Project Quay container registry platform provides secure storage, distribution, and governance of containers and cloud-native artifacts on any infrastructure. It is available as a standalone component or as an Operator on OpenShift Container Platform. Project Quay includes the following features and benefits:

  • Granular security management

  • Fast and robust at any scale

  • High velocity CI/CD

  • Automated installation and upates

  • Enterprise authentication and team-based access control

  • OpenShift Container Platform integration

Project Quay is regularly released, containing new features, bug fixes, and software updates. To upgrade Project Quay for both standalone and OpenShift Container Platform deployments, see Upgrade Project Quay.

Important

Project Quay only supports rolling back, or downgrading, to previous z-stream versions, for example, 3.7.2 → 3.7.1. Rolling back to previous y-stream versions (3.7.0 → 3.6.0) is not supported. This is because Project Quay updates might contain database schema upgrades that are applied when upgrading to a new version of Project Quay. Database schema upgrades are not considered backwards compatible.

Downgrading to previous z-streams is neither recommended nor supported by either Operator based deployments or virtual machine based deployments. Downgrading should only be done in extreme circumstances. The decision to rollback your Project Quay deployment must be made in conjunction with the Project Quay support and development teams. For more information, contact Project Quay support.

Project Quay release notes

The following sections detail y and z stream release information.

RHBA-2023:7819 - Project Quay {productmin} release

Issued 2023-12-14

Project Quay release {productmin} is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHBA-2023:7819 advisory.

Project Quay {productmin} bug fixes

  • PROJQUAY-5452 - Breadcrumbs incorrect when visiting a direct link

  • PROJQUAY-6333 - [New UI] The user in the team which has "member" or "creator" role can’t see the "Teams and Membership" tab

  • PROJQUAY-6336 - Quay 3.10 new UI can’t add normal user to quay new team during Create team wizard

  • PROJQUAY-6369 - The search input box doesn’t work in permanently delete default permissions wizard of new UI

RHBA-2023:7341 - Project Quay 3.10.0 release

Issued 2023-11-28

Project Quay release 3.10 is now available with Clair 4.7.2. The bug fixes that are included in the update are listed in the RHSA-2023:7341 and RHSA-2023:7575 advisories.

Project Quay release cadence

With the release of Project Quay 3.10, the product has begun to align its release cadence and lifecycle with OpenShift Container Platform. As a result, Project Quay releases are now generally available (GA) within approximately four weeks of the most recent version of OpenShift Container Platform. Customers can not expect the support lifecycle phases of Project Quay to align with OpenShift Container Platform releases.

For more information, see the Project Quay Life Cycle Policy.

Project Quay new features and enhancements

The following updates have been made to Project Quay.

IBM Power, IBM Z, IBM® LinuxONE support

With this release, IBM Power (ppc64le), IBM Z (s390x), and IBM® LinuxONE (s390x) architectures are supported.

Namespace auto-pruning

With Project Quay 3.10, Project Quay administrators can set up auto-pruning policies on namespaces (both users and organization). This feature allows for image tags to be automatically deleted within a namespace based on specified criteria. For this release, two policies have been added:

  • Auto-pruning images based on the number of tags.

  • Auto-pruning based on the age of a tag.

The auto-pruning feature allows Project Quay organization owners to stay below the storage quota by automatically pruning content based on one of the aforementioned policies.

For more information about implementing this feature, see Project Quay namespace auto-pruning overview.

Project Quay UI v2 enhancements

In Project Quay 3.8, a new UI was introduced as a technology preview feature. With Project Quay 3.10, the following enhancements have been made to the UI v2:

  • With this update, a Settings page has been added for Project Quay organizations. Project Quay administrators can edit their preferences, billing information, and set organization types from this page.

  • With this update, a Settings page has been added for Project Quay repositories. This page must be enabled by setting FEATURE_UI_V2_REPO_SETTINGS to true in your config.yaml file. This page allows users to create and set robot permissions, create events and notifications, set repository visibility, and delete repositories.

  • With this update, bulk managing robot account repository access is available on the Project Quay v2 UI. Users can now easily add a robot account to multiple repositories using the v2 UI.

  • With this update, the default user repository, or namespace, now includes a Robot accounts tab. This allows users to easily create their own robot accounts.

