ae5259
% CONTAINERS-REGISTRIES.CONF 5 System-wide registry configuration file
bce470
% Brent Baude
bce470
% Aug 2017
bce470
bce470
# NAME
bce470
containers-registries.conf - Syntax of System Registry Configuration File
bce470
bce470
# DESCRIPTION
bce470
The CONTAINERS-REGISTRIES configuration file is a system-wide configuration
bce470
file for container image registries. The file format is TOML.
bce470
bce470
Container engines will use the `$HOME/.config/containers/registries.conf` if it exists, otherwise they will use `/etc/containers/registries.conf`
bce470
bce470
### GLOBAL SETTINGS
bce470
bce470
`unqualified-search-registries`
bce470
: An array of _host_[`:`_port_] registries to try when pulling an unqualified image, in order.
bce470
bce470
`credential-helpers`
bce470
: An array of default credential helpers used as external credential stores.  Note that "containers-auth.json" is a reserved value to use auth files as specified in containers-auth.json(5).  The credential helpers are set to `["containers-auth.json"]` if none are specified.
bce470
bce470
### NAMESPACED `[[registry]]` SETTINGS
bce470
bce470
The bulk of the configuration is represented as an array of `[[registry]]`
bce470
TOML tables; the settings may therefore differ among different registries
bce470
as well as among different namespaces/repositories within a registry.
bce470
bce470
#### Choosing a `[[registry]]` TOML table
bce470
bce470
Given an image name, a single `[[registry]]` TOML table is chosen based on its `prefix` field.
bce470
bce470
`prefix`: A prefix of the user-specified image name, i.e. using one of the following formats:
bce470
  - _host_[`:`_port_]
bce470
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]
bce470
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_
bce470
  - _host_[`:`_port_]`/`_namespace_[`/`_namespace_…]`/`_repo_(`:`_tag|`@`_digest_)
bce470
  - [`*.`]_host_
bce470
bce470
The user-specified image name must start with the specified `prefix` (and continue
bce470
with the appropriate separator) for a particular `[[registry]]` TOML table to be
bce470
considered; (only) the TOML table with the longest match is used. It can
bce470
also include wildcarded subdomains in the format `*.example.com`.
bce470
The wildcard should only be present at the beginning as shown in the formats
bce470
above. Other cases will not work. For example, `*.example.com` is valid but
bce470
`example.*.com`, `*.example.com/foo` and `*.example.com:5000/foo/bar:baz` are not.
38a67a
Note that `*` matches an arbitrary number of subdomains. `*.example.com` will hence
38a67a
match `bar.example.com`, `foo.bar.example.com` and so on.
bce470
bce470
As a special case, the `prefix` field can be missing; if so, it defaults to the value
bce470
of the `location` field (described below).
bce470
bce470
#### Per-namespace settings
bce470
bce470
`insecure`
bce470
: `true` or `false`.
bce470
By default, container runtimes require TLS when retrieving images from a registry.
bce470
If `insecure` is set to `true`, unencrypted HTTP as well as TLS connections with untrusted
bce470
certificates are allowed.
bce470
bce470
`blocked`
bce470
: `true` or `false`.
bce470
If `true`, pulling images with matching names is forbidden.
bce470
bce470
#### Remapping and mirroring registries
bce470
bce470
The user-specified image reference is, primarily, a "logical" image name, always used for naming
bce470
the image.  By default, the image reference also directly specifies the registry and repository
bce470
to use, but the following options can be used to redirect the underlying accesses
bce470
to different registry servers or locations (e.g. to support configurations with no access to the
bce470
internet without having to change `Dockerfile`s, or to add redundancy).
bce470
bce470
`location`
bce470
: Accepts the same format as the `prefix` field, and specifies the physical location
bce470
of the `prefix`-rooted namespace.
bce470
bce470
By default, this equal to `prefix` (in which case `prefix` can be omitted and the
bce470
`[[registry]]` TOML table can only specify `location`).
