registries.conf (3799B)
1 # For more information on this configuration file, see containers-registries.conf(5). 2 # 3 # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES 4 # We recommend always using fully qualified image names including the registry 5 # server (full dns name), namespace, image name, and tag 6 # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., 7 # quay.io/repository/name@digest) further eliminates the ambiguity of tags. 8 # When using short names, there is always an inherent risk that the image being 9 # pulled could be spoofed. For example, a user wants to pull an image named 10 # `foobar` from a registry and expects it to come from myregistry.com. If 11 # myregistry.com is not first in the search list, an attacker could place a 12 # different `foobar` image at a registry earlier in the search list. The user 13 # would accidentally pull and run the attacker's image and code rather than the 14 # intended content. We recommend only adding registries which are completely 15 # trusted (i.e., registries which don't allow unknown or anonymous users to 16 # create accounts with arbitrary names). This will prevent an image from being 17 # spoofed, squatted or otherwise made insecure. If it is necessary to use one 18 # of these registries, it should be added at the end of the list. 19 # 20 # # An array of host[:port] registries to try when pulling an unqualified image, in order. 21 # unqualified-search-registries = ["example.com"] 22 # 23 # [[registry]] 24 # # The "prefix" field is used to choose the relevant [[registry]] TOML table; 25 # # (only) the TOML table with the longest match for the input image name 26 # # (taking into account namespace/repo/tag/digest separators) is used. 27 # # 28 # # The prefix can also be of the form: *.example.com for wildcard subdomain 29 # # matching. 30 # # 31 # # If the prefix field is missing, it defaults to be the same as the "location" field. 32 # prefix = "example.com/foo" 33 # 34 # # If true, unencrypted HTTP as well as TLS connections with untrusted 35 # # certificates are allowed. 36 # insecure = false 37 # 38 # # If true, pulling images with matching names is forbidden. 39 # blocked = false 40 # 41 # # The physical location of the "prefix"-rooted namespace. 42 # # 43 # # By default, this is equal to "prefix" (in which case "prefix" can be omitted 44 # # and the [[registry]] TOML table can only specify "location"). 45 # # 46 # # Example: Given 47 # # prefix = "example.com/foo" 48 # # location = "internal-registry-for-example.com/bar" 49 # # requests for the image example.com/foo/myimage:latest will actually work with the 50 # # internal-registry-for-example.com/bar/myimage:latest image. 51 # 52 # # The location can be empty if prefix is in a 53 # # wildcarded format: "*.example.com". In this case, the input reference will 54 # # be used as-is without any rewrite. 55 # location = internal-registry-for-example.com/bar" 56 # 57 # # (Possibly-partial) mirrors for the "prefix"-rooted namespace. 58 # # 59 # # The mirrors are attempted in the specified order; the first one that can be 60 # # contacted and contains the image will be used (and if none of the mirrors contains the image, 61 # # the primary location specified by the "registry.location" field, or using the unmodified 62 # # user-specified reference, is tried last). 63 # # 64 # # Each TOML table in the "mirror" array can contain the following fields, with the same semantics 65 # # as if specified in the [[registry]] TOML table directly: 66 # # - location 67 # # - insecure 68 # [[registry.mirror]] 69 # location = "example-mirror-0.local/mirror-for-foo" 70 # [[registry.mirror]] 71 # location = "example-mirror-1.local/mirrors/foo" 72 # insecure = true 73 # # Given the above, a pull of example.com/foo/image:latest will try: 74 # # 1. example-mirror-0.local/mirror-for-foo/image:latest 75 # # 2. example-mirror-1.local/mirrors/foo/image:latest 76 # # 3. internal-registry-for-example.com/bar/image:latest 77 # # in order, and use the first one that exists.