Red Hat Quay Release Notes

Red Hat Quay 3

Red Hat Quay

Red Hat OpenShift Documentation Team

Abstract

Red Hat Quay Release Notes

Preface

Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:

  • Granular security management
  • Fast and robust at any scale
  • High velocity CI/CD
  • Automated installation and updates
  • Enterprise authentication and team-based access control
  • OpenShift Container Platform integration

Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.

Important

Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator-based deployments or virtual machine-based deployments. Downgrading should only be done in extreme circumstances. The decision to roll back your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.

Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.

Note

Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions is archived on the Product Documentation for Red Hat Quay 2.9 page.

Chapter 1. Red Hat Quay release notes

The following sections detail y and z stream release information.

1.1. RHBA-2024:0382 - Red Hat Quay 3.10.3 release

Issued 2024-01-31

Red Hat Quay release 3.10.3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:0382 advisory.

1.1.1. Red Hat Quay 3.10.3 bug fixes

  • PROJQUAY-4849. Previously, the exporter failed to update the lifetime end of child manifests in the main manifest lists. Consequently, this led to exceptions when attempting to pull Docker images by tag after the tag was removed from the database due to garbage collection. This issue has been resolved.
  • PROJQUAY-6007. Previously, the Operator would attempt to create a temporary fake route to check if the cluster supported the Route API. This check was unable to be conducted when the route and TLS component were marked as unmanaged because these components are supposed to be managed manually by the user. This issue has been resolved.

1.2. RHBA-2024:0102 - Red Hat Quay 3.10.2 release

Issued 2024-01-16

Red Hat Quay release 3.10.2 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2024:0102 advisory.

1.2.1. Red Hat Quay 3.10.2 new features

With this release, IBM Cloud object storage is now supported. For more information, see IBM Cloud Object Storage.

1.2.2. Red Hat Quay 3.10.2 bug fixes

1.2.3. Known issues

  • A known issue was discovered when using naming conventions with the following words for repository names:

    • build
    • trigger
    • tag

    When these words are used for repository names, users are unable to access the repository, and are unable to permanently delete the repository. Attempting to delete these repositories returns the following error: Failed to delete repository <repository_name>, HTTP404 - Not Found.

    There is no workaround for this issue. Users should not use build, trigger, or tag in their repository names.

1.3. RHBA-2023:7819 - Red Hat Quay 3.10.1 release

Issued 2023-12-14

Red Hat Quay release 3.10.1 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2023:7819 advisory.

1.3.1. Red Hat Quay 3.10.1 bug fixes

  • PROJQUAY-5452 - Breadcrumbs incorrect when visiting a direct link
  • PROJQUAY-6333 - [New UI] The user in the team which has "member" or "creator" role can’t see the "Teams and Membership" tab
  • PROJQUAY-6336 - Quay 3.10 new UI can’t add normal user to quay new team during Create team wizard
  • PROJQUAY-6369 - The search input box doesn’t work in permanently delete default permissions wizard of new UI

1.4. RHBA-2023:7341 - Red Hat Quay 3.10.0 release

Issued 2023-11-28

Red Hat Quay release 3 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHSA-2023:7341 and RHSA-2023:7575 advisories.

1.5. Red Hat Quay release cadence

With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.

For more information, see the Red Hat Quay Life Cycle Policy.

1.6. Red Hat Quay new features and enhancements

The following updates have been made to Red Hat Quay.

1.6.1. IBM Power, IBM Z, IBM® LinuxONE support

With this release, IBM Power (ppc64le), IBM Z (s390x), and IBM® LinuxONE (s390x) architectures are supported.

1.6.2. Namespace auto-pruning

With Red Hat Quay 3.10, Red Hat Quay administrators can set up auto-pruning policies on namespaces (both users and organization). This feature allows for image tags to be automatically deleted within a namespace based on specified criteria. For this release, two policies have been added:

  • Auto-pruning images based on the number of tags.
  • Auto-pruning based on the age of a tag.

The auto-pruning feature allows Red Hat Quay organization owners to stay below the storage quota by automatically pruning content based on one of the aforementioned policies.

For more information about implementing this feature, see Red Hat Quay namespace auto-pruning overview.

1.6.3. Red Hat Quay UI v2 enhancements

In Red Hat Quay 3.8, a new UI was introduced as a technology preview feature. With Red Hat Quay 3.10, the following enhancements have been made to the UI v2:

  • With this update, a Settings page has been added for Red Hat Quay organizations. Red Hat Quay administrators can edit their preferences, billing information, and set organization types from this page.
  • With this update, a Settings page has been added for Red Hat Quay repositories. This page must be enabled by setting FEATURE_UI_V2_REPO_SETTINGS to true in your config.yaml file. This page allows users to create and set robot permissions, create events and notifications, set repository visibility, and delete repositories.
  • With this update, bulk managing robot account repository access is available on the Red Hat Quay v2 UI. Users can now easily add a robot account to multiple repositories using the v2 UI.
  • With this update, the default user repository, or namespace, now includes a Robot accounts tab. This allows users to easily create their own robot accounts.
  • With this update, the following alert messages have been added to confirm either the creation, or failure, of robot accounts and permission updates:

    • Successfully updated repository permission
    • Successfully created robot account with robot name: <organization_name> + <robot_name>

      Alternatively, you can receive the following error if you try to create a robot account with the same name as another: Error creating robot account

    • Successfully deleted robot account
  • With this update, a Teams and membership page has been added to the v2 UI. Red Hat Quay administrators can perform the following actions from this page:

    • Create new teams
    • Manage or create new team members
    • Set repository permissions
    • Search for specific teams
    • View teams, members of a team, or collaborators of a team
  • With this update, a Default permissions page has been added to the v2 UI. This page allows Red Hat Quay administrators to set repository permissions.
  • With this update, a Tag History page has been added to the v2 UI. Additionally, Red Hat Quay administrators can add and manage labels for repositories, and set expiration dates for specified tags in a repository.

For more information about navigating the v2 UI and enabling, or using, these features, see Using the Red Hat Quay v2 UI.

1.6.4. Garbage collection of manifests for Clair

Previously, Clair’s indexer database was continually growing as it added storage when new manifests and layers were uploaded. This could cause the following issues for Red Hat Quay deployments:

  • Increased storage requirements
  • Performance issues
  • Increased storage management burden, requiring that administrators would monitor usage and develop a scaling strategy

With this update, a new configuration field, SECURITY_SCANNER_V4_MANIFEST_CLEANUP, has been added. When this field is set to true, the Red Hat Quay garbage collector removes manifests that are not referenced by other tags or manifests. As a result, manifest reports are removed from Clair’s database.

1.6.5. Managing Red Hat Quay robot accounts

Prior to Red Hat Quay 3, all users were able to create robot accounts with unrestricted access. With this release, Red Hat Quay administrators can manage robot accounts by disallowing users to create new robot accounts.

For more information, see Disabling robot accounts.

1.7. New Red Hat Quay configuration fields

The following configuration fields have been added to Red Hat Quay 3.

1.7.1. Clair garbage collection of manifests configuration field

  • SECURITY_SCANNER_V4_MANIFEST_CLEANUP. When set to true, the Red Hat Quay garbage collector removes manifests that are not referenced by other tags or manifests.

    Default: True

1.7.2. Disabling robot accounts configuration field

  • ROBOTS_DISALLOW: When set to true, robot accounts are prevented from all interactions, as well as from being created.

    Default: False

1.7.3. Namespace auto-pruning configuration field

The following configuration fields have been added for the auto-pruning feature:

  • FEATURE_AUTO_PRUNE: When set to True, enables functionality related to the auto-pruning of tags.

    Default: False

1.7.4. Red Hat Quay v2 UI repository settings configuration field

  • FEATURE_UI_V2_REPO_SETTINGS: When set to True, enables repository settings in the Red Hat Quay v2 UI.

    Default: False

1.8. Red Hat Quay Operator

The following updates have been made to the Red Hat Quay Operator:

  • The config editor has been removed from the Red Hat Quay Operator on OpenShift Container Platform deployments. As a result, the quay-config-editor pod no longer deploys, and users cannot check the status of the config editor route. Additionally, the Config Editor Endpoint no longer generates on the Red Hat Quay Operator Details page.

    Users with existing Red Hat Quay Operators who are upgrading from 3.7, 3.8, or 3.9 to 3 must manually remove the Red Hat Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Red Hat Quay Operator.

    By default, the config editor was deployed for every QuayRegistry instance, which made it difficult to establish an audit trail over the registry’s configuration. Anyone with access to the namespace, config editor secret, and config editor route could use the editor to make changes to Red Hat Quay’s configuration, and their identity was not logged in the system. Removing the config editor forces all changes through the config bundle property of the QuayRegistry resource, which points to a secret, which is then subject to native Kubernetes auditing and logging.

1.9. Red Hat Quay 3.10 known issues and limitations

The following sections note known issues and limitations for Red Hat Quay 3.

1.9.1. Red Hat Quay 3.10 known issues

  • There is a known issue with the auto-pruning feature when pushing image tags with Cosign signatures. In some scenarios, for example, when each image tag uses a different Cosign key, the auto-pruner worker removes the image signature and only keeps the image tag. This occurs because Red Hat Quay considers image tags and the signature as two tags. The expected behavior of this feature is that the auto-pruner should consider the image tag and signature as one item, calculate only the image tag, and when the auto-pruner worker is configured in such a way that the tag is pruned, it also prunes the signature. This will be fixed in a future version of Red Hat Quay. (PROJQUAY-6380)
  • Currently, auditing for auto-pruning policy operations, including creating, updating, or deleting policies, is unavailable. This is a known issue and will be fixed in a future release of Red Hat Quay. (PROJQUAY-6228)
  • Currently, the auto-pruning worker prunes ReadOnly and mirror repositories, in addition to normal repositories. ReadOnly and mirror repositories should not be pruned automatically. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6235)
  • When upgrading the Red Hat Quay Operator from versions 3.7, 3.8, or 3.9 to 3, users must manually remove the Red Hat Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Red Hat Quay Operator.
  • When creating a new team using the Red Hat Quay v2 UI, users are unable to add normal users to the new team. This only occurs while setting up the new team. As a workaround, you can add users after the team has been created. Robot accounts are unaffected by this issue. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6336)
  • Sometimes, when creating a new default permission setting, the Create default permission button is disabled. As a workaround, you can try adjusting the Applied to setting in the Create default permission wizard. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-6341)
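
The following check is an added example, not Red Hat's code: it audits a repository tag listing for the effect described in PROJQUAY-6380, where Cosign signature tags (named sha256-<digest>.sig by Cosign) are counted as ordinary tags and can be pruned while the image tag stays. The listing format, the sample data, and the newest-first retention order in prune_by_count are assumptions made for illustration.

```python
import re

# Cosign publishes a signature as a tag named sha256-<hex>.sig beside the image.
SIG_TAG = re.compile(r"^sha256-([0-9a-f]{64})\.sig$")

def split_tags(tags):
    """Return ({image tag: digest}, {digests that have a signature tag})."""
    images, signed = {}, set()
    for tag in tags:
        match = SIG_TAG.match(tag["name"])
        if match:
            signed.add("sha256:" + match.group(1))
        else:
            images[tag["name"]] = tag["digest"]
    return images, signed

def audit(tags):
    """Compare what the pruner counts with what an operator thinks of as images."""
    images, signed = split_tags(tags)
    return {
        "unsigned": sorted(n for n, d in images.items() if d not in signed),
        "orphaned_signatures": sorted(signed - set(images.values())),
        "tags_counted": len(tags),      # signature tags count toward the limit
        "image_tags": len(images),      # what the policy author usually means
    }

def prune_by_count(tags, keep):
    """Model of the known issue: every tag, signatures included, uses a slot.
    Newest-first retention is an assumption; the release note gives no order."""
    return sorted(tags, key=lambda t: t["created"], reverse=True)[:keep]

def digest(ch):
    """Constructed 64-hex digest for the sample data."""
    return "sha256:" + ch * 64

def sig_tag(image_digest, created):
    """Constructed Cosign signature tag entry for image_digest."""
    name = image_digest.replace(":", "-") + ".sig"
    return {"name": name, "digest": digest("f"), "created": created}

# Constructed listing: two signed images, then a retag of the first one.
SAMPLE = [
    {"name": "v1", "digest": digest("a"), "created": 100},
    sig_tag(digest("a"), 101),
    {"name": "v2", "digest": digest("b"), "created": 200},
    sig_tag(digest("b"), 201),
    {"name": "stable", "digest": digest("a"), "created": 400},
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    print("after keep=3:", audit(prune_by_count(SAMPLE, 3)))
```

Running audit on a real tag listing before and after enabling a tag-count policy shows which image tags would fail signature verification at admission time.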

1.9.2. Red Hat Quay 3.10 limitations

  • In this release, the following features are not supported on IBM Power (ppc64le) and IBM Z (s390x):

    • Geo-Replication
    • IPv6 Single stack/ Dual Stack
    • Mirror registry
    • Quay config editor - Mirror, MAG, Kinesis, Keystone, GitHub Enterprise, OIDC
    • Red Hat Quay V2 User Interface
    • Deploy Red Hat Quay - High Availability is supported but the following is not:

      • Backing up and restoring on a standalone deployment
      • Migrating a standalone to operator deployment
  • Robot accounts are mandatory for repository mirroring. Setting the ROBOTS_DISALLOW configuration field to true breaks mirroring configurations. This will be fixed in a future version of Red Hat Quay.

1.10. Red Hat Quay bug fixes

  • PROJQUAY-6184. Add missing props for Create robot account modal
  • PROJQUAY-6048. Poor UI performance with quotas enabled
  • PROJQUAY-6010. Registry quota total worker fails to start due to import
  • PROJQUAY-5212. Quay 3.8.1 can’t mirror OCI images from Docker Hub
  • PROJQUAY-2462. Consider changing the type of the removed_tag_expiration_s from integer to bigint
  • PROJQUAY-2803. Quay should notify Clair when manifests are garbage collected
  • PROJQUAY-5598. Log auditing tries to write to the database in read-only mode
  • PROJQUAY-4126. Clair database growing
  • PROJQUAY-5489. Pushing an artifact to Quay with oras binary results in a 502
  • PROJQUAY-3906. Quay can see the push image on Console after push image get error "Quota has been exceeded on namespace"

1.11. Red Hat Quay feature tracker

New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1.1. Technology Preview tracker

| Feature | Quay 3.10 | Quay 3.9 | Quay 3.8 |
|---|---|---|---|
| Disabling robot accounts | General Availability | - | - |
| Red Hat Quay namespace auto-pruning overview | General Availability | - | - |
| Single site geo-replication removal | General Availability | General Availability | - |
| Splunk log forwarding | General Availability | General Availability | - |
| Nutanix Object Storage | General Availability | General Availability | - |
| FEATURE_UI_V2 | Technology Preview | Technology Preview | Technology Preview |
| FEATURE_LISTEN_IP_VERSION | General Availability | General Availability | General Availability |
| LDAP_SUPERUSER_FILTER | General Availability | General Availability | General Availability |
| LDAP_RESTRICTED_USER_FILTER | General Availability | General Availability | General Availability |
| FEATURE_SUPERUSERS_FULL_ACCESS | General Availability | General Availability | General Availability |
| GLOBAL_READONLY_SUPER_USERS | General Availability | General Availability | General Availability |
| FEATURE_RESTRICTED_USERS | General Availability | General Availability | General Availability |
| RESTRICTED_USERS_WHITELIST | General Availability | General Availability | General Availability |
| Red Hat Quay as proxy cache for upstream registries | General Availability | General Availability | General Availability |
| Java scanning with Clair | Technology Preview | Technology Preview | Technology Preview |

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.