Amazon ECR vs. Docker Hub vs. GitHub Container Registry

Andreas Wittig – 28 Sep 2020

Have you worked with a Linux package manager like apt or yum before? A container registry is similar, but instead of packages, it distributes container images. A container registry is a crucial aspect of a containerized workflow and infrastructure. This blog post compares three different container registries: Amazon ECR, Docker Hub, and GitHub Container Registry. I’ve selected those three options out of many because they are following unique approaches.

Amazon ECR vs. Docker Hub vs. GitHub Container Registry

Do you prefer listening to a podcast episode over reading a blog post? Here you go!

What is a container registry?

A container registry is a central place to store and distribute container images. A container image includes all the data needed to start a container—for example, the operating system, libraries, runtime environments, and the application itself.

The concepts behind a container registry

The following command builds an image with the files from the current directory. The build image will use the repository cloudonaut and tags the image with the version 1.0.0.

docker build -t cloudonaut:1.0.0 .

After the build succeeded, you can upload the image to the container registry.

docker push cloudonaut:1.0.0

After that, whenever someone tries to start a container based on that image, the daemon will contact the container registry to pull the required image layers.

Cover of Rapid Docker on AWS

Become a Docker on AWS professional!

Our book Rapid Docker on AWS is designed for DevOps engineers and web developers who want to run dockerized web applications on AWS. We lead you with many examples: From dockerizing your application to Continuous Deployment and Infrastructure as Code on AWS. No prior knowledge of Docker and AWS is required. Get the first chapter for free!

Scenarios

There are different scenarios for using a container registry. I want to introduce three common ones.

Packaging your software into a container image is an excellent way for distribution as users or customers can get up and running quickly. Not only open-source projects but also ISV make use of this approach. In this scenario, you are looking for a public container registry that anyone can access to pull your images. Of course, only your developers - or even better an automated build - are allowed to push images to the registry.

Use a public container registry to distribute software

Whenever you are planning to build a deployment pipeline for continuous deployment, you should start with building the image that will traverse through the pipeline in the following. A private container registry is a perfect place to store the artifact immediately after your pipeline’s build step succeeded. Whenever you deploy a new version of your software to one of your environments (test, prod, etc.), the infrastructure fetches the image from the repository.

Use a private container registry for continuous deployment

Are you developing microservices as a team? Do you need to share your service with other developers or teams so they can run parts of the microservice architecture on their machines? In that scenario, a private container registry allows you to distribute images within your organization.

Use a private container registry for collaboration

In the following, you will learn which container registry fits best for each of the described scenarios.

Amazon ECR

As all major cloud providers do, AWS offers a container registry as a service, as well: Elastic Container Registry (ECR).

The most crucial aspect of ECR is that AWS IAM handles authentication and authorization for the container registry. Therefore, it is easy to access ECR from all the different services AWS provides (ECS, EKS, CodeBuild, and many more). AWS IAM is not easy to use but allows you to define strict access control to your container registry, even with multi-factor authentication (MFA) for push and pull access.

Besides that, ECR offers other security-relevant features:

  1. Immutable Image Tags: By enabling immutable image tags, you ensure that no one can override an image once it has been pushed to the repository.
  2. Image Scanning: If desired, ECR will scan images after they have been pushed to a repository. ECR uses the CVEs database of the open-source project Clair to check images for known security vulnerabilities.

It is essential to mention that Amazon ECR provides private repositories only. It is not possible to pull the images without authentication and authorization.

From my personal experience, I can tell that Amazon ECR is a rock-solid service and the best option to manage images for all container workloads running on AWS. So especially, if you do continuous deployments on AWS, ECR is your go-to service.

Docker Hub

Docker Hub is the most popular container registry, as it is the default registry for Docker. Many open-source projects and ISVs host their container images on Docker Hub.

