xavier collantes

Docker Image Storage Options

By Xavier Collantes

1/25/2025

Docker Registry Storage
When building containerized applications, choosing the right Docker image registry is crucial for your deployment pipeline, security, and operational costs. After given experience with multiple cloud providers, I have identified the key factors that determine which registry solution fits different use cases.

Why Docker Image Storage Matters

Docker registries serve as the central hub for your container images, similar to how GitHub stores your source code. The choice impacts:
  • Security - Vulnerability scanning and access controls features
  • Developer - Integration with existing processes; you can upload to a registry and pull from many different tools
  • Operations - Backup and easy to roll back to last good version as image
  • $$$ - Cost of the registry

Docker Hub: The Default Choice

Docker Hub Logo
Docker Hub is the default public registry that most developers start with because it is easy to setup. Docker Hub handles most of the behind the scenes work for you such as authentication, vulnerability scanning, and build automation.
Pros:
  • Zero setup - Works out of the box with Docker CLI
  • Free tier available - Unlimited public repos, 1 private repo free
  • Automated builds - GitHub Actions integration
  • Community support - Extensive documentation and tutorials
  • Global CDN - Fast pulls from anywhere
Cons:
  • Rate limiting - 100 pulls per 6 hours for anonymous users, 200 for free accounts
  • Limited private repos - Only 1 free private repository
  • Basic security features - Vulnerability scanning only on paid plans
  • No fine-grained access control - Team management requires paid plans
Best For:
  • Public projects
  • Getting started with Docker

In my startup experience, we quickly create a paid tier account because it is required for more than one team member.

docker hub auth.

Bash
1docker login
2
3# push to docker hub.
4docker tag my-app:latest username/my-app:latest
5docker push username/my-app:latest
6
7# pull from docker hub.
8docker pull username/my-app:latest
9
docker hub auth. hosted withby Xavier
Getting started with Docker Hub

Google Artifact Registry

Google Cloud Logo
Pros:
  • Advanced vulnerability scanning - Continuous security analysis
  • Global availability - Multi-region replication built-in
  • GKE integration - Seamless Google Kubernetes Engine deployment
  • Binary Authorization - Deploy-time security policies
  • Granular IAM - Fine-grained access control with Google IAM
  • Automatic garbage collection - Configurable cleanup policies
Cons:
  • Google Cloud ecosystem - Requires GCP account and billing
  • Cost complexity - Storage, operations, and egress charges
  • GCP-specific tooling - Best experience requires Google Cloud SDK for working on local machine and Google Auth
Best For:
  • Google Cloud Platform users
  • Organizations requiring advanced security

Google Cloud authentication.

Bash
1gcloud auth configure-docker
2
3# Create Artifact Registry repository.
4gcloud artifacts repositories create my-repo --repository-format=docker --location=us-central1
5
6# Push to Artifact Registry.
7docker tag my-app:latest us-central1-docker.pkg.dev/PROJECT-ID/my-repo/my-app:latest
8docker push us-central1-docker.pkg.dev/PROJECT-ID/my-repo/my-app:latest
9
Google Cloud authentication. hosted withby Xavier

There is a auto-clean up feature but it's not intuitive. You need to set a rule for KEEP limit to 2 (if you want 2 latest images) and another rule for DELETE to delete images immediately. The KEEP rule will be override the DELETE rule.

You may run into issues with auth CLI, run `gcloud auth configure-docker` again.

Getting started with Artifact Registry

AWS Elastic Container Registry (ECR)

AWS ECR Logo
AWS ECR is Amazon's fully managed container registry service.
Pros:
  • Built-in security - Vulnerability scanning, image signing, encryption at rest
  • No limits on repositories - Create as many private repos as needed
  • Lifecycle policies - Automatic image cleanup to control costs
  • Cross-region replication - Multi-region availability
  • Fine-grained permissions - Resource-level IAM policies
Cons:
  • Complex pricing model - Storage + data transfer costs can add up
  • Learning curve - Requires some AWS IAM knowledge for managing permissions
Best For:
  • AWS-based applications
  • Enterprise teams already using AWS
  • Multi-region deployments within AWS
Bash
1# AWS ECR authentication
2aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com
3
4# Create repository
5aws ecr create-repository --repository-name my-app --region us-west-2
6
7# Push to ECR
8docker tag my-app:latest 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest
9docker push 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-app:latest
10
11# Configure lifecycle policy
12aws ecr put-lifecycle-policy --repository-name my-app --lifecycle-policy-text file://policy.json
13
snippet hosted withby Xavier
Getting started with ECR

Performance Optimization Tips

Multi-Stage Builds

Reduce final image size by using multi-stage builds which allows for the use of the build image to be discarded after the build is complete.

Regional Proximity

Choose registry regions close to deployment. This can be chosen in providers such as AWS ECR, Google Artifact Registry, and Azure ACR.

Lifecycle Policies

Automatically clean up old images. Docker programs running on machines may not delete old images and images can pile up GBs of unused images.

Keep Your Images Small

Keep your images small by using multi-stage builds and other techniques to reduce the size of the final image.
Clean up your code repository to remove any unused files and dependencies which may be included in the final image.

Leaving unused assets or accidentally committing the `node_modules` dependency will bloat your image size which you will pay money for.

multi-stage build example.

dockerfile
1FROM node:16 AS builder
2WORKDIR /app
3COPY package*.json ./
4RUN npm ci --only=production
5
6# 2nd image.
7FROM node:16-alpine
8WORKDIR /app
9COPY --from=builder /app/node_modules ./node_modules
10COPY . .
11EXPOSE 3000
12CMD ["node", "server.js"]
13
multi-stage build example. hosted withby Xavier

The Bottom Line

The right Docker registry choice depends on your specific requirements.
The container registry landscape continues evolving with new security features, performance improvements, and pricing models. Regularly evaluate your choice as your application requirements and team size grow.
Remember: the best registry is one that integrates seamlessly with your existing development and deployment workflows while meeting your security, performance, and budget requirements.

Further Reading

Docker Registry Documentation
AWS ECR Best Practices
Google Artifact Registry Documentation
Harbor Project
Container Security Best Practices
Docker Hub Pricing

Related Articles

Related by topics:

devops
cloud
infrastructure
aws
Docker Commands Cheat Sheet

Advanced learning and reference for Docker commands for containerization.

By Xavier Collantes12/21/2024
docker
containers
devops
+4
Mount AWS EBS Volumes on Linux

Step-by-step guide to attach, format, and mount EBS volumes on Linux instances.

By Xavier Collantes3/28/2024
aws
cloud
linux
+4
Network Debugging: Ports to Packet Traces

My scripts and tools for diagnosing connectivity issues.

By Xavier Collantes9/24/2025
networking
debugging
architecture
+9
HomeFeedback