Container Registry is deprecated and scheduled for shutdown. After
May 15, 2024, Artifact Registry will host images for the gcr.io
domain in
Google Cloud projects without previous Container Registry usage. After
March 18, 2025, Container Registry will be shut down.
For more information on the deprecation and shutdown timeline, see Container Registry deprecations and prepare for Container Registry shutdown .
Artifact Registry is the recommended service for container image storage and management on Google Cloud. Artifact Registry provides the same container management features as Container Registry and includes additional features and benefits. As a fully-managed service with support for both container images and non-container artifacts, Artifact Registry extends the capabilities of Container Registry.
Summary of new features
Artifact Registry extends the capabilities of Container Registry with the following features:
- Repository-level access control .
- Hosting artifacts in regions to reduce latency and data transfer costs, and to comply with data residency requirements.
- Stream images to Google Kubernetes Engine and Dataproc Serverless to reduce workload startup times.
- Deploying to Cloud Run from source .
- Audit logging for repository activity.
- Enforcement of organization policy, including encryption with customer-managed encryption keys (CMEK) and location constraints .
- Scanning for Go and Java vulnerabilities in addition to OS vulnerabilities in containers.
- Virtual repositories that aggregate multiple repositories behind a single host (Preview).
- Remote repositories that cache artifacts from upstream sources such as Docker Hub or Maven Central (Preview).
See the feature comparison for more details about these features.
Cached Docker Hub images on mirror.gcr.io
Artifact Registry caches frequently-accessed public Docker Hub images on mirror.gcr.io
. For more information on using mirror.gcr.io
, see Pull cached Docker Hub images
.
Choose a transition option
There are two types of repositories you can use to transition to Artifact Registry:
- gcr.io repositories in Artifact Registry
-
Repositories that are mapped to Container Registry
gcr.io
hostnames. Artifact Registry redirectsgcr.io
requests for your Container Registry hosts to corresponding Artifact Registry repositories in the same Google Cloud project.Use
gcr.io
repositories if:- You want to minimize the amount of setup and configuration required to transition your existing images and automation to Artifact Registry.
- You don't need to set up Artifact Registry repositories in a different Google Cloud project or region.
- Standard repositories in Artifact Registry
-
Standard mode Artifact Registry repositories that support all features and are fully independent of any existing Container Registry hosts.
Use standard repositories if:
- You have compliance requirements to store data in a specific region.
Repositories with
gcr.io
domain support are only available in the same multi-regions as Container Registry hosts:asia
,eu
, andus
. - You want to set up your Artifact Registry repositories in a project that is different from the project where you are using Container Registry.
-
You want to redesign how and where you store images. For example:
- Create repositories in the same regions as your other Google Cloud regional resources, including runtimes such as Cloud Run and Google Kubernetes Engine.
- Set up repositories in regions that are closer to your teams. For example,
you can create repositories in Australian regions instead of the
asia
multi-region, or in South American regions instead of theus
multi-region. - Create multiple Docker repositories in the same project and location with
different Identity and Access Management policies. For example, you can set up a development
repository and production repository in the
us-east1
region with different levels of access for developers.
-
You want to create virtual repositories that act as a single endpoint for downloads from multiple upstream standard repositories.
-
You want to use remote repositories to act as proxies for external sources.
- You have compliance requirements to store data in a specific region.
Repositories with
Standard, remote, virtual and gcr.io
repositories can co-exist. For example, you
can create gcr.io
repositories in Artifact Registry to transition your
existing Container Registry setup and create standard repositories for new work.
Use our transition tooling
Use the following tools to identify projects that have Container Registry usage, copy images from Container Registry to Artifact Registry, and automatically migrate multiple projects from Container Registry to Artifact Registry.
- Check Container Registry usage .
- Use our automatic migration tool to migrate projects from Container Registry to Artifact Registry, copy images, and select your preferred transition repository type.
- Copy images from Container Registry to Artifact Registry using the automatic migration tool, gcrane, Docker, or the gcloud CLI.
Feature comparison
The following table summarizes differences between Container Registry and Artifact Registry.
gcr.io
pkg.dev
Artifact Registry can also store images for the gcr.io
domain if
you set up gcr.io repositories
.
- Standard : Stores your artifacts.
- Remote : Caches artifacts requested from an upstream source such as Docker Hub.
- Virtual : Single endpoint multiple upstream repositories.
Container Registry stores images in Cloud Storage buckets in your Google Cloud project and actions such as granting registry-specific permissions must be applied directly to a bucket.
