How to Choose a Container Registry: The Top 9 Picks
Learn what to look for when choosing the right container registry along with our top nine picks for your software development needs.
The invention of the open-source Docker Engine in 2013 made containerization one of the first steps towards modernizing the process of developing cloud applications. Before the Docker Engine, you had to configure applications for a specific computer or hardware. The downside of this approach was that moving an application from one server to another could be time-consuming if the need arose.
But, with the launch of the Docker Registry, the longstanding challenge of managing and organizing container registries was solved. In fact, the Docker Registry rapidly became the software industry standard. Today, container registries help firms to collect, store, and deliver container images for different phases through their software development process within a central location.
In this article, we outline the core features you need to know to help you choose the right container registry for your software development needs.
Table of Contents
- What is a Container Registry?
- How Do I Choose the Right Container Registry?
- What are the Top Container Registries Available?
- 1. Amazon Elastic Container Registry (ECR)
- 2. Azure Container Registry (ACR)
- 3. Docker Hub Container Registry
- 4. GitHub Package Registry
- 5. GitLab Container Registry
- 6. Google Artifact Registry (GAR)
- 7. Harbor Container Registry
- 8. Red Hat Quay
- 9. Sonatype Nexus Repository OSS
- Conclusion
What Is a Container Registry?
A container registry is a highly scalable server-side application that allows CI/CD systems, developers, and testers to store images created during app development. The images stored in a container registry are for Kubernetes, DevOps, and container-based app development. Examples include Docker Hub, Amazon ECR, and Azure.
How Do I Choose the Right Container Registry?
The market is not short of options when it comes to container registries, which can make choosing one a difficult task. Before you set out to pick one, the core questions you need to consider are:
- Do I want to host other artifacts in addition to container images? Some container registries support other types of files such as Java, Node.js, or even Python packages. On the other hand, some only support container images.
- Do I need extra security? A feature that only a few container registries offer is a vulnerability scan whenever you push an image to the registry.
- Should I go with an on-prem or hosted container registry?
If you change your mind later, migrating from one container registry to another is relatively easy.
What Are the Top Container Registries Available?
1. Amazon Elastic Container Registry (ECR)
Amazon’s ECR can be configured to support private and public Docker registries. These registries can be used with AWS IAM to control users' access levels, services, and applications. Essentially, you can define which users have access to the protected container images.
AWS ECR also comes equipped with image vulnerability scanning, an essential feature for DevSecOps. It uses the Common Vulnerabilities and Exposures (CVEs) database from Clair to assess the severity of issues found. Another great feature of AWS ECR is immutable image tags. When enabled, this feature ensures that no one can overwrite an image tag once it has been pushed to the container registry.
You can find the pricing information for Amazon Elastic Container Registry (AWS ECR) here.
2. Azure Container Registry (ACR)
Microsoft’s Azure Container Registry is based on Docker Registry 2.0, where authentication is managed by Azure RBAC. Azure’s container registry comes with features that most competitors are not offering yet, such as:
- Automatic purging of old images
- Retention policy for untagged manifests
- Content trust
It is important to note that content trust is based on a concept created by Docker: it allows you to sign the images that you push to your Azure Container Registry.
Essentially, applications and users that consume your image can configure their clients to only pull signed images. The Docker client then verifies the integrity of the image, so they can be assured the image has been published by you and has not been modified after it was published. Other than hosting Docker container images, the Azure Container Registry supports OCI Images, OCI Artifacts, and Helm charts.
When it comes to pricing, Microsoft plays it differently: it uses a tier system. For more information, visit this link.
3. Docker Hub Container Registry
Docker Hub is probably the most popular container registry as it is the default Docker Repository. It functions as a marketplace for public container images which makes it the best choice if you decide to publicly distribute an image. Interestingly, Docker Hub’s free option was very attractive for a while until some users started to abuse it to mine cryptocurrencies with the auto-build feature.
As a result, Docker set some limits on image pulls and pushes and rethought how it monetizes Docker Hub. You can read more about the changes to the rate limits in this article, and the shift to Docker Hub auto builds here. One way to avoid Docker’s image pull rate limit is by using a caching proxy.
In terms of pricing, the tier system allows you to unlock some specific features with a paid plan. However, the overall cost won't be as competitive as some of the other solutions such as AWS ECR or Microsoft’s Azure Container Registry.
To learn more about Docker Hub’s pricing, check out their website here.
4. GitHub Package Registry
In May 2019, GitHub launched its package registry solution. Owing to the success of this package registry solution, they released support for container images in September 2020, first as a beta option. A notable aspect of GitHub’s container registry is the fact that it offers a seamless experience, especially for developers. Basically, authentication is managed with a personal access token, and that's all you need.
Another option is using a public repository, although in this case, you need your users to authenticate with a GitHub user account. Overall, GitHub Packages is certainly not the container registry packed with the most features. However, its pricing is competitive if you intend to use GitHub Actions because you don’t get charged for ingress. For a more detailed look at GitHub Packages’ features and pricing, visit this link.
5. GitLab Container Registry
GitLab has its own container registry that’s free to use and supports Docker container images as well as Helm Chart (still in beta). It can be self-hosted if you use the self-hosted version of GitLab or cloud-based through GitLab.com. One of GitLab Container Registry’s great features is its cleanup policy that removes tags matching a certain regex pattern.
Alternatively, you can try their Package Registry which is also free and supports Composer, Conan, Generic, Maven, npm, NuGet, PyPI, and RubyGem. Without a doubt, it is a great option to consider if you already use GitLab for your project repository.
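A regex-driven cleanup policy like the one mentioned above deletes whatever its pattern matches, so it is worth dry-running the rule before enabling it. The following is an added example, not part of the original article and not GitLab's code: the parameter names (`delete_regex`, `keep_regex`, `keep_n`, `older_than_days`), the order in which the rules apply and the sample tags are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: (tag name, push time). Not from a real registry.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_TAGS = [
    ("latest", NOW - timedelta(days=1)),
    ("v1.4.0", NOW - timedelta(days=200)),
    ("v1.5.0", NOW - timedelta(days=40)),
    ("feature-login-3f2a", NOW - timedelta(days=90)),
    ("feature-cart-91bc", NOW - timedelta(days=35)),
    ("feature-search-77de", NOW - timedelta(days=2)),
    ("main-20240130", NOW - timedelta(days=1)),
]


def plan_cleanup(tags, delete_regex, keep_regex=None, keep_n=0,
                 older_than_days=0, now=NOW):
    """Dry run: return the sorted tag names a cleanup pass would delete.

    Simplified model (assumed rule order): skip "latest", select tags that
    fully match delete_regex, drop those matching keep_regex, spare the
    keep_n newest, then delete only tags older than older_than_days.
    """
    delete_re = re.compile(delete_regex)
    keep_re = re.compile(keep_regex) if keep_regex else None
    candidates = []
    for name, pushed in tags:
        if name == "latest":
            continue  # never expire the floating default tag
        # fullmatch: the pattern must cover the whole tag name, so a short
        # pattern such as "v1" cannot select "v1.4.0" by accident.
        if not delete_re.fullmatch(name):
            continue
        if keep_re and keep_re.fullmatch(name):
            continue  # an explicit keep rule wins over the delete rule
        candidates.append((name, pushed))
    # Newest first, so slicing off keep_n entries spares the most recent tags.
    candidates.sort(key=lambda item: item[1], reverse=True)
    candidates = candidates[keep_n:]
    cutoff = now - timedelta(days=older_than_days)
    return sorted(name for name, pushed in candidates if pushed <= cutoff)


if __name__ == "__main__":
    # A catch-all pattern with a keep rule protecting release tags.
    print(plan_cleanup(SAMPLE_TAGS, r".*", keep_regex=r"v\d+\.\d+\.\d+",
                       older_than_days=30))
```

Running the same catch-all pattern without the keep rule lists the release tags for deletion as well, which is the mistake a dry run is meant to surface.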
6. Google Artifact Registry (GAR)
Previously, Google Container Registry (GCR) was the recommended option, but since summer 2021, Google has been asking its clients to transition to the Google Artifact Registry because GCR only receives critical security fixes. Essentially, the Google Artifact Registry is Google's new way to handle container images and non-container artifacts such as Maven, npm, Python, Apt, or even Yum packages.
Primarily, GAR can be easily integrated with CI/CD pipelines to streamline the build and deployment of containers. Additionally, it also provides a scan for vulnerabilities in images that you can manually enable.
7. Harbor Container Registry
Created in 2014 and switched to an open-source model in 2016, Harbor is surely one of the most successful open-source projects by VMware. Harbor is a container registry that needs to be installed, configured, and managed by the user. It is easy to deploy with its Docker container, and you can use it with any Linux distribution that supports Docker. Note that you can also deploy Harbor with a Helm Chart on your Kubernetes Cluster.
The Harbor container registry also supports most of the features you expect to get from a container registry, such as:
- Vulnerability scanning
- Garbage collection
- Cross-region replication
- Content trust
Overall, it is a solid option to consider if you plan on hosting your container registry.
8. Red Hat Quay
Originally created in 2012, Quay has seen major changes in the past few years. Firstly, this container registry was purchased by CoreOS in 2014, and later by Red Hat in 2018.
It can be quite confusing to understand the difference between Quay, Project Quay, or Red Hat Quay. Here’s a brief look at what each one entails:
- Project Quay: standalone container registry which is the open-source distribution of Red Hat Quay comparable to Sonatype Nexus Repository OSS or Harbor.
- Red Hat Quay.io: enterprise solution, hosted on Red Hat's cloud that is priced per number of private repositories. However, the public repositories are still free.
- Red Hat Quay: enterprise container registry for private-cloud deployments available through Red Hat OpenShift as a built-in Operator.
Essentially, Quay offers a variety of products for different environments, all rich in features such as security scanning (using Clair), repository mirroring, audit logging, etc.
You can find the pricing details for Red Hat Quay.io here.
9. Sonatype Nexus Repository OSS
Similar to Harbor, Nexus Repository is another self-hosted container registry solution that supports other language packages as well. Sonatype has a Docker image that allows you to deploy it easily in your infrastructure. This container registry offers a pro version of its Nexus Repository which offers a few extra features. You can read about it here.
This can be a good option to choose if you are hoping to self-host a package/container registry since it provides rich documentation that covers many scenarios.
Comparison
| | AMAZON ECR | AZURE CR | DOCKER HUB | GOOGLE AR | GITHUB PACKAGES | GITLAB CR | HARBOR | REDHAT QUAY | SONATYPE NEXUS REPOSITORY |
|---|---|---|---|---|---|---|---|---|---|
| Pricing | Storage: free (for 1 year with AWS Free Usage Tier) until 0.5GB, then $0.10 per GB/mo. Data transfer ingress: $0.09 per GB/mo | Storage: $0.167 per day for 10GB under the Basic tier, $0.667 per day for 100GB under the Standard tier, $1.667 per day for 500GB under the Premium tier | Their pricing isn't based on storage. [3] | Storage: free until 0.5GB, then $0.10 per GB/mo. Data transfer ingress: potentially free, see network egress pricing info. | Storage: 500MB for Free tier, 2GB for Pro tier, 2GB for Team tier, 50GB for Enterprise tier, $0.25/GB for additional storage. Data transfer ingress: free if used through GitHub Actions, otherwise 1GB/month (Free tier), 10GB/month (Pro tier), 10GB/month (Team tier), 100GB/month (Enterprise tier), $0.5/GB for additional transfer | Free | Free (needs to be self-hosted) | Red Hat Quay.io: $15/mo for 5 private repos, $30/mo for 10 private repos, $60/mo for 20 private repos, $125/mo for 50 private repos | Free (needs to be self-hosted) |
| Support language packages (npm, Maven, yum, etc.) | ╳ (AWS CodeArtifact will help with that) | ╳ (but support OCI artifacts) | ╳ | ✓ | ✓ | ✓ | ╳ (but support OCI artifacts) | ╳ (but support OCI artifacts) | ✓ |
| Authentication | AWS IAM | Azure RBAC | Password or Access Token | GCP IAM | Access token | Personal Access Token or Deploy Token | AD, LDAP, RBAC, and OIDC | LDAP, Keystone, OIDC, Google and Github | Atlassian Crowd, LDAP, RUT, SAML |
| Cross-region replication | ✓ | ✓ (only available with Premium tier) | ╳ | ✓ | ╳ | ╳ (not available on their SaaS but available on their Self-Hosted solution) | ✓ | ✓ | ✓ |
| MFA for Image Push/Pull | ╳ | ╳ | ✓ (beta) | ╳ | ╳ | ╳ | ✓ | ╳ | ╳ |
| SLA Availability | 99.9% | 99.9% | n/a | 99.9% | n/a | n/a | self-hosted | n/a | self-hosted |
| Garbage collection | ✓ | ✓ | ╳ | ╳ | ╳ | ✓ | ✓ | ✓ (tag expiration) | ✓ |
| Image Scanning | ✓ Free | ✓ Free | ✓ (free but limited, see pricing plan) | ✓ ($0.26/image) | ╳ | ✓ (only with Ultimate tier) | ✓ | ✓ | ╳ |
| Rate Limits (Pull / Push) | Pull: 120 000/minute. Push: 120 000/minute [1] | Pull: up to 10 000/minute depending on the tier used. Push: up to 2000/minute depending on the tier used. [2] | Pull: up to 1 440/minute depending on the tier used. Push: unknown [4] | Pull: 60 000/minute. Push: 18 000/minute [5] | n/a | n/a | self-hosted | n/a | self-hosted |

[1] https://docs.aws.amazon.com/AmazonECR/latest/userguide/service-quotas.html
[3] https://www.docker.com/pricing
[4] https://www.docker.com/pricing
[5] https://cloud.google.com/artifact-registry/quotas
[6] Package Registry: https://docs.gitlab.com/ee/user/packages/package_registry/
[7] If you have multiple Harbor instances: https://goharbor.io/docs/2.3.0/administration/configuring-replication/
Conclusion
All in all, the key factor you need to consider is network-close deployment, since it is critical to minimizing cost and latency when using a container registry.
We always advise our clients to use the container registry offered by their cloud provider. For instance, if your infrastructure is entirely based on AWS, we will advise you to use AWS ECR.
This is because all cloud resources share a common authentication model, and images will be pulled quicker as they won't need to travel long distances from different cloud providers.
Published at DZone with permission of Florian Pialoux. See the original article here.