Rule 2.13 no longer valid for Docker v17.12 and on #309

Closed
isuftin opened this Issue Jun 29, 2018 · 7 comments

isuftin commented Jun 29, 2018

The --disable-legacy-registry flag is no longer supported by Docker since version v17.12 and on.

In order to meet rule 2.13, one would have to include this flag into the docker daemon options. However, Docker no longer starts once you do include that flag.

...
Jun 29 15:44:45 default-centos-7.vagrantup.com dockerd[29998]: ERROR: The '--disable-legacy-registry' flag has been removed. Interacting with legacy (v1) registries is no longer supported
Jun 29 15:44:45 default-centos-7.vagrantup.com systemd[1]: docker.service: main process exited, code=exited, status=1/FAILURE
Jun 29 15:44:45 default-centos-7.vagrantup.com systemd[1]: Failed to start Docker Application Container Engine.
Jun 29 15:44:45 default-centos-7.vagrantup.com systemd[1]: Unit docker.service entered failed state.
Jun 29 15:44:45 default-centos-7.vagrantup.com systemd[1]: docker.service failed.
...

Perhaps check if the version of the daemon is v17.12 or later here and pass if so, since it is always disabled with no option to enable it at that version and above.

Member

konstruktoid commented Jul 1, 2018

Hi and thanks @isuftin, this should be fixed in #311

Member

konstruktoid commented Oct 12, 2018

Closing since #311 has been merged.

Author

isuftin commented Oct 12, 2018

Thank you 👍

src7 commented Apr 12, 2019

Hello,

This test is a bit confusing because it always returns "INFO" since 1712.
Shouldn't it return "PASS" instead? (since support for V1 registries has indeed been removed).
There are enough "INFOs" to take into account and some of them are really serious.

src7 commented Apr 12, 2019

Also I have serious doubts about the version comparison (because of tr -d '[:alpha:]-,.').

For example, 18.06.3-ce gives 18063 and is compared to 1712.
If the string was 17.12.0-ce for v17.12(.0), it would be 17120.
17.09.0-ce would give 17090 and is greater than 1712, so there would be no warnings even though v17.09 was released before v17.12.
(I don't have such old versions to test now).

| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.')

if [ "$docker_version" -lt 1712 ]; then

src7 commented Apr 12, 2019

Ok, now I understand why it returns "INFO" and not simply "PASS".

konstruktoid added a commit to konstruktoid/docker-bench-security that referenced this issue Apr 13, 2019

use only year and month for version check docker#309
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

konstruktoid added a commit that referenced this issue Apr 13, 2019

Merge pull request #373 from konstruktoid/ISSUE309
use only year and month for version check #309
Member

konstruktoid commented Apr 13, 2019

Hi @src7, I've updated 2.13 so it only uses year and month. Thanks for catching this.

$ docker version | grep -i -A2 '^server' | grep ' Version:' | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.'
18093
$ docker version | grep -i -A2 '^server' | grep ' Version:' | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4
1809
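
The version-comparison problem raised in this thread, as an added example that is not part of the thread or of docker-bench-security's own code: it runs the digit-stripping key, the four-digit key from the fix, and a field-wise comparison against the 17.12 cut-off. The helper names (`naive_key`, `yymm_key`, `version_lt`, `report`) are hypothetical and the version strings are constructed sample input.

```shell
#!/bin/sh
# Added example. Version strings below are constructed; no Docker daemon is needed.

# Key used by the original check: delete letters, '-', ',' and '.'.
naive_key() {
  printf '%s' "$1" | tr -d '[:alpha:]-,.'
}

# Key used after the fix in the thread: first four digits only (YYMM).
yymm_key() {
  naive_key "$1" | cut -c 1-4
}

# Hypothetical field-wise alternative: succeed when version $1 is older than
# release $2.$3. `[ -lt ]` parses operands as decimal, so "09" is safe here
# (it would be read as octal inside $(( ))).
version_lt() {
  ver=${1%%-*}        # drop a suffix such as "-ce"
  major=${ver%%.*}    # "17"
  rest=${ver#*.}      # "09.0"
  minor=${rest%%.*}   # "09"
  [ "$major" -lt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -lt "$3" ]; }
}

# Print how each method classifies a version against the 17.12 cut-off.
report() {
  for v in "$@"; do
    if [ "$(naive_key "$v")" -lt 1712 ]; then n=older; else n=not-older; fi
    if [ "$(yymm_key "$v")" -lt 1712 ]; then y=older; else y=not-older; fi
    if version_lt "$v" 17 12; then f=older; else f=not-older; fi
    printf '%-12s naive=%-9s yymm=%-9s fieldwise=%s\n' "$v" "$n" "$y" "$f"
  done
}

report 17.09.0-ce 17.12.0-ce 18.06.3-ce 18.09.3
```

The four-digit key relies on the version string starting with a two-digit year and a two-digit month; the field-wise comparison does not.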