Pull and push images

You interact with Mirantis Secure Registry in the same way you interact with Docker Hub or any other registry:

  • docker login <msr-url>: authenticates you on MSR

  • docker pull <image>:<tag>: pulls an image from MSR

  • docker push <image>:<tag>: pushes an image to MSR

Pull an image

Pulling an image from Mirantis Secure Registry is the same as pulling an image from Docker Hub or any other registry. Since MSR is secure by default, you always need to authenticate before pulling images.

In this example, MSR can be accessed at msr-example.com, and the user was granted permissions to access the nginx and wordpress repositories in the library organization.

Click on the repository name to see its details.

To pull the latest tag of the library/wordpress image, run:

docker login msr-example.com
docker pull msr-example.com/library/wordpress:latest

Push an image

Before you can push an image to MSR, you need to create a repository to store the image. In this example the full name of our repository is msr-example.com/library/wordpress.

Tag the image

In this example we’ll pull the wordpress image from Docker Hub and tag with the full MSR and repository name. A tag defines where the image was pulled from, and where it will be pushed to.

# Pull from Docker Hub the latest tag of the wordpress image
docker pull wordpress:latest

# Tag the wordpress:latest image with the full repository name we've created in MSR
docker tag wordpress:latest msr-example.com/library/wordpress:latest

Push the image

Now that you have tagged the image, you only need to authenticate and push the image to MSR.

docker login msr-example.com
docker push msr-example.com/library/wordpress:latest

On the web interface, navigate to the Tags tab on the repository page to confirm that the tag was successfully pushed.

Windows images

The base layers of the Microsoft Windows base images have restrictions on how they can be redistributed. When you push a Windows image to MSR, Docker only pushes the image manifest and all the layers on top of the Windows base layers. The Windows base layers are not pushed to MSR. This means that:

  • MSR won’t be able to scan those images for vulnerabilities since MSR doesn’t have access to the layers (the Windows base layers are scanned by Docker Hub, however).

  • When a user pulls a Windows image from MSR, the Windows base layers are automatically fetched from Microsoft and the other layers are fetched from MSR.

This default behavior is recommended for Mirantis Container Runtime installations, but for air-gapped or similarly limited setups Docker can optionally optionally also push the Windows base layers to MSR.

To configure Docker to always push Windows layers to MSR, add the following to your C:\ProgramData\docker\config\daemon.json configuration file:

"allow-nondistributable-artifacts": ["<msr-domain>:<msr-port>"]

Where to go next