Moving docker images from one container registry to another
How to copy Docker Hub images into your private Azure Container Registry (ACR).
In a business, when consuming public docker images, you may want to sanitise them by running some processes before putting them to use. This process could be used for:
- Standardising configuration.
- Installing required software/packages.
- Checking for vulnerabilities and taking snapshots of all dependency versions.
- Validating OSS License compliance.
- Scanning for malware.
- OS-level patching.
Generally that would result in “Golden Images”, or simply base images that are white-listed for internal consumption. I won’t be focusing on why or how to do any of the above, as it could be quite specific. However, below I will cover how to automate the process of re-tagging public images so you can push them into your internal CR.
0. ACR Log in
In order to push images into a registry, you need to authenticate against it. For Azure ACR, you can either use the docker login command:
docker login --username USER_NAME --password PASSWORD ACR_NAME.azurecr.io
Or the azure CLI command:
az acr login -n ACR_NAME -g RESOURCE_GROUP_NAME --username USER_NAME --password PASSWORD
1. Pull source images
The re-tagging command takes place locally, so before you can do that, you need to pull the required images locally.
You can either pull all tags of a given image:
docker pull microsoft/dotnet -a
Or, to make this more storage- and time-efficient, find the tags you want for that docker image and execute the pull command to download only those.
2. Re-tag images and Push them up
Once you have the required images locally, you can add new tags to them with docker tag. Here’s a bash script to help with that:
Note that I use Go Templates in the docker images command, to build the commands I will need to execute.
For each image found locally based on the original_image that also matches the filter defined, the result will be:
docker tag SOURCE_NAME_AND_TAG TARGET_ACR/SOURCE_NAME_AND_TAG |
docker push TARGET_ACR/SOURCE_NAME_AND_TAG
Then, I “grep out” anything that is contained in the grep_filter. For example, I do not want to push the tag latest, nor any tag containing the words bionic, nanoserver or deps.
As a last thing, I execute all the commands, which will then re-tag and push each one of the images to the private ACR.
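The re-tag and push loop described above, as an added example that is not the author's script: it lists local tags with a Go template on docker images, drops tags matching a grep filter (tested against the tag only), and emits one "docker tag … && docker push …" command per remaining image. It assumes you have already logged in (step 0) and pulled the image (step 1); the ACR name myregistry.azurecr.io and the plan/run arguments are placeholders of this example.

```shell
#!/bin/sh
# Added example, not the author's script: build and run the
# "docker tag ... && docker push ..." commands for the local tags of a
# public image, skipping tags that match a grep filter.
set -eu

# Assumed values; ORIGINAL_IMAGE and TARGET_ACR can be overridden via the environment.
ORIGINAL_IMAGE="${ORIGINAL_IMAGE:-microsoft/dotnet}"      # source image on Docker Hub
TARGET_ACR="${TARGET_ACR:-myregistry.azurecr.io}"         # placeholder ACR login server
GREP_FILTER='^latest$|bionic|nanoserver|deps'             # tags to leave out (the post's example)

# list_local_tags IMAGE: one "repository:tag" line per local image, using a
# Go template on `docker images` as the post describes.
list_local_tags() {
  docker images "$1" --format '{{.Repository}}:{{.Tag}}'
}

# build_commands TARGET FILTER: read "repository:tag" lines on stdin, drop
# tags that match FILTER (matched against the tag only, so a filter such as
# "deps" cannot accidentally match the repository name) and untagged
# "<none>" entries, and print one "docker tag ... && docker push ..." line
# per remaining image. Pure text processing, so it needs no Docker daemon.
build_commands() {
  target="$1"
  filter="$2"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    tag="${line##*:}"
    [ "$tag" != "<none>" ] || continue
    if printf '%s\n' "$tag" | grep -Eq "$filter"; then
      continue
    fi
    printf 'docker tag %s %s/%s && docker push %s/%s\n' \
      "$line" "$target" "$line" "$target" "$line"
  done
}

# plan: print the commands.  run: execute them, stopping at the first failure.
case "${1:-}" in
  plan) list_local_tags "$ORIGINAL_IMAGE" | build_commands "$TARGET_ACR" "$GREP_FILTER" ;;
  run)  list_local_tags "$ORIGINAL_IMAGE" | build_commands "$TARGET_ACR" "$GREP_FILTER" | sh -e ;;
esac
```

Run `sh retag.sh plan` first to review the generated commands, then `sh retag.sh run` to execute them.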
Wrap Up
This can be especially handy when you are putting an image assurance process in place company-wide. Note that alternative approaches exist, for example using the original Dockerfiles (when available) to trigger the process of generating such images. However, I pursued the approach above as it felt easier to automate whilst keeping a direct connection to the publicly available docker images.