Red Hat Quay Release Notes
Red Hat Quay
Preface
Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:
- Granular security management
- Fast and robust at any scale
- High velocity CI/CD
- Automated installation and updates
- Enterprise authentication and team-based access control
- OpenShift Container Platform integration
Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.
Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.
Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to roll back your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.
Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.
Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions is archived on the Product Documentation for Red Hat Quay 2.9 page.
Chapter 1. Red Hat Quay release notes
The following sections detail y and z stream release information.
1.1. RHBA-2024:0382 - Red Hat Quay 3.10.3 release
Issued 2024-01-31
Red Hat Quay release 3.10.3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:0382 advisory.
1.1.1. Red Hat Quay 3.10.3 bug fixes
- PROJQUAY-4849. Previously, the exporter failed to update the lifetime end of child manifests in the main manifest lists. Consequently, this led to exceptions when attempting to pull Docker images by tag after the tag was removed from the database due to garbage collection. This issue has been resolved.
- PROJQUAY-6007. Previously, the Operator would attempt to create a temporary fake route to check if the cluster supported the Route API. This check was unable to be conducted when the route and TLS component were marked as unmanaged because these components are supposed to be managed manually by the user. This issue has been resolved.
1.2. RHBA-2024:0102 - Red Hat Quay 3.10.2 release
Issued 2024-01-16
Red Hat Quay release 3.10.2 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:0102 advisory.
1.2.1. Red Hat Quay 3.10.2 new features
With this release, IBM Cloud object storage is now supported. For more information, see IBM Cloud Object Storage.
1.2.2. Red Hat Quay 3.10.2 bug fixes
1.2.3. Known issues
A known issue was discovered when using naming conventions with the following words for repository names:
- build
- trigger
- tag
When these words are used for repository names, users are unable to access the repository, and are unable to permanently delete the repository. Attempting to delete these repositories returns the following error:
Failed to delete repository <repository_name>, HTTP404 - Not Found.
There is no workaround for this issue. Users should not use build, trigger, or tag in their repository names.
1.3. RHBA-2023:7819 - Red Hat Quay 3.10.1 release
Issued 2023-12-14
Red Hat Quay release 3.10.1 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2023:7819 advisory.
1.3.1. Red Hat Quay 3.10.1 bug fixes
- PROJQUAY-5452 - Breadcrumbs incorrect when visiting a direct link
- PROJQUAY-6333 - [New UI] The user in the team which has "member" or "creator" role can’t see the "Teams and Membership" tab
- PROJQUAY-6336 - Quay 3.10 new UI can’t add normal user to quay new team during Create team wizard
- PROJQUAY-6369 - The search input box doesn’t work in permanently delete default permissions wizard of new UI
1.4. RHBA-2023:7341 - Red Hat Quay 3.10.0 release
Issued 2023-11-28
Red Hat Quay release 3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHSA-2023:7341 and RHSA-2023:7575 advisories.
1.5. Red Hat Quay release cadence
With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.
For more information, see the Red Hat Quay Life Cycle Policy.
1.6. Red Hat Quay new features and enhancements
The following updates have been made to Red Hat Quay.
1.6.1. IBM Power, IBM Z, IBM® LinuxONE support
With this release, IBM Power (ppc64le), IBM Z (s390x), and IBM® LinuxONE (s390x) architectures are supported.
1.6.2. Namespace auto-pruning
With Red Hat Quay 3.10, Red Hat Quay administrators can set up auto-pruning policies on namespaces (both users and organization). This feature allows for image tags to be automatically deleted within a namespace based on specified criteria. For this release, two policies have been added:
- Auto-pruning images based on the number of tags.
- Auto-pruning based on the age of a tag.
The auto-pruning feature allows Red Hat Quay organization owners to stay below the storage quota by automatically pruning content based on one of the aforementioned policies.
For more information about implementing this feature, see Red Hat Quay namespace auto-pruning overview.
1.6.3. Red Hat Quay UI v2 enhancements
In Red Hat Quay 3.8, a new UI was introduced as a technology preview feature. With Red Hat Quay 3.10, the following enhancements have been made to the UI v2:
- With this update, a Settings page has been added for Red Hat Quay organizations. Red Hat Quay administrators can edit their preferences, billing information, and set organization types from this page.
- With this update, a Settings page has been added for Red Hat Quay repositories. This page must be enabled by setting FEATURE_UI_V2_REPO_SETTINGS to true in your config.yaml file. This page allows users to create and set robot permissions, create events and notifications, set repository visibility, and delete repositories.
- With this update, bulk managing robot account repository access is available on the Red Hat Quay v2 UI. Users can now easily add a robot account to multiple repositories using the v2 UI.
- With this update, the default user repository, or namespace, now includes a Robot accounts tab. This allows users to easily create their own robot accounts.
With this update, the following alert messages have been added to confirm either the creation, or failure, of robot accounts and permission updates:
- Successfully updated repository permission
- Successfully created robot account with robot name: <organization_name> + <robot_name>
  Alternatively, you can receive the following error if you try to create a robot account with the same name as another: Error creating robot account
- Successfully deleted robot account
With this update, a Teams and membership page has been added to the v2 UI. Red Hat Quay administrators can perform the following actions from this page:
- Create new teams
- Manage or create new team members
- Set repository permissions
- Search for specific teams
- View teams, members of a team, or collaborators of a team
- With this update, a Default permissions page has been added to the v2 UI. This page allows Red Hat Quay administrators to set repository permissions.
- With this update, a Tag History page has been added to the v2 UI. Additionally, Red Hat Quay administrators can add and manage labels for repositories, and set expiration dates for specified tags in a repository.
For more information about navigating the v2 UI and enabling, or using, these features, see Using the Red Hat Quay v2 UI.
1.6.4. Garbage collection of manifests for Clair
Previously, Clair’s indexer database was continually growing as it added storage when new manifests and layers were uploaded. This could cause the following issues for Red Hat Quay deployments:
- Increased storage requirements
- Performance issues
- Increased storage management burden, requiring that administrators would monitor usage and develop a scaling strategy
With this update, a new configuration field, SECURITY_SCANNER_V4_MANIFEST_CLEANUP, has been added. When this field is set to true, the Red Hat Quay garbage collector removes manifests that are not referenced by other tags or manifests. As a result, manifest reports are removed from Clair’s database.
1.6.5. Managing Red Hat Quay robot accounts
Prior to Red Hat Quay 3, all users were able to create robot accounts with unrestricted access. With this release, Red Hat Quay administrators can manage robot accounts by disallowing users to create new robot accounts.
For more information, see Disabling robot accounts.
1.7. New Red Hat Quay configuration fields
The following configuration fields have been added to Red Hat Quay 3.
1.7.1. Clair garbage collection of manifests configuration field
SECURITY_SCANNER_V4_MANIFEST_CLEANUP: When set to true, the Red Hat Quay garbage collector removes manifests that are not referenced by other tags or manifests.
Default: True
1.7.2. Disabling robot accounts configuration field
ROBOTS_DISALLOW: When set to true, robot accounts are prevented from all interactions, as well as from being created.
Default: False
1.7.3. Namespace auto-pruning configuration field
The following configuration fields have been added for the auto-pruning feature:
FEATURE_AUTO_PRUNE: When set to True, enables functionality related to the auto-pruning of tags.
Default: False
1.7.4. Red Hat Quay v2 UI repository settings configuration field
FEATURE_UI_V2_REPO_SETTINGS: When set to True, enables repository settings in the Red Hat Quay v2 UI.
Default: False
1.8. Red Hat Quay Operator
The following updates have been made to the Red Hat Quay Operator:
The config editor has been removed from the Red Hat Quay Operator on OpenShift Container Platform deployments. As a result, the quay-config-editor pod no longer deploys, and users cannot check the status of the config editor route. Additionally, the Config Editor Endpoint no longer generates on the Red Hat Quay Operator Details page.
Users with existing Red Hat Quay Operators who are upgrading from 3.7, 3.8, or 3.9 to 3 must manually remove the Red Hat Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Red Hat Quay Operator.
By default, the config editor was deployed for every QuayRegistry instance, which made it difficult to establish an audit trail over the registry’s configuration. Anyone with access to the namespace, config editor secret, and config editor route could use the editor to make changes to Red Hat Quay’s configuration, and their identity was not logged in the system. Removing the config editor forces all changes through the config bundle property of the QuayRegistry resource, which points to a secret, which is then subject to native Kubernetes auditing and logging.
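The audit trail described above can be read back from the Kubernetes API server audit log. The following is an added example, not part of the Red Hat Quay documentation or code: it scans JSON-lines audit events for write attempts against the config bundle secret or the QuayRegistry resource and reports who made them. The namespace, secret, registry and user names, and the sample events, are constructed for illustration.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}

def make_event(ts, user, verb, resource, name, group="", code=200):
    """Build one constructed audit.k8s.io/v1 event line (sample data only)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1",
        "stage": "ResponseComplete", "verb": verb,
        "requestReceivedTimestamp": ts, "user": {"username": user},
        "objectRef": {"resource": resource, "apiGroup": group,
                      "namespace": "quay-enterprise", "name": name},
        "responseStatus": {"code": code},
    })

# Constructed sample log; namespace, object and user names are hypothetical.
SAMPLE_LOG = [
    make_event("2024-02-01T09:00:00Z", "operator-sa", "get", "secrets", "config-bundle-secret"),
    make_event("2024-02-01T09:05:12Z", "alice", "patch", "secrets", "config-bundle-secret"),
    make_event("2024-02-01T09:07:40Z", "bob", "update", "secrets", "config-bundle-secret", code=403),
    make_event("2024-02-01T09:10:03Z", "alice", "patch", "quayregistries", "example-registry",
               group="quay.redhat.com"),
    make_event("2024-02-01T09:11:00Z", "carol", "delete", "secrets", "unrelated-secret"),
    "{truncated line",
]

def config_changes(lines, namespace, bundle_secret, registry):
    """Return (timestamp, user, verb, target, allowed) for each write attempt on the
    config bundle secret or on the QuayRegistry resource that points to it."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ev.get("verb") not in WRITE_VERBS:
            continue
        if ref.get("namespace") != namespace:
            continue
        is_bundle = ref.get("resource") == "secrets" and ref.get("name") == bundle_secret
        is_registry = (ref.get("resource") == "quayregistries"
                       and ref.get("apiGroup") == "quay.redhat.com"
                       and ref.get("name") == registry)
        if is_bundle or is_registry:
            code = (ev.get("responseStatus") or {}).get("code", 0)
            user = (ev.get("user") or {}).get("username", "unknown")
            hits.append((ev.get("requestReceivedTimestamp"), user, ev["verb"],
                         f"{ref['resource']}/{ref['name']}", 200 <= code < 300))
    return hits

if __name__ == "__main__":
    for hit in config_changes(SAMPLE_LOG, "quay-enterprise", "config-bundle-secret", "example-registry"):
        print(hit)
```

Denied attempts (the 403 in the sample) are kept in the result with allowed set to False, since a rejected write to the registry configuration is itself worth reviewing.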
1.9. Red Hat Quay 3.10 known issues and limitations
The following sections note known issues and limitations for Red Hat Quay 3.
1.9.1. Red Hat Quay 3.10 known issues
- There is a known issue with the auto-pruning feature when pushing image tags with Cosign signatures. In some scenarios, for example, when each image tag uses a different Cosign key, the auto-pruner worker removes the image signature and only keeps the image tag. This occurs because Red Hat Quay considers image tags and the signature as two tags. The expected behavior of this feature is that the auto-pruner should consider the image tag and signature as one item, calculate only the image tag, and when the auto-pruner worker is configured in such a way that the tag is pruned, it also prunes the signature. This will be fixed in a future version of Red Hat Quay. (PROJQUAY-6380)
- Currently, auditing for auto-pruning policy operations, including creating, updating, or deleting policies, is unavailable. This is a known issue and will be fixed in a future release of Red Hat Quay. (PROJQUAY-6228)
- Currently, the auto-pruning worker prunes ReadOnly and mirror repositories, in addition to normal repositories. ReadOnly and mirror repositories should not be pruned automatically. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6235)
- When upgrading the Red Hat Quay Operator from versions 3.7, 3.8, or 3.9 to 3, users must manually remove the Red Hat Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Red Hat Quay Operator.
- When creating a new team using the Red Hat Quay v2 UI, users are unable to add normal users to the new team. This only occurs while setting up the new team. As a workaround, you can add users after the team has been created. Robot accounts are unaffected by this issue. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6336)
- Sometimes, when creating a new default permission setting, the Create default permission button is disabled. As a workaround, you can try adjusting the Applied to setting in the Create default permission wizard. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6341)
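For the Cosign known issue above (PROJQUAY-6380), a repository's tag listing can be checked for image tags that have lost their signature. The following is an added example, not Red Hat Quay code: it relies on the Cosign convention of storing the signature for manifest sha256:<hex> under the tag sha256-<hex>.sig, and the sample tag names and digests are constructed.

```python
import re

# cosign publishes the signature for manifest sha256:<hex> under the tag sha256-<hex>.sig
SIG_TAG = re.compile(r"^sha256-([0-9a-f]{64})\.sig$")

def audit_signatures(tags):
    """tags: iterable of (tag_name, manifest_digest) pairs from a repository listing.
    Returns image tags with no signature tag, signature tags whose image tag is gone,
    and the number of tags a tag-count policy sees versus the number of image tags."""
    images, signatures = {}, {}
    for name, digest in tags:
        match = SIG_TAG.match(name)
        if match:
            # Key by the digest of the image the signature covers, not its own manifest.
            signatures["sha256:" + match.group(1)] = name
        else:
            images[name] = digest
    live_digests = set(images.values())
    return {
        "unsigned": sorted(t for t, d in images.items() if d not in signatures),
        "orphaned_signatures": sorted(s for d, s in signatures.items()
                                      if d not in live_digests),
        "tags_counted": len(images) + len(signatures),
        "image_tags": len(images),
    }

# Constructed sample listing; tag names and digests are made up.
D1, D2 = "sha256:" + "a" * 64, "sha256:" + "b" * 64
SAMPLE_TAGS = [
    ("v1", D1),
    ("sha256-" + "a" * 64 + ".sig", "sha256:" + "1" * 64),  # signature for v1
    ("v2", D2),                                             # its signature was pruned
    ("latest", D2),
    ("sha256-" + "c" * 64 + ".sig", "sha256:" + "3" * 64),  # signed image tag is gone
]

if __name__ == "__main__":
    for key, value in audit_signatures(SAMPLE_TAGS).items():
        print(key, value)
```

The gap between tags_counted and image_tags shows how much of a number-of-tags limit is consumed by signatures while the two are counted separately.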
1.9.2. Red Hat Quay 3.10 limitations
In this release, the following features are not supported on IBM Power (ppc64le) and IBM Z (s390x):
- Geo-Replication
- IPv6 Single stack/ Dual Stack
- Mirror registry
- Quay config editor - Mirror, MAG, Kinesis, Keystone, GitHub Enterprise, OIDC
- Red Hat Quay V2 User Interface
Deploy Red Hat Quay - High Availability is supported but the following is not:
- Backing up and restoring on a standalone deployment
- Migrating a standalone to operator deployment
- Robot accounts are mandatory for repository mirroring. Setting the ROBOTS_DISALLOW configuration field to true breaks mirroring configurations. This will be fixed in a future version of Red Hat Quay.
1.10. Red Hat Quay bug fixes
- PROJQUAY-6184. Add missing props for Create robot account modal
- PROJQUAY-6048. Poor UI performance with quotas enabled
- PROJQUAY-6010. Registry quota total worker fails to start due to import
- PROJQUAY-5212. Quay 3.8.1 can’t mirror OCI images from Docker Hub
- PROJQUAY-2462. Consider changing the type of the removed_tag_expiration_s from integer to bigint
- PROJQUAY-2803. Quay should notify Clair when manifests are garbage collected
- PROJQUAY-5598. Log auditing tries to write to the database in read-only mode
- PROJQUAY-4126. Clair database growing
- PROJQUAY-5489. Pushing an artifact to Quay with oras binary results in a 502
- PROJQUAY-3906. Quay can see the push image on Console after push image get error "Quota has been exceeded on namespace"
1.11. Red Hat Quay feature tracker
New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.
Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
Table 1.1. Technology Preview tracker
Feature | Quay 3.10 | Quay 3.9 | Quay 3.8 |
---|---|---|---|
General Availability | - | - | |
General Availability | - | - | |
General Availability | General Availability | - | |
General Availability | General Availability | - | |
General Availability | General Availability | - | |
Technology Preview | Technology Preview | Technology Preview | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
Technology Preview | Technology Preview | Technology Preview |