Red Hat Quay Release Notes
Preface
Red Hat Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Red Hat Quay includes the following features and benefits:
- Granular security management
- Fast and robust at any scale
- High velocity CI/CD
- Automated installation and updates
- Enterprise authentication and team-based access control
- OpenShift Container Platform integration
Red Hat Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Red Hat Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Red Hat Quay.
Red Hat Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Red Hat Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Red Hat Quay. Database schema upgrades are not considered backwards compatible.
Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to rollback your Red Hat Quay deployment must be made in conjunction with the Red Hat Quay support and development teams. For more information, contact Red Hat Quay support.
Documentation for Red Hat Quay is versioned with each release. The latest Red Hat Quay documentation is available from the Red Hat Quay Documentation page. Currently, version 3 is the latest major version.
Prior to version 2.9.2, Red Hat Quay was called Quay Enterprise. Documentation for 2.9.2 and prior versions is archived on the Product Documentation for Red Hat Quay 2.9 page.
Chapter 1. Red Hat Quay release notes
The following sections detail y and z stream release information.
1.1. RHBA-2024:6048 - Red Hat Quay 3.12.2 release
Issued 2024-09-3
Red Hat Quay release 3.12.2 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:6048 advisory.
1.2. RHBA-2024:5039 - Red Hat Quay 3.12.1 release
Issued 2024-08-14
Red Hat Quay release 3.12.1 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:5039 advisory.
1.2.1. Red Hat Quay 3.12.2 bug fixes
- PROJQUAY-7598. Invalid manifests are now returned when using the API.
- PROJQUAY-7689. Previously, there was a bug affecting STSS3Storage engines, in which a config error was returned. This bug has been resolved.
1.2.2. Red Hat Quay 3.12.1 new features
With this release, NetApp ONTAP S3 object storage is now supported. For more information, see NetApp ONTAP S3 object storage.
1.2.3. Red Hat Quay 3.12.1 known issues
When using NetApp ONTAP S3 object storage, images with large layer sizes fail to push. This is a known issue and will be fixed in a future version of Red Hat Quay. (PROJQUAY-7462).
1.2.4. Red Hat Quay 3.12.1 bug fixes
- PROJQUAY-7177. Previously, global read-only superusers could not obtain resources from an organization when using the API. This issue has been resolved.
- PROJQUAY-7446. Previously, global read-only superusers could not obtain correct information when using the listRepos API endpoints. This issue has been resolved.
- PROJQUAY-7449. Previously, global read-only superusers could not use some superuser API endpoints. This issue has been resolved.
- PROJQUAY-7487. Previously, when a repository had multiple notifications enabled, the wrong type of event notification could be triggered. This issue has been resolved.
- PROJQUAY-7491. When using NetApp's ONTAP S3 implementation, the following error could be returned: "presigned URL request computed using signature-version v2 is not supported by ONTAP-S3". This error occurred because boto iterates over a map of authentications if none is requested, and returns v2 because it is ordered earlier than v4. This issue has been fixed, and the error is no longer returned.
- PROJQUAY-7578. On the 3.12.1 UI, the release notes pointed to Red Hat Quay's 3.7 release. This has been fixed, and they now point to the current version.
1.2.5. Upgrading to Red Hat Quay 3.12.1
For information about upgrading standalone Red Hat Quay deployments, see Standalone upgrade.
For information about upgrading Red Hat Quay on OpenShift Container Platform, see Upgrading the Red Hat Quay Operator.
1.3. RHBA-2024:4525 - Red Hat Quay 3.12.0 release
Issued 2024-07-23
Red Hat Quay release 3.12 is now available with Clair 4.7.4. The bug fixes that are included in the update are listed in the RHBA-2024:4525 advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations.
1.4. Red Hat Quay release cadence
With the release of Red Hat Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Red Hat Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Red Hat Quay to align with OpenShift Container Platform releases.
For more information, see the Red Hat Quay Life Cycle Policy.
1.5. Red Hat Quay documentation changes
The following documentation changes have been made with the Red Hat Quay 3 release:
- The Use Red Hat Quay guide now includes accompanying API procedures for basic operations, such as creating and deleting repositories and organizations by using the API, access management, and so on.
1.6. Red Hat Quay new features and enhancements
The following updates have been made to Red Hat Quay.
1.6.1. Splunk event collector enhancements
With this update, Red Hat Quay administrators can configure their deployment to forward action logs directly to a Splunk HTTP Event Collector (HEC). This enhancement enables seamless integration with Splunk for comprehensive log management and analysis.
For more information, see Configuring action log storage for Splunk.
1.6.2. API token ownership
Previously, when a Red Hat Quay organization owner created an API OAuth token, and that API OAuth token was used by another organization member, the action was logged to the creator of the token. This was undesirable for auditing purposes, notably in restricted environments where only dedicated registry administrators are organization owners.
With this release, organization administrators can now assign OAuth API tokens to be created by other users with specific permissions. This allows the audit logs to be reflected accurately when the token is used by a user that has no organization administrative permissions to create an OAuth API token.
For more information, see Reassigning an OAuth access token.
1.6.3. Image expiration notification
Previously, Red Hat Quay administrators and users had no way of being alerted when an image was about to expire. With this update, an event can be configured to notify users when an image is about to expire. This helps Red Hat Quay users avoid unexpected pull failures.
Image expiration event triggers can be configured to notify users through email, Slack, webhooks, and so on, and can be configured at the repository level. Triggers can be set for images expiring in any number of days, and can work in conjunction with the auto-pruning feature.
For more information, see Creating an image expiration notification.
1.6.4. Red Hat Quay auto-pruning enhancements
With the release of Red Hat Quay 3.10, a new auto-pruning feature was released. With that feature, Red Hat Quay administrators could set up auto-pruning policies on namespaces for both users and organizations so that image tags were automatically deleted based on specified criteria. In Red Hat Quay 3.11, this feature was enhanced so that auto-pruning policies could be set up on specified repositories.
With this release, default auto-pruning policies can now be set up at the registry level. Default auto-pruning policies set up at the registry level can be configured on new and existing organizations. This feature saves Red Hat Quay administrators time, effort, and storage by enforcing registry-wide rules.
Red Hat Quay administrators must enable this feature by updating their config.yaml file to include the DEFAULT_NAMESPACE_AUTOPRUNE_POLICY configuration field and one of the number_of_tags or creation_date methods. Currently, this feature cannot be enabled by using the v2 UI or the API.
For more information, see Red Hat Quay auto-pruning overview.
1.6.5. Open Container Initiative 1.1 implementation
Red Hat Quay now supports the Open Container Initiative (OCI) distribution spec version 1.1. Key highlights of this update include support for the following areas:
- Enhanced capabilities for handling various types of artifacts, which provides better flexibility and compliance with OCI 1.1.
- Introduction of new reference types, which allows more descriptive referencing of artifacts.
- Introduction of the referrers API, which aids in the retrieval and management of referrers, which helps improve container image management.
- Enhanced UI to better visualize referrers, which makes it easier for users to track and manage dependencies.
For more information about OCI spec 1.1, see OCI Distribution Specification.
For more information about OCI support and Red Hat Quay, see Open Container Initiative support.
1.6.6. Metadata support through annotations
Some OCI media types do not utilize labels and, as such, critical information such as expiration timestamps is not included. With this release, Red Hat Quay supports metadata passed through annotations to accommodate OCI media types that do not include these labels for metadata transmission. Tools such as ORAS (OCI Registry as Storage) can now be used to embed information with artifact types to help ensure that images operate properly, for example, to expire.
For more information about OCI media types and how adding an annotation with ORAS works, see Open Container Initiative support.
1.6.7. Red Hat Quay v2 UI enhancements
The following enhancements have been made to the Red Hat Quay v2 UI.
1.6.7.1. Robot account creation enhancement
- When creating a robot account with the Red Hat Quay v2 UI, administrators can now specify that the Kubernetes runtime use a secret only for a specific organization or repository. This option can be selected by clicking the name of your robot account on the v2 UI, and then clicking the Kubernetes tab.
1.7. New Red Hat Quay configuration fields
The following configuration fields have been added to Red Hat Quay 3.
1.7.1. OAuth access token reassignment configuration field
The following configuration field has been added for reassigning OAuth access tokens:
Field | Type | Description |
---|---|---|
FEATURE_ASSIGN_OAUTH_TOKEN | Boolean | Allows organization administrators to assign OAuth tokens to other users. |
Example OAuth access token reassignment YAML
```yaml
# ...
FEATURE_ASSIGN_OAUTH_TOKEN: true
# ...
```
1.7.2. Notification interval configuration field
The following configuration field has been added to enhance Red Hat Quay notifications:
Field | Type | Description |
---|---|---|
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES | Integer | The interval, in minutes, that defines the frequency to re-run notifications for expiring images. By default, this field is set to notify Red Hat Quay users of events happening every 5 hours. |
Example notification re-run YAML
```yaml
# ...
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES: 10
# ...
```
1.7.3. Registry auto-pruning configuration fields
The following configuration fields have been added to the Red Hat Quay auto-pruning feature:
Field | Type | Description |
---|---|---|
NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES | Integer | The interval, in minutes, that defines the frequency to re-run notifications for expiring images. |
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY | Object | The default organization-wide auto-prune policy. |
.method: number_of_tags | Object | The option specifying the number of tags to keep. |
.value: <integer> | Integer | When used with method: number_of_tags, denotes the number of tags to keep. For example, to keep two tags, specify |
.method: creation_date | Object | The option specifying the duration of which to keep tags. |
.value: <integer> | Integer | When used with creation_date, denotes how long to keep tags. Can be set to seconds ( |
AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD | Integer | The period in which the auto-pruner worker runs at the registry level. By default, it is set to run one time per day (one time per 24 hours). Value must be in seconds. |
Example registry auto-prune policy by number of tags
```yaml
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: number_of_tags
  value: 10
```
Example registry auto-prune policy by creation date
```yaml
DEFAULT_NAMESPACE_AUTOPRUNE_POLICY:
  method: creation_date
  value: 1y
```
1.7.4. Vulnerability detection notification configuration field
The following configuration field has been added to notify users on detected vulnerabilities based on security level:
Field | Type | Description |
---|---|---|
NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX | String | Set minimal security level for new notifications on detected vulnerabilities. Avoids creation of large number of notifications after first index. If not defined, defaults to |
Example image vulnerability notification YAML
NOTIFICATION_MIN_SEVERITY_ON_NEW_INDEX: High
1.7.5. OCI referrers API configuration field
The following configuration field allows users to list OCI referrers of a manifest under a repository by using the v2 API:
Field | Type | Description |
---|---|---|
FEATURE_REFERRERS_API | Boolean | Enables OCI 1.1’s referrers API. |
Example OCI referrers enablement YAML
```yaml
# ...
FEATURE_REFERRERS_API: True
# ...
```
1.7.6. Disable strict logging configuration field
The following configuration field has been added to address cases in which external systems like Splunk or ElasticSearch are configured as audit log destinations but are intermittently unavailable. When set to True, the logging event is logged to the stdout instead.
Field | Type | Description |
---|---|---|
ALLOW_WITHOUT_STRICT_LOGGING | Boolean | When set to |
Example strict logging YAML
```yaml
# ...
ALLOW_WITHOUT_STRICT_LOGGING: True
# ...
```
1.7.7. Clair indexing layer size configuration field
The following configuration field has been added for the Clair security scanner, which allows Red Hat Quay administrators to set a maximum layer size allowed for indexing.
Field | Type | Description |
---|---|---|
SECURITY_SCANNER_V4_INDEX_MAX_LAYER_SIZE | String | The maximum layer size allowed for indexing. If the layer size exceeds the configured size, the Red Hat Quay UI returns the following message: |
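A pre-deployment check for the configuration fields listed in this section, as an added example that is not part of the Red Hat documentation. It works on an already parsed config.yaml (a Python dict); the positive-integer rule and the duration pattern are assumptions taken from the field types and the "1y" example above, and the sample configuration is constructed.

```python
import re

# Field types as stated in the 3.12 configuration tables.
BOOL_FIELDS = ("FEATURE_ASSIGN_OAUTH_TOKEN", "FEATURE_REFERRERS_API",
               "ALLOW_WITHOUT_STRICT_LOGGING")
INT_FIELDS = ("NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES",
              "AUTO_PRUNING_DEFAULT_POLICY_POLL_PERIOD")
POLICY = "DEFAULT_NAMESPACE_AUTOPRUNE_POLICY"
# Assumption: a creation_date value is an integer followed by a one-letter
# unit, as in the "1y" example; the set of valid unit letters is not checked.
DURATION = re.compile(r"^[1-9][0-9]*[a-z]$")


def _positive_int(value):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def lint_quay_config(cfg):
    """Return (level, field, message) findings for a parsed config.yaml dict."""
    findings = []
    for name in BOOL_FIELDS:
        if name in cfg and not isinstance(cfg[name], bool):
            findings.append(("error", name, "must be a Boolean"))
    for name in INT_FIELDS:
        # Assumption: zero or negative intervals are treated as mistakes.
        if name in cfg and not _positive_int(cfg[name]):
            findings.append(("error", name, "must be a positive integer"))

    if POLICY in cfg:
        policy = cfg[POLICY]
        method = policy.get("method") if isinstance(policy, dict) else None
        value = policy.get("value") if isinstance(policy, dict) else None
        if method == "number_of_tags":
            if not _positive_int(value):
                findings.append(("error", POLICY, "value must be a positive integer"))
        elif method == "creation_date":
            if not (isinstance(value, str) and DURATION.match(value)):
                findings.append(("error", POLICY, "value must look like 1y"))
        else:
            findings.append(("error", POLICY,
                             "method must be number_of_tags or creation_date"))

    if cfg.get("ALLOW_WITHOUT_STRICT_LOGGING") is True:
        # Audit events then reach stdout instead of Splunk or ElasticSearch
        # during an outage, so stdout has to be collected to keep the trail.
        findings.append(("warn", "ALLOW_WITHOUT_STRICT_LOGGING",
                         "audit events can fall back to stdout; collect it"))
    return findings


# Constructed sample, standing in for the parsed contents of config.yaml.
SAMPLE_CONFIG = {
    "FEATURE_ASSIGN_OAUTH_TOKEN": True,
    "FEATURE_REFERRERS_API": "True",          # quoted string, not a Boolean
    "ALLOW_WITHOUT_STRICT_LOGGING": True,
    "NOTIFICATION_TASK_RUN_MINIMUM_INTERVAL_MINUTES": 10,
    "DEFAULT_NAMESPACE_AUTOPRUNE_POLICY": {"method": "creation_date", "value": 365},
}

if __name__ == "__main__":
    for level, field, message in lint_quay_config(SAMPLE_CONFIG):
        print(level, field, message)
```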
1.8. API endpoint enhancements
1.8.1. New changeOrganizationQuota and createOrganizationQuota endpoints:
The following optional API field has been added to the changeOrganizationQuota and createOrganizationQuota endpoints:
Name | Description | Schema |
---|---|---|
limits | Human readable storage capacity of the organization. Accepts SI units like Mi, Gi, or Ti, as well as non-standard units like GB or MB. Must be mutually exclusive with | string |
Use this field to set specific limits when creating or changing an organization’s quota limit. For more information about these endpoints, see changeOrganizationQuota and createOrganizationQuota.
1.8.2. New referrer API endpoint
The following API endpoint allows users to obtain referrer artifact information:
Type | Name | Description | Schema |
---|---|---|---|
path | orgname | The name of the organization | string |
path | repository | The full path of the repository. e.g. namespace/name | string |
path | referrers | Looks up the OCI referrers of a manifest under a repository. | string |
To use this field, you must generate a v2 API OAuth token and set FEATURE_REFERRERS_API: true in your config.yaml file. For more information, see Creating an OCI referrers OAuth access token.
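The referrers lookup described above, as an added example that is not part of the Red Hat documentation: it builds the request URL and checks a referrers response for required artifact types, such as an SBOM or a signature attached to an image. The path layout /v2/<name>/referrers/<digest>, the artifactType query parameter, and the OCI-Filters-Applied response header follow the OCI distribution spec 1.1; the hostname quay.example.com, the repository name, the artifact types, and the digests are constructed placeholders.

```python
import re
from urllib.parse import quote, urlencode

INDEX_MEDIA_TYPE = "application/vnd.oci.image.index.v1+json"
# This example accepts sha256 digests only; a tag is not a valid subject.
DIGEST_RE = re.compile(r"^sha256:[a-f0-9]{64}$")


def referrers_url(registry, repository, digest, artifact_type=None):
    """Build the OCI 1.1 referrers URL, /v2/<name>/referrers/<digest>."""
    if not DIGEST_RE.match(digest):
        raise ValueError("subject must be a sha256 digest")
    url = "https://%s/v2/%s/referrers/%s" % (registry, quote(repository), digest)
    if artifact_type:
        url += "?" + urlencode({"artifactType": artifact_type})
    return url


def _filters_applied(headers):
    # HTTP header names are case-insensitive.
    raw = {k.lower(): v for k, v in headers.items()}.get("oci-filters-applied", "")
    return {item.strip() for item in raw.split(",") if item.strip()}


def select_referrers(index, headers, artifact_type=None):
    """Return referrer descriptors, filtering client-side if the registry did not."""
    if index.get("mediaType") != INDEX_MEDIA_TYPE:
        raise ValueError("referrers response must be an OCI image index")
    manifests = index.get("manifests") or []
    if artifact_type and "artifactType" not in _filters_applied(headers):
        manifests = [m for m in manifests if m.get("artifactType") == artifact_type]
    return manifests


def missing_artifact_types(index, headers, required_types):
    """List required artifact types that no referrer of the subject carries."""
    if _filters_applied(headers):
        # A filtered listing cannot prove that another type is absent.
        raise ValueError("need an unfiltered referrers response")
    present = {m.get("artifactType") for m in select_referrers(index, headers)}
    return sorted(set(required_types) - present)


# Constructed sample data; the artifact types and digests are placeholders.
SUBJECT = "sha256:" + "a" * 64
SBOM = "application/vnd.example.sbom.v1+json"
SIGNATURE = "application/vnd.example.signature.v1+json"
SAMPLE_INDEX = {
    "schemaVersion": 2,
    "mediaType": INDEX_MEDIA_TYPE,
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64, "size": 1024, "artifactType": SBOM},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c" * 64, "size": 512, "artifactType": SIGNATURE},
    ],
}

if __name__ == "__main__":
    print(referrers_url("quay.example.com", "myorg/myrepo", SUBJECT, SBOM))
    print(missing_artifact_types(SAMPLE_INDEX, {}, [SBOM, SIGNATURE]))
```

A listing that the registry paginates through the Link header has to be fetched in full before missing_artifact_types can conclude that a type is absent.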
1.9. Red Hat Quay 3.12 known issues and limitations
The following sections note known issues and limitations for Red Hat Quay 3.
1.9.1. Red Hat Quay v2 UI known issues
The Red Hat Quay team is aware of the following known issues on the v2 UI:
- PROJQUAY-6910. The new UI can’t group and stack the chart on usage logs
- PROJQUAY-6909. The new UI can’t toggle the visibility of the chart on usage log
- PROJQUAY-6904. "Permanently delete" tag should not be restored on new UI
- PROJQUAY-6899. The normal user can not delete organization in new UI when enable FEATURE_SUPERUSERS_FULL_ACCESS
- PROJQUAY-6892. The new UI should not invoke not required stripe and status page
- PROJQUAY-6884. The new UI should show the tip of slack Webhook URL when creating slack notification
- PROJQUAY-6882. The new UI global readonly super user can’t see all organizations and image repos
- PROJQUAY-6881. The new UI can’t show all operation types in the logs chart
- PROJQUAY-6861. The new UI "Last Modified" of organization always show N/A after target organization’s setting is updated
- PROJQUAY-6860. The new UI update the time machine configuration of organization show NULL in usage logs
- PROJQUAY-6859. The new UI remove image repo permission show "undefined" for organization name in audit logs
- PROJQUAY-6852. "Tag manifest with the branch or tag name" option in build trigger setup wizard should be checked by default.
- PROJQUAY-6832. The new UI should validate the OIDC group name when enable OIDC Directory Sync
- PROJQUAY-6830. The new UI should show the sync icon when the team is configured sync team members from OIDC Group
- PROJQUAY-6829. The new UI team member added to team sync from OIDC group should be audited in Organization logs page
- PROJQUAY-6825. Build cancel operation log can not be displayed correctly in new UI
- PROJQUAY-6812. The new UI the "performer by" is NULL of build image in logs page
- PROJQUAY-6810. The new UI should highlight the tag name with tag icon in logs page
- PROJQUAY-6808. The new UI can’t click the robot account to show credentials in logs page
- PROJQUAY-6807. The new UI can’t see the operations types in log page when quay is in dark mode
- PROJQUAY-6770. The new UI build image by uploading Docker file should support .tar.gz or .zip
- PROJQUAY-6769. The new UI should not display message "Trigger setup has already been completed" after build trigger setup completed
- PROJQUAY-6768. The new UI can’t navigate back to current image repo from image build
- PROJQUAY-6767. The new UI can’t download build logs
- PROJQUAY-6758. The new UI should display correct operation number when hover over different operation type
- PROJQUAY-6757. The new UI usage log should display the tag expiration time as date format
1.9.2. Red Hat Quay 3.12 limitations
The following features are not supported on IBM Power (ppc64le) or IBM Z (s390x):
- Ceph RadosGW storage
- Splunk HTTP Event Collector (HEC)
1.10. Red Hat Quay bug fixes
The following issues were fixed with Red Hat Quay 3:
- PROJQUAY-6763. Quay 3.11 new UI operations of enable/disable team sync from OIDC group should be audited
- PROJQUAY-6826. Log histogram can’t be hidden in the new UI
- PROJQUAY-6855. Quay 3.11 new UI no usage log to audit operations under user namespace
- PROJQUAY-6857. Quay 3.11 new UI usage log chart covered the operations types list
- PROJQUAY-6931. OCI-compliant pagination
- PROJQUAY-6972. Quay 3.11 new UI can’t open repository page when Quay has 2k orgs and 2k image repositories
- PROJQUAY-7037. Can’t get slack and email notification when package vulnerability found
- PROJQUAY-7069. Invalid time format error messages and layout glitches in tag expiration modal
- PROJQUAY-7107. Quay.io overview page does not work in dark mode
- PROJQUAY-7239. Quay logging exception when caching specific security_reports
- PROJQUAY-7304. security: Add Vary header to 404 responses
- PROJQUAY-6973. Add OCI Pagination
- PROJQUAY-6974. Set a default auto-pruning policy at the registry level
- PROJQUAY-6976. Org owner can change ownership of API tokens
- PROJQUAY-6977. Trigger event on image expiration
- PROJQUAY-6979. Annotation Parsing
- PROJQUAY-6980. Add support for a global read only superuser
- PROJQUAY-7360. Missing index on subject_backfilled field in manifest table
- PROJQUAY-7393. Create backfill index concurrently
- PROJQUAY-7116. Allow to ignore audit logging failures
1.11. Red Hat Quay feature tracker
New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.
Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
Feature | Quay 3.12 | Quay 3.11 | Quay 3.10 |
---|---|---|---|
General Availability | - | - | |
General Availability | - | - | |
General Availability | - | - | |
General Availability | - | - | |
General Availability | General Availability | - | |
Configuring resources for managed components on OpenShift Container Platform | General Availability | General Availability | - |
Configuring AWS STS for Red Hat Quay, Configuring AWS STS for Red Hat Quay on OpenShift Container Platform | General Availability | General Availability | - |
General Availability | General Availability | - | |
General Availability | General Availability | - | |
General Availability | General Availability | General Availability | |
General Availability | General Availability | General Availability | |
Technology Preview | Technology Preview | Technology Preview |
1.11.1. IBM Power, IBM Z, and IBM® LinuxONE support matrix
Feature | IBM Power | IBM Z and IBM® LinuxONE |
---|---|---|
Allow team synchronization via OIDC on Azure | Not Supported | Not Supported |
Backing up and restoring on a standalone deployment | Supported | Supported |
Clair Disconnected | Supported | Supported |
Geo-Replication (Standalone) | Supported | Supported |
Geo-Replication (Operator) | Not Supported | Not Supported |
IPv6 | Not Supported | Not Supported |
Migrating a standalone to operator deployment | Supported | Supported |
Mirror registry | Not Supported | Not Supported |
PostgreSQL connection pooling via pgBouncer | Supported | Supported |
Quay config editor - mirror, OIDC | Supported | Supported |
Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise | Not Supported | Not Supported |
Quay config editor - Red Hat Quay V2 User Interface | Supported | Supported |
Quay Disconnected | Supported | Supported |
Repo Mirroring | Supported | Supported |