Hey, there. Hope all is well, all things considered.

Sorry you're running into this frustration with out-of-the-box podman.
For what it's worth, I'm very new to containers (from an implementation
and practical standpoint), and when I also ran into this problem
(today), I found it frustrating.

It seems that the intent with the podman package is not to provide a
registries.conf file by default. Why? I could speculate on the reasons:
security, being one, since supply-chain poisoning is possible; there not
being a "centralized" authority for containers, like there are for
things like distribution updates, &c; the idea that the user will need
to configure specifics and may not want to pull container images from
the outside world (which I feel is both reasonable, but also kind of
not).

This conclusion is based on reading the contents of the
containers-registries.conf manual page (man 5 containers-registries.conf)
and looking at the following post out on GitHub:
https://github.com/containers/podman/issues/8896

First, podman will apparently look in two places for configuration
files:

        /home/<username>/.config/containers (principal)
        /etc/containers (fallback)

My guess would be that you would create a registries.conf file in
~/.config/containers if you wanted to have default registry search
domains that you use for containers. Aside from giving you, the user,
complete control over the registries that you want to use for your
container template searches, it also means no modifications or
assumptions required for the base system configuration.

If you want the "Big Three" repositories, you can do the following:

        # -p creates ~/.config too if it is missing; the value must stay quoted
        # so the brackets and double quotes reach the file as valid TOML.
        if [ ! -d ~/.config/containers ]; then
          mkdir -p ~/.config/containers/
          echo 'unqualified-search-registries = ["registry.access.redhat.com", "registry.fedoraproject.org", "docker.io"]' > ~/.config/containers/registries.conf
        elif [ ! -f ~/.config/containers/registries.conf ]; then
          echo 'unqualified-search-registries = ["registry.access.redhat.com", "registry.fedoraproject.org", "docker.io"]' > ~/.config/containers/registries.conf
        fi

This will:
- Create the directory "containers" in "~/.config" if it doesn't exist.
- Create the file "registries.conf" with the Red Hat, Fedora, and Docker
  registries in "~/.config/containers".
- If, instead, the directory does exist, but the "registries.conf" file does
  not, it will create the "registries.conf" file in "~/.config/containers"
  with the Red Hat, Fedora, and Docker registries.

At this point, doing a "podman search nginx" or other, unqualified
search (a search that doesn't specify any other elements except the
package name) should work. However, it will display contributed
packages, not necessarily official packages.

There is also a general warning about using registries.conf to perform
searches that don't specify the registry or use potentially insecure
sources of images. In short, it's a security risk:

(from the containers-registries.conf man 5 page:)

"NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
We recommend always using fully qualified image names including the registry 
server (full DNS name), namespace, image name, and tag (e.g., 
registry.redhat.io/ubi8/ubi:latest). When using short names, there is always an 
inherent risk that the image being pulled could be spoofed. For example, a user 
wants to pull an image named foobar from a registry and expects it to come from 
myregistry.com. If myregistry.com is not first in the search list, an attacker 
could place a different foobar image at a registry earlier in the search list. 
The user would accidentally pull and run the attacker's image and code rather 
than the intended content. We recommend only adding registries which are 
completely trusted, i.e. registries which don't allow unknown or anonymous 
users to create accounts with arbitrary names. This will prevent an image from 
being spoofed, squatted or otherwise made insecure.  If it is necessary to use 
one of these registries, it should be added at the end of the list."

"It is recommended to use fully-qualified images for pulling as the
destination registry is unambiguous. Pulling by digest (i.e.,
quay.io/repository/name@digest) further eliminates the ambiguity of
tags."

The way to perform a search that uses full qualification and works is
similar to:

        $ podman search <flags> <repository.tld>/<namespace>/<package>
        
For example, to only get official packages for MediaWiki:

        $ podman search --filter=is-official docker.io/mediawiki

Which should return:

        NAME                         DESCRIPTION
        docker.io/library/mediawiki  MediaWiki is a free software open source wik...

All this being said, I do believe that it would be reasonable to expect
example configuration files to be available in /usr/share/containers and/or
in /etc/containers, much as some other packages provide example
configurations. This may or may not be a package maintainer's
responsibility to ensure, but having clearly described examples available
would help individuals understand the implications more.

Either way, hope this helps you solve and/or understand the issue a bit
more. In this case, even with a workaround, there's still an issue,
especially for people just coming to containers; I feel that an
enhancement is in order in this regard.

Best wishes!

** Bug watch added: github.com/containers/podman/issues #8896
   https://github.com/containers/podman/issues/8896

https://bugs.launchpad.net/bugs/2062838

Title:
  podman ignoring /etc/containers/registries.conf  and .conf.d when in
  rootless mode
