Red Hat Quay Release Notes

Red Hat Quay 3

Red Hat Quay

Red Hat OpenShift Documentation Team

Abstract

Red Hat Quay Release Notes

Preface

Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:

  • Granular security management
  • Fast and robust at any scale
  • High velocity CI/CD
  • Automated installation and updates
  • Enterprise authentication and team-based access control
  • OpenShift Container Platform integration

Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.

Important

Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to roll back your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.

Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.

Note

Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions is archived on the Product Documentation for Red Hat Quay 2.9 page.

Chapter 1. Red Hat Quay release notes

The following sections detail y and z stream release information.

1.1. RHBA-2024:6048 - Red Hat Quay 3.12.2 release

Issued 2024-09-3

Red Hat Quay release 3.12.2 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:6048 advisory.

1.2. RHBA-2024:5039 - Red Hat Quay 3.12.1 release

Issued 2024-08-14

Red Hat Quay release 3.12.1 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:5039 advisory.

1.2.1. Red Hat Quay 3.12.2 bug fixes

  • PROJQUAY-7598. Invalid manifests are now returned when using the API.
  • PROJQUAY-7689. Previously, there was a bug affecting STSS3Storage engines, in which a config error was returned. This bug has been resolved.

1.2.2. Red Hat Quay 3.12.1 new features

With this release, NetApp ONTAP S3 object storage is now supported. For more information, see NetApp ONTAP S3 object storage.

1.2.3. Red Hat Quay 3.12.1 known issues

When using NetApp ONTAP S3 object storage, images with large layer sizes fail to push. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-7462).

1.2.4. Red Hat Quay 3.12.1 bug fixes

  • PROJQUAY-7177. Previously, global read-only superusers could not obtain resources from an organization when using the API. This issue has been resolved.
  • PROJQUAY-7446. Previously, global read-only superusers could not obtain correct information when using the listRepos API endpoints. This issue has been resolved.
  • PROJQUAY-7449. Previously, global read-only superusers could not use some superuser API endpoints. This issue has been resolved.
  • PROJQUAY-7487. Previously, when a repository had multiple notifications enabled, the wrong type of event notification could be triggered. This issue has been resolved.
  • PROJQUAY-7491. When using NetApp's ONTAP S3 implementation, the following error could be returned: presigned URL request computed using signature-version v2 is not supported by ONTAP-S3. This error occurred because boto iterates over a map of authentications if none is requested, and returns v2 because it is ordered earlier than v4. This issue has been fixed, and the error is no longer returned.
  • PROJQUAY-7578. On the 3.12.1 UI, the release notes pointed to Red Hat Quay’s 3.7 release. This has been fixed, and they now point to the current version.

1.2.5. Upgrading to Red Hat Quay 3.12.1

For information about upgrading standalone Red Hat Quay deployments, see Standalone upgrade.

For information about upgrading Red Hat Quay on OpenShift Container Platform, see Upgrading the Red Hat Quay Operator.

1.3. RHBA-2024:4525 - Red Hat Quay 3.12.0 release

Issued 2024-07-23

Red Hat Quay release 3.12 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:4525 advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations.

1.4. Red Hat Quay release cadence

With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.

For more information, see the Red Hat Quay Life Cycle Policy.

1.5. Red Hat Quay documentation changes

The following documentation changes have been made with the Red Hat Quay 3 release:

  • The Use Red Hat Quay guide now includes accompanying API procedures for basic operations, such as creating and deleting repositories and organizations by using the API, access management, and so on.

1.6. Red Hat Quay new features and enhancements

The following updates have been made to Red Hat Quay.

1.6.1. Splunk event collector enhancements

With this update, Red Hat Quay administrators can configure their deployment to forward action logs directly to a Splunk HTTP Event Collector (HEC). This enhancement enables seamless integration with Splunk for comprehensive log management and analysis.

For more information, see Configuring action log storage for Splunk.

1.6.2. API token ownership

Previously, when a Red Hat Quay organization owner created an API OAuth token, and that API OAuth token was used by another organization member, the action was logged to the creator of the token. This was undesirable for auditing purposes, notably in restricted environments where only dedicated registry administrators are organization owners.

With this release, organization administrators can now assign OAuth API tokens to be created by other users with specific permissions. This allows the audit logs to be reflected accurately when the token is used by a user that has no organization administrative permissions to create an OAuth API token.

For more information, see Reassigning an OAuth access token.

1.6.3. Image expiration notification

Previously, Red Hat Quay administrators and users had no way of being alerted when an image was about to expire. With this update, an event can be configured to notify users when an image is about to expire. This helps Red Hat Quay users avoid unexpected pull failures.

Image expiration event triggers can be configured to notify users through email, Slack, webhooks, and so on, and can be configured at the repository level. Triggers can be set for images expiring in any amount of days, and can work in conjunction with the auto-pruning feature.

For more information, see Creating an image expiration notification.

1.6.4. Red Hat Quay auto-pruning enhancements

With the release of Red Hat Quay 3.10, a new auto-pruning feature was released. With that feature, Red Hat Quay administrators could set up auto-pruning policies on namespaces for both users and organizations so that image tags were automatically deleted based on specified criteria. In Red Hat Quay 3.11, this feature was enhanced so that auto-pruning policies could be set up on specified repositories.

With this release, default auto-pruning policies can now be set up at the registry level. Default auto-pruning policies set up at the registry level can be configured on new and existing organizations. This feature saves Red Hat Quay administrators time, effort, and storage by enforcing registry-wide rules.

Red Hat Quay administrators must enable this feature by updating their config.yaml file to include the DEFAULT_NAMESPACE_AUTOPRUNE_POLICY configuration field and one of number_of_tags or creation_date methods. Currently, this feature cannot be enabled by using the v2 UI or the API.

For more information, see Red Hat Quay auto-pruning overview.

1.6.5. Open Container Initiative 1.1 implementation

Red Hat Quay now supports version 1.1 of the Open Container Initiative (OCI) distribution spec. Key highlights of this update include support for the following areas:

  • Enhanced capabilities for handling various types of artifacts, which provides better flexibility and compliance with OCI 1.1.
  • Introduction of new reference types, which allows more descriptive referencing of artifacts.
  • Introduction of the referrers API, which aids in the retrieval and management of referrers, which helps improve container image management.
  • Enhanced UI to better visualize referrers, which makes it easier for users to track and manage dependencies.

For more information about OCI spec 1.1, see OCI Distribution Specification.

For more information about OCI support and Red Hat Quay, see Open Container Initiative support.

1.6.6. Metadata support through annotations

Some OCI media types do not utilize labels and, as such, critical information such as expiration timestamps is not included. With this release, Red Hat Quay now supports metadata passed through annotations to accommodate OCI media types that do not include these labels for metadata transmission. Tools such as ORAS (OCI Registry as Storage) can now be used to embed information with artifact types to help ensure that images operate properly, for example, to expire.

For more information about OCI media types and how adding an annotation with ORAS works, see Open Container Initiative support.

1.6.7. Red Hat Quay v2 UI enhancements

The following enhancements have been made to the Red Hat Quay v2 UI.

1.6.7.1. Robot account creation enhancement

  • When creating a robot account with the Red Hat Quay v2 UI, administrators can now specify that the Kubernetes runtime use a secret only for a specific organization or repository. This option can be selected by clicking the name of your robot account on the v2 UI, and then clicking the Kubernetes tab.

1.7. New Red Hat Quay configuration fields

The following configuration fields have been added to Red Hat Quay 3.

1.7.1. OAuth access token reassignment configuration field

The following configuration field has been added for reassigning OAuth access tokens:

| Field | Type | Description |
|---|---|---|
| FEATURE_ASSIGN_OAUTH_TOKEN | Boolean | Allows organization administrators to assign OAuth tokens to other users. |

Example OAuth access token reassignment YAML

# ...
FEATURE_ASSIGN_OAUTH_TOKEN: true
# ...

1.7.2. Notification interval configuration field

The following configuration field has been added to enhance Red Hat Quay notifications:

| Field | Type | Description |
|---|---|---|
| NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES | Integer | The interval, in minutes, that defines the frequency to re-run notifications for expiring images. By default, this field is set to notify Red Hat Quay users of events happening every 5 hours. |

Example notification re-run YAML

# ...
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES: 10
# ...

1.7.3. Registry auto-pruning configuration fields

The following configuration fields have been added to the Red Hat Quay auto-pruning feature:

| Field | Type | Description |
|---|---|---|
| NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES | Integer | The interval, in minutes, that defines the frequency to re-run notifications for expiring images. Default: 300 |
| DEFAULT_NAMESPACE_AUTOPRUNE_POLICY | Object | The default organization-wide auto-prune policy. |
| .method: number_of_tags | Object | The option specifying the number of tags to keep. |
| .value: <integer> | Integer | When used with method: number_of_tags, denotes the number of tags to keep. For example, to keep two tags, specify 2. |
| .method: creation_date | Object | The option specifying the duration of which to keep tags. |
| .value: <integer> | Integer | When used with creation_date, denotes how long to keep tags. Can be set to seconds (s), days (d), months (m), weeks (w), or years (y). Must include a valid integer. For example, to keep tags for one year, specify 1y. |
| AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD | Integer | The period in which the auto-pruner worker runs at the registry level. By default, it is set to run one time per day (one time per 24 hours). Value must be in seconds. |

Example registry auto-prune policy by number of tags

DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: number_of_tags
  value: 10

Example registry auto-prune policy by creation date

DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: creation_date
  value: 1y

1.7.4. Vulnerability detection notification configuration field

The following configuration field has been added to notify users on detected vulnerabilities based on security level:

| Field | Type | Description |
|---|---|---|
| NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX | String | Set minimal security level for new notifications on detected vulnerabilities. Avoids creation of large number of notifications after first index. If not defined, defaults to High. Available options include Critical, High, Medium, Low, Negligible, and Unknown. |

Example image vulnerability notification YAML

NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX: High

1.7.5. OCI referrers API configuration field

The following configuration field allows users to list OCI referrers of a manifest under a repository by using the v2 API:

| Field | Type | Description |
|---|---|---|
| FEATURE_REFERRERS_API | Boolean | Enables OCI 1.1's referrers API. |

Example OCI referrers enablement YAML

# ...
FEATURE_REFERRERS_API: True
# ...

1.7.6. Disable strict logging configuration field

The following configuration field has been added to address cases where external systems like Splunk or ElasticSearch are configured as audit log destinations but are intermittently unavailable. When set to True, the logging event is logged to stdout instead.

| Field | Type | Description |
|---|---|---|
| ALLOW_WITHOUT_STRICT_LOGGING | Boolean | When set to True, allows you to use any registry action when you are unable to write to the audit log. |

Example strict logging YAML

# ...
ALLOW_WITHOUT_STRICT_LOGGING: True
# ...

1.7.7. Clair indexing layer size configuration field

The following configuration field has been added for the Clair security scanner, which allows Red Hat Quay administrators to set a maximum layer size allowed for indexing.

| Field | Type | Description |
|---|---|---|
| SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE | String | The maximum layer size allowed for indexing. If the layer size exceeds the configured size, the Red Hat Quay UI returns the following message: The manifest for this tag has layer(s) that are too large to index by the Quay Security Scanner. Example: 8G |
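The following added example (not part of the Red Hat Quay documentation or code base) checks an already-parsed config.yaml mapping against the field types and allowed values listed in sections 1.7.1 to 1.7.7, and warns about two settings that reduce audit or vulnerability visibility. The function names, the exact-match severity comparison, and the choice of what counts as a warning are assumptions of this example.

```python
import re

# Types and allowed values come from the field tables in sections 1.7.1 to 1.7.7.
BOOL_FIELDS = ("FEATURE_ASSIGN_OAUTH_TOKEN", "FEATURE_REFERRERS_API",
               "ALLOW_WITHOUT_STRICT_LOGGING")
INT_FIELDS = ("NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES",
              "AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD")
SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")
DURATION = re.compile(r"[0-9]+[sdmwy]")  # integer plus unit, for example 1y


def is_integer(value):
    # bool is a subclass of int in Python, so a YAML true must not pass as an integer.
    return isinstance(value, int) and not isinstance(value, bool)


def check_autoprune(policy):
    """Return error strings for a DEFAULT_NAMESPACE_AUTOPRUNE_POLICY object."""
    if not isinstance(policy, dict):
        return ["DEFAULT_NAMESPACE_AUTOPRUNE_POLICY must be an object"]
    method, value = policy.get("method"), policy.get("value")
    if method == "number_of_tags":
        return [] if is_integer(value) else ["number_of_tags needs an integer value"]
    if method == "creation_date":
        ok = isinstance(value, str) and DURATION.fullmatch(value)
        return [] if ok else ["creation_date needs <integer><s|d|m|w|y>, e.g. 1y"]
    return ["method must be number_of_tags or creation_date"]


def lint(config):
    """Return (errors, warnings) for a parsed config.yaml mapping."""
    errors, warnings = [], []
    for key in BOOL_FIELDS:
        if key in config and not isinstance(config[key], bool):
            errors.append(f"{key} must be a Boolean")
    for key in INT_FIELDS:
        if key in config and not is_integer(config[key]):
            errors.append(f"{key} must be an integer")
    if "DEFAULT_NAMESPACE_AUTOPRUNE_POLICY" in config:
        errors += check_autoprune(config["DEFAULT_NAMESPACE_AUTOPRUNE_POLICY"])
    # Defaults to High when the field is not defined (section 1.7.4).
    severity = config.get("NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX", "High")
    if severity not in SEVERITIES:  # assumption: compared exactly as the page lists them
        errors.append("NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX must be one of "
                      + ", ".join(SEVERITIES))
    elif severity == "Critical":
        warnings.append("only Critical findings raise notifications on a new index")
    if config.get("ALLOW_WITHOUT_STRICT_LOGGING") is True:
        warnings.append("registry actions proceed when the audit log destination is "
                        "down and events go to stdout; make sure stdout is collected")
    return errors, warnings


# Constructed sample with three mistakes; not a real deployment's configuration.
SAMPLE = {
    "FEATURE_REFERRERS_API": True,
    "ALLOW_WITHOUT_STRICT_LOGGING": True,
    "NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES": "10",  # quoted, so a string
    "DEFAULT_NAMESPACE_AUTOPRUNE_POLICY": {"method": "creation_date",
                                           "value": "12 months"},
    "NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX": "Important",  # not a listed option
}

if __name__ == "__main__":
    found_errors, found_warnings = lint(SAMPLE)
    for message in found_errors:
        print("ERROR  ", message)
    for message in found_warnings:
        print("WARNING", message)
```
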

1.8. API endpoint enhancements

1.8.1. New changeOrganizationQuota and createOrganizationQuota endpoints

The following optional API field has been added to the changeOrganizationQuota and createOrganizationQuota endpoints:

| Name | Description | Schema |
|---|---|---|
| limits (optional) | Human readable storage capacity of the organization. Accepts SI units like Mi, Gi, or Ti, as well as non-standard units like GB or MB. Must be mutually exclusive with limit_bytes. | string |

Use this field to set specific limits when creating or changing an organization's quota limit. For more information about these endpoints, see changeOrganizationQuota and createOrganizationQuota.

1.8.2. New referrer API endpoint

The following API endpoint allows users to obtain referrer artifact information:

| Type | Name | Description | Schema |
|---|---|---|---|
| path | orgname (required) | The name of the organization | string |
| path | repository (required) | The full path of the repository. e.g. namespace/name | string |
| path | referrers (required) | Looks up the OCI referrers of a manifest under a repository. | string |

To use this field, you must generate a v2 API OAuth token and set FEATURE_REFERRERS_API: true in your config.yaml file. For more information, see Creating an OCI referrers OAuth access token.
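The following added example (not part of the Red Hat Quay documentation or code base) builds a referrers request in the form defined by the OCI distribution spec 1.1, GET /v2/<name>/referrers/<digest>, and checks a referrers response for artifact types that a deployment expects to be attached to an image. The host name, token, digests, and artifact type strings are constructed placeholders, and accepting only sha256 digests is a simplification of this example.

```python
import json
import re
from urllib.parse import quote
from urllib.request import Request

INDEX_TYPE = "application/vnd.oci.image.index.v1+json"
DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def referrers_request(registry, repository, digest, token, artifact_type=None):
    """Build, without sending, a referrers lookup for one manifest digest."""
    if not DIGEST.fullmatch(digest):
        # The referrers API is keyed by the subject's digest, never by a tag.
        raise ValueError("subject must be a sha256 digest")
    url = f"https://{registry}/v2/{quote(repository)}/referrers/{digest}"
    if artifact_type:
        # Optional server-side filter defined by the OCI distribution spec.
        url += "?artifactType=" + quote(artifact_type, safe="")
    headers = {"Authorization": f"Bearer {token}", "Accept": INDEX_TYPE}
    return Request(url, headers=headers)


def group_referrers(body):
    """Map each artifactType in a referrers response to its referrer digests."""
    index = json.loads(body)
    if index.get("mediaType") != INDEX_TYPE:
        raise ValueError("a referrers response must be an OCI image index")
    grouped = {}
    for descriptor in index.get("manifests", []):
        kind = descriptor.get("artifactType", "unknown")
        grouped.setdefault(kind, []).append(descriptor["digest"])
    return grouped


def missing_artifacts(body, required):
    """Return the required artifact types that no referrer provides."""
    present = group_referrers(body)
    return [kind for kind in required if kind not in present]


# Constructed values: placeholder digests and made-up artifact types.
SUBJECT = "sha256:" + "a" * 64
SBOM = "application/vnd.example.sbom.v1+json"
SIGNATURE = "application/vnd.example.signature.v1+json"
ATTESTATION = "application/vnd.example.attestation.v1+json"
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2,
    "mediaType": INDEX_TYPE,
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64, "size": 1024, "artifactType": SBOM},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c" * 64, "size": 512, "artifactType": SIGNATURE},
    ],
})

if __name__ == "__main__":
    request = referrers_request("quay.example.com", "myorg/myrepo", SUBJECT, "TOKEN")
    print(request.get_method(), request.full_url)
    print("missing:", missing_artifacts(SAMPLE_BODY, [SBOM, SIGNATURE, ATTESTATION]))
```
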

1.9. Red Hat Quay 3.12 known issues and limitations

The following sections note known issues and limitations for Red Hat Quay 3.

1.9.1. Red Hat Quay v2 UI known issues

The Red Hat Quay team is aware of the following known issues on the v2 UI:

  • PROJQUAY-6910. The new UI can’t group and stack the chart on usage logs
  • PROJQUAY-6909. The new UI can’t toggle the visibility of the chart on usage log
  • PROJQUAY-6904. "Permanently delete" tag should not be restored on new UI
  • PROJQUAY-6899. The normal user can not delete organization in new UI when enable FEATURE_SUPERUSERS_FULL_ACCESS
  • PROJQUAY-6892. The new UI should not invoke not required stripe and status page
  • PROJQUAY-6884. The new UI should show the tip of slack Webhook URL when creating slack notification
  • PROJQUAY-6882. The new UI global readonly super user can’t see all organizations and image repos
  • PROJQUAY-6881. The new UI can’t show all operation types in the logs chart
  • PROJQUAY-6861. The new UI "Last Modified" of organization always show N/A after target organization’s setting is updated
  • PROJQUAY-6860. The new UI update the time machine configuration of organization show NULL in usage logs
  • PROJQUAY-6859. The new UI remove image repo permission show "undefined" for organization name in audit logs
  • PROJQUAY-6852. "Tag manifest with the branch or tag name" option in build trigger setup wizard should be checked by default.
  • PROJQUAY-6832. The new UI should validate the OIDC group name when enable OIDC Directory Sync
  • PROJQUAY-6830. The new UI should show the sync icon when the team is configured sync team members from OIDC Group
  • PROJQUAY-6829. The new UI team member added to team sync from OIDC group should be audited in Organization logs page
  • PROJQUAY-6825. Build cancel operation log can not be displayed correctly in new UI
  • PROJQUAY-6812. The new UI the "performer by" is NULL of build image in logs page
  • PROJQUAY-6810. The new UI should highlight the tag name with tag icon in logs page
  • PROJQUAY-6808. The new UI can’t click the robot account to show credentials in logs page
  • PROJQUAY-6807. The new UI can’t see the operations types in log page when quay is in dark mode
  • PROJQUAY-6770. The new UI build image by uploading Docker file should support .tar.gz or .zip
  • PROJQUAY-6769. The new UI should not display message "Trigger setup has already been completed" after build trigger setup completed
  • PROJQUAY-6768. The new UI can’t navigate back to current image repo from image build
  • PROJQUAY-6767. The new UI can’t download build logs
  • PROJQUAY-6758. The new UI should display correct operation number when hover over different operation type
  • PROJQUAY-6757. The new UI usage log should display the tag expiration time as date format

1.9.2. Red Hat Quay 3.12 limitations

The following features are not supported on IBM Power (ppc64le) or IBM Z (s390x):

  • Ceph RadosGW storage
  • Splunk HTTP Event Collector (HEC)

1.10. Red Hat Quay bug fixes

The following issues were fixed with Red Hat Quay 3:

  • PROJQUAY-6763. Quay 3.11 new UI operations of enable/disable team sync from OIDC group should be audited
  • PROJQUAY-6826. Log histogram can’t be hidden in the new UI
  • PROJQUAY-6855. Quay 3.11 new UI no usage log to audit operations under user namespace
  • PROJQUAY-6857. Quay 3.11 new UI usage log chart covered the operations types list
  • PROJQUAY-6931. OCI-compliant pagination
  • PROJQUAY-6972. Quay 3.11 new UI can’t open repository page when Quay has 2k orgs and 2k image repositories
  • PROJQUAY-7037. Can’t get slack and email notification when package vulnerability found
  • PROJQUAY-7069. Invalid time format error messages and layout glitches in tag expiration modal
  • PROJQUAY-7107. Quay.io overview page does not work in dark mode
  • PROJQUAY-7239. Quay logging exception when caching specific security_reports
  • PROJQUAY-7304. security: Add Vary header to 404 responses
  • PROJQUAY-6973. Add OCI Pagination
  • PROJQUAY-6974. Set a default auto-pruning policy at the registry level
  • PROJQUAY-6976. Org owner can change ownership of API tokens
  • PROJQUAY-6977. Trigger event on image expiration
  • PROJQUAY-6979. Annotation Parsing
  • PROJQUAY-6980. Add support for a global read only superuser
  • PROJQUAY-7360. Missing index on subject_backfilled field in manifest table
  • PROJQUAY-7393. Create backfill index concurrently
  • PROJQUAY-7116. Allow to ignore audit logging failures

1.11. Red Hat Quay feature tracker

New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1.1. New features tracker

| Feature | Quay 3.12 | Quay 3.11 | Quay 3.10 |
|---|---|---|---|
| Splunk HTTP Event Collector (HEC) support | General Availability | - | - |
| Open Container Initiative 1.1 support | General Availability | - | - |
| Reassigning an OAuth access token | General Availability | - | - |
| Creating an image expiration notification | General Availability | - | - |
| Team synchronization for Red Hat Quay OIDC deployments | General Availability | General Availability | - |
| Configuring resources for managed components on OpenShift Container Platform | General Availability | General Availability | - |
| Configuring AWS STS for Red Hat Quay, Configuring AWS STS for Red Hat Quay on OpenShift Container Platform | General Availability | General Availability | - |
| Red Hat Quay repository auto-pruning | General Availability | General Availability | - |
| Configuring dark mode on the Red Hat Quay v2 UI | General Availability | General Availability | - |
| Disabling robot accounts | General Availability | General Availability | General Availability |
| Red Hat Quay namespace auto-pruning | General Availability | General Availability | General Availability |
| FEATURE_UI_V2 | Technology Preview | Technology Preview | Technology Preview |

1.11.1. IBM Power, IBM Z, and IBM® LinuxONE support matrix

Table 1.2. list of supported and unsupported features

| Feature | IBM Power | IBM Z and IBM® LinuxONE |
|---|---|---|
| Allow team synchronization via OIDC on Azure | Not Supported | Not Supported |
| Backing up and restoring on a standalone deployment | Supported | Supported |
| Clair Disconnected | Supported | Supported |
| Geo-Replication (Standalone) | Supported | Supported |
| Geo-Replication (Operator) | Not Supported | Not Supported |
| IPv6 | Not Supported | Not Supported |
| Migrating a standalone to operator deployment | Supported | Supported |
| Mirror registry | Not Supported | Not Supported |
| PostgreSQL connection pooling via pgBouncer | Supported | Supported |
| Quay config editor - mirror, OIDC | Supported | Supported |
| Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise | Not Supported | Not Supported |
| Quay config editor - Red Hat Quay V2 User Interface | Supported | Supported |
| Quay Disconnected | Supported | Supported |
| Repo Mirroring | Supported | Supported |

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.