Container Registry: Push and pull images

Last Updated: May 26, 2026

Use a Container Registry Enterprise Edition instance to push, pull, store, and manage container images across environments.

Prerequisites

Step 1: Create an Enterprise Edition instance

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click Create ACR EE.

  5. On the Create ACR EE page, configure the basic information and click Buy Now.

    Parameter
        Description

    Region
        Select the instance deployment region.

    Specification
        Select an instance type. Available types are described in "What is Alibaba Cloud Container Registry (ACR)?".

    Name
        Enter an instance name.

    Instance Storage
        Valid values: Default and Custom.
        • Default: An OSS bucket is automatically created in your account to store images.
        • Custom: Select an existing OSS bucket to store images.

    Select Bucket
        Select an existing OSS bucket to store images.
        Note: This parameter is required only when you set Instance Storage to Custom.

    Security Scan
        Select a scan engine:
        • Trivy Scan Engine: Open source engine. Detects system and application vulnerabilities. Does not support one-click fixes for system vulnerabilities.
        • Security Center Scan Engine: Alibaba Cloud engine. Detects system vulnerabilities, application vulnerabilities, baseline risks, and malicious samples. Supports one-click fixes for system vulnerabilities.

    Repository quota
        Default: 1,000 (Basic), 3,000 (Standard), 5,000 (Advanced). You can increase the quota as needed.

    Namespace quota
        Default: 15 (Basic), 25 (Standard), 50 (Advanced). You can increase the quota as needed.

    VPC access control quota
        Purchase this quota if your service pulls images over a VPC. See Billing.

    Subscription Duration
        You can select 1, 2, 3, or 6 months, or from 1 to 5 years.
        Note: Auto-renewal is also available.

    Resource Groups
        Select an existing Resource Group. You can also click Create Resource Group and, in the dialog box that appears, enter the Resource Group Identifier and Resource Group Name, and then click Confirm.

  6. On the Confirm Order page, verify the Parameters, review the Terms of Service and Service Level Agreement (SLA), and then click Payment.

  7. On the Pay page, review the total cost of the instance at the bottom of the page. If the amount is correct, follow the prompts to complete the payment.

    On the Instances page, the status of the new instance is Starting. After about 2 to 3 minutes, the status changes to Running.

Step 2: Get the repository username

  • If you use an Alibaba Cloud account, the account name is your username for the image repository.

  • If you use a RAM user, your username is the part of the UPN before .onaliyun.com. For example, if your RAM user's UPN is 123@123456781011****.onaliyun.com, your username is 123@123456781011****.

Step 3: Set the repository password

Pushing and pulling images requires a fixed credential. To set one, see Configure access credentials.

Step 4: Create a namespace

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the target Enterprise Edition instance.

  5. In the left-side navigation pane of the instance details page, choose Repository > Namespace.

  6. On the Namespace page, click Create Namespace.

  7. In the Create Namespace sidebar, set the namespace name, turn Automatically Create Repository on or off, and click Confirm.

    If you turn on Automatically Create Repository, configure the following settings:

    UI element
        Description

    Repository Type
        • Public: By default, users must log in to the Enterprise Edition instance to pull public images. To allow anonymous pulls, you must enable anonymous access for the instance.
          We recommend that you set the repository type to Private to ensure data security.
        • Private: To pull private images, users must log in to the Enterprise Edition instance and have the required Pull permissions.

    Immutable Image Tags
        Flexible. If you select this option, image tags in this repository other than latest cannot be overwritten, which ensures the consistency of container image tags.

    Accelerated Image
        Specifies whether the feature is Off. If you select the check box, an accelerated image tag with the _accelerated suffix is automatically generated in the repository.

Step 5: Create an image repository

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the target Enterprise Edition instance.

  5. In the left-side navigation pane of the instance details page, choose Repository > Repositories.

  6. On the Repositories page, click Create Repository.

  7. In the Repository Info wizard, configure Namespace, Repository Name, Repository Type, Image Version, Accelerated Image, Summary, and Description. Then, click Next.

  8. In the Code Source wizard, configure Code Source, Build Settings, and Build Rules. Then, click Create Repository.

    Parameter
        Description

    Code Source
        Select a code source.

    Build Settings
        • Automatically Build Images When Code Changes: Triggers a build on each code commit.
        • Build With Servers Deployed Outside Chinese mainland: Builds images outside Chinese mainland and pushes to your specified region.
        • Build Without Cache: Always pulls a fresh base image. May increase build time.

    Build Rules
        After creating the repository, configure build rules on the build page. See Build repositories and images.

Step 6: Configure access control

  • If your Docker client is in a VPC, configure VPC access control to allow it to connect. See Configure a VPC access control list.

  • If your Docker client connects over the internet, configure internet access control for the instance.

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. In the left-side navigation pane of the instance details page, choose Repository > Access Control.

  6. On the Access Control page, click the Internet tab, turn on the Enable Access over Internet switch, and then click Add Internet Whitelist.

  7. In the Add Internet Whitelist dialog box, enter the CIDR block of your Docker client's host and a description, and then click Confirm.

    Docker clients from the specified CIDR block can then access the instance.

    Important

    If you want to allow all Docker clients on the internet to access the instance, you must enable internet access and delete all entries from the internet whitelist. Note: Exposing an instance to the public internet creates a security risk. Proceed with caution.
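
A check for the rule in the Important note above, as an added example that is not part of the original page: with internet access on, an empty whitelist admits every client, and a /0 entry does the same. The function name, its argument format (the access state followed by the whitelist CIDR blocks, copied from the console by hand), the IPv4-only parsing and the /16 breadth threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit_internet_acl and its input format are assumptions,
# not an ACR tool or API.
# Usage: audit_internet_acl <on|off> [cidr ...]
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_internet_acl() {
    state=$1; shift
    findings=0
    if [ "$state" != on ]; then
        echo "OK: internet access is off"
        return 0
    fi
    if [ "$#" -eq 0 ]; then
        # Page rule: internet on + empty whitelist = any client may connect.
        echo "OPEN: internet access on with an empty whitelist"
        return 1
    fi
    for cidr in "$@"; do
        case "$cidr" in
            */*) prefix=${cidr#*/} ;;
            *)   echo "INVALID: $cidr is not a CIDR block"; findings=1; continue ;;
        esac
        case "$prefix" in
            ''|*[!0-9]*) echo "INVALID: $cidr"; findings=1; continue ;;
        esac
        if [ "$prefix" -gt 32 ]; then
            echo "INVALID: $cidr"; findings=1
        elif [ "$prefix" -eq 0 ]; then
            echo "OPEN: $cidr matches every address"; findings=1
        elif [ "$prefix" -lt 16 ]; then
            # Assumed threshold: anything wider than a /16 deserves a second look.
            echo "BROAD: $cidr covers more than 65536 addresses"; findings=1
        else
            echo "OK: $cidr"
        fi
    done
    return "$findings"
}

# Constructed sample run (documentation address ranges):
#   audit_internet_acl on 203.0.113.0/24 0.0.0.0/0
```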

Step 7: Push and pull an image

Run the following commands from your Docker client.

  1. Log on to the image repository:

    Note

    If you are pushing to or pulling from a public image repository, you can enable Pull from Anonymous Users on the Overview page of the Container Registry console. This allows you to pull images anonymously without logging in.

    docker login --username=<username> <instance_name>-registry.<region>.cr.aliyuncs.com

    Example:

    docker login --username=123@1234567810111213 m**-registry.cn-hangzhou.cr.aliyuncs.com

    When prompted, enter the password from Step 3: Set the repository password. A "Login Succeeded" message confirms success.

  2. Push an image.

    1. Tag the image:

      docker tag <image_id> <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>

      Example:

      docker tag Digest m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
    2. Push the image:

      docker push <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>

      Example:

      docker push m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest

      On the Repositories page, click the target repository name and choose Image Version. Verify that the pushed image appears on the Image Version page.

  3. Pull the image:

    docker pull <instance_name>-registry.<region>.cr.aliyuncs.com/<namespace>/<repository_name>:<image_tag>

    Example:

    docker pull m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest

    Run docker images to verify the image appears in the output.
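
The Step 2, Step 3 and Step 7 commands combined into a non-interactive script, as an added example that is not part of the original page. The function names, the ACR_PASSWORD variable and the values in the usage comment are assumptions; the script passes the password through docker login --password-stdin so it stays out of shell history and the process list, and pulls back by the pushed digest rather than by the tag, which can be overwritten.

```shell
#!/bin/sh
# Added example: helper names and ACR_PASSWORD are assumptions, not part of ACR.

# Step 2: a RAM user's registry username is the UPN without ".onaliyun.com".
# An Alibaba Cloud account name is returned unchanged.
acr_username() {
    printf '%s\n' "${1%.onaliyun.com}"
}

# Registry endpoint in the form used by the Step 7 commands.
acr_endpoint() {  # <instance_name> <region>
    printf '%s-registry.%s.cr.aliyuncs.com\n' "$1" "$2"
}

# Full image reference; refuses empty fields and unfilled <placeholders>.
acr_image_ref() {  # <instance_name> <region> <namespace> <repository> <tag>
    [ "$#" -eq 5 ] || { echo "expected 5 fields" >&2; return 1; }
    for part in "$@"; do
        case "$part" in
            ''|*'<'*|*'>'*|*' '*) echo "invalid field: '$part'" >&2; return 1 ;;
        esac
    done
    printf '%s/%s/%s:%s\n' "$(acr_endpoint "$1" "$2")" "$3" "$4" "$5"
}

# Log in, tag, push, then pull the pushed content back by digest.
acr_push_pull() {  # <upn_or_account> <local_image> <instance> <region> <ns> <repo> <tag>
    user=$(acr_username "$1"); local_image=$2; shift 2
    ref=$(acr_image_ref "$@") || return 1
    : "${ACR_PASSWORD:?set ACR_PASSWORD to the Step 3 credential}"
    printf '%s' "$ACR_PASSWORD" |
        docker login --username "$user" --password-stdin "$(acr_endpoint "$1" "$2")" || return 1
    docker tag "$local_image" "$ref" || return 1
    docker push "$ref" || return 1
    # After a push, RepoDigests holds <registry>/<ns>/<repo>@sha256:<hash>.
    digest=$(docker image inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$ref" |
        grep -F "${ref%:*}@" | head -n 1)
    [ -n "$digest" ] || { echo "no digest recorded for $ref" >&2; return 1; }
    docker pull "$digest"
}

# Usage (constructed values):
#   ACR_PASSWORD=... acr_push_pull 'dev@example.onaliyun.com' myapp:1.0 \
#       myinstance cn-hangzhou myns myapp 1.0
```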