From a43d85dc67c2ff360a43f555192da37f0d143834 Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Thu, 1 Jul 2021 12:42:28 +0200
Subject: [PATCH] skopeo-1.3.1-3.el9

- update registries.conf to be consistent with upstream
- Related: #1970747

Signed-off-by: Jindrich Novy
---
 registries.conf | 87 +++++++++++++++----------------------------------
 skopeo.spec | 6 +++-
 2 files changed, 31 insertions(+), 62 deletions(-)

diff --git a/registries.conf b/registries.conf
index 4a82bbc..f9626f8 100644
--- a/registries.conf
+++ b/registries.conf
@@ -1,72 +1,33 @@
 # For more information on this configuration file, see containers-registries.conf(5).
 #
-# There are multiple versions of the configuration syntax available, where the
-# second iteration is backwards compatible to the first one. Mixing up both
-# formats will result in an runtime error.
-#
-# The initial configuration format looks like this:
-#
 # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
-# Red Hat recommends always using fully qualified image names including the registry server (full dns name),
-# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is
-# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to.
-# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com
-# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier
-# in the search list. The user would accidentally pull and run the attacker's image and code rather than the
-# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries
-# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent
-# an image from being spoofed, squatted or otherwise made insecure. If it is necessary to use one of these
-# registries, it should be added at the end of the list.
-#
-# It is recommended to use fully-qualified images for pulling as the
-# destination registry is unambiguous. Pulling by digest
-# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
-# tags.
-
-# The following registries are a set of secure defaults provided by Red Hat.
-# Each of these registries provides container images curated, patched
-# and maintained by Red Hat and its partners
-#[registries.search]
-#registries = ['registry.access.redhat.com', 'registry.redhat.io']
-
-# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat
-# does not curate, patch or maintain container images from the docker.io registry.
-[registries.search]
-registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
-
-# The following registries entry can be used for convenience but includes
-# container images built by the community. This set of content comes with all
-# of the risks of any user generated content including security and performance
-# issues. To use this list first comment out the default list, then uncomment
-# the following list
-#[registries.search]
-#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']
-
-# Registries that do not use TLS when pulling images or uses self-signed
-# certificates.
-[registries.insecure]
-registries = []
-
-# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
-# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
-# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
-# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
-# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
-# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
-# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
-[registries.block]
-registries = []
-
-# The second version of the configuration format allows to specify registry
-# mirrors:
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
 #
 # # An array of host[:port] registries to try when pulling an unqualified image, in order.
+
 unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
-#
+
 # [[registry]]
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
 # # (only) the TOML table with the longest match for the input image name
 # # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
 # #
 # # If the prefix field is missing, it defaults to be the same as the "location" field.
 # prefix = "example.com/foo"
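Review bot: The new `unqualified-search-registries` value lists `registry.fedoraproject.org` first and adds `registry.centos.org` and `quay.io` to an el9 package, while the comment block just above it says registries that let anonymous users create accounts with arbitrary names belong at the end of the list. If RHEL should still prefer its own registries for short-name pulls, reorder it, e.g. `unqualified-search-registries = ["registry.access.redhat.com", "registry.redhat.io", "docker.io"]`; if the Fedora ordering is intended, the commit message should say so, because "consistent with upstream" hides a change of the default resolution order. The hunk also drops `[registries.insecure]` and `[registries.block]` with no v2 replacement outside the commented `[[registry]]` example, and per the removed comment about mixing formats a host that still carries a local v1 override will presumably fail at runtime rather than merge; that deserves a changelog line in the spec.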
@@ -80,7 +41,7 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 #
 # # The physical location of the "prefix"-rooted namespace.
 # #
-# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
 # # and the [[registry]] TOML table can only specify "location").
 # #
 # # Example: Given
@@ -88,6 +49,10 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # # location = "internal-registry-for-example.net/bar"
 # # requests for the image example.com/foo/myimage:latest will actually work with the
 # # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
 # location = internal-registry-for-example.com/bar"
 #
 # # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
@@ -109,6 +74,6 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
 # # Given the above, a pull of example.com/foo/image:latest will try:
 # # 1. example-mirror-0.local/mirror-for-foo/image:latest
 # # 2. example-mirror-1.local/mirrors/foo/image:latest
-# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
 # # in order, and use the first one that exists.
 short-names-mode = "enforcing"
diff --git a/skopeo.spec b/skopeo.spec
index 9cfc595..83db154 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
 Epoch: 1
 Name: skopeo
 Version: 1.3.1
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
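Review bot: The context line `# location = internal-registry-for-example.com/bar"` in the second hunk of this file is still missing its opening quote and uses `.com` where the Example lines directly above it and the mirror example in the following hunk use `internal-registry-for-example.net`. Since this commit already fixes the analogous `myimage` → `image` slip in the next hunk, fix this one in the same change: `# location = "internal-registry-for-example.net/bar"`. The commented `[[registry]]` example this line belongs to starts and ends outside the hunk.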
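Review bot: The context line `short-names-mode = "enforcing"` at the end of the third hunk does not match the key documented in containers-registries.conf(5), which as far as I know is `short-name-mode`; unrecognised keys in this file are presumably ignored rather than rejected, so the enforcing mode the file appears to set may not be in effect. With the longer search list introduced in the first hunk, the mode is exactly what decides whether a non-interactive short-name pull fails or is tried against each listed registry in order, so this should be confirmed against the containers/image version shipped in el9, and the fix would be `short-name-mode = "enforcing"`.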
@@ -241,6 +241,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
+* Thu Jul 01 2021 Jindrich Novy - 1:1.3.1-3
+- update registries.conf to be consistent with upstream
+- Related: #1970747
+
 * Thu Jul 01 2021 Jindrich Novy - 1:1.3.1-2
 - consume content from the release-1.3 upstream branch
 - Related: #1970747