  • With this update, the following alert messages have been added to confirm either the creation, or failure, of robot accounts and permission updates:

    • Successfully updated repository permission

    • Successfully created robot account with robot name: <organization_name> + <robot_name>

      Alternatively, you can receive the following error if you try to create a robot account with the same name as another: Error creating robot account

    • Successfully deleted robot account

  • With this update, a Teams and membership page has been added to the v2 UI. Project Quay administrators can perform the following actions from this page:

    • Create new teams

    • Manage or create new team members

    • Set repository permissions

    • Search for specific teams

    • View teams, members of a team, or collaborators of a team

  • With this update, a Default permissions page has be been added to the v2 UI. This page allows Project Quay administrators to set repository permissions.

  • With this update, a Tag History page has been added to the v2 UI. Additionally, Project Quay administrators can add and manage labels for repositories, and set expiration dates for specified tags in a repository.

For more information about navigating the v2 UI and enabling, or using, these features, see Using the Project Quay v2 UI.

Garbage collection of manifests for Clair

Previously, Clair’s indexer database was continually growing as it added storage when new manifests and layers were uploaded. This could cause the following issues for Project Quay deployments:

  • Increased storage requirements

  • Performance issues

  • Increased storage management burden, requiring that administrators would monitor usage and develop a scaling strategy

With this update, a new configuration field, SECURITY_SCANNER_V4_MANIFEST_CLEANUP, has been added. When this field is set to true, the Project Quay garbage collector removes manifests that are not referenced by other tags or manifests. As a result, manifest reports are removed from Clair’s database.

Managing Project Quay robot accounts

Prior to Project Quay 3.10, all users were able to create robot accounts with unrestricted access. With this release, Project Quay administrators can manage robot accounts by disallowing users to create new robot accounts.

For more information, see Disabling robot accounts

New Project Quay configuration fields

The following configuration fields have been added to Project Quay 3.10.

Clair garbage collection of manifests configuration field

  • SECURITY_SCANNER_V4_MANIFEST_CLEANUP. When set to true the Project Quay garbage collector removes manifests that are not referenced by other tags or manifests.

    Default: True

Disabling robot accounts configuration field

  • ROBOTS_DISALLOW: When set to true, robot accounts are prevented from all interactions, as well as from being created

    Default: False

Namespace auto-pruning configuration field

The following configuration fields have been added for the auto-pruning feature:

  • FEATURE_AUTO_PRUNE: When set to True, enables functionality related to the auto-pruning of tags.

    Default: False

Project Quay v2 UI repository settings configuration field

  • FEATURE_UI_V2_REPO_SETTINGS: When set to True, enables repository settings in the Project Quay v2 UI.

    Default: False

Project Quay Operator

The following updates have been made to the Project Quay Operator:

  • The config editor has been removed from the Project Quay Operator on OpenShift Container Platform deployments. As a result, the quay-config-editor pod no longer deploys, and users cannot check the status of the config editor route. Additionally, the Config Editor Endpoint no longer generates on the Project Quay Operator Details page.

    Users with existing Project Quay Operators who are upgrading from 3.7, 3.8, or 3.9 to 3.10 must manually remove the Project Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Project Quay Operator.

    By default, the config editor was deployed for every QuayRegistry instance, which made it difficult to establish an audit trail over the registry’s configuration. Anyone with access to the namespace, config editor secret, and config editor route could use the editor to make changes to Project Quay’s configuration, and their identity was no logged in the system. Removing the config editor forces all changes through the config bundle property of the QuayRegistry resource, which points to a secret, which is then subject to native Kubernetes auditing and logging.

Project Quay 3.10 known issues and limitations

The following sections note known issues and limitations for Project Quay 3.10.

Project Quay 3.10 known issues

  • There is a known issue with the auto-pruning feature when pushing image tags with Cosign signatures. In some scenarios, for example, when each image tag uses a different Cosign key, the auto-pruner worker removes the image signature and only keeps the image tag. This occurs because Project Quay considers image tags and the signature as two tags. The expected behavior of this feature is that the auto-pruner should consider the image tag and signature as one item, calculate only the image tag, and when the auto-pruner worker is configured in such a way that the tag is pruned, it also prunes the signature. This will be fixed in a future version of Project Quay. (PROJQUAY-6380)

  • Currently, auditing for auto-pruning policy operations, including creating, updating, or deleting policies, is unavailable. This is a known issue and will be fixed in a future release of Project Quay. (PROJQUAY-6228)

  • Currently, the the auto-pruning worker prunes ReadOnly and mirror repositories, in addition to normal repositories. ReadOnly and mirror repositories should not be pruned automatically. This is a known issue and will be fixed in a future version of Project Quay. (PROJQUAY-6235)

  • When upgrading the Project Quay Operator from versions 3.7, 3.8, or 3.9 to 3.10, users must manually remove the Project Quay config editor by removing the deployment, route, service, and secret objects. For information about this procedure, see Removing config editor objects on Project Quay Operator.

