|
|
bce470 |
% CONTAINERS-REGISTRIES.CONF(5) System-wide registry configuration file
|
|
|
bce470 |
% Brent Baude
|
|
|
bce470 |
% Aug 2017
|
|
|
bce470 |
|
|
|
bce470 |
# NAME
|
|
|
bce470 |
containers-registries.conf - Syntax of System Registry Configuration File
|
|
|
bce470 |
|
|
|
bce470 |
# DESCRIPTION
|
|
|
bce470 |
The CONTAINERS-REGISTRIES configuration file is a system-wide configuration
|
|
|
bce470 |
file for container image registries. The file format is TOML.
|
|
|
bce470 |
|
|
|
bce470 |
Container engines will use the `$HOME/.config/containers/registries.conf` if it exists, otherwise they will use `/etc/containers/registries.conf`
|
|
|
bce470 |
|
|
|
bce470 |
### GLOBAL SETTINGS
|
|
|
bce470 |
|
|
|
bce470 |
`unqualified-search-registries`
|
|
|
bce470 |
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
|
|
|
bce470 |
|
|
|
bce470 |
`credential-helpers`
|
|
|
bce470 |
: An array of default credential helpers used as external credential stores. Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5). The credential helpers are set to `["containers-auth.json"]` if none are specified.
|
|
|
bce470 |
|
|
|
bce470 |
### NAMESPACED `[[registry]]` SETTINGS
|
|
|
bce470 |
|
|
|
bce470 |
The bulk of the configuration is represented as an array of `[[registry]]`
|
|
|
bce470 |
TOML tables; the settings may therefore differ among different registries
|
|
|
bce470 |
as well as among different namespaces/repositories within a registry.
|
|
|
bce470 |
|
|
|
bce470 |
#### Choosing a `[[registry]]` TOML table
|
|
|
bce470 |
|
|
|
bce470 |
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
|
|
|
bce470 |
|
|
|
bce470 |
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
|
|
|
bce470 |
- _host_[`:`_port_]
|
|
|
bce470 |
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
|
|
|
bce470 |
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
|
|
|
bce470 |
- _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
|
|
|
bce470 |
- [`*.`]_host_
|
|
|
bce470 |
|
|
|
bce470 |
The user-specified image name must start with the specified `prefix` (and continue
|
|
|
bce470 |
with the appropriate separator) for a particular `[[registry]]` TOML table to be
|
|
|
bce470 |
considered; (only) the TOML table with the longest match is used. It can
|
|
|
bce470 |
also include wildcarded subdomains in the format `*.example.com`.
|
|
|
bce470 |
The wildcard should only be present at the beginning as shown in the formats
|
|
|
bce470 |
above. Other cases will not work. For example, `*.example.com` is valid but
|
|
|
bce470 |
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
|
|
|
bce470 |
|
|
|
bce470 |
As a special case, the `prefix` field can be missing; if so, it defaults to the value
|
|
|
bce470 |
of the `location` field (described below).
|
|
|
bce470 |
|
|
|
bce470 |
#### Per-namespace settings
|
|
|
bce470 |
|
|
|
bce470 |
`insecure`
|
|
|
bce470 |
: `true` or `false`.
|
|
|
bce470 |
By default, container runtimes require TLS when retrieving images from a registry.
|
|
|
bce470 |
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
|
|
|
bce470 |
certificates are allowed.
|
|
|
bce470 |
|
|
|
bce470 |
`blocked`
|
|
|
bce470 |
: `true` or `false`.
|
|
|
bce470 |
If `true`, pulling images with matching names is forbidden.
|
|
|
bce470 |
|
|
|
bce470 |
#### Remapping and mirroring registries
|
|
|
bce470 |
|
|
|
bce470 |
The user-specified image reference is, primarily, a "logical" image name, always used for naming
|
|
|
bce470 |
the image. By default, the image reference also directly specifies the registry and repository
|
|
|
bce470 |
to use, but the following options can be used to redirect the underlying accesses
|
|
|
bce470 |
to different registry servers or locations (e.g. to support configurations with no access to the
|
|
|
bce470 |
internet without having to change `Dockerfile`s, or to add redundancy).
