kassisol / hbm

HBM is an application to authorize and manage authorized docker commands using the Docker AuthZ plugin

Feature Request: Block Public Docker Registry

dbooncha opened this issue · comments

I see the ability to add a registry, and maybe I am missing it, but we have a need to block all registries except what we whitelist. I have added a local registry, and it works, but now we would like the ability to block docker from pulling from any public registries, i.e. docker hub.

All registries, as well as images, are blocked by default. You can whitelist single images or registries with the commands below:

  • hbm resource add -t image -v "kassisol/hbm" img_hbm; tags are not checked, so no need to specify them.
  • hbm resource add -t registry -v "private.registry.com" registry_private1.
  • You can also allow only official images from the docker public registry: hbm resource add -t config -v image_create_official official_image.

Let me know if that works for you.

Ok, so I may have something misconfigured. I have whitelisted centos and oracle images and I have allowed my local registry. Our local registry only contains centos images, but I can still pull down oracle images from docker hub. Let me look into my settings.

Can you paste the output of the commands hbm resource ls -f "type=image" -f "type=registry" and the docker pull commands?

Sure thing,

$ hbm resource ls -f "type=image
NAME                TYPE                VALUE               OPTIONS             COLLECTIONS
image_centos        image               centos                                  spf-collection
image_oracle        image               oraclelinux                             spf-collection
$ hbm resouce ls -f  "type=registry"
NAME                TYPE                VALUE               OPTIONS             COLLECTIONS
td-registry         registry            td.registry.domain                      spf-collection
$ docker pull oraclelinux
Using default tag: latest
Warning: failed to get default registry endpoint from daemon (Error response from daemon: authorization denied by plugin hbm: info is not allowed). Using system default: https://index.docker.io/v1/
latest: Pulling from library/oraclelinux
27de86fdd696: Pull complete 
Digest: sha256:e000f0ba4aa2873b5f0a2a30219f8ab04a865ab536567652526134057fd299c7
Status: Downloaded newer image for oraclelinux:latest

Would that hbm:info error have anything to do with it? What I would like to prevent is docker from pulling from public repos like what happened when I pulled oraclelinux.
Thanks

Why do you whitelist the image oraclelinux if you don't want it to be pulled?

image_oracle image oraclelinux spf-collection

It was a test, the thought was if docker could not find an image in my local registry I want to prevent docker from pulling it from docker hub if that makes sense.

Now I think I understand what you are trying to do. When whitelisting a registry, all images from that registry are allowed. Registry and image resources are not related.
If you want to whitelist a single image from your registry, and not all of them, run the following command: hbm resource add -t image -v "td.registry.domain/centos" img_centos, as you will specify the image to the docker command (docker pull td.registry.domain/centos).
Specifying oraclelinux means an official image from the docker public registry. That's the reason why you can still pull it.

Remove those 2 resources, image_centos and image_oracle.

Ok, I think I am following. If I whitelist a specific image with the registry like so

hbm resource add -t image -v "td.registry.domain/centos" img_centos
It will only pull that image down from that registry.

If I whitelist an image name like
hbm resource add --type image --value centos image_centos
Docker is allowed to pull that image from any registry.

Is that correct?

Almost! For the last one, it's the same as running docker pull centos; the docker command does not pull it from any registry but from the public registry, right?

That's what I meant. Got it thanks!
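The rule the maintainer spells out above (a registry entry allows every image on that registry, an image entry allows one registry/repository pair with tags ignored, and a bare name such as oraclelinux is the official Docker Hub image) can be modelled to show why the user's first policy still let the Hub pull through. This is an added illustration, not hbm's own code; the reference parsing follows the docker CLI's normalization rules, and the policies at the bottom are constructed from the thread.

```python
# Added example (not hbm's own code): a model of the allow/deny logic the
# thread describes, to show why "oraclelinux" is still pulled from Docker Hub.
from dataclasses import dataclass, field

HUB = "docker.io"  # what the docker CLI uses when no registry is given


def parse_reference(ref: str) -> tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag) the way the
    docker CLI normalizes it: the first path component is a registry only if it
    looks like a host ('.' or ':' in it, or 'localhost'); a bare Hub name such
    as 'centos' is the official image docker.io/library/centos."""
    ref, _, _digest = ref.partition("@")          # drop any @sha256:... digest
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = HUB, ref
    if registry == "index.docker.io":
        registry = HUB
    head, sep, tag = path.rpartition(":")
    path, tag = (head, tag) if sep and "/" not in tag else (path, "latest")
    if registry == HUB and "/" not in path:
        path = "library/" + path                  # official image
    return registry, path, tag


@dataclass
class Policy:
    """Whitelist as the thread describes it: a registry entry allows every
    image on that registry; an image entry allows one registry/repository
    pair (tags are not checked); image_create_official allows library/*."""
    images: set = field(default_factory=set)
    registries: set = field(default_factory=set)
    allow_official: bool = False

    def allows_pull(self, ref: str) -> bool:
        registry, path, _tag = parse_reference(ref)
        if registry in self.registries:
            return True
        if self.allow_official and registry == HUB and path.startswith("library/"):
            return True
        # Whitelisted image values go through the same normalization, so a bare
        # "centos" means docker.io/library/centos, not "centos on any registry".
        return any(parse_reference(img)[:2] == (registry, path) for img in self.images)


# Constructed reproduction of the thread: the user's first (mistaken) policy.
user_policy = Policy(images={"centos", "oraclelinux"}, registries={"td.registry.domain"})
# The corrected policy: pin centos to the private registry, nothing from the Hub.
fixed_policy = Policy(images={"td.registry.domain/centos"})
```

With user_policy, allows_pull("oraclelinux") is True because the bare name resolves to the whitelisted official image; with fixed_policy it is False, and only td.registry.domain/centos (any tag) passes.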