image: port registries.conf to pkg/configfile

common/libimage/runtime.go

@@ -48,21 +48,6 @@ type RuntimeOptions struct {
 	SystemContext *types.SystemContext
 }
 
-// setRegistriesConfPath sets the registries.conf path for the specified context.
-func setRegistriesConfPath(systemContext *types.SystemContext) {
-	if systemContext.SystemRegistriesConfPath != "" {
-		return
-	}
-	if envOverride, ok := os.LookupEnv("CONTAINERS_REGISTRIES_CONF"); ok {
-		systemContext.SystemRegistriesConfPath = envOverride
-		return
-	}
-	if envOverride, ok := os.LookupEnv("REGISTRIES_CONFIG_PATH"); ok {
-		systemContext.SystemRegistriesConfPath = envOverride
-		return
-	}
-}
-
 // Runtime is responsible for image management and storing them in a containers
 // storage.
 type Runtime struct {
@@ -119,8 +104,6 @@ func RuntimeFromStore(store storage.Store, options *RuntimeOptions) (*Runtime, e
 		systemContext.BigFilesTemporaryDir = tmpdir
 	}
 
-	setRegistriesConfPath(&systemContext)
-
 	return &Runtime{
 		store:         store,
 		systemContext: systemContext,

common/libimage/runtime_test.go

@@ -39,7 +39,7 @@ func testNewRuntime(t *testing.T, options ...testNewRuntimeOptions) *Runtime {
 	// Make sure that the tests do not use the host's registries.conf.
 	systemContext := &types.SystemContext{
 		SystemRegistriesConfPath:    "testdata/registries.conf",
-		SystemRegistriesConfDirPath: "/dev/null",
+		SystemRegistriesConfDirPath: t.TempDir(),
 	}
 
 	if len(options) == 1 {

common/pkg/auth/auth.go

@@ -393,7 +393,7 @@ func Logout(systemContext *types.SystemContext, opts *LogoutOptions, args []stri
 func defaultRegistryWhenUnspecified(systemContext *types.SystemContext) (string, error) {
 	registriesFromFile, err := sysregistriesv2.UnqualifiedSearchRegistries(systemContext)
 	if err != nil {
-		return "", fmt.Errorf("getting registry from registry.conf, please specify a registry: %w", err)
+		return "", fmt.Errorf("getting registry from registries.conf, please specify a registry: %w", err)
 	}
 	if len(registriesFromFile) == 0 {
 		return "", errors.New("no registries found in registries.conf, a registry must be provided")

image/docs/containers-registries.conf.5.md

@@ -9,7 +9,46 @@ containers-registries.conf - Syntax of System Registry Configuration File
 The CONTAINERS-REGISTRIES configuration file is a system-wide configuration
 file for container image registries. The file format is TOML.
 
-Container engines will use the `$HOME/.config/containers/registries.conf` if it exists, otherwise they will use `/etc/containers/registries.conf`
+By default, the configuration is read from `$XDG_CONFIG_HOME/containers/registries.conf` (or from `$HOME/.config/containers/registries.conf` if `$XDG_CONFIG_HOME` is unset), if it exists; otherwise from `/etc/containers/registries.conf`;  otherwise from `/usr/share/containers/registries.conf`. Applications may allow using a different configuration path instead.
+
+If `CONTAINERS_REGISTRIES_CONF` is set, it specifies the configuration file to use,
+unless overridden by application-specific configuration. If the environment variable
+is set then the following drop-in directories will not be read.
+
+In addition to registries.conf, drop-in files using the same format from the following directories are also read:
+ - `$XDG_CONFIG_HOME/containers/registries.conf.d` (or from `$HOME/.config/containers/registries.conf.d` if `$XDG_CONFIG_HOME` is unset)
+ - `/etc/containers/registries.conf.d`
+ - `/etc/containers/registries.rootful.conf.d` (only when running as uid 0)
+ - `/etc/containers/registries.rootless.conf.d` (only when running as uid > 0)
+ - `/etc/containers/registries.rootless.conf.d/$UID` (only when running as uid > 0)
+ - `/usr/share/containers/registries.rootful.conf.d` (only when running as uid 0)
+ - `/usr/share/containers/registries.rootless.conf.d` (only when running as uid > 0)
+ - `/usr/share/containers/registries.rootless.conf.d/$UID` (only when running as uid > 0)
+
+The files must be using the `.conf` suffix, directories or files with other suffixes will be ignored.
+All files from these paths will be first collected and then sorted in alpha-numerical order.
+If the same filename is used twice then only the first match from the directory list above is
+being used. Then the files will be parsed in the sorted order.
+
+For example consider these files:
+
+- `/usr/share/containers/registries.rootless.conf.d/50-middle.conf`
+- `/etc/containers/registries.rootless.conf.d/20-first.conf`
+- `/etc/containers/registries.rootless.conf.d/70-last.conf`
+
+They will be read in the order of `20-first.conf`, `50-middle.conf`, `70-last.conf`,
+the directory path itself does not matter for the order, only the basename.
+
+Specified fields in a conf file will overwrite any previous setting.
+For instance, setting the `unqualified-search-registries` in
+`/etc/containers/registries.conf.d/myregistries.conf` will overwrite previous
+settings in `/etc/containers/registries.conf`.  The `[[registry]]` tables merged
+by overwriting existing items if the prefixes are identical while new ones are
+added.
+
+If `CONTAINERS_REGISTRIES_CONF_OVERRIDE` is set, it specifies an additional path that is being read last,
+unless overridden by application-specific configuration.
+
 
