►
Description
Quay v3.1 Release Update
Bill Dettelback and Tom McKay
Quay Engineering
OpenShift Commons Briefing
A
A
Everybody
and
welcome
to
another
openshift
Commons
briefing.
This
time
we
have
some
of
the
engineering
team
with
us
from
Red
Hat
to
talk
about
whey,
3.1,
the
most
recent
release
and
some
of
the
things
that
are
coming
and
the
new
features
there,
as
well
as
what's
on
the
roadmap.
So
we
have
bill
beetle
back
and
Tom
McCoy
Nick
a
with
us
from
the
engineering
team
I'm
going
to
let
them
introduce
themselves
and
do
a
little
bit
of
a
demo
and
we'll
have
live
Q&A
at
the
end.
So
please
take
it
away
bill.
B
B
Cool,
so
what
we'll
do
today
is
just
go
through
kind
of
a
real
quick
view
of
what
Quaid
is
for
folks,
who
maybe
have
not
heard
of
quake,
but
we
want
to
spend
most
of
our
time
talking
specifically
about
what
we've
just
released
in
the
3.1
version
that
just
came
out
a
few
weeks
ago.
So
just
a
quick
primer
on
quai
itself
on
the
quay
is
Red
Hat's
Enterprise
container
registry
product.
B
We
offer
Quay
in
really
two
forms:
there's
the
hosted
version,
kwai
tai
o,
as
well
as
as
a
containerized
product
from
Red
Hat
that
you
can
run
on
premise
on
a
public
cloud
or
in
your
own.
In
your
own
data,
centers,
really
kwai
was
built
with
the
intention
to
be
run
at
enterprise
scale.
It
was
built
with
security
in
mind
really
built
with
scale
and
as
much
focus
on
automation
as
possible.
So
twice
been
around
for
a
bunch
of
years.
It's
pretty
battle-hardened
and
we
run
Quay
dot
IO
at
a
pretty
massive
scale.
B
B
You
know
we're
now
seeing
a
lot
of
clients
starting
to
run
an
in-house
not
the
same
scale,
but
enjoying
a
lot
of
the
benefits
of
what
queda
io
can
do
on
premise.
One
of
the
really
exciting
things
that
we're
in
the
process
of
doing
right
now
is
actually
open.
Sourcing,
quick
quite
currently,
is
still
closed
source,
but
we're
changing
that
as
fast
as
we
can
and
hopefully
very
very
soon,
you'll
start
to
hear
announcements
about
that.
B
Bread
obviously
is
very
passionate
about
open
source
and
Quay
falls
into
that
category
of
being
a
product
that
we
want
to
make
sure
that
the
community
is
keenly
involved
with,
and
so,
if
you're
interested
in
the
open
sourcing
initiative,
if
you
want
to
get
involved,
we'd
love
to
have
as
many
people
as
possible,
helping
out
looking
at
quai,
giving
us
suggestions
and
contributing
we've
stood
up
a
Google
Group
they're,
Quay
sig.
You
can
get
on
that
that
the
URLs
probably
little
hard
to
read,
but
these
slides
may
be
available.
B
So
that's
just
a
real
quick
overview
of
Quay.
What
it
is
our
Red
Hat
provides
it
what
it
was
built
for
just
to
kind
of
drill
down
in
a
couple
of
those
areas
to
get
familiar
with
how
Quay
has
been
structured
and
in
the
areas
of
focus
we've
put
into
the
product
over
the
years.
Really,
six
key
areas
right
so
scalability
I
mentioned,
played
out.
Il
is
running
really
at
internet
scale
and
and
we
make
that
really
a
major
part
of
every
decision
we
put
into
the
product.
B
B
So
we
can
actually
make
sure
that
the
containerized
version
that
we
that
people
run
on
premise
is
the
same
bits
that
have
been
run
by
by
large-scale
users
on
the
Internet
there's,
a
huge
focus
on
security
as
well
in
the
quake
product
and
one
of
the
most
visible
areas
of
that
is
a
piece
of
functionality
that
does
vulnerability
scanning.
So
there's
another
open-source
project
called
Claire
that
we
bundle
in
and
so
Claire
is
pre
integrated
into
the
Quai
product.
When
you
upload
a
an
image
into
the
Quay
registry,
you
automatically
get
vulnerability
scanning.
