Docker Images API Allows Cross-Host Registry Assignment, Creating Undeletable Dependencies #217
Description
| NetBox version | Plugin Version | Agent version | Docker API Version |
|---|---|---|---|
| 3.7.8 | 1.24.0 | N/A | N/A |
Actual Behavior
The /api/plugins/docker/images/ endpoint allows creating a Docker Image that is assigned to a Registry belonging to a different Docker Host than the Image itself.
This results in a cross-host dependency between:
- a Docker Image associated with Host A, and
- a Docker Registry associated with Host B.
Once such a relationship is created:
- the affected Docker Host or Registry cannot be deleted,
- referential integrity is logically broken (even if technically valid),
- the data model no longer reflects a real-world Docker setup, where images and registries are host-scoped.
This behavior can be reproduced via the API even if the UI would normally prevent such configuration.
Desired Behavior
The API should enforce host-level consistency by validating that:
- a Docker Image can only be associated with a Registry that belongs to the same Docker Host, or
- the registry relationship is otherwise explicitly designed to be global (and documented as such).
If cross-host relationships are not supported by design, the API should:
- reject such requests with a clear validation error, and
- prevent creation of data that leads to undeletable objects or invalid dependencies.
Impact
This issue can lead to:
- inconsistent Docker inventory data,
- blocked deletions during cleanup or decommissioning,
- manual database intervention to resolve invalid relationships.