bb3e91
% CONTAINERS-REGISTRIES.CONF 5 System-wide registry configuration file
bb3e91
% Brent Baude
bb3e91
% Aug 2017
bb3e91
bb3e91
# NAME
bb3e91
containers-registries.conf - Syntax of System Registry Configuration File
bb3e91
bb3e91
# DESCRIPTION
bb3e91
The CONTAINERS-REGISTRIES configuration file is a system-wide configuration
bb3e91
file for container image registries. The file format is TOML.
bb3e91
bb3e91
Container engines will use the `$HOME/.config/containers/registries.conf` if it exists, otherwise they will use `/etc/containers/registries.conf`
bb3e91
bb3e91
### GLOBAL SETTINGS
bb3e91
bb3e91
`unqualified-search-registries`
bb3e91
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
bb3e91
bb3e91
`credential-helpers`
bb3e91
: An array of default credential helpers used as external credential stores.  Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5).  The credential helpers are set to `["containers-auth.json"]` if none are specified.
bb3e91
bb3e91
### NAMESPACED `[[registry]]` SETTINGS
bb3e91
bb3e91
The bulk of the configuration is represented as an array of `[[registry]]`
bb3e91
TOML tables; the settings may therefore differ among different registries
bb3e91
as well as among different namespaces/repositories within a registry.
bb3e91
bb3e91
#### Choosing a `[[registry]]` TOML table
bb3e91
bb3e91
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
bb3e91
bb3e91
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
bb3e91
  - _host_[`:`_port_]
bb3e91
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
bb3e91
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
bb3e91
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
bb3e91
  - [`*.`]_host_
bb3e91
bb3e91
The user-specified image name must start with the specified `prefix` (and continue
bb3e91
with the appropriate separator) for a particular `[[registry]]` TOML table to be
bb3e91
considered; (only) the TOML table with the longest match is used. It can
bb3e91
also include wildcarded subdomains in the format `*.example.com`.
bb3e91
The wildcard should only be present at the beginning as shown in the formats
bb3e91
above. Other cases will not work. For example, `*.example.com` is valid but
bb3e91
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
6ca60b
Note that `*` matches an arbitrary number of subdomains. `*.example.com` will hence
947b07
match `bar.example.com`, `foo.bar.example.com` and so on.
bb3e91
bb3e91
As a special case, the `prefix` field can be missing; if so, it defaults to the value
bb3e91
of the `location` field (described below).
bb3e91
bb3e91
#### Per-namespace settings
bb3e91
bb3e91
`insecure`
bb3e91
: `true` or `false`.
bb3e91
By default, container runtimes require TLS when retrieving images from a registry.
bb3e91
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
bb3e91
certificates are allowed.
bb3e91
bb3e91
`blocked`
bb3e91
: `true` or `false`.
bb3e91
If `true`, pulling images with matching names is forbidden.
bb3e91
bb3e91
#### Remapping and mirroring registries
bb3e91
bb3e91
The user-specified image reference is, primarily, a "logical" image name, always used for naming
bb3e91
the image.  By default, the image reference also directly specifies the registry and repository
bb3e91
to use, but the following options can be used to redirect the underlying accesses
bb3e91
to different registry servers or locations (e.g. to support configurations with no access to the
bb3e91
internet without having to change `Dockerfile`s, or to add redundancy).
bb3e91
bb3e91
`location`
bb3e91
: Accepts the same format as the `prefix` field, and specifies the physical location
bb3e91
of the `prefix`-rooted namespace.
bb3e91
bb3e91
By default, this equal to `prefix` (in which case `prefix` can be omitted and the
bb3e91
`[[registry]]` TOML table can only specify `location`).
bb3e91
bb3e91
Example: Given
bb3e91
```
bb3e91
prefix = "example.com/foo"
bb3e91
location = "internal-registry-for-example.net/bar"
bb3e91
```
bb3e91
requests for the image `example.com/foo/myimage:latest` will actually work with the
bb3e91
`internal-registry-for-example.net/bar/myimage:latest` image.