B
So
let's,
if
there's
any
known
issues
with
that
image
and
then,
if
things
change
over
time,
you
get
a
real-time
view
of
the
of
the
the
vulnerabilities
on
your
container
image.
The
security's
big
builds
have
been
a
big
part
of
cuidado,
as
well
as
well
as
red
hat
equaiiy,
so
being
able
to
integrate
with
existing
build
infrastructure
like
git,
also
having
its
own
built-in
build
infrastructure
at
quai
dot
IO,
where
you
can
give
us
a
docker
file
and
we'll
create
the
image
for
you
within
our
platform
directly
so
fairly
powerful
stuff.
B
But
we've
got
a
features
built
into
quaid
to
make
sure
that
if
you've
got
quite
installed
in
one
location,
we
can
get
your
content
distributed
out
to
other
regions
very
easily,
using
the
tools
of
the
platform
directly
not
having
to
do
a
lot
of
work
yourself,
quais
been
blind
by
its
nature,
extremely
integratable,
so
it's
been
designed
with
an
API
first
mentality.
Most
of
the
things
about
all
the
things
you
can
do
in
the
UI.
B
You
can
do
through
API
so
and
we
have
customers
that
give
a
lot
of
automation
through
the
UI
to
the
api's.
We've
also
have
done
a
lot
of
work
to
do
the
authentication,
integration
and
authorization
integration,
but
things
like
Google
github
and
all
that,
so
you
should
be
able
to
take
Red
Hat
away
and
put
it
into
your
existing
on-premise
environments
and
integrate
with
a
vast
majority
of
the
identity
management
systems.
You
have.
B
Lastly,
I'll
just
call
out
the
access
control
so
again,
kWe
has
a
strong
focus
on
ensuring
that
people
get
just
the
information
that
they're
allowed
to
have,
and
this
speaks
to
the
fact
that
we
do
run
this
at
scale.
So
access
control,
our
back
authentication,
is
all
built
into
the
platform,
so
you
can
set
up
organizations
and
teams
and
users
in
whatever
combination
you
want.
That
makes
sense
for
your
business.
B
A
couple
of
real
marquee
features,
probably
the
biggest
marquee
feature
which
we're
going
to
show
you
in
a
few
minutes
is
repository
mirroring
and
so
repository
mirroring
I'll
get
into
more
details
about
that,
but
this
effectively
allows
you
to
sync
images
between
individual
repos
across
registries
and
that
registry
doesn't
even
have
to
be
Quay.
So
there's
there's
a
bunch
of
use
cases
there,
which
we'll
get
into
the
setup
operator
is
a
feature
that
we've
rolled
out
in
3-1.
B
It's
been,
it's
been
pretty
cool
to
see
that
evolve
and
that's
available
I'll
get
into
that
in
a
little
more
detail
in
a
second
we've
also
added
the
ability
to
create
read-only
repositories,
and
so
this
is
a
new
feature
where
we,
then
it's
state
to
the
repositories
themselves,
and
you
can
indicate
what
state
you
want
the
repository
to
be
in,
and
you
can
change
that
state
over
time.
Again.
This
more
details
on
that.
B
This
is
an
operator
that
you
can
get
today.
It's
on
the
community
of
practice
site
there
at
that
URL.
This
is
an
operator
that
was
built
by
our
consulting
team,
and
it
was
designed
to
give
you
really
a
single
touch:
delivery
of
a
working
quai
environment
with
claire
on
on
an
open
or
open
ship
cluster,
and
so
it
does
everything
for
you.
You
can
get
a
very
simple
out-of-the-box
environment
with
all
sensible
defaults.
You
can
also
go
in
and
you
can
modify
the
custom
resource
to,
for
example,
use
an
existing
Postgres
database.
B
You
may
have
in
your
environment
or
or
other
sorts
of
overrides
you
want.
You
don't
want
the
operator
to
provision,
but
if
you
just
want
to
get
a
standalone
environment,
it's
really
really
good
at
that.
We
have
rolled
this
out
as
a
dev
preview
and
that's
primarily
because
it
is
pretty
new,
it's
still
being
maintained
by
the
community.
We
are
looking
to
bring
this
into
the
quake
product
and
have
it
maintained
by
engineering,
but
will
quickly
be
rolling
this
into
a
tech
preview
and
eventually
a
ga
feature.