  • When creating a new team using the Project Quay v2 UI, users are unable to add normal users to the new team while. This only occurs while setting up the new team. As a workaround, you can add users after the team has been created. Robot accounts are unaffected by this issue. This is a known issue and will be fixed in a future version of Project Quay. (PROJQUAY-6336)

  • Sometimes, when creating a new default permission setting, the Create default permission button is disabled. As a workaround, you can try adjusting the Applied to setting in the Create default permission wizard. This is a known issue and will be fixed in a future version of Project Quay. (PROJQUAY-6341)

Project Quay 3.10 limitations

  • In this release, the following features are not supported on IBM Power (ppc64le) and IBM Z (s390x):

    • Geo-Replication

    • IPv6 Single stack/ Dual Stack

    • Mirror registry

    • Quay config editor - Mirror, MAG, Kinesis, Keystone, GitHub Enterprise, OIDC

    • RedHat Quay V2 User Interface

    • Deploy Red Hat Quay - High Availability is supported but the following is not:

      • Backing up and restoring on a standalone deployment

      • Migrating a standalone to operator deployment

  • Robot accounts are mandatory for repository mirroring. Setting the ROBOTS_DISALLOW configuration field to true breaks mirroring configurations. This will be fixed in a future version of Project Quay

Project Quay bug fixes

  • PROJQUAY-6184. Add missing props for Create robot account modal

  • PROJQUAY-6048. Poor UI performance with quotas enabled

  • PROJQUAY-6010. Registry quota total worker fails to start due to import

  • PROJQUAY-5212. Quay 3.8.1 can’t mirror OCI images from Docker Hub

  • PROJQUAY-2462. Consider changing the type of the removed_tag_expiration_s from integer to bigint

  • PROJQUAY-2803. Quay should notify Clair when manifests are garbage collected

  • PROJQUAY-5598. Log auditing tries to write to the database in read-only mode

  • PROJQUAY-4126. Clair database growing

  • PROJQUAY-5489. Pushing an artifact to Quay with oras binary results in a 502

  • PROJQUAY-3906. Quay can see the push image on Console after push image get error "Quota has been exceeded on namespace"

Project Quay feature tracker

New features have been added to Project Quay, some of which are currently in Technology Preview. Technology Preview features are experimental features and are not intended for production use.

Some features available in previous releases have been deprecated or removed. Deprecated functionality is still included in Project Quay, but is planned for removal in a future release and is not recommended for new deployments. For the most recent list of deprecated and removed functionality in Project Quay, refer to Table 1.1. Additional details for more fine-grained functionality that has been deprecated and removed are listed after the table.

Table 1. Technology Preview tracker
Feature Quay 3.10 Quay 3.9 Quay 3.8

Disabling robot accounts

General Availability

-

-

Project Quay namespace auto-pruning overview

General Availability

-

-

Single site geo-replication removal

General Availability

General Availability

-

Splunk log forwarding

General Availability

General Availability

-

Nutanix Object Storage

General Availability

General Availability

-

FEATURE_UI_V2

Technology Preview

Technology Preview

Technology Preview

FEATURE_LISTEN_IP_VERSION

General Availability

General Availability

General Availability

LDAP_SUPERUSER_FILTER

General Availability

General Availability

General Availability

LDAP_RESTRICTED_USER_FILTER

General Availability

General Availability

General Availability

FEATURE_SUPERUSERS_FULL_ACCESS

General Availability

General Availability

General Availability

GLOBAL_READONLY_SUPER_USERS

General Availability

General Availability

General Availability

FEATURE_RESTRICTED_USERS

General Availability

General Availability

General Availability

RESTRICTED_USERS_WHITELIST

General Availability

General Availability

General Availability

Project Quay as proxy cache for upstream registries

General Availability

General Availability

General Availability

Java scanning with Clair

Technology Preview

Technology Preview

Technology Preview