On Fri, Sep 22, 2023 at 9:01 PM Rahaman, Ronald O <rrahaman6@gatech.edu> wrote:

Hi all,

Can you confirm that, in rootless, users cannot override /etc/containers/registries.conf with ~/.config/containers/registries.conf? We’d like to be able to whitelist registries for our site.

Yes, users can override system configurations in their home directory.  As outlined in the man pages [1], the config in the home directory will be loaded _instead_ of the system configuration in /etc.  That means it will override and not add to the system configuration.

Kind regards,
 Valentin

[1] https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md

As an example, suppose I have this in /etc/containers/registries.conf. The intent is to blacklist all of docker.io; and whitelist docker.io/ubuntu. I’ve found it works as intended.

[[registry]]
location="docker.io"
blocked=true

[[registry]]
location="docker.io/ubuntu"
blocked=false

I want to confirm that a user can’t whitelist additional registries in ~/.config/containers/registries.conf with something like

[[registry]]
location="docker.io/unsafe-namespace"
blocked=false

I’ve tested this myself, and it seems like users can’t override. But I’d like to be 100% sure.

Thanks,

Ron


--------

Ron Rahaman

Research Scientist II, Research Software Engineer

Partnership for an Advanced Computing Environment (PACE)

Georgia Institute of Technology
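
The load-instead-of-merge behaviour described in the reply above, as an added example that is not part of the original thread or of the containers/image code: it shows that once a user file exists, the system-wide block on docker.io is no longer in effect at all. Assumptions: the function names are hypothetical, the parser handles only the `[[registry]]` / `key=value` subset quoted in the thread, registries.conf.d drop-ins are ignored, and the image names are constructed.

```python
# Constructed copies of the two files quoted in the thread.
SYSTEM_CONF = """
[[registry]]
location="docker.io"
blocked=true

[[registry]]
location="docker.io/ubuntu"
blocked=false
"""

USER_CONF = """
[[registry]]
location="docker.io/unsafe-namespace"
blocked=false
"""

def parse_registries(text):
    """Parse only [[registry]] tables made of key=value lines (not full TOML)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[[registry]]":
            entries.append({})
        elif "=" in line and entries:
            key, value = (part.strip() for part in line.split("=", 1))
            entries[-1][key] = (value == "true") if value in ("true", "false") else value.strip('"')
    return entries

def effective_entries(system_text, user_text=None):
    """A user file, when present, is loaded instead of the system file (no merge)."""
    return parse_registries(user_text if user_text is not None else system_text)

def is_blocked(image, entries):
    """Longest matching prefix wins; prefix defaults to location."""
    best = None
    for entry in entries:
        prefix = entry.get("prefix", entry.get("location", ""))
        # Match only at a namespace, tag or digest boundary.
        if image == prefix or image.startswith((prefix + "/", prefix + ":", prefix + "@")):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, entry.get("blocked", False))
    return bool(best and best[1])
```

For a site policy, this is the reason to audit for the presence of ~/.config/containers/registries.conf in user home directories rather than relying on /etc/containers/registries.conf alone.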
