Pull and push images

Just as with Docker Hub, interactions with MSR consist in the following:

  • docker login <msr-url> authenticates the user on MSR

  • docker pull <image>:<tag> pulls an image from MSR

  • docker push <image>:<tag> pushes an image to MSR

Pull an image


It is only necessary to authenticate using docker login before pulling a private image.

  1. If you need to pull a private image, log in to MSR:

    docker login <registry-host-name>
  2. Pull the required image:

    docker pull <registry-host-name>/<namespace>/<repository>:<tag>

Push an image

Before you can push an image to MSR, you must create a repository and tag your image.

  1. Create a repository for the required image.

  2. Tag the image using the host name, namespace, repository name, and tag:

    docker tag <image-name> <registry-host-name>/<namespace>/<repository>:<tag>
  3. Log in to MSR:

    docker login <registry-host-name>
  4. Push the image to MSR:

    docker push <registry-host-name>/<namespace>/<repository>:<tag>
  5. Verify that the image successfully pushed:

    1. Log in to the MSR web UI.

    2. In the left-side navigation panel, click Repositories.

    3. Select the relevant repository.

    4. Navigate to the Tags tab.

    5. Verify that the required tag is listed on the page.

Windows image limitations

The base layers of the Microsoft Windows base images have redistribution restrictions. When you push a Windows image to MSR, Docker only pushes the image manifest and the layers that are above the Windows base layers. As a result:

  • When a user pulls a Windows image from MSR, the Windows base layers are automatically fetched from Microsoft.

  • Because MSR does not have access to the image base layers, it cannot scan those image layers for vulnerabilities. The Windows base layers are, however, scanned by Docker Hub.

On air-gapped or similarly limited systems, you can configure Docker to push Windows base layers to MSR by adding the following line to C:\ProgramData\docker\config\daemon.json:

"allow-nondistributable-artifacts": ["<msr-host-name>:<msr-port>"]


For production environments, Mirantis does not recommend configuring Docker to push Windows base layers to MSR.