Firewall rules for Docker Hub access
Question
I am looking to implement Docker in an enterprise environment that uses a firewall ip-address white-list. Unfortunately, white-listing by domains is not an option.
Is there a list of all IP addresses (including ports) that I need to open up to allow a machine full access to Docker Hub?
Also wondering if there are any recommended strategies for monitoring if any of these change over time so that I can ensure the firewall rules get updated?
1 answers
solution1
4 2016-01-11 21:16:28
you could routinely run a dig command and parse out the IPs there are returned. Here is a dig result
;; ANSWER SECTION:
hub.docker.com. 9 IN CNAME elb-default.us-east-1.aws.dckr.io.
elb-default.us-east-1.aws.dckr.io. 276 IN CNAME us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com.
us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com. 55 IN A 52.7.223.172
us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com. 55 IN A 54.208.38.120
us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com. 55 IN A 54.86.125.243
This indicates to me that the hub.docker.com is a CNAME that points to an AWS Elastic Load Balancer instance. ELBs are not guaranteed to always have the same IP, so this solution is definitely a hack, but you might get some mileage out of it.
If you have a restrictive IT department with restrictive rules, you may need Docker Trusted Registry , which will allow you to deploy a private registry in your own environment, tied to just one IP, and locked down via firewall rules.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.