From b039ee7cbba371b200ae877d5fc57aab9378a6fd Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 29 Apr 2020 15:54:28 -0400
Subject: [PATCH] Fix registries.conf file to correctly pass the unqualified-search-registries
---
 containers-registries.conf.5.md | 38 --------------------
 registries.conf | 63 ++++++++-------------------------
 skopeo.spec | 6 ++--
 3 files changed, 18 insertions(+), 89 deletions(-)
diff --git a/containers-registries.conf.5.md b/containers-registries.conf.5.md
index bb34906..f0542ba 100644
--- a/containers-registries.conf.5.md
+++ b/containers-registries.conf.5.md
@@ -13,11 +13,6 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
 # FORMATS
-## VERSION 2
-VERSION 2 is the latest format of the `registries.conf` and is currently in
-beta. This means in general VERSION 1 should be used in production environments
-for now.
-
 ### GLOBAL SETTINGS
 `unqualified-search-registries` 
@@ -154,39 +149,6 @@ Given the above, a pull of `example.com/foo/image:latest` will try:
 in order, and use the first one that exists.
-## VERSION 1
-VERSION 1 can be used as alternative to the VERSION 2, but it does not support
-using registry mirrors, longest-prefix matches, or location rewriting.
-
-The TOML format is used to build a simple list of registries under three
-categories: `registries.search`, `registries.insecure`, and `registries.block`.
-You can list multiple registries using a comma separated list.
-
-Search registries are used when the caller of a container runtime does not fully specify the
-container image that they want to execute. These registries are prepended onto the front
-of the specified container image until the named image is found at a registry.
-
-Note that insecure registries can be used for any registry, not just the registries listed
-under search.
-
-The `registries.insecure` and `registries.block` lists have the same meaning as the
-`insecure` and `blocked` fields in VERSION 2.
-
-### EXAMPLE
-The following example configuration defines two searchable registries, one
-insecure registry, and two blocked registries.
-
-```
-[registries.search]
-registries = ['registry1.com', 'registry2.com']
-
-[registries.insecure]
-registries = ['registry3.com']
-
-[registries.block]
-registries = ['registry.untrusted.com', 'registry.unsafe.com']
-```
-
 # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
 We recommend always using fully qualified image names including the registry server (full dns name), namespace, image name, and tag
diff --git a/registries.conf b/registries.conf
index e3da7db..26e285d 100644
--- a/registries.conf
+++ b/registries.conf
@@ -1,60 +1,25 @@
 # For more information on this configuration file, see containers-registries.conf(5).
 #
-# There are multiple versions of the configuration syntax available, where the
-# second iteration is backwards compatible to the first one. Mixing up both
-# formats will result in an runtime error.
-#
-# The initial configuration format looks like this:
-#
-# Registries to search for images that are not fully-qualified.
-# i.e. foobar.com/my_image:latest vs my_image:latest
-#
 # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
 # We recommend always using fully qualified image names including the registry
 # server (full dns name), namespace, image name, and tag
-# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is
-# always an inherent risk that the image being pulled could be spoofed. For
-# example, a user wants to pull an image named `foobar` from a registry and
-# expects it to come from myregistry.com. If myregistry.com is not first in the
-# search list, an attacker could place a different `foobar` image at a registry
-# earlier in the search list. The user would accidentally pull and run the
-# attacker's image and code rather than the intended content. We recommend only
-# adding registries which are completely trusted, i.e. registries which don't
-# allow unknown or anonymous users to create accounts with arbitrary names. This
-# will prevent an image from being spoofed, squatted or otherwise made insecure.
-# If it is necessary to use one of these registries, it should be added at the
-# end of the list.
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. 
If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
 #
-# It is recommended to use fully-qualified images for pulling as the
-# destination registry is unambiguous. Pulling by digest
-# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
-# tags.
-
-[registries.search]
-# registries = []
-
-# Registries that do not use TLS when pulling images or uses self-signed
-# certificates.
-[registries.insecure]
-registries = []
-
-# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
-# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
-# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
-# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
-# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
-# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
-# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
-[registries.block]
-registries = []
-
-# The second version of the configuration format allows to specify registry
-# mirrors:
-#
-# NOTE: Please read the note about the risk of unqualified images identified above.
 #
 # An array of host[:port] registries to try when pulling an unqualified image, in order.
 unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
-#
+
 # [[registry]]
 # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
 # # (only) the TOML table with the longest match for the input image name
diff --git a/skopeo.spec b/skopeo.spec
index 3d8f408..6af2bae 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -46,7 +46,7 @@ Epoch: 1
 Epoch: 2
 %endif
 Version: 0.2.0
-Release: 0.3.dev.git%{shortcommit0}%{?dist}
+Release: 0.4.dev.git%{shortcommit0}%{?dist}
 Summary: Inspect container images and repositories on registries
 License: ASL 2.0
 URL: %{git0}
@@ -436,10 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/%{name}/test
 %changelog
+* Wed Apr 29 2020 Dan Walsh - 1:0.2.0-0.4.dev.git2415f3f
+- Fix registries.conf file to correctly pass the unqualified-search-registries
+
 * Sat Apr 25 2020 RH Container Bot - 1:0.2.0-0.3.dev.gitb230a50
 - autobuilt b230a50
-* Fri Apr 24 2020 Dan Walsh - 1:0.2.0-0.2.dev.git2415f3f
 - Update registries.conf to use version 2 definitions
 - Update containers.conf to include latest changes
 - Update seccomp.json to allow a few more syscalls for contaners within containers.
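Review bot: The new side of the registries.conf hunk drops every mention of insecure and blocked registries — the `[registries.insecure]`/`[registries.block]` tables and the pointer to `/etc/containers/policy.json` — without telling the reader where those controls now live, while the deleted man-page text in the first file states that they became the `insecure` and `blocked` fields of a `[[registry]]` table. Unless the rest of the commented `[[registry]]` example (it continues past the end of this hunk) already covers them, add a short comment after the `unqualified-search-registries` line, e.g. `# Per-registry "insecure" and "blocked" settings belong in the [[registry]] tables below; /etc/containers/policy.json still controls which registries users may pull from.` The array is consistent with the note above it in that `'docker.io'`, presumably the entry the "add it at the end of the list" advice is aimed at, comes last; a trailing comment such as `# docker.io deliberately last: see the note on unqualified names above` would make that ordering explicit rather than incidental for the next person who edits the list.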
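Review bot: The second skopeo.spec hunk removes the `* Fri Apr 24 2020 Dan Walsh - 1:0.2.0-0.2.dev.git2415f3f` changelog heading but leaves its three `- Update ...` bullets in place as context, so they now read as part of the `* Sat Apr 25 2020 RH Container Bot` entry. Either restore that heading line or remove the bullets together with it, so that each changelog entry keeps its own date, author and release; only the new `* Wed Apr 29 2020` entry should be added at the top.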