bce470
bce470
Example: Given
bce470
```
bce470
prefix = "example.com/foo"
bce470
location = "internal-registry-for-example.net/bar"
bce470
```
bce470
requests for the image `example.com/foo/myimage:latest` will actually work with the
bce470
`internal-registry-for-example.net/bar/myimage:latest` image.
bce470
bce470
With a `prefix` containing a wildcard in the format: "*.example.com" for subdomain matching,
bce470
the location can be empty. In such a case,
bce470
prefix matching will occur, but no reference rewrite will occur. The
bce470
original requested image string will be used as-is. But other settings like
bce470
`insecure` / `blocked` / `mirrors` will be applied to matching images.
bce470
bce470
Example: Given
bce470
```
bce470
prefix = "*.example.com"
bce470
```
bce470
requests for the image `blah.example.com/foo/myimage:latest` will be used
bce470
as-is. But other settings like insecure/blocked/mirrors will be applied to matching images
bce470
bce470
`mirror`
bce470
: An array of TOML tables specifying (possibly-partial) mirrors for the
38a67a
`prefix`-rooted namespace (i.e., the current `[[registry]]` TOML table).
bce470
bce470
The mirrors are attempted in the specified order; the first one that can be
bce470
contacted and contains the image will be used (and if none of the mirrors contains the image,
bce470
the primary location specified by the `registry.location` field, or using the unmodified
bce470
user-specified reference, is tried last).
bce470
38a67a
Each TOML table in the `mirror` array can contain the following fields:
38a67a
- `location`: same semantics
38a67a
as specified in the `[[registry]]` TOML table
38a67a
- `insecure`: same semantics
38a67a
as specified in the `[[registry]]` TOML table
38a67a
- `pull-from-mirror`: `all`, `digest-only` or `tag-only`.  If "digest-only", mirrors will only be used for digest pulls. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from.  Restricting mirrors to pulls by digest avoids that issue.  If "tag-only", mirrors will only be used for tag pulls.  For a more up-to-date and expensive mirror that it is less likely to be out of sync if tags move, it should not be unnecessarily used for digest references.  Default is "all" (or left empty), mirrors will be used for both digest pulls and tag pulls unless the mirror-by-digest-only is set for the primary registry.
38a67a
Note that this per-mirror setting is allowed only when `mirror-by-digest-only` is not configured for the primary registry.
bce470
bce470
`mirror-by-digest-only`
bce470
: `true` or `false`.
bce470
If `true`, mirrors will only be used during pulling if the image reference includes a digest.
38a67a
Note that if all mirrors are configured to be digest-only, images referenced by a tag will only use the primary
38a67a
registry.
38a67a
If all mirrors are configured to be tag-only, images referenced by a digest will only use the primary
38a67a
registry.
38a67a
bce470
Referencing an image by digest ensures that the same is always used
bce470
(whereas referencing an image by a tag may cause different registries to return
bce470
different images if the tag mapping is out of sync).
bce470
bce470
bce470
*Note*: Redirection and mirrors are currently processed only when reading images, not when pushing
bce470
to a registry; that may change in the future.
bce470
bce470
#### Short-Name Aliasing
bce470
The use of unqualified-search registries entails an ambiguity as it is
bce470
unclear from which registry a given image, referenced by a short name,
bce470
may be pulled from.
bce470
bce470
As mentioned in the note at the end of this man page, using short names is
bce470
subject to the risk of hitting squatted registry namespaces.  If the
bce470
unqualified-search registries are set to `["registry1.com", "registry2.com"]`
bce470
an attacker may take over a namespace of registry1.com such that an image may
bce470
be pulled from registry1.com instead of the intended source registry2.com.
bce470
bce470
While it is highly recommended to always use fully-qualified image references,
bce470
existing deployments using short names may not be easily changed.  To
bce470
circumvent the aforementioned ambiguity, so called short-name aliases can be
bce470
configured that point to a fully-qualified image
bce470
reference.
bce470
bce470
Short-name aliases can be configured in the `[aliases]` table in the form of
bce470
`"name"="value"` with the left-hand `name` being the short name (e.g., "image")
bce470
and the right-hand `value` being the fully-qualified image reference (e.g.,
bce470
"registry.com/namespace/image").  Note that neither "name" nor "value" can
bce470
include a tag or digest.  Moreover, "name" must be a short name and hence
bce470
cannot include a registry domain or refer to localhost.
