Docker Architecture & Internals
Docker Hub and Image Registries — Public vs Private
Distributing image binaries and authenticating pulls securely.
Interview: Crucial for DevOps pipelines, deployment automation, security compliance, and Kubernetes private image pull integrations.
Introduction
Building container images locally is only the first step. To deploy these images across testing, staging, and production servers, they must be uploaded to a central server known as a Container Registry.
Registries store compiled image binaries (organized as layers and manifest files) and expose APIs that allow developers and orchestrators to search, download (pull), and upload (push) images.
Why It Matters
Enterprise security requires strict isolation of internal code. While public registries are useful for base dependencies, proprietary application images must be hosted in private registries with robust role-based access control (RBAC).
Registry Types
There are two primary categories of registries in the container ecosystem:
• Public Registries: Public libraries like Docker Hub, Quay.io, or GitHub Container Registry (ghcr.io). Anyone can pull images from these, but they enforce strict rate limiting for anonymous users.
• Private Registries: Secured enterprise registries. These can be cloud-managed services (like AWS Elastic Container Registry (ECR), Google Artifact Registry, or Azure Container Registry (ACR)) or self-hosted instances (like Harbor or the official Docker Registry container).
Authentication Mechanisms
When you run docker login, the client authenticates against the registry's OAuth or basic auth endpoint. Upon success, the registry issues an authentication token.
This token is stored locally on the client host in ~/.docker/config.json. Modern security standards recommend configuring credentials helpers (like docker-credential-osxkeychain or docker-credential-secretservice) so passwords are not stored in plaintext files.
Practical Example
Let's deploy a local, private container registry on our machine, tag an image, and push it to the registry:
What just happened? We spun up a private registry API server on port 5000. By renaming the local image tag prefix to localhost:5000/, the Docker daemon automatically routed the push payload to our local server instead of Docker Hub.
Quick Quiz
Q1: If a Kubernetes pod fails to pull an image with "ErrImagePull", what is the most likely cause?
A) The container did not run as root.
B) The image tag was not uploaded, or the cluster does not have authorization (secret keycard) to pull from the private registry.
C) The registry container runs cgroups v1.
D) The pod does not have an IP address.
Answer: B — Private registries require credentials. Without configuring secret keys inside Kubernetes, pulls will be rejected.
Scenario-Based Challenge
Production Scenario:
You are deploying a Kubernetes application to a new AWS cluster. The application image is stored in AWS Elastic Container Registry (ECR). The pods fail to start, displaying ImagePullBackOff. How do you resolve this securely?
Since the registry is private, Kubernetes must authenticate. You have two secure solutions:
1. **IAM Role Association (Recommended):** Attach an IAM role to the Kubernetes Node Groups allowing ECR read permissions (AmazonEC2ContainerRegistryReadOnly). The node's kubelet will automatically exchange IAM credentials for ECR tokens behind the scenes.
2. **Kubernetes ImagePullSecrets:** Generate a Docker registry secret using AWS credentials and link it to the pod manifest:
kubectl create secret docker-registry ecr-secret --docker-server=...
Then add imagePullSecrets: [{name: ecr-secret}] to your Deployment spec.
Interview Questions
1. Where does the Docker daemon look for authentication credentials when pulling an image?
The daemon reads the client's config file located at ~/.docker/config.json. If a credential helper is specified, it executes the helper program to retrieve the credential token securely from the system keychain or cloud API.
2. What is a Docker Image Manifest?
A JSON document stored in the registry that describes the image. It contains details about the image layers, their cryptographic hashes (hashes), sizes, target CPU architecture, and configuration parameters.
Production Considerations
When running high-volume CI/CD pipelines, anonymous pulls from Docker Hub will hit rate limit blocks (currently 100 pulls per 6 hours). Ensure all production nodes and build systems authenticate using credentials, or configure a local pull-through cache (caching proxy) to store frequently used public layers locally.