|
|
|
bce470 |
|
|
|
bce470 |
`location`
|
|
|
bce470 |
: Accepts the same format as the `prefix` field, and specifies the physical location
|
|
|
bce470 |
of the `prefix`-rooted namespace.
|
|
|
bce470 |
|
|
|
bce470 |
By default, this equal to `prefix` (in which case `prefix` can be omitted and the
|
|
|
bce470 |
`[[registry]]` TOML table can only specify `location`).
|
|
|
bce470 |
|
|
|
bce470 |
Example: Given
|
|
|
bce470 |
```
|
|
|
bce470 |
prefix = "example.com/foo"
|
|
|
bce470 |
location = "internal-registry-for-example.net/bar"
|
|
|
bce470 |
```
|
|
|
bce470 |
requests for the image `example.com/foo/myimage:latest` will actually work with the
|
|
|
bce470 |
`internal-registry-for-example.net/bar/myimage:latest` image.
|
|
|
bce470 |
|
|
|
bce470 |
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
|
|
|
bce470 |
the location can be empty. In such a case,
|
|
|
bce470 |
prefix matching will occur, but no reference rewrite will occur. The
|
|
|
bce470 |
original requested image string will be used as-is. But other settings like
|
|
|
bce470 |
`insecure` / `blocked` / `mirrors` will be applied to matching images.
|
|
|
bce470 |
|
|
|
bce470 |
Example: Given
|
|
|
bce470 |
```
|
|
|
bce470 |
prefix = "*.example.com"
|
|
|
bce470 |
```
|
|
|
bce470 |
requests for the image `blah.example.com/foo/myimage:latest` will be used
|
|
|
bce470 |
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
|
|
|
bce470 |
|
|
|
bce470 |
`mirror`
|
|
|
bce470 |
: An array of TOML tables specifying (possibly-partial) mirrors for the
|
|
|
bce470 |
`prefix`-rooted namespace.
|
|
|
bce470 |
|
|
|
bce470 |
The mirrors are attempted in the specified order; the first one that can be
|
|
|
bce470 |
contacted and contains the image will be used (and if none of the mirrors contains the image,
|
|
|
bce470 |
the primary location specified by the `registry.location` field, or using the unmodified
|
|
|
bce470 |
user-specified reference, is tried last).
|
|
|
bce470 |
|
|
|
bce470 |
Each TOML table in the `mirror` array can contain the following fields, with the same semantics
|
|
|
bce470 |
as if specified in the `[[registry]]` TOML table directly:
|
|
|
bce470 |
- `location`
|
|
|
bce470 |
- `insecure`
|
|
|
bce470 |
|
|
|
bce470 |
`mirror-by-digest-only`
|
|
|
bce470 |
: `true` or `false`.
|
|
|
bce470 |
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
|
|
|
bce470 |
Referencing an image by digest ensures that the same is always used
|
|
|
bce470 |
(whereas referencing an image by a tag may cause different registries to return
|
|
|
bce470 |
different images if the tag mapping is out of sync).
|
|
|
bce470 |
|
|
|
bce470 |
Note that if this is `true`, images referenced by a tag will only use the primary
|
|
|
bce470 |
registry, failing if that registry is not accessible.
|
|
|
bce470 |
|
|
|
bce470 |
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
|
|
|
bce470 |
to a registry; that may change in the future.
|
|
|
bce470 |
|
|
|
bce470 |
#### Short-Name Aliasing
|
|
|
bce470 |
The use of unqualified-search registries entails an ambiguity as it is
|
|
|
bce470 |
unclear from which registry a given image, referenced by a short name,
|
|
|
bce470 |
may be pulled from.
