What Is It?
Private Container Registry is a fully managed, OCI-compliant registry for storing and managing Docker container images and OCI artifacts. The service provides authenticated access over the public internet with encryption at rest, token-based access control, and optional vulnerability scanning. IONOS operates the underlying infrastructure with automatic security patches and updates. Supports standard Docker CLI and Docker Registry HTTP API V2 workflows.
Quick Facts
| Aspect | Details |
|---|---|
| Type | Managed OCI-compliant container registry |
| Compliance | OCI (Open Container Initiative) standard |
| Authentication | Token-based with registry or repository scopes |
| Encryption | Automatic encryption at rest (platform-managed keys) |
| Vulnerability Scanning | Optional add-on (CVE database scanning with CVSS ratings) |
| Location | Specific IONOS data center region (immutable after creation) |
| Management | DCD, Cloud API, DevOps Tools, Docker CLI |
What You Can Do
Store Container Images
Push Docker images and OCI artifacts to private repositories with authenticated access. Create multiple repositories per registry for logical separation by project, environment, or team.
Token-Based Access Control
Generate unlimited or limited-scope tokens for push, pull, list, or delete operations. Scope tokens to entire registry or specific repositories. Configure optional expiry dates and disable tokens as needed without deleting them.
Vulnerability Scanning
Enable optional scanning of every pushed artifact against CVE databases. Receive severity ratings (CVSS 0-10 scale) and searchable results. Registry automatically rescans when new vulnerability definitions are published.
Note: Scanning cannot be disabled once enabled.
Garbage Collection
Schedule weekly garbage collection to clean up unreferenced image layers and free storage. Configure day and time for automatic runs.
Note: Registry is read-only during garbage collection.
Docker CLI Integration
Use standard Docker commands (login, push, pull, delete) with full Docker Registry HTTP API V2 compatibility. Integrate seamlessly with CI/CD pipelines without custom adapters.
Multi-Repository Management
Host many separate repositories within a single registry. Organize images by application, microservice, or deployment stage. Note: Fine-grained repository-level access control is not available; token permissions apply at the registry level..
Best For
| Scenario | Why It Fits |
|---|---|
| Kubernetes deployments | Store images for Managed Kubernetes or Red Hat OpenShift clusters |
| CI/CD pipelines | Integrate with automated build and deployment workflows |
| Microservices architectures | Separate repositories per service with independent access control |
| Secure software supply chain | Vulnerability scanning identifies CVEs before deployment |
| Multi-environment deployments | Organize images by dev, staging, production with repository scopes |
| Team collaboration | Token-based access control for different roles and permissions |
Consider Alternatives If
| If You Need... | Consider | Why |
|---|---|---|
| Public container image hosting | Docker Hub, GitHub Container Registry | No authentication required for public access |
| Self-hosted registry with full control | Harbor on Compute Engine | Custom configuration and user-managed infrastructure |
| Artifact storage beyond containers | IONOS Cloud Object Storage | General-purpose object storage for any artifact type |
Key Considerations
Billing & Costs
- Main billing: EUR 0.04 per GB of storage per 30 days
- Storage: Based on total image storage consumed
- Vulnerability scanning: Optional add-on (EUR 0.02 per GB per 30 days)
- Data transfer: Network traffic (image push/pull) is not charged
Limitations
- Location immutability: Registry location cannot be changed after creation
- Encryption keys: Platform-managed only (cannot supply customer-managed keys)
- Vulnerability scanning: Cannot be disabled once enabled
- Garbage collection downtime: Registry is read-only during scheduled runs
- No anonymous access: All operations require token authentication
- No geo-replication: Single-region deployment (location selected at creation)
Management Options
- Data Center Designer (DCD): Create registries, manage repositories, generate tokens, configure garbage collection
- Cloud API: Programmatic access for registry lifecycle, token management, vulnerability scan results
- Docker CLI: Standard docker login, push, pull, tag, rm commands
- CI/CD integration: Jenkins, GitLab CI, GitHub Actions, CircleCI via Docker CLI