- For backwards compatibility, you can set up gcr.io repositories
. The initial setup
includes automatic creation of Artifact Registry repositories for each
Container Registry host in your project and redirection of
gcr.io
to the corresponding Artifact Registry repositories. - For all push and pull requests to the
pkg.dev
domain, the repository must already exist.
In Artifact Registry, there are no Cloud Storage buckets to manage in your Google Cloud projects. You perform image management actions directly on a repository.
- Grant access using Cloud Storage roles.
- You can restrict access to all images stored in a multi-region, but
not individual repositories. For example, you can restrict access to
us.gcr.io
in the projectmy-project
, but you cannot grant specific permissions for images underus.gcr.io/my-project/team1
andus.gcr.io/my-project/team2
- Grant access using Artifact Registry roles .
- You can restrict access
to individual repositories. For example, you can separately control
access to images in
us-docker.pkg.dev/my-project/team1
andus-docker.pkg.dev/my-project/team2
- Grant conditional access with IAM and repository tags
If you click a Container Registry repository, you are directed to the list of images in the Container Registry section of the Google Cloud console.
gcloud container images
commands. Commands support shortened digests. If you don't specify the
full digest string, Container Registry attempts to locate the correct image
based on the partial string. There is no REST or RPC API for Container Registry.
gcloud artifacts docker
commands. Commands don't support shortened digests. For a comparison of Container Registry and Artifact Registry gcloud CLI commands, see the gcloud CLI command comparison .
Artifact Registry provides a REST and RPC API for managing repositories and artifacts.
gcr
topic.gcr
topic. If you create repositories
in the same project as your existing Container Registry service, your
existing Pub/Sub configuration works automatically. To learn more, see Configuring Pub/Sub notifications .
mirror.gcr.io
is a pull-through cache
that stores
the most frequently requested Docker Hub images across all users. mirror.gcr.io
is in now
hosted on Artifact Registry.mirror.gcr.io
is in now
hosted on Artifact Registry. No action is required unless you are using mirror.gcr.io
in a VPC Service Controls perimeter. For more
information on using mirror.gcr.io
in a VPC Service Controls
perimeter, see Use Artifact Registry with VPC Service Controls
.- On-demand scanning
-
- The Google Cloud CLI command gcloud artifacts docker images scan scans for vulnerabilities in local images or images in the Container Registry.
- The Google Cloud CLI command gcloud artifacts docker images list-vulnerabilities returns vulnerability scanning results.
- Scans return OS and language package vulnerability information for images in Container Registry with supported operating systems .
- Automatic scanning
-
- The Google Cloud CLI command gcloud container images includes flags for viewing scan results, including vulnerabilities and other metadata.
- Scans only return OS vulnerability information for images in Container Registry with supported operating systems .
- On-demand scanning
-
- The Google Cloud CLI command gcloud artifacts docker images scan scans for vulnerabilities in local images or images in the Artifact Registry.
- The Google Cloud CLI command gcloud artifacts docker images list-vulnerabilities returns vulnerability scanning results.
- Scans return OS and language package vulnerability information for images in Artifact Registry with supported operating systems .
- Automatic scanning
-
- The Google Cloud CLI command gcloud artifacts docker images includes flags for viewing scan results, including vulnerabilities and other metadata.
- Scans return OS vulnerability information for images in Artifact Registry with supported operating systems and language package vulnerability information for both supported and unsupported operating systems.
gcloud command comparison
The following table summarizes Container Registry commands and the equivalent Artifact Registry commands in the gcloud CLI. Click a link in the table to view reference page for the command.
The table does not include all available Artifact Registry commands that
have no equivalent in Container Registry. See the gcloud artifacts
documentation for the full Artifact Registry command reference.
Operation | Container Registry | Artifact Registry |
---|---|---|
Create a repository
|
Not applicable. | gcloud artifacts repositories create
|
Delete a repository
|
Not applicable. | gcloud artifacts repositories delete
|
List images
|
gcloud container images list
|
gcloud artifacts docker images list
|
List tags
|
gcloud container images list-tags
|
gcloud artifacts docker tags list
|
Add a tag
|
gcloud container images add-tag
|
gcloud artifacts docker tags add
|
Delete a tag
|
gcloud container images untag
|
gcloud artifacts docker tags delete
|
Describe images
|
gcloud container images describe
|
gcloud artifacts docker images list --include-tags
|