circle-info
Webinar | Deploy MariaDB Cloud in Your Microsoft Azure Account. Retain Control.
Watch Nowarrow-up-right
search
Download MariaDBContact Us

Docker Images

Lists and describes the specific Docker images used by the Operator, including MariaDB Enterprise Server, MaxScale, and supporting sidecars.

Developing Applications with MariaDB & Containers via Docker

Watch the Webinararrow-up-right

hashtag
Certified images

All the Docker images used by this operator are based on Red Hat UBIarrow-up-right and have been certified by Red Hatarrow-up-right. The advantages of using UBI based images are:

  • Immutability: UBI images are built to be secure and stable, reducing the risk of unintended changes or vulnerabilities due to mutable base layers.

  • Small size: The UBI minimalarrow-up-right and microarrow-up-right variants used by this operator are designed to be lightweight, containing only the essential packages. This can lead to smaller container image sizes, resulting in faster build times, reduced storage requirements, and quicker image pulls.

  • Security and compliance: Regular CVE scanning and vulnerability patching help maintain compliance with industry standards and security best practices.

  • Enterprise-grade support: UBI images are maintained and supported by Red Hat, ensuring timely security updates and long-term stability.

hashtag
List of compatible images

MariaDB Enterprise Kubernetes Operator is compatible with the following Docker images:

Component
Image
Supported Tags
CPU Architecture

MariaDB Enterprise Kubernetes Operator

docker.mariadb.com/mariadb-enterprise-operator

26.3.1 26.3.0 25.10.4 25.10.3 25.10.2 25.10.1 25.10.0 25.8.0

amd64 arm64 ppc64le

MariaDB Enterprise Server

docker.mariadb.com/enterprise-server

11.8.6-3 11.8.5-2 11.8.3-1 11.4.10-7 11.4.9-6 11.4.8-5 11.4.7-4.3 11.4.7-4.2 11.4.7-4.1 10.6.25-21 10.6.24-20 10.6.23-19 10.6.22-18.1

amd64 arm64 ppc64le

MariaDB Enterprise Server (tiered)

docker.mariadb.com/enterprise-server

11.8.6-3.1 11.8.6-3.1-minimal 11.8.6-3.1-standard 11.8-minimal 11.8-standard 11.8 11.4.10-7.1-minimal 11.4.10-7.1-standard 11.4.10-7.1 11.4-minimal 11.4-standard 11.4 10.6.25-21.1-minimal 10.6.25-21.1-standard 10.6.25-21.1 10.6-minimal 10.6-standard 10.6

amd64 arm64 ppc64le

MaxScale Enterprise

docker.mariadb.com/maxscale

25.10.1 25.10.0 25.01.4 25.01.3-1 25.01

amd64 arm64 ppc64le

MaxScale

mariadb/maxscale

23.08.9-ubi 23.08-ubi 24.02.5-ubi 24.02-ubi

amd64 arm64

MariaDB Prometheus Exporter

mariadb/mariadb-prometheus-exporter-ubi

1.1.0

amd64 arm64 ppc64le

MaxScale Prometheus Exporter

mariadb/maxscale-prometheus-exporter-ubi

1.1.0

amd64 arm64 ppc64le

MariaDB Enterprise nslcd sidecar

docker.mariadb.com/nslcd

0.9.10-13

amd64 arm64 ppc64le

Refer to the registry documentation to access docker.mariadb.com with your customer credentials.

hashtag
MariaDB Enterprise Server Tiered Images.

To accommodate diverse operational requirements, the MariaDB Server container images utilize a multi-tiered strategy offering three distinct flavors: minimal and standard. The minimal tier serves as the highly secure default, providing a heavily reduced footprint tailored for automated, operator-driven environments. For broader enterprise workloads requiring additional storage engines, plugins, and in-container debugging utilities, the standard tier balances comprehensive capabilities with strict security hardening.

Tier
Description
Target

minimal

The minimal tier of the MariaDB Enterprise Docker image offers an image where whole parts of the filesystem have been removed. This includes many MariaDB utility binaries, CLI binaries, utilities and irrelevant packages.

Ideal for highly secure environments and strict compliance use cases requiring a heavily reduced attack surface and minimal storage footprint.

standard

The standard tier of the MariaDB Enterprise Docker image comes with additional storage engines and plugins, while not sacrificing on security and size.

