Container Registry Enterprise Edition is an enterprise-grade platform designed to manage the lifecycle of cloud-native application artifacts, including container images, Helm charts, and Open Container Initiative (OCI) artifacts. You can manage images in a Container Registry Enterprise Edition instance and use images to create applications. This topic describes how to use a Container Registry Enterprise Edition instance to push and pull images.

Prerequisites

Step 1: Create a Container Registry Enterprise Edition instance

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. On the Instances page, click Create ACR EE.
  4. On the Container Registry Enterprise Edition page, configure the basic information and click Buy Now.
    Parameter Description
    Region The region where the Container Registry Enterprise Edition instance resides.
    Instance Type The instance type of the Container Registry Enterprise Edition instance. For more information, see What is Container Registry?.
    Instance Name The name of the instance.
    Instance Storage Valid values: Default and Custom.
    • Default: By default, an OSS bucket is created in your account to store container images.
    • Custom: You can select an existing OSS bucket to store container images.
    Select Bucket Select an existing OSS bucket to store container images.
    Note This parameter is displayed only when you set the Instance Storage parameter to Custom.
    Security Scan Container Registry Enterprise Edition provides the image security scan feature. It supports the following security scan engines:
    • Trivy Scan Engine: an open source scan engine that can detect system and application vulnerabilities. Trivy scan engines do not allow you to fix system vulnerabilities in a few clicks.
    • Security Center Scan Engine: a scan engine developed by Alibaba Cloud. The engine can detect system and application vulnerabilities, baseline risks, and malicious samples. Security Center scan engines allow you to fix system vulnerabilities in a few clicks.
    Repository Quota The default repository quotas for the Basic Edition, Standard Edition, and Advanced Edition are 1,000, 3,000, and 5,000 separately. You can apply for a quota increase based on your business requirements.
    Namespace Quota The default namespace quotas for the Basic Edition, Standard Edition, and Advanced Edition are 15, 25, and 50 separately. You can apply for a quota increase based on your business requirements.
    Duration You can select 1 Month, 2 Months, 3 Months, or 6 Months. If you require a longer duration, you can select 1 Year, 2 Years, 3 Years, 4 Years, or 5 Years.
    Note You can select to enable auto-renewal.
  5. On the Confirm Order page, verify the configurations, select I have read and agree to Container Registry Enterprise Edition Agreement of Service, and then click Pay.
  6. In the lower-right corner of the Purchase page, view the total fees of the instance. Verify the order information and complete the payment as prompted.

    On the Instances page, the status of the new instance is Starting. The status changes to Running after 2 or 3 minutes.

Step 2: Obtain the username that you use to log on to image repositories

  • If you use an Alibaba Cloud account, the name of the Alibaba Cloud account is the username that you use to log on to image repositories.
  • If you use a RAM user, the string before .onaliyun.com is the username that you use to log on to image repositories. For example, if the name of your RAM user is 123@1234567810111213.onaliyun.com, 123@1234567810111213 is the username that you use to log on to image repositories.

Step 3: Set a password that you use to log on to image repositories

If you want to push and pull images by using a fixed credential, you can configure an access credential. For more information, see Configure an access credential.

Step 4: Create a namespace

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. On the Instances page, click the Container Registry Enterprise Edition instance for which you want to create a namespace.
  4. On the management page of the Container Registry Enterprise Edition instance, choose Repository > Namespace in the left-side navigation pane.
  5. On the Namespace page, click Create Namespace.
  6. In the Create Namespace dialog box, set the Namespace, Automatically Create Repository, and Default Repository Type parameters. Click Confirm.

