Quay Enterprise now supports Docker v2

December 18, 2015 · By Quentin Machu

Just one month after our Docker Registry v1/v2 support announcement for Quay Hosted, CoreOS is delighted to announce Quay Enterprise v1.14.0. This new release introduces Docker Registry v2 support and makes Quay Enterprise fully backward and forward compatible with both protocols, making Quay the easiest place to keep your containers. Push and pull your images securely with any version of Docker Engine (≥0.10) and enjoy the performance boost that registry v2 delivers.

Still want to use registry v1 for all or some of your Docker clients? We’ve got your back! It is also possible to configure Quay Enterprise to prevent specific versions (or ranges) from using v2.

Furthermore, Quay Enterprise’s user interface is now significantly faster thanks to HTTP/2 support.

Finally, numerous issues have been fixed around user, image and repository deletions, ACI volumes, builder failures, and minor interface corrections. We also enhanced several internal components in order to make Quay Enterprise an even more stable place for your production environment.

CoreOS and the Quay team wish you a wonderful holiday season!

v1.quay.io for Docker Engine < 1.9

December 4, 2015 · By Joey Schorr

Since the release of Quay's support for the Docker Registry V2 API, we've received reports of unpredictable client behavior from customers running Docker Engine versions 1.5.0 to 1.8.3. Docker Engines older than 1.5.0 and newer than 1.8.3 are unaffected.

The cause is a bug in the Docker Engine, which is triggered when concurrent pulls are made against Docker registries supporting the Docker Registry V2 APIs.

Ideally, we could work around this inside Quay without changes to customer configuration. Unfortunately, there is no metadata or header available from the Docker Engine that Quay can use to detect these broken versions and avoid the bug.

There are two ways to avoid this bug. The best solution is to upgrade to the latest version of the Docker Engine (currently Docker 1.9.1) as soon as possible. Quay works with many enterprises every day, and we realize that an upgrade isn’t always possible. To support these users, we are also offering an alternative Quay endpoint, accessed by v1.quay.io, that contains a patch to avoid the bug.

Each machine using this endpoint will need two simple configuration tweaks, described below.

Using v1.quay.io

First, you will need to re-login via the docker CLI to v1.quay.io. The credentials are the same. If you are programmatically generating credentials, you can simply replace the hostname in your .dockercfg.

$ docker login v1.quay.io
Username: username+robotaccount
Password: (existing password)
Email: (blank)

Second, use v1.quay.io in place of quay.io in all docker pull and docker push commands:

$ docker pull v1.quay.io/mynamespace/myimage:tag
$ docker push v1.quay.io/mynamespace/myimage:tag

With these steps customers can ensure consistent and safe concurrent pulls of their Docker images from the Quay container registry.

Docker Version     | Quay Hostname
Older than 1.5.0   | quay.io
1.5.0 - 1.8.3      | v1.quay.io
1.9.0+             | quay.io
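
The version table above as a script, added here as an example (it is not code from Quay or from the post): it picks the hostname for a given Docker Engine version, for instance the one printed by docker --version, and rewrites Quay image references and the registry key of a legacy .dockercfg to match. The function names are hypothetical, and the .dockercfg key is assumed to be the bare hostname "quay.io".

```shell
#!/bin/sh
# Added example, not from the Quay blog. Maps a Docker Engine version to the
# Quay hostname from the table above and rewrites image refs and .dockercfg.

# strip_zeros "09" -> 9, "" -> 0 (keeps $(( )) from reading octal)
strip_zeros() {
    _d=${1#"${1%%[!0]*}"}
    echo "${_d:-0}"
}

# ver_to_int 1.8.3 -> 1008003; suffixes such as "-rc1" are ignored
ver_to_int() {
    v=${1%%[-+~]*}
    case $v in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( $(strip_zeros "${1:-}") * 1000000 + $(strip_zeros "${2:-}") * 1000 + $(strip_zeros "${3:-}") ))
}

# quay_host_for VERSION -> v1.quay.io for 1.5.0 through 1.8.3, else quay.io
quay_host_for() {
    n=$(ver_to_int "$1") || { echo "unparseable version: $1" >&2; return 2; }
    if [ "$n" -ge "$(ver_to_int 1.5.0)" ] && [ "$n" -le "$(ver_to_int 1.8.3)" ]; then
        echo v1.quay.io
    else
        echo quay.io
    fi
}

# image_ref_for REF VERSION: swap the hostname on Quay refs, leave others alone
image_ref_for() {
    host=$(quay_host_for "$2") || return
    case $1 in
        quay.io/*|v1.quay.io/*) echo "$host/${1#*/}" ;;
        *) echo "$1" ;;
    esac
}

# dockercfg_for VERSION: filter .dockercfg JSON from stdin to stdout.
# Assumption: the registry key is the bare hostname "quay.io".
dockercfg_for() {
    host=$(quay_host_for "$1") || return
    sed 's#"quay\.io"[[:space:]]*:#"'"$host"'":#'
}
```

An unparseable version makes quay_host_for return non-zero instead of guessing, so a deployment script can stop rather than pull from the wrong endpoint.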

Quay Support for Docker V2 and V1

November 19, 2015 · By Jake Moshenko

In our effort to make Quay the easiest place to host your containers, Quay is happy to announce support for the Docker V2 registry protocol, while maintaining full backward and forward compatibility with the existing V1 protocol. Starting today Docker is deprecating push support of clients 1.5 and earlier in Docker Hub, yet rest assured that your existing images will remain fully accessible in Quay, to both old and new versions of Docker.

With today’s announcement, you will be able to use both old and new clients on all of our images, regardless of the format used when the image was pushed. New versions of Docker will benefit from a performance boost when pulling or pushing.

Use any Image Format with Quay

In the spirit of openness, we want Quay to be your home for any type of image, whether it is Docker V1 or V2, rkt, appc, or another container format.

Take advantage of the bidirectional support by moving your V1 container images from Docker Hub to Quay, which will allow you to keep using older Docker clients (v0.10+ supported) without issue. First, register a new account and follow this process for each container:

$ docker pull username/container
$ docker tag username/container quay.io/username/container
$ docker push quay.io/username/container

Quay Enterprise users will gain support for Docker V2 in the next major release.

Want to learn more about Quay, CoreOS and Tectonic? Join us at Tectonic Summit on December 2nd and 3rd in NYC. Request your invite here.

Security Scanning in Beta, Powered by Clair

November 13, 2015 · By Joey Schorr

Today we are releasing a new feature in beta, Security Scanning. Quay Security Scanning will automatically detect and report vulnerabilities in your containers. We have already scanned millions of containers on Quay with this feature, and found that nearly 80% are subject to major vulnerabilities, such as Heartbleed.

Security Scanning is powered by our open source vulnerability analysis tool, Clair. You can read about Clair on the CoreOS blog. We are open sourcing Clair in order to be transparent about the vulnerabilities we are looking for, and to help other container registry vendors provide this type of transparency to their users.

In practice, every time an image is pushed into Quay, the analysis system will check it for vulnerabilities, flag them in the interface, and send a notification. Each report will include the level of the vulnerability (high, medium or low), a description, and the packages that are installed. A link to the vulnerability’s source information is included, which generally lists the steps required to patch the vulnerability.

For a quick overview of the feature and how it works, please check out the following steps.

How to See Your Vulnerable Images

[Image: repository tags]

Starting today, the vulnerability status can be seen in a new column entitled “Security Scan” in the tags view. This column will show Passed if no vulnerabilities were detected in the tag’s image. Quay Security Scanning rates any vulnerabilities it finds in containers as high, medium or low.

[Image: repository tags with critical vulnerability]

Results of your proactive security scans can be viewed by tag for each of your repositories.

If the tag has a vulnerability, the highest priority vulnerability will be shown (color coded), along with the total number of vulnerabilities detected. Clicking on the vulnerability information will bring up the full vulnerability list:

[Image: image security]

On the vulnerability list, you can see the full information for each vulnerability, including its priority, its description and a link to its source information.

[Image: image packages]

Finally, we’ve added another panel for viewing the full list of detected packages in a container image, including their versions and source OS.

How to Set Up Notifications

To react quickly to identified vulnerabilities, notifications can be configured for email, Slack, generic webhooks, and more. These settings are configurable per repository so each development team can choose how to be notified and the level of severity they care about.

Next Steps

Security Scanning is currently in beta, so please provide your feedback by emailing support. Additionally, support for Quay Enterprise is coming soon, but is not part of this release.

Try security scanning today by logging into Quay.io.

Quay Enterprise v1.13.3 Released

November 10, 2015 · By Jimmy Zelinskie

Some customers were reporting issues while upgrading to the previous versions of Quay Enterprise. We worked with them to diagnose a root cause. The culmination of this work is our latest minor release, v1.13.3, which users should upgrade to if they're having issues upgrading to any of the previous v1.13 releases.

Quay Enterprise v1.13 contains long-running migrations and should be updated during a maintenance window in which administrators have several hours to dedicate to the database migration. Quay Enterprise will not be available while these migrations run.