Docker Images

Developing Applications with MariaDB & Containers via Docker

Watch the Webinar

Certified images

All the Docker images used by this operator are based on Red Hat UBI and have been certified by Red Hat. The advantages of using UBI based images are:

• Immutability: UBI images are built to be secure and stable, reducing the risk of unintended changes or vulnerabilities due to mutable base layers.

• Small size: The UBI minimal and micro variants used by this operator are designed to be lightweight, containing only the essential packages. This can lead to smaller container image sizes, resulting in faster build times, reduced storage requirements, and quicker image pulls.

• Security and compliance: Regular CVE scanning and vulnerability patching help maintain compliance with industry standards and security best practices.

• Enterprise-grade support: UBI images are maintained and supported by Red Hat, ensuring timely security updates and long-term stability.

List of compatible images

MariaDB Enterprise Operator is compatible with the following Docker images:

Refer to the registry documentation to access docker.mariadb.com with your customer credentials.

Working With Air-Gapped Environments

This section outlines several methods for pulling official MariaDB container images from docker.mariadb.com and making them available in your private container registry. This is often necessary for air-gapped, offline, or secure environments.

Option 1: Direct Pull, Tag, and Push

This method is ideal for a "bastion" or "jump" host that has network access to both the public internet (specifically docker.mariadb.com) and your internal private registry.

1. Log in to both registries. You will need a MariaDB token for the public registry and your credentials for the private one. Refer to the official documentation.

   Copy

   # Log in to the official MariaDB registry
   docker login docker.mariadb.com
   
   # Log in to your private registry
   docker login <private-registry-url>

2. Pull the required image. Pull the official MariaDB Enterprise Operator image from its public registry.

   Copy

   docker pull docker.mariadb.com/mariadb-enterprise-operator:25.8.0

3. Tag the image for your private registry. Create a new tag for the image that points to your private registry's URL and desired repository path.

   Copy

   docker tag docker.mariadb.com/mariadb-enterprise-operator:25.8.0 <private-registry-url>/mariadb/mariadb-enterprise-operator:25.8.0

4. Push the re-tagged image. Push the newly tagged image to your private registry.

   Copy

   docker push <private-registry-url>/mariadb/mariadb-enterprise-operator:25.8.0

Option 2: Using a Proxy or Caching Registry

Many modern container registries can be configured to function as a pull-through cache or proxy for public registries. When an internal client requests an image, your registry pulls it from the public source, stores a local copy, and then serves it. This automates the process after initial setup.

You can use Harbor as a pull-through cache (Harbor calls this Replication Rules).

Option 3: Offline Transfer using docker save and docker push

This method is designed for fully air-gapped environments where no single machine has simultaneous access to the internet and the private registry.

On the Internet-Connected Machine

1. Log in and pull the image.

   Copy

   docker login docker.mariadb.com
   docker pull docker.mariadb.com/mariadb-enterprise-operator:25.8.0

2. Save the image to a tar archive. This command packages the image into a single, portable file.

   Copy

   docker save [docker.mariadb.com/mariadb-enterprise-operator:25.8.0 -o mariadb-enterprise-operator_25.8.0.tar

   Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the internet-connected machine to your isolated systems.

On the Machine with Private Registry Access

1. Load the image from the archive.

   Copy

   docker load -i mariadb-enterprise-operator_25.8.0.tar

2. Log in to your private registry.

   Copy

   docker login <private-registry-url>

3. Tag the loaded image. The image loaded from the tar file will retain its original tag. You must re-tag it for your private registry.

   Copy

   docker tag docker.mariadb.com/mariadb-enterprise-operator:25.8.0 <private-registry-url>/mariadb/mariadb-enterprise-operator:25.8.0

4. Push the image to your private registry.

   Copy

   docker push <private-registry-url>/mariadb/mariadb-enterprise-operator:25.8.0

Option 4: For OpenShift, you can use OpenShift Disconnected Installation Mirroring

Refer to the official Red Hat documentation

Option 5: Offline Transfer for containerd Environments

This method is for air-gapped environments that use containerd as the container runtime (common in Kubernetes) and do not have the Docker daemon. It uses the ctr command-line tool to import, tag, and push images. ⚙️

1. On the Bastion Host (with Internet)

First, on a machine with internet access, you'll pull the images and export them to portable archive files.

1. Pull the Container Image Use the ctr image pull command to download the required image from its public registry.

   Copy

   ctr image pull docker.mariadb.com/mariadb-enterprise-operator:25.8.0

   Note: If your bastion host uses Docker, you can use docker pull instead as we did in Option 3.

2. Export the Image to an Archive Next, export the pulled image to a .tar file using ctr image export. The format is ctr image export <output-filename> <image-name>.

   Copy

   ctr image export mariadb-enterprise-operator-25.8.0.tar docker.mariadb.com/mariadb-enterprise-operator:25.8.0

   Note: To find the exact image name as containerd sees it, run ctr image ls. The Docker equivalent for this step is docker save <image-name> -o <output-filename>.

Repeat this process for all the container images you need to transfer.

2. Transfer the Archives

Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the bastion host to your isolated systems.

3. On the Isolated Host

Finally, on the isolated system, you will import the archives into containerd. Official Docs

1. Importing for Kubernetes (Important!) ⚙️ If the images need to be available to Kubernetes, you must import them into the k8s.io namespace by adding the -n=k8s.io flag.

   Copy

   ctr -n=k8s.io image import mariadb-enterprise-operator-25.8.0.tar

2. Verify the Image Check that containerd recognizes the newly imported image.

   Copy

   ctr image ls

   You can also verify that the Container Runtime Interface (CRI) sees it by running:

   Copy

   crictl images

Important Note

The examples above use the mariadb-enterprise-operator:25.8.0 image. You must repeat the chosen process for all required container images. A complete list is available here

Additional Resources

_{This page is: Copyright © 2025 MariaDB. All rights reserved.}