Docker Images

Certified images

All the Docker images used by this operator are based on Red Hat UBI and have been certified by Red Hat. The advantages of using UBI based images are:

• Immutability: UBI images are built to be secure and stable, reducing the risk of unintended changes or vulnerabilities due to mutable base layers.

• Small size: The UBI and variants used by this operator are designed to be lightweight, containing only the essential packages. This can lead to smaller container image sizes, resulting in faster build times, reduced storage requirements, and quicker image pulls.

• Security and compliance: Regular CVE scanning and vulnerability patching help maintain compliance with industry standards and security best practices.

• Enterprise-grade support: UBI images are maintained and supported by Red Hat, ensuring timely security updates and long-term stability.

List of compatible images

MariaDB Enterprise Kubernetes Operator is compatible with the following Docker images:

Refer to the registry documentation to .

MariaDB Enterprise Server Tiered Images.

To accommodate diverse operational requirements, the MariaDB Server container images utilize a multi-tiered strategy offering three distinct flavors: minimal and standard. The minimal tier serves as the highly secure default, providing a heavily reduced footprint tailored for automated, operator-driven environments. For broader enterprise workloads requiring additional storage engines, plugins, and in-container debugging utilities, the standard tier balances comprehensive capabilities with strict security hardening.

Hardened images

Enterprise images are specifically "hardened" to optimize security and resource efficiency. Because containers are fundamentally designed to run a single application and its required dependencies, the hardening process strips away any operating system components that are unnecessary for MariaDB to function. As a result, these hardened images contain significantly fewer binaries and files, and are strictly configured to execute as a non-root user to minimize potential attack surfaces.

The following section provides a high-level overview detailing the specific components that are retained and removed across both image tiers.

Working With Air-Gapped Environments

This section outlines several methods for pulling official MariaDB container images from docker.mariadb.com and making them available in your private container registry. This is often necessary for air-gapped, offline, or secure environments.

Option 1: Direct Pull, Tag, and Push

This method is ideal for a "bastion" or "jump" host that has network access to both the public internet (specifically docker.mariadb.com) and your internal private registry.

1. Log in to both registries. You will need a MariaDB token for the public registry and your credentials for the private one. Refer to the .

2. Pull the required image. Pull the official MariaDB Enterprise Kubernetes Operator image from its public registry.

3. Tag the image for your private registry. Create a new tag for the image that points to your private registry's URL and desired repository path.

Option 2: Using a Proxy or Caching Registry

Many modern container registries can be configured to function as a pull-through cache or proxy for public registries. When an internal client requests an image, your registry pulls it from the public source, stores a local copy, and then serves it. This automates the process after initial setup.

You can use as a pull-through cache (Harbor calls this Replication Rules).

Option 3: Offline Transfer using docker save and docker push

This method is designed for fully air-gapped environments where no single machine has simultaneous access to the internet and the private registry.

On the Internet-Connected Machine

1. Log in and pull the image.

2. Save the image to a tar archive. This command packages the image into a single, portable file.

   Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the internet-connected machine to your isolated systems.

On the Machine with Private Registry Access

1. Load the image from the archive.

2. Log in to your private registry.

3. Tag the loaded image. The image loaded from the tar file will retain its original tag. You must re-tag it for your private registry.

Option 4: For OpenShift, you can use OpenShift Disconnected Installation Mirroring

Refer to the

Option 5: Offline Transfer for containerd Environments

This method is for air-gapped environments that use containerd as the container runtime (common in Kubernetes) and do not have the Docker daemon. It uses the ctr command-line tool to import, tag, and push images. ⚙️

1. On the Bastion Host (with Internet)

First, on a machine with internet access, you'll pull the images and export them to portable archive files.

1. Pull the Container Image Use the ctr image pull command to download the required image from its public registry.

   Note: If your bastion host uses Docker, you can use docker pull instead as we did in Option 3.

2. Export the Image to an Archive Next, export the pulled image to a .tar file using ctr image export

Repeat this process for all the container images you need to transfer.

2. Transfer the Archives

Use a tool like scp or sftp or a USB drive to copy the generated .tar archives from the bastion host to your isolated systems.

3. On the Isolated Host

Finally, on the isolated system, you will import the archives into containerd.

1. Importing for Kubernetes (Important!) ⚙️ If the images need to be available to Kubernetes, you must import them into the k8s.io namespace by adding the -n=k8s.io flag.

2. Verify the Image Check that containerd recognizes the newly imported image.

   You can also verify that the Container Runtime Interface (CRI) sees it by running:

Important Note

The examples above use the mariadb-enterprise-operator:25.8.0 image. You must repeat the chosen process for all required container images. A complete list is available

Additional Resources

_{This page is: Copyright © 2025 MariaDB. All rights reserved.}