Docker Registry Connections

Edit pageLast modified: 12 March 2025

The Docker Registry Connections build feature allows TeamCity to automatically sign in to DockerHub or other container registries before the build starts.

Add this feature to:

  • Allow TeamCity monitor and detect Docker/Podman operations (for instance, docker pull and podman run);

  • Automatically log in to an authenticated registry before the build and log out of it after the build.

  • Clean up local (for both Docker and Podman) and pushed to a registry (only for Docker) images;

  • Add the Container Info tab to the Build Results page. The tab provides information on operations related to the container manager used.

    Container Info tab

Logging in and out of repositories and cleaning up images require a configured connection to a Docker registry:

Docker Registry Connectios build feature

note

Docker Registry Connections is a part of the TeamCity-Docker/Podman integration toolset. Refer to this documentation article for information on software requirements, supported environments, and other common aspects of this integration: Integrating TeamCity with Container Managers.

Docker Images Clean-up

Clean-up of the Pushed Images

If you have a build configuration which publishes images, you need to remove them at some point. You can select the corresponding option and instruct TeamCity to remove the images published by a certain build when the build itself is cleaned up.

It works as follows: when an image is published, TeamCity stores the information about the registry of the images published by the build. When the server clean-up is run and it deletes the build, all the configured connections are searched for the address of this registry, and the images published by the build are cleaned up using the credentials specified in the found connection.

Cleaning-up images pushed via Podman is currently enabled only if images were pushed from Linux agents, and only if the --digestfile=<fileName> option was set. Note that the fileName should be a path relative to the checkout directory and should point to the final digest file location (this path should not be modified by further navigation commands).

Clean-up of Images on Build Agent

As part of Free disk space build feature, Docker Registry Connections cleans up images which were created by TeamCity builds on this build agent. The build feature assumes that docker images are stored under

  • /var/lib/docker on Linux

  • %ProgramData% directory on Windows

  • $HOME directory on other systems

The location is important, as the Free disk space feature analyzes which disk volumes should be cleaned for the build. If your docker daemon uses a non-standard location for the images/containers, the location can be specified using teamcity.docker.data.path configuration parameter, preferably in buildAgent.properties file.

Docker Registry Automatic Login/Logout

The Add registry connection button allows you to select those registry connections that should be used to automatically authorize in corresponding registries when a build starts. After a build finishes, TeamCity logs out of those registries.

tip

See also how to use this functionality to double the number of pulls allowed to a Free Docker Hub user profile.

Amazon ECR

A connection to Amazon Elastic Container Registry (ECR) allows storing Docker/Podman images in private AWS registries. For this, such a connection needs to be selected when adding a Docker Registry Connections feature to a build configuration.

Connection settings:

Setting

Description

AWS region

Select an AWS region where the target resources are located.

Credentials type

  • Access key: select to use preconfigured AWS account access keys. You can find them in the Identity and Access Management section of your AWS console.

  • Temporary credentials: get temporary access keys via AWS STS. Such credentials are short-term and do not belong to a specific user.

IAM role ARN

(only for Temporary credentials)

Specify a role to be used for generating temporary credentials. You need to create this role in advance in your AWS console and assign it to all the necessary permissions.

External ID

(only for Temporary credentials)

Specify an external ID. We strongly recommend that you always define it when using temporary credentials. This ensures that only TeamCity will be able to use the specified IAM role.

Default credential provider chain

Enable this option to automatically find access keys according to the default chain.

Access key ID

Specify the access key ID.

See how to get it here.

Secret access key

Specify the secret access key.

See how to get it here.

Registry ID

Enter an ID of your registry or AWS account.

Kotlin DSL

The following Kotlin DSL snippet illustrates how to add a Docker Registry Connections build feature to your build configuration.

import jetbrains.buildServer.configs.kotlin.*

object MyBuildConfig : BuildType({
    name = "Deploy Web (Windows)"

    features {
        dockerRegistryConnections {
            cleanupPushedImages = true
            loginToRegistry = on {
                dockerRegistryId = "PROJECT_EXT_5"
            }
        }
    }
})

tip

To quickly get an ID of a target Docker Registry:

  1. Open project settings and navigate to the Connections settings tab.

  2. Copy a connection ID from the overview table.

    Copy connection ID

See also

Administrator's Guide