Step 5: Create an image repository

  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. On the Instances page, click the Container Registry Enterprise Edition instance for which you want to create an image repository.
  4. On the management page of the Container Registry Enterprise Edition instance, choose Repository > Repositories in the left-side navigation pane.
  5. On the Repositories page, click Create Repository.
  6. In the Repository Info step, set the Namespace, Repository Name, Repository Type, Tags, Accelerated Image, Summary, and Description parameters, and click Next.
  7. In the Code Source step, configure the Code Source, Build Settings, and Build Rules parameters, and click Create Repository.
    Parameter Description
    Code Source The code source.
    Build Settings
    • Automatically Build Images When Code Changes: An image is automatically built when code is committed from a branch.
    • Intelligently Build Overseas Sources: Images are built on servers outside the Chinese mainland and then pushed to the repository in the specified region.
    • Build Without Cache: The system pulls the dependent base image for every image to be built. This may prolong the build time.
    Build Rules After the repository is created, you can go to the Build page to create build rules. For more information, see Create a repository and build images.

Step 6: Configure access control

  • If your Docker client uses a virtual private cloud (VPC), you must configure access to the Container Registry Enterprise Edition instance over VPCs to allow the client to connect to the instance. For more information, see Configure access over VPCs.
  • If your Docker client uses the Internet, you must configure the access to the Container Registry Enterprise Edition instance over the Internet to allow the client to connect to the instance. In this example, Internet access is enabled.
  1. Log on to the Container Registry console.
  2. In the top navigation bar, select a region.
  3. On the Instances page, click the required Container Registry Enterprise Edition instance.
  4. On the management page of the Container Registry Enterprise Edition instance, choose Repository > Access Control in the left-side navigation pane.
  5. On the Access Control page, click the Internet tab, turn on the Access Portal switch, and then click Add Internet Whitelist.
  6. In the Add Internet Whitelist dialog box, enter the CIDR block and description of your Docker client, and then click Confirm.
    After the CIDR block is added, the Docker clients whose IP addresses fall within the CIDR block can access the Container Registry Enterprise Edition instance.
    Notice If you want to allow all Docker clients to access the Container Registry Enterprise Edition instance over the Internet, clear the whitelist that controls Internet access. After you clear the whitelist, the Container Registry Enterprise Edition instance is completely exposed to the Internet and may be attacked. Proceed with caution.

Step 7: Push and pull an image

The following commands must be run on the Docker client. Install and configure the Docker client in advance.

  1. Run the following command to log on to the image repository:
    Note If you push images to or pull images from a public image repository, you can turn on the Pull from Anonymous Users switch on the Overview page in the Container Registry console. Then, you can push images to or pull images from the public image repository anonymously without logging on to the console. 
    docker login --username=<Username for logging on to the image repository> <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the Container Registry Enterprise Edition instance>.cr.aliyuncs.com
    Example:
     docker login --username=123@1234567810111213 m**-registry.cn-hangzhou.cr.aliyuncs.com

    At the command prompt, enter the logon password that is specified in Step 3: Set a password that you use to log on to image repositories. If login succeeded is displayed, the logon is successful.

  2. Push an image.
    1. Run the following command to tag the image: 
      docker tag <Image ID> <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the Container Registry Enterprise Edition instance>.cr.aliyuncs.com/<Name of the Namespace>/<Name of the image repository>:<Tag of the image>
      Example:
      docker tag Digest m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
    2. Run the following command to push the image to the Container Registry Enterprise Edition instance: 
      docker push <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the Container Registry Enterprise Edition instance>.cr.aliyuncs.com/<Name of the Namespace>>/<Name of the image repository>:<Tag of the image>
      Example:
      docker push m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
      On the Repositories page, click the name of the image repository. On the page that appears, click Tags. If the image name appears on the Tags page, the image is pushed to the image repository.
  3. Run the following command to pull an image: 
    docker pull <Name of the Container Registry Enterprise Edition instance>-registry.<Region ID of the Container Registry Enterprise Edition instance>.cr.aliyuncs.com/<Name of the namespace>/<Name of the image repository>:<Tag of the image>
    Example:
    docker pull m**-registry.cn-hangzhou.cr.aliyuncs.com/m**/test:latest
    Run the docker images command. If the image is displayed in the command output, the image is pulled from the image repository.