I want to block access to the default docker.io registry. For security/IP protection, we need to block push/pull access to/from the public Docker hub.
There have been many attempts to make this a configuration option, but all PRs just keep getting rejected. Red Hat has implemented both '--block-registry' and '--add-registry', which are exactly what I need, but it only works with Red Hat's fork of docker v1.10, and I want to use docker v1.12+
I'm using RHEL/Centos 7
DNS spoofing doesn't seem to work via the following in /etc/hosts (anymore):
127.0.0.1 index.docker.io registry.docker.io registry-1.docker.io docker.io
And I can't seem to get the firewall to block access either with the following rules (where the IPs are currently those from the above hosts listed in /etc/hosts):
# firewall-cmd --direct --get-rules ipv4 filter OUTPUT
0 -p tcp -m tcp --dport 5000 -j REJECT
0 -p tcp -m tcp --dport 443 -j REJECT
0 -p tcp -m tcp -d 52.207.178.113 -j DROP
0 -p tcp -m tcp -d 52.73.159.23 -j DROP
0 -p tcp -m tcp -d 54.85.12.131 -j DROP
0 -p tcp -m tcp -d 52.6.119.223 -j DROP
0 -p tcp -m tcp -d 52.0.53.94 -j DROP
0 -p tcp -m tcp -d 34.192.123.224 -j DROP
0 -m state --state ESTABLISHED,RELATED -j ACCEPT
1 -p tcp -m tcp --dport 80 -j ACCEPT
1 -p tcp -m tcp --dport 53 -j ACCEPT
1 -p udp --dport 53 -j ACCEPT
1 -p tcp -m tcp --dport 2376 -j ACCEPT
2 -j REJECT
or
# firewall-cmd --direct --get-rules ipv4 filter FORWARD
0 -p tcp -m tcp --dport 5000 -j REJECT
0 -p tcp -m tcp --dport 443 -j REJECT
0 -p tcp -m tcp -d 52.207.178.113 -j DROP
0 -p tcp -m tcp -d 52.73.159.23 -j DROP
0 -p tcp -m tcp -d 54.85.12.131 -j DROP
0 -p tcp -m tcp -d 52.6.119.223 -j DROP
0 -p tcp -m tcp -d 52.0.53.94 -j DROP
0 -p tcp -m tcp -d 34.192.123.224 -j DROP
With all these in place, I can still search/pull from docker.io.
One of the PRs to resolve this got closed by a maintainer who said it looks like something that should be addressed by the firewall. Can someone please tell me how this can actually be done?
On Docker for Windows / Mac: You'll want to open the settings, go to the daemon tab and then pop in your registry's URL in the "Insecure registries" text field. Now you should be able to pull / push to your insecure registry. Good luck and be careful!
Sign into your Docker Hub account as an organization owner. Select an organization, navigate to the Settings tab on the Organizations page and click Registry Access. Enable Registry Access Management to set the permissions for your registry.
The Docker Registry configuration is defined inside of /etc/registry/config.yml. With the default configuration the registry listens on port 5000 and stores the Docker images under /var/lib/docker-registry.
Adding this to /etc/hosts on Ubuntu worked for me:
0.0.0.0 index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com
I got the list of domains from here: https://support.sonatype.com/hc/en-us/articles/115015442847-Whitelisting-Docker-Hub-Hosts-for-Firewalls-and-HTTP-Proxy-Servers
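A way to confirm that the /etc/hosts approach above actually took effect, added here as an example and not part of the answer or of any Docker tooling: a POSIX shell check that parses an /etc/hosts-style file and reports which Docker Hub hostnames (the list from the answer) are mapped to a sinkhole address (0.0.0.0 or 127.0.0.1). The function names hosts_sinkholed and check_hosts_block, the file-path parameter, and the sample file built at the end are assumptions of this example, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every Docker Hub
# hostname in a list is sinkholed by an /etc/hosts-style file, i.e. appears
# on a non-comment line whose address is 0.0.0.0 or 127.0.0.1.
# check_hosts_block prints one line per host and returns 1 if any host is
# NOT blocked, so it can gate a configuration audit.
#
# Host list copied from the /etc/hosts answer above. The file path is a
# parameter so the check runs against a constructed sample as well as the
# real /etc/hosts.

DOCKER_HUB_HOSTS="index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com"

# hosts_sinkholed FILE HOST
# Succeeds if FILE maps HOST to 0.0.0.0 or 127.0.0.1. Comments (full-line
# and trailing '#') are ignored; the hostname must match a whole field.
hosts_sinkholed() {
    file=$1
    host=$2
    sed 's/#.*//' "$file" | awk -v h="$host" '
        ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) if ($i == h) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_hosts_block FILE [HOST...]
# Reports each host (defaults to DOCKER_HUB_HOSTS); returns 1 if any host
# is still resolvable normally, i.e. not sinkholed by FILE.
check_hosts_block() {
    file=$1
    shift
    if [ $# -eq 0 ]; then
        # shellcheck disable=SC2086  # intentional word splitting of the list
        set -- $DOCKER_HUB_HOSTS
    fi
    rc=0
    for h in "$@"; do
        if hosts_sinkholed "$file" "$h"; then
            echo "blocked:     $h"
        else
            echo "NOT blocked: $h"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real /etc/hosts) that blocks only some of the
# hub hosts, so both outcomes are shown when the script is run directly.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
# the line below sinkholes two of the hub hosts
0.0.0.0 index.docker.io registry-1.docker.io
127.0.0.1 auth.docker.io   # trailing comment is ignored
EOF

check_hosts_block "$SAMPLE_HOSTS" || echo "some Docker Hub hosts are still reachable by name"
rm -f "$SAMPLE_HOSTS"
```

To audit a real host, call check_hosts_block /etc/hosts (optionally with your own host list). Two caveats worth keeping in mind: the check only covers the names you list, so a mirror reachable under another name or by raw IP is not caught, and it assumes the daemon host's resolver consults /etc/hosts before DNS (the usual "files dns" order in nsswitch.conf); it says nothing about whether the firewall rules in the question are effective.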
On redhat/centos add
--block-registry docker.io
to wherever you start your docker engine from (likely /etc/sysconfig/docker on redhat, or possibly /lib/systemd/system/docker.service).
Don't forget to refresh systemd if you edited the service file (systemctl daemon-reload) and to restart the docker engine (systemctl restart docker.service) in either case.
Now if you do a ps auxwwf | grep docker the docker engine --block-registry flag should appear in the process listing.
I came here because this does not work on debian/ubuntu, and am looking for a way to do this on debian. = / HTH