This topic describes key concepts in Container Registry to help you get started with container image management.
Container Registry organizes resources in a hierarchy: an instance contains one or more namespaces, each namespace contains one or more image repositories, and each repository stores container images identified by tags.
Container image
A container image is the standard packaging format for an application. Use a Dockerfile to package an application and all its dependencies into an image, push the image to an image repository, and pull it in a test or production environment to start containers.
Container Registry instance
A Container Registry instance is the top-level resource that hosts your image repositories. Before creating an image repository, create a Container Registry instance. Log in to the instance to manage images in its repositories. After modifying an image, push it to the repository again. Alternatively, use the image build feature to build an image directly in your data center and push it to the repository.
Addresses of container images
The address format differs between Container Registry Enterprise Edition and Container Registry Personal Edition.
| Edition | Address format |
|---|---|
| Enterprise Edition | instance-registry.cn-hangzhou.cr.aliyuncs.com/namespace/repository:tag |
| Personal Edition | registry.cn-hangzhou.aliyuncs.com/namespace/repository:tag |
The address components are:
| Component | Description |
|---|---|
instance |
The name of the Container Registry Enterprise Edition instance. You can configure a custom domain name for the instance to access it from any region. For more information, see Use a custom domain name to access a Container Registry Enterprise Edition instance. |
namespace |
The name of the namespace. |
repository |
The name of the image repository. Container Registry Personal Edition supports only tier-1 repository names. Container Registry Enterprise Edition supports multi-tier repository names, for example, agent/client/prod. |
tag |
The image tag, such as v1. This field is optional. The default value is latest. |
Dockerfile
A Dockerfile is a text document that defines how to build a container image. It contains the instructions and descriptions required for the build. Tools such as Docker read these instructions to automatically build container images.
OCI standard
The Open Container Initiative (OCI) standard consists of two specifications:
-
Runtime Specification (runtime-spec)
-
Image Specification (image-spec): unifies the container image format across container tools, so standard container images work in any OCI-compliant software and environment.
OCI artifact
An OCI artifact is any data package stored in a container registry using the OCI Artifact specification. Beyond container images, you can package data such as Helm charts and Cloud Native Application Bundles (CNAB) into OCI-compliant artifacts based on OCI manifests and OCI indexes. This lets Container Registry store, manage, and distribute different artifact types from a single location. Container Registry Enterprise Edition supports OCI artifacts. For more information, see Push and pull a custom OCI artifact.
Helm chart
Helm is a package manager for Kubernetes that manages charts and their releases.
A chart is a collection of files that describes a set of related Kubernetes resources—including images, dependencies, and resource definitions—required to run an application. For example, a chart can describe WordPress and MySQL resources, or the resource definitions for an etcd cluster.
Container Registry Enterprise Edition can host Helm charts. For more information, see Push and pull Helm charts.
Cloud-native delivery chain
A cloud-native delivery chain lets you combine image building, image scanning, image geo-replication, and image distribution into a single automated pipeline. Delivery chains are secure, auditable, and traceable. Push a source code change and the chain automatically builds, scans, distributes, and deploys the image to all target regions. Container Registry Enterprise Edition supports cloud-native delivery chains. For more information, see Create a delivery chain.
RAM-based access control
Resource Access Management (RAM) is Alibaba Cloud's identity and access control service. Within one Alibaba Cloud account, create multiple RAM users to represent employees, systems, or applications in your organization, and grant each user only the permissions they need.
RAM user
A RAM user is a principal with a fixed identity and credentials. A RAM user can represent a person or an application. Grant different image permissions to different RAM users to enforce least-privilege access. For more information, see Configure policies for RAM users to access Container Registry.
OSS
Object Storage Service (OSS) is a secure, cost-effective, and highly reliable Alibaba Cloud storage service for large volumes of unstructured data. OSS provides RESTful API operations that work independently of the OSS console, so you can access your data from any application at any time.
OSS bucket
An OSS bucket is a container for storing objects in OSS. All objects reside in a bucket. Configure each bucket with a region, an access control list (ACL), and a storage class to match your data requirements. Container Registry Enterprise Edition stores container images in OSS buckets. You can create custom OSS buckets. To use a custom OSS bucket, see Use RAM to grant permissions to access custom OSS buckets.