红帽全球峰会此内容没有您所选择的语言版本。
Chapter 1. Red Hat Quay release notes
The following sections detail y and z stream release information.
1.1. RHBA-2026:5684 - Red Hat Quay 3.17.0 release
Issued 2026-03-25
Red Hat Quay release 3.17 is now available with Clair 4.9. The bug fixes that are included in the update are listed in the RHBA-2026:5684 advisory. For the most recent compatibility matrix, see Quay Enterprise 3.x Tested Integrations. For information on the release cadence of Red Hat Quay, see the Red Hat Quay Life Cycle Policy.
1.1.1. Red Hat Quay new features and enhancements
The following updates have been made to Red Hat Quay.
Previously, audit logs sent to Splunk could only be viewed on the Splunk UI. Now, when Splunk is configured as the log backend, you can view and query audit logs in the Red Hat Quay UI from Organizations, Repositories, and Superuser pages.
For more information, see Configuring action log storage for Splunk
1.1.1.2. Quay container image size optimization
The Red Hat Quay container image now uses Red Hat Universal Base Image (UBI) minimal 9.7 as the base layer, with build-time dependencies and caches removed from the final image. This change reduces image size by approximately 30%, shortens download and deployment times, and narrows the attack surface. The image remains a drop-in replacement for previous versions, and no configuration changes are required for upgrades to 3.17.0.
1.1.1.3. Container security hardening
Red Hat Quay 3.17 introduces enhanced security hardening that is enabled by default for all deployment types. To follow the principle of least privilege, Quay container images now operate with a minimal set of Linux capabilities, using a DROP ALL strategy and adding back only essential permissions, such as NET_BIND_SERVICE.
Additionally, this release provides a hardened seccomp profile for standalone Podman deployments, aligning their security posture with the RuntimeDefault protections found in OpenShift Container Platform. These changes significantly reduce the container attack surface without requiring manual configuration by the user.
Red Hat Quay now accepts and serves sparse manifest lists where only a subset of referenced architectures such as x86_64 or arm64 are stored locally while the original manifest list digest is preserved. This is useful for disconnected OpenShift Container Platform environments where digest-based image references must remain valid. It also benefits high-availability and standalone Red Hat Quay deployments that mirror multi-arch images but need only a subset of architectures.
You can mirror only the architectures you need, like x86_64, via repository mirroring with an architecture filter, reducing storage and transfer by 50% or more for multi-arch images. A global configuration option enables sparse manifest acceptance and the UI shows which architectures are present for each tag.
For more information, see Mirroring images with Red Hat Quay.
1.1.1.5. Support for immutable tags
Red Hat Quay now supports immutable tags for organizations and organization-owned repositories. This feature allows users to protect specific image tags from being overwritten, deleted, or auto-pruned, ensuring stable references for builds and deployments. Immutability can be applied manually per tag, automated through regex-based policies, or triggered during the build process using the quay.immutable=true manifest label. For more information, see Immutable tags overview.
1.1.1.6. Support for ARM Architecture
Red Hat Quay 3.17 now supports the ARM architecture for both standalone deployments and Operator-based installations. This includes native ARM builds for all core components and the Quay Operator, enabling end-to-end management on ARM64 infrastructure.
The following configuration fields have been added to Red Hat Quay 3.17.
The following configuration options have been added when using Splunk to store Red Hat Quay usage logs.
| Field | Type | Description |
|---|---|---|
| .search_timeout | Integer |
Timeout, in seconds, for Splunk search queries. Increase for slow Splunk clusters or complex queries. |
| .max_results | Integer |
Maximum number of results to return per search query. Larger values require more memory. |
| .export_batch_size | Integer |
Batch size for log export operations. |
| Field | Type | Description |
|---|---|---|
| .search_timeout | Integer |
Timeout, in seconds, for Splunk search queries. Increase for slow Splunk clusters or complex queries. |
| .max_results | Integer |
Maximum number of results to return per search query. Larger values require more memory. |
| .export_batch_size | Integer |
Batch size for log export operations. |
| .search_host | String |
Splunk management host for search API. Defaults to HEC host if not specified. |
| .search_port | Integer |
Splunk management port for search API. |
|
.search_token | String |
Bearer token for Splunk search API. Required because HEC tokens are ingest-only and cannot search. See Manage HEC tokens for more information. |
1.1.2.2. Sparse manifest index configuration field
The following configuration options have been added to enable multi-architecture filtering.
