CHAPTER 10
Docker and Container Registry
Updated: May 15, 2026
20 min read
1. Introduction
In the previous chapter, we orchestrated containers using GKE, but we relied on pre-built, public images (like Nginx). To run your own custom software in the cloud, you must first master the art of Containerization. You must package your code into an immutable Docker image, and then securely upload that image to a private Google Cloud storage vault. In this chapter, we will demystify Dockerfiles, and learn how to store our proprietary software securely using Google Artifact Registry.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define Docker and the concept of Containerization.
- Understand the anatomy of a Dockerfile.
- Differentiate between a Docker Image and a Docker Container.
- Define the role of Google Artifact Registry.
- Build, tag, and push a custom Docker image to GCP.
3. Beginner-Friendly Explanation
Imagine moving to a new house.
- The Old Way (Without Docker): You carry your loose clothes, plates, and books in your hands. You drop things. When you get to the new house, nothing fits in the new cupboards correctly. (This is deploying raw code to a server and fighting dependency errors).
- The Docker Way: You buy a standard, heavy-duty cardboard box (The Container). You put everything inside. You seal it shut (The Image). The movers don't care if it's books or plates; they just move the box. When it arrives at the new house (GCP), you open it, and everything is exactly where you left it. "It works on my machine" becomes "It works everywhere."
4. Docker Images vs. Containers
- The Dockerfile: The recipe (e.g., "Take Ubuntu Linux, install Python, copy my code").
- The Docker Image: The baked cake. An immutable, read-only template created by building the Dockerfile.
- The Docker Container: The cake being eaten. A running, executing instance of the Docker Image.
5. Google Artifact Registry
Once you build an Image on your laptop, how does GKE get it? You cannot use public Docker Hub for proprietary, top-secret company code. You use Artifact Registry (the modern replacement for Google Container Registry / GCR). Artifact Registry is a highly secure, private vault inside your GCP project designed exclusively to store your Docker images. GKE is natively integrated to pull images directly from this vault.
6. Anatomy of a Dockerfile
Let's look at a simple blueprint for a Node.js web application.
7. Mini Project: Build and Push an Image
Let's package a custom app and push it to Google's secure vault using the Cloud Shell!
Step-by-Step Tutorial:
- 1. Open the GCP Console and click the Cloud Shell icon (top right).
- 2. Create a simple Python web server file:
echo 'import http.server; import socketserver; socketserver.TCPServer(("", 8080), http.server.SimpleHTTPRequestHandler).serve_forever()' > server.py
- 3. Create the Dockerfile:
echo -e 'FROM python:3.9-slim\nCOPY server.py .\nEXPOSE 8080\nCMD ["python", "server.py"]' > Dockerfile
- 4. Create the Artifact Registry Vault: Navigate in the console to Artifact Registry > Repositories. Click Create Repository.
  - Name: my-repo
  - Format: Docker
  - Region: us-central1. Click Create.
- 5. Authenticate Docker: In Cloud Shell, tell Docker to log in to your new GCP vault:
gcloud auth configure-docker us-central1-docker.pkg.dev
- 6. Build & Tag the Image: We must tag the image with the exact URL of the vault. (Replace YOUR_PROJECT_ID with your actual GCP project ID!).
docker build -t us-central1-docker.pkg.dev/YOUR_PROJECT_ID/my-repo/my-custom-app:v1 .
- 7. Push to the Vault: Upload the image to GCP!
docker push us-central1-docker.pkg.dev/YOUR_PROJECT_ID/my-repo/my-custom-app:v1
- 8. Check the Artifact Registry console. Your custom Docker image is safely stored in the cloud, ready to be deployed to GKE or Cloud Run!
8. Real-World Scenarios
A cybersecurity company utilizes Vulnerability Scanning in Artifact Registry. Every time a developer pushes a new Docker Image to the registry, Google automatically scans the image layer by layer. If it detects that the underlying Linux base image contains a critical vulnerability (like the Log4j vulnerability), it flags the image and prevents the CI/CD pipeline from deploying it to the production GKE cluster.
9. Best Practices
- Use Alpine/Slim Base Images: Never use massive base images like FROM ubuntu (which can be 500MB+) if you don't need them. Use alpine or slim tags (e.g., python:3.9-alpine), which are often under 50MB. This drastically speeds up deployment times and significantly reduces the security attack surface.
10. Security Tips
- Never Hardcode Secrets: Never write API keys or database passwords inside your Dockerfile or application code! Anyone who gains access to the Artifact Registry can inspect the image layers and steal the keys. Passwords must be injected securely at runtime using GCP Secret Manager.
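As an added example (not code from the chapter), a small Python checker that splits a constructed Node.js Dockerfile into its instructions, as in the anatomy section above, and flags the two problems the Best Practices and Security Tips call out: a bloated or unpinned base image, and a secret-looking value written into a layer through ENV or ARG. The sample Dockerfile and the DB_PASSWORD value are constructed for the demonstration.

```python
import re

# Constructed sample Dockerfile for a Node.js web app (not the chapter's own listing).
SAMPLE_DOCKERFILE = """\
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
ENV DB_PASSWORD=hunter2
EXPOSE 3000
CMD ["node", "server.js"]
"""

# ENV/ARG keys that suggest a credential is being written into an image layer.
SECRET_KEY_RE = re.compile(r"^\w*(?:PASSWORD|SECRET|TOKEN|API_KEY)\w*\s*=", re.IGNORECASE)

def parse_dockerfile(text):
    """Split a Dockerfile into (INSTRUCTION, argument) pairs; comments and blank
    lines are skipped and backslash line continuations are joined."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # continuation: buffer and keep reading
            pending += line[:-1].rstrip() + " "
            continue
        keyword, _, arg = (pending + line).partition(" ")
        pending = ""
        instructions.append((keyword.upper(), arg.strip()))
    return instructions

def lint_dockerfile(text):
    """Flag the two issues the chapter calls out: bloated or unpinned base images,
    and secrets passed via ENV/ARG, which land in a layer anyone can inspect."""
    findings = []
    for keyword, arg in parse_dockerfile(text):
        if keyword == "FROM":
            image = arg.split()[0]            # drop any "AS builder" stage name
            name, _, tag = image.partition(":")
            if tag in ("", "latest"):
                findings.append(f"FROM {image}: pin an explicit version tag")
            if name != "scratch" and not any(k in tag for k in ("alpine", "slim")):
                findings.append(f"FROM {image}: prefer an alpine or slim tag")
        elif keyword in ("ENV", "ARG") and SECRET_KEY_RE.search(arg):
            findings.append(f"{keyword} {arg.split('=')[0]}: secret written into an image layer")
    return findings
```

Calling lint_dockerfile(SAMPLE_DOCKERFILE) reports only the DB_PASSWORD line; the secret should instead reach the container at runtime, as the tip above describes.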
11. CLI Examples
To pull an image down from your private Artifact Registry to a local machine:
12. Exercises
- 1. What is the fundamental difference between a Dockerfile and a Docker Image?
- 2. Why is Google Artifact Registry preferred over public Docker Hub for enterprise deployments?
13. FAQs
Q: I see tutorials mentioning GCR (Google Container Registry). What is that?
A: GCR was Google's original container storage service. It is now completely deprecated. You must use Artifact Registry, which supports Docker images, as well as NPM, Python, and Maven packages!
14. Interview Questions
- Q: Explain the mechanics of Docker Layer Caching. How does organizing the instruction sequence within a Dockerfile optimize image build times?
- Q: Detail the architectural workflow required to deploy a proprietary, containerized Node.js application from a developer's local machine to a production GKE cluster, specifically highlighting the role and authentication mechanisms of Google Artifact Registry.
15. Summary
In Chapter 10, we mastered the art of packaging software. We embraced Docker containerization to ensure our application runs identically across all environments. We dissected the anatomy of a Dockerfile, identifying how to layer dependencies onto minimal base images. Finally, we provisioned Google Artifact Registry, authenticating our local Docker daemon to securely build, tag, and push our proprietary, immutable image into a private cloud vault, ready for enterprise orchestration.