Because Docker Hub is the default registry, the command to start a container is straightforward.

docker run nginx:latest

Compare that to launching a container based on the same image hosted on ECR.

docker run 111111111111.dkr.ecr.eu-west-1.amazonaws.com/nginx:latest

That’s the power of defaults. On top of that, think of Docker Hub as a marketplace for container images. That’s why I would state that Docker Hub is the best choice for publicly distributing software.

It is important to mention that Docker Hub made some unpleasant announcements recently. First of all, Docker Hub introduced strict rate limits for repositories on a free plan.

  • 100 pulls for unauthenticated users per 6 hours.
  • 200 pulls for authenticated users per 6 hours.

Introducing this rate limit broke many deployment pipelines, including one of ours. On top of that, Docker Hub announced a strict retention policy. In the future, Docker Hub will delete images that haven’t been accessed within the last six months. Again, the restriction applies to repositories that are running on the free plan only.

Unluckily, both changes make hosting public repositories on Docker Hub less convenient.

Besides hosting public repositories, Docker Hub offers private repositories as well. However, the pricing model is not compelling. ECR and GitHub Container Registry are better options in that scenario.

GitHub Container Registry

As of today, the GitHub Container Registry is still in beta. But it seems to become a good choice for organizations using GitHub to collaborate on source code already. The GitHub Container Registry supports both: public and private repositories.

Accessing the GitHub Container Registry is quite simple for anyone with access to GitHub. All you need to do is create a personal access token. That’s all you need to authenticate for the container registry. A seamless experience for developers.

It is worth mentioning that the GitHub Container Registry integrates well with GitHub Actions (CI/CD). I’ve created a Hello World example repository to evaluate the service. As expected, I enjoyed the developer experience very much. On top of that, accessing the container registry from GitHub Actions does not incur any data transfer charges.

By the way, GitHub Container Registry provides public repositories. However, anyone who wants to download your container image needs to authenticate with a GitHub user account. Docker Hub allows unauthenticated access as well.

I recommend using the GitHub Container Registry to distribute container images within a team of software developers or an organization. For example, to share pre-build services of a microservice architecture. Also, if you are using GitHub Actions for CI/CD, the integration with GitHub Container Registry might be a pro argument as well.

Comparison

The following tables compare all three options: Amazon ECR, Docker Hub, and GitHub Container Registry.

Amazon ECR Docker Hub GitHub Container Registry
Public Repository ❌ no ✅ yes ✅ yes
Private Repository ✅ yes ✅ yes ✅ yes
Pricing (Public Repository) $0 $0
Pricing (Private Repository) 💰
Storage: $0.10 per GB, Data Transfer: $0.09 per GB1
💰💰💰
>= $7 per user/month2
💰💰
Storage: $0.25 per per GB, Outgoing Data Transfer: $0.50 per GB3
Authentication AWS IAM Password or Access Token Personal Access Token (PAT)
MFA for Image Push/Pull ✅ yes ❌ no ❌ no
SLA Availability ✅ 99.9%4 ❌ n/a ⚠️ n/a during beta
General Available ✅ yes ✅ yes ⚠️ beta
Immutable Images ✅ yes ❌ no ❌ no
Image Scanning ✅ yes ❌ no5 ❌ no
Regions Choose between one of 25 regions worldwide ⚠️ unknown ⚠️ unknown
Rate Limits Pull: 1,000 per second, Push: 10 per second6 Pull: 100/200 (Free Plan), unlimited (Paid Plan) n/a

Summary

There is no one size fits all solution. Choose the container registry based on your needs for a specific scenario. It is not a big deal to use more than one container registry. Amazon ECR shines for container-based workloads running on AWS. Docker Hub is still the best choice for distributing software publicly. And GitHub Container Registry extends the place where you store your source code with a container registry to store your build artifacts.

Tags: aws container ecr
Andreas Wittig

Andreas Wittig

I’m an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I’m writing this blog and all other projects together with my brother Michael.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.

Briefcase icon
Hire me