Google Container Registry

Overview

Google Container Registry provides secure, private Docker image storage on Google Cloud Platform.

While Docker provides a central registry to store public images, you may not want your images to be accessible to the world. In this case, you must use a private registry.

The Google Container Registry runs on Google Cloud Platform, so it can be relied upon for consistent uptime and security. The registry is accessed through an HTTPS endpoint, so you can pull images from any machine, whether it's a Google Compute Engine instance or your own hardware.

Pricing

During the beta period you will be charged only for the Google Cloud Storage storage and network egress consumed by your Docker images.

Before you begin

Sign up for a Google Account

If you don't already have a Google Account, you must create one.

Enable billing

You'll need to enable billing in the Developers Console for your project.

Install the gcloud command line interface

The Google Container Registry uses the gcloud command line tool. To enable gcloud:

  1. Install the gcloud tool.
  2. Enable preview features in the gcloud tool:

    $ gcloud components update preview
    
  3. Authenticate using your Google Account:

    $ gcloud auth login
    
  4. Tell the command line interface which Google Developers Console project to use:

    $ gcloud config set project PROJECT
    

    To find the value of PROJECT, visit https://console.developers.google.com/project and refer to the Project ID column.

Install Docker

Follow the instructions on the Docker website to install Docker.

If you're using a Linux-based system such as Ubuntu or Debian, add your username to the docker group so that you can run Docker without using sudo (OS X users can skip this step):

$ sudo usermod -a -G docker ${USER}

You may need to log out and back in after running the command for it to take effect.

Verify that you can run docker run busybox date before continuing to the next step.

Preparing your Docker image

The Google Container Registry accepts images built using the docker build command. For information about docker build, refer to the Dockerfile Reference on the Docker website.

Access control

By default, owners and editors of the Google Developers Console project have push and pull access to that project's image bucket (described below); those with project viewer permission can only pull images. To add new members to a project, read Managing project members in the Developers Console help center.

Because adding a user to your project also gives them access to all other services that are active under that project, you may wish to grant access to the storage bucket only. Refer to the gsutil acl and gsutil defacl commands for more information. Image pushes require write access to the bucket; image pulls require read access.

Pushing to the registry

Before you're able to push a Docker image to any private registry, you must add the registry location and image name as a tag to the image.

Your private registry location is defined by appending your project's ID to the gcr.io domain, and replacing dashes in your project ID with underscores. For example, if your project ID is container-engine-docs, your registry location is:

gcr.io/container_engine_docs

To push to the registry:

  1. Add the tag to your image:

    $ docker tag user/example-image gcr.io/your_project_id/example-image
    
  2. Then, use gcloud to push the image to the Google Container Registry:

    $ gcloud preview docker push gcr.io/your_project_id/example-image
    

The first time an image is pushed, a Google Cloud Storage bucket named artifacts.your-project-id.appspot.com is created. You can browse this bucket from the Google Developers Console's Storage browser page. This bucket should not be used for any other storage.
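
The naming rules above (registry location with underscores, image bucket with dashes) combined with the bucket-only access described under Access control, as an added example that is not part of the original documentation. It prints the gsutil commands for review instead of running them; the project ID format check, the sample e-mail address and the choice of R/W grants are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive the registry location and image bucket for a project,
# and print (not run) the gsutil commands for bucket-only access.

# Accept only lowercase letters, digits and dashes, so the value is safe to
# embed in the generated command lines (assumed ID format for this example).
valid_project_id() {
    case "$1" in
        ''|*[!a-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Registry location: gcr.io/<project ID with dashes replaced by underscores>
registry_location() {
    valid_project_id "$1" || return 1
    printf 'gcr.io/%s\n' "$(printf '%s' "$1" | tr '-' '_')"
}

# The bucket name keeps the dashes: artifacts.<project ID>.appspot.com
image_bucket() {
    valid_project_id "$1" || return 1
    printf 'gs://artifacts.%s.appspot.com\n' "$1"
}

# Print the grant commands. Mode "pull" = read only, "push" = write on bucket.
grant_commands() {
    project=$1 member=$2 mode=$3
    bucket=$(image_bucket "$project") || return 1
    case "$member" in
        ''|*[!A-Za-z0-9@._+-]*) return 1 ;;
    esac
    case "$mode" in
        pull) bucket_perm=R ;;
        push) bucket_perm=W ;;
        *) return 1 ;;
    esac
    # Bucket ACL: listing (R) or writing (W) objects in the bucket.
    printf 'gsutil acl ch -u %s:%s %s\n' "$member" "$bucket_perm" "$bucket"
    # Existing objects: read access to images already pushed.
    printf 'gsutil acl ch -R -u %s:R %s\n' "$member" "$bucket"
    # Default object ACL: read access to images pushed later.
    printf 'gsutil defacl ch -u %s:R %s\n' "$member" "$bucket"
}

# Constructed sample values: the page's example project ID and a made-up user.
registry_location container-engine-docs
grant_commands container-engine-docs dev@example.com pull
```

The bucket must already exist (it is created by the first push) before the printed commands will succeed.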

Pulling from the registry

Images that have been pushed to your registry can be pulled with the gcloud preview docker pull command:

$ gcloud preview docker pull gcr.io/your_project_id/example-image

Using the Container Registry with Google Cloud Platform

Images in the Google Container Registry can be easily accessed from any machine. Compute resources in Google Cloud Platform are integrated with the registry for easy access.

Google Compute Engine

In order to pull private images from a Google Compute Engine instance, ensure that your instance has read permission to the image bucket. This is configured correctly by default if your instance and the image bucket are in the same Developers Console project.

In order to push private images from a Google Compute Engine instance, your instance must have read-write or full-control permission to the image bucket.

To start an instance with read-write permission to your storage buckets:

$ gcloud compute instances create INSTANCE \
    --scopes https://www.googleapis.com/auth/devstorage.read_write

Container-optimized Compute Engine Instances

To start a container-optimized Google Compute Engine instance using an image in your registry, specify your image URI in the manifest file as follows:

version: v1beta2
containers:
  - name: example-image
    image: gcr.io/your_project_id/example-image

Then, point to your manifest file when starting your instance:

$ gcloud compute instances create containervm-example \
    --image container-vm \
    --metadata-from-file google-container-manifest=containers.yaml \
    --zone us-central1-a \
    --machine-type f1-micro

For more information, read Creating containers at time of instance creation in the Container-optimized Google Compute Engine Images page.

Google Container Engine

When creating pods with Google Container Engine, an image in the Google Container Registry can be specified using the --image flag as follows:

$ gcloud preview container pods create \
    --image gcr.io/your_project_id/example-image --name example-image

For more information about creating pods with Container Engine, read the Pod Operations page.

Support

During this beta period, you can send questions or comments, or report an issue, by emailing gcr-contact@google.com. If a response is requested, we'll get back to you as quickly as possible.