| 192 |
- |
1 |
# For more information on this configuration file, see containers-registries.conf(5).
|
|
|
2 |
#
|
|
|
3 |
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
|
| 203 |
- |
4 |
# We recommend always using fully qualified image names including the registry
|
|
|
5 |
# server (full dns name), namespace, image name, and tag
|
|
|
6 |
# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
|
|
|
7 |
# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
|
|
|
8 |
# When using short names, there is always an inherent risk that the image being
|
|
|
9 |
# pulled could be spoofed. For example, a user wants to pull an image named
|
|
|
10 |
# `foobar` from a registry and expects it to come from myregistry.com. If
|
|
|
11 |
# myregistry.com is not first in the search list, an attacker could place a
|
|
|
12 |
# different `foobar` image at a registry earlier in the search list. The user
|
|
|
13 |
# would accidentally pull and run the attacker's image and code rather than the
|
|
|
14 |
# intended content. We recommend only adding registries which are completely
|
|
|
15 |
# trusted (i.e., registries which don't allow unknown or anonymous users to
|
|
|
16 |
# create accounts with arbitrary names). This will prevent an image from being
|
|
|
17 |
# spoofed, squatted or otherwise made insecure. If it is necessary to use one
|
|
|
18 |
# of these registries, it should be added at the end of the list.
|
| 192 |
- |
19 |
#
|
| 203 |
- |
20 |
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
| 192 |
- |
21 |
|
| 203 |
- |
22 |
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "docker.io"]
|
| 192 |
- |
23 |
|
|
|
24 |
# [[registry]]
|
|
|
25 |
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
|
|
26 |
# # (only) the TOML table with the longest match for the input image name
|
|
|
27 |
# # (taking into account namespace/repo/tag/digest separators) is used.
|
| 203 |
- |
28 |
# #
|
|
|
29 |
# # The prefix can also be of the form: *.example.com for wildcard subdomain
|
|
|
30 |
# # matching.
|
| 192 |
- |
31 |
# #
|
|
|
32 |
# # If the prefix field is missing, it defaults to be the same as the "location" field.
|
|
|
33 |
# prefix = "example.com/foo"
|
|
|
34 |
#
|
|
|
35 |
# # If true, unencrypted HTTP as well as TLS connections with untrusted
|
|
|
36 |
# # certificates are allowed.
|
|
|
37 |
# insecure = false
|
|
|
38 |
#
|
|
|
39 |
# # If true, pulling images with matching names is forbidden.
|
|
|
40 |
# blocked = false
|
|
|
41 |
#
|
|
|
42 |
# # The physical location of the "prefix"-rooted namespace.
|
|
|
43 |
# #
|
| 203 |
- |
44 |
# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
|
| 192 |
- |
45 |
# # and the [[registry]] TOML table can only specify "location").
|
|
|
46 |
# #
|
|
|
47 |
# # Example: Given
|
|
|
48 |
# # prefix = "example.com/foo"
|
|
|
49 |
# # location = "internal-registry-for-example.net/bar"
|
|
|
50 |
# # requests for the image example.com/foo/myimage:latest will actually work with the
|
|
|
51 |
# # internal-registry-for-example.net/bar/myimage:latest image.
|
| 203 |
- |
52 |
#
|
|
|
53 |
# # The location can be empty iff prefix is in a
|
|
|
54 |
# # wildcarded format: "*.example.com". In this case, the input reference will
|
|
|
55 |
# # be used as-is without any rewrite.
|
| 192 |
- |
56 |
# location = internal-registry-for-example.com/bar"
|
|
|
57 |
#
|
|
|
58 |
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
|
|
|
59 |
# #
|
|
|
60 |
# # The mirrors are attempted in the specified order; the first one that can be
|
|
|
61 |
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
|
|
|
62 |
# # the primary location specified by the "registry.location" field, or using the unmodified
|
|
|
63 |
# # user-specified reference, is tried last).
|
|
|
64 |
# #
|
|
|
65 |
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
|
|
|
66 |
# # as if specified in the [[registry]] TOML table directly:
|
|
|
67 |
# # - location
|
|
|
68 |
# # - insecure
|
|
|
69 |
# [[registry.mirror]]
|
|
|
70 |
# location = "example-mirror-0.local/mirror-for-foo"
|
|
|
71 |
# [[registry.mirror]]
|
|
|
72 |
# location = "example-mirror-1.local/mirrors/foo"
|
|
|
73 |
# insecure = true
|
|
|
74 |
# # Given the above, a pull of example.com/foo/image:latest will try:
|
|
|
75 |
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
|
|
|
76 |
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
| 203 |
- |
77 |
# # 3. internal-registry-for-example.net/bar/image:latest
|
| 192 |
- |
78 |
# # in order, and use the first one that exists.
|
| 203 |
- |
79 |
short-name-mode = "permissive"
|