Firewall changes for container image pulls 2024/2025
The Red Hat container image registries are changing, which means docker and podman users who pull images from the Red Hat registries may need to adjust their firewall settings. Please make this adjustment by April 1st, 2025.
What to change
Quay.io is adding 3 additional endpoints to expand our site reliability and overall availability. As a result, customers that have opted to implement allow/block lists within their firewall systems will need to adjust those lists to include these 3 additional endpoints.
- cdn04.quay.io
- cdn05.quay.io
- cdn06.quay.io
To avoid problems pulling container images, you will need to allow outbound TCP connections (ports 80 and 443) to these hostnames:
- cdn.quay.io
- cdn01.quay.io
- cdn02.quay.io
- cdn03.quay.io
- cdn04.quay.io
- cdn05.quay.io
- cdn06.quay.io
This change should be made to any firewall configuration that specifically allows outbound connections to registry.redhat.io or registry.access.redhat.com. After making this change you will be able to continue pulling images from registry.redhat.io and registry.access.redhat.com as before. You do not need a Quay.io login, or to interact with the Quay.io registry directly in any way, in order to continue pulling Red Hat container images.
This change is needed for all products which may pull images from Red Hat registries. Outbound connections to these hosts may already be allowed in your firewall configuration as a result of having previously followed the OpenShift installation instructions, or because you already use the Quay.io registry for other purposes. Other products that synchronize or download container images from the Red Hat registry, such as Red Hat Ansible Automation Platform (AAP) or Red Hat Satellite, may need their firewall or proxy configuration changed to allow outbound access to the hosts listed above.
We recommend using the hostnames instead of IP addresses when configuring firewall rules. See this article for more information.
Troubleshooting Details
The Red Hat registries, registry.redhat.io and registry.access.redhat.com, return a header in the HTTP 302 redirect response which allows access only to specific content in the Quay.io CDN for a short period of time. Because of this mechanism, no image content can be pulled directly from the Quay.io CDN hosts; it must instead be pulled through a container registry, which performs the redirect. The Red Hat registries only provide access to Red Hat container images.
Allowing outbound connections to the hostnames mentioned above may resolve the following issues, depending on the characteristics of the firewall you use:
- Connection refused when pulling images
- I/O timeout when pulling images
- ImagePullBackOff status when pulling images within an OpenShift or Kubernetes cluster
Here are example errors you might see from "podman pull" with different firewall configurations:
Trying to pull [...]...
WARN[0033] Failed, retrying in 1s ... (1/3). Error: copying system image from manifest list: parsing image configuration: Get "https://cdn05.quay.io/sha256/[...]": dial tcp [...]: connect: connection refused
WARN[0065] Failed, retrying in 1s ... (2/3). Error: copying system image from manifest list: parsing image configuration: Get "https://cdn05.quay.io/sha256/[...]": dial tcp [...]: connect: connection refused
WARN[0099] Failed, retrying in 1s ... (3/3). Error: copying system image from manifest list: parsing image configuration: Get "https://cdn05.quay.io/sha256/[...]": dial tcp [...]: connect: connection refused
Error: copying system image from manifest list: parsing image configuration: Get "https://cdn05.quay.io/sha256/[...]": dial tcp [...]: connect: connection refused
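As an added triage helper (not part of this article or any Red Hat tool), the script below parses "podman pull" output like the lines above, extracts the Quay.io CDN host that the firewall refused or timed out, and reports which of the required hostnames are still missing from an allow list; it also includes a live TCP 80/443 connect check for the full host list. The sample log, the digest and the 203.0.113.10 address are constructed placeholders.

```python
import re
import socket

# Hostnames the article says must be allowed outbound on TCP 80 and 443.
REQUIRED_CDN_HOSTS = (
    "cdn.quay.io", "cdn01.quay.io", "cdn02.quay.io", "cdn03.quay.io",
    "cdn04.quay.io", "cdn05.quay.io", "cdn06.quay.io",
)

# Extracts the host from the `Get "https://host/..."` part of a pull error.
_FAILED_GET_RE = re.compile(r'Get "https?://([A-Za-z0-9.-]+)/')

def blocked_hosts(log_text):
    """Hosts named in connection-refused / i/o-timeout lines of podman output."""
    hosts = set()
    for line in log_text.splitlines():
        if "connection refused" in line or "i/o timeout" in line:
            m = _FAILED_GET_RE.search(line)
            if m:
                hosts.add(m.group(1).lower())
    return hosts

def missing_from_allowlist(allowed, failures):
    """Quay CDN hosts that failed and are absent from the firewall allow list."""
    return {h for h in failures if h in REQUIRED_CDN_HOSTS and h not in allowed}

def check_reachability(hosts=REQUIRED_CDN_HOSTS, ports=(80, 443), timeout=3.0):
    """Live TCP connect test from this machine; returns {(host, port): bool}. Needs network."""
    results = {}
    for host in hosts:
        for port in ports:
            try:
                with socket.create_connection((host, port), timeout=timeout):
                    results[(host, port)] = True
            except OSError:
                results[(host, port)] = False
    return results

# Constructed sample modelled on the podman output quoted above (placeholder digest and IP).
SAMPLE_PODMAN_LOG = """\
Trying to pull registry.redhat.io/ubi9/ubi:latest...
WARN[0033] Failed, retrying in 1s ... (1/3). Error: copying system image from manifest list: parsing image configuration: Get "https://cdn05.quay.io/sha256/0000deadbeef": dial tcp 203.0.113.10:443: connect: connection refused
"""

if __name__ == "__main__":
    failed = blocked_hosts(SAMPLE_PODMAN_LOG)
    # An allow list written before this change: cdn04-cdn06 are absent.
    pre_change_allowlist = {"cdn.quay.io", "cdn01.quay.io", "cdn02.quay.io", "cdn03.quay.io"}
    print("failed CDN hosts:", sorted(failed))
    print("add to allow list:", sorted(missing_from_allowlist(pre_change_allowlist, failed)))
```

Run check_reachability() from the host that does the pulls to confirm every required hostname is reachable on both ports after the rule change.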
Getting help
Your Red Hat account team or Red Hat partner is available for guidance. Alternatively, reach out to our support experts: https://access.redhat.com/support/.