Container Registries

Docker Command Overview and Hub Access

There are several publically available container registries, and Docker Hub is one of them. Docker Hub is often the originating source of container images for official images including: Linux operating systems, minimal python images, and more. When pulling images from Docker Hub, it is best only use Trusted Content including: Official Image, Verified Publisher, and Sponsored OSS. This minimizes the risk of security vulnerabilities and malicious software distirbution. To maintain compatability with the ifarm and farm environment we have built a base container from the official AlmaLinux/9-base:9.5 from the AlmaLinux source on Docker Hub. Our base container is quite large, but contains most - if not all - the tools you'd expect to have for developing code in python, CERN ROOT, etc.

⚠️ If something is missing you require from jlab-base, email the maintainers of the repository, and it will likely be added.

Creating a DockerHub Account

While JLab users often work with internal containers, understanding DockerHub is essential when exploring or building off external images.

Step 1: Create an Account

Visit https://hub.docker.com/
Create a free account with your email and password
Log in using the docker command:

docker login

You will be prompted for your DockerHub username and password. This allows you to pull private images or publish to your own namespace.

Step 2: Searching for Images

You can search for containers from the command line or through the web interface. Notice the OFFICIAL column with [OK] for official images.

docker search almalinux
docker search rootproject/root

When browsing DockerHub:

Prefer official repositories (marked with a verified badge)
Look for images maintained by known scientific projects (e.g., CERN, ROOT, Geant4)
Where possible, check the Dockerfile and last updated date to help determine trustworthiness

Accessing JLab’s Internal Registry

Jefferson Lab maintains a private container registry for trusted base images. To push or pull from this internal registry, you'll need to authenticate using a GitLab API token.

Step-by-Step: Log In to `codecr.jlab.org`

Visit the GitLab site hosted at:
code.jlab.org/
Sign in to the registry using your JLab CUE username and the token:
Follow the steps to generate log into GitLab and create a GitLab personal access token.
https://code.jlab.org/-/profile/
- Open the Access Tokens section to create a new access key
- Scope: ✅ read_registry and write_registry
- Name it something like podman-auth-token
Add your Access Token to access the registry with

podman login codecr.jlab.org
Username: YOUR_CUE_USERNAME
Password: <paste your token>

⚠️ Access tokens are rotated regularly. You will need to add new tokens as old ones expire. Do not share this access token or save it to any public facing repository. This will configure your local container engine to interact with the JLab registry.

Final Thoughts

By understanding how to search for containers, log in to trusted registries, and identify the difference between DockerHub and codecr.jlab.org, you’ll be better prepared to:

Select secure, up-to-date base images
Build consistent environments for analysis and publication
Integrate your work into Slurm batch pipelines or CVMFS-aware jobs

Docker Command Overview and Hub Access​

Creating a DockerHub Account​

Step 1: Create an Account​

Step 2: Searching for Images​

Accessing JLab’s Internal Registry​

Step-by-Step: Log In to codecr.jlab.org​

Final Thoughts​