If you’re working with container images on Red Hat Enterprise Linux 7.1 or Red Hat Enterprise Linux Atomic Host, you might have noticed that the search and pull behavior of the included docker tool works slightly differently than the docker tool of the upstream project. This is intentional.
When we started the planning process for containers in RHEL 7.1, we had 3 goals in mind:
The changes we implemented, which are , affect three different areas of the tool:
The new ‘--add-registry’ option adds an additional registry to the list used when searching for an image. This allows the local administrator to expand “docker search” to include private and corporate registries. Search queries all registries on the list in parallel, so the order of the list does not matter for search.
The same list is also used for “docker pull” of short-names. A short-name is an image name without an explicit registry, for example “docker pull rhel”. When working with short-names the order becomes very important.
Red Hat recommends using fully qualified image names; this is especially important in Dockerfile FROM statements in an enterprise setting. A fully qualified image name (FQIN) can be made up of 3 parts:
[registry_hostname[:port]/][user_name/](repository_name:version_tag)
It is common that users will use image short-names for convenience. When pulling a short-name, the tool iterates over the list of configured registries and expands the short-name locally into a fully qualified name for each configured registry. It then tries to pull the image registry by registry until it finds a match. In this case order matters: the tool starts with the first entry and moves on to the next only if the image is not found there, with docker.io always being the last. What gets pulled is always the expanded, fully qualified name.
The Red Hat default config in ‘/etc/sysconfig/docker’ adds ‘registry.access.redhat.com’, which is the authoritative source for official Red Hat content. The default docker.io search path is hardcoded and remains enabled.
The output of ‘docker search’ in Red Hat Enterprise Linux always lists the fully qualified image name. This is consistent with the recommendations to always use fully qualified names. It also avoids any ambiguity about the namespace in a federated model and can be especially useful when multiple private registries are used in an organization. Search results are aggregated in a single list, grouped by registry. The default sort is by star-count, then alphabetically.
In addition, it explicitly adds the name of the registry index in which the image was found. For example, Red Hat partners can choose to list certified content in the Red Hat catalog without limiting their options for distributing the content through their own registry.
Some organizations have strict policies on what content can and cannot be consumed when building applications, and many customers have asked for a way to control container image consumption to help them comply with regulations. The new ‘--block-registry’ option allows an admin to blacklist a registry. This affects search, the resolution of short-names, and the pulling of fully qualified names.
To establish enterprise-level content control, an organization can use ‘--add-registry’ and ‘--block-registry’ together: adding its private registries with ‘--add-registry’ and setting ‘--block-registry *’ in /etc/sysconfig/docker limits image access to those private registries only.
In addition, the Red Hat Enterprise Linux docker tool will also ask the user for confirmation before pushing an image to the public registry in order to avoid accidentally publishing private content.
Red Hat continues to work within the upstream Docker community to make this behavior part of the mainline.
The first thing I do is make sure that I’m running the latest version. The current version of the RHEL package at the time of this posting is docker-1.5.0-28.el7. To get the latest, run ‘yum update’ (RHEL) or ‘atomic host upgrade’ (Atomic). Note that while the Red Hat images are fully supported, these changes to the tool are still experimental and we expect that behavior will change over time as the upstream project evolves.
With the default config in Red Hat Enterprise Linux 7.1, a search for the rhel-tools container looks like this:
# docker search rhel-tools