bafb64
% CONTAINERS-REGISTRIES.CONF 5 System-wide registry configuration file
a415a1
% Brent Baude
a415a1
% Aug 2017
a415a1
a415a1
# NAME
a415a1
containers-registries.conf - Syntax of System Registry Configuration File
a415a1
a415a1
# DESCRIPTION
a415a1
The CONTAINERS-REGISTRIES configuration file is a system-wide configuration
a415a1
file for container image registries. The file format is TOML.
a415a1
a415a1
Container engines will use the `$HOME/.config/containers/registries.conf` if it exists, otherwise they will use `/etc/containers/registries.conf`
a415a1
a415a1
### GLOBAL SETTINGS
a415a1
a415a1
`unqualified-search-registries`
a415a1
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
a415a1
a415a1
`credential-helpers`
a415a1
: An array of default credential helpers used as external credential stores.  Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5).  The credential helpers are set to `["containers-auth.json"]` if none are specified.
a415a1
a415a1
### NAMESPACED `[[registry]]` SETTINGS
a415a1
a415a1
The bulk of the configuration is represented as an array of `[[registry]]`
a415a1
TOML tables; the settings may therefore differ among different registries
a415a1
as well as among different namespaces/repositories within a registry.
a415a1
a415a1
#### Choosing a `[[registry]]` TOML table
a415a1
a415a1
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
a415a1
a415a1
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
a415a1
  - _host_[`:`_port_]
a415a1
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
a415a1
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
a415a1
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
a415a1
  - [`*.`]_host_
a415a1
a415a1
The user-specified image name must start with the specified `prefix` (and continue
a415a1
with the appropriate separator) for a particular `[[registry]]` TOML table to be
a415a1
considered; (only) the TOML table with the longest match is used. It can
a415a1
also include wildcarded subdomains in the format `*.example.com`.
a415a1
The wildcard should only be present at the beginning as shown in the formats
a415a1
above. Other cases will not work. For example, `*.example.com` is valid but
a415a1
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
a415a1
a415a1
As a special case, the `prefix` field can be missing; if so, it defaults to the value
a415a1
of the `location` field (described below).
a415a1
a415a1
#### Per-namespace settings
a415a1
a415a1
`insecure`
a415a1
: `true` or `false`.
a415a1
By default, container runtimes require TLS when retrieving images from a registry.
a415a1
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
a415a1
certificates are allowed.
a415a1
a415a1
`blocked`
a415a1
: `true` or `false`.
a415a1
If `true`, pulling images with matching names is forbidden.
a415a1
a415a1
#### Remapping and mirroring registries
a415a1
a415a1
The user-specified image reference is, primarily, a "logical" image name, always used for naming
a415a1
the image.  By default, the image reference also directly specifies the registry and repository
a415a1
to use, but the following options can be used to redirect the underlying accesses
a415a1
to different registry servers or locations (e.g. to support configurations with no access to the
a415a1
internet without having to change `Dockerfile`s, or to add redundancy).
a415a1
a415a1
`location`
a415a1
: Accepts the same format as the `prefix` field, and specifies the physical location
a415a1
of the `prefix`-rooted namespace.
a415a1
a415a1
By default, this equal to `prefix` (in which case `prefix` can be omitted and the
a415a1
`[[registry]]` TOML table can only specify `location`).
a415a1
a415a1
Example: Given
a415a1
```
a415a1
prefix = "example.com/foo"
a415a1
location = "internal-registry-for-example.net/bar"
a415a1
```
a415a1
requests for the image `example.com/foo/myimage:latest` will actually work with the
a415a1
`internal-registry-for-example.net/bar/myimage:latest` image.
a415a1
a415a1
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
a415a1
the location can be empty. In such a case,
a415a1
prefix matching will occur, but no reference rewrite will occur. The
a415a1
original requested image string will be used as-is. But other settings like
a415a1
`insecure` / `blocked` / `mirrors` will be applied to matching images.
a415a1
a415a1
Example: Given
a415a1
```
a415a1
prefix = "*.example.com"
a415a1
```
a415a1
requests for the image `blah.example.com/foo/myimage:latest` will be used
a415a1
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
a415a1
a415a1
`mirror`
a415a1
: An array of TOML tables specifying (possibly-partial) mirrors for the
a415a1
`prefix`-rooted namespace.
a415a1
a415a1
The mirrors are attempted in the specified order; the first one that can be
a415a1
contacted and contains the image will be used (and if none of the mirrors contains the image,
a415a1
the primary location specified by the `registry.location` field, or using the unmodified
a415a1
user-specified reference, is tried last).