B
I'll
talk
about
repository
state
as
well,
so
we
we
now
support
three
different
states
on
each
of
your
repos.
So,
prior
to
three
one,
we
had
a
single
state
for
all
repos.
We
now
call
that
normal.
So
if
you
don't
do
anything
when
you
install
three
one
or
upgrade
to
three
one,
all
of
your
repositories
are
marked
as
normal
state,
but
now
what
you
can
do
is
you
can
indicate
that
they
are
either
a
mirrored
repository
or
a
read-only
repository
for
a
read-only
repository.
B
It
does
what
you'd
expect
it
effectively
allows
you
to
lock
that
repo
for
updates.
This
is
pretty
handy
for
repos.
Maybe
you
want
to
archive
from
the
way
you
don't
want
people
to
be
able
to
change
them,
or
you
want
to
have
something
where
it's
temporarily
just
frozen.
You
can
do
that
now
by
just
marking
the
read-only
mirrored
there's
a
state
that
you
can
also
indicate,
and
when
you
indicate
your
repository
is
mirrored,
you
actually
can
go
in
there
and
configure
how
the
mirroring
is
going
to
take
place.
B
We'll
look
at
that
in
a
minute,
but
one
of
the
key
things
about
a
mirror
depository
is
that
you
cannot
push
into
a
mirrored
repository
by
definition.
It
is
mirroring
from
a
source,
so
we
don't
want
people
to
be
able
to
push
content
in
on
the
side.
They're,
just
they're
just
a
point
they're
the
point
out,
so
let's
talk
a
little
bit
about
what
repository
mirroring
is
and
how
we
built
it.
So
there's
a
new
tab
on
the
on
the
UI
that
you'll
see
here
around
setting
up
a
repo
repo
mirror.
B
This
tab
will
show
up.
The
contents
of
the
tab
will
show
up
when
you,
when
you
set
the
repo
mirror
to
mirror
repo
status,
to
mirror
what
we've
done
is.
We've
used
the
Quai
worker
framework
to
basically
create
workers
that
will
do
this
mirroring
for
you
and
you
can
see
the
green
shot
on
the
left,
just
some
of
the
fields
you
can
put
in
there.
So
you
can
put
in
registry
information
how
you
want
to
connect
to
that
external
registry.
What
repo
name
you
want!
B
What
robot
account
you
want
to
use
to
write
into
your
clay
environment
if
your
repo
you're
mirroring
is
private,
you'll
need
a
robot
account
for
that
and
then
what's
really
interesting
is
you
can
specify
a
tag
pattern?
So
it's
effectively
like
a
glob
of
tag,
information
that
you
can
give
it's
not
a
full
regular
expression,
it's
more
just
of
a
glob,
but
you
can
basically
get
a
pattern
around
just
those
tags
you
want.
So,
for
example,
you
could
repo
me
or
just
production
tags.
B
We
are
using
I
should
just
call
us
while
we
are
using
scope,
EO,
which
is
another
project-
that
red
hats
pretty
pretty
strongly
backing
around,
how
the
data
gets
moved
between
environments-
oh,
that
was
a
that
was
a
really
nice
synergy
there
with
the
scope.
Eo
team
I
want
to
spend
a
minute
to
clarify
how
repository
mirroring
as
a
feature
lines
up
with
the
geo
replication
feature
in
quei.
So
if
you're
familiar
with
quai
already,
you
know
we
have
a
feature
called
geo.
Replication
that's
been
around
for
a
while
repo
mirroring,
doesn't
deprecated
that
feature.
B
It
doesn't
replace
that
feature.
It's
actually
a
different
use
case.
That's
enhancing
what
we
can
do
now.
So
the
way
to
think
of
geo
replication
is
even
though
you're
across
geographies.
You
still
have
a
single
quai
environment
and
the
images
are
being
logically
spread
across
those
regions
when
you
are
in
a
different
region
and
us
for
an
image
that
may
not
be
locally
stored
in
your
region.
Geo
replication
brings
that
image
over
for
you
automatically.
So
you
know,
you're
getting
a
local
copy
repository
marrying
is
quite
different.
