Technical resources

Container Image Registries Changes Part 3 - Consequences

April 24, 2023
3 minute read

As covered in previous in part 1 and 2 of this blog series , there are changes coming to the Red Hat container image registries. Here we will explore why it is important to be prepared for them.

These changes will start being deployed May 1, 2023. It will not be applied to all repositories at once but will occur in phases over the subsequent weeks.

Take action now to avoid problems

As a reminder, if you are pulling container images from or in an environment that restricts outbound network connections, be sure to adjust the firewall configuration to allow connections to the CDN hosts. More information about this can be found in this article.

When you have made changes but want to verify they will be sufficient, pull the image – this already utilizes for image pulls.

In general, wherever outbound connections to or are allowed, so too should connections to the CDN hosts.

Let's look at some of the types of failure you might face if you leave this too late.

Failing image builds

There are many ways of building container images, but let's focus on one example, that of building from a Containerfile using buildah. A common image to use in the FROM line is the Red Hat Universal Base Image, ubi:

FROM ubi8/ubi


Without taking action, building this image in an environment that restricts outbound network access may result in errors like this:


$ buildah bud -f Containerfile

STEP 1/2: FROM ubi8/ubi

Resolved "ubi8/ubi" as an alias


Trying to pull

WARN[0006] Failed, retrying in 2s ... (1/3). Error: copying system image from manifest list: parsing image configuration: Get "[...]": dial tcp connect: connection refused

In this case, is the CDN host used to serve one of the filesystem layer blobs, but the restrictive firewall has prevented access to it by rejecting the connection. The resolution will be to allow access to all of the CDN hosts.

The same problem may be seen when building an image using any other Red Hat base image (such as RHEL8 or RHEL9).

Failing to run images

Not just building images, but running images may be affected, if those images have not already been pulled locally. For example, when running a web server like this:

$ podman run

Trying to pull

WARN[0005] Failed, retrying in 1s ... (1/3). Error: copying system image from manifest list: parsing image configuration: Get "[...]": dial tcp connect: connection refused

Failing to mirror images

Don't forget about any local mirrors of Red Hat container images you have.

In order to keep them in sync the original content needs to be accessible from Red Hat container image registries, whether you are using 'oc', 'oc-mirror', 'skopeo sync' or some other method. If the environment performing the sync restricts outbound network access, make sure it can access the CDN hosts as well as the Red Hat container image registries.


Tim Waugh
Principal Software Engineer
Tim Waugh is a Principal Software Engineer at Red Hat, working with teams across organization on product delivery tools and workflows.
Red Hat Partner Connect logo LinkedIn YouTube Facebook Twitter

Red Hat Products

Tools & Resources


About Red Hat Partner Connect

The Red Hat partner ecosystem is a catalyst for open innovation. It connects partners with a thriving network of companies, expertise, and opportunity. With Red Hat, there are multiple paths to partnership and the flexibility to adapt as your business needs change. We work to help you achieve financial success on your terms.

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.