podman: Shortnames are broken in 3.0.0 due to missing list of unqualified-search registries

3.0.0 changelog states that:

Shortname aliasing support has now been turned on by default. All Podman commands that must pull an image will, if a TTY is available, prompt the user about what image to pull.

As described in the RedHat blog about this feature, the user can expect some form of fallback in case no shortname alias is defined:

If no matching alias is found, Podman will now prompt the user to choose one of the unqualified-search registries.

However, because the 3.0.0 installation is missing these registries, pulling python:latest (or any other image not currently included in the shortnames list) results in an unexpected result:

$ podman version
Version:      3.0.0
API Version:  3.0.0
Go Version:   go1.14
Built:        Thu Jan  1 03:00:00 1970
OS/Arch:      linux/amd64
$ podman pull python:latest
Error: error getting default registries to try: short-name "python:latest" did not resolve to an alias and no unqualified-search registries are defined in ""

The package that presumably should ship the registries configuration:

$ dpkg -l | grep containers-common
ii  containers-common                100:1-7                           all          Configuration files for working with image signatures.
$ dpkg -L containers-common
/.
/etc
/etc/containers
/etc/containers/containers.conf
/etc/containers/policy.json
/etc/containers/registries.conf.d
/etc/containers/registries.conf.d/shortnames.conf
/etc/containers/registries.d
/etc/containers/registries.d/default.yaml
/etc/containers/storage.conf
/usr
/usr/share
/usr/share/containers
/usr/share/containers/containers.conf
/usr/share/doc
/usr/share/doc/containers-common
/usr/share/doc/containers-common/changelog.Debian.gz
/usr/share/doc/containers-common/copyright
/usr/share/man
/usr/share/man/man5
/usr/share/man/man5/containers-auth.json.5.gz
/usr/share/man/man5/containers-certs.d.5.gz
/usr/share/man/man5/containers-mounts.conf.5.gz
/usr/share/man/man5/containers-policy.json.5.gz
/usr/share/man/man5/containers-registries.conf.5.gz
/usr/share/man/man5/containers-registries.conf.d.5.gz
/usr/share/man/man5/containers-registries.d.5.gz
/usr/share/man/man5/containers-signature.5.gz
/usr/share/man/man5/containers-storage.conf.5.gz
/usr/share/man/man5/containers-transports.5.gz
/usr/share/man/man5/containers.conf.5.gz
/var
/var/lib
/var/lib/containers
/var/lib/containers/sigstore

It would be nice if this list would be included and contain at least something like:

unqualified-search-registries=["docker.io"]

…to adhere to the principle of least astonishment.

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 6
Comments: 31 (16 by maintainers)

Commits related to this issue

Work around containers/podman#9390 — committed to cirruslabs/cirrus-cli by edigaryev 3 years ago
Stream launched container's logs to the CLI's logger (#291) * Work around containers/podman#9390 * Work around containers/podman#9393 * Stream launched container's logs to the CLI's logger *... — committed to cirruslabs/cirrus-cli by edigaryev 3 years ago

Most upvoted comments

Even better, add a file /etc/containers/registries.conf.d/docker.conf with just the line unqualified-search-registries=["docker.io"]

+49

pgampe on Nov 16, 2021

@rhatdan yours is the principled approach but it’s also ignorant to people who just want to get things done. I lost 20 minutes on this because I didn’t know if docker uses hub.docker.com or docker.io or … as default and neither did I know how to provide the url. Is it url:image:version or url/with/repo/path:image:version, … I never cared and never had to and when searching for a python image, the run instructions usually do not include that part neither.

The current error message is just a terrible time-waster and frustrates the user, especially if he’s trying to migrate from docker where it “just works”. Add a link to an explainer with examples please!

+35

Giszmo on Jul 8, 2021

Quick fix for the majority of users is to alter one line: sudo vim /etc/containers/registries.conf unqualified-search-registries=[“docker.io”]

+30

alexander-manley on Oct 22, 2021

Note that there is a security issue behind these changes: https://www.redhat.com/sysadmin/container-image-short-names

Which distribution are you running on, @Giszmo?

I sympathize with the frustration but our hands are tied. Do you think pointing to the containers-registries.conf(5) man page in the error message would have helped you resolve the issue faster?

For the record, the fix in this case would be adding the following line to /etc/containers/registries.conf: unqualified-search-registries=["docker.io"]

+28

vrothberg on Jul 9, 2021

Right this is a packaging issue with Ubuntu. It should ship /etc/containers/registries.comf

rhatdan on Jul 11, 2021

$ podman --version
podman version 3.0.1
$ podman pull python:latest
Error: error getting default registries to try: short-name "python:latest" did not resolve to an alias and no unqualified-search registries are defined in "/etc/containers/registries.conf"

Is this issue back? Maybe the message should suggest what most people probably want anyway: “Try docker.io/python:latest instead”.

Giszmo on Jul 8, 2021

Should be fixed with podman 100:3.0.0-3. Building on OBS atm: https://build.opensuse.org/package/show/devel:kubic:libcontainers:stable/podman . Will be available hopefully in an hour or less.

I’ll keep the bug open for now. Please close it if this resolves your issue.

lsm5 on Feb 16, 2021