Having trouble figuring out deployment with registries

I have a dockerized app that I’m looking to deploy, and these are my requirements:

  • Images are published somewhere
  • App servers retrieve images from somewhere
  • Images are only accessible to authorized app servers (i.e. non-public)

So the obvious candidate for somewhere would appear to be a docker registry. But after looking at some options (standalone Docker registry, Docker Hub, Amazon ECR) I found that the third requirement would be surprisingly awkward to implement:

There seems to be no way to authorize app servers that does not require them to have a full account with the registry (or even their parent platform, e.g. Amazon AWS).

The deployment tutorials I’ve looked at just tell you to “docker login” on the app server - but why would I want to authorize full (write) access to the repository if I only want to pull images?

For finer-grained access control, I (or the admins deploying my app) would have to have a separate, read-only account with the registry, which seems unreasonable to me.

I was kind of expecting there to be a mechanism along the lines of deployment keys in GitHub or Bitbucket, where you can just authorize read-only access without requiring, say, a GitHub account (let alone my GitHub account).

I’m starting to think that a registry is not really suited for this kind of deployment at all - even though all those deployment guides just tell you to “docker pull” and be on your way.

So is there something I am missing here?

Do people just use other distribution mechanisms for this kind of deployment?
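The third requirement above (app servers may pull, but must not be able to push or delete) is a least-privilege question about whatever credential the app server ends up holding. As an added example that is not part of the original post, the Python below audits an AWS IAM policy document of the kind one would attach to the identity an app server uses against Amazon ECR: it reports which registry-modifying actions an "Allow" could grant, and whether the policy still grants the actions a plain `docker pull` needs. The ECR action names are real; the two policy documents, the repository name `myapp`, and the account id `123456789012` are constructed placeholders, and the write-action list is deliberately a representative subset rather than a complete inventory of ECR.

```python
"""Audit an IAM policy document for pull-only access to Amazon ECR.

Added example, not code from the original post. The policies at the
bottom are constructed samples; the account id and repository name are
placeholders.
"""
import fnmatch
import json

# ECR actions a "docker pull" needs, plus the account-level token call
# that "aws ecr get-login-password" uses to mint a registry password.
PULL_ACTIONS = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
}

# Representative (not exhaustive) ECR actions that let a principal
# change the registry: push layers and manifests, delete images, or
# alter repositories and their policies.
WRITE_ACTIONS = {
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:BatchDeleteImage",
    "ecr:CreateRepository",
    "ecr:DeleteRepository",
    "ecr:SetRepositoryPolicy",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _allowed_patterns(policy: dict):
    """Yield every Action pattern appearing in an Allow statement."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for pattern in _as_list(stmt.get("Action", [])):
                yield pattern


def _matches(action: str, pattern: str) -> bool:
    # IAM action names are case-insensitive and support "*" and "?".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_write_actions(policy: dict) -> set:
    """Write actions an Allow statement could grant.

    Wildcards such as "*", "ecr:*" or "ecr:Put*" are expanded against
    WRITE_ACTIONS, so a broad Allow is reported as every write action it
    matches. Deny statements are ignored on purpose: the audit is
    conservative and treats any matching Allow as a finding.
    """
    return {
        action
        for action in WRITE_ACTIONS
        for pattern in _allowed_patterns(policy)
        if _matches(action, pattern)
    }


def missing_pull_actions(policy: dict) -> set:
    """Pull actions no Allow statement covers (the pull would fail)."""
    return {
        action
        for action in PULL_ACTIONS
        if not any(_matches(action, p) for p in _allowed_patterns(policy))
    }


def is_pull_only(policy: dict) -> bool:
    """True when the policy can pull and grants none of WRITE_ACTIONS."""
    return not granted_write_actions(policy) and not missing_pull_actions(policy)


def audit_policy_json(text: str) -> dict:
    """Parse a policy document and return a summary of the findings."""
    policy = json.loads(text)
    return {
        "pull_only": is_pull_only(policy),
        "write_actions": sorted(granted_write_actions(policy)),
        "missing_pull_actions": sorted(missing_pull_actions(policy)),
    }


# Constructed sample: what handing an app server a developer's full
# credentials amounts to. Anyone holding this can push and delete.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}],
}

# Constructed sample: pull-only access to one repository. The token call
# is account-level and so must use Resource "*"; the layer and manifest
# reads are scoped to the placeholder repository ARN.
PULL_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
            ],
            "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/myapp",
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("pull-only", PULL_ONLY_POLICY)):
        print(name, audit_policy_json(json.dumps(policy)))
```

The two checks pull in opposite directions: `granted_write_actions` catches a credential that is more powerful than an app server needs, while `missing_pull_actions` catches a policy trimmed so far that the deployment would break. Because the write list is a subset, a clean result means "none of these known write actions", not a proof of read-only access, which is why the policy in the sample also scopes the repository-level reads to a single ARN rather than relying on the action list alone.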