| Field | Type | Description |
|---|---|---|
| FEATURE_SPARSE_INDEX | Boolean |
Whether to allow sparse manifest indexes where not all architectures are required to be present. |
| REPO_MIRROR_MAX_MANIFEST_LIST_SIZE | Integer |
Maximum size in bytes of manifest list JSON to parse during mirroring. Prevents DoS via oversized manifests. |
| REPO_MIRROR_MAX_MANIFEST_ENTRIES | Integer |
Maximum number of manifest entries to process during architecture-filtered mirroring. Prevents DoS via manifest lists with excessive entries. |
Multi-architecture filtering example YAML
# ...
FEATURE_SPARSE_INDEX: true
REPO_MIRROR_MAX_MANIFEST_LIST_SIZE: 10485760
REPO_MIRROR_MAX_MANIFEST_ENTRIES: 1000
# ...1.1.2.3. Immutable tags configuration field
The following configuration option has been added to enable immutable tags.
| Field | Type | Description |
|---|---|---|
| FEATURE_IMMUTABLE_TAGS | Boolean |
Whether to enable immutability policies. Immutability can be set at the individual setting level and via a policy in the repository configuration by an administrator. |
Immutable tags example YAML
# ...
FEATURE_IMMUTABLE_TAGS: true
# ...Mirroring in Red Hat Quay enables automatic synchronization of organizations with upstream sources. This feature is useful for maintaining local mirrors of remote container images, ensuring availability in disconnected environments or improving performance through caching.
| Field | Type | Description |
|---|---|---|
| FEATURE_ORG_MIRROR | Boolean |
Enable or disable organization-level mirroring. |
| ORG_MIRROR_INTERVAL | Integer |
Worker processing interval in seconds. |
| ORG_MIRROR_BATCH_SIZE | Integer |
Number of organization mirrors to process for each iteration. |
| ORG_MIRROR_MAX_SYNC_DURATION | Integer |
Maximum sync duration in seconds. |
| ORG_MIRROR_DEFAULT_SKOPEO_TIMEOUT | Integer | Default skopeo timeout in seconds. Default: 300 |
| ORG_MIRROR_DISCOVERY_TIMEOUT | Integer |
Discovery timeout in seconds. |
| ORG_MIRROR_MAX_REPOS_PER_ORG | Integer |
Maximum repositories to discover for each organization. |
| ORG_MIRROR_MAX_RETRIES | Integer |
Maximum sync retries for a failure operation. |
| SSRF_ALLOWED_HOSTS | List | Allowed hosts for the Server Side Request Forgery (SSRF) protection. Use optional field to allow specific hosts to be accessed by the registry. |
Mirroring configuration example YAML
# ...
FEATURE_ORG_MIRROR: true
ORG_MIRROR_INTERVAL: 60
ORG_MIRROR_BATCH_SIZE: 100
ORG_MIRROR_MAX_SYNC_DURATION: 3600
ORG_MIRROR_DEFAULT_SKOPEO_TIMEOUT: 600
ORG_MIRROR_DISCOVERY_TIMEOUT: 600
ORG_MIRROR_MAX_REPOS_PER_ORG: 5000
ORG_MIRROR_MAX_RETRIES: 3
SSRF_ALLOWED_HOSTS:
- harbor.example.lab
# ...1.1.3. API endpoint enhancements
The following API endpoints were added in Red Hat Quay 3.17.