bce470
bce470
When pulling a short name, the configured aliases table will be used for
bce470
resolving the short name.  If a matching alias is found, it will be used
bce470
without further consulting the unqualified-search registries list.  If no
bce470
matching alias is found, the behavior can be controlled via the
bce470
`short-name-mode` option as described below.
bce470
bce470
Note that tags and digests are stripped off a user-specified short name for
bce470
alias resolution.  Hence, "image", "image:tag" and "image@digest" all resolve
bce470
to the same alias (i.e., "image").  Stripped off tags and digests are later
bce470
appended to the resolved alias.
bce470
bce470
Further note that drop-in configuration files (see containers-registries.conf.d(5))
bce470
can override aliases in the specific loading order of the files.  If the "value" of
bce470
an alias is empty (i.e., ""), the alias will be erased.  However, a given
bce470
"name" may only be specified once in a single config file.
bce470
bce470
bce470
#### Short-Name Aliasing: Modes
bce470
bce470
The `short-name-mode` option supports three modes to control the behaviour of
bce470
short-name resolution.
bce470
bce470
* `enforcing`: If only one unqualified-search registry is set, use it as there
bce470
  is no ambiguity.  If there is more than one registry and the user program is
bce470
  running in a terminal (i.e., stdout & stdin are a TTY), prompt the user to
bce470
  select one of the specified search registries.  If the program is not running
bce470
  in a terminal, the ambiguity cannot be resolved which will lead to an error.
bce470
bce470
* `permissive`: Behaves as enforcing but does not lead to an error if the
bce470
  program is not running in a terminal.  Instead, fallback to using all
bce470
  unqualified-search registries.
bce470
bce470
* `disabled`: Use all unqualified-search registries without prompting.
bce470
bce470
If `short-name-mode` is not specified at all or left empty, default to the
bce470
`permissive` mode.  If the user-specified short name was not aliased already,
bce470
the `enforcing` and `permissive` mode if prompted, will record a new alias
bce470
after a successful pull.  Note that the recorded alias will be written to
bce470
`/var/cache/containers/short-name-aliases.conf` for root to have a clear
bce470
separation between possibly human-edited registries.conf files and the
bce470
machine-generated `short-name-aliases-conf`.  Note that `$HOME/.cache` is used
bce470
for rootless users.  If an alias is specified in a
bce470
`registries.conf` file and also the machine-generated
bce470
`short-name-aliases.conf`, the `short-name-aliases.conf` file has precedence.
bce470
bce470
#### Normalization of docker.io references
bce470
bce470
The Docker Hub `docker.io` is handled in a special way: every push and pull
bce470
operation gets internally normalized with `/library` if no other specific
bce470
namespace is defined (for example on `docker.io/namespace/image`).
bce470
bce470
(Note that the above-described normalization happens to match the behavior of
bce470
Docker.)
bce470
bce470
This means that a pull of `docker.io/alpine` will be internally translated to
bce470
`docker.io/library/alpine`. A pull of `docker.io/user/alpine` will not be
bce470
rewritten because this is already the correct remote path.
bce470
bce470
Therefore, to remap or mirror the `docker.io` images in the (implied) `/library`
bce470
namespace (or that whole namespace), the prefix and location fields in this
bce470
configuration file must explicitly include that `/library` namespace. For
bce470
example `prefix = "docker.io/library/alpine"` and not `prefix =
bce470
"docker.io/alpine"`. The latter would match the `docker.io/alpine/*`
bce470
repositories but not the `docker.io/[library/]alpine` image).
