1CONTAINERS-REGISTRIES.CONF(5)    configuration   CONTAINERS-REGISTRIES.CONF(5)
2
3
4
5Brent Baude Aug 2017
6
7

NAME

9       containers-registries.conf  -  Syntax  of System Registry Configuration
10       File
11
12
13

DESCRIPTION

15       The CONTAINERS-REGISTRIES configuration file is a system-wide  configu‐
16       ration file for container image registries. The file format is TOML.
17
18
19       Container engines will use the $HOME/.config/containers/registries.conf
20       if it exists, otherwise they will use /etc/containers/registries.conf
21
22
23   GLOBAL SETTINGS
24       unqualified-search-registries
25              An array of host[:port] registries to try when  pulling  an  un‐
26              qualified image, in order.
27
28
29       credential-helpers
30              An  array of default credential helpers used as external creden‐
31              tial stores.  Note that  "containers-auth.json"  is  a  reserved
32              value to use auth files as specified in containers-auth.json(5).
33              The credential helpers are set  to  ["containers-auth.json"]  if
34              none are specified.
35
36
37   NAMESPACED [[registry]] SETTINGS
38       The  bulk  of  the  configuration  is represented as an array of [[reg‐
39       istry]] TOML tables; the settings may therefore differ among  different
40       registries  as well as among different namespaces/repositories within a
41       registry.
42
43
44   Choosing a [[registry]] TOML table
45       Given an image name, a single [[registry]] TOML table is  chosen  based
46       on its prefix field.
47
48
49       prefix:  A  prefix  of the user-specified image name, i.e. using one of
50       the following formats:
51         - host[:port]
52         - host[:port]/namespace[/_namespace_…]
53         - host[:port]/namespace[/_namespace_…]/repo
54         - host[:port]/namespace[/_namespace_…]/repo(:_tag|@digest)
55         - [*.]host
56
57
58       The user-specified image name must start with the specified prefix (and
59       continue  with the appropriate separator) for a particular [[registry]]
60       TOML table to be considered; (only) the TOML  table  with  the  longest
61       match  is used. It can also include wildcarded subdomains in the format
62       *.example.com.  The wildcard should only be present at the beginning as
63       shown  in  the  formats  above. Other cases will not work. For example,
64       *.example.com is valid but example.*.com, *.example.com/foo and *.exam‐
65       ple.com:5000/foo/bar:baz are not.  Note that * matches an arbitary num‐
66       ber of subdomains.  *.example.com  will  hence  match  bar.example.com,
67       foo.bar.example.com and so on.
68
69
70       As  a special case, the prefix field can be missing; if so, it defaults
71       to the value of the location field (described below).
72
73
74   Per-namespace settings
75       insecure
76              true or false.  By default, container runtimes require TLS  when
77              retrieving  images from a registry.  If insecure is set to true,
78              unencrypted HTTP as well as TLS connections with untrusted  cer‐
79              tificates are allowed.
80
81
82       blocked
83              true  or  false.  If true, pulling images with matching names is
84              forbidden.
85
86
87   Remapping and mirroring registries
88       The user-specified image reference is,  primarily,  a  "logical"  image
89       name,  always  used for naming the image.  By default, the image refer‐
90       ence also directly specifies the registry and repository  to  use,  but
91       the  following  options can be used to redirect the underlying accesses
92       to different registry servers or locations (e.g. to support  configura‐
93       tions  with  no access to the internet without having to change Docker‐
94       files, or to add redundancy).
95
96
97       location
98              Accepts the same format as the prefix field, and  specifies  the
99              physical location of the prefix-rooted namespace.
100
101
102       By  default,  this equal to prefix (in which case prefix can be omitted
103       and the [[registry]] TOML table can only specify location).
104
105
106       Example: Given
107
108
109              prefix = "example.com/foo"
110              location = "internal-registry-for-example.net/bar"
111
112
113
114       requests for the  image  example.com/foo/myimage:latest  will  actually
115       work  with the internal-registry-for-example.net/bar/myimage:latest im‐
116       age.
117
118
119       With a prefix containing a wildcard in the format: "*.example.com"  for
120       subdomain  matching,  the location can be empty. In such a case, prefix
121       matching will occur, but no reference rewrite will occur. The  original
