Skip to content

Add ability to configure registry-specific proxy in registries.conf #650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cyqsimon wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Add ability to configure registry-specific proxy in registries.conf #650

cyqsimon wants to merge 9 commits into from
+183 −5

Conversation

@cyqsimon
Copy link

@cyqsimon cyqsimon commented Feb 10, 2026
edited
Loading

Closes #624.

Checklist

  • impl
  • tests
  • docs

@github-actions github-actions bot added the image Related to "image" package label Feb 10, 2026
mtrmac
mtrmac reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://github.com/containers/container-libs/blob/main/CONTRIBUTING.md#sign-your-prs please, we can’t really even look at code with unclear copyright status.

@cyqsimon
Copy link
Author

cyqsimon commented Feb 10, 2026

https://github.com/containers/container-libs/blob/main/CONTRIBUTING.md#sign-your-prs please, we can’t really even look at code with unclear copyright status.

Sorry about that. Was planning to do an interactive rebase when things are ready, so I didn't bother.

Will fix tomorrow.

@cyqsimon cyqsimon force-pushed the registries-proxy-config branch from 27a5643 to f82f918 Compare February 11, 2026 12:51
@packit-as-a-service
Copy link

packit-as-a-service bot commented Feb 11, 2026

Packit jobs failed. @containers/packit-build please check.

1 similar comment
@packit-as-a-service
Copy link

packit-as-a-service bot commented Feb 11, 2026

Packit jobs failed. @containers/packit-build please check.

@cyqsimon
Registries proxy config: initial impl
4278ca8 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon
Registries proxy config: add tests
bc60b07 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon cyqsimon force-pushed the registries-proxy-config branch from f82f918 to bc60b07 Compare February 11, 2026 13:01
@cyqsimon
Copy link
Author

cyqsimon commented Feb 11, 2026

Still missing a test in docker_image_src_test.go to test mirrors' proxy config. I'll work on that tomorrow.

mtrmac
mtrmac reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

I agree this makes sense to do for Podman accessed through the remote API, and the config file addition looks good.

image/pkg/sysregistriesv2/system_registries_v2_test.go Outdated

registries, err := GetRegistries(sys)
require.NoError(t, err)
require.Equal(t, 2, len(registries))
Copy link
Contributor

@mtrmac mtrmac Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Non-blocking: I suspect right now all of this could be a single assert.Equal against a literal, instead of 10 individual checks. But add the *net.URL field first before trying that transformation.)

@cyqsimon
Copy link
Author

cyqsimon commented Feb 12, 2026

Thanks a lot for the very detailed review! This is actually my first proper exercise in production Go so I really appreciate the constructive criticism.

I'm more of a Rust guy, and coming into Go I have to say the verbose error handling and the lack of ADT (and hence the presence of invalid states) really irks me. On the other hand, the freedom to just pass around "dangling" references without having to worry about lifetimes is a nice convenience.

Anyways I digress. Please give me a moment to go through all the recommendations.

@cyqsimon
Refactor ParseProxy
2baeda7 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon
Improve code comments
8ace4f7 
- Rewrite comments for `registryProxy` to make it more appropriate for its layer
- Make comments regarding loading registry config more substantive

Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon
Use RFC2606 *.test domains for tests
c5c234e 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon cyqsimon force-pushed the registries-proxy-config branch from 1746c98 to 963a509 Compare February 12, 2026 06:27
cyqsimon
cyqsimon commented Feb 12, 2026
View reviewed changes
@cyqsimon
Parse proxy URL during normalization; make ParseProxy private
28a6cf0 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon
Inline testProxyForRegistry in favour of a table-driven test
d606a57 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon
Make registry-specific proxy takes precedence over proxy env vars
5f58f16 
Because it has a narrower scope than the globally scoped env vars.

Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon cyqsimon force-pushed the registries-proxy-config branch from 2b4c1b3 to 5f58f16 Compare February 12, 2026 07:25
@cyqsimon
Copy link
Author

cyqsimon commented Feb 12, 2026
edited
Loading

Still missing a test in docker_image_src_test.go to test mirrors' proxy config. I'll work on that tomorrow.

I've been attempting to write this test for a couple of hours now and I've found it to be particularly difficult to set up. At this point, given the minimal amount of additional logic in docker_image_src.go, I would prefer to just give up and forgo this test. Sorry, I tried.

What do you think?

@mtrmac
Copy link
Contributor

mtrmac commented Feb 12, 2026

I've been attempting to write this test for a couple of hours now and I've found it to be particularly difficult to set up. At this point, given the minimal amount of additional logic in docker_image_src.go, I would prefer to just give up and forgo this test. Sorry, I tried.

I think that’s fine.

Generally the code in c/image/docker has fairly light unit test coverage… we test the principal operations against real registries in Skopeo tests, but we don’t track test coverage for that. So I don’t think it’s very reasonable to demand a much higher standard.

(Also, it would be easy enough to split the http.Client creation part from detectPropertiesHelper for an isolated unit test, but actually testing that newImageSourceAttempt correctly works together with detectPropertiesHelper to set the proxy field, across the sync.Once, would probably require fairly invasive changes and a good structure, where the tests don’t hard code a lot of knowledge about that interaction, is not obvious to me.)

cyqsimon
cyqsimon commented Feb 13, 2026
View reviewed changes
image/docs/containers-registries.conf.5.md
Comment on lines 122 to 132

Each TOML table in the `mirror` array can contain the following fields:
- `location`: same semantics
as specified in the `[[registry]]` TOML table
- `insecure`: same semantics
as specified in the `[[registry]]` TOML table
- `proxy`: same semantics
as specified in the `[[registry]]` TOML table
- `pull-from-mirror`: `all`, `digest-only` or `tag-only`. If "digest-only", mirrors will only be used for digest pulls. Pulling images by tag can potentially yield different images, depending on which endpoint we pull from. Restricting mirrors to pulls by digest avoids that issue. If "tag-only", mirrors will only be used for tag pulls. For a more up-to-date and expensive mirror that it is less likely to be out of sync if tags move, it should not be unnecessarily used for digest references. Default is "all" (or left empty), mirrors will be used for both digest pulls and tag pulls unless the mirror-by-digest-only is set for the primary registry.
Note that this per-mirror setting is allowed only when `mirror-by-digest-only` is not configured for the primary registry.

Copy link
Author

@cyqsimon cyqsimon Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this list gets formatted correctly but that change would not belong here.

@cyqsimon
Add registry-specific proxy docs to manual
af0e3ea 
Signed-off-by: cyqsimon <28627918+cyqsimon@users.noreply.github.com>
@cyqsimon cyqsimon force-pushed the registries-proxy-config branch from 96e3dcc to af0e3ea Compare February 13, 2026 03:23
@cyqsimon
Copy link
Author

cyqsimon commented Feb 13, 2026

Okay I think all is good now. Please see if you're happy with this current state, and let me know if you would like me to do any sort of rebase and/or squash.

@cyqsimon cyqsimon marked this pull request as ready for review February 13, 2026 03:25
@cyqsimon cyqsimon requested a review from mtrmac February 13, 2026 03:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtrmac mtrmac Awaiting requested review from mtrmac

Assignees

No one assigned

Labels

image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Configure registry-specific HTTP proxy in registries.conf

2 participants

@cyqsimon @mtrmac