Adding images to your namespace in Container Registry
You can securely store and share Docker images with other users by adding images to your namespaceA collection of repositories that store images in a registry. A namespace is associated with an IBM Cloud account, which can include multiple namespaces. in IBM Cloud® Container Registry.
Every image that you want to add to your namespace must exist on your local computer first. You can either download (pull) an image from another repository to your local computer, or build your own image from a DockerfileA text file that contains instructions to build a Docker image.
by using the Docker build
command. To add an image to your namespace, you must upload (push) the local image to your namespace in IBM Cloud Container Registry.
Do not put personal information in your container images, namespace names, description fields, or in any image configuration data (for example, image names or image labels).
Pulling images from another registry
You can pull (download) an image from any private or public registryA storage and distribution service that contains public or private images that are used to create containers. source, and then tag it for later use in IBM Cloud Container Registry.
Before you begin, complete the following tasks.
-
Install the CLI to work with images in your namespace.
-
Make sure that you can run Docker commands without root permissions. If your Docker client is set up to require root permissions, you must run
ibmcloud login
,ibmcloud cr login
,docker pull
, anddocker push
commands withsudo
.If you change your permissions to run Docker commands without root privileges, you must run the
ibmcloud login
command again.
-
Download the image, see Pull an image in the Getting Started documentation.
If you get an
unauthorized: authentication required
or adenied: requested access to the resource is denied
message, run theibmcloud cr login
command.
After you pull an image and tag it for your namespace, you can upload (push) the image from your local computer to your namespace.
If you deploy a workload that pulls an image from Container Registry and your pods fail with an ImagePullBackOff status, see Why do images fail to pull from registry with ImagePullBackOff or authorization errors? for assistance.
Pushing Docker images to your namespace
You can push (upload) an image to your namespace in IBM Cloud Container Registry to store and share your image with other users.
Before you begin, complete the following tasks.
-
Install the CLI to work with images in your namespace.
-
Pull or build an image on your local computer and tag the image with your namespace information.
-
Make sure that you can run Docker commands without root permissions. If your Docker client is set up to require root permissions, you must run
ibmcloud login
,ibmcloud cr login
,docker pull
, anddocker push
commands withsudo
.If you change your permissions to run Docker commands without root privileges, you must run the
ibmcloud login
command again.
IBM Cloud Container Registry supports other clients as well as Docker. To log in by using other clients, see Accessing your namespaces interactively.
To upload (push) an image, complete the following steps:
-
Log in to the CLI by running the
ibmcloud cr login
command.ibmcloud cr login
You must log in if you pull an image from your private IBM Cloud Container Registry.
If you have a problem when you try to log in, see Why can't I log in to Container Registry? for assistance.
-
To view all namespaces that are available in your account, run the
ibmcloud cr namespace-list
command. -
Upload the image to your namespace.
If you get an
unauthorized: authentication required
or adenied: requested access to the resource is denied
message, run theibmcloud cr login
command.
After you push your image to IBM Cloud Container Registry, you can do one of the following tasks.
- Manage security with Vulnerability Advisor to find information about potential security issues and vulnerabilities.
- Create a cluster and use this image to deploy a container to the cluster in IBM Cloud Kubernetes Service.
Copying images between registries
You can pull an image from a registry in one region and push it to a registry in another region so that you can share the image with users in both regions.
Before you begin, complete the following tasks.
-
Install the CLI to work with images in your namespace.
-
Make sure that you can run Docker commands without root permissions. If your Docker client is set up to require root permissions, you must run
ibmcloud login
,ibmcloud cr login
,docker pull
, anddocker push
commands withsudo
.If you change your permissions to run Docker commands without root privileges, you must run the
ibmcloud login
command again.
To copy an image between two registries, complete the following steps:
- Pull an image from a registry.
- Push the image to another registry. Make sure that you use the correct domain name for the new region you're targeting.
After you copy your image, you can do one of the following tasks.
- Manage image security with Vulnerability Advisor to find information about potential security issues and vulnerabilities.
- Create a cluster and use this image to deploy a container to the cluster in IBM Cloud Kubernetes Service.
Creating images that refer to a source image
Create an image by using the ibmcloud cr image-tag
command.
In the region that you're logged in to, create an image in IBM Cloud Container Registry that refers to an existing image in the same region. This action is supported for source images that are created by using supported versions of Docker Engine, see Support for Docker.
New images that are created by using this mechanism do not retain signatures. If you require the new image to be signed, do not use this mechanism.
