openshift-docs/modules/machineconfig-modify-registry.adoc

// Module included in the following assemblies:
//
// * installing/post_installation_configuration/machine-configuration-tasks.adoc

[id="machineconfig-modify-registry_{context}"]
= Configuring container image registry settings

Settings that define the registries that {product-title} uses to get container images
are held in the `/etc/containers/registries.conf` file by default. In that file,
you can set registries to not require authentication (insecure), point to
mirrored registries, or set which registries are searched for unqualified
container image requests.

Rather than change `registries.conf` directly, you can drop configuration files
into the `/etc/containers/registries.d` directory that are then automatically
appended to the system's existing `registries.conf` settings.

This procedure describes how to create a `registries.d` file
(`/etc/containers/registries.s/99-worker-unqualified-search-registries.conf`)
that adds `quay.io` as an unqualified search registry (one that {product-title}
can search when it tries to pull an image name that does not include the registry name).
It includes base64-encoded content that you can examine as follows:

[source,terminal]
----
$ echo dW5xdWFsaWZpZWQtc2VhcmNoLXJlZ2lzdHJpZXMgPSBbJ3JlZ2lzdHJ5LmFjY2Vzcy5yZWRoYXQuY29tJywgJ2RvY2tlci5pbycsICdxdWF5LmlvJ10K | base64 -d
unqualified-search-registries = ['registry.access.redhat.com', 'docker.io', 'quay.io']
----

See the `containers-registries.conf` man page for the format for the
`registries.conf` and `registries.d` directory files.

.Prerequisites
* Have a running {product-title} cluster (version 4.4 or later).
* Log in to the cluster as a user with administrative privileges.

.Procedure

. Create a YAML file (`myregistry.yaml`) to hold the contents of the
`/etc/containers/registries.d/99-worker-unqualified-search-registries.conf`
file, including the encoded base64 contents for that file. For example:
+
[source,terminal]
----
$ cat > /tmp/myregistry.yaml <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-unqualified-search-registries
spec:
  config:
    ignition:
      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,dW5xdWFsaWZpZWQtc2VhcmNoLXJlZ2lzdHJpZXMgPSBbJ3JlZ2lzdHJ5LmFjY2Vzcy5yZWRoYXQuY29tJywgJ2RvY2tlci5pbycsICdxdWF5LmlvJ10K
        filesystem: root
        mode: 0420
        path: /etc/containers/registries.d/99-worker-unqualified-search-registries.conf
EOF
----

. Apply the MachineConfig to the pool:
+
[source,terminal]
----
$ oc apply -f /tmp/myregistry.yaml
----

. Check that the new MachineConfig has been applied and that the nodes
are not in a degraded state. It might take a few minutes.
The worker pool will show the updates in progress, as each machine successfully
has the new MachineConfig applied:
+
[source,terminal]
----
$ oc get machineconfigpool
NAME   CONFIG             UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
master rendered-master-35 True    False    False    3            3                 3                   0                    34m
worker rendered-worker-d8 False   True     False    3            1                 1                   0                    34m
----
. To check that the change was applied, you can log in to a worker node:
+
[source,terminal]
----
$ oc get node | grep worker
ip-10-0-0-1.us-east-2.compute.internal   Ready    worker   39m   v0.0.0-master+$Format:%h$
$ oc debug node/ip-10-0-0-1.us-east-2.compute.internal
Starting pod/ip-10-0-141-142us-east-2computeinternal-debug ...
...
sh-4.2# chroot /host
sh-4.4# cat /etc/containers/registries.d/99-worker-unqualified-search-registries.conf
unqualified-search-registries = ['registry.access.redhat.com', 'docker.io', 'quay.io']
sh-4.4# exit
----