Hello,
Goal
I am trying to configure the Docker daemon on Debian 8.4 with Docker 1.12.1.
I would like to use the "icc" and "disable-legacy-registry" options of the Docker daemon. My aim is to be compliant with the rules of the Docker Bench for Security v1.1.0. In particular, I check the 2.1 and 2.13 rules.
Issue
The options have no effect.
Description
I tried several solutions.
"docker.service" file
- I replaced
ExecStart=/usr/bin/dockerd -H fd://
by
ExecStart=/usr/bin/dockerd -H fd:// --icc=false --disable-legacy-registry=true
in /lib/systemd/system/docker.service.
- systemctl daemon-reload
- systemctl restart docker
Rules 2.1 and 2.13 still have "WARN" status with Docker Bench for Security.
But when I execute "ps", I see that the launch command is correct: /usr/bin/dockerd -H fd:// --icc=false --disable-legacy-registry
"daemon.json" file
- Create the /etc/docker/daemon.json file and add:
{
"icc": false,
"disable-legacy-registry": true
}
- systemctl restart docker
Rules 2.1 and 2.13 still have "WARN" status with Docker Bench for Security.
But if I execute docker daemon --icc=false --disable-legacy-registry=true, I get:
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: disable-legacy-registry: (from flag: true, from file: true), icc: (from flag: false, from file: false)
In conclusion, the daemon.json file is taken into account but has no effect on the Docker Bench for Security.
"docker daemon" command
If I bypass the autolaunching of the daemon and manually execute the command docker daemon --icc=false --disable-legacy-registry=true, then it works! The two rules of the Docker Bench for Security are in "PASS" status.
To get more information, I execute the "ps" command and see that a process was launched with:
dockerd --icc=false --disable-legacy-registry=true
But when I execute dockerd --icc=false --disable-legacy-registry=true myself, it does NOT work.
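To make the flag/daemon.json interaction from the post concrete, here is an added example (not code from the Docker project or from this post) that models how dockerd resolves a directive: flags and daemon.json are merged, and a directive present in both places is rejected even when the values agree, which is exactly the error quoted above. The bench_status function is a simplified stand-in for what Docker Bench 2.1 and 2.13 expect (icc false, disable-legacy-registry true), not the bench's own check logic; all command lines and JSON are constructed.

```python
"""Model dockerd option resolution (flag vs. daemon.json) and evaluate the
two Docker Bench rules from the post against the effective configuration."""
import json
import shlex

# Values the two bench rules expect (assumption: simplified from the post).
BENCH_EXPECTED = {"icc": False, "disable-legacy-registry": True}


def parse_flags(cmdline):
    """Extract --key[=value] options from a dockerd command line.
    A bare boolean flag such as --disable-legacy-registry means true."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:
        if not tok.startswith("--"):
            continue  # skip short options such as "-H" and their values
        key, _, val = tok[2:].partition("=")
        if val == "":
            flags[key] = True
        elif val.lower() in ("true", "false"):
            flags[key] = val.lower() == "true"
        else:
            flags[key] = val
    return flags


def effective_config(cmdline, daemon_json):
    """Merge command-line flags with the daemon.json contents.

    Like dockerd, refuse any directive that appears in both places, even
    when both sides carry the same value; otherwise return the merged map."""
    flags = parse_flags(cmdline)
    file_cfg = json.loads(daemon_json) if daemon_json else {}
    conflicts = sorted(set(flags) & set(file_cfg))
    if conflicts:
        detail = ", ".join(
            f"{k}: (from flag: {json.dumps(flags[k])}, "
            f"from file: {json.dumps(file_cfg[k])})" for k in conflicts)
        raise ValueError("the following directives are specified both as a "
                         "flag and in the configuration file: " + detail)
    return {**file_cfg, **flags}


def bench_status(cfg):
    """Return the expected PASS/WARN result for rules 2.1 and 2.13.
    Both rules WARN when the directive is absent (dockerd defaults)."""
    return {
        "2.1": "PASS" if cfg.get("icc") is BENCH_EXPECTED["icc"] else "WARN",
        "2.13": "PASS" if cfg.get("disable-legacy-registry")
        is BENCH_EXPECTED["disable-legacy-registry"] else "WARN",
    }
```

Feeding it the three configurations tried in the post shows that the flags-only and file-only variants both yield an effective configuration that should PASS, so a WARN with either means the bench is not reading the setting the daemon actually runs with.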