What is the difference between Docker Hub and a private registry?

Docker Hub is a public/private hosted registry with rate limits on free tiers. A private registry (Harbor, AWS ECR, GCR, GHCR) gives you full control over access, retention, and storage — essential for proprietary software that cannot be hosted publicly.

Why should I pin image digests instead of tags?

Tags like 'latest' or 'node:18' are mutable — the underlying image can change without warning. Pinning to a digest (sha256:...) guarantees immutability. Reproducible builds and security audits require exact digest pinning for base images.

What is a multi-arch image?

A container image that supports multiple CPU architectures (amd64, arm64) from a single tag, using a manifest list. Docker automatically pulls the correct architecture for the current platform. Multi-arch images are essential for Apple Silicon compatibility in CI/CD pipelines.

Docker Registry Simulator

DevTools Surf

About Docker Registry Simulator

Docker Registry Simulator preview - Developer Utilities tool

Simulate Docker registry operations (push, pull, list, delete images). Part of the DevTools Surf developer suite. Browse more tools in the Developer Utilities collection.

Use Cases

Plan a container registry retention policy before storage costs escalate
Understand how image layer caching works to optimize CI/CD build speed
Model image promotion workflow from dev to prod registries
Evaluate private registry hosting costs vs managed registry pricing

Tips

Simulate push and pull operations to understand how image layers are deduplicated in a registry — the 'layer reuse' panel shows which layers are shared across images
Use the tag lifecycle panel to model promotion workflows: build tags -> staging -> production with immutable SHA digests
The registry size calculator shows how storage grows as images accumulate — configure a retention policy to prevent unbounded growth

Fun Facts

Docker Hub introduced rate limiting in November 2020: 100 pulls per 6 hours for anonymous users, 200 for free authenticated users. This decision, driven by infrastructure costs from billions of monthly pulls, pushed many teams to migrate to GitHub Container Registry (GHCR) or self-hosted registries.
Container images are content-addressed: each layer is identified by the SHA256 hash of its content. This makes images immutable by design — a tag (like 'latest') is a mutable pointer to an immutable digest, which is why 'always pin to a specific digest, not a tag' is security best practice.
OCI (Open Container Initiative) was founded in 2015 to standardize container image and runtime formats. The OCI Image Specification (OCI-compatible registries) is now supported by Docker Hub, GHCR, AWS ECR, GCR, and all major registries — enabling interoperability.

FAQ

What is the difference between Docker Hub and a private registry?: Docker Hub is a public/private hosted registry with rate limits on free tiers. A private registry (Harbor, AWS ECR, GCR, GHCR) gives you full control over access, retention, and storage — essential for proprietary software that cannot be hosted publicly.
Why should I pin image digests instead of tags?: Tags like 'latest' or 'node:18' are mutable — the underlying image can change without warning. Pinning to a digest (sha256:...) guarantees immutability. Reproducible builds and security audits require exact digest pinning for base images.
What is a multi-arch image?: A container image that supports multiple CPU architectures (amd64, arm64) from a single tag, using a manifest list. Docker automatically pulls the correct architecture for the current platform. Multi-arch images are essential for Apple Silicon compatibility in CI/CD pipelines.

Related Developer Utilities Tools

Collection JSON → cURL Git Diff → HTML Regex Visualizer Makefile Explainer Shell Script Linter GitHub Actions Visualizer HAR File Viewer API Response Mocker