Container Images for IBM Z and LinuxONE

Please see the Container News section below (December 16) for a message about log4j vunlerabilities.

This is a channel of open source container images available for use, free of charge, that can be pulled and managed through the common graphical and command line interfaces that support containerized workloads.

These images run in both the Linux, and zCX environments of z/OS on IBM Z. All of these images are OCI-compliant, and built for deployment in a local environment. If you are looking for Kubernetes or OpenShift enabled container images, you can visit the IBM cloud or Red Hat Marketplace and search for IBM Z.

Several steps have been taken to ensure the veracity of these container images:

  • The images are built from source - they are not assembled from images hosted at other registries.
  • Build tests from the originating project are run when the container image is built.
  • Container images are scanned for known vulnerabilities and the reports are provided at the image's associated web page.
  • The hash for each container image is published. This helps users avoid pulling an unintended version of a particular image.

Terms of Use

IBM Open Source Container Image Agreement

These container images are third party offerings made available through this registry as a convenience to Client.  Each of these third party  offerings are "Separately Licensed Code" (or "non-IBM Product(s)" under IBM's Customer Relationship Agreement and Cloud Services Agreement) made available by the third party to Client under the terms of the applicable third party license agreement(s), and not any agreement Client may have with IBM.   Client may proceed with downloading the container images if such third-party license terms are acceptable.  If these third-party terms are not acceptable, Client may not download or otherwise use or execute the container images.

IBM support of the container images is available only through a separate open source service and support contract.  A vulnerability report prepared as a result of a static code analysis may be included in the image posting. No other analysis, certification, testing or verification has been or will be performed by IBM on the images included in the container.

 NOTE:  With respect to the Separately Licensed Code and any analysis of the code provided by IBM: (a) IBM provides it to Client   WITHOUT WARRANTIES OF ANY KIND AND DISCLAIMS ANY AND ALL EXPRESS AND IMPLIED WARRANTIES AND CONDITIONS INCLUDING, BUT NOT LIMITED TO, THE WARRANTY OF TITLE, NON-INFRINGEMENT OR NON-INTERFERENCE, AND THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE; and (b) IBM is not liable for any direct, indirect, incidental, special, exemplary, punitive or consequential damages including, but not limited to, lost data, lost savings, and lost profits.

IBM Open Source Container Image Agreement (February 2021)

By checking the "I Agree" box and clicking the "Proceed ..." button below, you agree that (1) you have had the opportunity to review the agreement and (2) you agree to be bound by its terms. If you disagree, do not proceed.

Getting Started

This collection of container images is hosted at the IBM Cloud Container Registry ( An IBM Cloud ID is required to pull images from the registry. Any type of IBM Cloud ID will work, including "lite" IDs with no associated cost. If you don't have an ID already, please visit and create one.

You are welcome to browse the set of available images here without an IBM Cloud ID, but the ID is required at docker/podman login time.

User credentials

All container image registries require users log in, and as mentioned above, ICR requires an IBM Cloud ID. IBM Cloud makes extensive use of keys and passphrases for user authentication. You can manage your identity keys from the IBM Cloud web site using the Manage pulldown to navigate to the Access (IAM) interface. From there, choose API keys, and then Create an IBM Cloud API key. You should see a window for naming and describing your access key.

Once you enter a name and description, the IBM Cloud will generate the key, and give you 5 minutes to download the file (named apikey.json), or cut/paste the text of the key to a file of your choice. Save this file to a safe place and give it a useful name. Should you ever lose it, use the API keys interface to delete it and define a new one to remain secure. This key is alone is what identifies you to ICR.

The contents of the key file looks like this:

    "name": "Sample IAMAPIKEY",
    "description": "A sample IBM Cloud API key",
    "createdAt": "2021-02-08T20:01+0000",
    "apikey": "B08t7_qWo60P123456789IXybgvgGqAty8ULka8ZnMAT"



The apikey text highlighted in blue above is the key string needed for authenticating to ICR.

The IBMCLOUD Command Line Interfaces

The IBM Cloud has a command line interface (CLI) that provides many of the same functions that can be found on the web. If you are familiar with the ibmcloud CLI, feel free to use it. It is not required to use the ICR registry from a container CLI like Docker or Podman, and we will not be using it in any of our best practices.

Pulling an Image From the ibmz Namespace at ICR

Once you have your IAMAPIKEY credentials created, you're ready to log in to ICR and pull images. The process is effectively the same as for any other registry. Simply log into the ICR global region at, with a user name of iamapikey. When ICR sees this userid, it will expect to receive an apikey for your IBM cloud userid at the password prompt. If you have multiple keys generated for your userid, any of them should work.

After logging in to ICR, simply pull the image using the fully qualified path to the image you want. We recommend using the pull string provided in the details page for the specific image of interest. Note that while it is possible to pull an image by name and version (tag), we recommend using the full sha256 hash for the image digest to be sure you get exactly the image you request.

Here is an example login and pull command:

> docker login -u iamapikey
Password:             <-Paste the text of your apikey here
Login Succeeded

> docker pull
sha256:4419e017475e4082f8a03574f2b74195a689650c3f1ed8962874783e3dd4bf4a: Pulling from ibmz/kafka
d777bd6e5a8d: Already exists 
c2fc12e4949d: Already exists 
a15ab9f4a460: Already exists 
cd76eb949805: Pull complete 
Digest: sha256:4419e017475e4082f8a03574f2b74195a689650c3f1ed8962874783e3dd4bf4a
Status: Downloaded newer image for


Once you have the image pulled to your environment, you are free to use it as documented.

Be in Touch

To request a new image for the registry, or report a problem, please open an issue at

Container News

May 27, 2022

December 16, 2021

October 29, 2021

March 2, 2021