
Container Image registry

We have several types of container image registries available, suitable for different requirements.

AWS ECR Private

Platon uses private Elastic Container Registries as the standard way of automatically storing and delivering images to the PaaS cluster. ECR Private is a fully managed container registry with 99.9% uptime. The registry is automatically created by PaaS Console and managed by the Platon team. For more details on how to start pushing images to ECR, follow the documentation on deploying an example project to PaaS.

Advantages of using ECR private registry:

  • 99.9% uptime
  • automatic configuration of the project towards ECR with PaaS Console
  • PaaS cluster has access to pull images from the registry
  • a cleanup policy is defined out of the box
  • images cannot overwrite each other because the tags are immutable

GitLab Container Registry

GitLab comes with a built-in solution for storing images. The use cases for publishing images to GitLab Container Registry rather than ECR are:

  • a team does not run images in Platon PaaS
  • a team shares the image with a third party outside Sikt
  • a team does not have their own AWS account where they could host an ECR registry
  • the built containers are used in another GitLab project's pipelines

The disadvantages of using GitLab Container Registry are:

  • Integration with Platon PaaS must be configured manually
  • GitLab has downtime every time it is updated (a few times a month). This also affects the Container Registry.

If you think the GitLab Container Registry is a better fit for your project, follow the docs.

Artifactory

info

Artifactory will be retired on 16.03.2026. All teams storing container images in Artifactory should move them to ECR or GitLab Container Registry. The migration should be performed by each team, since the Platon team does not know which image belongs to which GitLab project.

It is also possible to use artifactory.sikt.no for storing Docker images. See the Artifactory page for more information.

The main use case here is teams that don't have their own AWS accounts and need to serve container images used outside of the Platon PaaS.

registry.uninett.no

info

This service will be retired and is replaced by dedicated ECRs per GitLab project and GitLab Container Registry. The ECRs are fully managed by Platon and do not require any set-up by the developer.

This is a Docker registry used by the PaaS. The configuration for pushing images to it is baked into the Platon CI/CD helper scripts, and the PaaS is configured to be allowed to pull from this registry in all application namespaces.

Best Practices

Here is a list of things to keep in mind when building containers:

1. Image Tagging

  • Use semantic versioning: 1.0.0, 1.0.1, 2.0.0
  • Tag commits: Use $CI_COMMIT_SHA or $CI_COMMIT_SHORT_SHA for traceability
  • Use labels: Add metadata to images using LABEL in Dockerfile

Example labels:

LABEL no.sikt.gitlab.image.title="My Application"
LABEL no.sikt.gitlab.image.description="Description of the application"
LABEL no.sikt.gitlab.image.version="1.0.0"
LABEL no.sikt.gitlab.image.source="https://gitlab.sikt.no/group/project"

2. Security

  • Scan images for vulnerabilities: Use the imagescan component
  • Use specific base image versions: Avoid latest tag in FROM statements
  • Rotate tokens regularly: Update deploy tokens and access tokens periodically
  • Use minimal base images: Alpine, distroless, or scratch images
  • Don't include secrets in images: Use environment variables or secret management
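A pre-build check for two of the points above, base image pinning and the metadata labels, could look like the following. This is an added example, not part of Platon's tooling: the function names are hypothetical, treating all four example label keys as required is an assumption, and the sample Dockerfile is constructed.

```python
import re
import shlex

# Label keys from the page's "Example labels"; requiring all four is an assumption.
REQUIRED_LABELS = {"no.sikt.gitlab.image." + k
                   for k in ("title", "description", "version", "source")}

def is_pinned(ref):
    """True if an image reference carries a digest or a tag other than 'latest'."""
    if "$" in ref:                       # build-arg reference: cannot be verified statically
        return False
    if "@sha256:" in ref:
        return True
    tag = ref.rsplit("/", 1)[-1].partition(":")[2]   # ignore a registry host:port colon
    return tag not in ("", "latest")                 # no tag means Docker pulls :latest

def lint_dockerfile(text):
    """Return (unpinned FROM references, missing required label keys)."""
    text = re.sub(r"\\[ \t]*\n", " ", text)          # join backslash-continued lines
    stages, unpinned, labels = set(), [], set()
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        instr = words[0].upper()
        if instr == "LABEL":
            rest = line.split(None, 1)[1] if len(words) > 1 else ""
            labels.update(t.split("=", 1)[0] for t in shlex.split(rest) if "=" in t)
        elif instr == "FROM":
            args = [w for w in words[1:] if not w.startswith("--")]  # drop --platform=...
            ref = args[0] if args else "scratch"
            # "scratch" and earlier build stages are not pulled from a registry
            if ref != "scratch" and ref.lower() not in stages and not is_pinned(ref):
                unpinned.append(ref)
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
    return unpinned, sorted(REQUIRED_LABELS - labels)

# Constructed sample Dockerfile; image names and the digest placeholder are illustrative.
SAMPLE = '''\
FROM --platform=linux/amd64 golang:1.22 AS build
FROM registry.example.com:5000/base/runtime AS base
FROM alpine:latest AS tools
FROM build AS test
FROM gcr.io/distroless/static@sha256:<digest>
LABEL no.sikt.gitlab.image.title="My Application" \\
      no.sikt.gitlab.image.version="1.0.0"
'''
print(lint_dockerfile(SAMPLE))
```

Run in a pipeline job before the image build, a non-empty result from either list can fail the job.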

3. Image Size Optimization

  • Multi-stage builds: Separate build and runtime stages
  • Minimize layers: Combine RUN commands
  • Clean up in same layer: Remove temporary files before layer commits
  • .dockerignore file: Exclude unnecessary files from build context

4. Cleanup and Retention

  • The ECR Private registry has an automatic cleanup policy: only containers running in PaaS are kept.

  • In GitLab Container Registry, users must define cleanup policies manually:

    Configure cleanup policies to manage storage:

    Project Settings → Packages and registries → Cleanup policies

    Recommended settings:

    • Keep N tags: Keep last 10 tags
    • Remove tags older than: 90 days
    • Remove tags matching: ^dev-.* (remove development tags)
    • Exclude tags matching: ^v?\d+\.\d+\.\d+$ (keep semantic versions)

5. CI/CD Pipeline Best Practices

  • Use pipeline artifacts: Share built images between stages
  • Parallel builds: Build different images concurrently
  • Run tests before push: Validate images before pushing