Designed for general enterprise workloads that require a balance of comprehensive database capabilities and an optimized, secure footprint.

circle-info

The tiered images are based on ubi-microarrow-up-right.

hashtag
Hardened images

Enterprise images are specifically "hardened" to optimize security and resource efficiency. Because containers are fundamentally designed to run a single application and its required dependencies, the hardening process strips away any operating system components that are unnecessary for MariaDB to function. As a result, these hardened images contain significantly fewer binaries and files, and are strictly configured to execute as a non-root user to minimize potential attack surfaces.

The following section provides a high-level overview detailing the specific components that are retained and removed across both image tiers.

Component

minimal

standard

MariaDB Enterprise Server

coreutils

mariadb-backup

mariadb-dump

mariadb-binlog

mariadb-tzinfo-to-sql

boost-program-options

jemalloc

MariaDB utilities

System Perl

S3 Engine

Cracklib Password Plugin

Hashicorp Key Plugin

LDAP/PAM Plugin Dependencies

Spider Engine

RocksDB Engine

Package Manager

Docs & Formatting

Unnecessary Binaries

gosu

hashtag
Working With Air-Gapped Environments

This section outlines several methods for pulling official MariaDB container images from docker.mariadb.com and making them available in your private container registry. This is often necessary for air-gapped, offline, or secure environments.

hashtag
Option 1: Direct Pull, Tag, and Push

This method is ideal for a "bastion" or "jump" host that has network access to both the public internet (specifically docker.mariadb.com) and your internal private registry.

  1. Log in to both registries. You will need a MariaDB token for the public registry and your credentials for the private one. Refer to the official documentationarrow-up-right.

  2. Pull the required image. Pull the official MariaDB Enterprise Kubernetes Operator image from its public registry.

  3. Tag the image for your private registry. Create a new tag for the image that points to your private registry's URL and desired repository path.

  4. Push the re-tagged image. Push the newly tagged image to your private registry.

hashtag
Option 2: Using a Proxy or Caching Registry

Many modern container registries can be configured to function as a pull-through cache or proxy for public registries. When an internal client requests an image, your registry pulls it from the public source, stores a local copy, and then serves it. This automates the process after initial setup.

You can use Harborarrow-up-right as a pull-through cache (Harbor calls this Replication Rules).

hashtag
Option 3: Offline Transfer using docker save and docker push

This method is designed for fully air-gapped environments where no single machine has simultaneous access to the internet and the private registry.

hashtag
On the Internet-Connected Machine

  1. Log in and pull the image.

  2. Save the image to a tar archive. This command packages the image into a single, portable file.

    Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the internet-connected machine to your isolated systems.

hashtag
On the Machine with Private Registry Access

  1. Load the image from the archive.

  2. Log in to your private registry.

  3. Tag the loaded image. The image loaded from the tar file will retain its original tag. You must re-tag it for your private registry.

  4. Push the image to your private registry.

hashtag
Option 4: For OpenShift, you can use OpenShift Disconnected Installation Mirroring

Refer to the official Red Hat documentationarrow-up-right

hashtag
Option 5: Offline Transfer for containerd Environments

This method is for air-gapped environments that use containerd as the container runtime (common in Kubernetes) and do not have the Docker daemon. It uses the ctr command-line tool to import, tag, and push images. ⚙️

hashtag
1. On the Bastion Host (with Internet)

First, on a machine with internet access, you'll pull the images and export them to portable archive files.

  1. Pull the Container Image Use the ctr image pull command to download the required image from its public registry.

    Note: If your bastion host uses Docker, you can use docker pull instead as we did in Option 3.

  2. Export the Image to an Archive Next, export the pulled image to a .tar file using ctr image export. The format is ctr image export <output-filename> <image-name>.

    Note: To find the exact image name as containerd sees it, run ctr image ls. The Docker equivalent for this step is docker save <image-name> -o <output-filename>.

Repeat this process for all the container images you need to transfer.

hashtag
2. Transfer the Archives

Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the bastion host to your isolated systems.

hashtag
3. On the Isolated Host

Finally, on the isolated system, you will import the archives into containerd. Official Docsarrow-up-right

  1. Importing for Kubernetes (Important!) ⚙️ If the images need to be available to Kubernetes, you must import them into the k8s.io namespace by adding the -n=k8s.io flag.

  2. Verify the Image Check that containerd recognizes the newly imported image.

    You can also verify that the Container Runtime Interface (CRI) sees it by running:

hashtag
Important Note

The examples above use the mariadb-enterprise-operator:25.8.0 image. You must repeat the chosen process for all required container images. A complete list is available here

hashtag
Additional Resources

This page is: Copyright © 2025 MariaDB. All rights reserved.

spinner
PreviousCustomer access to docker.mariadb.comNextInstallation

Last updated

Was this helpful?