bb3e91
bb3e91
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
bb3e91
the location can be empty. In such a case,
bb3e91
prefix matching will occur, but no reference rewrite will occur. The
bb3e91
original requested image string will be used as-is. But other settings like
bb3e91
`insecure` / `blocked` / `mirrors` will be applied to matching images.
bb3e91
bb3e91
Example: Given
bb3e91
```
bb3e91
prefix = "*.example.com"
bb3e91
```
bb3e91
requests for the image `blah.example.com/foo/myimage:latest` will be used
bb3e91
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
bb3e91
bb3e91
`mirror`
bb3e91
: An array of TOML tables specifying (possibly-partial) mirrors for the
947b07
`prefix`-rooted namespace (i.e., the current `[[registry]]` TOML table).
bb3e91
bb3e91
The mirrors are attempted in the specified order; the first one that can be
bb3e91
contacted and contains the image will be used (and if none of the mirrors contains the image,
bb3e91
the primary location specified by the `registry.location` field, or using the unmodified
bb3e91
user-specified reference, is tried last).
bb3e91
947b07
Each TOML table in the `mirror` array can contain the following fields:
947b07
- `location`: same semantics
947b07
as specified in the `[[registry]]` TOML table
947b07
- `insecure`: same semantics
947b07
as specified in the `[[registry]]` TOML table
947b07
- `pull-from-mirror`: `all`, `digest-only` or `tag-only`.  If "digest-only", mirrors will only be used for digest pulls. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from.  Restricting mirrors to pulls by digest avoids that issue.  If "tag-only", mirrors will only be used for tag pulls.  For a more up-to-date and expensive mirror that it is less likely to be out of sync if tags move, it should not be unnecessarily used for digest references.  Default is "all" (or left empty), mirrors will be used for both digest pulls and tag pulls unless the mirror-by-digest-only is set for the primary registry.
947b07
Note that this per-mirror setting is allowed only when `mirror-by-digest-only` is not configured for the primary registry.
bb3e91
bb3e91
`mirror-by-digest-only`
bb3e91
: `true` or `false`.
bb3e91
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
947b07
Note that if all mirrors are configured to be digest-only, images referenced by a tag will only use the primary
947b07
registry.
947b07
If all mirrors are configured to be tag-only, images referenced by a digest will only use the primary
947b07
registry.
947b07
bb3e91
Referencing an image by digest ensures that the same is always used
bb3e91
(whereas referencing an image by a tag may cause different registries to return
bb3e91
different images if the tag mapping is out of sync).
bb3e91
bb3e91
bb3e91
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
bb3e91
to a registry; that may change in the future.
bb3e91
bb3e91
#### Short-Name Aliasing
bb3e91
The use of unqualified-search registries entails an ambiguity as it is
bb3e91
unclear from which registry a given image, referenced by a short name,
bb3e91
may be pulled from.
bb3e91
bb3e91
As mentioned in the note at the end of this man page, using short names is
bb3e91
subject to the risk of hitting squatted registry namespaces.  If the
bb3e91
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
bb3e91
an attacker may take over a namespace of registry1.com such that an image may
bb3e91
be pulled from registry1.com instead of the intended source registry2.com.
bb3e91
bb3e91
While it is highly recommended to always use fully-qualified image references,
bb3e91
existing deployments using short names may not be easily changed.  To
bb3e91
circumvent the aforementioned ambiguity, so called short-name aliases can be
bb3e91
configured that point to a fully-qualified image
bb3e91
reference.
bb3e91
bb3e91
Short-name aliases can be configured in the `[aliases]` table in the form of
bb3e91
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
bb3e91
and the right-hand `value` being the fully-qualified image reference (e.g.,
bb3e91
"registry.com/namespace/image").  Note that neither "name" nor "value" can
bb3e91
include a tag or digest.  Moreover, "name" must be a short name and hence
bb3e91
cannot include a registry domain or refer to localhost.
