install-man: man

* We are actively inviting new [security advisors](https://github.com/containerd/project/blob/main/GOVERNANCE.md#security-advisors) to join the team.

* [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md),

* [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS),

* and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md)

Configuring registries will be done by specifying (optionally) a `hosts.toml` file for

each desired registry host in a configuration directory. **Note**: Updates under this directory

do not require restarting the containerd daemon.

When pulling via `ctr` use the `--hosts-dir` option:

_The old CRI config pattern for specifying registry.mirrors and registry.configs has

been **DEPRECATED**._ You should now point your registry `config_path` to the path where your

`hosts.toml` files are located.

Modify your `config.toml` (default location: `/etc/containerd/config.toml`) as follows:

[plugins."io.containerd.grpc.v1.cri".registry]

config_path = "/etc/containerd/certs.d"

If no hosts.toml configuration exists in the host directory, it will fallback to check

certificate files based on [Docker's certificate file pattern](https://docs.docker.com/engine/reference/commandline/dockerd/#insecure-registries)

(".crt" files for CA certificates and ".cert"/".key" files for client certificates).

A registry host is the location where container images and artifacts are sourced. These

registry hosts may be local or remote and are typically accessed via http/https using the

[OCI distribution specification](https://github.com/opencontainers/distribution-spec/blob/main/spec.md).

A registry mirror is not a registry host but these mirrors can also be used to pull content.

Registry hosts are typically refered to by their internet domain names, aka. registry

host names. For example, docker.io, quay.io, gcr.io, and ghcr.io.

A registry host namespace is, for the purpose of containerd registry configuration, a

path to the `hosts.toml` file specified by the registry host name, or ip address, and an

optional port identifier. When making a pull request for an image the format is

typically as follows:

The registry host namespace portion is `[registry_host_name|IP address][:port]`. Example

tree for docker.io:

The `/v2` portion of the pull request format shown above refers to the version of the

distribution api. If not included in the pull request, `/v2` is added by default for all

clients compliant to the distribution specification linked above.

For example when pulling image_name:tag from a private registry named myregistry.io over

port 5000:

The pull will resolve to `https://myregistry.io:5000/v2/image_name:tag`

When performing image operations via `ctr` use the --help option to get a list of options you can set for specifying credentials:

Although we have deprecated the old CRI config pattern for specifying registry.mirrors

and registry.configs you can still specify your credentials via

[CRI config](https://github.com/containerd/containerd/blob/master/docs/cri/registry.md#configure-registry-credentials).

Additionally, the containerd CRI plugin implements/supports the authentication parameters passed in through CRI pull image service requests.

For example, when containerd is the container runtime implementation for `Kubernetes`, the containerd CRI plugin receives

authentication credentials from kubelet as retrieved from

[Kubernetes Image Pull Secrets](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)

Here is a simple example for a default registry hosts configuration. Set

`config_path = "/etc/containerd/certs.d"` in your config.toml for containerd.

Make a directory tree at the config path that includes `docker.io` as a directory

representing the host namespace to be configured. Then add a `hosts.toml` file

in the `docker.io` to configure the host namespace. It should look like this:

To bypass the TLS verification for a private registry at `192.168.31.250:5000`

Create a path and `hosts.toml` text at the path "/etc/containerd/certs.d/docker.io/hosts.toml" with following or similar contents:

server = "https://registry-1.docker.io"

[host."http://192.168.31.250:5000"]

capabilities = ["pull", "resolve", "push"]

skip_verify = true

For each registry host namespace directory in your registry `config_path` you may

include a `hosts.toml` configuration file. The following root level toml fields

apply to the registry host namespace:

**Note**: All paths specified in the `hosts.toml` file may be absolute or relative

to the `hosts.toml` file.

`server` specifies the default server for this registry host namespace. When

`host`(s) are specified, the hosts are tried first in the order listed.

`capabilities` is an optional setting for specifying what operations a host is

capable of performing. Include only the values that apply.

capabilities (or Host capabilities) represent the capabilities of the registry host.

This also represents the set of operations for which the registry host may be trusted

to perform.

For example, pushing is a capability which should only be performed on an upstream

source, not a mirror.

Resolving (the process of converting a name into a digest)

must be considered a trusted operation and only done by

a host which is trusted (or more preferably by secure process

which can prove the provenance of the mapping).

A public mirror should never be trusted to do a resolve action.

| Registry Type | Pull | Resolve | Push |

|------------------|------|---------|------|

| Public Registry | yes | yes | yes |

| Private Registry | yes | yes | yes |

| Public Mirror | yes | no | no |

| Private Mirror | yes | yes | no |

`ca` (Certificate Authority Certification) can be set to a path or an array of

paths each pointing to a ca file for use in authenticating with the registry

namespace.

or

`client` certificates are configured as follows

a path:

an array of paths:

an array of pairs of paths:

`skip_verify` set this flag to `true` to skip the registry certificate

verification for this registry host namespace. (Defaults to `false`)

`[header]` contains some number of keys where each key is to one of a string or

an array of strings as follows:

or

or

`[host]."https://namespace"` and `[host].http://namespace` entries in the

`hosts.toml` configuration are registry namespaces used in lieu of the default

registry host namespace. These hosts are sometimes called mirrors because they

may contain a copy of the container images and artifacts you are attempting to

retrieve from the default registry. Each `host`/`mirror` namespace is also

configured in much the same way as the default registry namespace. Notably the

`server` is not specified in the `host` description because it is specified in

the namespace. Here are a few rough examples configuring host mirror namespaces

for this registry host namespace:

**Note**: Recursion is not supported in the specification of host mirror

namespaces in the hosts.toml file. Thus the following is not allowed/supported: