Docker Push and Pull Commands Reference

Share and distribute Docker images with registries

Syntax

docker push [OPTIONS] NAME[:TAG]
docker pull [OPTIONS] NAME[:TAG|@DIGEST]

The docker push command uploads an image to a registry, and the docker pull command downloads an image from a registry.

Docker registries are repositories for Docker images, allowing you to share and distribute your container images with other users or systems. The docker push and docker pull commands are essential for working with these registries, enabling you to store your images remotely and deploy them across different environments.

Docker Push Command

The docker push command uploads your locally built or modified images to a registry, making them available for others to use.

docker push

Pushes an image or a repository to a registry.

docker push [OPTIONS] NAME[:TAG]

Common options:

  • --all-tags, -a: Push all tagged images in the repository
  • --disable-content-trust: Skip image signing (default true)
  • --quiet, -q: Suppress verbose output

Basic example:

docker push myregistry.example.com/myapp:1.0

Push Process

When you run the docker push command, Docker performs the following steps:

  1. Authenticates with the registry (if required)
  2. Compresses and prepares layers for upload
  3. Checks which layers already exist in the registry
  4. Uploads only the layers that don't already exist in the registry
  5. Uploads the image manifest, which references the layers

The push operation is optimized to only upload layers that don't already exist in the registry, making subsequent pushes of similar images much faster.

Docker Pull Command

The docker pull command downloads images from a registry to your local machine, allowing you to run containers based on those images.

docker pull

Pulls an image or a repository from a registry.

docker pull [OPTIONS] NAME[:TAG|@DIGEST]

Common options:

  • --all-tags, -a: Download all tagged images in the repository
  • --disable-content-trust: Skip image verification (default true)
  • --platform: Set platform if server is multi-platform capable
  • --quiet, -q: Suppress verbose output

Basic example:

docker pull nginx:latest

Pull Process

When you run the docker pull command, Docker performs the following steps:

  1. Authenticates with the registry (if required)
  2. Downloads the image manifest
  3. Checks which layers already exist locally
  4. Downloads only the layers that don't already exist locally
  5. Decompresses and verifies the layers
  6. Stores the layers in the local Docker storage

Like pushing, the pull operation is optimized to only download layers that don't already exist locally, making subsequent pulls of similar images much faster.

Docker Registry Concepts

Registry Types

Docker supports several types of registries:

  • Docker Hub: Docker's public registry (default)
  • Private registries: Self-hosted or vendor-provided private registries
  • AWS ECR, Google GCR, Azure ACR: Cloud provider registries
  • GitHub Container Registry: GitHub's container registry

Image Naming

Docker image names typically follow this format:

[registry/][namespace/]repository[:tag]

For example:

  • nginx:latest - An image from Docker Hub in the official namespace
  • username/myapp:1.0 - An image from Docker Hub in a user's namespace
  • registry.example.com/team/project:v1.0.0 - An image from a private registry
  • gcr.io/project-id/image:tag - An image from Google Container Registry

Authentication

Most registries require authentication before you can push images or pull private images. You can authenticate using the docker login command:

docker login [OPTIONS] [SERVER]

For Docker Hub:

docker login

For a private registry:

docker login registry.example.com

Examples

Basic Push and Pull

Tag and push an image to Docker Hub, then pull it back:

# Tag a local image for Docker Hub
docker tag myapp:latest username/myapp:latest

# Push the image to Docker Hub
docker push username/myapp:latest

# Pull the image from Docker Hub
docker pull username/myapp:latest

These commands demonstrate the basic workflow for sharing images via Docker Hub.

Working with Private Registries

Push and pull images using a private registry:

# Log in to the private registry
docker login registry.example.com

# Tag an image for the private registry
docker tag myapp:latest registry.example.com/myteam/myapp:1.0.0

# Push the image to the private registry
docker push registry.example.com/myteam/myapp:1.0.0

# Pull the image from the private registry
docker pull registry.example.com/myteam/myapp:1.0.0

This example shows how to authenticate with and use a private Docker registry.

Using Image Digests

Pull a specific image version using its digest:

# Inspect an image to get its digest
docker inspect --format='{{index .RepoDigests 0}}' nginx:latest

# Pull an image using its digest
docker pull nginx@sha256:2ab30d6ac53580a6db8b657abf0f68d75360ff5cc1670a85acb9402a3c7c293e

This example demonstrates how to use image digests for immutable references to specific image versions.
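
The naming format and digest pinning described above, combined in an added example (not code from this page or from the Docker project). parse_ref fills in the defaults a short name implies (Docker Hub, the library namespace, the latest tag) in simplified form, and check_ref applies a pull policy to the result. The function names, the finding labels and ALLOWED_REGISTRIES are assumptions made for this example.

```python
# Added example, not code from the Docker project.
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")  # this example accepts sha256 only
# Assumed policy for this example: registries the organisation trusts.
ALLOWED_REGISTRIES = {"docker.io", "registry.example.com"}


def parse_ref(ref):
    """Split [registry/][namespace/]repository[:tag][@digest] into its parts."""
    name, _, digest = ref.partition("@")
    tag = ""
    # Only a colon after the last slash starts a tag; an earlier one is a port.
    head, slash, last = name.rpartition("/")
    if ":" in last:
        last, tag = last.split(":", 1)
        name = head + slash + last
    registry, repo = "docker.io", name
    first, sep, rest = name.partition("/")
    # The first component names a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo  # official images live in the library namespace
    if not tag and not digest:
        tag = "latest"  # implicit default when neither tag nor digest is given
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}


def check_ref(ref):
    """Return policy findings for one image reference (empty list = pass)."""
    parts = parse_ref(ref)
    findings = []
    if parts["registry"] not in ALLOWED_REGISTRIES:
        findings.append("registry-not-allowed:" + parts["registry"])
    if parts["digest"]:
        if not DIGEST_RE.fullmatch(parts["digest"]):
            findings.append("malformed-digest")
    elif parts["tag"] == "latest":
        findings.append("floating-tag")
    else:
        findings.append("mutable-tag")
    return findings


if __name__ == "__main__":
    for ref in ("nginx", "username/myapp:1.0", "localhost:5000/myapp",
                "gcr.io/project-id/image:tag", "nginx@sha256:" + "a" * 64):
        print(ref, parse_ref(ref), check_ref(ref))
```

A reference passes only when it names an allowed registry and carries a well-formed digest; a version tag is reported as mutable-tag because the registry can repoint it.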

Pulling Multiple Tags

Pull all tags for a repository:

# Pull all tags for the nginx repository
docker pull --all-tags nginx

# List all pulled tags
docker images nginx

The --all-tags option allows you to pull every tag in a repository with a single command.

Pushing Multiple Tags

Create multiple tags for an image and push them all:

# Tag an image with multiple tags
docker tag myapp:latest username/myapp:latest
docker tag myapp:latest username/myapp:1.0.0
docker tag myapp:latest username/myapp:stable

# Push all tags to Docker Hub
docker push --all-tags username/myapp

This example shows how to create and push multiple tags for the same image.

Platform-Specific Pulls

Pull an image for a specific platform:

# Pull the arm64 version of the image
docker pull --platform linux/arm64 nginx:latest

# Pull the amd64 version of the image
docker pull --platform linux/amd64 nginx:latest

The --platform option allows you to pull images for specific architectures, which is useful for cross-platform development.

Cloud Provider Registries

Working with AWS ECR, Google GCR, and Azure ACR:

# AWS ECR
aws ecr get-login-password | docker login --username AWS --password-stdin 012345678910.dkr.ecr.us-east-1.amazonaws.com
docker push 012345678910.dkr.ecr.us-east-1.amazonaws.com/myapp:latest

# Google GCR
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin gcr.io
docker push gcr.io/myproject/myapp:latest

# Azure ACR
az acr login --name myregistry
docker push myregistry.azurecr.io/myapp:latest

This example demonstrates authentication and usage for the three major cloud provider container registries.

Best Practices

  • Use specific tags: Avoid using the latest tag for production deployments. Use specific version tags or image digests instead for better reproducibility.
  • Implement a tagging strategy: Develop a consistent tagging strategy that conveys information about the image content, version, or build number.
  • Consider semantic versioning: Use semantic versioning (e.g., v1.2.3) for your image tags to clearly communicate compatibility and change significance.
  • Store credentials securely: Use Docker credential helpers or environment variables to avoid storing plain-text passwords in your Docker configuration.
  • Use multi-arch images: For public images, consider building and pushing multi-architecture images to support different platforms.
  • Implement image scanning: Scan your images for vulnerabilities before pushing them to your registry.
  • Use content trust: Enable Docker Content Trust to sign and verify your images for enhanced security.
  • Set up CI/CD pipelines: Automate your image build, test, and push processes using CI/CD pipelines.
  • Use registry proxies or mirrors: For frequently used images, consider setting up a registry mirror to improve pull performance and reduce external bandwidth usage.
  • Implement retention policies: Set up retention policies in your registry to automatically clean up old or unused images.

Common Issues and Troubleshooting

Authentication Issues

If you encounter authentication problems when pushing or pulling images:

  • Ensure you've logged in with docker login
  • Check your Docker configuration in ~/.docker/config.json
  • For cloud registries, ensure your credentials haven't expired
  • Confirm you have the necessary permissions in the registry

Network Issues

If you experience network problems when pushing or pulling:

  • Check your internet connection
  • Verify that your firewall allows Docker to access the registry
  • If using a proxy, ensure Docker is configured to use it
  • Try the Docker client's global --debug (-D) flag, for example docker --debug pull nginx:latest, to get more information

Space Issues

If you run out of disk space when pulling images:

  • Use docker system df to check Docker's disk usage
  • Run docker system prune to remove unused data
  • Consider pulling only the specific tags you need, not --all-tags
  • Use smaller base images when building your own images

Registry-Specific Issues

Different registries can have specific requirements or limitations:

  • Docker Hub may have rate limits for anonymous or free accounts
  • Self-hosted registries might have TLS certificate issues
  • Cloud provider registries often require special authentication methods
  • Some registries may enforce image size limits

Notes and Limitations

  • Docker Hub has pull rate limits for anonymous and free accounts. Consider authenticating or using a paid account for production environments.
  • Image layers are uploaded and downloaded individually, so large images with many layers might take longer to push or pull.
  • The --all-tags option can consume significant bandwidth and storage if a repository has many tags.
  • Docker Content Trust is not enabled by default and requires additional setup.
  • When pulling by digest, you must use the exact digest format. Tags can be updated to point to different images, but digests are immutable.
  • Images built for a specific platform (e.g., linux/amd64) may not run on other platforms without emulation or multi-platform support.
  • Docker credentials are stored in ~/.docker/config.json by default. Secure this file appropriately.
  • Some registries may have retention policies that automatically delete older tags or unused images.
  • Network bandwidth can significantly impact push and pull performance, especially for large images.
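
One way to check how credentials are stored in ~/.docker/config.json, as an added example (not code from this page or from Docker). It reports inline auth entries, which are base64-encoded rather than encrypted, and file permissions wider than the owner. The function names, finding texts and the sample config are constructed for this example.

```python
# Added example, not Docker's own code: flag registry credentials kept inline
# in a Docker client config.json instead of behind a credential helper.
import base64
import json
import os
import stat
import tempfile


def audit_docker_config(path):
    """Return a list of findings for the Docker client config at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any permission bit set for group or other
        findings.append("mode %03o: accessible beyond the owner" % mode)
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth"):
            # "auth" is base64("user:password"): encoded, not encrypted.
            decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]
            findings.append("%s: inline password for user %s" % (registry, user))
        elif entry.get("identitytoken"):
            findings.append("%s: inline identity token" % registry)
    if not cfg.get("credsStore") and not cfg.get("credHelpers"):
        findings.append("no credsStore or credHelpers configured")
    return findings


def demo():
    """Audit a constructed config (all sample values are made up)."""
    sample = {
        "auths": {
            "registry.example.com": {
                "auth": base64.b64encode(b"ci-bot:not-a-real-password").decode()
            },
            "gcr.io": {},  # empty entry: the secret is held by a helper
        },
        "credHelpers": {"gcr.io": "gcloud"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_docker_config(path)


if __name__ == "__main__":
    print("\n".join(demo()))
```

To audit a real client, call audit_docker_config(os.path.expanduser("~/.docker/config.json")); the output contains usernames but never the decoded password.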