B
B
Just
a
real
quick
table
here:
I
won't
belabor
the
point
here,
but
just
if
you
kind
of
look
down
here,
you
can
see
the
differences
between
the
two
features
really
around,
but
geo
replication
we're
talking
about
sharing
the
global
registry,
logically
across
different
regions,
whereas
a
repo
mirroring
it's
about
having
separate
registries.
So
this
would
be
just
a
acqu,
a
registry
mirroring
a
different
way
registry
or
Quay
registry
mirroring,
say
a
Red
Hat
registry
or
docker.
It
doesn't
really
matter.
The
whole
point
is
where
we're
mirroring
into
Quay
from
a
different
environment
I'm.
B
Also,
the
push
is
another
key
thing,
as
well
being
able
to
push
into
those
registries
with
geo
replication
enabled
I
have
full
push
ability
across
both
sides
and
replication
sorts
out.
What
needs
to
be
done,
whereas
with
repo
mirroring,
we
allow
you
to
only
push
at
the
source
registry.
You
can't
actually
push
into
the
mirror
registry.
B
A
C
So
yeah
the
repo
mirroring
demo
I'm
just
gonna,
go
over
a
quick
use
case.
So
I
is
a
customer.
I
want
to
get
the
latest
versions
of
s
CD
and
so
I've
done
that
I've
created
a
repo
and
I
manually,
used
docker
or
pod
Man
or
scope.
Eo
I
grabbed
a
couple
images,
2.2,
2
and
2.2
2-1,
and
that
quickly
realized
that
I
didn't
want
to
keep
up
with.
That,
so
add
my
existing
mirror.
Again.
C
This
is
the
new
tab
and
the
mirroring
feature
is
just
that.
It
is
a
feature
so
in
the
configuration
app,
which
is
the
setup
tool
which
sort
of
facilitates
the
ease
of
use
of
creating
the
config
demo
that
the
Quai
container
is
used.
There
is
explicitly
a
checkbox
in
there
where
you
can
turn
it
on
so
I'm.
Quite
a
tile
example,
for
example,
it's
using
the
same
container
image
that
the
on-premise
customers
get
so
quite
IO
is
in
fact
a
quite
enterprise
running
at
scale,
but
in
Quetta
IO.
C
We
have
not
enabled
that
feature
you
when
you
install
it
locally,
configure
it
locally.
You
can
enable
it,
and
it's
only
this
tab
here.
The
mirroring
tab
will
only
show
up
when
that
configuration
is
enabled,
and
so
just
going
over
quickly.
Here
you
know,
by
an
external
repository
pointing
to
registry,
to
access
to
read
comm,
you
see,
I,
don't
have
any
credentials.
This
registry
does
not
require
credentials
if
I
wanted
to
go
to
registry
that
Red
Hat
I
owe
which
does
require
credentials.
I
could
specify
them.
C
This
is
the
user.
Again,
remember:
scope,
EO
behind-the-scenes
is
doing
the
copy
for
us,
so
it's
copying
literally
scope,
EO
copy
from
the
remote
source,
du
Quai
on
Prem
and
the
user
that
scope
EO
uses.
Is
this
robot
user
I
can
choose
whether
or
not
I
want
to
verify
the
tls
of
the
external
registry,
for
example,
if
I'm
running
a
local
standalone
registry
as
a
developer
and
I
want
to
copy
stuff
from
there,
I
may
not
have
setup
certs
the
proxy.
C
These
are
trickle
down
to
environment
variables,
just
like
you'd
expect
running
at
the
command
line,
and
then
we
have
some
information
here.
This
says
about
the
last
state,
so
the
last
sync
I
did
did
in
fact
succeed.
If
the
sync
was
running,
it
would
give
an
indication
of
the
timeout
I
think
it
set
the
three
hours.
C
This
is
just
sort
of
a
safety
precaution
and
if
you
have
our
sink
a
mirror
running
and
it's
stopped
running
for
some
reason
after
the
time
limit,
the
job
will
be
picked
back
up,
it'll
be
put
back
in
the
queue
as
available
and
again
this
is
a
config,
but
we
allow
three
failures
so
we'll
try
to
sync.
If
that
fails,
there's
a
network
hiccup,
whatever
you'll,
get
two
more
tries
and
then,
after
that
it
won't
automatically
run
and
you'll
have
to
come
in
and,
for
example,
sync
manually
which
sort
of
resets
things.
