6a0200
# For more information on this configuration file, see containers-registries.conf(5).
6a0200
#
6a0200
# There are multiple versions of the configuration syntax available, where the
6a0200
# second iteration is backwards compatible to the first one. Mixing up both
6a0200
# formats will result in an runtime error.
6a0200
#
6a0200
# The initial configuration format looks like this:
6a0200
#
d8f6d1
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
d8f6d1
# Red Hat recommends always using fully qualified image names including the registry server (full dns name),
d8f6d1
# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is
d8f6d1
# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to.
d8f6d1
# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com
d8f6d1
# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier
d8f6d1
# in the search list. The user would accidentally pull and run the attacker's image and code rather than the
d8f6d1
# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries
d8f6d1
# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent
d8f6d1
# an image from being spoofed, squatted or otherwise made insecure.  If it is necessary to use one of these
d8f6d1
# registries, it should be added at the end of the list.
d8f6d1
#
d8f6d1
# It is recommended to use fully-qualified images for pulling as the
d8f6d1
# destination registry is unambiguous. Pulling by digest
d8f6d1
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
d8f6d1
# tags.
d8f6d1
d8f6d1
# The following registries are a set of secure defaults provided by Red Hat.
d8f6d1
# Each of these registries provides container images curated, patched
d8f6d1
# and maintained by Red Hat and its partners
ebe432
#[registries.search]
ebe432
#registries = ['registry.access.redhat.com', 'registry.redhat.io']
ebe432
ebe432
# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat
ebe432
# does not curate, patch or maintain container images from the docker.io registry.
bae5f5
[registries.search]
ebe432
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
ebe432
d8f6d1
# The following registries entry can be used for convenience but includes
d8f6d1
# container images built by the community. This set of content comes with all
d8f6d1
# of the risks of any user generated content including security and performance
d8f6d1
# issues. To use this list first comment out the default list, then uncomment
d8f6d1
# the following list
ebe432
#[registries.search]
d8f6d1
#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']
bae5f5
6a0200
# Registries that do not use TLS when pulling images or uses self-signed
6a0200
# certificates.
bae5f5
[registries.insecure]
bae5f5
registries = []
bae5f5
6a0200
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry.  If you specify
6a0200
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
6a0200
# registries.  Blocked Registries is deprecated because other container runtimes and tools will not use it.
6a0200
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
6a0200
# registries you want to allow users to pull and push from.  policy.json gives greater flexibility, and
6a0200
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
6a0200
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
bae5f5
[registries.block]
bae5f5
registries = []
6a0200
6a0200
# The second version of the configuration format allows to specify registry
6a0200
# mirrors:
6a0200
#
6a0200
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
6a0200
# unqualified-search-registries = ["example.com"]
6a0200
#
6a0200
# [[registry]]
6a0200
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
6a0200
# # (only) the TOML table with the longest match for the input image name
6a0200
# # (taking into account namespace/repo/tag/digest separators) is used.
6a0200
# #
6a0200
# # If the prefix field is missing, it defaults to be the same as the "location" field.
6a0200
# prefix = "example.com/foo"
6a0200
#
6a0200
# # If true, unencrypted HTTP as well as TLS connections with untrusted
6a0200
# # certificates are allowed.
6a0200
# insecure = false
6a0200
#
6a0200
# # If true, pulling images with matching names is forbidden.
6a0200
# blocked = false
6a0200
#
6a0200
# # The physical location of the "prefix"-rooted namespace.
6a0200
# #
6a0200
# # By default, this equal to "prefix" (in which case "prefix" can be omitted
6a0200
# # and the [[registry]] TOML table can only specify "location").
6a0200
# #
6a0200
# # Example: Given
6a0200
# #   prefix = "example.com/foo"
6a0200
# #   location = "internal-registry-for-example.net/bar"
6a0200
# # requests for the image example.com/foo/myimage:latest will actually work with the
6a0200
# # internal-registry-for-example.net/bar/myimage:latest image.
6a0200
# location = internal-registry-for-example.com/bar"
6a0200
#
6a0200
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
6a0200
# #
6a0200
# # The mirrors are attempted in the specified order; the first one that can be
6a0200
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
6a0200
# # the primary location specified by the "registry.location" field, or using the unmodified
6a0200
# # user-specified reference, is tried last).
6a0200
# #
6a0200
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
6a0200
# # as if specified in the [[registry]] TOML table directly:
6a0200
# # - location
6a0200
# # - insecure
6a0200
# [[registry.mirror]]
6a0200
# location = "example-mirror-0.local/mirror-for-foo"
6a0200
# [[registry.mirror]]
6a0200
# location = "example-mirror-1.local/mirrors/foo"
6a0200
# insecure = true
6a0200
# # Given the above, a pull of example.com/foo/image:latest will try:
6a0200
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
6a0200
# # 2. example-mirror-1.local/mirrors/foo/image:latest
6a0200
# # 3. internal-registry-for-example.net/bar/myimage:latest
6a0200
# # in order, and use the first one that exists.