Use a Container Registry Enterprise Edition instance to push, pull, store, and manage container images across environments.
Prerequisites
- An Alibaba Cloud account is created. Sign up for an Alibaba Cloud account.
- Docker Engine is installed. Install and use Docker Engine and Docker Compose.
- OSS is activated. Container Registry Enterprise Edition depends on OSS. Activate OSS.
Step 1: Create an Enterprise Edition instance
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- On the Instances page, click Create ACR EE.
- On the Create ACR EE page, configure the basic information and click Buy Now.
  Parameter and description:
  - Region: Select the instance deployment region.
  - Specification: Select an instance type. Available types are described in What is Alibaba Cloud Container Registry (ACR)?.
  - Name: Enter an instance name.
  - Instance Storage: Valid values: Default and Custom.
    - Default: An OSS bucket is automatically created in your account to store images.
    - Custom: Select an existing OSS bucket to store images.
  - Select Bucket: Select an existing OSS bucket to store images.
    Note: This parameter is required only when you set Instance Storage to Custom.
  - Security Scan: Select a scan engine:
    - Trivy Scan Engine: Open source engine. Detects system and application vulnerabilities. Does not support one-click fixes for system vulnerabilities.
    - Security Center Scan Engine: Alibaba Cloud engine. Detects system vulnerabilities, application vulnerabilities, baseline risks, and malicious samples. Supports one-click fixes for system vulnerabilities.
  - Repository quota: Default: 1,000 (Basic), 3,000 (Standard), 5,000 (Advanced). You can increase the quota as needed.
  - Namespace quota: Default: 15 (Basic), 25 (Standard), 50 (Advanced). You can increase the quota as needed.
  - VPC access control quota: Purchase this quota if your service pulls images over a VPC. Billing.
  - Subscription Duration: You can select 1, 2, 3, or 6 months, or from 1 to 5 years.
    Note: Auto-renewal is also available.
  - Resource Groups: Select an existing Resource Group. You can also click Create Resource Group and, in the dialog box that appears, enter the Resource Group Identifier and Resource Group Name, and then click Confirm.
- On the Confirm Order page, verify the parameters, review the Terms of Service and Service Level Agreement (SLA), and then click Payment.
- On the Pay page, review the total cost of the instance at the bottom of the page. If the amount is correct, follow the prompts to complete the payment.
  On the Instances page, the status of the new instance is Starting. After about 2 to 3 minutes, the status changes to Running.
Step 2: Get the repository username
- If you use an Alibaba Cloud account, the account name is your username for the image repository.
- If you use a RAM user, your username is the part of the UPN before .onaliyun.com. For example, if your RAM user's UPN is 123@123456781011****.onaliyun.com, your username is 123@123456781011****.
Step 3: Set the repository password
Pushing and pulling images requires a fixed credential. Configure access credentials.
Step 4: Create a namespace
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- On the Instances page, click the target Enterprise Edition instance.
- In the left-side navigation pane of the instance details page, choose .
- On the Namespace page, click Create Namespace.
- In the Create Namespace sidebar, set the namespace name, turn Automatically Create Repository on or off, and click Confirm.
  If you turn on Automatically Create Repository, configure the following settings:
  UI element and description:
  - Repository Type:
    - Public: By default, users must log in to the Enterprise Edition instance to pull public images. To allow anonymous pulls, you must enable anonymous access for the instance.
      We recommend that you set the repository type to Private to ensure data security.
    - Private: To pull private images, users must log in to the Enterprise Edition instance and have the required Pull permissions.
  - Immutable Image Tags: Flexible. If you select this option, image tags in this repository other than latest cannot be overwritten, which ensures the consistency of container image tags.
  - Accelerated Image: Specifies whether the feature is Off. If you select the check box, an accelerated image tag with the _accelerated suffix is automatically generated in the repository.
Step 5: Create an image repository
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- On the Instances page, click the target Enterprise Edition instance.
- In the left-side navigation pane of the instance details page, choose .
- On the Repositories page, click Create Repository.
- In the Repository Info wizard, configure Namespace, Repository Name, Repository Type, Image Version, Accelerated Image, Summary, and Description. Then, click Next.
- In the Code Source wizard, configure Code Source, Build Settings, and Build Rules. Then, click Create Repository.
  Parameter and description:
  - Code Source: Select a code source.
  - Build Settings:
    - Automatically Build Images When Code Changes: Triggers a build on each code commit.
    - Build With Servers Deployed Outside Chinese mainland: Builds images outside Chinese mainland and pushes to your specified region.
    - Build Without Cache: Always pulls a fresh base image. May increase build time.
  - Build Rules: After creating the repository, configure build rules on the build page. Build repositories and images.
Step 6: Configure access control
- If your Docker client is in a VPC, configure VPC access control to allow it to connect. Configure a VPC access control list.
- If your Docker client connects over the internet, configure internet access control for the instance.
  - Log on to the Container Registry console.
  - In the top navigation bar, select a region.
  - In the left-side navigation pane, click Instances.
  - On the Instances page, click the Enterprise Edition instance that you want to manage.
  - In the left-side navigation pane of the instance details page, choose .
  - On the Access Control page, click the Internet tab, turn on the Enable Access over Internet switch, and then click Add Internet Whitelist.
  - In the Add Internet Whitelist dialog box, enter the CIDR block of your Docker client's host and a description, and then click Confirm.
    Docker clients from the specified CIDR block can then access the instance.
  Important: If you want to allow all Docker clients on the internet to access the instance, you must enable internet access and delete all entries from the internet whitelist. Note: Exposing an instance to the public internet creates a security risk. Proceed with caution.
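The following added example (not part of the original documentation) pre-checks a CIDR block before you enter it in the Add Internet Whitelist dialog box: it confirms that the entry is well formed, that it covers the Docker client's address, and that it is not broader than a local policy allows. The addresses are constructed documentation ranges, and the minimum prefix length is an assumed policy value, not an ACR setting.

```sh
#!/bin/sh
# Added example: pre-check an internet whitelist entry for an ACR EE instance.
# All addresses are constructed documentation ranges (RFC 5737).

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() (
  case $1 in *.|*[!0-9.]*) exit 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  n=0
  for o in "$@"; do
    case $o in ''|0?*|????*) exit 1 ;; esac   # empty, leading zero, too long
    [ "$o" -le 255 ] || exit 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
)

# Succeed if CIDR block $1 contains address $2; exit 2 on malformed input.
cidr_contains() (
  net=${1%/*}; bits=${1#*/}
  case $bits in ''|*[!0-9]*|0?*|???*) exit 2 ;; esac
  [ "$bits" -le 32 ] || exit 2
  n=$(ip_to_int "$net") && i=$(ip_to_int "$2") || exit 2
  size=$(( 1 << (32 - bits) ))   # number of addresses in the block
  [ $(( n / size )) -eq $(( i / size )) ]
)

# Classify an entry. $3 is the shortest prefix length that local policy accepts
# (an assumption of this example, not an ACR parameter).
review_entry() (
  rc=0; cidr_contains "$1" "$2" || rc=$?
  [ "$rc" -ne 2 ] || { echo invalid; exit 0; }
  [ "$rc" -ne 1 ] || { echo client-not-covered; exit 0; }
  [ "${1#*/}" -ge "$3" ] || { echo too-broad; exit 0; }
  echo ok
)

# Constructed sample: a Docker client at 203.0.113.7, policy minimum /24.
for entry in 203.0.113.0/24 198.51.100.0/24 0.0.0.0/0 203.0.113.0/33; do
  printf '%-18s %s\n' "$entry" "$(review_entry "$entry" 203.0.113.7 24)"
done
```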
Step 7: Push and pull an image
Run the following commands from your Docker client.
- Log on to the image repository:
  Note: If you are pushing to or pulling from a public image repository, you can enable Pull from Anonymous Users on the Overview page of the Container Registry console. This allows you to pull images anonymously without logging in.
    docker login --username=<username> <instance_name>-registry.<region>.cr.aliyuncs.com
  Example:
    docker login --username=123@1234567810111213 m**-registry.cn-hangzhou.cr.aliyuncs.com
  When prompted, enter the password from Step 3: Set the repository password. A login succeeded message confirms success.
- Push an image.
  - Tag the image:
      docker tag <image_id> <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>
    Example:
      docker tag Digest m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
  - Push the image:
      docker push <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>
    Example:
      docker push m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
    On the Repositories page, click the target repository name and choose Image Version. Verify that the pushed image appears on the Image Version page.
- Pull the image:
    docker pull <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>
  Example:
    docker pull m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
  Run docker images to verify the image appears in the output.
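For unattended use (for example in a CI job), the following added example, which is not part of the original documentation, scripts Steps 2 and 7: it derives the username from a UPN, builds and validates the image reference, and feeds the Step 3 password to docker login on standard input. ACR_PASSWORD is an assumed environment variable name, and the name checks are a conservative subset of Docker's reference grammar rather than ACR's own rules.

```sh
#!/bin/sh
# Added example: scripted login, push and pull against an ACR EE instance.
# ACR_PASSWORD is an assumed environment variable holding the Step 3 password.

# Step 2 rule: a RAM user's username is the UPN without ".onaliyun.com";
# an Alibaba Cloud account name passes through unchanged.
acr_username() { printf '%s\n' "${1%.onaliyun.com}"; }

# Registry endpoint in the form used in Step 7.
acr_endpoint() { printf '%s-registry.%s.cr.aliyuncs.com\n' "$1" "$2"; }

# Build <endpoint>/<namespace>/<repository>:<tag>; fail on unsafe parts.
acr_image_ref() (
  LC_ALL=C   # make [a-z] mean ASCII lowercase only
  for part in "$2" "$3"; do
    case $part in
      ''|*[!a-z0-9._-]*|[._-]*|*[._-]|*[._-][._-]*) exit 1 ;;
    esac
  done
  case $4 in ''|*[!A-Za-z0-9_.-]*|[.-]*) exit 1 ;; esac
  [ "${#4}" -le 128 ] || exit 1
  printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "$4"
)

# Usage: acr_push_pull <upn|account> <instance> <region> <namespace> <repo> <tag> <image_id>
acr_push_pull() (
  : "${ACR_PASSWORD:?set ACR_PASSWORD to the Step 3 password}"
  user=$(acr_username "$1") && endpoint=$(acr_endpoint "$2" "$3") &&
    ref=$(acr_image_ref "$endpoint" "$4" "$5" "$6") || exit 1
  # --password-stdin keeps the password out of argv, shell history and ps output.
  printf '%s' "$ACR_PASSWORD" |
    docker login --username "$user" --password-stdin "$endpoint" &&
    docker tag "$7" "$ref" &&
    docker push "$ref" &&
    docker pull "$ref"
  rc=$?
  docker logout "$endpoint"   # remove the stored credential in every case
  exit "$rc"
)

# Runs only when all seven arguments are supplied on the command line.
if [ $# -eq 7 ]; then acr_push_pull "$@"; fi
```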