C
If
it
succeeds
and
then
there's
this
area
here,
you
can
see
tags
and
there
are
wild
cards.
So
in
this
case,
I
am
sinking
three
to
explicitly
and
also
three
to
dot
and
then
zero
to
nine.
So
they'll
pick
up
three
2.0.1,
two
etc.
If
they
exist,
the
existence
of
the
tags
is
not
a
failure.
That
just
means
that
the
tag
doesn't
exist
so
we'll
try
to
sink
we'll,
pull
down
the
list
of
tags
and
compare
them
against
this
list
of
expressions
effectively
and
I'm.
C
Gonna
switch
over
to
the
log
view
just
kind
of
the
get
the
history
and
again
the
logs.
This
is
the
this
tab
here.
The
usage
logs,
so
auditing
is
a
big
part
of
Quay,
and
here
you
know
this
is
just
a
demo
example.
So,
if
I
created
it
today,
these
are
the
events
in
this
repository.
Obviously,
in
a
production
environment
you'd
have
the
pull
logs
the
if
I
change
the
mirror,
config.
That
information
will
show
up
here
as
well.
C
So
you
get
a
full
in
sight
of
what's
happening
and
you
can
see
here
if
I
go
scroll
down,
there's
this
load
more
logs
and
because
I
have
a
bunch
of
logs
I've,
already
clicked
through
that
half
dozen
times.
So
this
is
the
beginning
of
the
repo
and
I
see
there's
some
blue
Dean's
questions,
but
let
me
just
get
to
the
demo
and
not
pop
over
back
over
to
that
screen.
C
C
Eyo
output,
though
I
have
debug
logs
on
so
there's
a
little
bit
more
verbosity
here,
but
we
captured
the
standard
and
the
standard
error
of
the
Skokie
Oh
run,
and
so
if
there
is
an
issue,
for
example,
if
you
don't
have
a
proxy
set
up
or
bad
credentials,
you
know
I
didn't
enter
your
credentials
correctly
or
CLS's
not
set
up.
That
would
show
up
here
very
clearly.
The
goal
here
for
the
logs
is
to
give
you,
the
user
customer
enough
information
to
figure
out
why
the
mirror
didn't
work.
C
So
you
see
a
bunch
of
tags
at
this
point.
I
realize
I
didn't
want
that
many
tags
and
I
added
a
notification
for
package
of
ulnar
abilities
and
then
I
changed
the
tag
pattern
and
you
can
see
now
I
just
get
three
2.5
7
and
9
and
those
are,
and
then
this
ran
on
a
schedule.
I
have
a
set
up
for
every
10
minutes,
that's
disabled!
Right
now!
You
can
see.
C
C
C
So
at
the
beginning
you
know,
I
have
all
these
tags
that
were
pulled
in
okay,
but
then
I
updated
the
tag
pattern
to
reduce
that
set,
and
you
can
see
that
all
the
non
matching,
in
other
words
the
patterns,
so
I'm,
pulling
explicitly
from
the
upstream,
with
a
certain
subset
of
tags
and
any
tags
that
don't
match
that
subset
currently
in
the
repo
will
get
deleted.
Now
remember
in
quake,
things
aren't
entirely
deleted.
So
there
is
our
time
machine
concept.
C
C
No
I
should
have
been
an
undelete,
so
I
switch
it
back
to
a
normal
mode.
This
should
be
a
fully
regular
repo
with
all
the
you
know,
benefits
all
the
bells
and
whistles
of
regular
repo,
maybe
I'm,
just
not
remembering
where
how
to
undelete
but
effectively.
If
I
needed
an
emergency
situation
to
get
this
specific
tag,
I
should
be
able
to
come,
switch
back
to
normal,
come
here
and
basically
recreate
this
tag
and
I
think
that
is
it.
C
Let
me
switch
so
let's
edit
them
apart,
but
if
you
want
to
try
it
out,
of
course
you
can
go
to
quite
at
I/o.
You
can
set
up
a
free
account
on
clay
that
I
Oh,
which
just
lets
you
have
public
repositories
on
private
repos.
You
can
sign
up
there
as
well
or
a
paid
subscription,
but
for
the
on
premise
again:
the
kwai
tai
o
image
is
the
same
as
the
quite
enterprise.
So
the
features
you
see
there
will
be
available
in
play
on
premise
as
well.
