adds description for hosts.toml

mikebrow · dmcgowan · commit aeee0934435e · 2021-05-12T09:31:25.000-07:00
Signed-off-by: Mike Brown <brownwm@us.ibm.com> (cherry picked from commit b59e297) Signed-off-by: Derek McGowan <derek@mcg.dev>
diff --git a/docs/hosts.md b/docs/hosts.md
@@ -0,0 +1,273 @@
+
+# Registry Configuration - Introduction
+
+Configuring registries will be done by specifying (optionally) a `hosts.toml` file for
+each desired registry host in a configuration directory. **Updates under this directory
+do not require restarting the containerd daemon.**
+
+## Specifying the Configuration Directory
+
+## Using Host Namespace Configs with CTR
+
+When pulling via `ctr` use the `--hosts-dir` option:
+```
+ctr images pull --hosts-dir "/etc/containerd/certs.d"
+```
+
+## CRI
+_The old CRI config pattern for specifying registry.mirrors and registry.configs has
+been **DEPRECATED**._ You should now point your registry `config_path` to path where your
+`hosts.toml` files are located.
+
+Modify your `config.toml` (default location: `/etc/containerd/config.toml`) as follows:
+```toml
+[plugins."io.containerd.grpc.v1.cri".registry]
+   config_path = "/etc/containerd/certs.d"
+```
+
+## Support for Docker's Certificate File Pattern
+
+If no hosts.toml configuration exists in the host directory, it will fallback to check
+certificate files based on [Docker's certificate file pattern](https://docs.docker.com/engine/reference/commandline/dockerd/#insecure-registries)
+(".crt" files for CA certificates and ".cert"/".key" files for client certificates).
+
+## Registry Host Namespace
+
+A registry host is the location where container images and artifacts are sourced.  These
+registry hosts may be local or remote and are typically accessed via http/https using the
+[OCI distribution specification](https://github.com/opencontainers/distribution-spec/blob/main/spec.md).
+A registry mirror is not a registry host but these mirrors can also be used to pull content.
+Registry hosts are typically refered to by their internet domain names, aka. registry
+host names. For example, docker.io, quay.io, gcr.io, and ghcr.io.
+
+A registry host namespace is, for the purpose of containerd registry configuration, a
+path to the `hosts.toml` file specified by the registry host name, or ip address, and an
+optional port identifier. When makeing a pull request for an image the format is
+typically as follows:
+```
+pull [registry_host_name|IP address][:port][/v2][/org_path]<image_name>[:tag|@DIGEST]
+```
+
+The registry host namespace portion is `[registry_host_name|IP address][:port]`. Example
+tree for docker.io:
+
+```
+$ tree /etc/containerd/certs.d
+/etc/containerd/certs.d
+└── docker.io
+    └── hosts.toml
+```
+
+The `/v2` portion of the pull request format shown above refers to the version of the
+distribution api. If not included in the pull request, `/v2` is added by default for all
+clients compliant to the distribution specification linked above.
+
+For example when pulling image_name:tag from a private registry named myregistry.io over
+port 5000:
+```
+pull myregistry.io:5000/image_name:tag
+```
+The pull will resolve to `https://myregistry.io:5000/v2/image_name:tag`
+
+# Registry Configuration - Examples
+
+### Simple (default) Host Config for Docker
+Here is a simple example for a default registry hosts configuration. Set
+`config_path = "/etc/containerd/certs.d"` in your config.toml for containerd.
+Make a directory tree at the config path that includes `docker.io` as a directory
+representing the host namespace to be configured. Then add a `hosts.toml` file
+in the `docker.io` to configure the host namespace. It should look like this:
+
+```
+$ tree /etc/containerd/certs.d
+/etc/containerd/certs.d
+└── docker.io
+    └── hosts.toml
+
+$ cat /etc/containerd/certs.d/docker.io/hosts.toml
+server = "https://docker.io"
+
+[host."https://registry-1.docker.io"]
+  capabilities = ["pull", "resolve"]
+```
+
+### Setup a Local Mirror for Docker
+
+```
+server = "https://registry-1.docker.io"    # Exclude this to not use upstream
+
+[host."https://public-mirror.example.com"]
+  capabilities = ["pull"]                  # Requires less trust, won't resolve tag to digest from this host
+[host."https://docker-mirror.internal"]
+  capabilities = ["pull", "resolve"]
+  ca = "docker-mirror.crt"                 # Or absolute path /etc/containerd/certs.d/docker.io/docker-mirror.crt
+```
+
+### Bypass TLS Verification Example
+
+To bypass the TLS verification for a private registry at `192.168.31.250:5000`
+
+Create a path and `hosts.toml` text at the path "/etc/containerd/certs.d/docker.io/hosts.toml" with following or similar contents:
+
+```toml
+server = "https://registry-1.docker.io"
+
+[host."http://192.168.31.250:5000"]
+  capabilities = ["pull", "resolve", "push"]
+  skip_verify = true
+```
+
+# hosts.toml Content Description - Detail
+
+For each registry host namespace directory in your registry `config_path` you may
+include a `hosts.toml` configuration file. The following root level toml fields
+apply to the registry host namespace:
+
+*** Note: All paths specified in the `hosts.toml` file may be absolute or relative
+to the `hosts.toml` file.
