[OT] Re: Additional container registry mirror [Was: Re: Sunsetting the Docker `openwrtorg` org (not `openwrt` org)]

Sebastian Moeller moeller0 at gmx.de
Sat Apr 15 03:08:32 PDT 2023 


> On Apr 15, 2023, at 10:19, Petr Štetiar <ynezz at true.cz> wrote:
> 
> Paul Spooren <mail at aparcar.org> [2023-04-15 02:02:24]:
> 
> Hi,
> 
>> I’d simply disable it instead of no longer updating it, any other opinions?
> 
> fine with me, thanks for taking care. I would simply announce it in several
> places, that there is a plan to sunset that namespace in 3-6 months, thus
> being nice and giving everyone some time to adjust their workflows.
> 
> BTW I've recently experienced following from Hetzner.de ephemeral VPS in their
> Helsinki DC with IP address within AS24940:
> 
> WARNING: Failed to pull image with policy "if-not-present": Error response
> from daemon: error parsing HTTP 403 response body: invalid character '<'
> looking for beginning of value: "<html><body><h1>403 Forbidden</h1>\nSince
> Docker is a US company, we must comply with US export control regulations. In
> an effort to comply with these, we now block all IP addresses that are located
> in Cuba, Iran, North Korea, Republic of Crimea, Sudan, and Syria. If you are
> not in one of these cities, countries, or regions and are blocked, please
> reach out to https://hub.docker.com/support/contact/\n</body></html>\n"
> (manager.go:237:1s)
> 
> From docker.com support I've got a response, that they're using maxmind.com
> service for this purpose and that Hetzner.de should fix that, but they don't
> fully understand the situation and/or don't care.

	[SM] Given the known relatively high false-localisation rates of geoIP providers it is pretty concerning (to me) that these are now used to apparently trying to enforce the law. Mind you docker has to follow the laws and regulations, so my concern is to outsource the critical decision to a known imprecise entity.

> 
> Anyway, I'm seeing more and more such issues recently with Cloudflare/GCP/AWS
> as well, probably using similar IP flagging service, so perhaps we should
> consider using some additional container registry as a backup/mirror? So if
> the pull from one registry doesn't work, then folks could try a different one.
> 
> I've not done any prior research about all viable options yet, but quay.io
> looks so far as my favorite option. Any objections/ideas?
> 
> Cheers,
> 
> Petr
> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list