cri-o · openshift-merge-bot · Sep 10, 2025 · Aug 12, 2025
@@ -128,6 +128,7 @@ h
 --selinux
 --separate-pull-cgroup
 --shared-cpuset
+--short-name-mode
 --signature-policy
 --signature-policy-dir
 --stats-collection-period

@@ -162,6 +162,7 @@ complete -c crio -n '__fish_crio_no_subcommand' -l seccomp-profile -r -d 'Path t
 complete -c crio -n '__fish_crio_no_subcommand' -f -l selinux -d 'Enable selinux support. This option is deprecated, and be interpreted from whether SELinux is enabled on the host in the future.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l separate-pull-cgroup -r -d '[EXPERIMENTAL] Pull in new cgroup.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l shared-cpuset -r -d 'CPUs set that will be used for guaranteed containers that want access to shared cpus'
+complete -c crio -n '__fish_crio_no_subcommand' -f -l short-name-mode -r -d 'Describes the mode of short name resolution. Allowed values are \'enforcing\' and \'disabled\'.'
 complete -c crio -n '__fish_crio_no_subcommand' -l signature-policy -r -d 'Path to signature policy JSON file.'
 complete -c crio -n '__fish_crio_no_subcommand' -l signature-policy-dir -r -d 'Path to the root directory for namespaced signature policies. Must be an absolute path.'
 complete -c crio -n '__fish_crio_no_subcommand' -f -l stats-collection-period -r -d 'The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead. DEPRECATED: This option will be removed in the future.'

@@ -153,6 +153,7 @@ it later with **--config**. Global options will modify the output.'
         '--selinux'
         '--separate-pull-cgroup'
         '--shared-cpuset'
+        '--short-name-mode'
         '--signature-policy'
         '--signature-policy-dir'
         '--stats-collection-period'

@@ -123,6 +123,7 @@ crio
 [--selinux]
 [--separate-pull-cgroup]=[value]
 [--shared-cpuset]=[value]
+[--short-name-mode]=[value]
 [--signature-policy-dir]=[value]
 [--signature-policy]=[value]
 [--stats-collection-period]=[value]
@@ -434,6 +435,8 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--shared-cpuset**="": CPUs set that will be used for guaranteed containers that want access to shared cpus
 
+**--short-name-mode**="": Describes the mode of short name resolution. Allowed values are 'enforcing' and 'disabled'. (default: "enforcing")
+
 **--signature-policy**="": Path to signature policy JSON file.
 
 **--signature-policy-dir**="": Path to the root directory for namespaced signature policies. Must be an absolute path. (default: "/etc/crio/policies")

@@ -509,6 +509,12 @@ The timeout for an image pull to make progress until the pull operation gets can
 This option is whether CRI-O enables OCI Artifact mount.
 If true, CRI-O can mount OCI artifacts as volumes.
 
+**short_name_mode**="enforcing"
+This option describes the short name mode.
+The valid values are "enforcing" and "disabled", and the default is "enforcing".
+If "enforcing", an image pull will fail if a short name is used, but the results are ambiguous.
+If "disabled", the first result will be chosen.
+
 ## CRIO.NETWORK TABLE
 
 The `crio.network` table containers settings pertaining to the management of CNI plugins.

@@ -597,6 +597,10 @@ func mergeConfig(config *libconfig.Config, ctx *cli.Context) error {
 		config.Timezone = ctx.String("timezone")
 	}
 
+	if ctx.IsSet("short-name-mode") {
+		config.ShortNameMode = ctx.String("short-name-mode")
+	}
+
 	return nil
 }
 
@@ -1447,6 +1451,12 @@ func getCrioFlags(defConf *libconfig.Config) []cli.Flag {
 			EnvVars: []string{"CONTAINER_TIME_ZONE"},
 			Value:   defConf.Timezone,
 		},
+		&cli.StringFlag{
+			Name:    "short-name-mode",
+			Usage:   "Describes the mode of short name resolution. Allowed values are 'enforcing' and 'disabled'.",
+			EnvVars: []string{"CONTAINER_SHORT_NAME_MODE"},
+			Value:   defConf.ShortNameMode,
+		},
 	}
 }
 

@@ -4,8 +4,10 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"os"
+	"strings"
 
 	"github.com/containers/common/libimage"
 	"github.com/containers/image/v5/docker"
@@ -148,10 +150,17 @@ func (d *defaultImpl) CandidatesForPotentiallyShortImageName(systemContext *type
 		sc = *systemContext // A shallow copy
 	}
 
-	disabled := types.ShortNameModeDisabled
-	sc.ShortNameMode = &disabled
+	resolved, err := shortnames.ResolveLocally(&sc, imageName)
+	if err != nil {
+		// Error is not very clear in this context, and unfortunately is also not a variable.
+		if strings.Contains(err.Error(), "short-name resolution enforced but cannot prompt without a TTY") {
+			return nil, fmt.Errorf("short name mode is enforcing, but image name %s returns ambiguous list", imageName)
+		}
 
-	return shortnames.ResolveLocally(&sc, imageName)
+		return nil, err
+	}
+
+	return resolved, nil
 }
 
 func (d *defaultImpl) ChooseInstance(manifestList manifest.List, systemContext *types.SystemContext) (digest.Digest, error) {

