-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide fallback search registries if the OS does not configure any #777
Comments
podman pull works properly in the shell. can someone help me fix this. |
Edit the /etc/containers/registries.conf and add the following lines to fix this. [registries.search] Save and restart podman and cockpit. |
These sources come from [registries.search]
registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org'] Originally posted by @garrett in #55 (comment) |
I've just installed a fresh Debian 11 in a VM in GNOME Boxes and, indeed, when you install Cockpit-Podman from the backports registry, it pulls in a podman with an unconfigured container registry file. Cockpit Podman should handle an unconfigured registry file in a more graceful way. Eventually, we might want to handle registry editing. Should we handle this as a one-off and make it a click to pre-populate with default registries? If so, which ones? At a minimum, we need to handle the case when the Here are the contents of # For more information on this configuration file, see containers-registries.conf(5).
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# When using short names, there is always an inherent risk that the image being
# pulled could be spoofed. For example, a user wants to pull an image named
# `foobar` from a registry and expects it to come from myregistry.com. If
# myregistry.com is not first in the search list, an attacker could place a
# different `foobar` image at a registry earlier in the search list. The user
# would accidentally pull and run the attacker's image and code rather than the
# intended content. We recommend only adding registries which are completely
# trusted (i.e., registries which don't allow unknown or anonymous users to
# create accounts with arbitrary names). This will prevent an image from being
# spoofed, squatted or otherwise made insecure. If it is necessary to use one
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
# unqualified-search-registries = ["example.com"]
#
# [[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name
# # (taking into account namespace/repo/tag/digest separators) is used.
# #
# # If the prefix field is missing, it defaults to be the same as the "location" field.
# prefix = "example.com/foo"
#
# # If true, unencrypted HTTP as well as TLS connections with untrusted
# # certificates are allowed.
# insecure = false
#
# # If true, pulling images with matching names is forbidden.
# blocked = false
#
# # The physical location of the "prefix"-rooted namespace.
# #
# # By default, this equal to "prefix" (in which case "prefix" can be omitted
# # and the [[registry]] TOML table can only specify "location").
# #
# # Example: Given
# # prefix = "example.com/foo"
# # location = "internal-registry-for-example.net/bar"
# # requests for the image example.com/foo/myimage:latest will actually work with the
# # internal-registry-for-example.net/bar/myimage:latest image.
# location = internal-registry-for-example.com/bar"
#
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
# #
# # The mirrors are attempted in the specified order; the first one that can be
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
# # the primary location specified by the "registry.location" field, or using the unmodified
# # user-specified reference, is tried last).
# #
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
# # as if specified in the [[registry]] TOML table directly:
# # - location
# # - insecure
# [[registry.mirror]]
# location = "example-mirror-0.local/mirror-for-foo"
# [[registry.mirror]]
# location = "example-mirror-1.local/mirrors/foo"
# insecure = true
# # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists. |
The standard Arch Linux package also does not configure any registries, which will make it harder to work with the redesign which relies on image searching for creating a new container. Should there be a message when you load the page that no registries have been configured? |
Yes, that seems like a good place for it. In addition to the message, there should be a way to quickly/easily solve it too. Since it affects both Debian and Arch (and possibly others, like Ubuntu, but I haven't checked), I'd consider this something to work on once the create button lands... unless we handle this as a two part solution where the first part is quick:
If solution # 2 is easy enough, we could just skip to that. But I'm assuming solution # 1 would be quick stopgap to prevent a "no images found" issue. |
My opinion, and some notes from IRC discussion:
|
We can add the registries in code if they are empty, but that won't help us as the search api expects registries to be configured or a specific registry provded in the search term as So I'm afraid we have to create a dropin file as:
So this issue is applicable for Debian, Ubuntu & Arch Linux On ubuntu
For debian/ubuntu I found this bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978650 |
As I said, I veto that c-podman creates a config file with We need to make the search dialog requiring you to specify/select a registry, as that's just what a non-monopoly container registry world looks like. As I said, we can of course do an internal fallback and add docker.io and quay.io to the registry selector if the distro does not configure any registry. That should work with the current API (as you would always search within a given explicit registry), doesn't require changing the system configuration files, and the search results should still include the fully qualified name so that the user sees where an image comes from. |
Arch Linux and Debian have no unqualified-search-registries by default which makes our new "Create container" feature not work out of the box and does not allow users to search for an image. So we now provide two fallback container registries: docker.io and quay.io, as podman's search API does not allow us to search for two things at once we search in parallel. Closes: cockpit-project#777
Arch Linux and Debian have no unqualified-search-registries by default which makes our new "Create container" feature not work out of the box and does not allow users to search for an image. So we now provide two fallback container registries: docker.io and quay.io, as podman's search API does not allow us to search for two things at once we search in parallel. Closes: cockpit-project#777
Arch Linux and Debian have no unqualified-search-registries by default which makes our new "Create container" feature not work out of the box and does not allow users to search for an image. So we now provide two fallback container registries: docker.io and quay.io, as podman's search API does not allow us to search for two things at once we search in parallel. Closes: cockpit-project#777
Arch Linux and Debian have no unqualified-search-registries by default which makes our new "Create container" feature not work out of the box and does not allow users to search for an image. So we now provide two fallback container registries: docker.io and quay.io, as podman's search API does not allow us to search for two things at once we search in parallel. Closes: cockpit-project#777
Debian 11, cockpit-podman backports fresh install.
Unable to search for images.
Missing registries entries.
The text was updated successfully, but these errors were encountered: