# Deploying from a Container Registry

Treza Enclaves support deploying any publicly accessible Docker image directly from a container registry such as Docker Hub, GitHub Container Registry (GHCR), or any other OCI-compliant public registry. This is the fastest way to get an enclave running — no build step, no credentials, just an image URI.

***

### How It Works

```
Public Container Registry
(Docker Hub, GHCR, etc.)
          │
          ▼
    Treza Platform
    (image URI passed to provider)
          │
          ▼
    Treza Enclave
    (image pulled and deployed into isolated enclave)
```

#### Step-by-step

1. **Name your enclave** — Give it a name and optional description.
2. **Select Container Registry** as the deployment source.
3. **Enter your image URI** — Provide the full image reference, e.g. `nginx:alpine` or `ghcr.io/my-org/my-image:latest`.
4. **Configure your enclave** — Set the provider region and any other settings.
5. **Deploy** — Treza provisions your enclave and pulls the image directly from the registry at deployment time. No pre-build step is required.

***

### Image URI Format

| Format                         | Example                                    | Notes                              |
| ------------------------------ | ------------------------------------------ | ---------------------------------- |
| `image`                        | `hello-world`                              | Pulls `latest` from Docker Hub     |
| `image:tag`                    | `nginx:alpine`                             | Specific tag from Docker Hub       |
| `registry/image:tag`           | `ghcr.io/my-org/app:v1.2.0`                | Fully qualified registry reference |
| `registry/namespace/image:tag` | `registry.example.com/team/service:stable` | Custom registry with namespace     |

> **Note:** The image must be publicly accessible. For private registries that require authentication, see Deploying from a Private Registry.
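
The table's defaulting rules, written out as an added example (not Treza's own code): it follows Docker's reference conventions to expand a URI into registry, repository and tag, and flags tags that publishers commonly re-point. The `FLOATING_TAGS` set and the function name are assumptions of the example; the `@sha256:` digest form goes beyond the table, and the page does not say whether Treza accepts it.

```python
import re

DEFAULT_REGISTRY = "docker.io"  # page: default when no registry prefix is given
DEFAULT_TAG = "latest"          # page: a bare `image` pulls `latest`
# Tags that publishers commonly re-point (assumed list for this example).
FLOATING_TAGS = {"latest", "stable", "edge", "main", "master"}
_TAG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")
_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def normalize(ref: str) -> dict:
    """Expand an image URI into registry, repository, tag and digest."""
    if not ref or any(c.isspace() for c in ref):
        raise ValueError("empty reference or embedded whitespace")
    name, _, digest = ref.partition("@")
    if "@" in ref and not _DIGEST.fullmatch(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    # A ':' after the last '/' starts the tag; an earlier one is a registry port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
        if not _TAG.fullmatch(tag):
            raise ValueError(f"malformed tag: {tag!r}")
    head, slash, rest = name.partition("/")
    # Docker's rule: the first component is a registry host only if it
    # contains '.' or ':' or is exactly 'localhost'.
    if slash and ("." in head or ":" in head or head == "localhost"):
        registry, repo = head, rest
    else:
        registry, repo = DEFAULT_REGISTRY, name
    if not repo or repo != repo.lower():
        raise ValueError("repository must be non-empty and lowercase")
    if registry == DEFAULT_REGISTRY and "/" not in repo:
        repo = "library/" + repo  # Docker Hub official images live here
    if tag is None and not digest:
        tag = DEFAULT_TAG
    return {"registry": registry, "repository": repo, "tag": tag,
            "digest": digest or None,
            "floating": not digest and tag in FLOATING_TAGS}


if __name__ == "__main__":
    for example in ("hello-world", "nginx:alpine", "ghcr.io/my-org/app:v1.2.0",
                    "registry.example.com/team/service:stable"):
        print(example, "->", normalize(example))
```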

***

### Supported Registries

Any OCI-compliant public registry is supported, including:

* **Docker Hub** — `docker.io` (default when no registry prefix is specified)
* **GitHub Container Registry** — `ghcr.io`
* **Google Container Registry** — `gcr.io`
* **Amazon ECR Public** — `public.ecr.aws`
* **Quay.io** — `quay.io`
* Any self-hosted public OCI registry

***

### Enclave Statuses

| Status           | Description                                                               |
| ---------------- | ------------------------------------------------------------------------- |
| `PENDING_DEPLOY` | Deployment has been queued                                                |
| `DEPLOYING`      | Enclave infrastructure is being provisioned and the image is being pulled |
| `DEPLOYED`       | Enclave is live and running                                               |
| `FAILED`         | Deployment encountered an error — check the **Infrastructure** log tab    |

***

### Using the CLI

```bash
treza enclave create \
  --name my-enclave \
  --provider aws-nitro \
  --source-type registry \
  --image nginx:alpine
```

For interactive prompts, omit the flags:

```bash
treza enclave create
```

***

### Finding Images

You can search Docker Hub directly from the Treza platform when entering your image URI. Start typing an image name and select from the results, or enter any fully qualified URI manually.

Popular images to get started:

| Image              | Description                                   |
| ------------------ | --------------------------------------------- |
| `hello-world`      | Minimal test image to verify the enclave runs |
| `nginx:alpine`     | Lightweight web server                        |
| `node:20-alpine`   | Node.js runtime                               |
| `python:3.12-slim` | Python runtime                                |

***

### Security

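* Images are pulled at deployment time from the public registry. The image digest is locked and recorded at the time of deployment. A tag such as `latest` can be re-pointed by its publisher, so the recorded digest, not the tag, identifies what was deployed.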
* Once inside the enclave, the image runs in a hardware-isolated environment (AWS Nitro Enclaves) with no persistent external network access unless explicitly configured.
* Attestation PCR values reflect the exact image that was deployed, allowing any third party to independently verify the enclave workload.

***

### Troubleshooting

#### Deployment failed: image not found

Verify the image URI is correct and the image is publicly accessible. Try pulling it locally first:

```bash
docker pull nginx:alpine
```

If the pull succeeds locally but the enclave deployment fails, the image may require authentication (a local pull can succeed because your Docker client is logged in to the registry) — use Private Registry deployment instead.

#### Deployment failed: unsupported architecture

Ensure the image supports the `linux/amd64` architecture. Some images are only built for `arm64`. Check the **OS/Arch** values listed for the tag on the image's Docker Hub page.

***

### Related

* Deploying from a GitHub Repository
* Deploying from a Private Registry
* Enclave Lifecycle
* Enclave Logs
