Today we're launching the DanubeData Container Registry, a managed OCI v2 image registry hosted at cr.danubedata.ro. Push from your laptop or CI, pull from anywhere — including Rapids serverless containers, VPS instances, or your own Kubernetes cluster.
Every DanubeData account gets a free Starter tier (500 MB of storage, one repository). Paid tiers start at €3.99/month for 5 GB. No per-pull fees, no rate limits beyond your plan, no transatlantic data hops.
Why we built it
If you're shipping containers in 2026, you've probably hit at least one of these:
- Docker Hub rate limits. Anonymous pulls capped at 100 per six hours per IP. CI workers behind a shared NAT consume that budget in minutes. Free authenticated pulls aren't much better.
- Cross-region latency. Your app runs in Frankfurt; your registry sits in
us-east-1. Every cold start pulls hundreds of MB across the Atlantic. - Compliance ambiguity. A US-based image registry stores your private build artifacts — including secrets baked into layers, internal API surface, and version history — on infrastructure subject to the CLOUD Act.
- Implementation drudgery. Self-hosting Distribution + a token service + storage backend + TLS + GC + multi-tenancy is a four-month project before you ship any actual product.
We built the registry because every one of those problems was costing our customers time, money, or both. Now it's a checkbox in your dashboard.
What you get
| Feature | What it means |
|---|---|
| Per-tenant isolation | Repositories namespaced under your team slug. Cross-team pulls return 401; the /v2/_catalog endpoint is scoped to your team only — never the cluster-wide catalog. |
| Scoped access keys | Per-environment or per-CI keys, push+pull or pull-only. Revoke any time; new tokens fail within five minutes. |
| Vault-signed JWTs | Short-lived (5-min TTL) bearer tokens signed by a Vault-managed RSA keypair. Rotation built in and audit-logged. |
| Auto-wired to Rapids | Every team is provisioned an internal pull credential the moment a Rapid is created. Pick "DanubeData Container Registry" as the image source — no imagePullSecret plumbing. |
| OCI v2 compatible | Upstream CNCF Distribution code. Docker, podman, buildah, skopeo, Kaniko, Buildpacks all work out of the box. Same SDKs you're already using. |
| Ceph-backed EU storage | Blobs and manifests live in our self-hosted Ceph cluster in Falkenstein, Germany. Bucket encryption uses Vault-managed SSE keys. |
| Garbage collection | Daily GC reclaims storage from unreferenced blobs. Trigger it manually any time from the dashboard. |
| EU-resident data | Image data, audit logs, and credentials stay in Germany. GDPR-compliant by design — no transatlantic data hops. |
Pricing
Plans are storage-and-repo bound. No per-pull fees, no rate limits beyond your tier, no egress surprises.
| Plan | Storage | Repositories | Price |
|---|---|---|---|
| Starter | 500 MB | 1 | Free |
| Basic | 5 GB | 5 | €3.99 / month |
| Professional | 100 GB | Unlimited | €14.99 / month |
| Custom | Larger quotas | Unlimited | Talk to us |
Every account starts on Starter. Need more storage? Upgrade in one click from console.danubedata.ro/registry/subscription — the new rate applies on the next hourly billing tick.
Push your first image
The flow is identical to any other OCI-compatible registry. Generate a token in the dashboard, then:
echo "$REGISTRY_TOKEN" | docker login cr.danubedata.ro -u you@example.com --password-stdin
docker tag my-app:latest cr.danubedata.ro/your-team/my-app:latest
docker push cr.danubedata.ro/your-team/my-app:latest
The username can be anything — your email, your team name, a CI handle. We identify the key by the token alone, the same way DigitalOcean's registry does. Customers told us two-field credentials were friction; now there's one secret to manage.
Pull from Rapids without lifting a finger
If you're using Rapids, the registry just works. We provision an internal pull credential automatically the first time a Rapid is created in your team. When you point a Rapid at cr.danubedata.ro/your-team/my-app:latest, pick "DanubeData Container Registry" as the credential source — that's it.
No imagePullSecret to copy-paste. No risk of hardcoding a token in your gitops repo. No round-trip across regions: blobs travel between Ceph and the Rapids pods inside the same EU cluster.
What it's not (yet)
We're shipping a deliberately focused v1. A few features that we know are useful but aren't in scope today:
- Image vulnerability scanning. Coming. For now, run
trivy image cr.danubedata.ro/team/foo:taglocally or in your CI. - Cross-team sharing. Repositories are strictly per-team. If two teams need the same image, push it to both — or contact us about an organisation-level plan.
- Pull-through cache for upstream registries. If you're looking for a Docker Hub cache, that's a separate product (let us know if you want one).
- Image promotion / staging environments. Use distinct tags or repository paths in your team namespace.
Anything in this list you'd use today? Tell us — it helps us prioritise.
Getting started
- Create a DanubeData account (Starter tier included free).
- Open Container Registry → Access Keys → New access key.
- Copy the
cr_…token shown once. - Run the three Docker commands above, substituting your team name.
That's the whole flow. From signup to your first docker push in under 90 seconds, no DevOps engineer required.
Want to read more before you sign up? The solution page goes deeper on the architecture, and the customer docs cover access keys, GC, and the Rapids integration end-to-end.
Welcome to a registry that lives where your apps live. Push your first image today.