Description
In this briefing, Red Hat's Joey Schorr gave an in-depth introduction to and demonstration of Quay, CoreOS’ Application Registry for Kubernetes, with OpenShift. Quay is a container registry for building, storing, and distributing your private containers to your servers.
A
It is specifically with OpenShift in this, because it's pretty standard the way that you would use it as you would with any project, but I really wanted to let you start introducing some of the products and offerings and projects from the CoreOS team to the OpenShift Commons community. So I'm really pleased to have Joey with us today, and hopefully a lot more of the CoreOS team showing up in upcoming Commons briefings. So Joey, I'm going to let you take it away and introduce yourself, and we'll have live Q&A at the end.
B
Thank you so much. Well, my name is Joey Schorr. As said, I'm a senior principal engineer on the Quay team, formerly of CoreOS, now of Red Hat. I'm also the tech lead of Quay and the former co-founder of Quay back in the day, a couple years ago. And today I'll be talking about Quay, how it is an enterprise-grade container registry.
B
It can be used with OpenShift to store, manage, and push and pull your container images. I'm just going to dive right in, give a little bit of background, and then give a little bit of an in-depth demo. If at any time you have any questions, please don't hesitate to put them into the chat. We will answer them at the end, and if they're showstoppers, as said, then we'll answer them along the way.
B
So, let's dive in. A little bit of background: Quay is a secure, distributed registry to build and deploy your container images. It speaks the container registry protocols, Docker v1 and v2. You can use it with any Docker CLI, and you can of course use it with OpenShift to store your container images and manage them there. There are two tiers that we support. We have Quay.io, which is our SaaS version. You can go to Quay.io right now, create a free account, and start pushing and pulling images.
B
In fact, if you'd like to follow along once I start my demo, that's a good way to see and play with the tool as I walk through it. We also have Quay Enterprise, and that is just a version that runs on your own hardware, and along with that we provide support and maintenance. An interesting little tidbit:
B
Quay.io is actually just a Quay Enterprise that we run on AWS, so anything you can do in Quay.io, you can do in Quay Enterprise, and features that we release are of course released for both, because they are the same. On the features list, among our top features that we'd like to discuss is vulnerability scanning. So, every time you push an image to Quay, it is automatically and continuously scanned for vulnerabilities.
B
We give you complete visibility into those issues. We also provide, and this is unique to us, how to fix them. So we tell you: are there fixes available for these vulnerabilities and, if so, which layer introduced those vulnerabilities. I'll be giving a quick overview of that shortly thereafter. We provide automated geographic replication.
B
So if you're running Quay Enterprise on your own hardware and you want to have your images replicated to multiple regions or multiple storage systems, you can set up Quay Enterprise to do so, and images pushed in, say, New York can be replicated to, say, San Francisco or Berlin or wherever your data centers may be located. We provide a very tight integration with build image triggers.
B
So if you have source code in a Git VCS like GitHub or Bitbucket or GitLab, or just even your own Git, you can set it up so that Quay will automatically build a new version of your application every time a push occurs, either to specific branches or in general, and then those images will automatically be placed and tagged into your repositories. There's similar functionality built into OpenShift, and so you can use this as a way of tying together OpenShift builds with your builds from external sources, or doing so just directly
B
on Quay. And then a feature that is very unique to Quay is something we call image time machine, which allows you to view the history of your images and your tags that you've pushed, and quickly and easily switch between those. I'll be showing that off in a minute as well. So, diving into a bit of some of our features before we start the demo: image vulnerability scanning ensures your containers are secure. We continually scan your images, as I said, and we provide really great UI and information around,
B
you know, what vulnerabilities have been detected and where they occurred, and even if there are solutions to those vulnerabilities by upgrading your packages. More in terms of general differentiators of Quay versus other registry products that are on the market: we provide connections to various identity providers if you're using Quay Enterprise. So if you have LDAP or Keystone or some of those other open identity providers, you can hook them in, and your Docker CLI login will go through that provider. We provide, of course, Clair, which is our security scanning back-end.
