Closed pgatilov closed 10 months ago
Hi @pgatilov, I believe the correct way to handle it is to add an empty array to the configuration file and manage that setting as any other.
Hi @konstruktoid, thanks for your response. Well, adding "insecure-registries": [] did help, thanks!
However, it's a bit confusing because the output of docker info still shows 127.0.0.0/8. Seems like the tool uses a different way of checking the setting compared to what is described in the Docker Benchmark PDF.
That's great to hear.
The script has evolved from the PDF due to the variations people have compared to the benchmark; swarm and services and whatnot.
Does the insecure registry still show up after a docker daemon restart?
@konstruktoid, yes, it still shows up. I believe it's some built-in logic for docker.
Sorry to say, that's nothing this script can fix.
Hello,
We've encountered an issue where check '2.5 - Ensure insecure registries are not used' sometimes gives false positives on a default docker installation:
Seems like in some cases the tool triggers on the localhost record which docker adds by default:
Should there be some exception for this default record? Or a way to specify a list of allowed insecure registries to the tool, so it's not necessary to review the configuration every time the benchmark is run?
Thanks
PS
We don't run / intend to run any registry on localhost, nor have we configured anything for that. At least not intentionally.
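The default loopback entry discussed in this thread can be told apart from registries an operator actually configured. The following is an added example, not part of the thread and not docker-bench-security's own code: it assumes the JSON shape printed by `docker info --format '{{json .RegistryConfig}}'`, and the sample data, the registry host name, the allow-list parameter and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `docker info --format '{{json .RegistryConfig}}'`.
# The 10.20.0.0/16 range and the registry host are hypothetical.
SAMPLE_REGISTRY_CONFIG = json.dumps({
    "InsecureRegistryCIDRs": ["127.0.0.0/8", "10.20.0.0/16"],
    "IndexConfigs": {
        "docker.io": {"Name": "docker.io", "Secure": True, "Official": True},
        "registry.example.internal:5000": {
            "Name": "registry.example.internal:5000",
            "Secure": False,
            "Official": False,
        },
    },
})


def insecure_registry_findings(registry_config_json, allowed=()):
    """Return insecure registries that are neither loopback nor allow-listed."""
    cfg = json.loads(registry_config_json)
    allowed = set(allowed)
    findings = []
    for cidr in cfg.get("InsecureRegistryCIDRs") or []:
        net = ipaddress.ip_network(cidr, strict=False)
        # The daemon reports the loopback range even with an empty
        # "insecure-registries" list, so it is not treated as a finding.
        if net.is_loopback:
            continue
        if cidr not in allowed:
            findings.append(cidr)
    # Registries configured by host name appear as index entries with Secure=false.
    for name, index in (cfg.get("IndexConfigs") or {}).items():
        if not index.get("Secure", True) and name not in allowed:
            findings.append(name)
    return sorted(findings)


def daemon_json_sets_key(daemon_json_text):
    """True if daemon.json manages insecure-registries explicitly, even as []."""
    return "insecure-registries" in json.loads(daemon_json_text or "{}")
```
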