Container Registry

Store, manage, and secure your container images with the Namespace Container Registry.

The Namespace Container Registry is a fully managed private container registry. It seamlessly integrates with Namespace products and requires zero configuration to start using it.

The Namespace Container Registry supports Open Container Initiative (OCI) standards and the Docker Registry HTTP API V2. This allows you to use Docker CLI commands (e.g., push, pull) or your preferred Docker tools to interact with the Namespace Container Registry, maintaining your existing development workflow.

The repository name of the Namespace Container Registry is nscr.io.

Working with Namespace Container Registry

Using Namespace CLI

To start using the Container Registry, you need to install the Namespace CLI and log in to Namespace. This command will open your default browser to authenticate against Namespace.

$ nsc login

nsc CLI natively supports the Namespace Container Registry. For example, when you are using Namespace Build Clusters to build container images, it can automatically publish images to the private registry if --push CLI flag is specified:

$ nsc build . --name app --push

The built image will be named nscr.io/8enum0hp1l5ii/app tag.

Note that 8enum0hp1l5ii is an example ID. You will see your workspace ID.


Using Docker CLI

You can use the Namespace Container Registry with the Docker CLI (or any other tools that use Docker credentials storage).

For this, you need to be logged in to Namespace and then set the Namespace credential helper using the following command:

$ nsc docker login
You are now logged into your workspace container registry:
Run your first build with:
  $ nsc build . -n test -p
Visit our docs for more details on Remote Builds:

The command above automatically updates your default Docker config.json file and prints your Workspace registry endpoint.

Afterward, you can interact with Namespace Container Registry using the Docker CLI tool.

For example, push a local image to Namespace Container Registry:

# Tag the image with the Namespace Container Registry repository if the image
# has a different repository.
$ docker tag IMAGE_NAME:latest nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest
# Push the image to the Namespace Container Registry
$ docker push nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest

Or pull an existing image from the Namespace Container Registry:

$ docker pull nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest
latest: Pulling from nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest
3f9582a2cbe7: Pull complete
9a8c6f286718: Pull complete
e81b85700bc2: Pull complete
73ae4d451120: Pull complete
6058e3569a68: Pull complete
3a1b8f201356: Pull complete
Digest: sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2
Status: Downloaded newer image for nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest

Using Namespace GitHub actions

To use the Namespace Container Registry from your GitHub Action workflows, you must configure your GitHub environment.

Namespace provides a GitHub action to configure access to Namespace and configure your Docker CLI to interact with the Container Registry - namespacelabs/nscloud-setup.

For example:

    runs-on: ubuntu-latest
	  # Set permissions for GitHub OIDC token authentication
      id-token: write
      - name: Configure access to Namespace
        uses: namespacelabs/nscloud-setup@v0
      # Use Namespace or Docker CLI to interact with the registry.

From Namespace Instances

Namespace instances can access the Namespace Container Registry without additional setup. Both, Docker and Kubernetes are preconfigured with the appropriate credentials.

For example:

$ nsc ssh 2sol83knhtiqm
2sol83knhtiqm:~# docker pull nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest
Digest: sha256:aa0afebbb3cfa473099a62c4b32e9b3fb73ed23f2a75a65ce1d4b4f55a5c2ef2
Status: Downloaded newer image for nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest
2sol83knhtiqm:~# kubectl run --image nscr.io/8enum0hp1l5ii/IMAGE_NAME:latest test
pod/test created
2sol83knhtiqm:~# kubectl get pod
test   1/1     Running   0        29s

Advanced: Direct access

You can access Namespace Container Registry directly through HTTP calls. To authorize incoming traffic, it employs Basic access authentication. The expected user name is token, while the password is a workspace access token. That is, the registry expects an Authorization header with the content Basic base64(token:access_token).

Accessing Namespace Container Registry directly is an advanced feature. Please reach out to support@namespace.so so we can discuss how to best support your usecase.

What's Next?