B
It provides high integrity for images. It's resilient; it's high availability by default. As I said, it supports automatic geographic replication and time machine. One unique feature that Quay supports, outside of other registries, is continuous garbage collection. So, unlike, say, Docker Trusted Registry, whenever an image is pushed to Quay, as soon as it's unreferenced it will be garbage collected in the background, with no downtime, no read-only requirements, things like that.
B
So if you're doing a docker login on your computer and you have, say, an LDAP password or another form of password there, instead of having it be stored in plain text on your computer, you can encrypt it, and Quay will allow you to have just that encrypted version, with the keys never leaving Quay. We have a very fine logging and auditing system. This all means that every action taken in the entire registry is audited and logged.
B
So if you need to go back and see if we changed this permission on this day, you can find that out. We have a very fine-grained ACL model. Quay is built around its ACL system, which provides very fine-grained access control and very fine-grained permissions. We support teams and organizations, namespaces, robot, or sort of what we call robots, which are service accounts, and integration with various auth providers, both as an auth provider itself as well as taking in identity. So you can set up your auth however you see fit. And then a really cool feature,
B
one of my favorites, is torrent distribution. If you're using Quay, Quay.io or Quay Enterprise, and you're deploying images to a lot of machines in a cluster that's geographically farther away from storage, you can use our CLI tooling and actually pull images via torrent, and the blobs will be shared amongst all your machines in your cluster.
B
To further dive in: as I said, we support build triggers. So you can see here you can set up a build trigger on GitHub push, Bitbucket, GitLab, or the enterprise versions thereof, or even custom Git, and every time a push occurs to either any branch and tag or any one that matches a regular expression, you will get a build automatically kicked off, and that build will in turn push the image to your repository.
B
Your tags include all of your images that have been included in there and, if you need to, you can actually revert backwards in time in case you've made a mistake. So if you pushed a broken image to your latest tag, well, just revert it back in history and now it's as if it's never happened. So, excuse me. We also provide a really cool feature called squashing images. So, typically, if you have a container image in Docker, you have multiple layers. As an example,
B
on the right-hand side you can see you may have a Debian layer with, you know, Emacs in it, and Apache, and then a container, but you want to be able to just retrieve the whole image at once. So Quay provides the ability to squash those images in real time, without having to do any pre-processing steps, and retrieve the whole image as a single layer, which reduces HTTP round-trips and image size, and accelerates the fetch.
B
On the audit side, we have usage logs, as I said, so every action taken in the entire registry is audited. So you can see on the side we list all the events broken down by category in color; we show when it occurred and who performed it. This includes everything from pushes and pulls, permission changes, build events, tag changes, even changing the description of a repository. Very fine-grained and very powerful for auditability. So I'm going to jump right into a demo here, because I gave a summary and overview of a lot of really cool features.
B
But, you know, the proof is in the pudding, as they say. So I'm gonna make this full screen. So this is the Quay UI when you land in. As you can see here, I have a variety of repositories, a repo of course holding a number of container images, and you can see that I'm part of a number of users and organizations. Like GitHub, Quay supports both user namespaces, in this case my user is dev table, as well as organizational namespaces. So you can see here on the right,
B
I'm part of four organizations: PT library by and large and seven small, and at any time I can see the repositories that have been granted access to me as part of those organizations and namespaces. So you can see here in the by and large I have access to a few repos, under my own namespace I have access to a few repos, and you can see here also a few starred. With us diving into a repository itself, we can see the overview screen.
B
I have an activity view, just kind of like the GitHub activity, you see what's been going on in the repo, what builds have been run, and then the description, which, of course, you know, supports Markdown in all of its glory. So I can, you know, bold this here and see it changes nice and well. If I go into the tags view, this is kind of the heart and soul of the UI view. We can see here all the tags within my repository. I can see
B
I have a prod and a latest tag, when it was last modified, the security scan, which in this case has been queued, the size of my image, when it expires, which I'll talk about in a moment, and then which image it applies to. And from within the Quay UI you can actually take a lot of pretty powerful operations. So, for example, if I don't like this latest tag, I can just, you know, delete it. Bam, and now it's gone.
