For many organizations adopting containers for the first time, the registry service they use can be a bit of an after-thought. After all, with so many free or inexpensive choices like Docker Hub or Quay.io that are hosted for you “by the professionals”, why would one even bother to set up a private container registry?
Here are the top 6 reasons why you should set up a container image registry such as VMware Harbor on your own infrastructure, even if you don’t control the entire software supply chain for your applications, which is often the case for teams using open source applications.
Cost Savings – When you host your own registry, you pay only for the storage your container images consume, and the bandwidth used when you push or pull the images to your server. For teams who maintain numerous Docker images which are relatively small in size individually, running your own registry server can be more cost effective than choosing a plan from the Docker Hub or Quay.io that bills you based on the number of private repositories you need.
Speed – You can set up a private registry closer to your build and run environment, even on the same LAN if necessary. If you use AWS or a comparable cloud computing service for your development environment and/or production workloads, you can store your images in the same region or availability zone as your Docker daemons, saving AWS bandwidth costs. It can be a lot speedier to set up dev/test environments if your developers’ laptops can download container images from behind your firewall, thereby increasing productivity.
Security – Although it generally isn’t a best practice to hard code secrets, or access credentials into your Dockerfile, it can be inevitably necessary, especially for some applications that were not architected for a cloud-native environment. Your customized Dockerfiles and Docker images probably give away a lot of information about your infrastructure – which can make you a target for hackers. While you can use private repos on the Docker Hub or equivalent, a simple user error such as a developer who erroneously sets a repo to “public” could be catastrophic.
Control – Some organizations’ security policies require proprietary code to remain on-premise, to protect intellectual property, comply with client requirements, and/or industry regulations. A private container image registry can help you achieve this, without sacrificing usability. The Docker engine, and other OCI-compliant container runtimes are fully compatible with registries such as VMware Harbor you can host within your own environment. Simply use the docker login command to pass your login credentials to the trusted registry, and away you go.
Redundancy – If you’re a startup or small business that relies heavily on public images on the Docker Hub, you can set up a private registry server such as VMware Harbor as a “registry mirror.” In case the Docker Hub goes down (it has before), your deployment scripts and CI/CD pipelines can still access the cached images pulled from the Docker Hub at a prior point in time. If one machine in your infrastructure has already requested an image with that particular tag, it will be available to all your other machines as well. Your team can avoid disruptions and keep working, even in the event of a Docker Hub outage.
Enterprise Features – The major commercial container image registries do not include enterprise-level features such as LDAP/AD integration or vulnerability scanning. These features are usually limited to those companies’ higher-end offerings sold through a sales rep, such as Docker EE or Quay.io Enterprise. Complete solutions like Docker EE are ideal for larger organizations who need to manage an end-to-end DevOps lifecycle, but may be too complex for smaller teams. Combining an open-source registry server like VMware Harbor, with a management GUI such as Portainer may be a good alternative if that’s the case. Despite being free software, you can still enjoy advanced features such as robust role-based access control and security scanning for your images, powered by Clair.
If you want to set up your own private container image registry, on-premise or the cloud provider of your choice, contact our infrastructure architects who would be pleased to scope out a solution and assist you with your requirements. We also provide consulting on securely deploying containerized applications, and optimizing infrastructure spend to get more “bang for your buck” from your bare metal hardware or infrastructure-as-a-service provider.
