Issue with IB Registry image and STIG'd RHEL8
Summary
Hi there,
Our team is finally looking to upgrade our project from RHEL7 to RHEL8 since it's been approved in SEC. One of the big issues we found is that during our deployment we load a local docker registry using the IB image to house our airgapped images. Unfortunately, it looks like the IB image is having trouble with the STIG'd RHEL8 deployment with htpasswd.
I tested with the normal non-IB registry image and it worked perfectly. For the sake of testing we've turned off fapolicyd and SELinux in our STIG'd image while we troubleshoot issues.
Like I said, this works for STIG'd RHEL7, but not RHEL8. Any ideas?
Steps to reproduce
Run this on STIG'd RHEL8:
docker run -d \
-p 443:5000 \
--restart=always \
--name bigbang_registry \
-v "/root/var/lib/registry:/var/lib/registry" \
-v "/root/docker-registry/auth:/auth" \
-e "REGISTRY_AUTH=htpasswd" \
-e "REGISTRY_AUTH_HTPASSWD_REALM=XXX Realm" \
-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
-v "/root/certs:/certs" \
-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/XXX.crt \
-e REGISTRY_HTTP_TLS_KEY=/certs/XXX.key \
ironbank/opensource/docker/registry-v2:2.8.2
What is the current bug behavior?
From the container's logs:
panic: unable to configure authorization (htpasswd): open /auth/htpasswd: permission denied
What is the expected correct behavior?
No panic and the registry should load.
Possible fixes
Not a fix, but running the same above command with registry:2 instead of the IB registry image gives a successful deployment.
Tasks
- Bug has been identified and corrected within the container
Please read the Iron Bank Documentation for more info
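One way to narrow down the `open /auth/htpasswd: permission denied` panic reported above, as an added example that is not part of the original report or of Iron Bank's tooling: walk the host side of the bind mount and report the first path component whose mode bits block a given UID/GID. The helper names `perm_digit` and `first_denied` are hypothetical, and the UID/GID to test are an assumption, since the issue does not say which user the image runs as.

```shell
#!/bin/sh
# Added diagnostic, not from the issue. Mode bits only: ACLs, SELinux,
# fapolicyd and supplementary groups are not evaluated.
# Requires GNU stat (coreutils), as shipped on RHEL.

# perm_digit MODE UID GID OWNER_UID OWNER_GID
# Prints the rwx octal digit (owner, group or other) that applies to UID/GID.
perm_digit() (
    mode=$(( $1 % 1000 ))                 # drop the setuid/setgid/sticky digit
    if [ "$2" -eq "$4" ]; then echo $(( mode / 100 ))
    elif [ "$3" -eq "$5" ]; then echo $(( mode / 10 % 10 ))
    else echo $(( mode % 10 )); fi
)

# first_denied FILE UID GID
# Walks FILE from / downward. Prints the first component that UID/GID cannot
# search (directories) or read (the file itself) and exits 1. Exits 0 if every
# component passes, 2 if a component cannot be stat'ed.
first_denied() (
    uid=$2 gid=$3 path="" rest=${1#/}
    [ "$uid" -eq 0 ] && exit 0            # root with CAP_DAC_OVERRIDE bypasses mode bits
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        path="$path/$part"
        st=$(stat -L -c '%a %u %g' -- "$path" 2>/dev/null) || exit 2
        set -- $st                        # $1=mode $2=owner uid $3=owner gid
        digit=$(perm_digit "$1" "$uid" "$gid" "$2" "$3")
        if [ -n "$rest" ]; then need=1; else need=4; fi   # x for dirs, r for the file
        if [ $(( digit & need )) -eq 0 ]; then
            echo "$path"; exit 1
        fi
    done
    exit 0
)

# Example call, run as root on the host (1000:1000 is a placeholder UID:GID,
# not a value taken from the issue):
#   first_denied /root/docker-registry/auth/htpasswd 1000 1000
```

Run it as root on the host so `stat` can reach every component; a printed path is the place to compare between the RHEL7 and RHEL8 hosts.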