B
Let's say I actually want to add a new tag to this prod and be like another tag rageh, so you need the type, and yeah, you can see I have another tag there. This blue line indicates that they refer to the same image, so at any time I can see not only which tags live in my repository, but I can also see which ones point to the same image. I can also do things like edit the labels on this, change the expiration, add additional tags.
B
If I hit expand here, you can see the image itself, as well as any labels. Labels are pretty interesting. If you've ever used a label in the Dockerfile, then it will show up here as well. I can add a new label here just by hitting edit, and then it could be like foo equals bar. Bam, it will have a label there, and so you can attach arbitrary metadata to your tags and you can then query it using our API. Now, one interesting feature I alluded to earlier was time machine.
B
You know, last month when I generated this database, and then you can see here just today during the demo I deleted this latest tag, so we can see latest was gone, and then I added another tag to this image, and so I have the full history here of all my tags, and we can see that this latest tag is gray because it no longer exists. Well, let's say I didn't need to do that. Oops. That was a mistake.
B
Well, I could just hit restore and now latest has been recreated pointing to that tag, or that image rather, and now going back to my tags page we can see latest has been returned. So if you make mistakes in Quay, you overwrite an image or a tag or you accidentally delete something, within the configured time machine window you can just bring it back. On Quay, by default, the time machine window is two weeks, but you can configure that under your namespace settings and you can make it as long or as short as you like.
B
Now, I've been taking a few operations in here because I'm the administrator of this repository. If we go into the settings here, you can see I am the admin. But let's say I wanted to give someone else the ability to make changes in here. It's just as simple as typing in their username. So let's say I wanted the public user to have write access. OK, now they have write access. Likewise, I can make them read access only, or if I want them to be an administrator.
B
Quay supports service accounts in the name of robots, but in this case I have a DT robot and I can, say, give it read-only access, and now this robot account will be able to pull this repository but not make any changes. And, unlike users, robots can actually have a token which can be regenerated. So let's say this token somehow gets leaked, or we lose track of it. Well, I can just hit regenerate, and bam.
B
Now the token has been changed and all of the existing ones have become invalid. A small but very powerful feature. And while I've been making all of these ACL changes, of course, it's all been audited. So going to my usage logs here, you can see all of the changes that I've been making while just even talking about this demo have shown up right here in my audit logs. So we can see, from the description change from right at the beginning of my demo, I added some tags, changed them around, added the label,
B
you know, changed some permissions, and everything shows up in this audit log and it's been classified in this beautiful graph. And at any time, if I want to, I can be like, "Oh, did I change any labels?" Yes, I did. So this is very powerful for system administrators who might want to know what's going on in their registry or in a specific repository, things like that. Now, going quickly back to the tags page here, there's also a column that I didn't allude to earlier, which was the expires column.
B
This ties very specifically into time machine. Let's say I have this latest tag here and I want it to expire next week. By setting an expiration on this, in seven days that tag will be automatically deleted, but because it's in time machine, if I then wish to, "oops, I didn't mean it to expire," I can then just go back. I can bring it back from the dead, as it were. But expiration is really powerful if you have a CI system or a build system that's constantly building new images and pushing new tags.
B
You can set an automatic expiration, and then, if you decide to use a tag in production, you can remove the expiration, and that way you're not overpopulating your repository. The security scan column, of course, points to the security status. Now, I'm running this demo as part of a local instance and I'm not running Clair as part of my local instance, so I'm gonna show off the security part on a live image, doing it live on Quay.io. So there's this Quay slash based lets Redis, which is an old Redis image
B
we now keep around for demo purposes. As you can see here, this tag has been pushed a very long time ago, so long ago, in fact, that we don't even have the last modified date, and you can see that there are 16 high vulnerabilities in this. Pretty bad. You can also see that there's 396 fixable. So, unlike other security solutions on the market, we not only provide what the security vulnerabilities are, but whether there are any fixable. Basically, are there actionable solutions that can be taken to solve the security holes that are in your container?
