1CONTAINERS-REGISTRIES.CONF(5) configuration CONTAINERS-REGISTRIES.CONF(5)
2Brent Baude Aug 2017
6
9 containers-registries.conf - Syntax of System Registry Configuration
10 File
11
15 The CONTAINERS-REGISTRIES configuration file is a system-wide configu‐
16 ration file for container image registries. The file format is TOML.
17 Container engines will use the $HOME/.config/containers/registries.conf
20 if it exists, otherwise they will use /etc/containers/registries.conf
21 GLOBAL SETTINGS
24 unqualified-search-registries
25 An array of host[:port] registries to try when pulling an un‐
26 qualified image, in order.
27 credential-helpers
30 An array of default credential helpers used as external creden‐
31 tial stores. Note that "containers-auth.json" is a reserved
32 value to use auth files as specified in containers-auth.json(5).
33 The credential helpers are set to ["containers-auth.json"] if
34 none are specified.
35 NAMESPACED [[registry]] SETTINGS
38 The bulk of the configuration is represented as an array of [[reg‐
39 istry]] TOML tables; the settings may therefore differ among different
40 registries as well as among different namespaces/repositories within a
41 registry.
42 Choosing a [[registry]] TOML table
45 Given an image name, a single [[registry]] TOML table is chosen based
46 on its prefix field.
47 prefix: A prefix of the user-specified image name, i.e. using one of
50 the following formats:
51 - host[:port]
52 - host[:port]/namespace[/_namespace_…]
53 - host[:port]/namespace[/_namespace_…]/repo
54 - host[:port]/namespace[/_namespace_…]/repo(:_tag|@digest)
55 - [*.]host
56 The user-specified image name must start with the specified prefix (and
59 continue with the appropriate separator) for a particular [[registry]]
60 TOML table to be considered; (only) the TOML table with the longest
61 match is used. It can also include wildcarded subdomains in the format
62 *.example.com. The wildcard should only be present at the beginning as
63 shown in the formats above. Other cases will not work. For example,
64 *.example.com is valid but example.*.com, *.example.com/foo and *.exam‐
65 ple.com:5000/foo/bar:baz are not. Note that * matches an arbitrary
66 number of subdomains. *.example.com will hence match bar.example.com,
67 foo.bar.example.com and so on.
68 As a special case, the prefix field can be missing; if so, it defaults
71 to the value of the location field (described below).
72 Per-namespace settings
75 insecure
76 true or false. By default, container runtimes require TLS when
77 retrieving images from a registry. If insecure is set to true,
78 unencrypted HTTP as well as TLS connections with untrusted cer‐
79 tificates are allowed.
80 blocked
83 true or false. If true, pulling images with matching names is
84 forbidden.
85 Remapping and mirroring registries
88 The user-specified image reference is, primarily, a "logical" image
89 name, always used for naming the image. By default, the image refer‐
90 ence also directly specifies the registry and repository to use, but
91 the following options can be used to redirect the underlying accesses
92 to different registry servers or locations (e.g. to support configura‐
93 tions with no access to the internet without having to change Docker‐
94 files, or to add redundancy).
95 location
98 Accepts the same format as the prefix field, and specifies the
99 physical location of the prefix-rooted namespace.
100 By default, this is equal to prefix (in which case prefix can be omit‐
103 ted and the [[registry]] TOML table can only specify location).
104 Example: Given
107 prefix = "example.com/foo"
110 location = "internal-registry-for-example.com/bar"
111 requests for the image example.com/foo/myimage:latest will actually
115 work with the internal-registry-for-example.com/bar/myimage:latest im‐
116 age.
117 With a prefix containing a wildcard in the format: "*.example.com" for
120 subdomain matching, the location can be empty. In such a case, prefix
121 matching will occur, but no reference rewrite will occur. The original
122 requested image string will be used as-is. But other settings like in‐
123 secure / blocked / mirrors will be applied to matching images.
124 Example: Given
127 prefix = "*.example.com"
130 requests for the image blah.example.com/foo/myimage:latest will be used
134 as-is. But other settings like insecure/blocked/mirrors will be applied
135 to matching images
136 mirror An array of TOML tables specifying (possibly-partial) mirrors
139 for the prefix-rooted namespace (i.e., the current [[registry]]
140 TOML table).
141 The mirrors are attempted in the specified order; the first one that
144 can be contacted and contains the image will be used (and if none of
145 the mirrors contains the image, the primary location specified by the
146 registry.location field, or using the unmodified user-specified refer‐
147 ence, is tried last).