122       requested  image string will be used as-is. But other settings like in‐
123       secure / blocked / mirrors will be applied to matching images.
124
125
126       Example: Given
127
128
129              prefix = "*.example.com"
130
131
132
133       requests for the image blah.example.com/foo/myimage:latest will be used
134       as-is. But other settings like insecure/blocked/mirrors will be applied
135       to matching images
136
137
138       mirror An array of TOML tables  specifying  (possibly-partial)  mirrors
139              for the prefix-rooted namespace.
140
141
142       The  mirrors  are  attempted in the specified order; the first one that
143       can be contacted and contains the image will be used (and  if  none  of
144       the  mirrors  contains the image, the primary location specified by the
145       registry.location field, or using the unmodified user-specified  refer‐
146       ence, is tried last).
147
148
149       Each TOML table in the mirror array can contain the following fields: -
150       location: same semantics as specified in the [[registry]] TOML table -
151       insecure: same semantics as specified in the [[registry]] TOML table -
152       pull-from-mirror: all, digest-only  or  tag-only.   If  "digest-only",
153       mirrors  will  only be used for digest pulls. Pulling images by tag can
154       potentially yield different images, depending on which endpoint we pull
155       from.   Restricting  mirrors  to pulls by digest avoids that issue.  If
156       "tag-only", mirrors will only be used for tag pulls.  For a more up-to-
157       date  and  expensive mirror that it is less likely to be out of sync if
158       tags move, it should not be unnecessarily used for  digest  references.
159       Default  is "all" (or left empty), mirrors will be used for both digest
160       pulls and tag pulls unless the mirror-by-digest-only  is  set  for  the
161       primary  registry.   Note  that this per-mirror setting is allowed only
162       when mirror-by-digest-only is not configured for the primary registry.
163
164
165       mirror-by-digest-only
166              true or false.  If  true,  mirrors  will  only  be  used  during
167              pulling  if the image reference includes a digest.  Note that if
168              all mirrors are configured to be digest-only, images  referenced
169              by a tag will only use the primary registry.  If all mirrors are
170              configured to be tag-only, images referenced by  a  digest  will
171              only use the primary registry.
172
173
174       Referencing  an  image  by  digest ensures that the same is always used
175       (whereas referencing an image by a tag may cause  different  registries
176       to return different images if the tag mapping is out of sync).
177
178
179       Note: Redirection and mirrors are currently processed only when reading
180       images, not when pushing to a registry; that may change in the future.
181
182
183   Short-Name Aliasing
184       The use of unqualified-search registries entails an ambiguity as it  is
185       unclear  from which registry a given image, referenced by a short name,
186       may be pulled from.
187
188
189       As mentioned in the note at the end of this man page, using short names
190       is subject to the risk of hitting squatted registry namespaces.  If the
191       unqualified-search  registries  are  set  to  ["registry1.com",   "reg‐
192       istry2.com"]  an  attacker  may  take over a namespace of registry1.com
193       such that an image may be pulled from registry1.com instead of the  in‐
194       tended source registry2.com.
195
196
197       While it is highly recommended to always use fully-qualified image ref‐
198       erences, existing deployments using  short  names  may  not  be  easily
199       changed.   To circumvent the aforementioned ambiguity, so called short-
200       name aliases can be configured that point to  a  fully-qualified  image
201       reference.
202
203
204       Short-name aliases can be configured in the [aliases] table in the form
205       of "name"="value" with the left-hand name being the short  name  (e.g.,
206       "image")  and the right-hand value being the fully-qualified image ref‐
207       erence  (e.g.,  "registry.com/namespace/image").   Note  that   neither
208       "name"  nor "value" can include a tag or digest.  Moreover, "name" must
209       be a short name and hence cannot include a registry domain or refer  to
210       localhost.
211
212
213       When  pulling  a  short name, the configured aliases table will be used
214       for resolving the short name.  If a matching alias is found, it will be
