What is a Registry

A container registry is an HTTP service that stores and distributes container images. When you run docker pull nginx, the Docker client contacts a registry (Docker Hub by default), downloads the image manifest, and then downloads each layer not already cached locally.

How it works

Registries implement the OCI Distribution Specification — a REST API for pushing, pulling, and managing images. Images are organized by repository (library/nginx) and identified by tag (1.25) or digest (sha256:abc...).

Pulling: the client requests the manifest (which lists layer digests), checks local cache, and downloads only missing layers in parallel. Subsequent pulls of different tags that share layers download nothing — the layers are already there.

Pushing: the client uploads new layers, then uploads the manifest referencing them. The registry deduplicates layers by digest — if another image already pushed the same layer, it is stored only once.

Common registries: Docker Hub (default, public images), GitHub Container Registry (ghcr.io), Amazon ECR, Google Artifact Registry, Azure Container Registry. You can also run a private registry with the open-source registry:2 image.

Why it matters

Registries are the distribution mechanism for container images. They enable CI/CD pipelines to build once and deploy to any environment. Layer deduplication and content-addressable storage make distribution efficient. Authentication and access control (per-repository tokens, IAM integration) secure production images.

See How Container Images Work for the pull/push protocol in detail.