Fix registries.conf file to correctly pass the unqualified-search-registries

Daniel J Walsh 2020-04-29 15:54:28 -04:00
parent cc4e04b2f5
commit b039ee7cbb
No known key found for this signature in database
GPG Key ID: A2DF901DABE2C028
3 changed files with 18 additions and 89 deletions


@ -13,11 +13,6 @@ Container engines will use the `$HOME/.config/containers/registries.conf` if it
# FORMATS # FORMATS
## VERSION 2
VERSION 2 is the latest format of the `registries.conf` and is currently in
beta. This means in general VERSION 1 should be used in production environments
for now.
### GLOBAL SETTINGS ### GLOBAL SETTINGS
`unqualified-search-registries` `unqualified-search-registries`
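Review bot: with the beta paragraph under `## VERSION 2` deleted, the man page no longer says which format is the supported one; the removed text told production users to stay on VERSION 1, and nothing replaces it. Suggest one sentence at the top of `## VERSION 2` stating that it is now the current, recommended format (e.g. "VERSION 2 is the current format of `registries.conf`."), so readers do not keep the old inverted advice.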
@ -154,39 +149,6 @@ Given the above, a pull of `example.com/foo/image:latest` will try:
in order, and use the first one that exists. in order, and use the first one that exists.
## VERSION 1
VERSION 1 can be used as alternative to the VERSION 2, but it does not support
using registry mirrors, longest-prefix matches, or location rewriting.
The TOML format is used to build a simple list of registries under three
categories: `registries.search`, `registries.insecure`, and `registries.block`.
You can list multiple registries using a comma separated list.
Search registries are used when the caller of a container runtime does not fully specify the
container image that they want to execute. These registries are prepended onto the front
of the specified container image until the named image is found at a registry.
Note that insecure registries can be used for any registry, not just the registries listed
under search.
The `registries.insecure` and `registries.block` lists have the same meaning as the
`insecure` and `blocked` fields in VERSION 2.
### EXAMPLE
The following example configuration defines two searchable registries, one
insecure registry, and two blocked registries.
```
[registries.search]
registries = ['registry1.com', 'registry2.com']
[registries.insecure]
registries = ['registry3.com']
[registries.block]
registries = ['registry.untrusted.com', 'registry.unsafe.com']
```
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
We recommend always using fully qualified image names including the registry We recommend always using fully qualified image names including the registry
server (full dns name), namespace, image name, and tag server (full dns name), namespace, image name, and tag
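Review bot: the whole `## VERSION 1` section is removed, including the `[registries.search]` / `[registries.insecure]` / `[registries.block]` example, but existing installations may still carry v1 files and the man page now gives them no way to recognise those tables or migrate. Suggest keeping a short deprecation paragraph that names the three v1 tables, states that they must not be combined with v2 keys such as `unqualified-search-registries`, and maps them to `unqualified-search-registries`, `insecure` and `blocked`; the removed sentence "have the same meaning as the `insecure` and `blocked` fields in VERSION 2" is the right seed for it.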


@ -1,60 +1,25 @@
# For more information on this configuration file, see containers-registries.conf(5). # For more information on this configuration file, see containers-registries.conf(5).
# #
# There are multiple versions of the configuration syntax available, where the
# second iteration is backwards compatible to the first one. Mixing up both
# formats will result in an runtime error.
#
# The initial configuration format looks like this:
#
# Registries to search for images that are not fully-qualified.
# i.e. foobar.com/my_image:latest vs my_image:latest
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES # NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry # We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag # server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). When using short names, there is # (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# always an inherent risk that the image being pulled could be spoofed. For # quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# example, a user wants to pull an image named `foobar` from a registry and # When using short names, there is always an inherent risk that the image being
# expects it to come from myregistry.com. If myregistry.com is not first in the # pulled could be spoofed. For example, a user wants to pull an image named
# search list, an attacker could place a different `foobar` image at a registry # `foobar` from a registry and expects it to come from myregistry.com. If
# earlier in the search list. The user would accidentally pull and run the # myregistry.com is not first in the search list, an attacker could place a
# attacker's image and code rather than the intended content. We recommend only # different `foobar` image at a registry earlier in the search list. The user
# adding registries which are completely trusted, i.e. registries which don't # would accidentally pull and run the attacker's image and code rather than the
# allow unknown or anonymous users to create accounts with arbitrary names. This # intended content. We recommend only adding registries which are completely
# will prevent an image from being spoofed, squatted or otherwise made insecure. # trusted (i.e., registries which don't allow unknown or anonymous users to
# If it is necessary to use one of these registries, it should be added at the # create accounts with arbitrary names). This will prevent an image from being
# end of the list. # spoofed, squatted or otherwise made insecure. If it is necessary to use one
# of these registries, it should be added at the end of the list.
# #
# It is recommended to use fully-qualified images for pulling as the
# destination registry is unambiguous. Pulling by digest
# (i.e., quay.io/repository/name@digest) further eliminates the ambiguity of
# tags.
[registries.search]
# registries = []
# Registries that do not use TLS when pulling images or uses self-signed
# certificates.
[registries.insecure]
registries = []
# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
[registries.block]
registries = []
# The second version of the configuration format allows to specify registry
# mirrors:
#
# NOTE: Please read the note about the risk of unqualified images identified above.
# # An array of host[:port] registries to try when pulling an unqualified image, in order. # # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io'] unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
#
# [[registry]] # [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table; # # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name # # (only) the TOML table with the longest match for the input image name
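Review bot: dropping the empty `[registries.insecure]` and `[registries.block]` tables is the actual fix here (the removed header comment says mixing both formats results in a runtime error, so the leftover v1 tables were what stopped `unqualified-search-registries` from taking effect); that reasoning belongs in the commit message, not only in the title. Two further points: the comment pointing at `/etc/containers/policy.json` as the supported way to control which registries users may pull from and push to is deleted without replacement, so the shipped file loses its only pointer to that control; and the new NOTE says to add only registries that do not let unknown or anonymous users create accounts with arbitrary names, while the default list on the same page ends with `docker.io` and nothing says whether it meets that criterion. Suggest restoring a one-line policy.json pointer and adding a comment above the `unqualified-search-registries` line explaining why each entry is present and why `docker.io` is last.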


@ -46,7 +46,7 @@ Epoch: 1
Epoch: 2 Epoch: 2
%endif %endif
Version: 0.2.0 Version: 0.2.0
Release: 0.3.dev.git%{shortcommit0}%{?dist} Release: 0.4.dev.git%{shortcommit0}%{?dist}
Summary: Inspect container images and repositories on registries Summary: Inspect container images and repositories on registries
License: ASL 2.0 License: ASL 2.0
URL: %{git0} URL: %{git0}
@ -436,10 +436,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Wed Apr 29 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.4.dev.git2415f3f
- Fix registries.conf file to correctly pass the unqualified-search-registries
* Sat Apr 25 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.3.dev.gitb230a50 * Sat Apr 25 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1:0.2.0-0.3.dev.gitb230a50
- autobuilt b230a50 - autobuilt b230a50
* Fri Apr 24 2020 Dan Walsh <dwalsh@fedoraproject.org> - 1:0.2.0-0.2.dev.git2415f3f
- Update registries.conf to use version 2 definitions - Update registries.conf to use version 2 definitions
- Update containers.conf to include latest changes - Update containers.conf to include latest changes
- Update seccomp.json to allow a few more syscalls for contaners within containers. - Update seccomp.json to allow a few more syscalls for contaners within containers.
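Review bot: the new 1:0.2.0-0.4.dev entry reuses the short hash git2415f3f from the Apr 24 entry, although the Apr 25 autobuild had already moved to gitb230a50 and `Release:` is derived from `%{shortcommit0}`; the changelog version string should match the commit the package is actually built from, so check which `%{shortcommit0}` this build uses and make the new changelog line agree with it. Minor: `contaners` in the last context line is a typo that could be fixed in passing.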