Bug 1395401 - block-registry does not work for docker.io with docker 1.10
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Reported: 2016-11-15 22:17 UTC by Ryan Howe
Modified: 2020-05-14 15:24 UTC (History)
Doc Type: Bug Fix
Doc Text:
Cause: wrong docker daemon option "--block-registry docker.io" handling
Consequence: docker allowed to pull images from docker.io even when the "--block-registry docker.io" option was in place
Fix: fix "--block-registry docker.io" daemon option handling
Result: "--block-registry docker.io" blocks image pulling from docker.io
Last Closed: 2017-01-17 20:43:54 UTC

Links
System: Red Hat Product Errata
ID: RHSA-2017:0116
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: docker security, bug fix, and enhancement update
Last Updated: 2017-01-18 01:39:43 UTC

Description Ryan Howe 2016-11-15 22:17:48 UTC
Description of problem:

Adding the following to /etc/sysconfig/docker will not block the docker.io registry. Only this registry is unable to be blocked. 

BLOCK_REGISTRY='--block-registry docker.io' 



Version-Release number of selected component (if applicable):
RHEL 7.3
Docker 1.10.3

How reproducible:
100%

Actual results:
 /etc/sysconfig/docker file looks like 
OPTIONS=' --selinux-enabled --insecure-registry=172.30.0.0/16 --log-driver=json-file --log-opt max-size=50m'
DOCKER_CERT_PATH=/etc/docker
ADD_REGISTRY='--add-registry registry.access.redhat.com'
BLOCK_REGISTRY='--block-registry docker.io'
#BLOCK_REGISTRY='--block-registry public'


Restarted docker

# docker pull docker.io/nginx
Using default tag: latest
Trying to pull repository docker.io/library/nginx ...
latest: Pulling from docker.io/library/nginx
386a066cd84a: Pull complete
7bdb4b002d7f: Pull complete
49b006ddea70: Pull complete
Digest: sha256:9038d5645fa5fcca445d12e1b8979c87f46ca42cfb17beb1e5e093785991a639
Status: Downloaded newer image for docker.io/nginx:latest

Where are you experiencing the behavior?  What environment?

Client:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-57.el7.x86_64
 Go version:      go1.6.2
 Git commit:      79ebcd8-unsupported
 Built:           Thu Oct 20 14:37:17 2016
 OS/Arch:         linux/amd64

Server:
 Version:         1.10.3
 API version:     1.22
 Package version: docker-common-1.10.3-57.el7.x86_64
 Go version:      go1.6.2
 Git commit:      79ebcd8-unsupported
 Built:           Thu Oct 20 14:37:17 2016
 OS/Arch:         linux/amd64

$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)


Expected results:

$ docker pull docker.io/nginx
Using default tag: latest
Error response from daemon: Blocked registry "docker.io"


Additional info:

Tested with Docker 1.9 and got expected results.

A temporary workaround would be to use * to block all. With OpenShift, the internal registry service IP would be needed in the --add-registry option so that we do not block pulls from this registry.

/etc/sysconfig/docker

BLOCK_REGISTRY='--block-registry *'

Comment 1 Antonio Murdaca 2016-11-16 08:59:22 UTC
Fixed by https://github.com/projectatomic/docker/commit/e92eb832bc59e85d4d7dfe3c95a5182abd8be3cc

Fix is in docker-1.12.3 and the rhel7-1.10.3 branch in projectatomic/docker (just in case someone needs the fix for 1.10.3, which I don't believe will be shipped for 7.3).

Assigning to Lokesh to rebuild for RHEL.

Comment 9 errata-xmlrpc 2017-01-17 20:43:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html
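
Added example, not part of the bug report or of Red Hat's fix: a regression check that reads the BLOCK_REGISTRY lines from a sysconfig file and confirms the daemon answers each listed hostname with the `Blocked registry "..."` refusal shown under "Expected results". The function names, the `PULL_CMD` override and the image argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not Red Hat's or Docker's code): confirm that registries named in
# BLOCK_REGISTRY are really refused by the daemon, the failure this bug describes.

PULL_CMD=${PULL_CMD:-docker pull}   # assumption: overridable so the check can be dry-run

# Print each value given to --block-registry on uncommented BLOCK_REGISTRY lines.
# Accepts both "--block-registry NAME" and "--block-registry=NAME".
blocked_registries() {
    sed -n "s/^[[:space:]]*BLOCK_REGISTRY=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tr '=' ' ' |
        awk '{ for (i = 1; i < NF; i++) if ($i == "--block-registry") print $(i + 1) }'
}

# Succeed only if the output carries the refusal shown under "Expected results".
pull_was_blocked() {   # $1 = registry, $2 = captured output of the pull
    printf '%s\n' "$2" | grep -qF "Blocked registry \"$1\""
}

# Try one pull per listed hostname; return non-zero if any was not refused.
# Wildcard-style values seen on the page ("*", "public") are skipped: only names
# containing a dot are probed. Any reply other than the refusal counts as a
# finding, so a pull error unrelated to blocking still needs a manual look.
audit_block_list() {   # $1 = sysconfig file, $2 = image to request (assumption)
    rc=0
    while read -r reg; do
        case $reg in *.*) ;; *) continue ;; esac
        out=$($PULL_CMD "$reg/$2" 2>&1 </dev/null) || true
        if pull_was_blocked "$reg" "$out"; then
            echo "OK        $reg refused"
        else
            echo "FINDING   $reg listed in $1 but pull was not refused"
            rc=1
        fi
    done <<EOF
$(blocked_registries "$1")
EOF
    return $rc
}
```

After sourcing the file, `audit_block_list /etc/sysconfig/docker nginx` runs the check against the live daemon; on a daemon with this bug the probe completes the pull, so the test image ends up in local storage.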

