Background

No matter where you are in the software lifecycle, from coding to operation, you have likely worked with containers. And for good reason: they’re portable, distributable, disposable, scalable, and many other -ables.

As a platform engineer, I've spent a lot of time with colleagues building, deploying, and troubleshooting container images. We've also had a lot of conversations about the software supply chain, software bill of materials (SBOM) generation and usage, and the like.

It occurred to me that many of the issues we encounter stem from a misunderstanding of the fundamental components that we're working with. To this end, I decided to write a series of blog posts that get "back to basics," setting the table for deeper discussions about best practices, the software supply chain, etc.

I decided to start with a series about container image names, since these are widely used but tend to be misunderstood and misinterpreted. As we'll see, this isn't necessarily the fault of the user but of a different operating paradigm than traditional package management.

This series will be three parts:

1. The Registry

2. The Namespace and Repository

3. The Tag and Digest

Join me as we walk through these topics together!

Image Names: An Introduction

When a container runs, it starts with an image. Sometimes, the image is built locally, and sometimes the image is pulled from a registry. In either case, the image is specified using its name.

Image names comprise the following parts:

• registry

• namespace (or group, organization, project, etc.)

• repository

• tag (or digest)

I’ll use the term fully-qualified image name (FQIN) to refer to an image name where all of these parts are specified. (This is borrowed from FQDN, FQCN, and others.)

Here’s a diagram of an example FQIN with the parts labeled:

Throughout this series, we’ll use the following image names as examples.

• python:3

• cgr.dev/chainguard/python

• nvcr.io/nvidia/pytorch:25.03-py3

• registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:ubuntu-x86_64-latest

In today’s article, we’ll learn about the registry.

What is a Registry?

The registry is the first qualifier of an image. Every image has a registry as part of its name, whether explicit or implicit. (We'll cover the "implicit" part in a minute.)

For most registries, this is also the hostname (and, optionally, port) that hosts the registry—in other words, the location where the client goes to initiate a request. There are some exceptions, like pull-through caches, but we can talk about these another time.

If a registry is not specified, the default is docker.io, which corresponds to Docker Hub. (Docker was the first to truly democratize the container ecosystem, so they got to declare the default.) This is a de facto default and not explicitly declared in any standard the author is aware of.

Examining our example image names:

• For python:3, the registry is docker.io.

• For cgr.dev/chainguard/python, the registry is cgr.dev.

• For nvcr.io/nvidia/pytorch:25.03-py3, the registry is nvcr.io.

• For registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:ubuntu-x86_64-latest, the registry is registry.gitlab.com.

The Most Important Point

If you learn only one thing from this series, make it this: the registry is the most important part of the image name. The registry specifies the source of the image: not just the server that happened to host it, but the full provenance of the image.

In my experience, this is the most misunderstood concept about container images. Registries are not interchangeable, and images are not fungible. Absent other information, the same image “name” in two different registries should be assumed to be a different image.

The fact that the concept of a default registry exists contributes to this misconception. It gives the impression that the registry is irrelevant and can safely be replaced with a default.

Let’s take a moment to understand how this is different from most other development ecosystems.

Consider some well-known package managers: pip, npm, Maven, RPM, APT, etc. These package managers are primarily concerned with the name of the package. If more than one repository is specified, these tools will search every repository until they find the first match or the highest semantic version (depending on the tool).

As such, most users are familiar with a model where there is one major “community” repository associated with the tool itself: PyPI for pip, npm for npm, Maven Central for Maven, etc.

Container images, by contrast, follow a model more like Go, where the source repository hostname is part of the module name.

This is a new paradigm for most users.

It confers several benefits. It more concretely specifies the origin of an image, which is important for a secure software supply chain. It reduces the potential for issues like typosquatting. It helps convey the image builder’s intent. (“Is this supposed to be the package we built or the open-source package with the same name?”)

This has important implications for “mirroring” images. However, we won’t dive too deeply into that in this article. For now, keep in mind that the onus is on the consumer to verify that any “mirror” in use actually pulls images from the expected registry and no others.

What Registries are Available?

How many image registries are there? Well, how many stars are in the night sky?

