Skip to main content
To run watsonx Orchestrate Developer Edition, you need a collection of Docker images. The ADK provides two official sources: watsonx Orchestrate and myIBM. In some environments, such as airgapped setups, you might prefer to use a third-party or self-hosted image registry like Artifactory. In this case, copy the images from one of the official sources to your preferred registry. Then, use of the Custom Registry method to pull your images for watsonx Orchestrate Developer Edition.

Copying images to the registry

You can copy a Docker image from one registry to another using CLI tools such as Skopeo.
Note:The following examples use Skopeo to demonstrate how to copy container images. For more information about Skopeo, see Skopeo.
Keep in mind that your registry structure must match the one defined in the watsonx Orchestrate Developer Edition compose file. If that’s not possible, update the compose file to reflect your registry layout and use it to install watsonx Orchestrate Developer Edition. For example, the wdu-runtime image reference includes three parts:
  1. The registry URL: ${WDU_REGISTRY:-us.icr.io/watson-orchestrate-private}
  2. The image path: /document-processing/wdu-runtime
  3. The image tag: ${WDU_TAG:-2.4.0}
YAML
wdu-runtime:
    image: ${WDU_REGISTRY:-us.icr.io/watson-orchestrate-private}/document-processing/wdu-runtime:${WDU_TAG:-2.4.0}
When using a custon registry, the registry URL, might be different. The image path and tag should however mirror the first party source.

Authenticating against registries

To copy the images, you first need to authenticate with both the source and target registries: Source registry authentication
  • watsonx Orchestrate account
  • myIBM
1

Get the instance URL

Details on how to do this can be found here
2

Create the registry URL

To create the registry URL:
  1. Replace the https://api prefix with registry.
  2. Replace the /instances/xyz with /cp/wxo-lite.
For example, if your URL is https://api.au-syd.watson-orchestrate.cloud.ibm.com/instances/abc it would become registry.au-syd.watson-orchestrate.cloud.ibm.com/cp/wxo-lite
3

Get the registry username

Your username follows the format wxouser-<instance_id>.For example, if your instance ID is abc, then your username is wxouser-abc.
4

Get the registry password

The password is the api key for the wxo instance. Details on how to find it can be seen here
5

Login to the registry

Use your tool to authenticate to the source registry.Example using Skopeo:
BASH
skopeo login <registry_url> -u <registry_username> -p <registry_password>
Target registry authentication Use your tool to authenticate to the target registry. Example using Skopeo:
BASH
skopeo login <target_registry_url> -u <target_registry_username> -p <target_registry_password>

Copy images from source to target

After you authenticate with both registries, you can copy container images using your tool. Example using Skopeo:
BASH
skopeo copy --multi-arch all docker://<source_registry_url>/<image_path>:<image_tag> docker://<target_registry_url>/<image_path>:<image_tag> --preserve-digests
For example, to copy the wdu-runtime image from myIBM to Artifactory:
BASH
skopeo copy --multi-arch all docker://cp.icr.io/cp/wxo-lite/document-processing/wdu-runtime:2.4.0 docker://<artifactory_url>/document-processing/wdu-runtime:2.4.0 --preserve-digests
Repeat this process for each image listed in your Compose file. Make sure the tags match the version of Developer Edition you want to run:
BASH
mkdir images
cd images
orchestrate server eject -e <path_to_env_file>
mv server.env .env
docker compose \
  --profile "*" \
  config --images

