Configure Docker daemon with "icc" and "disable-legacy-registry" on Debian 8.4

Hello,

Goal

I am trying to configure the Docker daemon on Debian 8.4 with Docker 1.12.1.

I would like to use the "icc" and "disable-legacy-registry" options of the Docker daemon. My aim is to be compliant with the rules of the Docker Bench for Security v1.1.0. In particular, I am checking rules 2.1 and 2.13.

Issue

The options have no effect.

Description

I tried several solutions.

"docker.service" file

  1. In /lib/systemd/system/docker.service, I replaced
       ExecStart=/usr/bin/dockerd -H fd://
     with
       ExecStart=/usr/bin/dockerd -H fd:// --icc=false --disable-legacy-registry=true
  2. systemctl daemon-reload
  3. systemctl restart docker

Rules 2.1 and 2.13 still have "WARN" status with Docker Bench for Security.

But when I execute "ps" I see that the launch command is correct: /usr/bin/dockerd -H fd:// --icc=false --disable-legacy-registry

"daemon.json" file

  1. Create the /etc/docker/daemon.json file with:
       {
         "icc": false,
         "disable-legacy-registry": true
       }
  2. systemctl restart docker

Rules 2.1 and 2.13 still have "WARN" status with Docker Bench for Security.

But if I execute docker daemon --icc=false --disable-legacy-registry=true, I get:

unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: disable-legacy-registry: (from flag: true, from file: true), icc: (from flag: false, from file: false)

In conclusion, the daemon.json file is taken into account but has no effect on the Docker Bench for Security.

"docker daemon" command

If I bypass the automatic launch of the daemon and manually execute the command docker daemon --icc=false --disable-legacy-registry=true, then it works! The two rules of the Docker Bench for Security are in "PASS" status.

To get more information, I execute the "ps" command and see that a process was launched with:
dockerd --icc=false --disable-legacy-registry=true

But when I execute dockerd --icc=false --disable-legacy-registry=true myself, it does NOT work.
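The post juggles two configuration sources, the dockerd command line (as seen in "ps") and /etc/docker/daemon.json, and runs into the rule that a directive given in both places makes dockerd refuse to start. The POSIX shell script below is an added example, not code from the original post or from Docker Bench for Security: it reads a command line string and a daemon.json body (both constructed inline), derives the effective value of each option the same way dockerd does (a directive set in both places is a conflict, otherwise whichever source sets it wins), and reports a PASS/WARN line for the two checks. The helper names flag_value, file_value, effective_value and audit are hypothetical; on a real host you would feed it "$(ps -o args= -C dockerd)" and "$(cat /etc/docker/daemon.json)".

```shell
#!/bin/sh
# Added example: audit the effective icc / disable-legacy-registry settings
# from the dockerd command line and daemon.json. Helper names are hypothetical.

# flag_value CMDLINE OPTION -> prints true/false, or nothing if the flag is absent.
# A bare "--option" (as in the post's ps output) means true.
flag_value() {
  cmdline="$1"; opt="$2"
  for tok in $cmdline; do
    case "$tok" in
      --"$opt")   echo true; return 0 ;;
      --"$opt"=*) echo "${tok#--"$opt"=}"; return 0 ;;
    esac
  done
  echo ""
}

# file_value JSON OPTION -> prints the boolean bound to "option" in the JSON
# text, or nothing if the key is absent (a minimal sed scan, enough for
# daemon.json files that use one "key": value pair per line).
file_value() {
  json="$1"; opt="$2"
  printf '%s\n' "$json" \
    | sed -n "s/.*\"$opt\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p" \
    | head -n1
}

# effective_value CMDLINE JSON OPTION -> the value dockerd would apply.
# Mirrors the error quoted in the post: a directive present both as a flag
# and in the file is rejected even when the two values agree.
effective_value() {
  f=$(flag_value "$1" "$3"); c=$(file_value "$2" "$3")
  if [ -n "$f" ] && [ -n "$c" ]; then
    echo conflict
  else
    echo "${f:-$c}"
  fi
}

# audit CMDLINE JSON -> one line per check; returns 0 only if both pass.
audit() {
  rc=0
  v=$(effective_value "$1" "$2" icc)
  if [ "$v" = false ]; then
    echo "2.1  icc=false: PASS"
  else
    echo "2.1  icc=${v:-unset}: WARN"; rc=1
  fi
  v=$(effective_value "$1" "$2" disable-legacy-registry)
  if [ "$v" = true ]; then
    echo "2.13 disable-legacy-registry=true: PASS"
  else
    echo "2.13 disable-legacy-registry=${v:-unset}: WARN"; rc=1
  fi
  return $rc
}

# Constructed sample inputs modelled on the post's three attempts.
FLAGS_ONLY='/usr/bin/dockerd -H fd:// --icc=false --disable-legacy-registry'
DEFAULT_CMD='/usr/bin/dockerd -H fd://'
SAMPLE_JSON='{
  "icc": false,
  "disable-legacy-registry": true
}'

echo "== flags in docker.service, no daemon.json =="
audit "$FLAGS_ONLY" '{}'
echo "== default unit, daemon.json only =="
audit "$DEFAULT_CMD" "$SAMPLE_JSON"
echo "== both sources set the same directives (dockerd refuses to start) =="
audit "$FLAGS_ONLY" "$SAMPLE_JSON"
```

The third run is the situation behind the error message quoted above: once daemon.json carries the two keys, the same directives must be removed from ExecStart, otherwise the daemon does not start at all and every Bench check that reads the running process will report WARN.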
