Once you’ve made the decision to move your applications and infrastructure to Docker containers, one of the next choices you’ll need to make is where to hold all your Docker images. When we first learn to use containers, the default place to store images tends to be Docker Hub. However, for most modern enterprises, Docker Hub isn’t a viable long-term solution to their container management needs. Here are a few key considerations when choosing your Docker repository provider:
Docker Hub doesn’t appear to publish public SLA figures and makes no explicit commitment that your Docker images will always be available. When your system becomes dependent on Docker images being available, it’s time to move to a private Docker repository either hosted by yourself, provided by a third party such as Quay, or managed by your cloud provider who can provide published SLA commitments. For example, Amazon’s ECR (Elastic Container Registry) is governed by the AWS availability commitments for its EC2 compute services.
When architecting a highly available Cloud system, consider using more than one Docker repository provider to ensure maximum uptime. If you are using AWS’s ECR or Google’s Container Registry, consider provisioning your repository in multiple Cloud regions so that your Docker images remain available even if an entire region is unavailable.
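One way to act on the multi-registry advice above, as an added example that is not part of the original article: a pull helper that tries each registry in turn and only accepts digest references, so every copy must be byte-for-byte the same image (a tag can point at different content in different registries). The registry hostnames, account ID and repository name are constructed placeholders.

```shell
# Added example: pull by digest from the first registry that answers.
# Registry hosts, account ID and repo names are constructed placeholders.
# Assumes `docker login` has already been done for each registry.
REGISTRIES="${REGISTRIES:-111111111111.dkr.ecr.eu-west-1.amazonaws.com 111111111111.dkr.ecr.us-east-1.amazonaws.com quay.io/example-org}"

# valid_digest DIGEST: succeed only for sha256:<64 lowercase hex chars>.
valid_digest() {
  case "$1" in sha256:*) ;; *) return 1 ;; esac
  hex="${1#sha256:}"
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# pull_with_fallback REPO DIGEST
# Prints the reference that was pulled. Returns 0 on success,
# 1 if no registry could serve the image, 2 if DIGEST is not a digest.
pull_with_fallback() {
  repo="$1"
  digest="$2"
  if ! valid_digest "$digest"; then
    echo "refusing mutable or malformed reference: $digest" >&2
    return 2
  fi
  for registry in $REGISTRIES; do
    ref="$registry/$repo@$digest"
    # The client verifies the pulled manifest against the digest, so a
    # fallback registry cannot silently serve different content.
    if docker pull "$ref" >/dev/null 2>&1; then
      echo "$ref"
      return 0
    fi
    echo "pull failed from $registry, trying next" >&2
  done
  echo "image $repo@$digest unavailable from all registries" >&2
  return 1
}
```

Log the fallback messages centrally: repeated failures from the primary registry are an early signal of an outage or an expired credential.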
Sometimes your decision about which Docker registry to use will be governed by which Cloud provider you have chosen. Azure Container Registry and Alibaba Cloud’s Container Registry offer fully managed private Docker container registries hosted within your cloud infrastructure, each of which supports the core Docker APIs. And, as with AWS’s and GCP’s managed Docker container registries, each can integrate easily with their CI/CD tooling and with common tools such as GitHub and Bitbucket. The advantage of this is that data need not leave your Cloud account and infrastructure.
The subtleties of the Docker Hub license agreement are such that you should consider carefully whether you are happy to host your Docker containers in their managed repository, even if they are not publicly shared. For open source projects the license agreement is probably acceptable, but at enterprise level there are commercial considerations about Intellectual Property that may mean that a private Docker repository is preferable.
Docker Hub provides subscription accounts which allow an introductory level of organisational control and permissions. However, enterprise-ready Docker registries provide greater levels of security management and more granular permissions that allow you to group container images and restrict read/write access and administrative permissions. Cloud providers also allow integration with your enterprise Identity Provider for integrated authentication. Docker Enterprise Edition and some third-party tools, such as Aqua and Sonatype’s Nexus tooling, can scan Docker images for vulnerabilities as they are stored in and pulled from the repository, checking for CVEs (Common Vulnerabilities and Exposures) in Docker layers, and can identify compromised or tampered images.
Third-party private Docker repository tools cost from around $15 a month, usually scaled by the number of active users of the tool, or the number of repositories you wish to host. Your Cloud provider account with AWS, GCP, Alibaba or Azure will often offer the most competitive price for hosting your Docker repository; for example, AWS ECR costs around $0.1 for each 10GB of container storage and no more than $0.009 per GB of image data pulled outside of your AWS account. Consider the costs of data transfer out of and across your Cloud accounts. And, if you need a multi-region Docker repository infrastructure, consider the additional costs for copying and storing images to multiple repositories.
nubeGO are Docker partners and can advise and assist with Docker implementations. At nubeGO, our Cloud Consultants and Cloud Architects can help you define and build your application containers platform. For Docker and Container learning opportunities, find out more about our hands-on Containers workshop.