Overview
Google Container Registry provides secure, private Docker image storage on Google Cloud Platform.
While Docker provides a central registry to store public images, you may not want your images to be accessible to the world. In this case, you must use a private registry.
The Google Container Registry runs on Google Cloud Platform, so it can be relied upon for consistent uptime and security. The registry can be accessed through an HTTPS endpoint, so you can pull images from any machine, whether it's a Google Compute Engine instance or your own hardware.
Pricing
During the beta period you will be charged only for the Google Cloud Storage storage and network egress consumed by your Docker images.
Before you begin
Sign up for a Google Account
If you don't already have a Google Account, you must create one.
Enable billing
You'll need to enable billing in the Developers Console for your project.
Install the gcloud command line interface
The Google Container Registry uses the gcloud command line tool. To
enable gcloud:
- Install the gcloud tool.
- Enable preview features in the gcloud tool:
  $ gcloud components update preview
- Authenticate using your Google Account:
  $ gcloud auth login
- Tell the command line interface which Google Developers Console project to use:
  $ gcloud config set project PROJECT
  To find the value of PROJECT, visit https://console.developers.google.com/project and refer to the Project ID column.
Install Docker
Follow the instructions on the Docker website to install Docker.
If you're using a Linux-based system such as Ubuntu or Debian (OS X users don't
need to worry about this step) add your username to the docker group so that
you can run Docker without using sudo:
$ sudo usermod -a -G docker ${USER}
You may need to log out and back in after running the command for it to take effect.
Verify that you can run docker run busybox date before continuing to the next
step.
Preparing your Docker image
The Google Container Registry accepts images built using the
docker build command. For information about docker build, refer to the
Dockerfile Reference on the
Docker website.
Access control
By default, owners and editors of the Google Developers Console project have push and pull access to that project's image bucket (described below); those with project viewer permission can only pull images. To add new members to a project, read Managing project members in the Developers Console help center.
Because adding a user to your project also gives them access to all other
services that are active under that project, you may wish to grant access to the
storage bucket only. Refer to the
gsutil acl and
gsutil defacl commands for more
information. Image pushes require write access to the bucket; image pulls
require read access.
Pushing to the registry
Before you're able to push a Docker image to any private registry, you must add the registry location and image name as a tag to the image.
Your private registry location
is defined by appending your project's ID to the gcr.io domain, and
replacing dashes in your project ID with underscores. For example, if your
project ID is container-engine-docs, your registry location is:
gcr.io/container_engine_docs
To push to the registry:
- Add the tag to your image:
  $ docker tag user/example-image gcr.io/your_project_id/example-image
- Then, use gcloud to push the image to the Google Container Engine Registry:
  $ gcloud preview docker push gcr.io/your_project_id/example-image
The first time an image is pushed, a Google Cloud Storage bucket named
artifacts.your-project-id.appspot.com is created. You can browse this bucket
from the Google Developers Console's
Storage browser page.
This bucket should not be used for any other storage.
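The naming rules above and the bucket-only access described under Access control, combined in an added example that is not part of the original documentation. The member address is made up, and the three-command grant plan is this example's reading of "read for pulls, write for pushes" using gsutil acl ch and gsutil defacl ch; the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original page: print (never run) the gsutil
# commands that give one member bucket-only access to the image bucket.

# Registry location: gcr.io/ plus the project ID with dashes -> underscores.
registry_location() {
    printf 'gcr.io/%s\n' "$(printf '%s' "$1" | tr '-' '_')"
}

# Image bucket created on first push; it keeps the project ID's dashes.
image_bucket() {
    printf 'gs://artifacts.%s.appspot.com\n' "$1"
}

# plan_grants LEVEL MEMBER PROJECT_ID   (LEVEL is pull or push)
plan_grants() {
    case "$1" in
        pull) bucket_perm=R ;;   # pulls need read access to the bucket
        push) bucket_perm=W ;;   # pushes need write access to the bucket
        *) echo "unknown level: $1 (use pull or push)" >&2; return 1 ;;
    esac
    # Only plain e-mail addresses and project IDs end up in a printed command.
    case "$2" in
        *[!A-Za-z0-9@._+-]*|*@*@*) echo "bad member: $2" >&2; return 1 ;;
        *@*) ;;
        *) echo "member must be an e-mail address: $2" >&2; return 1 ;;
    esac
    case "$3" in
        ''|*[!a-z0-9-]*) echo "bad project ID: $3" >&2; return 1 ;;
    esac
    bucket=$(image_bucket "$3")
    # 1. read on the image objects already stored in the bucket
    echo "gsutil acl ch -r -u $2:R $bucket"
    # 2. the bucket itself: R to list for pulls, W to add objects for pushes
    echo "gsutil acl ch -u $2:$bucket_perm $bucket"
    # 3. default object ACL, so objects from later pushes are readable too
    echo "gsutil defacl ch -u $2:R $bucket"
}

# Constructed sample input: the page's example project ID, a made-up member.
project=container-engine-docs
echo "# registry: $(registry_location "$project")"
plan_grants pull ci-puller@example.com "$project"
```

Review the printed commands before running them by hand; the bucket must already exist, which means at least one image has been pushed.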
Pulling from the registry
Images that have been pushed to your registry can be pulled with the
gcloud preview docker pull command:
$ gcloud preview docker pull gcr.io/your_project_id/example-image
Using the Container Registry with Google Cloud Platform
Images in the Google Container Registry can be easily accessed from any machine. Compute resources in Google Cloud Platform are integrated with the registry for easy access.
Google Compute Engine
In order to pull private images from a Google Compute Engine instance, ensure that your instance has read permission to the image bucket. This is configured correctly by default if your instance and the image bucket are in the same Developers Console project.
In order to push private images from a Google Compute Engine instance, your
instance must have
read-write or full-control permission
to the image bucket.
To start an instance with read-write permission to your storage buckets:
$ gcloud compute instances create INSTANCE \
    --scopes https://www.googleapis.com/auth/devstorage.read_write
Container-optimized Compute Engine Instances
To start a container-optimized Google Compute Engine instance using an image in your registry, specify your image URI in the manifest file as follows:
version: v1beta2
containers:
  - name: example-image
    image: gcr.io/your_project_name/example-image
Then, point to your manifest file when starting your instance:
$ gcloud compute instances create containervm-example \
    --image container-vm \
    --metadata-from-file google-container-manifest=containers.yaml \
    --zone us-central1-a \
    --machine-type f1-micro
For more information, read Creating containers at time of instance creation in the Container-optimized Google Compute Engine Images page.
Google Container Engine
When creating pods with Google Container Engine, an image in the Google
Container Registry can be specified using the --image flag as follows:
$ gcloud preview container pods create \
    --image gcr.io/your_project_id/example-image --name example-image
For more information about creating pods with Container Engine, read the Pod Operations page.
Support
During this beta period, you can send questions or comments, or report an issue, by emailing gcr-contact@google.com. If a response is requested, we'll get back to you as quickly as possible.