+
+## server field
+`server` specifies the default server for this registry host namespace. When
+`host`(s) are specified, the hosts are tried first in the order listed.
+```
+server = "https://docker.io"
+```
+
+## capabilities field
+
+`capabilities` is an optional setting for specifying what operations a host is
+capable of performing. Include only the values that apply.
+```
+capabilities =  ["pull", "resolve", "push"]
+```
+
+capabilities (or Host capabilities) represent the capabilities of the registry host.
+This also represents the set of operations for which the registry host may be trusted
+to perform.
+
+For example, pushing is a capability which should only be performed on an upstream
+source, not a mirror.
+
+Resolving (the process of converting a name into a digest)
+must be considered a trusted operation and only done by
+a host which is trusted (or more preferably by secure process
+which can prove the provenance of the mapping).
+
+A public mirror should never be trusted to do a resolve action.
+
+| Registry Type    | Pull | Resolve | Push |
+|------------------|------|---------|------|
+| Public Registry  | yes  | yes     | yes  |
+| Private Registry | yes  | yes     | yes  |
+| Public Mirror    | yes  | no      | no   |
+| Private Mirror   | yes  | yes     | no   |
+
+## ca field
+
+`ca` (Certificate Authority Certification) can be set to a path or an array of
+paths each pointing to a ca file for use in authenticating with the registry
+namespace.
+```
+ca = "/etc/certs/mirror.pem"
+```
+or
+```
+ca = ["/etc/certs/test-1-ca.pem", "/etc/certs/special.pem"]
+```
+
+## client field
+
+`client` certificates are configured as follows
+
+`a path`:
+```
+client = "/etc/certs/client.pem"
+```
+
+`an array of paths`:
+```
+client = ["/etc/certs/client-1.pem", "/etc/certs/client-2.pem"]
+```
+
+`an array of pairs of paths`:
+```
+client = [["/etc/certs/client.cert", "/etc/certs/client.key"],["/etc/certs/client.pem", ""]]
+```
+
+## skip_verify field
+
+`skip_verify` set this flag to `true` to skip the registry certificate
+verification for this registry host namespace. (Defaults to `false`)
+```
+skip_verify = false
+```
+
+## header fields (in the toml table format)
+
+`[header]` contains some number of keys where each key is to one of a string or
+
+`an array of strings as follows`:
+```
+[header]
+  x-custom-1 = "custom header"
+```
+
+`or`
+```
+[header]
+  x-custom-1 = ["custom header part a","part b"]
+```
+
+`or`
+```
+[header]
+  x-custom-1 = "custom header",
+  x-custom-1-2 = "another custom header"
+```
+
+## host field(s) (in the toml table format)
+
+`[host]."https://namespace"` and `[host].http://namespace` entries in the
+`hosts.toml` configuration are registry namespaces used in lieu of the default
+registry host namespace. These hosts are sometimes called mirrors because they
+may contain a copy of the container images and artifacts you are attempting to
+retrieve from the default registry. Each `host`/`mirror` namespace is also
+configured in much the same way as the default registry namespace. Notably the
+`server` is not specified in the `host` description because it is specified in
+the namespace. Here are a few rough examples configuring host mirror namespaces
+for this registry host namespace:
+```
+[host."https://mirror.registry"]
+  capabilities = ["pull"]
+  ca = "/etc/certs/mirror.pem"
+  skip_verify = false
+  [host."https://mirror.registry".header]
+    x-custom-2 = ["value1", "value2"]
+
+[host."https://mirror-bak.registry/us"]
+  capabilities = ["pull"]
+  skip_verify = true
+
+[host."http://mirror.registry"]
+  capabilities = ["pull"]
+
+[host."https://test-1.registry"]
+  capabilities = ["pull", "resolve", "push"]
+  ca = ["/etc/certs/test-1-ca.pem", "/etc/certs/special.pem"]
+  client = [["/etc/certs/client.cert", "/etc/certs/client.key"],["/etc/certs/client.pem", ""]]
+
+[host."https://test-2.registry"]
+  client = "/etc/certs/client.pem"
+
+[host."https://test-3.registry"]
+  client = ["/etc/certs/client-1.pem", "/etc/certs/client-2.pem"]
+```
+
+**Further, recursion is not supported in the specification of host mirror
+namespaces in the hosts.toml file. Thus the following is not allowed/supported:**
+```
+[host."http://mirror.registry"]
+  capabilities = ["pull"]
+  [host."http://double-mirror.registry"]
+    capabilities = ["pull"]
+```
