Docker registry integration

Link Docker Hub, GitHub Container Registry, DigitalOcean Registry, or Quay so Docker Services can pull private images.

Written By Zoro

Last updated 3 days ago

Docker Services pull images at deploy time

Public images often need no credentials. Private images require a registry connection under Integrations so Worker Nodes can authenticate.

See Docker services under Services in the sidebar for how image URLs and variables fit the Service model.

Before you start

  • You have push access to the registry (to verify image names and tags) and permission to create read tokens or robot accounts.
  • You know the exact image reference the Service uses (registry/image:tag).
  • Read Integration permissions and prerequisites for secret handling.

1. Add a registry in Integrations

  1. Open Integrations (or Settings β†’ Integrations).
  2. Find the Docker (or Container registry) card and open Settings or Connect registry.
  3. Enter a short name you will recognize in the UI.
  4. Choose registry type (Docker Hub, GitHub, DigitalOcean, Quay, or the option that matches your host).
  5. Provide username and password fields as prompted. For most providers the password is a personal access token or access token, not your interactive login password.

Expected outcome: The registry appears in the list and Docker Services can select it when you configure a private image.

Docker Hub

  1. Docker Hub β†’ Account Settings β†’ Personal access tokens β†’ Generate new token.
  2. Name it (for example dFlow pull), set expiry if required, grant Read (or Read & Write only if you also push from automation).
  3. Copy the token once; store it in a password manager.

In dFlow, registry type Docker, username is your Docker Hub username, password is the token.

GitHub Container Registry (ghcr.io)

  1. GitHub β†’ Settings β†’ Developer settings β†’ Personal access tokens (fine-grained or classic, per org policy).
  2. Grant scopes that allow read access to packages (for classic tokens, read:packages; add repo if the registry and repo linkage require it).

Use registry type GitHub (or GitHub Container Registry if labeled), username is your GitHub username, password is the token.

DigitalOcean Container Registry

  1. DigitalOcean API β†’ Tokens β†’ Generate New Token with read access to registry resources (labels vary).
  2. Copy the token once.

Select DigitalOcean as registry type and paste the token in the password field as the UI directs.

Quay.io

  1. Quay Account Settings β†’ create an encrypted password or robot account with read on the repositories you deploy.
  2. Use username and password from that robot or credential.

Choose Quay as the registry type in dFlow.

Use the registry on a Docker Service

  1. Open the Application β†’ Environment β†’ Docker Service.
  2. Set image to the full reference your registry expects.
  3. Pick the registry account you created under Integrations when the Service is private.

After changes, Redeploy so pulls run with the new credentials.

Permission and pull errors

SymptomWhat to check
unauthorized or denied on pullToken expired, wrong username, or missing read on that repository or namespace.
manifest unknownWrong image name, tag, or architecture; confirm in the registry UI.
Rate limitingAuthenticate (Docker Hub and others); retry after backoff.

Credential storage and Organisation boundaries are covered under Security best practices under Security and Team Management in the sidebar and Tenant access model under Security and Team Management in the sidebar.

Related