a415a1
a415a1
Each TOML table in the `mirror` array can contain the following fields, with the same semantics
a415a1
as if specified in the `[[registry]]` TOML table directly:
a415a1
- `location`
a415a1
- `insecure`
a415a1
a415a1
`mirror-by-digest-only`
a415a1
: `true` or `false`.
a415a1
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
a415a1
Referencing an image by digest ensures that the same is always used
a415a1
(whereas referencing an image by a tag may cause different registries to return
a415a1
different images if the tag mapping is out of sync).
a415a1
a415a1
Note that if this is `true`, images referenced by a tag will only use the primary
a415a1
registry, failing if that registry is not accessible.
a415a1
a415a1
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
a415a1
to a registry; that may change in the future.
a415a1
a415a1
#### Short-Name Aliasing
a415a1
The use of unqualified-search registries entails an ambiguity as it is
a415a1
unclear from which registry a given image, referenced by a short name,
a415a1
may be pulled from.
a415a1
a415a1
As mentioned in the note at the end of this man page, using short names is
a415a1
subject to the risk of hitting squatted registry namespaces.  If the
a415a1
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
a415a1
an attacker may take over a namespace of registry1.com such that an image may
a415a1
be pulled from registry1.com instead of the intended source registry2.com.
a415a1
a415a1
While it is highly recommended to always use fully-qualified image references,
a415a1
existing deployments using short names may not be easily changed.  To
a415a1
circumvent the aforementioned ambiguity, so called short-name aliases can be
a415a1
configured that point to a fully-qualified image
a415a1
reference.
a415a1
a415a1
Short-name aliases can be configured in the `[aliases]` table in the form of
a415a1
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
a415a1
and the right-hand `value` being the fully-qualified image reference (e.g.,
a415a1
"registry.com/namespace/image").  Note that neither "name" nor "value" can
a415a1
include a tag or digest.  Moreover, "name" must be a short name and hence
a415a1
cannot include a registry domain or refer to localhost.
a415a1
a415a1
When pulling a short name, the configured aliases table will be used for
a415a1
resolving the short name.  If a matching alias is found, it will be used
a415a1
without further consulting the unqualified-search registries list.  If no
a415a1
matching alias is found, the behavior can be controlled via the
a415a1
`short-name-mode` option as described below.
a415a1
a415a1
Note that tags and digests are stripped off a user-specified short name for
a415a1
alias resolution.  Hence, "image", "image:tag" and "image@digest" all resolve
a415a1
to the same alias (i.e., "image").  Stripped off tags and digests are later
a415a1
appended to the resolved alias.
a415a1
a415a1
Further note that drop-in configuration files (see containers-registries.conf.d(5))
a415a1
can override aliases in the specific loading order of the files.  If the "value" of
a415a1
an alias is empty (i.e., ""), the alias will be erased.  However, a given
a415a1
"name" may only be specified once in a single config file.
a415a1
a415a1
a415a1
#### Short-Name Aliasing: Modes
a415a1
a415a1
The `short-name-mode` option supports three modes to control the behaviour of
a415a1
short-name resolution.
a415a1
a415a1
* `enforcing`: If only one unqualified-search registry is set, use it as there
a415a1
  is no ambiguity.  If there is more than one registry and the user program is
a415a1
  running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
a415a1
  select one of the specified search registries.  If the program is not running
a415a1
  in a terminal, the ambiguity cannot be resolved which will lead to an error.
a415a1
a415a1
* `permissive`: Behaves as enforcing but does not lead to an error if the
a415a1
  program is not running in a terminal.  Instead, fallback to using all
a415a1
  unqualified-search registries.
a415a1
a415a1
* `disabled`: Use all unqualified-search registries without prompting.
a415a1
a415a1
If `short-name-mode` is not specified at all or left empty, default to the
a415a1
`permissive` mode.  If the user-specified short name was not aliased already,
a415a1
the `enforcing` and `permissive` mode if prompted, will record a new alias
a415a1
after a successful pull.  Note that the recorded alias will be written to
a415a1
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
a415a1
separation between possibly human-edited registries.conf files and the
a415a1
machine-generated `short-name-aliases-conf`.  Note that `$HOME/.cache` is used
a415a1
for rootless users.  If an alias is specified in a
a415a1
`registries.conf` file and also the machine-generated
a415a1
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
a415a1
a415a1
#### Normalization of docker.io references
a415a1
a415a1
The Docker Hub `docker.io` is handled in a special way: every push and pull
a415a1
operation gets internally normalized with `/library` if no other specific
a415a1
namespace is defined (for example on `docker.io/namespace/image`).
a415a1
a415a1
(Note that the above-described normalization happens to match the behavior of
a415a1
Docker.)
