# Managed Images

The Managed Image Registry enables containerization of the dependencies for a given model. Docker images that contain the dependencies for models can be swapped to match the requirements of the model being used.

Manaed Images created in a workspace are not bound to that workspace and are available to all other workspaces on the same RIME instance.

Managed Images can be created by any user account. Managed Images can only be deleted by user accounts with the Organization Administrator [role](userroles.md).

RIME provides a set of base images that are built to address a given set of use cases. Users can build a managed image from a base image.

The Managed Image Registry operates on [AWS ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html).

*NOTE*: as of version 0.13.0, the Managed Images feature is enabled by default in our Terraform module.

Configuration for this feature uses the `image_registry_config` of the `rime` Terraform module:

```
module "rime" {
  ...
  image_registry_config = {
    enable                       = true
    allow_external_custom_images = true
    repository_prefix            = ""
  }
  ...
}
```

The value of the `repository_prefix` variable specifies a string that identifies repositories that are managed by the Managed Image Registry. Repositories without the string specified by `repository_prefix` are not acted upon by the Managed Image Registry.


## ECR permissions for the Managed Image Registry

Permissions for Managed Images can be applied automatically by a user with the Organziation administrator [role](userroles.md) when applying the RIME Terraform module.

```
ecr:CreateRepository
ecr:DeleteRepository
ecr:DescribeImages
ecr:PutLifecyclePolicy
ecr:ListImages
```

These permissions enable the registry server to create and modify repositories with names containing the string specified in `repository_prefix`. Additionally, the registry server requires `ecr:GetAuthorizationToken` for all resources in order to authorize itself.

Jobs executed by the registry server use the following permissions to build new images:

```
ecr:BatchGetImage
ecr:BatchCheckLayerAvailability
ecr:CompleteLayerUpload
ecr:GetDownloadUrlForLayer
ecr:InitiateLayerUpload
ecr:PutImage
ecr:UploadLayerPart
```

These permissions enable these jobs to pull and push new images to the repositories created with prefix `repository_prefix`. These jobs also require the `ecr:GetAuthorizationToken` permission for all resources in order to authorize themeselves.

## Managed Image management 

The [RIME Python SDK](../python_library/python-sdk.rst) provides calls for creating, altering, and deleting Managed Images.

### Creating a Managed Image

Create a new Managed Image with the <a href="../python_library/python-sdk.html#rime_sdk.Client.create_managed_image">`Client.create_managed_image()`</a> call in the RIME SDK. To use a base image, specify values for the `image_type` and `python_version` parameters.

### Deleting a Managed Image

1.  Sign in to a user account that has administrative privileges for an RI
    Platform instance.  
    >   The Workspaces page appears.
2.  Select a workspace.
    >   The Workspace summary page appears.
3.  Click the *Settings* icon in the lower left corner.
    >   The Workspace page appears.
4.  Click *Managed Images*.
    >   The Managed Images pane appears.
5.  From the three-dot menu at the right of a Managed Image, click *Remove*.
    >   A confirmation dialog box appears.
6.  Click *Remove image*.

The Managed Image is removed from the RIME instance.

<!-- Stubbed out, content moved to mimgoverview.md -->