Master Docker & Containerd Image Push/Pull: Secure Registry Configuration
This guide explains how to configure Docker and Containerd to correctly set image push and pull parameters for both HTTP and HTTPS registries, covering insecure registry settings, certificate management, host resolution, and command‑line examples using docker, ctr, crictl, and nerdctl to ensure efficient and secure container image handling.
Docker Image Push/Pull Configuration
In the era of containerization, Docker and Containerd are the two mainstream container runtimes. Proper configuration of image push/pull parameters can greatly improve deployment efficiency and system stability.
Configure insecure registries (HTTP)
Add insecure registry entries to the Docker daemon configuration:
<code>"insecure-registries": ["x.x.x.x:8021", "x.x.x.x:5000"],</code>
Reload the Docker daemon:
<code>sudo kill -1 $(ps -ef | grep '[d]ockerd' | awk '{print $2}')</code>
Verify the settings:
<code>sudo docker info | awk '/Insecure Registries/,/Registry Mirrors/ {print $0}' | grep -v ':$'</code>
Push and pull images (HTTP registry)
<code>sudo docker push 192.168.32.127:5000/library/hello-world:latest</code>
<code>sudo docker pull 192.168.32.127:5000/library/hello-world:latest</code>
Configure HTTPS registry for Docker
1. Add a host entry for the registry domain:
<code>cat <<'EOF' | sudo tee -a /etc/hosts
192.168.32.127 harbor.jiaxzeng.com
EOF</code>
2. Place the registry certificates under /etc/docker/certs.d/harbor.jiaxzeng.com:
<code>sudo mkdir -p /etc/docker/certs.d/harbor.jiaxzeng.com
# copy ca.crt, server.cert, server.key into this directory</code>
3. Log in to the registry (password will be stored unencrypted unless a credential helper is configured):
<code>sudo docker login harbor.jiaxzeng.com -u admin</code>
4. Push and pull images using the HTTPS registry:
<code>sudo docker push harbor.jiaxzeng.com/library/hello-world:latest</code>
<code>sudo docker pull harbor.jiaxzeng.com/library/hello-world:latest</code>
Tip: Docker certificate directories must be placed under /etc/docker/certs.d/registry_address.
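Step 3 leaves the registry password in the Docker client's config.json unless a credential helper is configured. The following added example (not from the original article) inspects such a file and reports whether a helper is set, whether an inline auth entry is present, and whether the file is readable by other users; the function names, finding codes and sample password are constructed, and the parsing assumes the one-key-per-line layout Docker writes.

```shell
#!/bin/sh
# Added example: report how `docker login` stored credentials in a client config.json.
# Assumes the pretty-printed, one-key-per-line layout that Docker itself writes.
docker_cred_findings() {
  cfg=$1
  # credsStore (global) or credHelpers (per registry) hand storage to a helper program
  if grep -Eq '"(credsStore|credHelpers)"[[:space:]]*:' "$cfg"; then
    echo "HELPER_CONFIGURED"
  fi
  # An inline "auth" value is base64("user:password"): encoded, not encrypted.
  # Only the user name is reported so the audit output does not repeat the secret.
  sed -nE 's/^[[:space:]]*"auth"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p' "$cfg" |
    while IFS= read -r blob; do
      user=$(printf '%s' "$blob" | base64 -d | cut -d: -f1)
      echo "INLINE_SECRET user=$user"
    done
  # Anyone who can read the file can decode inline secrets, so flag group/world access
  if [ -n "$(find "$cfg" \( -perm -040 -o -perm -004 \))" ]; then
    echo "FILE_READABLE_BY_OTHERS"
  fi
}

# Constructed sample: config.json after `docker login` with no helper configured.
# "example-password" is a made-up value.
write_sample_config() {
  auth=$(printf '%s' 'admin:example-password' | base64)
  cat > "$1" <<EOF
{
	"auths": {
		"harbor.jiaxzeng.com": {
			"auth": "$auth"
		}
	}
}
EOF
  chmod 600 "$1"
}

cfg_demo=$(mktemp)
write_sample_config "$cfg_demo"
docker_cred_findings "$cfg_demo"
rm -f "$cfg_demo"
```

On a real host, point `docker_cred_findings` at the config.json of the account that ran `docker login`.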
Containerd Image Push/Pull Configuration
Containerd typically uses the ctr, crictl, and nerdctl commands. Below are the configurations for each.
ctr (HTTP registry)
<code>sudo ctr image push --plain-http 192.168.32.127:5000/library/hello-world:latest</code>
<code>sudo ctr image pull --plain-http 192.168.32.127:5000/library/hello-world:latest</code>
Tip: The --plain-http flag is required for both push and pull operations.
crictl (HTTP registry)
Check the registry configuration path used by containerd:
<code>sudo grep config_path $(ps -ef | grep "[c]ontainerd " | awk '{print $NF}')</code>
Create the registry configuration directory and hosts.toml file:
<code>sudo mkdir -p /etc/containerd/certs.d/192.168.32.127:5000
cat <<EOF | sudo tee /etc/containerd/certs.d/192.168.32.127:5000/hosts.toml > /dev/null
server = "http://192.168.32.127:5000"
[host."http://192.168.32.127:5000"]
capabilities = ["pull", "resolve", "push"]
skip_verify = true
EOF</code>
Pull an image (crictl has no push command; use ctr or nerdctl instead):
<code>sudo crictl pull 192.168.32.127:5000/library/hello-world:latest</code>
Tip: crictl does not support push; use ctr or nerdctl for pushing images.
crictl (HTTPS registry)
Configure certificates for the HTTPS registry:
<code>sudo mkdir -p /etc/containerd/certs.d/harbor.jiaxzeng.com
# copy ca.crt, tls.crt, tls.key into this directory</code>
Create hosts.toml with HTTPS settings:
<code>cat <<EOF | sudo tee /etc/containerd/certs.d/harbor.jiaxzeng.com/hosts.toml > /dev/null
server = "https://harbor.jiaxzeng.com"
[host."https://harbor.jiaxzeng.com"]
capabilities = ["pull", "resolve", "push"]
ca = "/etc/containerd/certs.d/harbor.jiaxzeng.com/ca.crt"
client = [["/etc/containerd/certs.d/harbor.jiaxzeng.com/tls.crt", "/etc/containerd/certs.d/harbor.jiaxzeng.com/tls.key"]]
EOF</code>
<code>sudo crictl pull harbor.jiaxzeng.com/library/hello-world:latest</code>
nerdctl (HTTP and HTTPS registries)
nerdctl reads the same configuration directory as containerd (/etc/containerd/certs.d). The setup is identical to the crictl configuration, except that a hosts.toml file is not required for HTTPS when the certificates are placed correctly.
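Because crictl and nerdctl both read /etc/containerd/certs.d, one scan of that tree shows every registry where transport security has been relaxed. The script below is an added example, not part of the original article: it flags hosts.toml files that use http:// or skip_verify = true, a `ca` path (containerd's key for the CA file) that does not exist, and private keys readable by group or others. The function names, finding codes and temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a containerd certs.d tree; prints one "<CODE> <path>" finding per line.
audit_certs_d() {
  root=$1
  find "$root" -type f -name hosts.toml | sort | while IFS= read -r f; do
    # http:// in server= or in a [host."..."] header: images and credentials travel unencrypted
    if grep -Eq '^[[:space:]]*(server[[:space:]]*=[[:space:]]*|\[host\.)"http://' "$f"; then
      echo "PLAINTEXT_HTTP $f"
    fi
    # skip_verify = true turns off certificate validation for that host
    if grep -Eq '^[[:space:]]*skip_verify[[:space:]]*=[[:space:]]*true' "$f"; then
      echo "TLS_VERIFY_DISABLED $f"
    fi
    # ca = "<path>" (single-path form only) must name a file that exists
    sed -nE 's/^[[:space:]]*ca[[:space:]]*=[[:space:]]*"([^"]+)".*/\1/p' "$f" |
      while IFS= read -r ca; do
        [ -f "$ca" ] || echo "CA_FILE_MISSING $f"
      done
  done
  # Private keys stored beside the config must not be group- or world-readable
  find "$root" -type f -name '*.key' \( -perm -040 -o -perm -004 \) | sort |
    while IFS= read -r k; do echo "KEY_READABLE_BY_OTHERS $k"; done
}

# Constructed sample tree mirroring the two registries on this page (paths are temporary).
build_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/192.168.32.127:5000" "$t/harbor.jiaxzeng.com"
  cat > "$t/192.168.32.127:5000/hosts.toml" <<EOF
server = "http://192.168.32.127:5000"
[host."http://192.168.32.127:5000"]
  capabilities = ["pull", "resolve", "push"]
  skip_verify = true
EOF
  cat > "$t/harbor.jiaxzeng.com/hosts.toml" <<EOF
server = "https://harbor.jiaxzeng.com"
[host."https://harbor.jiaxzeng.com"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$t/harbor.jiaxzeng.com/ca.crt"
EOF
  : > "$t/harbor.jiaxzeng.com/ca.crt"
  : > "$t/harbor.jiaxzeng.com/tls.key"
  chmod 644 "$t/harbor.jiaxzeng.com/tls.key"   # deliberately too permissive
  echo "$t"
}

sample=$(build_sample_tree)
audit_certs_d "$sample"
rm -rf "$sample"
```

On a real node, run `audit_certs_d /etc/containerd/certs.d` (with sudo if the directory is not readable).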
Push and pull examples (HTTP):
<code>sudo nerdctl push 192.168.32.127:5000/library/hello-world:latest</code>
<code>sudo nerdctl pull 192.168.32.127:5000/library/hello-world:latest</code>
Push and pull examples (HTTPS):
<code>sudo nerdctl push harbor.jiaxzeng.com/library/hello-world:latest</code>
<code>sudo nerdctl pull harbor.jiaxzeng.com/library/hello-world:latest</code>
Conclusion
Whether you are a dedicated Docker user or exploring Containerd, mastering image push/pull configuration is essential. Proper settings improve deployment speed, enhance security, and increase system stability, helping you advance further in your containerization journey.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.