Adds image denylist (#1896)

* Adds image denylist * Move to DockerAPI * Wording * Use error instead of critical * Update supervisor/docker/__init__.py Co-authored-by: Martin Hjelmare <marhje52@gmail.com> * Run in executor * Add pyouroboros/ouroboros * Mark as unsupported * Use set * Update supervisor/docker/__init__.py Co-authored-by: Martin Hjelmare <marhje52@gmail.com> * Remove duplicate * Change logging * Update supervisor/docker/__init__.py Co-authored-by: Martin Hjelmare <marhje52@gmail.com> * Set healthy to False * small move Co-authored-by: Martin Hjelmare <marhje52@gmail.com> Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch>
2025-07-24 09:36:31 +00:00 · 2020-08-14 09:45:22 +02:00 · 2020-08-14 09:45:22 +02:00 · 2d312c276f
commit 2d312c276f
parent 3b0d0e9928
3 changed files with 32 additions and 1 deletions
--- a/supervisor/const.py
+++ b/supervisor/const.py
@ -36,6 +36,11 @@ SOCKET_DBUS = Path("/run/dbus/system_bus_socket")
 DOCKER_NETWORK = "hassio"
 DOCKER_NETWORK_MASK = ip_network("172.30.32.0/23")
 DOCKER_NETWORK_RANGE = ip_network("172.30.33.0/24")
+DOCKER_IMAGE_DENYLIST = [
+    "containrrr/watchtower",
+    "pyouroboros/ouroboros",
+    "v2tec/watchtower",
+]

 DNS_SUFFIX = "local.hass.io"

--- a/supervisor/core.py
+++ b/supervisor/core.py
@ -144,6 +144,11 @@ class Core(CoreSysAttributes):
            self.supported = False
            _LOGGER.error("Systemd DBUS is not connected")

+        # Check if image names from denylist exist
+        if await self.sys_run_in_executor(self.sys_docker.check_denylist_images):
+            self.coresys.supported = False
+            self.healthy = False
+
    async def start(self):
        """Start Supervisor orchestration."""
        self.state = CoreStates.STARTUP
--- a/supervisor/docker/init.py
+++ b/supervisor/docker/init.py
@ -9,7 +9,7 @@ import attr
 import docker
 from packaging import version as pkg_version

-from ..const import DNS_SUFFIX, SOCKET_DOCKER
+from ..const import DNS_SUFFIX, DOCKER_IMAGE_DENYLIST, SOCKET_DOCKER
 from ..exceptions import DockerAPIError
 from .network import DockerNetwork

@ -232,3 +232,24 @@ class DockerAPI:
            _LOGGER.debug("Networks prune: %s", output)
        except docker.errors.APIError as err:
            _LOGGER.warning("Error for networks prune: %s", err)
+
+    def check_denylist_images(self) -> bool:
+        """Return a boolean if the host has images in the denylist."""
+        denied_images = set()
+        for image in self.images.list():
+            for tag in image.tags:
+                image_name = tag.split(":")[0]
+                if (
+                    image_name in DOCKER_IMAGE_DENYLIST
+                    and image_name not in denied_images
+                ):
+                    denied_images.add(image_name)
+
+        if not denied_images:
+            return False
+
+        _LOGGER.error(
+            "Found images: '%s' which are not supported, remove these from the host!",
+            ", ".join(denied_images),
+        )
+        return True