bce470
bce470
### EXAMPLE
bce470
bce470
```
bce470
unqualified-search-registries = ["example.com"]
bce470
bce470
[[registry]]
bce470
prefix = "example.com/foo"
bce470
insecure = false
bce470
blocked = false
bce470
location = "internal-registry-for-example.com/bar"
bce470
bce470
[[registry.mirror]]
bce470
location = "example-mirror-0.local/mirror-for-foo"
bce470
bce470
[[registry.mirror]]
bce470
location = "example-mirror-1.local/mirrors/foo"
bce470
insecure = true
38a67a
38a67a
[[registry]]
38a67a
location = "registry.com"
38a67a
38a67a
[[registry.mirror]]
38a67a
location = "mirror.registry.com"
bce470
```
bce470
Given the above, a pull of `example.com/foo/image:latest` will try:
38a67a
38a67a
1. `example-mirror-0.local/mirror-for-foo/image:latest`
38a67a
2. `example-mirror-1.local/mirrors/foo/image:latest`
38a67a
3. `internal-registry-for-example.net/bar/image:latest`
bce470
bce470
in order, and use the first one that exists.
bce470
38a67a
Note that a mirror is associated only with the current `[[registry]]` TOML table. If using the example above, pulling the image `registry.com/image:latest` will hence only reach out to `mirror.registry.com`, and the mirrors associated with `example.com/foo` will not be considered.
38a67a
bce470
## VERSION 1 FORMAT - DEPRECATED
bce470
VERSION 1 format is still supported but it does not support
bce470
using registry mirrors, longest-prefix matches, or location rewriting.
bce470
bce470
The TOML format is used to build a simple list of registries under three
bce470
categories: `registries.search`, `registries.insecure`, and `registries.block`.
bce470
You can list multiple registries using a comma separated list.
bce470
bce470
Search registries are used when the caller of a container runtime does not fully specify the
bce470
container image that they want to execute.  These registries are prepended onto the front
bce470
of the specified container image until the named image is found at a registry.
bce470
bce470
Note that insecure registries can be used for any registry, not just the registries listed
bce470
under search.
bce470
bce470
The `registries.insecure` and `registries.block` lists have the same meaning as the
bce470
`insecure` and `blocked` fields in the current version.
bce470
bce470
### EXAMPLE
bce470
The following example configuration defines two searchable registries, one
bce470
insecure registry, and two blocked registries.
bce470
bce470
```
bce470
[registries.search]
bce470
registries = ['registry1.com', 'registry2.com']
bce470
bce470
[registries.insecure]
bce470
registries = ['registry3.com']
bce470
bce470
[registries.block]
bce470
registries = ['registry.untrusted.com', 'registry.unsafe.com']
bce470
```
bce470
bce470
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
bce470
We recommend always using fully qualified image names including the registry
bce470
server (full dns name), namespace, image name, and tag
bce470
(e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
bce470
always an inherent risk that the image being pulled could be spoofed. For
bce470
example, a user wants to pull an image named `foobar` from a registry and
bce470
expects it to come from myregistry.com. If myregistry.com is not first in the
bce470
search list, an attacker could place a different `foobar` image at a registry
bce470
earlier in the search list. The user would accidentally pull and run the
bce470
attacker's image and code rather than the intended content. We recommend only
bce470
adding registries which are completely trusted, i.e. registries which don't
bce470
allow unknown or anonymous users to create accounts with arbitrary names. This
bce470
will prevent an image from being spoofed, squatted or otherwise made insecure.
bce470
If it is necessary to use one of these registries, it should be added at the
bce470
end of the list.
bce470
bce470
It is recommended to use fully-qualified images for pulling as
bce470
the destination registry is unambiguous. Pulling by digest
bce470
(i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
bce470
tags.
bce470
bce470
# SEE ALSO
bce470
 containers-auth.json(5) containers-certs.d(5)
bce470
bce470
# HISTORY
bce470
Dec 2019, Warning added for unqualified image names by Tom Sweeney <tsweeney@redhat.com>
bce470
bce470
Mar 2019, Added additional configuration format by Sascha Grunert <sgrunert@suse.com>
bce470
bce470
Aug 2018, Renamed to containers-registries.conf(5) by Valentin Rothberg <vrothberg@suse.com>
bce470
bce470
Jun 2018, Updated by Tom Sweeney <tsweeney@redhat.com>
bce470
bce470
Aug 2017, Originally compiled by Brent Baude <bbaude@redhat.com>