Bug 1395401

Summary: block-registry does not work for docker.io with docker 1.10
Product: Red Hat Enterprise Linux 7
Reporter: Ryan Howe <rhowe>
Component: docker
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: unspecified
Version: 7.3
CC: amurdaca, cevich, lsm5, lsu
Target Milestone: rc
Keywords: Extras
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: wrong docker daemon option "--block-registry docker.io" handling
Consequence: docker allowed to pull images from docker.io even when the "--block-registry docker.io" option was in place
Fix: fix "--block-registry docker.io" daemon option handling
Result: "--block-registry docker.io" blocks image pulling from docker.io
Last Closed: 2017-01-17 20:43:54 UTC
Type: Bug

Description Ryan Howe 2016-11-15 22:17:48 UTC
Description of problem:

Adding the following to /etc/sysconfig/docker will not block the docker.io registry. Only this registry is unable to be blocked. 

BLOCK_REGISTRY='--block-registry docker.io' 



Version-Release number of selected component (if applicable):
RHEL 7.3
Docker 1.10.3

How reproducible:
100%

Actual results:
 /etc/sysconfig/docker file looks like 
OPTIONS=' --selinux-enabled --insecure-registry=172.30.0.0/16 --log-driver=json-file --log-opt max-size=50m'
DOCKER_CERT_PATH=/etc/docker
ADD_REGISTRY='--add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry docker.io'
#BLOCK_REGISTRY='--block-registry public'


Restarted docker

# docker pull docker.io/nginx
Using default tag: latest
Trying to pull repository docker.io/library/nginx ...
latest: Pulling from docker.io/library/nginx
386a066cd84a: Pull complete
7bdb4b002d7f: Pull complete
49b006ddea70: Pull complete
Digest: sha256:9038d5645fa5fcca445d12e1b8979c87f46ca42cfb17beb1e5e093785991a639
Status: Downloaded newer image for docker.io/nginx:latest

Where are you experiencing the behavior?  What environment?

Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-57.el7.x86_64
 Go version:      go1.6.2
 Git commit:      79ebcd8-unsupported
 Built:           Thu Oct 20 14:37:17 2016
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-57.el7.x86_64
 Go version:      go1.6.2
 Git commit:      79ebcd8-unsupported
 Built:           Thu Oct 20 14:37:17 2016
 OS/Arch:         linux/amd64

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)


Expected results:

$ docker pull docker.io/nginx
Using default tag: latest
Error response from daemon: Blocked registry "docker.io"


Additional info:

Tested with Docker 1.9 and got expected results.

A temporary workaround would be to use * to block all. With OpenShift, the internal registry service IP would be needed in the --add-registry option so that we do not block pulls from this registry.

/etc/sysconfig/docker

BLOCK_REGISTRY='--block-registry *'
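
An added example, not part of the original report or of docker's own code: a POSIX shell audit that reads a sysconfig-style docker file and reports whether docker.io is blocked by name (the configuration from this report) or through the `*` workaround with its --add-registry allow list, and that classifies captured `docker pull` output. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the registry flags in a
# sysconfig-style docker file and classify captured `docker pull` output.

# Print each value given to daemon flag --$2 in file $1, one per line.
# Handles "--flag value" and "--flag=value"; skips commented-out lines.
registry_flag_values() {
    awk -v flag="--$2" -v q="'" '
        /^[ \t]*#/ { next }
        {
            gsub("[" q "\"=]", " ")      # strip shell quotes and "="
            n = split($0, w, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (w[i] == flag && w[i + 1] != "") print w[i + 1]
        }' "$1"
}

# One-line verdict for the block policy configured in file $1.
audit_registry_policy() (
    blocked=$(registry_flag_values "$1" block-registry | paste -sd, -)
    allowed=$(registry_flag_values "$1" add-registry | paste -sd, -)
    case ",$blocked," in
        ,,)            echo "NO_BLOCK" ;;
        # Workaround from the report: block all, allow via --add-registry.
        *,\*,*)        echo "WILDCARD allowed=${allowed:-none}" ;;
        # Reported configuration: not enforced by the affected 1.10.3 build.
        *,docker.io,*) echo "NAMED_DOCKER_IO verify-with-pull" ;;
        *)             echo "OTHER blocked=$blocked" ;;
    esac
)

# Classify captured `docker pull` output read from stdin.
classify_pull() (
    out=$(cat)
    case $out in
        *'Blocked registry'*)               echo BLOCKED ;;
        *'Status: Downloaded newer image'*) echo PULLED ;;
        *)                                  echo UNKNOWN ;;
    esac
)

# Demo: the registry lines of the configuration quoted in the report.
demo_cfg=$(mktemp)
cat >"$demo_cfg" <<'EOF'
ADD_REGISTRY='--add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry docker.io'
#BLOCK_REGISTRY='--block-registry public'
EOF
audit_registry_policy "$demo_cfg"
```

On a host that reports NAMED_DOCKER_IO, pipe the output of a test pull from docker.io into classify_pull; PULLED means the block is not being enforced.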

Comment 1 Antonio Murdaca 2016-11-16 08:59:22 UTC
Fixed by https://github.com/projectatomic/docker/commit/e92eb832bc59e85d4d7dfe3c95a5182abd8be3cc

Fix is in docker-1.12.3 and rhel7-1.10.3 branch in projectatomic/docker (just in case someone needs the fix for 1.10.3, which I don't believe will be shipped for 7.3).

Assigning to Lokesh to rebuild for RHEL.

Comment 9 errata-xmlrpc 2017-01-17 20:43:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html