Chapter Nine

Registries & Distribution

Getting the slim Driftwood image off the laptop and onto a production host it can trust. How a registry stores and ships images, which registry to put them in, a tagging discipline that survives a release process, one image that runs on both amd64 and arm64, signatures that prove who built the bytes, and a scanner that catches CVEs before they ship.

6 topics

Layer B opens here. Through the first eight chapters Driftwood became a slim, well-built image, but it never left the machine that built it. This chapter follows that image out the door — tagged driftwood/web:1.4.0, built for both amd64 and arm64, scanned, signed, and pushed to a private registry that production hosts pull from by digest.

A registry is the hinge between building an image and running it somewhere else, and most of distribution is understanding that one HTTP service well: what it stores, what a push and a pull actually transfer, how access is scoped, and how a host ends up trusting the exact bytes it pulls. This chapter builds on the manifests and digests from Chapter 2 — it assumes you know an image is named by its content — and turns that into a release pipeline a team can run.

Topics in This Chapter

Topic 53
How Registries Work
Two stores behind one HTTP API — a content-addressed blob store and a manifest store. What push and pull actually transfer, why a second push is tiny, how auth scopes access per repository, and what a pull-through cache buys you.
Tags: Concept, Registry
Topic 54
Docker Hub, Private, and Self-Hosted Registries
The public default, a cloud registry next to your compute, or one you run yourself. Docker Hub's anonymous pull limit, when a managed registry beats self-hosting, and what Harbor adds over the plain registry image.
Tags: Hosting, Registry
Topic 55
A Tagging Strategy for Releases
Immutable release tags, moving convenience tags, and commit-SHA tags at once. Why re-pushing a version tag breaks every consumer who pinned it, and why production deploys pin a digest while tags stay readable.
Tags: Versioning, Release
Topic 56
Multi-Arch Images with buildx
One tag that serves amd64 and arm64 from a single manifest list. buildx and BuildKit builders, QEMU emulation versus native nodes, why a multi-arch build must push, and why arm64 support is no longer optional.
Tags: Build, Multi-arch
Topic 57
Image Signing and Provenance
A digest proves integrity, not authenticity. Signing the digest with cosign keyless OIDC, SLSA provenance and SBOM attestations, and why verification has to happen on pull rather than only signing on push.
Tags: Supply chain, Trust
Topic 58
Vulnerability Scanning
Reading an image's layers for known CVEs with trivy, grype, or docker scout. Why base-image CVEs are inherited, why scanning must be a build gate run on a schedule, and why patching means rebuilding on an updated base.
Tags: Security, CI gate