Moving docker images from one container registry to another

How to copy Docker Hub images into your private Azure Container Registry (ACR).

Paulo Gomes
Aug 18, 2018 · 2 min read

In a business, when consuming public docker images, you may want to sanitise them, running some processes before putting them to use. This process could be used for:

  • Standardising configuration.
  • Installing required software/packages.
  • Checking for vulnerabilities and taking snapshots of all dependency versions.
  • Validating OSS License compliance.
  • Scanning for malware.
  • OS-level patching.

Generally that would result in “Golden Images”, or simply base images that are white-listed for internal consumption. I won’t be focusing on why or how to do any of the above, as it can be quite specific. Below I will just cover how to automate the process of re-tagging public images so you can push them into your internal CR.

0. ACR Log in

In order to push images into a registry, you need to authenticate against it. For Azure ACR, you can either use the docker login command:

docker login --username USER_NAME --password PASSWORD ACR_NAME.azurecr.io

Or the azure CLI command:

az acr login -n ACR_NAME -g RESOURCE_GROUP_NAME --username USER_NAME --password PASSWORD

1. Pull source images

The re-tagging command takes place locally, so before you can do that, you need to pull the required images locally.

You can either pull all tags of a given image:

docker pull microsoft/dotnet -a

Or, to make this more storage- and time-efficient, find the tags you want for that docker image and run the pull command to download only them.

2. Re-tag images and push them up

Once you have the required images locally, you can add new tags to them with docker tag. Here’s a bash script to help with that:

Note that I use Go templates in the docker images command to build the commands I will need to execute.

For each image found locally that is based on the original_image and also matches the defined filter, the generated command will be:

docker tag SOURCE_NAME_AND_TAG TARGET_ACR/SOURCE_NAME_AND_TAG && docker push TARGET_ACR/SOURCE_NAME_AND_TAG

Then, I “grep out” anything that is contained in the grep_filter. For example, I do not want to push the tag latest, nor any tag containing the words bionic, nanoserver or deps.

As a last thing, I execute all the commands, which will then re-tag and push each one of the images to the private ACR.
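The script described above, as an added example rather than the author's own gist: it lists the local tags of the source image with a Go template, drops the tags matched by the grep filter (and dangling <none> tags), and builds one tag-and-push command per remaining image. The image and registry names are placeholders you would substitute.

```bash
#!/usr/bin/env bash
# Added example (not the post's gist). Generates "docker tag && docker push"
# commands for the locally pulled tags of ORIGINAL_IMAGE, skipping tags that
# match GREP_FILTER, then runs them (or only prints them with DRY_RUN=1).
set -eu

# build_commands ORIGINAL_IMAGE TARGET_ACR GREP_FILTER
# Reads "repo:tag" lines on stdin (the shape produced by
# docker images --format '{{.Repository}}:{{.Tag}}') and prints one command
# per image. Split out from the docker call so it can be tested offline.
build_commands() {
  local original_image="$1" target_acr="$2" grep_filter="${3:-}"
  # Keep only exact repo matches; "[^<]" also drops dangling "<none>" tags
  # (a real tag never starts with "<"). "|| true" stops a no-match grep
  # from failing the pipeline under set -e.
  { grep -E "^${original_image}:[^<]" || true; } \
    | { if [ -n "$grep_filter" ]; then grep -Ev -- "$grep_filter" || true; else cat; fi; } \
    | while IFS= read -r image; do
        printf 'docker tag %s %s/%s && docker push %s/%s\n' \
          "$image" "$target_acr" "$image" "$target_acr" "$image"
      done
}

# retag_and_push ORIGINAL_IMAGE TARGET_ACR [GREP_FILTER]
# Wrapper around the real docker CLI; requires a prior docker login to the ACR.
# Example: DRY_RUN=1 retag_and_push microsoft/dotnet ACR_NAME.azurecr.io 'latest|bionic|nanoserver|deps'
retag_and_push() {
  local original_image="$1" target_acr="$2" grep_filter="${3:-latest}"
  docker images --format '{{.Repository}}:{{.Tag}}' "$original_image" \
    | build_commands "$original_image" "$target_acr" "$grep_filter" \
    | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
          echo "$cmd"
        else
          bash -c "$cmd"
        fi
      done
}
```

Run with DRY_RUN=1 first to review the exact tag/push list before anything leaves the host.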

Wrap Up

This can be especially handy when you are putting an image assurance process in place company-wide. Note that alternative approaches exist, for example using the original Dockerfiles (when available) to trigger the process of generating such images. However, I pursued the approach above as it felt easier to automate whilst keeping a direct connection to the publicly available docker images.

Written by Paulo Gomes: Software craftsman on the eternal learning path towards (hopefully) mastery. Security enthusiast keen on SecDevOps. My opinions are my own.