B
So if I hover over the security scan, we can see here this tag has 491 vulnerabilities across 56 packages. That's pretty bad. I probably should find out what's going on, so I will click here and dive in, and once you click into the security scanning view, you get this beautiful UI. It provides a lot of information in a small space, so I'll go over it quickly. You can see here that we've detected 491 vulnerabilities. Patches are available for 396, a good chunk of them.
B
We break down the vulnerabilities by severity level, so you can see here I have 16 high and 256 medium, so the vast majority, or over half of these, are pretty important to fix, and then 193 low-level ones. Scrolling down, we can see we show all of the vulnerabilities by CVE number. We default sort by severity, so we can see here a few 10 out of 10s. These are pretty bad. In fact, I'll get into why they're so bad.
B
So, you know, if you upgrade bash from four point three seven seven to one to one to one point one, this will be fixed, so you have intelligence on how to move forward and fix this problem, and then we also show which image layer in the actual overall image introduced this vulnerability. So if you're not sure where to fix your packages, you can actually do so. Opening up this CVE will provide further details.
B
So we can see here we have the access vector information from CVSS, and in fact we also have the description information, and, of course, looking at this, we can see that this is actually Shellshock, which is one of the most major vulnerabilities that came out over the last few years, and that's why it's rated as a 10 out of 10. If I want more information on the CVE, I can just click on this little link here and it will take me directly to the CVE description on the distro's provider.
B
We support as distros right now Ubuntu, Debian, Red Hat, of course, Oracle and Alpine. So we support all of the major container base distros for this and we're adding more every time. This is actually powered by an open source project, which we might do another community session about. And we also provide the ability to filter down and see only the ones that are fixable, so we can see there's, of course, quite a lot. Another tab we provide on the security scan
B
is the package view. So, unlike the vulnerability view, this of course breaks down your security report by packages. So we can see here that it has detected 151 packages in this container image. There always are a lot more than you initially would suspect. And we can see here that 8 have high-level vulnerabilities and 37 of medium. Looking at the package table itself, we can see the package names, what version they are, and their vulnerabilities. Now, these next two columns are the most important, in my opinion.
B
They show what vulnerabilities will exist after upgrading this package to the latest version and, likewise, as a result, we create an upgrade impact score and we sort. So if you have very little time and you have to fix just the most important vulnerabilities in your container, you can actually just upgrade these packages and you'll get the most bang for your proverbial buck, in being able to say, well,
B
if I upgrade OpenSSL, then all the identified vulnerabilities will be fixed, including all these high ones, but upgrade bash likewise, so these are the most important ones to be fixed. And then, if I scroll down, you can see, you know, the upgrade impact becomes lower and lower until the point where basically there are no vulnerabilities or there is no upgrade impact. Now, this is all very useful information to be able to see after you've pushed an image.
B
Well, what happens if you have an image in the security system and a new vulnerability is detected? Are you gonna have to go check every image? Well, actually, no. As alluded to earlier, we support notifications on repositories in Quay, so I can create a notification on my repository and choose my event. Now, you can see here there are a variety of events, as I spoke to earlier, but the one I'll speak to now is "package vulnerability found". So I choose that, and then I choose a minimum severity level.
B
So let's say I choose medium. Now, any time there is a new vulnerability discovered in an image in this repository that has a medium severity or higher, I will be notified, and I can actually choose, say, to be notified by Slack, and then you can choose to put your room in. But there's one other key aspect that this provides. This not only applies to new vulnerabilities. As an example, I believe it was when Shellshock originally came out, it was listed as a medium level of vulnerability.
B
Well, once the extent of the damage was discovered, it actually was upgraded to a high or even critical level vulnerability. Now, if I had configured my severity level as, say, critical, I would not have been notified initially of Shellshock, but once the Shellshock vulnerability was reclassified,
B
I received a notification, because Clair and the Quay security scanner will send out a notification not only for new vulnerabilities but for vulnerabilities that have jumped in severity, even if the vulnerability has been out for years. That's a very good way for you to keep track of the security state of your container images across your entire platform and not have to worry that, "Oh, is an image that I created six years ago vulnerable to something that came out since, that came out today, or that became more critical today?"