215       used without further consulting the unqualified-search registries list.
216       If no matching alias is found, the behavior can be controlled  via  the
217       short-name-mode option as described below.
218
219
220       Note that tags and digests are stripped off a user-specified short name
221       for alias resolution.  Hence, "image", "image:tag"  and  "image@digest"
222       all  resolve  to the same alias (i.e., "image").  Stripped off tags and
223       digests are later appended to the resolved alias.
224
225
226       Further note that  drop-in  configuration  files  (see  containers-reg‐
227       istries.conf.d(5))  can  override aliases in the specific loading order
228       of the files.  If the "value" of an alias  is  empty  (i.e.,  ""),  the
229       alias  will  be  erased.  However, a given "name" may only be specified
230       once in a single config file.
231
232
233   Short-Name Aliasing: Modes
234       The short-name-mode option supports three modes to control  the  behav‐
235       iour of short-name resolution.
236
237
238enforcing: If only one unqualified-search registry is set, use
239                it as there is no ambiguity.  If there is more than  one  reg‐
240                istry  and  the  user  program is running in a terminal (i.e.,
241                stdout & stdin are a TTY), prompt the user to  select  one  of
242                the  specified  search registries.  If the program is not run‐
243                ning in a terminal, the ambiguity  cannot  be  resolved  which
244                will lead to an error.
245
246permissive: Behaves as enforcing but does not lead to an error
247                if the program is not running in a terminal.   Instead,  fall‐
248                back to using all unqualified-search registries.
249
250disabled:   Use   all  unqualified-search  registries  without
251                prompting.
252
253
254
255       If short-name-mode is not specified at all or left  empty,  default  to
256       the  permissive mode.  If the user-specified short name was not aliased
257       already, the enforcing and permissive mode if prompted, will  record  a
258       new  alias  after a successful pull.  Note that the recorded alias will
259       be written to /var/cache/containers/short-name-aliases.conf for root to
260       have  a  clear separation between possibly human-edited registries.conf
261       files and the  machine-generated  short-name-aliases-conf.   Note  that
262       $HOME/.cache is used for rootless users.  If an alias is specified in a
263       registries.conf  file  and  also  the   machine-generated   short-name-
264       aliases.conf, the short-name-aliases.conf file has precedence.
265
266
267   Normalization of docker.io references
268       The  Docker  Hub  docker.io is handled in a special way: every push and
269       pull operation gets internally normalized with  /library  if  no  other
270       specific  namespace  is defined (for example on docker.io/namespace/im‐
271       age).
272
273
274       (Note that the above-described normalization happens to match  the  be‐
275       havior of Docker.)
276
277
278       This  means  that  a pull of docker.io/alpine will be internally trans‐
279       lated to docker.io/library/alpine. A pull of docker.io/user/alpine will
280       not be rewritten because this is already the correct remote path.
281
282
283       Therefore,  to  remap  or  mirror the docker.io images in the (implied)
284       /library namespace (or that whole namespace), the prefix  and  location
285       fields in this configuration file must explicitly include that /library
286       namespace. For example prefix = "docker.io/library/alpine" and not pre‐
287       fix = "docker.io/alpine". The latter would match the docker.io/alpine/*
288       repositories but not the docker.io/[library/]alpine image).
289
290
291   EXAMPLE
292              unqualified-search-registries = ["example.com"]
293
294              [[registry]]
295              prefix = "example.com/foo"
296              insecure = false
297              blocked = false
298              location = "internal-registry-for-example.com/bar"
299
300              [[registry.mirror]]
301              location = "example-mirror-0.local/mirror-for-foo"
302
303              [[registry.mirror]]
304              location = "example-mirror-1.local/mirrors/foo"
305              insecure = true
306
307
308
309       Given the above, a pull of example.com/foo/image:latest will try:
310           1. example-mirror-0.local/mirror-for-foo/image:latest
311           2. example-mirror-1.local/mirrors/foo/image:latest
312           3. internal-registry-for-example.net/bar/image:latest
313
314
315       in order, and use the first one that exists.
316
317