|
|
|
bce470 |
|
|
|
bce470 |
As mentioned in the note at the end of this man page, using short names is
|
|
|
bce470 |
subject to the risk of hitting squatted registry namespaces. If the
|
|
|
bce470 |
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
|
|
|
bce470 |
an attacker may take over a namespace of registry1.com such that an image may
|
|
|
bce470 |
be pulled from registry1.com instead of the intended source registry2.com.
|
|
|
bce470 |
|
|
|
bce470 |
While it is highly recommended to always use fully-qualified image references,
|
|
|
bce470 |
existing deployments using short names may not be easily changed. To
|
|
|
bce470 |
circumvent the aforementioned ambiguity, so called short-name aliases can be
|
|
|
bce470 |
configured that point to a fully-qualified image
|
|
|
bce470 |
reference.
|
|
|
bce470 |
|
|
|
bce470 |
Short-name aliases can be configured in the `[aliases]` table in the form of
|
|
|
bce470 |
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
|
|
|
bce470 |
and the right-hand `value` being the fully-qualified image reference (e.g.,
|
|
|
bce470 |
"registry.com/namespace/image"). Note that neither "name" nor "value" can
|
|
|
bce470 |
include a tag or digest. Moreover, "name" must be a short name and hence
|
|
|
bce470 |
cannot include a registry domain or refer to localhost.
|
|
|
bce470 |
|
|
|
bce470 |
When pulling a short name, the configured aliases table will be used for
|
|
|
bce470 |
resolving the short name. If a matching alias is found, it will be used
|
|
|
bce470 |
without further consulting the unqualified-search registries list. If no
|
|
|
bce470 |
matching alias is found, the behavior can be controlled via the
|
|
|
bce470 |
`short-name-mode` option as described below.
|
|
|
bce470 |
|
|
|
bce470 |
Note that tags and digests are stripped off a user-specified short name for
|
|
|
bce470 |
alias resolution. Hence, "image", "image:tag" and "image@digest" all resolve
|
|
|
bce470 |
to the same alias (i.e., "image"). Stripped off tags and digests are later
|
|
|
bce470 |
appended to the resolved alias.
|
|
|
bce470 |
|
|
|
bce470 |
Further note that drop-in configuration files (see containers-registries.conf.d(5))
|
|
|
bce470 |
can override aliases in the specific loading order of the files. If the "value" of
|
|
|
bce470 |
an alias is empty (i.e., ""), the alias will be erased. However, a given
|
|
|
bce470 |
"name" may only be specified once in a single config file.
|
|
|
bce470 |
|
|
|
bce470 |
|
|
|
bce470 |
#### Short-Name Aliasing: Modes
|
|
|
bce470 |
|
|
|
bce470 |
The `short-name-mode` option supports three modes to control the behaviour of
|
|
|
bce470 |
short-name resolution.
|
|
|
bce470 |
|
|
|
bce470 |
* `enforcing`: If only one unqualified-search registry is set, use it as there
|
|
|
bce470 |
is no ambiguity. If there is more than one registry and the user program is
|
|
|
bce470 |
running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
|
|
|
bce470 |
select one of the specified search registries. If the program is not running
|
|
|
bce470 |
in a terminal, the ambiguity cannot be resolved which will lead to an error.
|
|
|
bce470 |
|
|
|
bce470 |
* `permissive`: Behaves as enforcing but does not lead to an error if the
|
|
|
bce470 |
program is not running in a terminal. Instead, fallback to using all
|
|
|
bce470 |
unqualified-search registries.
|
|
|
bce470 |
|
|
|
bce470 |
* `disabled`: Use all unqualified-search registries without prompting.
|
|
|
bce470 |
|
|
|
bce470 |
If `short-name-mode` is not specified at all or left empty, default to the
|
|
|
bce470 |
`permissive` mode. If the user-specified short name was not aliased already,
|
|
|
bce470 |
the `enforcing` and `permissive` mode if prompted, will record a new alias
|
|
|
bce470 |
after a successful pull. Note that the recorded alias will be written to
|
|
|
bce470 |
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
|
|
|
bce470 |
separation between possibly human-edited registries.conf files and the
|
|
|
bce470 |
machine-generated `short-name-aliases-conf`. Note that `$HOME/.cache` is used
|
|
|
bce470 |
for rootless users. If an alias is specified in a
|
|
|
bce470 |
`registries.conf` file and also the machine-generated
|
|
|
bce470 |
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
|
|
|
bce470 |
|
|
|
bce470 |
#### Normalization of docker.io references
|
|
|
bce470 |
|
|
|
bce470 |
The Docker Hub `docker.io` is handled in a special way: every push and pull
|
|
|
bce470 |
operation gets internally normalized with `/library` if no other specific
|
|
|
bce470 |
namespace is defined (for example on `docker.io/namespace/image`).
|
|
|
bce470 |
|
|
|
bce470 |
(Note that the above-described normalization happens to match the behavior of
|
|
|
bce470 |
Docker.)
|
|
|
bce470 |
|
|
|
bce470 |
This means that a pull of `docker.io/alpine` will be internally translated to
|
|
|
bce470 |
`docker.io/library/alpine`. A pull of `docker.io/user/alpine` will not be
|
|
|
bce470 |
rewritten because this is already the correct remote path.
|
|
|
bce470 |
|
|
|
bce470 |
Therefore, to remap or mirror the `docker.io` images in the (implied) `/library`
|
|
|
bce470 |
namespace (or that whole namespace), the prefix and location fields in this
|
|
|
bce470 |
configuration file must explicitly include that `/library` namespace. For
|
|
|
bce470 |
example `prefix = "docker.io/library/alpine"` and not `prefix =
|
|
|
bce470 |
"docker.io/alpine"`. The latter would match the `docker.io/alpine/*`
|
|
|
bce470 |
repositories but not the `docker.io/[library/]alpine` image).
|
|
|
bce470 |
|
|
|
bce470 |
### EXAMPLE
|
|
|
bce470 |
|
|
|
bce470 |
```
|
|
|
bce470 |
unqualified-search-registries = ["example.com"]
|
|
|
bce470 |
|
|
|
bce470 |
[[registry]]
|
|
|
bce470 |
prefix = "example.com/foo"
|
|
|
bce470 |
insecure = false
|
|
|
bce470 |
blocked = false
|
|
|
bce470 |
location = "internal-registry-for-example.com/bar"
|
|
|
bce470 |
|
|
|
bce470 |
[[registry.mirror]]
|
|
|
bce470 |
location = "example-mirror-0.local/mirror-for-foo"
|
|
|
bce470 |
|
|
|
bce470 |
[[registry.mirror]]
|
|
|
bce470 |
location = "example-mirror-1.local/mirrors/foo"
|
|
|
bce470 |
insecure = true
|
|
|
bce470 |
```
|
|
|
bce470 |
Given the above, a pull of `example.com/foo/image:latest` will try:
|
|
|
bce470 |
1. `example-mirror-0.local/mirror-for-foo/image:latest`
|
|
|
bce470 |
2. `example-mirror-1.local/mirrors/foo/image:latest`
|
|
|
bce470 |
3. `internal-registry-for-example.net/bar/image:latest`
|
|
|
bce470 |
|
|
|
bce470 |
in order, and use the first one that exists.
|
|
|
bce470 |
|
|
|
bce470 |
## VERSION 1 FORMAT - DEPRECATED
|
|
|
bce470 |
VERSION 1 format is still supported but it does not support
|
|
|
bce470 |
using registry mirrors, longest-prefix matches, or location rewriting.
|
|
|
bce470 |
|
|
|
bce470 |
The TOML format is used to build a simple list of registries under three
|
|
|
bce470 |
categories: `registries.search`, `registries.insecure`, and `registries.block`.