bb3e91
bb3e91
When pulling a short name, the configured aliases table will be used for
bb3e91
resolving the short name.  If a matching alias is found, it will be used
bb3e91
without further consulting the unqualified-search registries list.  If no
bb3e91
matching alias is found, the behavior can be controlled via the
bb3e91
`short-name-mode` option as described below.
bb3e91
bb3e91
Note that tags and digests are stripped off a user-specified short name for
bb3e91
alias resolution.  Hence, "image", "image:tag" and "image@digest" all resolve
bb3e91
to the same alias (i.e., "image").  Stripped off tags and digests are later
bb3e91
appended to the resolved alias.
bb3e91
bb3e91
Further note that drop-in configuration files (see containers-registries.conf.d(5))
bb3e91
can override aliases in the specific loading order of the files.  If the "value" of
bb3e91
an alias is empty (i.e., ""), the alias will be erased.  However, a given
bb3e91
"name" may only be specified once in a single config file.
bb3e91
bb3e91
bb3e91
#### Short-Name Aliasing: Modes
bb3e91
bb3e91
The `short-name-mode` option supports three modes to control the behaviour of
bb3e91
short-name resolution.
bb3e91
bb3e91
* `enforcing`: If only one unqualified-search registry is set, use it as there
bb3e91
  is no ambiguity.  If there is more than one registry and the user program is
bb3e91
  running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
bb3e91
  select one of the specified search registries.  If the program is not running
bb3e91
  in a terminal, the ambiguity cannot be resolved which will lead to an error.
bb3e91
bb3e91
* `permissive`: Behaves as enforcing but does not lead to an error if the
bb3e91
  program is not running in a terminal.  Instead, fallback to using all
bb3e91
  unqualified-search registries.
bb3e91
bb3e91
* `disabled`: Use all unqualified-search registries without prompting.
bb3e91
bb3e91
If `short-name-mode` is not specified at all or left empty, default to the
bb3e91
`permissive` mode.  If the user-specified short name was not aliased already,
bb3e91
the `enforcing` and `permissive` mode if prompted, will record a new alias
bb3e91
after a successful pull.  Note that the recorded alias will be written to
bb3e91
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
bb3e91
separation between possibly human-edited registries.conf files and the
bb3e91
machine-generated `short-name-aliases-conf`.  Note that `$HOME/.cache` is used
bb3e91
for rootless users.  If an alias is specified in a
bb3e91
`registries.conf` file and also the machine-generated
bb3e91
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
bb3e91
bb3e91
#### Normalization of docker.io references
bb3e91
bb3e91
The Docker Hub `docker.io` is handled in a special way: every push and pull
bb3e91
operation gets internally normalized with `/library` if no other specific
bb3e91
namespace is defined (for example on `docker.io/namespace/image`).
bb3e91
bb3e91
(Note that the above-described normalization happens to match the behavior of
bb3e91
Docker.)
bb3e91
bb3e91
This means that a pull of `docker.io/alpine` will be internally translated to
bb3e91
`docker.io/library/alpine`. A pull of `docker.io/user/alpine` will not be
bb3e91
rewritten because this is already the correct remote path.
bb3e91
bb3e91
Therefore, to remap or mirror the `docker.io` images in the (implied) `/library`
bb3e91
namespace (or that whole namespace), the prefix and location fields in this
bb3e91
configuration file must explicitly include that `/library` namespace. For
bb3e91
example `prefix = "docker.io/library/alpine"` and not `prefix =
bb3e91
"docker.io/alpine"`. The latter would match the `docker.io/alpine/*`
bb3e91
repositories but not the `docker.io/[library/]alpine` image).
