Agent Skills: Managing Container Registries

Managing Container Registries

Overview

Manage container registries across Docker Hub, AWS ECR, GCP Artifact Registry, Azure ACR, and self-hosted registries (Harbor, Nexus). Automate image tagging, lifecycle policies, cross-region replication, vulnerability scanning integration, and access control for container image storage and distribution.

Prerequisites

• Docker CLI installed and authenticated to the target registry
• Cloud provider CLI (aws, gcloud, az) for managed registries
• Registry credentials configured (docker login or credential helpers)
• Understanding of image naming conventions (registry/namespace/image:tag)
• IAM permissions for registry operations (push, pull, delete, admin)

Instructions

1. Identify the target registry type: ECR, Artifact Registry, ACR, Docker Hub, or self-hosted
2. Configure authentication: set up credential helpers for automated access (docker-credential-ecr-login, gcloud auth configure-docker)
3. Define image naming and tagging strategy: use semantic versioning for releases, git SHA for CI builds, latest only for development
4. Create repository/namespace structure organized by team, application, or environment
5. Configure lifecycle policies to auto-delete untagged images and images older than retention threshold (e.g., keep last 10 tagged images, delete untagged after 7 days)
6. Set up vulnerability scanning: enable automatic scanning on push (ECR scan-on-push, GCP Container Analysis)
7. Configure cross-region replication for disaster recovery and latency reduction
8. Implement access control: read-only for CI pull, push access for CI build agents, admin for operators
9. Generate Terraform/IaC for registry infrastructure and policies

Output

• Terraform/CloudFormation for registry creation with lifecycle and replication policies
• Docker credential helper configuration scripts
• CI/CD pipeline steps for building, tagging, and pushing images
• Lifecycle policy JSON (ECR) or cleanup scripts (Docker Hub, Harbor)
• RBAC configurations for registry access control

Error Handling

| Error | Cause | Solution | |-------|-------|---------| | denied: requested access to the resource is denied | Missing push/pull permissions or expired token | Re-authenticate with docker login or refresh credential helper; verify IAM policies | | manifest unknown: manifest unknown | Image tag does not exist in the registry | Verify image name and tag; check if lifecycle policy deleted the image | | no space left on device during push | Registry storage quota exceeded | Increase quota, run lifecycle cleanup, or delete unused images | | unauthorized: authentication required | Credential helper not configured or token expired | Set up credential helper (aws ecr get-login-password, gcloud auth configure-docker) | | toomanyrequests: rate limit exceeded | Docker Hub pull rate limit hit | Use authenticated pulls, mirror images to private registry, or upgrade Docker Hub plan |

Examples

• "Set up an AWS ECR repository with scan-on-push enabled, lifecycle policy to keep last 20 tagged images, and cross-region replication to us-west-2."
• "Configure GCP Artifact Registry with Docker credential helper and a cleanup policy for images not pulled in 90 days."
• "Create a CI pipeline step that builds a Docker image, tags it with the git SHA and latest, pushes to ECR, and fails if Critical vulnerabilities are found."

Resources

• AWS ECR: https://docs.aws.amazon.com/AmazonECR/latest/userguide/
• GCP Artifact Registry: https://cloud.google.com/artifact-registry/docs
• Azure ACR: https://learn.microsoft.com/en-us/azure/container-registry/
• Harbor registry: https://goharbor.io/docs/
• Docker Hub: https://docs.docker.com/docker-hub/