engine: configure registry push/pull with containerd #24213
dvdksn wants to merge 1 commit into docker:main from
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
49a658a to
0ed696e
Review Summary
This is a well-written documentation page that clearly explains how to configure per-registry behavior using hosts.toml files with the containerd image store.
Strengths:
- Clear structure with progressive examples (disable push → mirror → internal-only)
- Proper front matter with all required fields
- Accurate technical content with correct file paths and TOML syntax
- Good use of tables for reference information
- Appropriate callout explaining security limitations
- Helpful section explaining interaction with daemon.json settings
- Links to related documentation are valid
No issues found. The page follows Docker's documentation style guide and provides users with the information they need to configure registry access.
| ## hosts.toml format | ||
|
|
||
| Each `hosts.toml` file configures the behavior for one registry. The `server` | ||
| field sets the upstream registry URL. The `[host]` section configures specific |
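Review bot: "The `[host]` section" in this paragraph names a table that the examples never use in that form; they key it by endpoint URL, as in `[host."https://registry-1.docker.io"]`. Write it as `[host."<url>"]` here and say in the same sentence how an entry relates to the `server` endpoint, so readers know which of the two a setting lands on.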
The host acts as additional endpoints to try before the default endpoint. While it is true that it configures the endpoint, the ordering of these is important. In these examples, the server value and host both having the same value means the endpoint gets added twice, as a mirror and as the default.
Every option under host can be defined at the top level for the "default" configuration. Unless configuring multiple endpoints, host is not needed.
| server = "https://registry-1.docker.io" | ||
|
|
||
| [host."https://registry-1.docker.io"] | ||
| capabilities = ["pull", "resolve"] |
This should just be defined outside of host; as this is defined, the default server would be given the default capabilities, which include push.
| capabilities = ["pull", "resolve"] | ||
|
|
||
| [host."https://registry-1.docker.io"] | ||
| capabilities = ["pull", "resolve", "push"] |
Same here, if this is intending to default capabilities of the default endpoint, it should go right under server.
| access to all public registries: | ||
|
|
||
| ```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"} | ||
| server = "https://registry-1.docker.io" |
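Review bot: The lead-in ending "access to all public registries:" is followed by a file titled `/etc/docker/certs.d/docker.io/hosts.toml`, and the format section says each `hosts.toml` configures one registry. State next to the example that this file covers `docker.io` only, and name what a reader has to add for other registry hosts, otherwise the example reads as a broader restriction than the one file provides.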
This is not the correct way to only support an internal registry. This server can just be set to the internal registry and no host provided at all.
| | --------------------------------------- | ---------------------------- | | ||
| | `docker.io/myorg/myimage:latest` | `docker.io/` | | ||
| | `registry.example.com/myimage:latest` | `registry.example.com/` | | ||
| | `registry.example.com:5000/myimage:tag` | `registry.example.com:5000/` | |
Windows would define as registry.example.com_5000_
| │ └── hosts.toml | ||
| └── registry.example.com:5000/ | ||
| └── hosts.toml | ||
| ``` |
The _default directory is worth mentioning as well; this allows a global default cache/mirror to be used, either by setting server to override the default endpoint for all or adding a host entry which could always be tried first.
Sorry our docs can be a bit confusing and the use of it with "default" and "host" is a bit hard to follow. The idea was that the simple cases would just be updating defaults and possibly adding some mirrors. The amount of "features" that could be supported via different permutations is part of the design, but not done in the easiest-to-follow way. Parts of this are mentioned in https://github.com/containerd/containerd/blob/main/docs/hosts.md though.