Docker push missing visibility setting

[pveierland]

Description

docker push allows pushing a new image to the docker hub. If a repo has not already been created and marked private, the repo will be created with public visibility. When changing configurations this makes it easy to leak repositories that were not intended to be public.

Reproduce

1. docker push <image> (with image intended to be private)
2. Repo is created on docker hub with public visibility.

Expected behavior

Docker CLI should support a --visibility=private/public flag or similar to prevent images from unintentionally being exposed publicly.

docker version

Client: Docker Engine - Community
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:17:48 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:17:48 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.25.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 27
  Running: 19
  Paused: 0
  Stopped: 8
 Images: 31
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: gf1ty2kauu87qxsgb10p0neup
  Is Manager: true
  ClusterID: ddk2cf6pgp8wt27kje55gibgt
  Managers: 1
  Nodes: 2
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 10.1.0.4
  Manager Addresses:
   10.1.0.4:2377
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-1017-azure
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.743GiB
 Name: teleagent-prod-master-1
 ID: 4cb928b4-b500-47e2-affe-bda3001c10b3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

[ja-pavi]

Hi I'm a UT Austin student, and would like to work on this issue if possible!

[thaJeztah]

Thanks for opening this ticket; I'm not sure if this is something that can be implemented in the docker engine itself. The OCI distribution specification (which is used for all registries, including docker hub) allows clients to upload images ("manifests"), but has no concept of "visibility"; https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#pushing-manifests

Some registries disallow pushing to a repository that does not yet exist (in which case they produce an error), but Docker Hub defaults to creating the repository, using the default visibility settings as configured in the namespace; https://docs.docker.com/docker-hub/repos/create/