100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is a Docker Registry?

Learn what a Docker registry is, how images are stored and pulled, tags vs digests, and private registry options — for DevOps interviews.

easyQ31 of 224 in DevOps Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

A Docker registry is a storage and distribution service for container images, organized into repositories and tags, that lets teams push built images and pull them down on any other host, such as a CI runner or a production node.

A registry stores images as content-addressable layers plus a manifest describing which layers and configuration make up a given tag, so identical layers across different images are stored only once and transferred only once per host. Docker Hub is the default public registry, but organizations commonly run private registries such as Amazon ECR, Google Artifact Registry, GitHub Container Registry, or a self-hosted Harbor instance to control access and keep proprietary images out of the public internet. Authentication via docker login and per-repository access control determine who can push or pull a given image, and image tags plus digests let consumers pin to an exact, immutable version rather than a mutable moving tag. CI/CD pipelines typically build an image, push it to a registry tagged with a commit SHA or version, and then have the deployment target pull that exact tag, giving a clean separation between build and deploy.

  • Central, versioned storage for container images
  • Enables the same image to run identically on any pulling host
  • Access control keeps private images restricted to authorized users
  • Content-addressable layers avoid redundant storage and transfer

AI Mentor Explanation

A registry is like a national cricket board’s central equipment warehouse where every certified bat model is cataloged, versioned by manufacturing batch, and stored once even if a hundred teams request the same batch. A team pushes a newly approved bat design to the warehouse after certification, and any franchise around the country can pull an identical, verified copy for their players. Access badges determine which manufacturers are allowed to upload new designs versus which teams can only request existing ones. Requesting bat batch #47 always returns the exact same certified bat, never a different one, just as a pinned image tag guarantees an exact version.

Step-by-Step Explanation

  1. Step 1

    Build and tag the image

    docker build produces an image tagged with the target registry path, e.g. registry.example.com/app:1.2.0.

  2. Step 2

    Authenticate to the registry

    docker login supplies credentials so the push/pull is authorized against that repository.

  3. Step 3

    Push the image

    docker push uploads only the layers the registry does not already have, keyed by content hash.

  4. Step 4

    Pull on the target host

    Any authorized host runs docker pull to fetch the identical image, verified by digest, for deployment.

What Interviewer Expects

  • Understanding that a registry stores images as content-addressable layers plus manifests
  • Knowledge of public vs private registries (Docker Hub, ECR, GHCR, Harbor)
  • Awareness of tags vs digests for mutable vs immutable references
  • Understanding of the typical build-push-pull CI/CD flow

Common Mistakes

  • Confusing a registry with a repository (a registry hosts many repositories)
  • Assuming :latest is a stable, reproducible reference
  • Forgetting registries need authentication and access control
  • Not knowing layer deduplication reduces storage and transfer

Best Answer (HR Friendly)

A Docker registry is where we store and version our built container images, similar to how a package manager stores libraries. Our CI pipeline builds an image, tags it with the commit version, and pushes it to a private registry, and then our deployment process simply pulls that exact tagged image, so what we tested is exactly what runs in production.

Code Example

Tag, push, and pull from a registry
# Authenticate to a private registry
docker login registry.example.com

# Tag a locally built image for that registry
docker tag myapp:1.2.0 registry.example.com/team/myapp:1.2.0

# Push the image (uploads only new layers)
docker push registry.example.com/team/myapp:1.2.0

# Pull the exact same image on another host
docker pull registry.example.com/team/myapp:1.2.0

Follow-up Questions

  • What is the difference between Docker Hub and a private registry?
  • How does a tag differ from an image digest?
  • How does layer deduplication reduce storage in a registry?
  • How would you secure a private registry against unauthorized pulls?

MCQ Practice

1. What does a Docker registry primarily store?

A registry stores and distributes container images, keyed by repository and tag, as content-addressable layers.

2. Which of these is an example of a private container registry?

Amazon ECR, along with GHCR and Harbor, are private registries teams use to control access to their images.

3. Why is an image digest more reliable than a mutable tag like :latest?

A digest is a content hash that always resolves to the exact same image, unlike a tag which can be reassigned to different content.

Flash Cards

What is a Docker registry?A storage and distribution service for container images, organized by repository and tag.

Name two private registry options.Amazon ECR, Google Artifact Registry, GitHub Container Registry, or self-hosted Harbor.

Why prefer a digest over :latest?A digest is immutable and guarantees the exact same image content every pull.

What command uploads an image to a registry?docker push, after docker login and docker tag.

1 / 4

Continue Learning