Before you begin, complete the following tasks.
- Install the CLI to work with images in your namespace.
- Ensure that you have access to a private namespace in IBM Cloud Container Registry that contains a source image to which you want to refer another image.
To create an image from a source image, complete the following steps.
-
Log in to the CLI by running the
ibmcloud cr login
command.ibmcloud cr login
-
Run the following command to add the new reference, where
SOURCE_IMAGE
is the name of your source image andTARGET_IMAGE
is the name of your target image. The source and target images must be in the same region.SOURCE_IMAGE
must be in the formatrepository:tag
orrepository@digest
andTARGET_IMAGE
must be in the formatrepository:tag
, for example,us.icr.io/namespace/image:latest
.To find the names of your images, run
ibmcloud cr image-list
. Combine the content of the Repository column (repository
) and Tag column (tag
) separated by a colon (:
) to create the image name in the formatrepository:tag
. To identify your image by digest, run theibmcloud cr image-digests
command. Combine the content of the Repository column (repository
) and the Digest column (digest
) separated by an at (@
) symbol to create the image name in the formatrepository@digest
. If the list images command times out, see Why is it timing out when I list images? for assistance.ibmcloud cr image-tag [SOURCE_IMAGE] [TARGET_IMAGE]
-
Verify that the new image was created by running the following command, and check that the image is shown in the list with the same image digest as the source image.
ibmcloud cr image-list
Building Docker images to use them with your namespace
You can build a Docker image directly in IBM Cloud or create your own Docker image on your local computer and upload (push) it to your namespace in IBM Cloud Container Registry.
Before you begin, complete the following tasks.
-
Install the CLI to work with images in your namespace.
-
Make sure that you can run Docker commands without root permissions. If your Docker client is set up to require root permissions, you must run
ibmcloud login
,ibmcloud cr login
,docker pull
, anddocker push
commands withsudo
.If you change your permissions to run Docker commands without root privileges, you must run the
ibmcloud login
command again.
A Docker image is the basis for every container that you create. An image is created from a Dockerfile, which is a file that contains instructions to build the image. A Dockerfile might reference build artifacts in its instructions that are stored separately, such as an app, the configuration of the app, and its dependencies.
If you want to take advantage of IBM Cloud compute resources and internet connection or Docker is not installed on your workstation, build your image directly in IBM Cloud. If you need to access resources in your build that are on servers that are behind your firewall, build your image locally.
To build your own Docker image, complete the following steps:
-
Create a local directory where you want to store the build context. The build context contains your Dockerfile and related build artifacts, such as the app code. Navigate to this directory in a command-line window.
-
Create a Dockerfile.
-
Create a Dockerfile in your local directory.
touch Dockerfile
-
Use a text editor to open the Dockerfile. At a minimum, you must add the base image to build your image from. Replace
<source_image>
and<tag>
with the image repository and tag that you want to use. If you're using an image from another private registry, define the full path to the image in IBM Cloud Container Registry.FROM <source_image>:<tag>
For example, to create a Dockerfile that is based on the public IBM WebSphere Application Server Liberty (
ibm/liberty
) image, use the following command.FROM icr.io/ibm/liberty:latest LABEL description="This is my test Dockerfile" EXPOSE 9080
This example adds a label to the image metadata and exposes port 9080. For more Dockerfile instructions that you can use, see the Dockerfile reference.
-
-
Decide on a name for your image. The image name must be in the following format, where
<my_namespace>
is your namespace information,<repo_name>
is the name of your repository, and<tag>
is the version that you want to use for your image:<region>.icr.io/<my_namespace>/<repo_name>:<tag>
To find your namespace, run the
ibmcloud cr namespace-list
command. -
Take note of the path to the directory that contains your Dockerfile. If you run the commands in the following steps while your working directory is set to where your build context is stored, you can replace
<directory>
with a period (.). -
Build and test your image locally before you push it to IBM Cloud.
-
Build the image from your Dockerfile on your local computer and tag it with your image name, where
<image_name>
is the name of your image and<directory>
is the path to the directory.docker build -t <image_name> <directory>
-
Optional: Test your image on your local computer before you push it to your namespace.
docker run <image_name>
Replace
<image_name>
with the name of your image. -
After you create your image and tag it for your namespace, you can push your image to your namespace in IBM Cloud Container Registry.
-
To use Vulnerability Advisor to check the security of your image, see Managing image security with Vulnerability Advisor.