cp.icr.io/cp/wxo-lite/tools-runtime:24-09-2025-a515038
docker.io/minio/mc:latest
cp.icr.io/cp/wxo-lite/wxo-server-voice:12-09-2025-0e04772
cp.icr.io/cp/wxo-lite/wxo-agent-gateway:19-10-2025-e48ad3a
docker.io/langfuse/langfuse:3
cp.icr.io/cp/wxo-lite/jaeger-proxy:23-07-2025
cp.icr.io/cp/wxo-lite/wxo-chat:22-09-2025-e35f498
quay.io/coreos/etcd:v3.5.18
cp.icr.io/cp/wxo-lite/wxo-connections:16-09-2025-e33b344
cp.icr.io/cp/wxo-lite/wxo-socket-handler:29-05-2025
cp.icr.io/cp/wxo-lite/wxo-server-db:17-09-2025-8a9aff2
cp.icr.io/cp/wxo-lite/tools-runtime-manager:16-09-2025-cb6b9df
cp.icr.io/cp/wxo-lite/agentops-backend:05-08-2025
cp.icr.io/cp/wxo-lite/document-processing/wdu-runtime:2.7.0
docker.io/redis:7.2
docker.io/minio/mc:latest
docker.io/clickhouse/clickhouse-server:latest
cp.icr.io/cp/wxo-lite/document-processing/wo_doc_processing_service:20250910-165658-290-c566031
cp.icr.io/cp/wxo-lite/document-processing/wo_doc_processing_cache:20250916-master-86-454157f
docker.io/langflowai/langflow:latest
cp.icr.io/cp/wxo-lite/wxo-builder:24-09-2025-f9b68d8
cp.icr.io/cp/wxo-lite/wxo-prompt-optimizer:25-09-2025-c31dc73
cp.icr.io/cp/wxo-lite/document-processing/wo_doc_processing_rag:20250915-main-139-7a36ad3
docker.io/minio/mc:latest
docker.elastic.co/elasticsearch/elasticsearch:8.19.0
docker.io/milvusdb/milvus:v2.5.15
cp.icr.io/cp/wxo-lite/wxo-server-conversation_controller:24-09-2025-17d7c67
cp.icr.io/cp/wxo-lite/ai-gateway:20-08-2025-9ed6d40
cp.icr.io/cp/wxo-lite/document-processing/wdu-models:2.7.0
cp.icr.io/cp/wxo-lite/wxo-server-server:24-09-2025-17d7c67
docker.io/langfuse/langfuse-worker:3
cp.icr.io/cp/wxo-lite/wxo-tempus-runtime:22-09-2025-0bd3f58
cp.icr.io/cp/wxo-lite/document-processing/wo_doc_processing_cache_rds_init:20250916-master-86-454157f
docker.io/jaegertracing/all-in-one:1.69.0
cp.icr.io/cp/wxo-lite/document-processing/wo-doc-processing-infra-standalone:20250910-214413-288-a348dfd9
docker.io/minio/minio:latest
cp.icr.io/cp/wxo-lite/document-processing/wo-doc-processing-infra-pg-init:20250910-214413-288-a348dfd9
cp.icr.io/cp/wxo-lite/wxo-connections-ui:15-09-2025-98aa9da

Open source images

watsonx Orchestrate Developer Edition also depends on several open source images. When using WO_DEVELOPER_EDITION_SOURCE=custom, the ADK looks for these images in the same REGISTRY_URL. To avoid issues, copy the open source images to your custom registry. Alternatively, set the OPENSOURCE_REGISTRY_PROXY flag to point to a public, unauthenticated registry such as docker.io. Two exceptions require special handling: To use a custom registry, either copy these images or override their registry URLs in your environment file:
.env
ETCD_REGISTRY=quay.io
ELASTICSEARCH_REGISTRY=docker.elastic.co

Configuring SSL security

For on-premises (CPD) deployments, ADK uses SSL authentication by default to connect to a registry proxy in your watsonx Orchestrate on-premises environment. You can control this behavior by setting the WO_VERIFY_SSL environment variable. Use this variable to enable or disable SSL authentication.
  • Enable with the system SSL certificate
  • Enable with a custom SSL certificate
  • Disable SSL Security
To enable SSL security using the system’s default SSL certificate, set the WO_VERIFY_SSL environment variable to True:
.env
WO_VERIFY_SSL=True
I