2.6 Setup a local registry mirror

Information

The local registry mirror serves the images from its own storage.

If you have multiple instances of Docker running in your environment, each time one of
them requires an image, it has to go out to the internet and fetch it from the public or
your private Docker registry. By running a local registry mirror, you can keep image fetch
traffic on your local network. Your Docker instances then need not be internet facing,
which drastically reduces the threat vector. Additionally, it allows you to manage
and securely store your images within your own environment.

Solution

Configure a local registry mirror and then start the Docker daemon as below:

$> docker --registry-mirror=<registry path> -d

For example,

$> docker --registry-mirror=https://10.0.0.2:5000 -d

Impact: The local registry mirror would need to be managed. It must have verified images that you
use in your environment, and those images must be kept updated from time to time.

Default Value: By default, there are no local registry mirrors set up on a host with Docker installed.
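
One way to check a host against this item, as an added example that is not part of the benchmark text: the functions below parse a daemon command line for the --registry-mirror option shown in the Solution. The function names, the sample command lines and the HTTPS warning are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Docker daemon command line for --registry-mirror.
# Obtain the string on a host with e.g. `ps -o args= -C docker` (assumption).

# Print every mirror URL in the argument string, one per line.
# Handles both --registry-mirror=URL and --registry-mirror URL.
list_mirrors() {
    take_next=0
    for arg in $1; do            # intentional word splitting
        if [ "$take_next" -eq 1 ]; then
            printf '%s\n' "$arg"
            take_next=0
            continue
        fi
        case "$arg" in
            --registry-mirror=*) printf '%s\n' "${arg#--registry-mirror=}" ;;
            --registry-mirror)   take_next=1 ;;
        esac
    done
}

# Return 0 when a mirror is set, 1 when none is set, and
# 2 when a mirror is not HTTPS (extra check added here, not in the item text).
audit_mirror() {
    mirrors=$(list_mirrors "$1")
    if [ -z "$mirrors" ]; then
        echo "FAIL: no --registry-mirror on daemon command line"
        return 1
    fi
    result=0
    for m in $mirrors; do
        case "$m" in
            https://*) echo "PASS: mirror $m" ;;
            *)         echo "WARN: mirror $m is not HTTPS"; result=2 ;;
        esac
    done
    return "$result"
}

# Constructed sample command lines (not captured from a real host).
for cmdline in \
    "/usr/bin/docker --registry-mirror=https://10.0.0.2:5000 -d" \
    "/usr/bin/docker --registry-mirror http://10.0.0.2:5000 -d" \
    "/usr/bin/docker -d"
do
    audit_mirror "$cmdline" || true
done
```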

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 8d7cdb2e32206ad57c8dd17e29fa238fc473f242eb4ad821c7070d0245df7ac3