From 3f2b8677190deaaf8807ca855a26c6ab4d998ed7 Mon Sep 17 00:00:00 2001 From: Monica Chao Date: Tue, 22 Apr 2025 17:12:53 -0500 Subject: [PATCH 1/3] Added section explaining how RAM configurations restricting Docker hub interacts with mirror registries --- .../manuals/docker-hub/image-library/mirror.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/manuals/docker-hub/image-library/mirror.md b/content/manuals/docker-hub/image-library/mirror.md index 427ee68f5f7d..5f3060cc19e0 100644 --- a/content/manuals/docker-hub/image-library/mirror.md +++ b/content/manuals/docker-hub/image-library/mirror.md @@ -45,6 +45,23 @@ Hub can be mirrored. The Registry can be configured as a pull through cache. In this mode a Registry responds to all normal docker pull requests but stores all content locally. +### Using Registry Access Management (RAM) with a registry mirror + +If Docker Hub access is restricted via your Registry Access Management (RAM) configuration, you will not be able to pull images originating from Docker Hub even if the images are available in your registry mirror. + +You may encounter an error like: +```bash +Error response from daemon: Access to docker.io has been restricted by your administrators. +``` + +This happens because RAM restrictions are enforced at the API proxy layer, meaning the request is blocked before Docker Desktop even attempts to pull from a registry mirror or fall back to Docker Hub. + +If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example: +``` +docker pull /library/busybox +docker tag /library/busybox:latest busybox:latest +``` + ## How does it work? The first time you request an image from your local registry mirror, it pulls From 6ea4f749eb9e477c80a0dd6ee61f066a5d3a8480 Mon Sep 17 00:00:00 2001 
From: Monica Chao Date: Tue, 22 Apr 2025 17:32:30 -0500 Subject: [PATCH 2/3] Improved wording and commands --- content/manuals/docker-hub/image-library/mirror.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/manuals/docker-hub/image-library/mirror.md b/content/manuals/docker-hub/image-library/mirror.md index 5f3060cc19e0..e3ca092781e7 100644 --- a/content/manuals/docker-hub/image-library/mirror.md +++ b/content/manuals/docker-hub/image-library/mirror.md @@ -49,17 +49,17 @@ responds to all normal docker pull requests but stores all content locally. If Docker Hub access is restricted via your Registry Access Management (RAM) configuration, you will not be able to pull images originating from Docker Hub even if the images are available in your registry mirror. -You may encounter an error like: -```bash +You will encounter the following error: +```console Error response from daemon: Access to docker.io has been restricted by your administrators. ``` -This happens because RAM restrictions are enforced at the API proxy layer, meaning the request is blocked before Docker Desktop even attempts to pull from a registry mirror or fall back to Docker Hub. +This happens because RAM restrictions are enforced at the API proxy layer, meaning that the request is blocked before Docker Desktop even attempts to pull from a registry mirror or fall back to Docker Hub. If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example: -``` -docker pull /library/busybox -docker tag /library/busybox:latest busybox:latest +```console +docker pull [:]/library/busybox +docker tag [:]/library/busybox:latest busybox:latest ``` ## How does it work? From dcaac7003d4889f8ac5739b62e5f7e53d13ed6d3 Mon Sep 17 00:00:00 2001 
From: Monica Chao Date: Wed, 23 Apr 2025 09:23:48 -0500 Subject: [PATCH 3/3] Responded to feedback --- content/manuals/docker-hub/image-library/mirror.md | 2 -- .../for-admins/hardened-desktop/registry-access-management.md | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/content/manuals/docker-hub/image-library/mirror.md b/content/manuals/docker-hub/image-library/mirror.md index e3ca092781e7..9ab5fdf7b4e6 100644 --- a/content/manuals/docker-hub/image-library/mirror.md +++ b/content/manuals/docker-hub/image-library/mirror.md @@ -54,8 +54,6 @@ You will encounter the following error: Error response from daemon: Access to docker.io has been restricted by your administrators. ``` -This happens because RAM restrictions are enforced at the API proxy layer, meaning that the request is blocked before Docker Desktop even attempts to pull from a registry mirror or fall back to Docker Hub. - If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example: ```console docker pull [:]/library/busybox diff --git a/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md b/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md index cf3892b1a54f..75f194954906 100644 --- a/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md +++ b/content/manuals/security/for-admins/hardened-desktop/registry-access-management.md 
@@ -89,6 +89,7 @@ earlier Linux kernel series). This will be resolved in the updated 5.15 series Linux kernel. - Images pulled by Docker Desktop when Docker Debug or Kubernetes is enabled, are not restricted by default even if Docker Hub is blocked by RAM. +- If Docker Hub access is restricted by RAM, pulls on images originating from Docker Hub are restricted even if the image has been previously cached by a registry mirror. See [Using Registry Access Management (RAM) with a registry mirror](/manuals/docker-hub/image-library/mirror.md). Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain
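Review bot: In the first patch's hunk for mirror.md, the pull example `docker pull /library/busybox` has no registry host in front of `/library/busybox`, so as written it is neither a valid reference nor an obvious template; spell out the placeholder, for example `docker pull <mirror-host>/library/busybox`, and use the same placeholder in the `docker tag` line. The same hunk also tags the daemon error message as `bash`, but it is program output rather than a script, so a `console` fence (as the second patch later adopts) fits better. Finally, the workaround only works if the mirror host itself is permitted by the RAM allowlist; a sentence saying so would stop readers from trying it against a mirror that is also blocked.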
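Review bot: In the second patch's hunk, the reworded commands `docker pull [:]/library/busybox` and `docker tag [:]/library/busybox:latest busybox:latest` still show an empty `[:]` with no host name before it, so the reader cannot tell what to substitute; name the parts explicitly, for example `<mirror-host>[:<port>]/library/busybox`, so the optional port is clearly the bracketed element. Also, "and optionally, retag the image" reads better as "and, optionally, retag the image".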
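Review bot: In the third patch's hunk for mirror.md, dropping the explanatory sentence leaves the section stating that cached images are blocked without saying why, so a reader may conclude the mirror is misconfigured. Keep a single sentence that avoids the internal "API proxy layer" wording but gives the cause, for example: "RAM evaluates the registry in the image name (`docker.io`), not the server that actually serves the layers, so a mirror cache does not change the result." That matches the limitation bullet added in the same patch.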
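Review bot: In the hunk for registry-access-management.md, the new bullet links to `/manuals/docker-hub/image-library/mirror.md` without a fragment, so it lands at the top of the page rather than on the section it names; append the section anchor (for example `#using-registry-access-management-ram-with-a-registry-mirror`, assuming the site generates heading anchors in that form). Wording: "pulls on images originating from Docker Hub" should be "pulls of images originating from Docker Hub". Note that this bullet sits in a list of restrictions that do not apply; since it describes a case where RAM does apply, consider introducing it as expected behaviour rather than a limitation so admins do not read it as a gap.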