
Master Docker & Containerd Image Push/Pull: Secure Registry Configuration

This guide explains how to configure Docker and Containerd to correctly set image push and pull parameters for both HTTP and HTTPS registries, covering insecure registry settings, certificate management, host resolution, and command‑line examples using docker, ctr, crictl, and nerdctl to ensure efficient and secure container image handling.

Linux Ops Smart Journey

Docker Image Push/Pull Configuration

In the era of containerization, Docker and Containerd are the two mainstream container runtimes. Proper configuration of image push/pull parameters can greatly improve deployment efficiency and system stability.

Configure insecure registries (HTTP)

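Add the insecure registry entries to the Docker daemon configuration file, /etc/docker/daemon.json, alongside any keys it already contains. Docker will talk to these registries over plain HTTP or without verifying their certificate, so list only registries on a trusted network:

{
  "insecure-registries": ["x.x.x.x:8021", "x.x.x.x:5000"]
}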

Reload the Docker daemon by sending it SIGHUP:

sudo kill -1 $(ps -ef | grep '[d]ockerd' | awk '{print $2}')

Verify the settings:

sudo docker info | awk '/Insecure Registries/,/Registry Mirrors/ {print $0}' | grep -v :$

Push and pull images (HTTP registry)

sudo docker push 192.168.32.127:5000/library/hello-world:latest
sudo docker pull 192.168.32.127:5000/library/hello-world:latest

Configure HTTPS registry for Docker

1. Add a host entry for the registry domain:

cat <<'EOF' | sudo tee -a /etc/hosts
192.168.32.127 harbor.jiaxzeng.com
EOF

2. Place the registry certificates under /etc/docker/certs.d/harbor.jiaxzeng.com:

sudo mkdir -p /etc/docker/certs.d/harbor.jiaxzeng.com
# copy ca.crt, server.cert, server.key into this directory

3. Log in to the registry (the password will be stored unencrypted unless a credential helper is configured):

sudo docker login harbor.jiaxzeng.com -u admin

4. Push and pull images using the HTTPS registry:

sudo docker push harbor.jiaxzeng.com/library/hello-world:latest
sudo docker pull harbor.jiaxzeng.com/library/hello-world:latest

Tip: Docker looks for registry certificates in /etc/docker/certs.d/registry_address, so the directory name must match the registry address used in image names.
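
To check the directory layout that steps 2 to 4 rely on, the following added example (not part of the original article) audits a certs.d tree: Docker loads every *.crt file in a registry's directory as a CA root and pairs each NAME.cert with NAME.key as a client certificate. The function name, its messages and the sample tree of empty placeholder files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Docker certs.d tree (default /etc/docker/certs.d).
# audit_docker_certs and its message wording are this example's own names.
audit_docker_certs() {
    root=${1:-/etc/docker/certs.d}
    findings=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        reg=$(basename "$dir")
        # Docker loads *.crt files in this directory as CA roots for the registry.
        if ! ls "$dir"*.crt >/dev/null 2>&1; then
            echo "$reg: no CA certificate (*.crt)"
            findings=$((findings + 1))
        fi
        # Each NAME.cert is a client certificate and needs NAME.key beside it.
        for cert in "$dir"*.cert; do
            [ -e "$cert" ] || continue
            if [ ! -e "${cert%.cert}.key" ]; then
                echo "$reg: $(basename "$cert") has no matching .key"
                findings=$((findings + 1))
            fi
        done
        # Private keys should not be readable by group or others.
        loose=$(( $(find "$dir" -name '*.key' \( -perm -040 -o -perm -004 \) | wc -l) ))
        if [ "$loose" -gt 0 ]; then
            echo "$reg: $loose private key file(s) readable by group or others"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree with empty placeholder files, so this runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/harbor.jiaxzeng.com" "$demo/192.168.32.127:5000"
touch "$demo/harbor.jiaxzeng.com/ca.crt" "$demo/harbor.jiaxzeng.com/server.cert" \
      "$demo/harbor.jiaxzeng.com/server.key" "$demo/192.168.32.127:5000/client.cert"
chmod 644 "$demo/harbor.jiaxzeng.com/server.key"
audit_docker_certs "$demo" || echo "audit reported findings"
```

Run it without arguments on a Docker host to audit /etc/docker/certs.d; the function returns non-zero when it reports anything.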

Containerd Image Push/Pull Configuration

Containerd typically uses the ctr, crictl, and nerdctl commands. Below are the configurations for each.

ctr (HTTP registry)

sudo ctr image push 192.168.32.127:5000/library/hello-world:latest --plain-http
sudo ctr image pull 192.168.32.127:5000/library/hello-world:latest --plain-http

Tip: The --plain-http flag is required for both push and pull operations.

crictl (HTTP registry)

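Check the registry configuration path (config_path) that containerd uses; hosts.toml files are read only from that directory. The command below assumes containerd was started with its configuration file as the last command-line argument; if it was started without arguments, run the grep against /etc/containerd/config.toml instead: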

sudo grep config_path $(ps -ef | grep "[c]ontainerd " | awk '{print $NF}')

Create the registry configuration directory and hosts.toml file:

sudo mkdir -p /etc/containerd/certs.d/192.168.32.127:5000
cat <<EOF | sudo tee /etc/containerd/certs.d/192.168.32.127:5000/hosts.toml > /dev/null
server = "http://192.168.32.127:5000"
[host."http://192.168.32.127:5000"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
EOF

Pull an image (crictl has no push command; use ctr or nerdctl instead):

sudo crictl pull 192.168.32.127:5000/library/hello-world:latest

Tip: crictl does not support push; use ctr or nerdctl for pushing images.

crictl (HTTPS registry)

Configure certificates for the HTTPS registry:

sudo mkdir -p /etc/containerd/certs.d/harbor.jiaxzeng.com
# copy ca.crt, tls.cert, tls.key into this directory

Create hosts.toml with HTTPS settings:

cat <<EOF | sudo tee /etc/containerd/certs.d/harbor.jiaxzeng.com/hosts.toml > /dev/null
server = "https://harbor.jiaxzeng.com"
[host."https://harbor.jiaxzeng.com"]
  capabilities = ["pull", "resolve", "push"]
  ca = "/etc/containerd/certs.d/harbor.jiaxzeng.com/ca.crt"
  client = [["/etc/containerd/certs.d/harbor.jiaxzeng.com/tls.cert", "/etc/containerd/certs.d/harbor.jiaxzeng.com/tls.key"]]
EOF
sudo crictl pull harbor.jiaxzeng.com/library/hello-world:latest
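
An added example, not from the original article, that audits the hosts.toml files written in the two crictl sections above: it reports plain-HTTP endpoints, skip_verify = true, and certificate or key paths that do not exist on disk. The function name, messages and sample tree are constructed; the sample uses containerd's documented ca key and [[cert, key]] client pair.

```shell
#!/bin/sh
# Added example: audit containerd registry host configs (hosts.toml files).
# audit_hosts_toml and its message wording are this example's own names.
audit_hosts_toml() {
    root=${1:-/etc/containerd/certs.d}
    findings=0
    for f in "$root"/*/hosts.toml; do
        [ -f "$f" ] || continue
        reg=$(basename "$(dirname "$f")")
        # Plain HTTP endpoints send credentials and image data unencrypted.
        if grep -Eq '^[[:space:]]*(server[[:space:]]*=|\[host\.)[[:space:]]*"http://' "$f"; then
            echo "$reg: plain HTTP endpoint"
            findings=$((findings + 1))
        fi
        # skip_verify = true disables TLS certificate verification.
        if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
            echo "$reg: skip_verify = true"
            findings=$((findings + 1))
        fi
        # Every quoted absolute path (ca, client cert, client key) must exist.
        for p in $(awk -F'"' '{for (i = 2; i <= NF; i += 2) if ($i ~ /^\//) print $i}' "$f"); do
            if [ ! -e "$p" ]; then
                echo "$reg: referenced file missing: $p"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree: the page's two registries, rooted in a temp dir.
demo=$(mktemp -d)
mkdir -p "$demo/192.168.32.127:5000" "$demo/harbor.jiaxzeng.com"
cat > "$demo/192.168.32.127:5000/hosts.toml" <<EOF
server = "http://192.168.32.127:5000"
[host."http://192.168.32.127:5000"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
EOF
cat > "$demo/harbor.jiaxzeng.com/hosts.toml" <<EOF
server = "https://harbor.jiaxzeng.com"
[host."https://harbor.jiaxzeng.com"]
  ca = "$demo/harbor.jiaxzeng.com/ca.crt"
  client = [["$demo/harbor.jiaxzeng.com/tls.cert", "$demo/harbor.jiaxzeng.com/tls.key"]]
EOF
touch "$demo/harbor.jiaxzeng.com/ca.crt" "$demo/harbor.jiaxzeng.com/tls.crt" \
      "$demo/harbor.jiaxzeng.com/tls.key"
audit_hosts_toml "$demo" || echo "audit reported findings"
```

In the sample the client certificate is on disk as tls.crt while hosts.toml points at tls.cert, so the audit reports the missing file alongside the two findings for the HTTP registry.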

nerdctl (HTTP and HTTPS registries)

nerdctl reads the same configuration directory as containerd (/etc/containerd/certs.d). The setup is identical to the crictl configuration, except that a hosts.toml file is not required for HTTPS when the certificates are placed correctly.

Push and pull examples (HTTP):

sudo nerdctl push 192.168.32.127:5000/library/hello-world:latest
sudo nerdctl pull 192.168.32.127:5000/library/hello-world:latest

Push and pull examples (HTTPS):

sudo nerdctl push harbor.jiaxzeng.com/library/hello-world:latest
sudo nerdctl pull harbor.jiaxzeng.com/library/hello-world:latest

Conclusion

Whether you are a dedicated Docker user or exploring Containerd, mastering image push/pull configuration is essential. Proper settings improve deployment speed, enhance security, and increase system stability, helping you advance further in your containerization journey.
