Registries, tags & sharing images
push, pull, and how tags work.
A registry is where images live so others (and other machines) can pull them. Docker Hub is the default public registry, which is why docker run nginx just works — it pulls from there. To share an image you built, you tag it with a destination and push it. Pulling and pushing are the two verbs, and a login sits in front of anything private.
$ docker login registry.internal # authenticate once$ docker tag payments-api:1.0 registry.internal/team/payments-api:1.0$ docker push registry.internal/team/payments-api:1.0$ docker pull registry.internal/team/payments-api:1.0 # from any machine
How a tag is put together
A full image reference is [registry/][namespace/]name:tag. Leave the registry off and Docker assumes docker.io; leave the namespace off for official images and it assumes library. So nginx is really docker.io/library/nginx:latest spelled short. To push somewhere specific you include the registry host in the tag, which is what the tag command above does.
Private registries
Organizations usually run a private registry for internal images — a self-hosted registry, a cloud one, or the registry built into GitLab. It keeps proprietary images off public infrastructure, lets you enforce access control, and can act as a pull-through cache so a Docker Hub outage or rate limit does not stop your builds. Pulling and pushing work the same; you just log in and use the registry’s hostname in the tag.