images from an unauthorized user, from getting into a company’s system. Regular scans can be performed to find any security issues, which can then be patched as needed.
A private registry also allows for authentication measures to be put in place to verify the container images stored on it. With such measures in place, an image must be digitally "signed" by the person uploading it before it can be uploaded to the registry. This allows that activity to be tracked, and prevents the upload if the user is not authorized to perform it. Images can also be tagged at various stages so they can be reverted to if needed.
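The controls described in the last few paragraphs (role-based push/pull permissions, a signature check on every upload, an audit log entry for every attempted action, and tags that can be reverted to an earlier image) are modelled below as an added Python example. This is not Red Hat Quay's code, API or data model: the users, roles, manifests and the HMAC-based signature are all constructed for the example, and the HMAC with a per-user secret is a stand-in for the public-key signature a real registry would verify.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample policy: role -> permitted registry actions
# (developers push and pull, testers only pull).
ROLE_PERMISSIONS = {
    "developer": {"push", "pull"},
    "tester": {"pull"},
}

# Constructed users. A real registry verifies public-key signatures; an HMAC
# over the manifest digest with a per-user secret stands in for that here so
# the example runs on the standard library alone.
USERS = {
    "alice": {"role": "developer", "key": b"alice-constructed-signing-key"},
    "bob": {"role": "tester", "key": b"bob-constructed-signing-key"},
}


def manifest_digest(manifest: dict) -> str:
    """Content-addressed digest of a manifest (canonical JSON, sha256)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def sign_manifest(user: str, manifest: dict) -> str:
    """What the uploading client attaches to a push: a signature over the digest."""
    key = USERS[user]["key"]
    return hmac.new(key, manifest_digest(manifest).encode(), hashlib.sha256).hexdigest()


@dataclass
class Registry:
    tags: dict = field(default_factory=dict)         # "repo:tag" -> current digest
    tag_history: dict = field(default_factory=dict)  # "repo:tag" -> [older digests]
    audit_log: list = field(default_factory=list)    # one entry per attempted action

    def _allowed(self, user: str, action: str) -> bool:
        role = USERS.get(user, {}).get("role")
        return action in ROLE_PERMISSIONS.get(role, set())

    def _audit(self, user: str, action: str, ref: str, outcome: str) -> None:
        self.audit_log.append({"user": user, "action": action, "image": ref, "outcome": outcome})

    def push(self, user: str, repo: str, tag: str, manifest: dict, signature: str) -> bool:
        ref = f"{repo}:{tag}"
        if not self._allowed(user, "push"):
            self._audit(user, "push", ref, "denied: role lacks push")
            return False
        # Unsigned or mis-signed uploads are rejected before anything is stored.
        if not hmac.compare_digest(sign_manifest(user, manifest), signature):
            self._audit(user, "push", ref, "denied: signature does not verify")
            return False
        digest = manifest_digest(manifest)
        if ref in self.tags:  # keep the previous digest so the tag can be reverted
            self.tag_history.setdefault(ref, []).append(self.tags[ref])
        self.tags[ref] = digest
        self._audit(user, "push", ref, f"ok {digest[:19]}")
        return True

    def pull(self, user: str, repo: str, tag: str):
        ref = f"{repo}:{tag}"
        if not self._allowed(user, "pull") or ref not in self.tags:
            self._audit(user, "pull", ref, "denied")
            return None
        self._audit(user, "pull", ref, "ok")
        return self.tags[ref]

    def revert_tag(self, user: str, repo: str, tag: str) -> bool:
        """Move a tag back to the digest it pointed at before the last push."""
        ref = f"{repo}:{tag}"
        history = self.tag_history.get(ref, [])
        if not self._allowed(user, "push") or not history:
            self._audit(user, "revert", ref, "denied")
            return False
        self.tags[ref] = history.pop()
        self._audit(user, "revert", ref, f"ok {self.tags[ref][:19]}")
        return True


def demo():
    """Walk through the controls with constructed manifests; returns (registry, outcomes)."""
    reg = Registry()
    v1 = {"schemaVersion": 2, "layers": ["sha256:constructed-layer-a"]}
    v2 = {"schemaVersion": 2, "layers": ["sha256:constructed-layer-b"]}
    outcomes = [
        reg.push("alice", "shop/api", "latest", v1, sign_manifest("alice", v1)),  # accepted
        reg.push("bob", "shop/api", "latest", v2, sign_manifest("bob", v2)),      # tester cannot push
        reg.push("alice", "shop/api", "latest", v2, "deadbeef"),                  # bad signature
        reg.push("alice", "shop/api", "latest", v2, sign_manifest("alice", v2)),  # tag now points at v2
        reg.pull("bob", "shop/api", "latest") == manifest_digest(v2),
        reg.revert_tag("alice", "shop/api", "latest"),                            # tag back to v1
        reg.pull("bob", "shop/api", "latest") == manifest_digest(v1),
    ]
    return reg, outcomes


if __name__ == "__main__":
    registry, results = demo()
    print(results)
    for entry in registry.audit_log:
        print(entry)
```

Every denied push still produces an audit entry naming the user, which is what makes the log usable for tracing activity to a single account; the tag history is what lets a tag be moved back to a known-good digest without re-uploading the image.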
Red Hat Quay is a private container image registry that enables you to build, distribute, and deploy containers with the storage you need to scale quickly. It analyzes your images for security vulnerabilities using Clair, identifying potential issues and addressing them before they become security risks.
Red Hat Quay ensures your apps are stored privately with powerful access and authentication settings that you can control, as well as the following features and benefits:
- Compatibility with multiple storage backends and identity providers
- Logging and auditing
- A flexible and extensible API
- Intuitive user interface (UI)
- Time machine, allowing users to view all tags in the repository for up to 2 weeks and revert tags to a previous state
- Automated software deployments using robot accounts
- BitTorrent downloads to decrease wait times
- Geosynchronous replication for redundancy and to increase the speed of downloads
- Automatic and continuous image garbage collection to efficiently use resources for active objects without the need for downtime or read-only mode
Red Hat Quay is also backed by Red Hat’s team of technical experts and support services, which have decades of enterprise customer service experience to draw from in supporting your enterprise.