I won’t try to maintain an exhaustive list of image registries. (Anyone, anywhere, can host an image registry, much like anyone can host a website.) However, I would like to discuss some general categories of public registries and list some examples. (I won’t go into private registry implementations here.)

Some software vendors host their own registries to distribute their own software. (I include open-source projects under the vendor umbrella term.)

Examples:

• Elastic: docker.elastic.co

• NVIDIA: nvcr.io

• RedHat (UBI): registry.access.redhat.com

• Kubernetes: registry.k8s.io

• Chainguard: cgr.dev

In contrast to vendor-specific registries, community registries provide a space for individual users and organizations to host their images. These registries may provide features like automated vulnerability scans and verified contributor badges.

Examples:

• Docker Hub: docker.io

• Quay: quay.io

Some vendor-maintained registries also host community images, making them a combination of the above categories. For example, cloud providers like Google (gcr.io) and Amazon (public.ecr.aws) distribute their own images and host a selection of community images for use in their cloud environments. GitHub (ghcr.io) and GitLab (registry.gitlab.com) distribute their own images (e.g., servers and CI runners) as well as host images for projects maintained on their platforms.

Which Registry Should I Use?

When deciding on an image to use, the first thing to do is consult the vendor’s documentation. If a vendor builds container images, they will tell you where to find them.

For vendors that host their own registries, like those above, the answer is obvious: use images on the vendor’s registry.

For others, you may have to do some reading. Here are some examples to illustrate the point:

• MongoDB Enterprise images are hosted on Quay.

• Official Ubuntu images are hosted on Docker Hub and ECR.

• Trivy images and databases are hosted on GHCR, Docker Hub, and ECR.

If a vendor does not state that they provide an official image, then any image you find is likely published and supported by the community. In this case, you’ll have to do some research and make a judgment call on which image suits your use case and risk tolerance.

Recommendations

Allow me to provide you with two recommendations, based on my experience as a Platform Engineer.

First, always specify the registry when referencing container images, even when the registry is the default. This ensures that the intent is clear: from what source do you expect this image to come? It can also help debug image pulling issues. Some tools also allow users to specify an alternative default registry (not just a mirror, but a completely different default), which further complicates matters, so explicitly specifying docker.io ensures you get the image you want.

Second, always consult the vendor’s documentation to determine the correct registry. If there is no vendor-provided image, do the necessary research to pick the right image for your use case and risk tolerance.

Scenarios

Let’s talk about some scenarios I’ve encountered that illustrate this point. (Names and details have been changed.)

A developer is building an application that uses nginx as a front-end. Everything works great in their development workspace, but when they deploy into the test environment, their nginx container complains of “unbound variables.” What’s happening?

It turns out, the platform team has configured the test environment to use a custom default registry that is not Docker Hub. This custom registry contains a custom build of nginx, with a custom entrypoint. The developer’s deployment only specified nginx as the image name, omitting the registry. So, the deployment pulled this custom nginx image from the custom default registry, resulting in a failed deployment.

Other variations of this scenario I’ve encountered include:

• Deployments work fine in one environment with a custom default registry, but when deploying to a new environment, images are missing.

• One team’s developer workspaces are configured to use a custom default registry, but when other teams clone the repository, their builds fail due to missing images.

All of these can be avoided by explicitly specifying the registry, rather than relying on the “system default” to point at your preferred location.

Conclusion

I hope you enjoyed this deep dive into a small but important topic: the container image registry.

Let’s take a moment to reflect on what we covered.

• We learned that the registry is the first and most important component of an image name.

• We learned that there are many registries, hosted by different vendors.

• We learned that registries are not interchangeable: different registries host different images.

• We learned that vendors who provide supported images document which registry to use for their images.

• We learned a couple best practices for using and specifying registries.

In my next article, we’ll continue learning about container image names, focusing on the namespace and repository portions. I hope to see you there!

Jason Miller is a Senior Platform Engineer at Clarity Business Solutions. You can find him on LinkedIn.

The mention of any image name, registry, or vendor does not constitute a recommendation or endorsement. These are solely provided as examples for demonstration purposes.