Moving docker images from one container registry to another

How to copy Docker Hub images into your private Azure Container Registry (ACR).

Paulo Gomes
2 min read · Aug 18, 2018

When a business consumes public docker images, it may want to sanitise them first, running them through some processes before putting them to use. Such a process could be used for:

  • Standardising configuration.
  • Installing required software/packages.
  • Checking for vulnerabilities and taking snapshots of all dependency versions.
  • Validating OSS License compliance.
  • Scanning for malware.
  • OS-level patching.

Generally that would result in “Golden Images”, or simply base images, that would be white-listed for internal consumption. I won’t be focusing on why or how to do any of the above, as it could be quite specific. Instead, I will cover how to automate the process of re-tagging public images so you can push them into your internal CR.

0. ACR Log in

In order to push images into a registry, you need to authenticate against it. For Azure ACR, you can either use the docker login command:

docker login --username USER_NAME --password PASSWORD ACR_NAME.azurecr.io

Or the azure CLI command:

az acr login -n ACR_NAME -g RESOURCE_GROUP_NAME --username USER_NAME --password PASSWORD

1. Pull source images

Re-tagging takes place locally, so before you can do it you need to pull the required images.

You can either pull all tags of a given image:

docker pull microsoft/dotnet -a

Or, to save storage and time, find the tags you want for that docker image and execute the pull command for only those tags.

2. Re-tag images and push them up

Once you have the required images locally, you can add new tags to them with docker tag. Here’s a bash script to help with that:

Note that I use Go Templates in the docker images command, to build the commands I will need to execute.

For each image found locally based on the original_image that also matches the filter defined, the result will be:

docker tag SOURCE_NAME_AND_TAG TARGET_ACR/SOURCE_NAME_AND_TAG |
docker push TARGET_ACR/SOURCE_NAME_AND_TAG

Then, I “grep out” anything that is contained in the grep_filter. For example, I do not want to push the tag latest, nor any tag containing the words bionic, nanoserver or deps.

As a last thing, I execute all the commands, which will then re-tag and push each one of the images to the private ACR.
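
An added example of the re-tag and push step described above (not the author's script). The variable names original_image and grep_filter come from the text; target_acr, the function names and the --plan/--push modes are assumptions. It applies the filter to the tag part only, skips malformed references, and calls docker directly instead of executing generated command strings.

```shell
#!/bin/sh
# Added example, not the article's original script. Values are assumptions.
set -eu

original_image="${ORIGINAL_IMAGE:-microsoft/dotnet}"        # image pulled in step 1
target_acr="${TARGET_ACR:-ACR_NAME.azurecr.io}"             # placeholder registry
grep_filter="${GREP_FILTER:-latest|bionic|nanoserver|deps}" # tag words to skip

# Print REPOSITORY:TAG for every local tag of an image (Go template output).
list_local_refs() {
  docker images --format '{{.Repository}}:{{.Tag}}' "$1"
}

# Read refs on stdin. Keep only well-formed NAME:TAG refs (this drops <none>
# tags and anything with shell metacharacters), then drop filtered tags.
select_refs() {
  grep -E '^[a-z0-9][a-z0-9._/-]*:[A-Za-z0-9_][A-Za-z0-9._-]*$' |
    grep -Ev ":[^:]*($1)[^:]*\$" || true
}

# Dry run: print the tag and push commands for each ref read on stdin.
plan_refs() {
  while IFS= read -r ref; do
    printf 'docker tag %s %s/%s\n' "$ref" "$1" "$ref"
    printf 'docker push %s/%s\n' "$1" "$ref"
  done
}

# Execute: docker is called with quoted arguments, so no generated command
# string is passed back through the shell.
copy_refs() {
  while IFS= read -r ref; do
    docker tag "$ref" "$1/$ref" </dev/null
    docker push "$1/$ref" </dev/null
  done
}

case "${1:-}" in
  --plan) list_local_refs "$original_image" | select_refs "$grep_filter" | plan_refs "$target_acr" ;;
  --push) list_local_refs "$original_image" | select_refs "$grep_filter" | copy_refs "$target_acr" ;;
esac
```

Run it with --plan first to review the commands, then with --push once the list looks right.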

Wrap Up

This can be especially handy when you are putting a company-wide Image Assurance process in place. Note that alternative approaches exist, for example, using the original Dockerfiles (when available) to trigger the process of generating such images. However, I pursued the approach above as it felt easier to automate whilst keeping a direct connection to publicly available docker images.