1.1.3.1. Manifest support API endpoint
New tag API parameters, getRegistryCapabilities and getManifestPullStatistics, has been added to the Red Hat Quay API. With this field, users can return information about supported registry features including sparse manifest support and required architectures.
| Name | Description | Schema |
| getRegistryCapabilities | Returns information about supported registry features including sparse manifest support and required architectures. | object |
See capabilities for more information, including example commands.
1.1.3.2. Organization mirroring API endpoints
New organization mirroring API endpoints have been added to the Red Hat Quay API. These endpoints allow users to manage organization-level mirroring configurations.
| Name | Description | Schema |
| createOrgMirrorConfig | Create a new organization-level mirroring configuration. | object |
| getOrgMirrorConfig | Retrieve the organization-level mirroring configuration. | object |
| listOrgMirrorRepositories | List all repositories that are being mirrored in an organization. | object |
| syncOrgMirrorNow | Trigger an immediate sync of all repositories in an organization. | object |
| updateOrgMirrorConfig | Update the organization-level mirroring configuration. | object |
| verifyOrgMirrorConnection | Verify the connection to the external registry for an organization-level mirroring configuration. | object |
| cancelOrgMirrorSync | Cancel a pending sync of all repositories in an organization. | object |
| deleteOrgMirrorConfig | Delete an organization-level mirroring configuration. | object |
See Chapter 23. org_mirror for more information, including example commands.
1.1.3.3. Immutability policy API endpoints
The following API endpoints were added in Red Hat Quay 3.17.
| Name | Description | Schema |
| createOrgImmutabilityPolicy | Create an immutability policy for an organization. | object |
| createRepositoryImmutabilityPolicy | Create an immutability policy for a repository. | object |
| deleteOrgImmutabilityPolicy | Delete an immutability policy for an organization. | object |
| deleteRepositoryImmutabilityPolicy | Delete an immutability policy for a repository. | object |
| getOrgImmutabilityPolicy | Get an immutability policy for an organization. | object |
| getRepositoryImmutabilityPolicy | Get an immutability policy for a repository. | object |
| listOrgImmutabilityPolicies | List immutability policies for an organization. | object |
| listRepositoryImmutabilityPolicies | List immutability policies for a repository. | object |
| updateOrgImmutabilityPolicy | Update an immutability policy for an organization. | object |
| updateRepositoryImmutabilityPolicy | Update an immutability policy for a repository. | object |
See Chapter 23. immutability_policy for more information, including example commands.
1.1.4. Known issues and limitations
The following sections note known issues and limitations for Red Hat Quay 3.17.
1.1.4.1. Repositories persist after filter changes
When an Organization-level mirror is configured, repositories that were previously discovered and mirrored are not automatically deleted if the repository_filters pattern is updated to exclude them.
While the excluded repositories stop syncing new data, they remain in the database as stale entries. This behavior differs from Repository-level mirroring, which automatically prunes obsolete tags when filters change. This may lead to repository accumulation and increased database overhead in large environments.
As a temporary workaround, users can delete the entire mirror configuration by using the DELETE /api/v1/organization/{orgname}/mirror API endpoint. Note that this can be disruptive and loses sync history and other metadata.
When an organization mirror is initiated or canceled, the dashboard displays conflicting counts for task states. The Scheduled state in the header shoes a count, for example, 53 items, however when selecting Scheduled from the dropdown list it reports 0 items. This is a known issue and will be fixed in a future version of Red Hat Quay.
1.1.5. Red Hat Quay bug fixes
The following issues were fixed with Red Hat Quay 3.17.
Not all bug fixes included in the RHBA-2026:5684 advisory are documented here. Many of the bugs included in the advisory were found and resolved when testing new features included as part of this release.
PROJQUAY-10609. Previously, the RHEL-9 image migration caused SHA-1 signing errors due to the deprecated RSA-SHA1 algorithm. Consequently, image pulls failed because of a cryptography policy change.
