authorChristian Poessinger <christian@poessinger.com>2022-04-29 19:52:46 +0200
committerChristian Poessinger <christian@poessinger.com>2022-04-29 19:52:46 +0200
commit8ec6910fb8386a6c9a70aeef85f3b1fa3b7279d2 (patch)
tree263e46afa482c4ac5ef14c9be2758d4fbf7ed7c1 /data/templates/containers
parent80ecb1b7aaab47edeb355c3b74a763e940d88179 (diff)
downloadvyos-1x-8ec6910fb8386a6c9a70aeef85f3b1fa3b7279d2.tar.gz
vyos-1x-8ec6910fb8386a6c9a70aeef85f3b1fa3b7279d2.zip
T2216: containers need to be added via "add container image" in advance before using them
Diffstat (limited to 'data/templates/containers')
-rw-r--r--data/templates/containers/registries.conf.j227
-rw-r--r--data/templates/containers/registry.tmpl5
-rw-r--r--data/templates/containers/storage.conf.j2 (renamed from data/templates/containers/storage.tmpl)0
3 files changed, 27 insertions, 5 deletions
diff --git a/data/templates/containers/registries.conf.j2 b/data/templates/containers/registries.conf.j2
new file mode 100644
index 000000000..4057bb452
--- /dev/null
+++ b/data/templates/containers/registries.conf.j2
@@ -0,0 +1,27 @@
+### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ###
+
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+
+{% if registry is vyos_defined %}
+unqualified-search-registries = {{ registry }}
+{% endif %}
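Review bot: The `unqualified-search-registries = {{ registry }}` line interpolates the value verbatim, with no quoting or brackets, so the rendered file is valid TOML only if the conf script already hands over `registry` shaped as an array of quoted `host[:port]` strings; a bare string would render as `unqualified-search-registries = docker.io`, which the registries.conf parser cannot accept. This line is carried over unchanged from the deleted registry.tmpl, but since the new file now leads with the warning about spoofable short-name lookups, the expected shape of the value deserves to be documented at the point of use, e.g. `{# registry must already be a TOML array literal of "host[:port]" strings; the conf script is responsible for quoting #}`. If `registry` is in fact a plain list of strings on the Python side (cannot be confirmed from this diff), rendering it as `{{ registry | tojson }}` would emit a double-quoted array that is valid TOML regardless of how the list is built.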
diff --git a/data/templates/containers/registry.tmpl b/data/templates/containers/registry.tmpl
deleted file mode 100644
index 0cbd9ecc2..000000000
--- a/data/templates/containers/registry.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ###
-
-{% if registry is vyos_defined %}
-unqualified-search-registries = {{ registry }}
-{% endif %}
diff --git a/data/templates/containers/storage.tmpl b/data/templates/containers/storage.conf.j2
index 3a69b7252..3a69b7252 100644
--- a/data/templates/containers/storage.tmpl
+++ b/data/templates/containers/storage.conf.j2