Fix registries.conf file to correctly pass the unqualified-search-registries

Daniel J Walsh 2020-04-29 15:54:28 -04:00
parent cc4e04b2f5
commit b039ee7cbb
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
3 changed files with 18 additions and 89 deletions


@ -13,11 +13,6 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
# FORMATS
## VERSION 2
VERSION 2 is the latest format of the `registries.conf` and is currently in
beta. This means in general VERSION 1 should be used in production environments
for now.
### GLOBAL SETTINGS
`unqualified-search-registries`
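Review bot: the beta caveat for VERSION 2 ("VERSION 1 should be used in production environments for now") is removed here without any replacement statement of VERSION 2's status, and the commit title only mentions the registries.conf fix. Add a sentence to the VERSION 2 section stating that it is now the recommended format, so the change in guidance is recorded explicitly rather than as a silent deletion of the caveat.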
@ -154,39 +149,6 @@ Given the above, a pull of `example.com/foo/image:latest` will try:
in order, and use the first one that exists.
## VERSION 1
VERSION 1 can be used as alternative to the VERSION 2, but it does not support
using registry mirrors, longest-prefix matches, or location rewriting.
The TOML format is used to build a simple list of registries under three
categories: `registries.search`, `registries.insecure`, and `registries.block`.
You can list multiple registries using a comma separated list.
Search registries are used when the caller of a container runtime does not fully specify the
container image that they want to execute. These registries are prepended onto the front
of the specified container image until the named image is found at a registry.
Note that insecure registries can be used for any registry, not just the registries listed
under search.
The `registries.insecure` and `registries.block` lists have the same meaning as the
`insecure` and `blocked` fields in VERSION 2.
### EXAMPLE
The following example configuration defines two searchable registries, one
insecure registry, and two blocked registries.
```
[registries.search]
registries = ['registry1.com', 'registry2.com']
[registries.insecure]
registries = ['registry3.com']
[registries.block]
registries = ['registry.untrusted.com', 'registry.unsafe.com']
```
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
We recommend always using fully qualified image names including the registry
server (full dns name), namespace, image name, and tag
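Review bot: deleting the entire VERSION 1 section (33 lines by the hunk header) leaves administrators who still carry `[registries.search]`, `[registries.insecure]` and `[registries.block]` tables with no migration guidance in the man page. Keep a short note mapping the old tables to their VERSION 2 equivalents, which the removed text already states for two of them ("The `registries.insecure` and `registries.block` lists have the same meaning as the `insecure` and `blocked` fields in VERSION 2"), plus `registries.search` to `unqualified-search-registries`, and say that the two formats must not appear in the same file, since the shipped registries.conf header in this same commit warns that mixing them is a runtime error.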


@ -1,60 +1,25 @@
# For more information on this configuration file, see containers-registries.conf(5).
#
# There are multiple versions of the configuration syntax available, where the
# second iteration is backwards compatible to the first one. Mixing up both
# formats will result in an runtime error.
#
# The initial configuration format looks like this:
#
# Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
# always an inherent risk that the image being pulled could be spoofed. For
# example, a user wants to pull an image named `foobar` from a registry and
# expects it to come from myregistry.com. If myregistry.com is not first in the
# search list, an attacker could place a different `foobar` image at a registry
# earlier in the search list. The user would accidentally pull and run the
# attacker's image and code rather than the intended content. We recommend only
# adding registries which are completely trusted, i.e. registries which don't
# allow unknown or anonymous users to create accounts with arbitrary names. This
# will prevent an image from being spoofed, squatted or otherwise made insecure.
# If it is necessary to use one of these registries, it should be added at the
# end of the list.
# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# When using short names, there is always an inherent risk that the image being
# pulled could be spoofed. For example, a user wants to pull an image named
# `foobar` from a registry and expects it to come from myregistry.com. If
# myregistry.com is not first in the search list, an attacker could place a
# different `foobar` image at a registry earlier in the search list. The user
# would accidentally pull and run the attacker's image and code rather than the
# intended content. We recommend only adding registries which are completely
# trusted (i.e., registries which don't allow unknown or anonymous users to
# create accounts with arbitrary names). This will prevent an image from being
# spoofed, squatted or otherwise made insecure. If it is necessary to use one
# of these registries, it should be added at the end of the list.
#
# It is recommended to use fully-qualified images for pulling as the
# destination registry is unambiguous. Pulling by digest
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
# tags.
[registries.search]
# registries = []
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
[registries.insecure]
registries = []
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
[registries.block]
registries = []
# The second version of the configuration format allows to specify registry
# mirrors:
#
# NOTE: Please read the note about the risk of unqualified images identified above.
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name
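Review bot: the substance of the fix is correct: the shipped file carried the VERSION 1 tables (`[registries.search]`, `[registries.insecure]`, `[registries.block]`) alongside the VERSION 2 `unqualified-search-registries` key while its own header says "Mixing up both formats will result in an runtime error", so dropping the tables and activating `unqualified-search-registries = [...]` resolves exactly that. Three follow-ups: (1) the comment introducing the now-active key still reads `# # An array of host[:port] registries to try when pulling an unqualified image, in order.`, a doubly commented prefix left over from when the key itself was commented out; reduce it to a single `#`. (2) The "RISK OF USING UNQUALIFIED IMAGE NAMES" note is visible twice in this hunk with slightly different wording; make sure only one copy survives. (3) The default list ends with `docker.io`, which matches the note's own advice that a registry allowing arbitrary account names "should be added at the end of the list"; a one-line comment saying the order is deliberate would keep a later edit from reordering it. Also, "an runtime error" in the header should read "a runtime error".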


@ -46,7 +46,7 @@ Epoch: 1
Epoch: 2
%endif
Version: 0.2.0
Release: 0.3.dev.git%{shortcommit0}%{?dist}
Release: 0.4.dev.git%{shortcommit0}%{?dist}
Summary: Inspect container images and repositories on registries
License: ASL 2.0
URL: %{git0}
@ -436,10 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test
%changelog
* Wed Apr 29 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.4.dev.git2415f3f
- Fix registries.conf file to correctly pass the unqualified-search-registries
* Sat Apr 25 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.3.dev.gitb230a50
- autobuilt b230a50
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
- Update registries.conf to use version 2 definitions
- Update containers.conf to include latest changes
- Update seccomp.json to allow a few more syscalls for contaners within containers.
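Review bot: the new changelog entry is tagged `1:0.2.0-0.4.dev.git2415f3f`, reusing the shortcommit of the Apr 24 entry, while the Apr 25 autobuilt entry between them is `1:0.2.0-0.3.dev.gitb230a50`; since `Release:` expands `%{shortcommit0}`, the literal in the changelog should match the commit the spec actually builds. Please confirm `2415f3f` is intended and not a stale copy from the earlier entry. Minor: "contaners" in the Apr 24 entry is a typo for "containers".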