148 Each TOML table in the mirror array can contain the following fields: -
151 location: same semantics as specified in the [[registry]] TOML table -
152 insecure: same semantics as specified in the [[registry]] TOML table -
153 pull-from-mirror: all, digest-only or tag-only. If "digest-only",
154 mirrors will only be used for digest pulls. Pulling images by tag can
155 potentially yield different images, depending on which endpoint we pull
156 from. Restricting mirrors to pulls by digest avoids that issue. If
157 "tag-only", mirrors will only be used for tag pulls. For a more up-to-
158 date and expensive mirror that it is less likely to be out of sync if
159 tags move, it should not be unnecessarily used for digest references.
160 Default is "all" (or left empty), mirrors will be used for both digest
161 pulls and tag pulls unless the mirror-by-digest-only is set for the
162 primary registry. Note that this per-mirror setting is allowed only
163 when mirror-by-digest-only is not configured for the primary registry.
164 mirror-by-digest-only
167 true or false. If true, mirrors will only be used during
168 pulling if the image reference includes a digest. Note that if
169 all mirrors are configured to be digest-only, images referenced
170 by a tag will only use the primary registry. If all mirrors are
171 configured to be tag-only, images referenced by a digest will
172 only use the primary registry.
173 Referencing an image by digest ensures that the same is always used
176 (whereas referencing an image by a tag may cause different registries
177 to return different images if the tag mapping is out of sync).
178 Note: Redirection and mirrors are currently processed only when reading
181 a single image, not when pushing to a registry nor when doing any other
182 kind of lookup/search on a on a registry. This may change in the fu‐
183 ture.
184 Short-Name Aliasing
187 The use of unqualified-search registries entails an ambiguity as it is
188 unclear from which registry a given image, referenced by a short name,
189 may be pulled from.
190 As mentioned in the note at the end of this man page, using short names
193 is subject to the risk of hitting squatted registry namespaces. If the
194 unqualified-search registries are set to ["registry1.com", "reg‐
195 istry2.com"] an attacker may take over a namespace of registry1.com
196 such that an image may be pulled from registry1.com instead of the in‐
197 tended source registry2.com.
198 While it is highly recommended to always use fully-qualified image ref‐
201 erences, existing deployments using short names may not be easily
202 changed. To circumvent the aforementioned ambiguity, so called short-
203 name aliases can be configured that point to a fully-qualified image
204 reference.
205 Short-name aliases can be configured in the [aliases] table in the form
208 of "name"="value" with the left-hand name being the short name (e.g.,
209 "image") and the right-hand value being the fully-qualified image ref‐
210 erence (e.g., "registry.com/namespace/image"). Note that neither
211 "name" nor "value" can include a tag or digest. Moreover, "name" must
212 be a short name and hence cannot include a registry domain or refer to
213 localhost.
214 When pulling a short name, the configured aliases table will be used
217 for resolving the short name. If a matching alias is found, it will be
218 used without further consulting the unqualified-search registries list.
219 If no matching alias is found, the behavior can be controlled via the
220 short-name-mode option as described below.
221 Note that tags and digests are stripped off a user-specified short name
224 for alias resolution. Hence, "image", "image:tag" and "image@digest"
225 all resolve to the same alias (i.e., "image"). Stripped off tags and
226 digests are later appended to the resolved alias.
227 Further note that drop-in configuration files (see containers-reg‐
230 istries.conf.d(5)) can override aliases in the specific loading order
231 of the files. If the "value" of an alias is empty (i.e., ""), the
232 alias will be erased. However, a given "name" may only be specified
233 once in a single config file.
234 Short-Name Aliasing: Modes
237 The short-name-mode option supports three modes to control the behav‐
238 iour of short-name resolution.
239 • enforcing: If only one unqualified-search registry is set, use
242 it as there is no ambiguity. If there is more than one reg‐
243 istry and the user program is running in a terminal (i.e.,
244 stdout & stdin are a TTY), prompt the user to select one of
245 the specified search registries. If the program is not run‐
246 ning in a terminal, the ambiguity cannot be resolved which
247 will lead to an error.
248 • permissive: Behaves as enforcing but does not lead to an error
250 if the program is not running in a terminal. Instead, fall‐
251 back to using all unqualified-search registries.
252 • disabled: Use all unqualified-search registries without
254 prompting.
255 If short-name-mode is not specified at all or left empty, default to
259 the permissive mode. If the user-specified short name was not aliased
260 already, the enforcing and permissive mode if prompted, will record a
261 new alias after a successful pull. Note that the recorded alias will
262 be written to /var/cache/containers/short-name-aliases.conf for root to
263 have a clear separation between possibly human-edited registries.conf
264 files and the machine-generated short-name-aliases-conf. Note that
265 $HOME/.cache is used for rootless users. If an alias is specified in a
266 registries.conf file and also the machine-generated short-name-
267 aliases.conf, the short-name-aliases.conf file has precedence.
268 Normalization of docker.io references
271 The Docker Hub docker.io is handled in a special way: every push and
272 pull operation gets internally normalized with /library if no other
273 specific namespace is defined (for example on docker.io/namespace/im‐
274 age).
