concourse / concourse

Concourse is a container-based continuous thing-doer written in Go.
https://concourse-ci.org
Apache License 2.0

Bosh deployed Concourse should allow for the configuration of the default Docker images registry #1675

Closed lsilvapvt closed 7 years ago

lsilvapvt commented 7 years ago

Feature Request

What challenge are you facing?

When Concourse is deployed to environments where connection to the internet is not allowed at all or connection to Docker Hub is not white-listed (e.g. DoD, Financial institutions), one of the solutions to run pipelines in such environment is to configure a private Docker registry internally.

However, in order for pipeline tasks and resources to consume images from such private registry, the docker image IDs referred from all pipeline config files have to be prefixed with the server location. For example:

...
  type: docker-image
  source: {repository: 192.168.99.100:5000/czero/cflinuxfs2}
...

This becomes a problem as any samples or pre-packaged pipeline files obtained from external sources (e.g. pcf-pipelines) have to be customized with such private Docker registry prefix/address before they can run on that server.

In this scenario, it would be very convenient for users if Concourse, by default, retrieved docker images from a defined private Docker registry instead of trying to get it from Docker Hub.

For Bosh deployed Concourse servers, one idea to allow this configuration would be to have params to provide the default Docker registry address/information in the deployment YML.

d commented 7 years ago

You are asking for a security vulnerability. When a user writes in his or her pipeline:

type: docker-image
source:
  repository: czero/cflinuxfs2

She or he is asking for "the image repository czero/cflinuxfs2 from Docker Hub". Changing its meaning (and behavior) to "the image repository czero/cflinuxfs2 from who-knows-what-man-in-the-middle" is an overstep by Concourse. In fact, the user cannot even specify the specific content-checksum to protect themselves if the platform can sneak in a different repository under the rug!

IMHO it is entirely up to the pipeline author to precisely specify where their images come from.

rahulkj commented 7 years ago

This feature will come in handy when customers are using a custom docker registry, and want to use the company docker registry as opposed to the hosted one. I feel there is value in this feature request.

lsilvapvt commented 7 years ago

I can understand the potential security exploitation point for publicly hosted Concourse servers if users (i.e. pipeline creators) do not know which registry the images will come from by default. However, many enterprise customers have been deploying Concourse within their firewalls and, very frequently, with no or limited internet access due to internal policies, where they have full control over the Concourse deployment and trust the internal private Docker registry that they maintain. It is those cases that this feature request applies to.

vito commented 7 years ago

Sorry but this won't be happening for a couple reasons:

  1. Concourse core has no knowledge of particular resource type's configurations. There is no way for configuration for a particular resource type to be set on a global level. There's no special handling of any particular resource type. They're entirely decoupled.
  2. Pipelines are designed to be self-contained. They should work on any Concourse instance, barring obvious physical constraints like absence of particular worker types (platform/network access/etc). They should semantically mean the same thing, at the very least.

Per your original request, have you tried using ((parameters))?

...
  type: docker-image
  source: {repository: ((registry-address))/czero/cflinuxfs2}
...

Yes, this is a bit more verbose, but it's also completely explicit and safe, which I imagine enterprises would love. 😄
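Added example, not code from the Concourse project or from anyone in this thread: a small Go lint that makes the distinction d and vito draw checkable. It scans a pipeline file for docker-image `repository` values and classifies each by where the pull will actually go, using Docker's own reference rule (the first path component names a registry only if it contains a `.` or `:` or is `localhost`; otherwise the image comes from Docker Hub), and resolves a leading `((registry-address))` the way a vars file or `fly set-pipeline -v` would, so a reviewer sees the fully qualified reference before the pipeline is set. The pipeline fragment, the `registry-address` variable name and all function names are assumptions for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Origin classifies where a docker-image resource's `repository` value
// would actually be pulled from.
type Origin string

const (
	OriginDockerHub Origin = "docker-hub (implicit)"
	OriginExplicit  Origin = "explicit registry"
	OriginParameter Origin = "((parameter)), bound at set-pipeline time"
)

// Finding is one repository reference found in a pipeline file.
type Finding struct {
	Repository string
	Origin     Origin
}

var (
	// Matches both flow style `source: {repository: X}` and block style `repository: X`.
	repositoryRe = regexp.MustCompile(`repository:\s*([^\s},]+)`)
	// A leading Concourse ((var)) followed by a slash.
	paramPrefixRe = regexp.MustCompile(`^\(\(([^()]+)\)\)/`)
)

// ClassifyRepository applies Docker's reference rule: the first path component
// names a registry only if it contains '.' or ':' or is "localhost"; anything
// else is an implicit pull from Docker Hub (docker.io).
func ClassifyRepository(repo string) Origin {
	if paramPrefixRe.MatchString(repo) {
		return OriginParameter
	}
	i := strings.IndexByte(repo, '/')
	if i < 0 {
		return OriginDockerHub // e.g. "busybox" resolves to docker.io/library/busybox
	}
	first := repo[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return OriginExplicit
	}
	return OriginDockerHub
}

// LintPipeline scans pipeline YAML text for repository values and classifies
// each one. It is a line-level scan, not a YAML parser, so it also reports
// commented-out lines; that is acceptable for a pre-set-pipeline review.
func LintPipeline(pipeline string) []Finding {
	var out []Finding
	for _, m := range repositoryRe.FindAllStringSubmatch(pipeline, -1) {
		out = append(out, Finding{Repository: m[1], Origin: ClassifyRepository(m[1])})
	}
	return out
}

// ImplicitHubPulls returns only the references that would silently go to Docker Hub,
// i.e. the ones an air-gapped deployment must rewrite explicitly.
func ImplicitHubPulls(findings []Finding) []string {
	var hub []string
	for _, f := range findings {
		if f.Origin == OriginDockerHub {
			hub = append(hub, f.Repository)
		}
	}
	return hub
}

// Interpolate resolves a leading ((var)) from the supplied vars, mirroring what a
// vars file does at set-pipeline time. An unresolved parameter is an error rather
// than a silent fallback: the reference must stay explicit.
func Interpolate(repo string, vars map[string]string) (string, error) {
	m := paramPrefixRe.FindStringSubmatch(repo)
	if m == nil {
		return repo, nil
	}
	v, ok := vars[m[1]]
	if !ok {
		return "", fmt.Errorf("unresolved parameter ((%s)) in %q", m[1], repo)
	}
	return v + "/" + repo[len(m[0]):], nil
}

// samplePipeline is a constructed fragment for this demo, not from any real project.
const samplePipeline = `
resources:
- name: cflinuxfs2-explicit
  type: docker-image
  source: {repository: 192.168.99.100:5000/czero/cflinuxfs2}
- name: cflinuxfs2-param
  type: docker-image
  source: {repository: ((registry-address))/czero/cflinuxfs2}
- name: cflinuxfs2-hub
  type: docker-image
  source:
    repository: czero/cflinuxfs2
    tag: latest
`

func main() {
	findings := LintPipeline(samplePipeline)
	for _, f := range findings {
		fmt.Printf("%-45s %s\n", f.Repository, f.Origin)
	}
	fmt.Println("implicit Docker Hub pulls:", ImplicitHubPulls(findings))
	resolved, err := Interpolate("((registry-address))/czero/cflinuxfs2",
		map[string]string{"registry-address": "192.168.99.100:5000"})
	fmt.Println("resolved:", resolved, err)
}
```

The lint only flags bare names as Docker Hub pulls; it never rewrites them, which is the point of the thread: making the registry explicit is the pipeline author's decision, and a `((parameter))` keeps that decision visible in the file while letting each deployment bind its own registry.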