B
A
B
A
B
Yeah,
actually,
yes,
so
actually
well,
they
didn't
asked.
Another
question:
I
think
is
important
to
get
out
is
just
around
operator
mirror
so
DNA
and
asked
if
we
supported
the
mirroring
of
app
registries,
which
are
typically
used
these
days
to
store
operators,
we
actually
aren't
so
the
repo
mirroring
function
is
just
for
container
images.
It's
not
four
registries.
This
time,
it's
something
we're
looking
at,
probably
will
probably
stick
with
container
images
for
the
time
being,
but
the
whole
discussion
around
the
management
of
the
app
registry
is
something
that
we're
looking
at
pretty
carefully
and
I.
B
C
Yeah
and
I
think
I
shouldn't
have
to
that.
I
believe
that
you're
from
line
doesn't
need
to
conclude
the
registry
that
you
can
config
and
because
you
have
you
owned
the
Quai
on-premise
if
I
wanted
so,
for
example,
I
mirrored
rel,
7,
/
@
çd,
now
I
mirrored
it
to
admin
/
@
çd,
but
since
it's
my
own
Quay
I
could
make
a
namespace
called
rel
7
and
have
mirrored
sed
rate
into
there.
C
So,
if
I
had
a
from
line
that
said
well,
7
/
sed
as
long
as
I'm
configured
in
that
build
environment,
that
the
registry
is
Quay,
now
not
registry,
that
red
head
that
IO,
for
example,
then
that
would
just
I
wouldn't
have
to
change.
My
doctor.
I
could
be
wrong
in
that,
but
I'm
I
seem
to
remember.
I
could
do
that
set
up
a
default
registry
for
the
builds
that
make
sense.
D
Hey
Thomas
its
Fernando
here:
oh
thanks
for
lunch,
your
answers,
but
as
I
say
most
developers
and
also
Cuban
accent,
vitamins
they
usually
have
the
full
registry
names.
They
usually
don't
you
walk
with
the
default.
Has
history
so
I
know
I
could
change
the
default
I'd
astray,
but
if
my
developers,
my
users,
aren't
using
it
it's.
A
A
D
C
It's
still
going
to
be
a
different
from
line
time
period,
how
its
solved
I!
Guess
there
a
solution?
And
that's
that's
good
question,
and
these
are
questions.
I'd
love
to
see
threads
started
on
the
quay,
sig
it's
and
it's
a
new
Google
Group
and
we'll
try
to
get
the
conversations
going
there.
Also
around
Claire
we're
going
to
try
to
get
the
Claire
community
also
to
start
joining
in
the
conversations
there
but
good
question.
Yeah.
C
C
There's.
No
caching,
there's
no!
No
proxy
XS
pecs
in
that
regard
in
Satellite,
sixes,
tooling
pulp-free,
which
is
will
be
in
the
newer
version
of
satellite
six
has
some
of
those
features
available.
I,
don't
know
if
there's
an
expose
them
in
satellite
six.
The
current
satellite
six
versions
act
very
similarly
to
what
I
just
described
here
with
quays
repository
mirroring.
C
I
fully
understand
what
you're
thinking,
for
example,
an
open
ship.
There
are
image
streams
which
are
effectively
a
shallow
representation
right
just
has
the
metadata
and
when
you
and
is
an
option
when
you
have,
when
you
want
to
access
an
image,
it
will
go
back
to
the
original
source
and
provide
that,
and
that
is
not
what
we've
setup
in
quite
I,
fully
understand
the
use
cases
yeah.
Then
it's
a
very
powerful
feature.
I
agree.
A
Perfect
I
think
we're
at
we've
answered
all
of
the
questions
that
people
have
popped
in
I'm,
really
going
to
encourage
everybody
to
join
the
Google
group
and
I
will
post
this
video
on
blog
got
openshift
comm
shortly,
probably
in
the
next
day
or
so,
and
there
is
a
mailing
list.
That
is
basically
the
google
group.
A
The
thanks,
Thomas
and
thanks
bill
for
taking
the
time
today
and
thanks
everybody
for
joining
us
and
giving
us
your
feedback.
It
was
great
to
hear
from
you
all
great
suggestions
and
good
feedback,
so
looking
forward
to
seeing
people
migrate
to
the
new
version
and
give
us
even
more
feedback
thanks
all.