Podman Registry Configurations
Tags: podman
Config Location

| Class  | File |
|---|---|
| System | /etc/containers/registries.conf |
| System | /etc/containers/registries.conf.d/*.conf |
| User   | ~/.config/containers/registries.conf |
| User   | ~/.config/containers/registries.conf.d/*.conf |

System configuration can be done in the primary conf file, or more specific settings can be split into drop-in files in the include directory. Drop-ins are read in lexical order after the main file, so a setting in a later file overrides the same setting in an earlier one.
Setting shortnames

```toml
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
```

These registries are consulted, in order, for image names without a registry part (such as ubi8). With more than one entry, an interactive Podman session prompts for a choice (see the Result below), and any listed registry can serve a name you meant to pull from another one, so fully qualified references are the safer habit.
Allow insecure

```toml
[[registry]]
location = "localhost:5000"
insecure = true
```

insecure = true permits plain HTTP as well as TLS with an untrusted certificate for that registry, so keep it to local or test registries.
Adding a registry

```toml
[[registry]]
location = "registry.contoso.com"
blocked = false
```

blocked defaults to false, so this entry only declares the registry; it is the place to hang prefix, insecure or mirror settings for it.
Blocking a registry

```toml
[[registry]]
location = "docker.io"
blocked = true
```

Podman and the other containers tools normalize Docker Hub references to docker.io, so that is the location to block; an entry for the registry.hub.docker.com hostname would not match them (compare the error message in the Result below).
Whitelisting registries

Allowlisting (permitting only a fixed set of registries) is how to actually secure things, but the request appears to be a won't fix: Registry White Lists in registries.conf · Issue #548 · containers/image (https://github.com/containers/image/issues/548). The blocked entries above are a denylist: any registry not listed stays pullable.
Result

```console
> podman pull redhat/ubi8
✔ docker.io/redhat/ubi8:latest
Trying to pull docker.io/redhat/ubi8:latest...
Error: initializing source docker://redhat/ubi8:latest: registry docker.io is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d
```

The ✔ line is the short-name prompt resolving redhat/ubi8 against unqualified-search-registries to docker.io; the block is then enforced on the resolved reference.
Blocking a namespace

```toml
[[registry]]
location = "registry.example.org"
prefix = "registry.example.org/example"
blocked = true
```

prefix selects the references this entry applies to and defaults to location. When several entries match a reference, the one with the longest prefix wins, so a more specific entry can override a broader one.
Blocking an image

```toml
[[registry]]
location = "registry.example.org"
prefix = "registry.example.org/namespace/image"
blocked = true
```

A prefix ending at the repository name matches every tag and digest of that repository.
Mirror a registry

Let's assume that we are running our workload in an air-gapped environment. All our servers are disconnected from the internet. There are many reasons for that: we may be running on the edge, or in a highly security-sensitive environment that forbids connecting to the internet. In this case we cannot reach the original registry, so we run a registry on the local network that mirrors its contents.

A registry mirror is a registry that will be contacted before attempting to pull from the original one. It's a common use case and one of the oldest feature requests in the container ecosystem.

With a configuration like the following, where location is the registry a reference resolves to, a pull such as podman pull ubi8 (when the short name resolves to that registry) is served from the mirrors, tried in the listed order, and falls back to the original location only if all of them fail.

```toml
[[registry]]
location = "registry.example.com"

[[registry.mirror]]
location = "mirror-1.com"

[[registry.mirror]]
location = "mirror-2.com"

[[registry.mirror]]
location = "mirror-3.com"
```

A mirror is trusted to resolve tags: it can hand out a different image for the same tag than the original registry would. Pulling by digest removes that trust, since the fetched manifest is verified against the digest in the reference.
Remapping references

As we explored above, a prefix is used to select a specific [[registry]] entry in registries.conf. While prefixes are a powerful means to block specific namespaces or certain images from being pulled, they can also be used to remap entire images. Similar to mirrors, we can use a prefix to pull from a different registry and a different namespace.
To illustrate what I mean by remapping, let’s consider that we run in an air-gapped environment. We cannot access container registries since we are disconnected from the internet. Our workload is using images from Quay.io, Docker Hub, and Red Hat’s container registry. While we could have one network-local mirror per registry, we could also just use one with the following config.
```toml
[[registry]]
prefix = "quay.io"
location = "internal.registry.mirror/quay"

[[registry]]
prefix = "docker.io"
location = "internal.registry.mirror/docker"

[[registry]]
prefix = "registry.access.redhat.com"
location = "internal.registry.mirror/redhat"
```
A podman pull quay.io/buildah/stable:latest will now instead pull internal.registry.mirror/quay/buildah/stable:latest. However, the pulled image will still be named quay.io/buildah/stable:latest locally, since the remapping and mirroring happen transparently to Podman and the other container tools. Unlike a mirror, a remapped location has no fallback to the original registry: quay.io is never contacted.
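To see how the blocking, mirror and remapping entries above interact, the following added example (not code from this page or from the containers project) re-implements, in Python, the resolution rules that containers/image applies when it reads registries.conf: longest-prefix matching, prefix defaulting to location, blocked and insecure flags, mirrors tried in order with the original location last, prefix-to-location rewriting, and short-name expansion against unqualified-search-registries. It runs against a constructed config that combines the fragments from this page; all hostnames (mirror-1.example.com, internal.registry.mirror and so on) are placeholders, and the insecure/blocked semantics are only modelled, not enforced against a real registry.

```python
"""Resolve image references the way registries.conf tells Podman to.
Added example (constructed config, placeholder hostnames); not the
containers project's own code, only a model of its resolution rules."""
from dataclasses import dataclass, field

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # pip install tomli on older interpreters

# Constructed sample registries.conf combining the fragments from the page.
REGISTRIES_CONF = """
unqualified-search-registries = ["registry.fedoraproject.org", "docker.io"]

[[registry]]
location = "localhost:5000"
insecure = true

[[registry]]
location = "docker.io"
blocked = true

# Block one namespace; the longer (more specific) prefix below overrides it.
[[registry]]
location = "registry.example.org"
prefix = "registry.example.org/example"
blocked = true

[[registry]]
prefix = "registry.example.org/example/public"
location = "registry.example.org/example/public"
blocked = false

# Remap everything under quay.io to a path on an internal registry.
[[registry]]
prefix = "quay.io"
location = "internal.registry.mirror/quay"

# Mirrors are tried in order; the original location is the last fallback.
[[registry]]
location = "registry.access.redhat.com"
[[registry.mirror]]
location = "mirror-1.example.com"
[[registry.mirror]]
location = "mirror-2.example.com"
"""

CONF = tomllib.loads(REGISTRIES_CONF)


@dataclass
class Resolution:
    reference: str
    blocked: bool = False
    insecure: bool = False
    pull_sources: list = field(default_factory=list)  # contacted in this order


def _prefix_len(ref, prefix):
    """Length of prefix if it matches ref up to a path/tag/digest boundary, else -1.
    containers/image also treats ':' as a boundary, so "example.com:5000" matches a
    prefix of "example.com"; its man page warns not to rely on that."""
    if ref.startswith(prefix) and (len(ref) == len(prefix) or ref[len(prefix)] in "/:@"):
        return len(prefix)
    return -1


def find_registry(ref, conf=CONF):
    """The [[registry]] entry with the longest matching prefix (prefix defaults to location)."""
    best, best_len = None, -1
    for entry in conf.get("registry", []):
        n = _prefix_len(ref, entry.get("prefix") or entry["location"])
        if n > best_len:
            best, best_len = entry, n
    return best


def resolve(ref, conf=CONF):
    """Blocked/insecure flags and the ordered pull sources for a fully qualified reference."""
    entry = find_registry(ref, conf)
    if entry is None:  # no matching entry: pull from the reference as written
        return Resolution(ref, pull_sources=[ref])
    remainder = ref[len(entry.get("prefix") or entry["location"]):]
    sources = [m["location"] + remainder for m in entry.get("mirror", [])]
    sources.append(entry["location"] + remainder)  # original location, tried last
    return Resolution(ref, bool(entry.get("blocked")), bool(entry.get("insecure")), sources)


def expand_short_name(name, conf=CONF):
    """Candidates offered for a short name, from unqualified-search-registries in order."""
    first = name.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return [name]  # already carries a registry part
    out = []
    for reg in conf.get("unqualified-search-registries", []):
        # Docker Hub keeps single-component names under library/, as Podman normalizes them.
        path = f"library/{name}" if reg == "docker.io" and "/" not in name else name
        out.append(f"{reg}/{path}")
    return out
```

Calling resolve("quay.io/buildah/stable:latest") yields a single pull source, internal.registry.mirror/quay/buildah/stable:latest, with no fallback to quay.io, while resolve("registry.access.redhat.com/ubi8:latest") lists both mirrors followed by the original registry. resolve("registry.example.org/example/public/app:1.0") is not blocked even though its parent namespace is, because the longer prefix wins; that is the mechanism to use when a denylist needs a carve-out. The same rules explain why the page's `podman pull redhat/ubi8` first expanded to docker.io/redhat/ubi8:latest and was then refused.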
- https://www.redhat.com/sysadmin/manage-container-registries
- https://github.com/containers/image/issues/548