I need to block all registries and allow only one private registry for Docker to pull images from. How can that be done natively in Docker?

Ijaz Ahmad

2 Answers

Using the RedHat options will not work on the upstream Docker CE or EE engine, RedHat had forked the docker engine and added their own features that are incompatible. You'll also find that /etc/sysconfig/docker is a RedHat only configuration file, designed to work with their version of the startup scripts. And I don't believe RedHat supports this old fork either, instead preferring their own podman and crio runtimes.

A hard limit on registry servers is not currently supported in the Linux Docker engine. The standard way to implement this for servers is with firewall rules on outbound connections, but that needs to only permit outbound connections to a known allow list. You still need to ensure that users don't import images from a tar file, or rebuild the otherwise blocked images from scratch (for example, all of the official images on Docker Hub have the source available to rebuild them).

With Docker Desktop, the ability to restrict what registries a user can pull from has been added in their paid business tier with their image access management.

Previously I might have suggested using Notary and Docker Content Trust to ensure you only run trusted images, but that tooling has a variety of known issues, including the use of TOFU (trust on first use) that allows any image from a repo that hasn't been seen before to be signed by anyone and trusted to run. There are a few attempts to replace this, and the current leader is sigstore/cosign, but that isn't integrated directly into the docker engine. If you run in Kubernetes, this would be configured in your admission controller, like Gatekeeper or Kyverno.

BMitch
  • Our use case is different: we are using Docker EE on top of RedHat machines, and we have two types of DTRs, 1. a user-facing DTR and 2. a production read-only DTR, and we want to only allow the production read-only DTR and no one else, so that we can pull images to the production read-only DTR given our security requirements are passed. So in addition to signing, we need to enforce on the users to have 0 CVEs in images. – Ijaz Ahmad Jan 23 '19 at 15:00
  • @IjazAhmadKhan You would handle that last case by automating the signing of the production ready images only after the vulnerability scan passes. I don't believe Docker will support the RHEL fork of the docker engine with their EE offering, but that's a question for sales. – BMitch Jan 23 '19 at 15:10
  • Yeah, I see. I tested this on my RHEL workstation and it is fine, but there is no such option on Docker EE server systems. – Ijaz Ahmad Jan 23 '19 at 15:11
  • Is there a way to have a single automation job for all the user repos that sign the image after scanning? – Ijaz Ahmad Jan 24 '19 at 17:18
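The outbound allow list that the accepted answer describes, as an added example that is not part of the original answer or of any Docker documentation: a POSIX shell script that generates (and optionally applies) an nftables ruleset on the Docker host so that new outbound HTTPS connections are only permitted to the private registry's addresses, and pulls from Docker Hub or any other registry are reset. The registry name `registry.example.internal`, the port, the `registry_egress` table name and the addresses in the usage comment are assumptions made for the example; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original answer): generate and apply an nftables
# egress allow list so the Docker host can only open registry connections to
# one private registry. Registry name, port and addresses are hypothetical
# placeholders; pass your registry's IPv4 addresses on the command line.
# Usage:  sh registry-egress.sh show 10.20.30.40 10.20.30.41
#         sudo sh registry-egress.sh apply 10.20.30.40 10.20.30.41

REGISTRY_HOST="${REGISTRY_HOST:-registry.example.internal}"  # assumed name
REGISTRY_PORT="${REGISTRY_PORT:-443}"                        # assumed port
TABLE="inet registry_egress"                                 # assumed table

# Emit an nft ruleset for the host's output hook: loopback, DNS and already
# established flows keep working, TCP to the listed registry addresses on
# REGISTRY_PORT is accepted, and every other new outbound connection on the
# ports a registry client would use is reset. Arguments: one or more IPv4
# addresses of the private registry.
egress_ruleset() {
    [ "$#" -gt 0 ] || { echo "egress_ruleset: need at least one address" >&2; return 2; }
    allow=""
    for ip in "$@"; do
        allow="${allow}${allow:+, }${ip}"
    done
    # Avoid a duplicate element in the reject set when the registry uses 80/443.
    case "$REGISTRY_PORT" in
        80|443) deny_ports="80, 443" ;;
        *)      deny_ports="80, 443, ${REGISTRY_PORT}" ;;
    esac
    cat <<EOF
table ${TABLE} {
    chain output {
        type filter hook output priority 0; policy accept;
        oif lo accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr { ${allow} } tcp dport ${REGISTRY_PORT} accept
        tcp dport { ${deny_ports} } reject with tcp reset
    }
}
EOF
}

# Replace any previous copy of the table, then load the generated ruleset.
apply_ruleset() {
    nft delete table ${TABLE} 2>/dev/null || true   # idempotent re-apply
    egress_ruleset "$@" | nft -f -
}

# Smoke test after applying: a pull from the private registry must work and a
# pull from Docker Hub must fail quickly with a connection reset, not hang.
verify_pull() {
    docker pull "${REGISTRY_HOST}/${REGISTRY_TEST_IMAGE:-hello/app:1.0}" \
        && echo "private registry: OK"
    if docker pull alpine:3.19 >/dev/null 2>&1; then
        echo "WARNING: Docker Hub is still reachable" >&2
        return 1
    fi
    echo "docker hub: blocked (expected)"
}

case "${1:-}" in
    show)  shift; egress_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" && verify_pull ;;
esac
```

Because `dockerd` runs on the host, its pulls go through the host's output hook, so this is enough to stop the daemon itself; Docker's own iptables rules live in the `ip filter`/`nat` tables and the FORWARD path, so the extra `inet` table does not collide with them, but it also does not constrain what containers can download. Two caveats a practitioner should check before relying on it: if the daemon is configured with an HTTPS proxy, the only outbound connection is to the proxy and the allow list must be enforced there instead; and, as the answer notes, nothing here prevents `docker load` of a tarball or a `docker build` that reproduces a blocked image.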
Just found in the Red Hat docs:

This can be done on docker daemon config:

/etc/sysconfig/docker

BLOCK_REGISTRY='--block-registry=all'
ADD_REGISTRY='--add-registry=registry.access.redhat.com'

and then do:

systemctl restart docker

Ijaz Ahmad
  • Note however, that ADD_REGISTRY and BLOCK_REGISTRY are only available in Red Hat's fork, not in the officially distributed `docker`. – mirekphd Jul 22 '22 at 09:40