Pushing images by using an API key
Create a service ID that uses an API keyA unique code that is passed to an API to identify the calling application or user. An API key is used to track and control how the API is being used, for example, to prevent malicious use or abuse of the API. to push images to IBM Cloud Container Registry.
Complete the following steps:
- Create a service ID, see Creating and working with service IDs.
- Create a policy that gives the service ID permission to access the registry, for example, Administrator and Manager roles, see Managing IAM access for Container Registry.
- Create an API key, see Creating an API key for a service ID.
- Use the API key to log in to registry so that you can push images to the registry, see Automating access to IBM Cloud Container Registry.
- Push your images, see Pushing Docker images to your namespace.
You can now use clusters to pull the images, see Building containers from images.
Removing tags from images in your private repository
You can remove a tag, or tags, from an image in your private IBM Cloud repository, and leave the underlying image and any other tags in place by using the
ibmcloud cr image-untag
command.
If multiple tags exist for the same image digest within a repository and you want to remove the underlying image and all its tags, see Deleting images from your private IBM Cloud repository.
To remove a tag, or tags, by using the CLI, complete the following steps:
-
Log in to IBM Cloud by running the
ibmcloud login
command. -
To remove a tag, run the following command, where
IMAGE
is the name of the image that you want to remove, in the formatrepository:tag
. If a tag is not specified in the image name, the command fails. You can delete the tags for multiple images by listing each private IBM Cloud registry path in the command with a space between each path.ibmcloud cr image-untag IMAGE
To find the names of your images, run
ibmcloud cr image-list
. Combine the content of the Repository column (repository
) and Tag column (tag
) separated by a colon (:
) to create the image name in the formatrepository:tag
. -
Verify that the tag was removed by running the following command, and check that the tag does not show in the list.
ibmcloud cr image-list
If the list images command times out, see Why is it timing out when I list images? for assistance.
Deleting images from your private repository
You can delete unwanted images from your private IBM Cloud repository by using either the IBM Cloud console or the CLI.
If you want to delete a private repository and its associated images, see Deleting a private repository and any associated images.
Deleting an image that is being used by an existing deployment might cause scale-up, reschedule, or both, to fail.
If you want to restore a deleted image, you can list the contents of the trash by running the ibmcloud cr trash-list
command and restore a selected image
by running the ibmcloud cr image-restore
command.
Where multiple tags exist for the same image digest within a repository, the ibmcloud cr image-rm
command removes the underlying image and all its tags.
If the same image exists in a different repository or namespace, the copy of the image is not removed. If you want to remove a tag from an image and leave the underlying image and any other tags in place, see Removing tags from images in your private repository command.
Deleting images from your private repository in the CLI
You can delete unwanted images and all their tags from your private IBM Cloud repository by using the CLI.
Deleting an image that is being used by an existing deployment might cause scale-up, reschedule, or both, to fail.
If you want to restore a deleted image, you can list the contents of the trash by running the ibmcloud cr trash-list
command and restore a selected image
by running the ibmcloud cr image-restore
command.
To delete an image by using the CLI, complete the following steps:
-
Log in to IBM Cloud by running the
ibmcloud login
command. -
To delete an image, run the following command, where
IMAGE
is the name of the image that you want to remove, in the formatrepository@digest
orrepository:tag
. If a tag is not specified in the image name, the image taggedlatest
is deleted by default. You can delete multiple images by listing each private IBM Cloud registry path in the command with a space between each path.ibmcloud cr image-rm IMAGE
To find the names of your images, run
ibmcloud cr image-list
. Combine the content of the Repository column (repository
) and Tag column (tag
) separated by a colon (:
) to create the image name in the formatrepository:tag
. To identify your image by digest, run theibmcloud cr image-digests
command. Combine the content of the Repository column (repository
) and the Digest column (digest
) separated by an at (@
) symbol to create the image name in the formatrepository@digest
. If the list images command times out, see Why is it timing out when I list images? for assistance. -
Verify that the image was deleted by running the following command, and check that the image does not show in the list.
ibmcloud cr image-list
Deleting images from your private repository in the console
You can delete unwanted images and all their tags from your private IBM Cloud image repository by using the IBM Cloud console.
Deleting an image that is being used by an existing deployment might cause scale-up, reschedule, or both, to fail.
If you want to restore a deleted image, you can list the contents of the trash by running the ibmcloud cr trash-list
command and restore a selected image
by running the ibmcloud cr image-restore
command.
