Hey everybody, it’s April and Red Hat Ansible Automation Platform (AAP) execution environment (EE) images are (at least kind of) on the move! The way Red Hat serves filesystem blobs for all of its container images, including the must-have Red Hat-provided Ansible Automation Platform (AAP) execution environment images, is about to undergo an important change. Starting May 1, 2023, the torch (or is it blob?) of responsibility will be passed from registry.redhat.io and registry.access.redhat.com to the better-suited Quay.io going forward.
Red Hat is making this change to not only improve the way it delivers its own container images but also pave the way for future advancements for customers.
But this change does mean that any customers who are running AAP in more secure environments may need to adjust their firewall settings very soon. The changes detailed below should be made to any firewall configuration that has previously been defined to allow outbound connections to registry.redhat.io or registry.access.redhat.com.
Once completed, you’ll be able to continue pulling Red Hat container images without needing a Quay.io login or interacting with the Quay.io registry directly. Red Hat has provided guidance to help customers make this transition a smooth sail. Level Up knows what’s important, and that’s why we appreciate Ansible and our amazing customers. We don’t want anyone to be affected by something as trivial as this, especially when the solution is as easy as pie (and as a reminder, Ansible can automate your firewalls– and just about anything else you can throw at it as far as Network Automation)! So anyway, let’s get these firewall rules future-proofed and keep on crushing automation!
As stated above, Red Hat is changing the way filesystem blobs are served for its container images, including the Red Hat-provided Ansible Automation Platform (AAP) execution environment (EE) images which AAP depends on. Starting May 1, 2023, quay.io will serve filesystem blobs instead of registry.redhat.io and registry.access.redhat.com.
Why is it changing?
Red Hat says this change will improve the way container images are delivered and pave the way for future advancements.
When is it changing?
May 1, 2023
How can customers prepare for this change?
In an effort to summarize Red Hat’s guidance, to continue pulling Red Hat container images, customers may need to adjust their firewall settings to allow outbound TCP connections to specific hostnames. To avoid problems pulling container images, you will need to allow outbound TCP connections (ports 80 and 443) to these hostnames:
This change should be made to any firewall configuration that specifically allows outbound connections to registry.redhat.io or registry.access.redhat.com. After making this change you will be able to continue pulling images from registry.redhat.io and registry.access.redhat.com as before. You do not need a Quay.io login, or to interact with the Quay.io registry directly in any way, in order to continue pulling Red Hat container images.
More from Red Hat on the changes here: