|
 |
22ca95d |
# For more information on this configuration file, see containers-registries.conf(5).
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# There are multiple versions of the configuration syntax available, where the
|
|
|
22ca95d |
# second iteration is backwards compatible to the first one. Mixing up both
|
|
|
22ca95d |
# formats will result in an runtime error.
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# The initial configuration format looks like this:
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# Registries to search for images that are not fully-qualified.
|
|
|
22ca95d |
# i.e. foobar.com/my_image:latest vs my_image:latest
|
|
|
61dd105 |
#
|
|
|
61dd105 |
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES.
|
|
|
61dd105 |
# Pulling an image that is not fully qualified, i.e., one that includes the
|
|
|
61dd105 |
# image name but does not include the registry or tag, is not recommended.
|
|
|
61dd105 |
# There is a risk that the image being pulled could be spoofed. An example
|
|
|
61dd105 |
# of this would be if a user wanted to pull an image named `foobar` from a
|
|
|
61dd105 |
# registry and expect it to come from myregistry.com. If myregistry.com is
|
|
|
61dd105 |
# not first in the search list, an attacker could place a different `foobar`
|
|
|
61dd105 |
# image at a registry earlier in the search list. Now you would accidentally
|
|
|
61dd105 |
# run the attackers code rather than the intended content. Registries that
|
|
|
61dd105 |
# are added to this list should be completely controlled, i.e., not allow
|
|
|
61dd105 |
# unknown/arbitrary users being able to create accounts with arbitrary names
|
|
|
61dd105 |
# to prevent an image from being spoofed, squatted or otherwise made
|
|
|
61dd105 |
# insecure. If it is necessary to use one of these registries, it should be
|
|
|
61dd105 |
# added at the end of the list.
|
|
|
61dd105 |
#
|
|
|
61dd105 |
# It is recommended to use fully-qualified images for pulling as the
|
|
|
61dd105 |
# destination registry is unambiguous. Pulling by digest
|
|
|
61dd105 |
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
|
|
|
61dd105 |
# tags.
|
|
|
61dd105 |
|
|
|
14de4cc |
[registries.search]
|
|
|
61dd105 |
registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
|
|
|
14de4cc |
|
|
|
22ca95d |
# Registries that do not use TLS when pulling images or uses self-signed
|
|
|
22ca95d |
# certificates.
|
|
|
14de4cc |
[registries.insecure]
|
|
|
14de4cc |
registries = []
|
|
|
14de4cc |
|
|
|
22ca95d |
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
|
|
|
22ca95d |
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
|
|
|
22ca95d |
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
|
|
|
22ca95d |
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
|
|
|
22ca95d |
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
|
|
|
22ca95d |
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
|
|
|
22ca95d |
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
|
|
|
14de4cc |
[registries.block]
|
|
|
14de4cc |
registries = []
|
|
|
22ca95d |
|
|
|
22ca95d |
# The second version of the configuration format allows to specify registry
|
|
|
22ca95d |
# mirrors:
|
|
|
22ca95d |
#
|
|
|
61dd105 |
# NOTE: Please read the note about the risk of unqualified images identified above.
|
|
|
22ca95d |
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
|
|
|
22ca95d |
# unqualified-search-registries = ["example.com"]
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# [[registry]]
|
|
|
22ca95d |
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
|
|
|
22ca95d |
# # (only) the TOML table with the longest match for the input image name
|
|
|
22ca95d |
# # (taking into account namespace/repo/tag/digest separators) is used.
|
|
|
22ca95d |
# #
|
|
|
22ca95d |
# # If the prefix field is missing, it defaults to be the same as the "location" field.
|
|
|
22ca95d |
# prefix = "example.com/foo"
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# # If true, unencrypted HTTP as well as TLS connections with untrusted
|
|
|
22ca95d |
# # certificates are allowed.
|
|
|
22ca95d |
# insecure = false
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# # If true, pulling images with matching names is forbidden.
|
|
|
22ca95d |
# blocked = false
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# # The physical location of the "prefix"-rooted namespace.
|
|
|
22ca95d |
# #
|
|
|
22ca95d |
# # By default, this equal to "prefix" (in which case "prefix" can be omitted
|
|
|
22ca95d |
# # and the [[registry]] TOML table can only specify "location").
|
|
|
22ca95d |
# #
|
|
|
22ca95d |
# # Example: Given
|
|
|
22ca95d |
# # prefix = "example.com/foo"
|
|
|
22ca95d |
# # location = "internal-registry-for-example.net/bar"
|
|
|
22ca95d |
# # requests for the image example.com/foo/myimage:latest will actually work with the
|
|
|
22ca95d |
# # internal-registry-for-example.net/bar/myimage:latest image.
|
|
|
22ca95d |
# location = internal-registry-for-example.com/bar"
|
|
|
22ca95d |
#
|
|
|
22ca95d |
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
|
|
|
22ca95d |
# #
|
|
|
22ca95d |
# # The mirrors are attempted in the specified order; the first one that can be
|
|
|
22ca95d |
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
|
|
|
22ca95d |
# # the primary location specified by the "registry.location" field, or using the unmodified
|
|
|
22ca95d |
# # user-specified reference, is tried last).
|
|
|
22ca95d |
# #
|
|
|
22ca95d |
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
|
|
|
22ca95d |
# # as if specified in the [[registry]] TOML table directly:
|
|
|
22ca95d |
# # - location
|
|
|
22ca95d |
# # - insecure
|
|
|
22ca95d |
# [[registry.mirror]]
|
|
|
22ca95d |
# location = "example-mirror-0.local/mirror-for-foo"
|
|
|
22ca95d |
# [[registry.mirror]]
|
|
|
22ca95d |
# location = "example-mirror-1.local/mirrors/foo"
|
|
|
22ca95d |
# insecure = true
|
|
|
22ca95d |
# # Given the above, a pull of example.com/foo/image:latest will try:
|
|
|
22ca95d |
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
|
|
|
22ca95d |
# # 2. example-mirror-1.local/mirrors/foo/image:latest
|
|
|
22ca95d |
# # 3. internal-registry-for-example.net/bar/myimage:latest
|
|
|
22ca95d |
# # in order, and use the first one that exists.
|