Instructions for users who need to pull images from a ‘private’ registry that is not accessible from the public internet. Users of Docker Hub, Amazon ECR, GCR, etc. *do not* need to use this feature, as these registries are exposed to the public internet.
This feature requires version v1.2.0+ of the Testcontainers Cloud Desktop/agent application.
Testcontainers Cloud Desktop usage:
Set per-user configuration in the ~/.testcontainers.properties file:
cloud.private_registry.proxy.url = https://private.registry.example.com:8999
This enables images such as private.registry.example.com:8999/prefix/name to be pulled.
cloud.private_registry.proxy.allowed_image_name_globs = *,*/*
or
cloud.private_registry.proxy.allowed_image_name_globs = somepath/*,otherpath/namedimage
This is a comma-separated list of globs for images allow-listed for pulls (*,*/* means all). We recommend keeping the allow-list as small as possible.
Updates are loaded on startup, so you need to restart the Testcontainers Cloud application.
Agent CLI usage:
Add flags to the CLI invocation:
--private-registry-url=https://private.registry.example.com:8999
This enables images such as private.registry.example.com:8999/prefix/name to be pulled.
--private-registry-allowed-image-name-globs=*,*/*
or
--private-registry-allowed-image-name-globs=somepath/*,otherpath/namedimage
This is a comma-separated list of globs for images allow-listed for pulls (*,*/* means all). We recommend keeping the allow-list as small as possible.
Current limitations:
- At present, only a single private registry can be allow-listed for proxying.
- Image pull is supported, but push will be prevented.
- Proxying must be configured on a per-machine basis, but we expect this to later be configurable organisation-wide.
- Credentials/tokens for all public/private Docker registries are visible to the Testcontainers library and Testcontainers Cloud (data is proxied but not stored).
- Images pulled from private registries are cached within users’ Testcontainers Cloud VM, which is deleted automatically after being idle for approximately 30 minutes.
💡 As security measures, the agent only allows proxying to a single configured registry host, restricts HTTP verbs to HEAD/GET, and only allows requests that match an allowlist of paths (the path allowlist is based on the images which the agent is configured to allow).
At present these settings are configured on a per-installation basis, but we expect these to become centrally configurable at a later date.
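The security note above lists three agent-side checks: a single registry host, HEAD/GET only, and a path allowlist derived from the image globs. The sketch below models them so you can audit a candidate allow-list before deploying it. It is an added example and not the agent's own code. It assumes that `*` matches within one path segment, that pulls use the registry HTTP API v2 `manifests` and `blobs` paths, and that the `/v2/` version probe is permitted. The function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample configuration, mirroring the example values on this page.
REGISTRY_URL = "https://private.registry.example.com:8999"
ALLOWED_GLOBS = "somepath/*,otherpath/namedimage"

# Registry HTTP API v2 pull endpoints: /v2/<name>/manifests/<ref> and /v2/<name>/blobs/<digest>
PULL_PATH = re.compile(r"^/v2/(?P<name>.+)/(?:manifests|blobs)/[^/]+$")


def glob_to_regex(glob):
    """Translate one glob. Assumption: '*' never crosses a '/' separator."""
    parts = (re.escape(p) for p in glob.strip().split("*"))
    return re.compile("^" + "[^/]*".join(parts) + "$")


def image_allowed(name, globs=ALLOWED_GLOBS):
    """True if the repository name matches at least one allow-listed glob."""
    # Reject empty and dot segments so a wildcard cannot admit a traversal-style name.
    if any(seg in ("", ".", "..") for seg in name.split("/")):
        return False
    return any(glob_to_regex(g).match(name) for g in globs.split(",") if g.strip())


def request_allowed(method, url, registry_url=REGISTRY_URL, globs=ALLOWED_GLOBS):
    """Return (allowed, reason) for one proxied request under the three rules."""
    target, registry = urlsplit(url), urlsplit(registry_url)
    if (target.scheme, target.netloc.lower()) != (registry.scheme, registry.netloc.lower()):
        return False, "host is not the configured registry"
    if method.upper() not in ("HEAD", "GET"):
        return False, "verb is not HEAD/GET"
    if target.path in ("/v2", "/v2/"):
        return True, "API version probe"  # assumption: the probe is permitted
    match = PULL_PATH.match(target.path)
    if not match:
        return False, "path is not a pull endpoint"
    if not image_allowed(match.group("name"), globs):
        return False, "image is not in the allow-list"
    return True, "ok"
```

Under this model a glob such as `somepath/*` does not admit `somepath/a/b`, so check nested repository names explicitly when tightening the list.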