B
If it is, you will be notified. So that notification system is very, very powerful. Now, going back to our repository screen, we spoke a lot about permissions on repositories. But what happens if I don't want to add individual users to my repository permissions? That can get tedious and overdrawn. Instead, I can use an organization.
B
Let's say I have this by and large organization with a couple of repositories in it. Under the organization I have teams, and in teams you can collect users, you can also collect robot accounts, give them a name, say readers or synced, and then you can specify in repositories that you want a particular team to have a permission. So let's say I go to my Ford repo and I want my word repo to have access, I want a team of users to have access to my word repo. Well, I can just grant
B
the readers team read access. Likewise, if I need a new team, say, I don't know, writers, I create that team and then I can grant it, say, write access, and if I go into the writers team, I can add, say, myself. I can also add a robot. I can even invite somebody, like, I don't know, perhaps I so self do the team, and then, if I hit enter and invite via email, they'll be receiving
B
an invite to join this team and organization. Teams are also really powerful because they give you an overview of all the permissions in your entire organization. So if I want to, I click the members view here and see here all the members of my organization's teams, which teams they're part of, and if there are any repo permissions, direct repository permissions. And hey, let's say public is no longer a member of my organization.
B
Well, I'll just remove them, and now he's been removed from all teams and all repositories in my organization and no longer has any access. You can also invite individual collaborators or contributors to be part of your repositories. So if I go to the collaborators view here, you can see that this outside world user has direct permissions on one repository under this organization. He's not part of a particular team, but he was granted access on a one-off basis. But let's say I no longer want him to be in here.
B
Well, I can remove him as well, and now he, again, no longer has access. Organizations also provide some other really powerful features. I'm not going to go too deeply into them because we're a little short on time, but one of the ones is being able to see the usage logs. So, just like I was able to see the usage logs for a particular repository, I can see the usage logs for all of the repositories, all of the actions taken across the entire organization.
A
So far, I don't see any questions in the Q&A, but something has just popped up here. Are there any plans to replace the current OpenShift registry by Quay? Is there a CLI/REST for Quay administration, or just via the UI? And for the first one, everything with our existing registry will probably stay the same and be available out of the box as it is, and I don't think we have a roadmap yet for how the integration is going to be with Quay. So we'll just.
B
That's so, yeah. The roadmap of the OpenShift registry versus Quay is still in early discussions, but since Quay speaks the Docker protocol, you can use Quay kind of out of the box with OpenShift. Speaking to the CLI question: every operation that's taken in Quay that I showed you today is backed by a full RESTful API. In fact, the UI front-end is actually speaking that REST API to the backend when I was doing the demo, and we provide support for OAuth.
B
So if I were to go to this applications tab here, I can create an OAuth application and I can even generate an access token to talk to that application. You can also do a proper OAuth flow. Let's say I wanted to have the ability to create repositories and administer them and view all these. I'll generate an access token. Now, I have to sign in to do that, in order to do so. Once you've created that access token, you can then call our API. For those who are interested,
B
it is at docs.quay.io/api; that is our documentation. And if I go to the API Explorer here, then it'll load up, take a few seconds to do. It will actually show all of the operations you can perform against Quay, and this is every operation that the UI can perform: permissions, organizations, repositories, notifications, robot account management, searching, security scan information, tagging, team management, everything. And so, if you want to have custom tooling in order to manage Quay, you can absolutely do so.
A
Right, you're making them cheer in the chat, so you've made some folks very happy, and I think you've made a lot of us very happy coming on board, and this has been pretty useful. I do know of a number of customers who are already using Quay and OpenShift, one of whom will be talking about it at the upcoming OpenShift Commons Gathering. Cisco is going to talk about their implementation, and they've been using Quay, so there's good precedence.
A
Now, I don't see any other questions coming in, and we will probably do a few more Quay-related talks in the coming months as well. And please, if you can, join us at the OpenShift Commons Gathering on May 7th at Red Hat Summit. We would be happy to have you participate in those conversations there as well, and I think they'll coerce Joey and a number of the folks from the CoreOS team to join us, as they are all mostly based in the San Francisco Bay Area.