ae5259
% containers-registries.d 5 Registries.d Man Page
bce470
% Miloslav Trmač
bce470
% August 2016
bce470
bce470
# NAME
bce470
containers-registries.d - Directory for various registries configurations
bce470
bce470
# DESCRIPTION
bce470
bce470
The registries configuration directory contains configuration for various registries
bce470
(servers storing remote container images), and for content stored in them,
bce470
so that the configuration does not have to be provided in command-line options over and over for every command,
bce470
and so that it can be shared by all users of containers/image.
bce470
bce470
By default, the registries configuration directory is `$HOME/.config/containers/registries.d` if it exists, otherwise `/etc/containers/registries.d` (unless overridden at compile-time);
bce470
applications may allow using a different directory instead.
bce470
bce470
## Directory Structure
bce470
bce470
The directory may contain any number of files with the extension `.yaml`,
bce470
each using the YAML format.  Other than the mandatory extension, names of the files
bce470
don’t matter.
bce470
bce470
The contents of these files are merged together; to have a well-defined and easy to understand
bce470
behavior, there can be only one configuration section describing a single namespace within a registry
bce470
(in particular there can be at most one one `default-docker` section across all files,
bce470
and there can be at most one instance of any key under the `docker` section;
bce470
these sections are documented later).
bce470
bce470
Thus, it is forbidden to have two conflicting configurations for a single registry or scope,
bce470
and it is also forbidden to split a configuration for a single registry or scope across
bce470
more than one file (even if they are not semantically in conflict).
bce470
bce470
## Registries, Scopes and Search Order
bce470
bce470
Each YAML file must contain a “YAML mapping” (key-value pairs).  Two top-level keys are defined:
bce470
bce470
- `default-docker` is the _configuration section_ (as documented below)
bce470
   for registries implementing "Docker Registry HTTP API V2".
bce470
bce470
   This key is optional.
bce470
bce470
- `docker` is a mapping, using individual registries implementing "Docker Registry HTTP API V2",
bce470
   or namespaces and individual images within these registries, as keys;
bce470
   the value assigned to any such key is a _configuration section_.
bce470
bce470
   This key is optional.
bce470
bce470
   Scopes matching individual images are named Docker references *in the fully expanded form*, either
bce470
   using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
bce470
bce470
   More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
bce470
   a repository namespace, or a registry host (and a port if it differs from the default).
bce470
bce470
   Note that if a registry is accessed using a hostname+port configuration, the port-less hostname
bce470
   is _not_ used as parent scope.
bce470
bce470
When searching for a configuration to apply for an individual container image, only
bce470
the configuration for the most-precisely matching scope is used; configuration using
bce470
more general scopes is ignored.  For example, if _any_ configuration exists for
bce470
`docker.io/library/busybox`, the configuration for `docker.io` is ignored
bce470
(even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`).
bce470
bce470
### Built-in Defaults
bce470
38a67a
If no `docker` section can be found for the container image, and no `default-docker` section is configured:
38a67a
38a67a
- The default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user,  will be used for reading and writing signatures.
38a67a
- Sigstore attachments will not be read/written.
bce470
bce470
## Individual Configuration Sections
bce470
bce470
A single configuration section is selected for a container image using the process
bce470
described above.  The configuration section is a YAML mapping, with the following keys:
bce470
38a67a
38a67a
38a67a
- `lookaside-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
bce470
38a67a
   This key is optional; if it is missing, `lookaside` below is used.
bce470
38a67a
- `lookaside` defines an URL of the signature storage.
bce470
   This URL is used for reading existing signatures,
38a67a
   and if `lookaside-staging` does not exist, also for adding or removing them.
bce470
bce470
   This key is optional; if it is missing, no signature storage is defined (no signatures
38a67a
   are download along with images, adding new signatures is possible only if `lookaside-staging` is defined).
bce470
38a67a
- `use-sigstore-attachments` specifies whether sigstore image attachments (signatures, attestations and the like) are going to be read/written along with the image.
38a67a
   If disabled, the images are treated as if no attachments exist; attempts to write attachments fail.
bce470
bce470
## Examples
bce470
bce470
### Using Containers from Various Origins
bce470
bce470
The following demonstrates how to to consume and run images from various registries and namespaces:
bce470
bce470
```yaml
bce470
docker:
bce470
    registry.database-supplier.com:
38a67a
        lookaside: https://lookaside.database-supplier.com
bce470
    distribution.great-middleware.org:
38a67a
        lookaside: https://security-team.great-middleware.org/lookaside
bce470
    docker.io/web-framework:
38a67a
        lookaside: https://lookaside.web-framework.io:8080
bce470
```
bce470
bce470
### Developing and Signing Containers, Staging Signatures
bce470
bce470
For developers in `example.com`:
bce470
bce470
- Consume most container images using the public servers also used by clients.
bce470
- Use a separate signature storage for an container images in a namespace corresponding to the developers' department, with a staging storage used before publishing signatures.
bce470
- Craft an individual exception for a single branch a specific developer is working on locally.
bce470
bce470
```yaml
bce470
docker:
bce470
    registry.example.com:
38a67a
        lookaside: https://registry-lookaside.example.com
bce470
    registry.example.com/mydepartment:
38a67a
        lookaside: https://lookaside.mydepartment.example.com
38a67a
        lookaside-staging: file:///mnt/mydepartment/lookaside-staging
bce470
    registry.example.com/mydepartment/myproject:mybranch:
38a67a
        lookaside: http://localhost:4242/lookaside
38a67a
        lookaside-staging: file:///home/useraccount/webroot/lookaside
bce470
```
bce470
bce470
### A Global Default
bce470
bce470
If a company publishes its products using a different domain, and different registry hostname for each of them, it is still possible to use a single signature storage server
bce470
without listing each domain individually. This is expected to rarely happen, usually only for staging new signatures.
bce470
bce470
```yaml
bce470
default-docker:
38a67a
    lookaside-staging: file:///mnt/company/common-lookaside-staging
bce470
```
bce470
bce470
# AUTHORS
bce470
bce470
Miloslav Trmač <mitr@redhat.com>