VERSION 1 FORMAT - DEPRECATED

319       VERSION 1 format is still supported but it does not support using  reg‐
320       istry mirrors, longest-prefix matches, or location rewriting.
321
322
323       The  TOML  format  is  used  to build a simple list of registries under
324       three  categories:  registries.search,  registries.insecure,  and  reg‐
325       istries.block.   You  can  list multiple registries using a comma sepa‐
326       rated list.
327
328
329       Search registries are used when the caller of a container runtime  does
330       not fully specify the container image that they want to execute.  These
331       registries are prepended onto the front of the specified container  im‐
332       age until the named image is found at a registry.
333
334
335       Note  that  insecure  registries can be used for any registry, not just
336       the registries listed under search.
337
338
339       The registries.insecure and registries.block lists have the same  mean‐
340       ing as the insecure and blocked fields in the current version.
341
342
343   EXAMPLE
344       The  following example configuration defines two searchable registries,
345       one insecure registry, and two blocked registries.
346
347
348              [registries.search]
349              registries = ['registry1.com', 'registry2.com']
350
351              [registries.insecure]
352              registries = ['registry3.com']
353
354              [registries.block]
355              registries = ['registry.untrusted.com', 'registry.unsafe.com']
356
357
358
359

NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES

361       We recommend always using fully qualified  image  names  including  the
362       registry  server (full dns name), namespace, image name, and tag (e.g.,
363       registry.redhat.io/ubi8/ubi:latest). When using short names,  there  is
364       always  an  inherent risk that the image being pulled could be spoofed.
365       For example, a user wants to pull an image named foobar from a registry
366       and  expects  it  to come from myregistry.com. If myregistry.com is not
367       first in the search list, an attacker could place  a  different  foobar
368       image at a registry earlier in the search list. The user would acciden‐
369       tally pull and run the attacker's image and code rather  than  the  in‐
370       tended  content.  We  recommend  only  adding registries which are com‐
371       pletely trusted, i.e. registries which don't allow unknown or anonymous
372       users to create accounts with arbitrary names. This will prevent an im‐
373       age from being spoofed, squatted or otherwise made insecure.  If it  is
374       necessary to use one of these registries, it should be added at the end
375       of the list.
376
377
378       It is recommended to use fully-qualified images for pulling as the des‐
379       tination   registry   is   unambiguous.   Pulling   by   digest  (i.e.,
380       quay.io/repository/name@digest) further  eliminates  the  ambiguity  of
381       tags.
382
383
384

SEE ALSO

386       containers-auth.json(5) containers-certs.d(5)
387
388
389

HISTORY

391       Dec  2019,  Warning  added  for  unqualified image names by Tom Sweeney
392       tsweeney@redhat.com ⟨mailto:tsweeney@redhat.com⟩
393
394
395       Mar 2019, Added  additional  configuration  format  by  Sascha  Grunert
396       sgrunert@suse.com ⟨mailto:sgrunert@suse.com⟩
397
398
399       Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg
400       vrothberg@suse.com ⟨mailto:vrothberg@suse.com⟩
401
402
403       Jun    2018,    Updated    by    Tom    Sweeney     tsweeney@redhat.com
404       ⟨mailto:tsweeney@redhat.com⟩
405
406
407       Aug   2017,   Originally  compiled  by  Brent  Baude  bbaude@redhat.com
408       ⟨mailto:bbaude@redhat.com⟩
409
410
411
412registry                          System-wide    CONTAINERS-REGISTRIES.CONF(5)
Impressum