bb3e91
bb3e91
### EXAMPLE
bb3e91
bb3e91
```
bb3e91
unqualified-search-registries = ["example.com"]
bb3e91
bb3e91
[[registry]]
bb3e91
prefix = "example.com/foo"
bb3e91
insecure = false
bb3e91
blocked = false
bb3e91
location = "internal-registry-for-example.com/bar"
bb3e91
bb3e91
[[registry.mirror]]
bb3e91
location = "example-mirror-0.local/mirror-for-foo"
bb3e91
bb3e91
[[registry.mirror]]
bb3e91
location = "example-mirror-1.local/mirrors/foo"
bb3e91
insecure = true
947b07
947b07
[[registry]]
947b07
location = "registry.com"
947b07
947b07
[[registry.mirror]]
947b07
location = "mirror.registry.com"
bb3e91
```
bb3e91
Given the above, a pull of `example.com/foo/image:latest` will try:
947b07
947b07
1. `example-mirror-0.local/mirror-for-foo/image:latest`
947b07
2. `example-mirror-1.local/mirrors/foo/image:latest`
947b07
3. `internal-registry-for-example.net/bar/image:latest`
bb3e91
bb3e91
in order, and use the first one that exists.
bb3e91
947b07
Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
947b07
bb3e91
## VERSION 1 FORMAT - DEPRECATED
bb3e91
VERSION 1 format is still supported but it does not support
bb3e91
using registry mirrors, longest-prefix matches, or location rewriting.
bb3e91
bb3e91
The TOML format is used to build a simple list of registries under three
bb3e91
categories: `registries.search`, `registries.insecure`, and `registries.block`.
bb3e91
You can list multiple registries using a comma separated list.
bb3e91
bb3e91
Search registries are used when the caller of a container runtime does not fully specify the
bb3e91
container image that they want to execute.  These registries are prepended onto the front
bb3e91
of the specified container image until the named image is found at a registry.
bb3e91
bb3e91
Note that insecure registries can be used for any registry, not just the registries listed
bb3e91
under search.
bb3e91
bb3e91
The `registries.insecure` and `registries.block` lists have the same meaning as the
bb3e91
`insecure` and `blocked` fields in the current version.
bb3e91
bb3e91
### EXAMPLE
bb3e91
The following example configuration defines two searchable registries, one
bb3e91
insecure registry, and two blocked registries.
bb3e91
bb3e91
```
bb3e91
[registries.search]
bb3e91
registries = ['registry1.com', 'registry2.com']
bb3e91
bb3e91
[registries.insecure]
bb3e91
registries = ['registry3.com']
bb3e91
bb3e91
[registries.block]
bb3e91
registries = ['registry.untrusted.com', 'registry.unsafe.com']
bb3e91
```
bb3e91
bb3e91
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
bb3e91
We recommend always using fully qualified image names including the registry
bb3e91
server (full dns name), namespace, image name, and tag
bb3e91
(e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
bb3e91
always an inherent risk that the image being pulled could be spoofed. For
bb3e91
example, a user wants to pull an image named `foobar` from a registry and
bb3e91
expects it to come from myregistry.com. If myregistry.com is not first in the
bb3e91
search list, an attacker could place a different `foobar` image at a registry
bb3e91
earlier in the search list. The user would accidentally pull and run the
bb3e91
attacker's image and code rather than the intended content. We recommend only
bb3e91
adding registries which are completely trusted, i.e. registries which don't
bb3e91
allow unknown or anonymous users to create accounts with arbitrary names. This
bb3e91
will prevent an image from being spoofed, squatted or otherwise made insecure.
bb3e91
If it is necessary to use one of these registries, it should be added at the
bb3e91
end of the list.
bb3e91
bb3e91
It is recommended to use fully-qualified images for pulling as
bb3e91
the destination registry is unambiguous. Pulling by digest
bb3e91
(i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
bb3e91
tags.
bb3e91
bb3e91
# SEE ALSO
bb3e91
 containers-auth.json(5) containers-certs.d(5)
bb3e91
bb3e91
# HISTORY
bb3e91
Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>
bb3e91
bb3e91
Mar 2019, Added additional configuration format by Sascha Grunert <sgrunert@suse.com>
bb3e91
bb3e91
Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg <vrothberg@suse.com>
bb3e91
bb3e91
Jun 2018, Updated by Tom Sweeney <tsweeney@redhat.com>
bb3e91
bb3e91
Aug 2017, Originally compiled by Brent Baude <bbaude@redhat.com>