a415a1
a415a1
This means that a pull of `docker.io/alpine` will be internally translated to
a415a1
`docker.io/library/alpine`. A pull of `docker.io/user/alpine` will not be
a415a1
rewritten because this is already the correct remote path.
a415a1
a415a1
Therefore, to remap or mirror the `docker.io` images in the (implied) `/library`
a415a1
namespace (or that whole namespace), the prefix and location fields in this
a415a1
configuration file must explicitly include that `/library` namespace. For
a415a1
example `prefix = "docker.io/library/alpine"` and not `prefix =
a415a1
"docker.io/alpine"`. The latter would match the `docker.io/alpine/*`
a415a1
repositories but not the `docker.io/[library/]alpine` image).
a415a1
a415a1
### EXAMPLE
a415a1
a415a1
```
a415a1
unqualified-search-registries = ["example.com"]
a415a1
a415a1
[[registry]]
a415a1
prefix = "example.com/foo"
a415a1
insecure = false
a415a1
blocked = false
a415a1
location = "internal-registry-for-example.com/bar"
a415a1
a415a1
[[registry.mirror]]
a415a1
location = "example-mirror-0.local/mirror-for-foo"
a415a1
a415a1
[[registry.mirror]]
a415a1
location = "example-mirror-1.local/mirrors/foo"
a415a1
insecure = true
a415a1
```
a415a1
Given the above, a pull of `example.com/foo/image:latest` will try:
a415a1
    1. `example-mirror-0.local/mirror-for-foo/image:latest`
a415a1
    2. `example-mirror-1.local/mirrors/foo/image:latest`
a415a1
    3. `internal-registry-for-example.net/bar/image:latest`
a415a1
a415a1
in order, and use the first one that exists.
a415a1
a415a1
## VERSION 1 FORMAT - DEPRECATED
a415a1
VERSION 1 format is still supported but it does not support
a415a1
using registry mirrors, longest-prefix matches, or location rewriting.
a415a1
a415a1
The TOML format is used to build a simple list of registries under three
a415a1
categories: `registries.search`, `registries.insecure`, and `registries.block`.
a415a1
You can list multiple registries using a comma separated list.
a415a1
a415a1
Search registries are used when the caller of a container runtime does not fully specify the
a415a1
container image that they want to execute.  These registries are prepended onto the front
a415a1
of the specified container image until the named image is found at a registry.
a415a1
a415a1
Note that insecure registries can be used for any registry, not just the registries listed
a415a1
under search.
a415a1
a415a1
The `registries.insecure` and `registries.block` lists have the same meaning as the
a415a1
`insecure` and `blocked` fields in the current version.
a415a1
a415a1
### EXAMPLE
a415a1
The following example configuration defines two searchable registries, one
a415a1
insecure registry, and two blocked registries.
a415a1
a415a1
```
a415a1
[registries.search]
a415a1
registries = ['registry1.com', 'registry2.com']
a415a1
a415a1
[registries.insecure]
a415a1
registries = ['registry3.com']
a415a1
a415a1
[registries.block]
a415a1
registries = ['registry.untrusted.com', 'registry.unsafe.com']
a415a1
```
a415a1
a415a1
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
a415a1
We recommend always using fully qualified image names including the registry
a415a1
server (full dns name), namespace, image name, and tag
a415a1
(e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
a415a1
always an inherent risk that the image being pulled could be spoofed. For
a415a1
example, a user wants to pull an image named `foobar` from a registry and
a415a1
expects it to come from myregistry.com. If myregistry.com is not first in the
a415a1
search list, an attacker could place a different `foobar` image at a registry
a415a1
earlier in the search list. The user would accidentally pull and run the
a415a1
attacker's image and code rather than the intended content. We recommend only
a415a1
adding registries which are completely trusted, i.e. registries which don't
a415a1
allow unknown or anonymous users to create accounts with arbitrary names. This
a415a1
will prevent an image from being spoofed, squatted or otherwise made insecure.
a415a1
If it is necessary to use one of these registries, it should be added at the
a415a1
end of the list.
a415a1
a415a1
It is recommended to use fully-qualified images for pulling as
a415a1
the destination registry is unambiguous. Pulling by digest
a415a1
(i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
a415a1
tags.
a415a1
a415a1
# SEE ALSO
a415a1
 containers-auth.json(5) containers-certs.d(5)
a415a1
a415a1
# HISTORY
a415a1
Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>
a415a1
a415a1
Mar 2019, Added additional configuration format by Sascha Grunert <sgrunert@suse.com>
a415a1
a415a1
Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg <vrothberg@suse.com>
a415a1
a415a1
Jun 2018, Updated by Tom Sweeney <tsweeney@redhat.com>
a415a1
a415a1
Aug 2017, Originally compiled by Brent Baude <bbaude@redhat.com>