6a0200
% CONTAINERS-REGISTRIES.D(5) Registries.d Man Page
6a0200
% Miloslav Trmač
6a0200
% August 2016
6a0200
6a0200
# NAME
6a0200
containers-registries.d - Directory for various registries configurations
6a0200
6a0200
# DESCRIPTION
6a0200
6a0200
The registries configuration directory contains configuration for various registries
6a0200
(servers storing remote container images), and for content stored in them,
6a0200
so that the configuration does not have to be provided in command-line options over and over for every command,
6a0200
and so that it can be shared by all users of containers/image.
6a0200
85cf5c
By default, the registries configuration directory is `$HOME/.config/containers/registries.d` if it exists, otherwise `/etc/containers/registries.d` (unless overridden at compile-time);
6a0200
applications may allow using a different directory instead.
6a0200
6a0200
## Directory Structure
6a0200
6a0200
The directory may contain any number of files with the extension `.yaml`,
6a0200
each using the YAML format.  Other than the mandatory extension, names of the files
6a0200
don’t matter.
6a0200
6a0200
The contents of these files are merged together; to have a well-defined and easy to understand
6a0200
behavior, there can be only one configuration section describing a single namespace within a registry
6a0200
(in particular there can be at most one one `default-docker` section across all files,
2d4258
and there can be at most one instance of any key under the `docker` section;
6a0200
these sections are documented later).
6a0200
6a0200
Thus, it is forbidden to have two conflicting configurations for a single registry or scope,
6a0200
and it is also forbidden to split a configuration for a single registry or scope across
6a0200
more than one file (even if they are not semantically in conflict).
6a0200
6a0200
## Registries, Scopes and Search Order
6a0200
6a0200
Each YAML file must contain a “YAML mapping” (key-value pairs).  Two top-level keys are defined:
6a0200
6a0200
- `default-docker` is the _configuration section_ (as documented below)
6a0200
   for registries implementing "Docker Registry HTTP API V2".
6a0200
6a0200
   This key is optional.
6a0200
6a0200
- `docker` is a mapping, using individual registries implementing "Docker Registry HTTP API V2",
6a0200
   or namespaces and individual images within these registries, as keys;
6a0200
   the value assigned to any such key is a _configuration section_.
6a0200
6a0200
   This key is optional.
6a0200
6a0200
   Scopes matching individual images are named Docker references *in the fully expanded form*, either
6a0200
   using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
6a0200
6a0200
   More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
6a0200
   a repository namespace, or a registry host (and a port if it differs from the default).
6a0200
6a0200
   Note that if a registry is accessed using a hostname+port configuration, the port-less hostname
6a0200
   is _not_ used as parent scope.
6a0200
6a0200
When searching for a configuration to apply for an individual container image, only
6a0200
the configuration for the most-precisely matching scope is used; configuration using
6a0200
more general scopes is ignored.  For example, if _any_ configuration exists for
6a0200
`docker.io/library/busybox`, the configuration for `docker.io` is ignored
6a0200
(even if some element of the configuration is defined for `docker.io` and not for `docker.io/library/busybox`).
6a0200
379816
### Built-in Defaults
379816
379816
If no `docker` section can be found for the container image, and no `default-docker` section is configured,
379816
the default directory, `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for unprivileged user,  will be used for reading and writing signatures.
379816
6a0200
## Individual Configuration Sections
6a0200
6a0200
A single configuration section is selected for a container image using the process
6a0200
described above.  The configuration section is a YAML mapping, with the following keys:
6a0200
6a0200
- `sigstore-staging` defines an URL of of the signature storage, used for editing it (adding or deleting signatures).
6a0200
6a0200
   This key is optional; if it is missing, `sigstore` below is used.
6a0200
6a0200
- `sigstore` defines an URL of the signature storage.
6a0200
   This URL is used for reading existing signatures,
6a0200
   and if `sigstore-staging` does not exist, also for adding or removing them.
6a0200
6a0200
   This key is optional; if it is missing, no signature storage is defined (no signatures
6a0200
   are download along with images, adding new signatures is possible only if `sigstore-staging` is defined).
6a0200
379816
6a0200
## Examples
6a0200
6a0200
### Using Containers from Various Origins
6a0200
6a0200
The following demonstrates how to to consume and run images from various registries and namespaces:
6a0200
6a0200
```yaml
6a0200
docker:
6a0200
    registry.database-supplier.com:
6a0200
        sigstore: https://sigstore.database-supplier.com
6a0200
    distribution.great-middleware.org:
6a0200
        sigstore: https://security-team.great-middleware.org/sigstore
6a0200
    docker.io/web-framework:
6a0200
        sigstore: https://sigstore.web-framework.io:8080
6a0200
```
6a0200
6a0200
### Developing and Signing Containers, Staging Signatures
6a0200
6a0200
For developers in `example.com`:
6a0200
6a0200
- Consume most container images using the public servers also used by clients.
2d4258
- Use a separate signature storage for an container images in a namespace corresponding to the developers' department, with a staging storage used before publishing signatures.
6a0200
- Craft an individual exception for a single branch a specific developer is working on locally.
6a0200
6a0200
```yaml
6a0200
docker:
6a0200
    registry.example.com:
6a0200
        sigstore: https://registry-sigstore.example.com
6a0200
    registry.example.com/mydepartment:
6a0200
        sigstore: https://sigstore.mydepartment.example.com
6a0200
        sigstore-staging: file:///mnt/mydepartment/sigstore-staging
6a0200
    registry.example.com/mydepartment/myproject:mybranch:
6a0200
        sigstore: http://localhost:4242/sigstore
6a0200
        sigstore-staging: file:///home/useraccount/webroot/sigstore
6a0200
```
6a0200
6a0200
### A Global Default
6a0200
6a0200
If a company publishes its products using a different domain, and different registry hostname for each of them, it is still possible to use a single signature storage server
6a0200
without listing each domain individually. This is expected to rarely happen, usually only for staging new signatures.
6a0200
6a0200
```yaml
6a0200
default-docker:
6a0200
    sigstore-staging: file:///mnt/company/common-sigstore-staging
6a0200
```
6a0200
6a0200
# AUTHORS
6a0200
6a0200
Miloslav Trmač <mitr@redhat.com>