@@ -1015,11 +1015,13 @@ func (svc *imageService) CandidatesForPotentiallyShortImageName(systemContext *t
 		sc = *systemContext // A shallow copy
 	}
 
-	disabled := types.ShortNameModeDisabled
-	sc.ShortNameMode = &disabled
-
 	resolved, err := shortnames.Resolve(&sc, imageName)
 	if err != nil {
+		// Error is not very clear in this context, and unfortunately is also not a variable.
+		if strings.Contains(err.Error(), "short-name resolution enforced but cannot prompt without a TTY") {
+			return nil, fmt.Errorf("short name mode is enforcing, but image name %s returns ambiguous list", imageName)
+		}
+
 		return nil, err
 	}
 

@@ -27,6 +27,7 @@ import (
 	selinux "github.com/opencontainers/selinux/go-selinux"
 	"github.com/sirupsen/logrus"
 	"k8s.io/utils/cpuset"
+	"k8s.io/utils/ptr"
 	"tags.cncf.io/container-device-interface/pkg/cdi"
 
 	"github.com/cri-o/cri-o/internal/config/apparmor"
@@ -616,6 +617,11 @@ type ImageConfig struct {
 	PullProgressTimeout time.Duration `toml:"pull_progress_timeout"`
 	// OCIArtifactMountSupport is used to determine if CRI-O should support OCI Artifacts.
 	OCIArtifactMountSupport bool `toml:"oci_artifact_mount_support"`
+	// ShortNameMode describes the mode of short name resolution.
+	// The valid values are "enforcing" and "disabled".
+	// If "enforcing", an image pull will fail if a short name is used, but the results are ambiguous.
+	// If "disabled", the first result will be chosen.
+	ShortNameMode string `toml:"short_name_mode"`
 }
 
 // NetworkConfig represents the "crio.network" TOML config table.
@@ -746,6 +752,11 @@ type tomlConfig struct {
 // SetSystemContext configures the SystemContext used by containers/image library.
 func (t *tomlConfig) SetSystemContext(c *Config) {
 	c.SystemContext.BigFilesTemporaryDir = c.BigFilesTemporaryDir
+	c.SystemContext.ShortNameMode = ptr.To(types.ShortNameModeEnforcing)
+
+	if c.ShortNameMode == "disabled" {
+		c.SystemContext.ShortNameMode = ptr.To(types.ShortNameModeDisabled)
+	}
 }
 
 func (t *tomlConfig) toConfig(c *Config) {
@@ -981,6 +992,7 @@ func DefaultConfig() (*Config, error) {
 			SignaturePolicyDir:      "/etc/crio/policies",
 			PullProgressTimeout:     0,
 			OCIArtifactMountSupport: true,
+			ShortNameMode:           "enforcing",
 		},
 		NetworkConfig: NetworkConfig{
 			NetworkDir: cniConfigDir,
@@ -1690,6 +1702,12 @@ func (c *ImageConfig) Validate(onExecution bool) error {
 		return fmt.Errorf("invalid pause image %q: %w", c.PauseImage, err)
 	}
 
+	switch c.ShortNameMode {
+	case "enforcing", "disabled", "":
+	default:
+		return fmt.Errorf("invalid short name mode %q", c.ShortNameMode)
+	}
+
 	if onExecution {
 		if err := os.MkdirAll(c.SignaturePolicyDir, 0o755); err != nil {
 			return fmt.Errorf("cannot create signature policy dir: %w", err)

@@ -553,6 +553,11 @@ func initCrioTemplateConfig(c *Config) ([]*templateConfigValue, error) {
 			group:          crioImageConfig,
 			isDefaultValue: simpleEqual(dc.PullProgressTimeout, c.PullProgressTimeout),
 		},
+		{
+			templateString: templateStringCrioImageShortNameMode,
+			group:          crioImageConfig,
+			isDefaultValue: simpleEqual(dc.ShortNameMode, c.ShortNameMode),
+		},
 		{
 			templateString: templateStringOCIArtifactMountSupport,
 			group:          crioImageConfig,
@@ -1534,6 +1539,14 @@ const templateStringCrioImagePullProgressTimeout = `# The timeout for an image p
 
 `
 
+const templateStringCrioImageShortNameMode = `# The mode of short name resolution.
+# The valid values are "enforcing" and "disabled", and the default is "enforcing".
+# If "enforcing", an image pull will fail if a short name is used, but the results are ambiguous.
+# If "disabled", the first result will be chosen.
+{{ $.Comment }}short_name_mode = "{{ .ShortNameMode }}"
+
+`
+
 const templateStringCrioNetwork = `# The crio.network table containers settings pertaining to the management of
 # CNI plugins.
 [crio.network]

@@ -397,3 +397,19 @@ EOF
 
 	crictl pull "$IMAGE_LIST_TAG"
 }
+
+@test "short name mode enabled should fail to pull ambiguous image" {
+	start_crio
+
+	# There should be many nginx images
+	run crictl pull nginx
+	[[ "$output" == *"short name mode is enforcing, but image name nginx returns ambiguous list"* ]]
+	[[ "$status" -ne 0 ]]
+}
+
+@test "short name mode disabled should succeed to pull ambiguous image" {
+	CONTAINER_SHORT_NAME_MODE="disabled" start_crio
+
+	# There should be many nginx images
+	crictl pull nginx
+}