|
|
|
bce470 |
You can list multiple registries using a comma separated list.
|
|
|
bce470 |
|
|
|
bce470 |
Search registries are used when the caller of a container runtime does not fully specify the
|
|
|
bce470 |
container image that they want to execute. These registries are prepended onto the front
|
|
|
bce470 |
of the specified container image until the named image is found at a registry.
|
|
|
bce470 |
|
|
|
bce470 |
Note that insecure registries can be used for any registry, not just the registries listed
|
|
|
bce470 |
under search.
|
|
|
bce470 |
|
|
|
bce470 |
The `registries.insecure` and `registries.block` lists have the same meaning as the
|
|
|
bce470 |
`insecure` and `blocked` fields in the current version.
|
|
|
bce470 |
|
|
|
bce470 |
### EXAMPLE
|
|
|
bce470 |
The following example configuration defines two searchable registries, one
|
|
|
bce470 |
insecure registry, and two blocked registries.
|
|
|
bce470 |
|
|
|
bce470 |
```
|
|
|
bce470 |
[registries.search]
|
|
|
bce470 |
registries = ['registry1.com', 'registry2.com']
|
|
|
bce470 |
|
|
|
bce470 |
[registries.insecure]
|
|
|
bce470 |
registries = ['registry3.com']
|
|
|
bce470 |
|
|
|
bce470 |
[registries.block]
|
|
|
bce470 |
registries = ['registry.untrusted.com', 'registry.unsafe.com']
|
|
|
bce470 |
```
|
|
|
bce470 |
|
|
|
bce470 |
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
|
|
|
bce470 |
We recommend always using fully qualified image names including the registry
|
|
|
bce470 |
server (full dns name), namespace, image name, and tag
|
|
|
bce470 |
(e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
|
|
|
bce470 |
always an inherent risk that the image being pulled could be spoofed. For
|
|
|
bce470 |
example, a user wants to pull an image named `foobar` from a registry and
|
|
|
bce470 |
expects it to come from myregistry.com. If myregistry.com is not first in the
|
|
|
bce470 |
search list, an attacker could place a different `foobar` image at a registry
|
|
|
bce470 |
earlier in the search list. The user would accidentally pull and run the
|
|
|
bce470 |
attacker's image and code rather than the intended content. We recommend only
|
|
|
bce470 |
adding registries which are completely trusted, i.e. registries which don't
|
|
|
bce470 |
allow unknown or anonymous users to create accounts with arbitrary names. This
|
|
|
bce470 |
will prevent an image from being spoofed, squatted or otherwise made insecure.
|
|
|
bce470 |
If it is necessary to use one of these registries, it should be added at the
|
|
|
bce470 |
end of the list.
|
|
|
bce470 |
|
|
|
bce470 |
It is recommended to use fully-qualified images for pulling as
|
|
|
bce470 |
the destination registry is unambiguous. Pulling by digest
|
|
|
bce470 |
(i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
|
|
|
bce470 |
tags.
|
|
|
bce470 |
|
|
|
bce470 |
# SEE ALSO
|
|
|
bce470 |
containers-auth.json(5) containers-certs.d(5)
|
|
|
bce470 |
|
|
|
bce470 |
# HISTORY
|
|
|
bce470 |
Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>
|
|
|
bce470 |
|
|
|
bce470 |
Mar 2019, Added additional configuration format by Sascha Grunert <sgrunert@suse.com>
|
|
|
bce470 |
|
|
|
bce470 |
Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg <vrothberg@suse.com>
|
|
|
bce470 |
|
|
|
bce470 |
Jun 2018, Updated by Tom Sweeney <tsweeney@redhat.com>
|
|
|
bce470 |
|
|
|
bce470 |
Aug 2017, Originally compiled by Brent Baude <bbaude@redhat.com>
|