Quay Repositories

Creating an image repository

  • Click on the Create New Repository button.

create repo

  • Select the organization from the drop-down list, name the repository kafka, and set the visibility to public.

repo config

  • Click Create Public Repository.

Push (and tag) an image into the repository

  • Pull an image from the public registry by running the podman pull command followed by the name of the image.

podman pull quay.io/strimzi/kafka:latest-kafka-3.2.1

  • Tag the image with a name and a version number using the podman tag command.

podman tag quay.io/strimzi/kafka:latest-kafka-3.2.1 ${QUAY_HOSTNAME}/olleb/kafka:3.2.1

  • Sign into our Quay repository using your account credentials, if you are not already signed in.

podman login ${QUAY_HOSTNAME}

  • Push the image to the Quay repository using the podman push command.

podman push ${QUAY_HOSTNAME}/olleb/kafka:3.2.1

  • Verify that the image has been successfully pushed into our Quay repository by checking that the image is listed.

image pushed

Inspecting image layers

  • Navigate to the olleb/kafka repository.

  • Click on the Tags icon.

  • Click on the SHA256 value located under MANIFEST section of the 3.2.1 tag to view the layers dashboard.

image pushed2
img layers

Pull an image from the repository

  • From the Quay dashboard, locate and select the olleb/kafka repository.

  • Click on the Tags tab.

  • Select any of the repository's tags by clicking on it, click on the Fetch Tag icon.

fetchtagpre

  • Select Podman Pull (by tag) from the Image Format drop-down menu and click on the Copy Command button.

fetchtag

  • Switch to a terminal, paste the command you copied from the Quay UI, and then execute it. Make sure you have Podman installed on your system. Since we created the repository as Public, no login is required to pull the image.

Image rollback

Quay provides us with a convenient way to review the history of tags associated with an image repository.

  • Create a new image repository as already explained. In this case, create a public repository named olleb/rollback on Quay.

  • Build an image, tag it and push it.

echo "FROM scratch" > Containerfile.rbk
podman build . -t rollback:1.0 -f Containerfile.rbk

podman tag localhost/rollback:1.0 ${QUAY_HOSTNAME}/olleb/rollback:latest
podman push ${QUAY_HOSTNAME}/olleb/rollback:latest

  • Verify that the image has been pushed into Quay repository. Check also the manifest digest and the layers.

rblatest1
rblayers1

  • Add a new layer to the Containerfile, rebuild the image, and overwrite the old one by tagging and pushing it with the same remote tag.

echo "LABEL org.opencontainers.image.authors=[email protected]" >> Containerfile.rbk
podman build . -t rollback:2.0 -f Containerfile.rbk

podman tag localhost/rollback:2.0 ${QUAY_HOSTNAME}/olleb/rollback:latest
podman push ${QUAY_HOSTNAME}/olleb/rollback:latest

  • Verify that the new image has been pushed to the Quay repository and check its manifest digest and layers in the Quay UI. You should observe that the manifest digest and layers are different from the previous image.

rblatest2
rblayers2

  • To rollback the image to the previous one, navigate to the Quay UI and click on the Tag History option for the repository. From there, select the tag for the previous image that you want to rollback to.

taghistory

  • Click on Revert to …​.

revert

  • Click on the Restore Tag button. This will restore the image for that tag to the previous image.

restoretag

  • To verify that the image has been restored to the previous one in the tag history, go to the Tag History section in the Quay UI and check that the restored tag has the same manifest digest and layers as the previous image that was reverted to.

restored

Image expiration

To configure an image tag to expire from Quay on a specific time and date, follow these steps:

  • Create a new image repository as already explained. I created the olleb/expiration repository.

  • Build a 1.0 image, tag it and push it to the olleb/expiration repository.

echo "FROM scratch" > Containerfile.exp
podman build . -t exp:1.0 -f Containerfile.exp

podman tag localhost/exp:1.0 ${QUAY_HOSTNAME}/olleb/expiration:1.0
podman push ${QUAY_HOSTNAME}/olleb/expiration:1.0

  • The label quay.expires-after is used to indicate the expiration time for the tag. The value of the label can be specified in a number of different formats, including a specific time and date, a relative time offset from the time of image creation, or a relative time offset from the time of tag creation. In this case, we will use the relative time offset of 5m, which specifies that the image should expire 5 minutes after it is tagged with the 2.0 and latest tags.

echo "LABEL org.opencontainers.image.authors=[email protected]" >> Containerfile.exp
echo "LABEL quay.expires-after=5m" >> Containerfile.exp
podman build . -t exp:2.0 -f Containerfile.exp

podman tag localhost/exp:2.0 ${QUAY_HOSTNAME}/olleb/expiration:2.0
podman push ${QUAY_HOSTNAME}/olleb/expiration:2.0

podman tag localhost/exp:2.0 ${QUAY_HOSTNAME}/olleb/expiration:latest
podman push ${QUAY_HOSTNAME}/olleb/expiration:latest

  • We now have two images and three tags in our olleb/expiration repository. The 1.0 image has a 1.0 tag, the 2.0 image has 2.0 and latest tags. The latest and the 2.0 tag are marked as expiring soon.

exp1

After 5 minutes, both tags will be removed from the repository automatically.

taghistoryautodeleted

  • Select the 1.0 tag, in the Actions drop-down list, select Change Tags Expiration. Set the desired Expiration Date.

expirationdatetag
Alternatively, the expiration can also be set by clicking on the Options icon and selecting Change Expiration.

When the tag is about to expire, a message will be displayed:

abouttoexpire
By default, the minimum expiration time is one hour and the maximum is 104 weeks (approximately 2 years) at the time of this writing. If you want to allow for earlier or later minimum expiration times, you can set the LABELED_EXPIRATION_MINIMUM property to a different time value, such as 60s (seconds), 5m (minutes), 24h (hours), 7d (days), or 2w (weeks). This configuration must be placed in the Config Bundle Secret of your registry instance. An example of how to do this is explained in section 2.5.1 Configuring allowed OCI artifact types.

When the tag expires, it is deleted automatically.

tagexpireddeleted

Note that even though the tag is deleted, we can still restore the image. The reason is that when a tag is deleted and there are no other tags pointing to the same image, the image is not immediately deleted. Instead, it is marked for garbage collection, which by default occurs after 14 days (2w). Quay has a garbage collection worker enabled by default which runs periodically and removes the expired images when the configured Time Machine amount of time has passed.

As we stored the image inside olleb organization, we can check that value by browsing to /organization/olleb?tab=settings.

orgexptime

If the image stored is under the user account instead on an organization, the value can be found under user settings

The Time Machine amount time can be modified by changing the value of the TAG_EXPIRATION_OPTIONS array property, which must include the default expiration value DEFAULT_TAG_EXPIRATION in the list. An example of how to modify this value is explained in section 2.5.1 Configuring allowed OCI artifact types.

For example, with the following custom configuration:

expcfg

we will see:

customtm