diff --git a/roles/run-buildset-registry/README.rst b/roles/run-buildset-registry/README.rst index bcd26de26..2133cdafa 100644 --- a/roles/run-buildset-registry/README.rst +++ b/roles/run-buildset-registry/README.rst @@ -2,7 +2,10 @@ Runs a docker registry for the use of this buildset. This may be used for a single job running on a single node, or it may be used at the root of a job graph so that multiple jobs running for a -single change can share the registry. +single change can share the registry. Two registry endpoints are +provided -- one is a read-only endpoint which acts as a pull-through +proxy and serves upstream images as well as those which are pushed to +the registry. The second is intended only for pushing images. **Role Variables** @@ -25,6 +28,14 @@ single change can share the registry. The port on which the registry is listening. + .. zuul:rolevar:: push_host + + The host (IP address) to use when pushing images to the registry. + + .. zuul:rolevar:: push_port + + The port to use when pushing images to the registry. + .. zuul:rolevar:: username The username used to access the registry via HTTP basic auth. diff --git a/roles/run-buildset-registry/tasks/main.yaml b/roles/run-buildset-registry/tasks/main.yaml index f4cf4fdd4..fffe2cdff 100644 --- a/roles/run-buildset-registry/tasks/main.yaml +++ b/roles/run-buildset-registry/tasks/main.yaml @@ -59,9 +59,9 @@ - name: Decode TLS certificate set_fact: certificate: "{{ certificate.content | b64decode }}" -- name: Start a docker registry +- name: Start a docker proxy docker_container: - name: buildset_registry + name: buildset_proxy image: registry:2 state: started restart_policy: always 
@@ -80,11 +80,31 @@
 - "{{ buildset_registry_root}}/data:/var/lib/registry"
 - "{{ buildset_registry_root}}/certs:/certs"
 - "{{ buildset_registry_root}}/auth:/auth"
+- name: Start a docker registry
+ docker_container:
+ name: buildset_registry
+ image: registry:2
+ state: started
+ restart_policy: always
+ ports:
+ - "5001:5000"
+ env:
+ REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
+ REGISTRY_HTTP_TLS_KEY: /certs/domain.key
+ REGISTRY_AUTH: htpasswd
+ REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
+ REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
+ volumes:
+ - "{{ buildset_registry_root}}/data:/var/lib/registry"
+ - "{{ buildset_registry_root}}/certs:/certs"
+ - "{{ buildset_registry_root}}/auth:/auth"
 - name: Set registry information fact
 set_fact:
 buildset_registry:
 host: "{{ ansible_host }}"
 port: 5000
+ push_host: "{{ ansible_host }}"
+ push_port: 5001
 username: zuul
 password: "{{ registry_password }}"
 cert: "{{ certificate }}"
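Review bot: The new `buildset_registry` container mounts the same `{{ buildset_registry_root}}/auth:/auth` htpasswd file as the proxy, so the single `zuul` / `registry_password` credential published in the `buildset_registry` fact authorizes pushes on 5001 as well as pulls on 5000, and the read-only/push split described in the README is enforced by port number only. Jobs that only consume images would be better served by a pull-only credential, with the push container given its own htpasswd file (for example a separate mount such as `- "{{ buildset_registry_root}}/auth-push:/auth"`, path illustrative) and the push credential returned only to jobs that build images. `"5001:5000"` also publishes the write endpoint on every host interface, so it is worth confirming that the node's firewall limits it to the buildset's nodes. The proxy container's env and the end of the set_fact task lie outside this hunk, so how the proxy is made read-only is inferred from the README rather than visible here.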