Container Registries
Where you store and serve OCI images — hosted and self-hosted.
Hosted (free or generous)
- ★ GitHub Container Registry (ghcr.io) — free for public, generous for private with GHA integration. The default for OSS and small / mid teams.
- ★ Docker Hub — original; rate limits on free are real (200 pulls / 6 hr unauth, 200 / 6 hr free auth).
- GitLab Container Registry — bundled with GitLab.
- Cloudflare Container Registry — newer; pairs with Workers / Pages.
- Quay.io (Red Hat) — public + private; free for OSS.
- AWS ECR — pricier but ergonomic on AWS; ECR Public for OSS.
- GCP Artifact Registry — clean; replaces gcr.io.
- Azure Container Registry — Azure-native.
- DigitalOcean Container Registry — small, simple; usually used with DOKS.
- Scaleway / Hetzner / Linode container registries — provider-bundled.
- JFrog Artifactory — enterprise; stores way more than just containers.
Self-hostable
- ★ Harbor (CNCF) — full-featured registry: vuln scanning, signing, replication, RBAC. The default self-host pick.
- Distribution / Docker Registry — the reference implementation; OSS, minimal.
- Quay — open-source version of Quay.io; Red Hat.
- Forgejo / Gitea Package Registry — bundled with the git server; great for small teams.
- Kraken (Uber) — peer-to-peer registry for huge clusters.
- Zot — newer OCI-native, signing-aware registry.
Pull-through caches
- ★ Harbor proxy projects — cache upstream public images so you don't re-pull from Docker Hub on every build.
registry:2in proxy mode — minimal pull-through.- Cloudflare R2 + crane — DIY tier.
- Sonatype Nexus — multi-format proxy (npm, Maven, OCI, etc.).
- JFrog Artifactory — same.
Image signing / supply chain
See Image Supply Chain — Cosign, Sigstore, Notary v2, in-toto, SBOMs.
Patterns to adopt
- ★ Pin by digest in production (
@sha256:...), not tag. Tags are mutable. - Replicate to a second registry (Harbor → ECR or vice versa) for failover.
- Pull-through cache to avoid Docker Hub rate limits.
- Set retention policies — Harbor / GHCR support it; old tags pile up fast.
- Sign images with Cosign and verify on pull / admission.
- Scan before promote — Trivy / Grype on every PR; block high-severity into prod.
Mirroring / cost
- Egress cost matters at scale — every node pull is bandwidth. Locate registries near nodes.
- Image size matters — see Image Building for distroless / chainguard.
- Registry storage rarely goes down on its own — set garbage collection / retention or you'll keep paying.
Pick this if…
- Default for OSS or small team: GitHub Container Registry.
- Self-host with full features: Harbor.
- Tiny self-host, embed in git: Forgejo / Gitea bundled registry.
- Already on AWS / GCP / Azure: the cloud-native registry; pair with VPC endpoints.
- You hit Docker Hub rate limits: add a Harbor proxy project or move base images.
- Air-gapped: Harbor with replication policies.