 ### GLOBAL SETTINGS
 
@@ -284,24 +323,6 @@ The format of `$image_reference` is `$repo{:$tag|@$digest}`.
 
 Additional Layer Stores can use this helper binary to access the private registry.
 
-## VERSION 1 FORMAT - DEPRECATED
-VERSION 1 format is still supported but it does not support
-using registry mirrors, longest-prefix matches, or location rewriting.
-
-The TOML format is used to build a simple list of registries under three
-categories: `registries.search`, `registries.insecure`, and `registries.block`.
-You can list multiple registries using a comma separated list.
-
-Search registries are used when the caller of a container runtime does not fully specify the
-container image that they want to execute.  These registries are prepended onto the front
-of the specified container image until the named image is found at a registry.
-
-Note that insecure registries can be used for any registry, not just the registries listed
-under search.
-
-The `registries.insecure` and `registries.block` lists have the same meaning as the
-`insecure` and `blocked` fields in the current version.
-
 ### EXAMPLE
 The following example configuration defines two searchable registries, one
 insecure registry, and two blocked registries.

image/docs/containers-registries.conf.d.5

@@ -0,0 +1 @@
+.so man5/containers-registries.conf.5

image/pkg/cli/environment/environment.go

@@ -11,6 +11,10 @@ import (
 // context, unless already set.  Possible values are, in priority and only if
 // set, the CONTAINERS_REGISTRIES_CONF or REGISTRIES_CONFIG_PATH environment
 // variable.
+//
+// Deprecated: The registries.conf parsing code in pkg/sysregistriesv2 already
+// reads CONTAINERS_REGISTRIES_CONF. REGISTRIES_CONFIG_PATH should not be used
+// anymore.
 func UpdateRegistriesConf(sys *types.SystemContext) error {
 	if sys == nil {
 		return errors.New("internal error: UpdateRegistriesConf: nil argument")

image/pkg/sysregistriesv2/shortnames_test.go

@@ -117,7 +117,7 @@ func TestResolveShortNameAlias(t *testing.T) {
 	}
 
 	InvalidateCache()
-	conf, err := tryUpdatingCache(sys, newConfigWrapper(sys))
+	conf, err := tryUpdatingCache(newConfigWrapper(sys))
 	require.NoError(t, err)
 	assert.Len(t, conf.aliasCache.namedAliases, 4)
 	assert.Len(t, conf.partialV2.Aliases, 0) // This is an implementation detail, not an API guarantee.
@@ -172,7 +172,7 @@ func TestAliasesWithDropInConfigs(t *testing.T) {
 	}
 
 	InvalidateCache()
-	conf, err := tryUpdatingCache(sys, newConfigWrapper(sys))
+	conf, err := tryUpdatingCache(newConfigWrapper(sys))
 	require.NoError(t, err)
 	assert.Len(t, conf.aliasCache.namedAliases, 8)
 	assert.Len(t, conf.partialV2.Aliases, 0) // This is an implementation detail, not an API guarantee.