Transitioning the Red Hat container registry

Red Hat has seen significant adoption of our container ecosystem since we began shipping Red Hat Enterprise Linux with support for Linux containers more than four years ago. To support our existing users and users to come, we will be transitioning our product portfolio and customers to a new container registry for Red Hat container images available at registry.redhat.io over the next year. We have several reasons to make this change, and we’re also taking a number of steps to make the move away from registry.access.redhat.com as minimally disruptive as possible.

A Unified Experience to Access Content

We reached a major step in improving the access and usability of our container content with the release of the Red Hat Container Catalog. The Red Hat Container Catalog user interface effectively brings together everything required to leverage our container ecosystem, right at our users’ fingertips.

Backing the catalog are multiple registries, with different requirements for accessing content. This ranges from registries that require no authentication to registries that require attaching entitlements with subscription-manager to pull images. As we transition to registry.redhat.io, our goal is to have a uniform experience for all of our registries that uses industry standard Open Authorization (OAuth).

Clear Ts & Cs Lead to Better Support

The primary value we bring to our images can be summarized by quality of testing, product stability, clearly defined life cycles, and our Container Health Index scores. The proliferation of container technologies, with a wide variety of update and support policies, has made it necessary for our customers to distinguish between supported and unsupported offerings.

To help solve this, the new registry requires accepting Red Hat’s terms and conditions, and authentication to access content. This provides a clear separation for users consuming supported products and those participating in our development program.

The Details

The new registry at registry.redhat.io will be using standard OAuth mechanisms for authentication. This is the most common means across the container ecosystem and will “just work” for most users. Customers using the container command line tools shipped with Red Hat Enterprise Linux will be able to use `podman login` and `docker login`, respectively, and our standard Customer Portal credentials will provide unified access to our container images.

We are also implementing a User Interface (UI) to generate service account tokens that will be leveraged by our container platform, Red Hat OpenShift. These tokens can also be leveraged in an environment where interactive users’ credentials are not ideal, such as as a CI/CD job or pipeline that needs to access our container images.

The current registry, at registry.access.redhat.com, will eventually be retired; however, no immediate action is required for existing OpenShift and Red Hat Enterprise Linux deployments. New installs of OpenShift 3.11 will default to the new registry for both images and image streams, and we plan to produce tooling to aid existing deployments to migrate at a later time. Further communications and details around the retirement of registry.access.redhat.com will be available via our normal channels on the Customer Portal.

A note on the Red Hat Quay container registry

Separately, you also may be familiar with Red Hat Quay, a container registry that is also a part of the Red Hat product portfolio (standalone or integrated). Quay is expected to see future enhancements and continued integration with OpenShift in future releases. Users of the Red Hat Quay registry will not be impacted by this Red Hat Registry transition.

Wrap Up

We are excited to continually improve the experience and quality of our container technologies. Further documentation around the new registry is available here.

Note: This post was edited on April 23, 2019 to update the information about retiring the current registry.