DTR architectureEstimated reading time: 3 minutes
This topic applies to Docker Enterprise.
The Docker Enterprise platform business, including products, customers, and employees, has been acquired by Mirantis, inc., effective 13-November-2019. For more information on the acquisition and how it may affect you and your business, refer to the Docker Enterprise Customer FAQ.
Docker Trusted Registry (DTR) is a containerized application that runs on a Docker Universal Control Plane cluster.
Once you have DTR deployed, you use your Docker CLI client to login, push, and pull images.
Under the hood
For high-availability you can deploy multiple DTR replicas, one on each UCP worker node.
All DTR replicas run the same set of services and changes to their configuration are automatically propagated to other replicas.
DTR internal components
When you install DTR on a node, the following containers are started:
|dtr-api-<replica_id>||Executes the DTR business logic. It serves the DTR web application, and API|
|dtr-garant-<replica_id>||Manages DTR authentication|
|dtr-jobrunner-<replica_id>||Runs cleanup jobs in the background|
|dtr-nginx-<replica_id>||Receives http and https requests and proxies them to other DTR components. By default it listens to ports 80 and 443 of the host|
|dtr-notary-server-<replica_id>||Receives, validates, and serves content trust metadata, and is consulted when pushing or pulling to DTR with content trust enabled|
|dtr-notary-signer-<replica_id>||Performs server-side timestamp and snapshot signing for content trust metadata|
|dtr-registry-<replica_id>||Implements the functionality for pulling and pushing Docker images. It also handles how images are stored|
|dtr-rethinkdb-<replica_id>||A database for persisting repository metadata|
|dtr-scanningstore-<replica_id>||Stores security scanning data|
All these components are for internal use of DTR. Don’t use them in your applications.
Networks used by DTR
To allow containers to communicate, when installing DTR the following networks are created:
|dtr-ol||overlay||Allows DTR components running on different nodes to communicate, to replicate DTR data|
Volumes used by DTR
DTR uses these named volumes for persisting data:
|dtr-ca-<replica_id>||Root key material for the DTR root CA that issues certificates|
|dtr-notary-<replica_id>||Certificate and keys for the Notary components|
|dtr-postgres-<replica_id>||Vulnerability scans data|
|dtr-registry-<replica_id>||Docker images data, if DTR is configured to store images on the local filesystem|
|dtr-nfs-registry-<replica_id>||Docker images data, if DTR is configured to store images on NFS|
You can customize the volume driver used for these volumes, by creating the volumes before installing DTR. During the installation, DTR checks which volumes don’t exist in the node, and creates them using the default volume driver.
By default, the data for these volumes can be found at
By default, Docker Trusted Registry stores images on the filesystem of the node where it is running, but you should configure it to use a centralized storage backend.
DTR supports these storage backends:
- Amazon S3
- Google Cloud Storage
- OpenStack Swift
- Microsoft Azure
How to interact with DTR
DTR has a web UI where you can manage settings and user permissions.
You can push and pull images using the standard Docker CLI client or other tools that can interact with a Docker registry.