275 (Note that the above-described normalization happens to match the be‐
278 havior of Docker.)
279 This means that a pull of docker.io/alpine will be internally trans‐
282 lated to docker.io/library/alpine. A pull of docker.io/user/alpine will
283 not be rewritten because this is already the correct remote path.
284 Therefore, to remap or mirror the docker.io images in the (implied)
287 /library namespace (or that whole namespace), the prefix and location
288 fields in this configuration file must explicitly include that /library
289 namespace. For example prefix = "docker.io/library/alpine" and not pre‐
290 fix = "docker.io/alpine". The latter would match the docker.io/alpine/*
291 repositories but not the docker.io/[library/]alpine image).
292 EXAMPLE
295 unqualified-search-registries = ["example.com"]
296 [[registry]]
298 prefix = "example.com/foo"
299 insecure = false
300 blocked = false
301 location = "internal-registry-for-example.com/bar"
302 [[registry.mirror]]
304 location = "example-mirror-0.local/mirror-for-foo"
305 [[registry.mirror]]
307 location = "example-mirror-1.local/mirrors/foo"
308 insecure = true
309 [[registry]]
311 location = "registry.com"
312 [[registry.mirror]]
314 location = "mirror.registry.com"
315 Given the above, a pull of example.com/foo/image:latest will try:
319 1. example-mirror-0.local/mirror-for-foo/image:latest
322 2. example-mirror-1.local/mirrors/foo/image:latest
324 3. internal-registry-for-example.com/bar/image:latest
326 in order, and use the first one that exists.
330 Note that a mirror is associated only with the current [[registry]]
333 TOML table. If using the example above, pulling the image reg‐
334 istry.com/image:latest will hence only reach out to mirror.reg‐
335 istry.com, and the mirrors associated with example.com/foo will not be
336 considered.
337
340 VERSION 1 format is still supported but it does not support using reg‐
341 istry mirrors, longest-prefix matches, or location rewriting.
342 The TOML format is used to build a simple list of registries under
345 three categories: registries.search, registries.insecure, and reg‐
346 istries.block. You can list multiple registries using a comma sepa‐
347 rated list.
348 Search registries are used when the caller of a container runtime does
351 not fully specify the container image that they want to execute. These
352 registries are prepended onto the front of the specified container im‐
353 age until the named image is found at a registry.
354 Note that insecure registries can be used for any registry, not just
357 the registries listed under search.
358 The registries.insecure and registries.block lists have the same mean‐
361 ing as the insecure and blocked fields in the current version.
362 EXAMPLE
365 The following example configuration defines two searchable registries,
366 one insecure registry, and two blocked registries.
367 [registries.search]
370 registries = ['registry1.com', 'registry2.com']
371 [registries.insecure]
373 registries = ['registry3.com']
374 [registries.block]
376 registries = ['registry.untrusted.com', 'registry.unsafe.com']
377
382 We recommend always using fully qualified image names including the
383 registry server (full dns name), namespace, image name, and tag (e.g.,
384 registry.redhat.io/ubi8/ubi:latest). When using short names, there is
385 always an inherent risk that the image being pulled could be spoofed.
386 For example, a user wants to pull an image named foobar from a registry
387 and expects it to come from myregistry.com. If myregistry.com is not
388 first in the search list, an attacker could place a different foobar
389 image at a registry earlier in the search list. The user would acciden‐
390 tally pull and run the attacker's image and code rather than the in‐
391 tended content. We recommend only adding registries which are com‐
392 pletely trusted, i.e. registries which don't allow unknown or anonymous
393 users to create accounts with arbitrary names. This will prevent an im‐
394 age from being spoofed, squatted or otherwise made insecure. If it is
395 necessary to use one of these registries, it should be added at the end
396 of the list.
397 It is recommended to use fully-qualified images for pulling as the des‐
400 tination registry is unambiguous. Pulling by digest (i.e.,
401 quay.io/repository/name@digest) further eliminates the ambiguity of
402 tags.
403
407 containers-auth.json(5) containers-certs.d(5)
408
412 Dec 2019, Warning added for unqualified image names by Tom Sweeney
413 tsweeney@redhat.com ⟨mailto:tsweeney@redhat.com⟩
414 Mar 2019, Added additional configuration format by Sascha Grunert
417 sgrunert@suse.com ⟨mailto:sgrunert@suse.com⟩
418 Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg
421 vrothberg@suse.com ⟨mailto:vrothberg@suse.com⟩
422 Jun 2018, Updated by Tom Sweeney tsweeney@redhat.com
425 ⟨mailto:tsweeney@redhat.com⟩
426 Aug 2017, Originally compiled by Brent Baude bbaude@redhat.com
429 ⟨mailto:bbaude@redhat.com⟩
430registry System-wide CONTAINERS-REGISTRIES.CONF(5)