skopeo-1.3.1-3.el9

- update registries.conf to be consistent with upstream
- Related: #1970747

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
This commit is contained in:
Jindrich Novy 2021-07-01 12:42:28 +02:00
parent c8f3cc4baa
commit a43d85dc67
2 changed files with 31 additions and 62 deletions

View File

@ -1,73 +1,34 @@
# For more information on this configuration file, see containers-registries.conf(5). # For more information on this configuration file, see containers-registries.conf(5).
# #
# There are multiple versions of the configuration syntax available, where the
# second iteration is backwards compatible to the first one. Mixing up both
# formats will result in an runtime error.
#
# The initial configuration format looks like this:
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# Red Hat recommends always using fully qualified image names including the registry server (full dns name), # We recommend always using fully qualified image names including the registry
# namespace, image name, and tag (ex. registry.redhat.io/ubi8/ubu:latest). When using short names, there is # server (full dns name), namespace, image name, and tag
# always an inherent risk that the image being pulled could be spoofed. For example, a user wants to. # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# pull an image named `foobar` from a registry and expects it to come from myregistry.com. If myregistry.com # quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# is not first in the search list, an attacker could place a different `foobar` image at a registry earlier # When using short names, there is always an inherent risk that the image being
# in the search list. The user would accidentally pull and run the attacker's image and code rather than the # pulled could be spoofed. For example, a user wants to pull an image named
# intended content. Red Hat recommends only adding registries which are completely trusted, i.e. registries # `foobar` from a registry and expects it to come from myregistry.com. If
# which don't allow unknown or anonymous users to create accounts with arbitrary names. This will prevent # myregistry.com is not first in the search list, an attacker could place a
# an image from being spoofed, squatted or otherwise made insecure. If it is necessary to use one of these # different `foobar` image at a registry earlier in the search list. The user
# registries, it should be added at the end of the list. # would accidentally pull and run the attacker's image and code rather than the
# # intended content. We recommend only adding registries which are completely
# It is recommended to use fully-qualified images for pulling as the # trusted (i.e., registries which don't allow unknown or anonymous users to
# destination registry is unambiguous. Pulling by digest # create accounts with arbitrary names). This will prevent an image from being
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of # spoofed, squatted or otherwise made insecure. If it is necessary to use one
# tags. # of these registries, it should be added at the end of the list.
# The following registries are a set of secure defaults provided by Red Hat.
# Each of these registries provides container images curated, patched
# and maintained by Red Hat and its partners
#[registries.search]
#registries = ['registry.access.redhat.com', 'registry.redhat.io']
# To ensure compatibility with docker we've included docker.io in the default search list. However Red Hat
# does not curate, patch or maintain container images from the docker.io registry.
[registries.search]
registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']
# The following registries entry can be used for convenience but includes
# container images built by the community. This set of content comes with all
# of the risks of any user generated content including security and performance
# issues. To use this list first comment out the default list, then uncomment
# the following list
#[registries.search]
#registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io', 'quay.io']
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
[registries.insecure]
registries = []
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
[registries.block]
registries = []
# The second version of the configuration format allows to specify registry
# mirrors:
# #
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"] unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.redhat.com", "registry.centos.org", "quay.io", "docker.io"]
#
# [[registry]] # [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name # # (only) the TOML table with the longest match for the input image name
# # (taking into account namespace/repo/tag/digest separators) is used. # # (taking into account namespace/repo/tag/digest separators) is used.
# # # #
# # The prefix can also be of the form: *.example.com for wildcard subdomain
# # matching.
# #
# # If the prefix field is missing, it defaults to be the same as the "location" field. # # If the prefix field is missing, it defaults to be the same as the "location" field.
# prefix = "example.com/foo" # prefix = "example.com/foo"
# #
@ -80,7 +41,7 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# #
# # The physical location of the "prefix"-rooted namespace. # # The physical location of the "prefix"-rooted namespace.
# # # #
# # By default, this equal to "prefix" (in which case "prefix" can be omitted # # By default, this is equal to "prefix" (in which case "prefix" can be omitted
# # and the [[registry]] TOML table can only specify "location"). # # and the [[registry]] TOML table can only specify "location").
# # # #
# # Example: Given # # Example: Given
@ -88,6 +49,10 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# # location = "internal-registry-for-example.net/bar" # # location = "internal-registry-for-example.net/bar"
# # requests for the image example.com/foo/myimage:latest will actually work with the # # requests for the image example.com/foo/myimage:latest will actually work with the
# # internal-registry-for-example.net/bar/myimage:latest image. # # internal-registry-for-example.net/bar/myimage:latest image.
#
# # The location can be empty iff prefix is in a
# # wildcarded format: "*.example.com". In this case, the input reference will
# # be used as-is without any rewrite.
# location = internal-registry-for-example.com/bar" # location = internal-registry-for-example.com/bar"
# #
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace. # # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
@ -109,6 +74,6 @@ unqualified-search-registries = ["registry.fedoraproject.org", "registry.access.
# # Given the above, a pull of example.com/foo/image:latest will try: # # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest # # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest # # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/myimage:latest # # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists. # # in order, and use the first one that exists.
short-names-mode = "enforcing" short-names-mode = "enforcing"

View File

@ -30,7 +30,7 @@ go build -buildmode pie -compiler gc -tags="rpm_crashtraceback libtrust_openssl
Epoch: 1 Epoch: 1
Name: skopeo Name: skopeo
Version: 1.3.1 Version: 1.3.1
Release: 2%{?dist} Release: 3%{?dist}
Summary: Inspect container images and repositories on registries Summary: Inspect container images and repositories on registries
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
@ -241,6 +241,10 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Thu Jul 01 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-3
- update registries.conf to be consistent with upstream
- Related: #1970747
* Thu Jul 01 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-2 * Thu Jul 01 2021 Jindrich Novy <jnovy@redhat.com> - 1:1.3.1-2
- consume content from the release-1.3 upstream branch - consume content from the release-1.3 upstream branch
- Related: #1970747 - Related: #1970747