To delete an image by using the IBM Cloud console, complete the following steps:
- Log in to the IBM Cloud console https://cloud.ibm.com/login with your IBMid.
- If you have multiple IBM Cloud accounts, from the account menu, select the account and region that you want to use.
- Click the Navigation menu icon, then click Container Registry.
- Click Images. A list of your images is displayed.
- In the row that contains the image that you want to delete, select the checkbox.
- Click Delete Image.
Listing images in the trash
You can list deleted images that are in the trash and see when they expire.
To find out which images are in the trash, you can use the ibmcloud cr trash-list
command. Images are stored in the trash for 30 days.
To list the images in the trash, complete the following steps:
-
Log in to IBM Cloud by running the
ibmcloud login
command. -
List the images in the trash by running the following command:
ibmcloud cr trash-list
-
List only the images in the trash for the namespace that you're interested in by running the following command, where
<namespace>
is your namespace:ibmcloud cr trash-list --restrict <namespace>
Restoring images
You can restore images from the trash. Deleted images are stored in the trash for 30 days.
You can restore an image from the trash by running the ibmcloud cr image-restore
command. To find out which images are in the trash, run the ibmcloud cr trash-list
command.
You can restore images by running the ibmcloud cr image-restore
command. You can use the following options:
<repo>@<digest>
restores the digest and all its tags in the repository that aren't already in the live repository, see Restoring images by digest.<repo>:<tag>
restores the tag, see Restoring images by tag.
Restoring images by digest
When you restore an image by digest, the digest is copied from the trash into your live repository, and all the tags for the digest in the repository are restored. The digest continues to show in the trash because a copy is restored.
To restore an image by digest from the trash, complete the following steps:
-
Log in to IBM Cloud by running the
ibmcloud login
command. -
List the images in the trash by running the following command:
ibmcloud cr trash-list
A table is displayed that shows the items in the trash. The table shows the digest, the days until expiry, and the tags for that digest.
-
Note the digest for the image that you want to restore.
-
Run the following command to restore the image to your repository. Where
<dns>
is the domain name,<namespace>
is the namespace,<repo>
is the repository, and<digest>
is the digest of the image that you want to restore.ibmcloud cr image-restore <dns>/<namespace>/<repo>@<digest>
If some tags aren't restored, see Why aren't all the tags restored when I restore by digest? for assistance.
In your live repository, you can pull the image by digest. If you run the
ibmcloud cr image-digests
command, the image shows in the output.
Restoring images by tag
When you restore an image by tag, only that specific tag is moved out of the trash into your live repository.
To restore an image by tag from the trash, complete the following steps:
-
Log in to IBM Cloud by running the
ibmcloud login
command. -
List the images in the trash by running the following command:
ibmcloud cr trash-list
A table is displayed that shows the items in the trash. The table shows the digest, the days until expiry, and the tags for that digest.
-
For the image that you want to restore, make a note of the digest up to, but not including, the at sign (
@
). This section of the digest is<dns>/<namespace>/<repo>
, where<dns>
is the domain name,<namespace>
is the namespace, and<repo>
is the repository. -
For the image that you want to restore, make a note of the tag,
<tag>
. -
Run the following command to restore the image to your repository, where
<dns>/<namespace>/<repo>
is the name of the image that you want to restore and<tag>
is the tag.ibmcloud cr image-restore <dns>/<namespace>/<repo>:<tag>
In your live repository, you can pull the image by tag.
If you get an error when you're restoring an image that says that the tagged image exists, see Why do I get an error when I'm restoring an image? for assistance.
If you run the
ibmcloud cr trash-list
command, the digest and any other tags show in the output, but the tag is no longer displayed.
Deleting a private repository and any associated images
You can delete private repositories that are no longer required, and any associated images, by using the IBM Cloud console.
When you delete a repository, all images in that repository are deleted. This action can't be undone.
Before you begin, you must back up any images that you want to keep.
To delete a private repository by using the IBM Cloud console, complete the following steps:
-
Log in to the IBM Cloud console https://cloud.ibm.com/login with your IBMid.
-
If you have multiple IBM Cloud accounts, from the account menu, select the account and region that you want to use.
-
Click the Navigation menu icon, then click Container Registry.
-
Click Repositories. A list of your private repositories is displayed.
-
In the row that contains the private repository that you want to delete, select the checkbox.
Ensure that the correct repository is selected because this action can't be undone.
-
Click Delete Repository.