With this release, the system actively enables the SHA-1 algorithm in its crypto policy, resolving the issue with RHEL-9 image pulls.
PROJQUAY-10588. Previously, emails from users with lengths exceeding 64 characters were not migrated due to a length filter in the data migration. This led to end users receiving duplicate emails for organizations during migration, causing confusion and potential data inconsistencies.
This release adds an
OrganizationContactEmailtable and allows end users to manage multiple organization email contacts easily.- PROJQUAY-10575. Previously, there was an issue causing log failure when canceling repository mirroring. This issue has been resolved, and the mirroring operation no longer fails.
-
PROJQUAY-10609. Previously, image pulls were failing due to the deprecated
RSA-SHA1algorithm in the RHEL-9 image. With this release, the RHEL-9 cryptography policy has been updated, enabling SHA-1 for RSA signing. As a result, the SHA-1 algorithm is now supported, allowing image pulls without issues. -
PROJQUAY-10273. Previously, users were unable to download the
auth.jsonfile, affecting the management of Robot Accounts. With this release, the option to download theauth.jsonfile has been reintroduced to the new UI, enabling users to now view and downloadauth.jsonfiles for Robot Accounts. PROJQUAY-9750. In previous versions, browser incompatibility led to inconsistencies in the design of the calendar pop-up, specifically for service key and repository mirror configuration. This inconsistency was noticeable across browsers, with hour and minute options missing in Mozilla Firefox and Safari.
In this release, the calendar pop-up in the Quay UI has been standardized, ensuring consistency across browsers, including hour and minute options. As a result, the calendar pop-up is now uniform across browsers.
PROJQUAY-9729. Previously, attempting to run automated tests after merging downstream builds without updating downstream documentation used UBI (Universal Base Image) minimal adoption, resulted in an image size increase due to failed Continuous Integration (CI).
This update resolves the issue, leading to a smaller image size and reduced Common Vulnerabilities and Exposures (CVE) surface, thereby enhancing overall system security and performance.
PROJQUAY-7025. Previously, the web UI update led to incomplete link display for foreign organizations and repositories for superusers, resulting in incomplete superuser access. This caused missing links and log retrieval errors.
This issue has been resolved, enabling superusers to access all links in foreign organizations and repositories.
PROJQUAY-6934. Previously, the user interface previously displayed inappropriate error messages when configured with the Splunk
LOGS_MODELparameter. These messages caused confusion for users when working with Splunk.With this release, the user interface shows accurate error messages for Splunk logs. This improvement results in the correct display of the
Method not implemented, Splunk does not support log searches`message.
1.1.6. Red Hat Quay feature tracker
New features have been added to Red Hat Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.
Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Red Hat Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Red Hat Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.
| Feature | Quay 3.17 | Quay 3.16 | Quay 3.15 |
|---|---|---|---|
| General Availability | - | - | |
| General Availability | - | - | |
| General Availability | General Availability | - | |
| v1 UI | Deprecated | Deprecated | Deprecated |
| General Availability | General Availability | Technology Preview |
| Feature | IBM Power | IBM Z and IBM® LinuxONE |
|---|---|---|
| Allow team synchronization via OIDC on Azure | Not Supported | Not Supported |
| Backing up and restoring on a standalone deployment | Supported | Supported |
| Clair Disconnected | Supported | Supported |
| Geo-Replication (Standalone) | Supported | Supported |
| Geo-Replication (Operator) | Supported | Supported |
| IPv6 | Not Supported | Not Supported |
| Migrating a standalone to operator deployment | Supported | Supported |
| Mirror registry | Supported | Supported |
| Quay config editor - mirror, OIDC | Supported | Supported |
| Quay config editor - MAG, Kinesis, Keystone, GitHub Enterprise | Not Supported | Not Supported |
| Quay config editor - Red Hat Quay V2 User Interface | Supported | Supported |
| Quay Disconnected | Supported | Supported |
| Repo Mirroring | Supported | Supported |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}