Docker Trusted Registry

Docker Trusted Registry (DTR) is part of the Docker Enterprise suite, the enterprise-grade Containers-as-a-Service (CaaS) platform from Docker, Inc. It's aimed at enterprises running a cluster of Docker hosts in their own data centers or in any cloud. Docker Enterprise comes with a comprehensive management suite called Universal Control Plane (UCP), which provides an interface to administer all the resources in your Docker cluster: the host servers, images, containers, networks, volumes, and everything else. Docker Enterprise also provides DTR, which is a secure, scalable image registry.

DTR runs over HTTPS and is a clustered service, so you can deploy multiple registry servers across your cluster for scalability and failover. You can use local storage or cloud storage for DTR, so if you run in Azure, the images can be persisted in Azure storage with practically unlimited capacity. Like Docker Hub, you can create organizations for shared repositories, but with DTR, you manage authentication by creating your own user accounts or by plugging into a Lightweight Directory Access Protocol (LDAP) service (such as Active Directory). Then you can configure role-based access control for fine-grained permissions.

Security scanning is also available in DTR, a feature that scans the binaries inside your images to check for known vulnerabilities. You can configure scans to run whenever an image is pushed, or run them on a schedule. Scheduled scans can alert you when a new vulnerability is found in one of the dependencies of an old image. The DTR UI lets you drill down into the details of the vulnerability and see the exact file and the exact exploit.

There is one other major security feature that is only available in Docker Enterprise: content trust. Docker content trust lets users digitally sign images to capture an approval workflow, so QA and security teams can run an image version through their test suites and sign it to confirm that they approve a release candidate for production. Those signatures are stored in DTR. UCP can be configured to only run images that have been signed by certain teams, so you get close control over what software your cluster will run, together with an audit trail proving who built and approved the software.
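The signing and verification workflow described above, as an added PowerShell example that is not from the book: it tags a release candidate, registers a QA team signing key as a delegation signer for the repository, signs and pushes the tag with content trust enabled, inspects the stored signatures, and then shows that a pull of an unsigned tag is refused while trust is enforced. The registry address `dtr.example.local`, the repository `myorg/myapp`, the signer name `qa-team` and the image tags are placeholders chosen for this example; the commands assume you have already run `docker login` against the registry and that the Docker CLI is 18.03 or later (when the `docker trust` commands were introduced).

```powershell
# Added example, not the book's own code. Placeholders: registry host, repo, signer, tags.
$registry = 'dtr.example.local'          # placeholder DTR address
$repo     = "$registry/myorg/myapp"      # placeholder repository in DTR

# 1. Tag the build that QA is going to approve as a release candidate.
docker image tag myapp:latest "${repo}:1.0-rc1"

# 2. Turn on content trust for this shell session. With this set, every push
#    is signed and every pull/run verifies a signature before using the image.
$env:DOCKER_CONTENT_TRUST = '1'

# 3. One-time setup: create a signing key pair for the QA team and register the
#    public half as a delegation signer on the repository. The private key is
#    loaded into the local trust store; the public key is written to qa-team.pub.
docker trust key generate qa-team
docker trust signer add --key qa-team.pub qa-team $repo

# 4. Sign and push the tag. The first run prompts for the root and repository
#    key passphrases; the signature is stored in the Notary service inside DTR.
docker trust sign "${repo}:1.0-rc1"

# 5. Audit trail: list who signed which tag, and with which key.
docker trust inspect --pretty "${repo}:1.0-rc1"

# 6. Enforcement check on a host. Push a tag without signing it, then try to
#    pull it with trust enabled: the pull fails because there is no trust data
#    for that tag, which is exactly what a UCP signing policy relies on.
$env:DOCKER_CONTENT_TRUST = '0'
docker image tag myapp:latest "${repo}:1.0-unsigned"
docker image push "${repo}:1.0-unsigned"

$env:DOCKER_CONTENT_TRUST = '1'
docker image pull "${repo}:1.0-unsigned"   # expected to fail: no trust data for tag
```

Setting `DOCKER_CONTENT_TRUST` per session keeps the unsigned push in step 6 deliberate and visible; on production hosts you would leave it enabled and let UCP's signing policy decide which teams' signatures are acceptable, as the paragraph above describes.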

Docker Enterprise has a rich suite of features which can be accessed through friendly web UIs, as well as through the usual Docker command line. Security, reliability, and scalability are major factors in the feature set, which makes it a good choice for enterprise users looking for a standard way to manage images, containers, and Docker hosts. I will cover UCP in Chapter 8, Administering and Monitoring Dockerized Solutions, and DTR in Chapter 9, Understanding the Security Risks and Benefits of Docker.

If you want to try out Docker Enterprise in a sandbox environment with no setup requirements, browse to http://trial.docker.com for a hosted trial that you can use for 12 hours.