Posted by littlecranky67 11 hours ago

Tell HN: docker pull fails in Spain due to football Cloudflare block

I just spent 1h+ debugging why my locally-hosted GitLab runner would fail to create pipelines. The GitLab job output would just display weird TLS errors when trying to pull a Docker image. After debugging GitLab and the runner, I realized after a while I could not even run "docker pull <image>" on my machine as root:

> error pulling image configuration: download failed after attempts=6: tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted to match docker-images-prod.6aa30f8b08e16409b46e0173d6de2f56.r2.cloudflarestorage.com

At first I blamed Tailscale, DNS configuration and all sorts of other things, until I just copied the above URL into my browser on my laptop and received a website banner:

> Access to this IP address has been blocked in compliance with the Judgment of 18 December 2024 issued by the Commercial Court No. 6 of Barcelona in the ordinary proceedings (Commercial matter art. 249.1.4)-1005/2024-H brought by the Liga Nacional de Fútbol Profesional and by Telefónica Audiovisual Digital, S.L.U. https://www.laliga.com/noticias/nota-informativa-en-relacion-con-el-bloqueo-de-ips-durante-las-ultimas-jornadas-de-laliga-ea-sports-vinculadas-a-las-practicas-ilegales-de-cloudflare

For those non-Spanish speakers: it means there is a football match on, and during that time that specific host is blocked. This is just plain madness. I guess that means my GitLab pipelines will not run when football is on. Thank you, Spain.

594 points | 229 comments (page 4)
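The error in the post is Go's crypto/x509 wording for one specific situation: the certificate the connection received carried no DNS names at all, so there was nothing to compare against the wanted host. That is a strong hint that something other than the origin answered (a block page, captive portal or proxy) rather than a misconfigured certificate. The script below is an added example for this thread, not code from the post or from Docker or Cloudflare: it fetches whatever certificate an endpoint presents, pulls the DNS names out of its subjectAltName with a minimal DER scan (an assumption that the first occurrence of the SAN OID is the extension itself, which holds for real certificates but is not a full ASN.1 decoder), and classifies the mismatch against the name the client wanted. The names `sinkhole.example` and `*.example.net` used in comments are constructed; the wildcard depths for the `r2.cloudflarestorage.com` host are illustrative, not the real certificate.

```python
"""Diagnose a 'certificate is not valid for any names' TLS failure.

Added example; not the original post's code. Reports whether a hostname
mismatch looks like a misconfigured origin or an unrelated endpoint
(block page, captive portal, proxy) answering in the origin's place.
"""
import socket
import ssl

# DER encoding of the subjectAltName extension OID 2.5.29.17.
SAN_OID = b"\x06\x03\x55\x1d\x11"


def _der_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def dns_names_from_der(der: bytes):
    """Extract dNSName entries from a DER certificate (minimal scan, see lead-in)."""
    idx = der.find(SAN_OID)
    if idx < 0:
        return []
    i = idx + len(SAN_OID)
    if i < len(der) and der[i] == 0x01:          # optional 'critical' BOOLEAN
        i += 3
    if i >= len(der) or der[i] != 0x04:           # extnValue OCTET STRING
        return []
    _, i = _der_len(der, i + 1)
    if i >= len(der) or der[i] != 0x30:           # GeneralNames SEQUENCE
        return []
    seq_len, i = _der_len(der, i + 1)
    end = i + seq_len
    names = []
    while i < end:
        tag = der[i]
        length, i = _der_len(der, i + 1)
        if tag == 0x82:                           # [2] dNSName, IA5String
            names.append(der[i:i + length].decode("ascii", "replace"))
        i += length
    return names


def hostname_matches(wanted: str, san_names) -> bool:
    """RFC 6125-style DNS-ID matching: exact, or one leftmost wildcard label."""
    wanted = wanted.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == wanted:
            return True
        if name.startswith("*.") and name.count(".") >= 2:   # no '*.com' style wildcards
            suffix = name[1:]                     # ".example.net"
            if wanted.endswith(suffix):
                left = wanted[:-len(suffix)]
                if left and "." not in left:      # wildcard covers exactly one label
                    return True
    return False


def classify_mismatch(wanted: str, served_names) -> str:
    """Explain why 'wanted' did not verify against the served DNS names."""
    if hostname_matches(wanted, served_names):
        return "match"
    if not served_names:
        # Go's crypto/x509 prints "not valid for any names" in exactly this case.
        return "no-dns-san"
    wanted_site = ".".join(wanted.lower().rstrip(".").split(".")[-2:])
    for name in served_names:
        bare = name.lower().rstrip(".").removeprefix("*.")
        if ".".join(bare.split(".")[-2:]) == wanted_site:
            return "same-site-wrong-name"        # origin cert, wrong or too-shallow name
    return "unrelated-name"                      # something else answered the connection


def fetch_served_names(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch the DNS names of whatever certificate the endpoint presents.

    Verification is disabled on purpose: we want to inspect the certificate
    that failed, not trust it. Nothing is sent beyond the TLS handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
    return dns_names_from_der(der)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    names = fetch_served_names(target)
    print(target, "->", names, classify_mismatch(target, names))
```

Run it with the host named after "wanted to match" in the error; `no-dns-san` or `unrelated-name` means the TLS session is terminating somewhere other than the registry's storage origin, which is worth checking before touching DNS, VPN or runner configuration.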
Magnets 7 hours ago
BT used to block the entire streamable.com site during football matches
thomasjudge 5 hours ago
Could you bypass this with a VPN?
tossandthrow 5 hours ago
Yes, and all of Spain is learning how to use VPNs
jimaek 10 hours ago
Off topic but I wonder when Cloudflare is going to launch their own Docker registry as a product.
ImJasonH 9 hours ago
It's pretty easy to write your own. I made this one a while ago: https://github.com/chainguard-dev/crow-registry
ai_slop_hater 7 hours ago
https://github.com/cloudflare/serverless-registry
jimaek 7 hours ago
I've seen it but it's buggy and lacking in features. Feels like an afterthought instead of a real product
wqtz 9 hours ago
Well, Cloudflare does not launch anything. They acquire to build products. Look into all their recent product launches. They acquired a relatively small company and converted the founding team to a product team.

So, if you want them to build stuff, ask yourself, are there any "Docker Registry" startups out there. If jsdelivr/globalping is not keeping you busy enough... there is an idea

jimaek 9 hours ago
Honestly I would build it if I knew how to properly market it to quickly get users.

Globalping and jsDelivr took years to gain a meaningful user base

wqtz 8 hours ago
I do not think that is the issue. The recent acquisitions from all these big tech companies did not have any "meaningful" user base to begin with.

I think your name alone carries significant weight in the industry and you have built a very large community.

If you even vibe code something with, you will get a stupid amount of money thrown at you and a contract that binds your existing projects and the next 3-5 years to a particular company as project lead.

Here is a list of acquisitions Cloudflare made recently: https://blog.cloudflare.com/tag/acquisitions/

Most of these companies did not have half a dozen paying customers or even a fully fleshed-out product before they were acquired.

jimaek 7 hours ago
I wish I had as much faith in myself as you have in me :)
vaylian 10 hours ago
What would the business case be?
jimaek 10 hours ago
Capture developers and funnel them to the Workers platform
blurb4969 5 hours ago
Welcome to the club, buddies! Here in Russia, the government doesn't care about collateral damage at all when shutting down the whole Internet in cities. They turn on whitelist mode, when only approved sites and IPs work. Businesses stop working and start losing money? They don't care. Important IT systems stop working? They don't care. People can't communicate with each other? Don't care. And it seems like it will happen everywhere else. Sad to see the whole world falling apart.
fc417fc802 5 hours ago
I think perhaps there's a difference in expectations between wartime versus a country at peace going after pirates.
blurb4969 4 hours ago
I wanted to say that Internet freedom dismantlement is a global trend.
fc417fc802 4 hours ago
Fair enough, I completely agree. However, in the case of Russia specifically, I understand that at one point Ukrainian drones were making routine use of mobile internet within the country. Temporary internet whitelists seem like a reasonable alternative to complete blackouts in that scenario. There are plenty of historic examples of malware using just about any communication platform for the C&C transport.
ahachete 10 hours ago
Yeah, I know. Welcome to the club :(

https://x.com/ahachete/status/2035783292549755228

Myzel394 6 hours ago
Just use a VPN
anthk 9 hours ago
CF could just sue LaLiga and the judge, as interrupting and intercepting telecoms is a really serious crime in Spain. Call the AEPD too because of consumers' rights against both the ISP's and LaLiga's snooping. Another huge fine.

This is not an issue under the civil code (civil matters), but something to be dealt with under the penal (criminal) code.

In Spanish:

https://www.fiscal.es/memorias/memoria2020/FISCALIA_SITE/rec...

Oh, and BTW, LaLiga has just partnered with a CF rival.

Now CF can just sue both like hell because of unfair competition:

https://nitter.tiekoetter.com/xataka/status/2042658662850724...

quadrifoliate 9 hours ago
Looks like they already tried to appeal the block, and lost:

https://x.com/jaumepons/status/1904906677335245294

buzer 7 hours ago
They could potentially file a suit against Spain in the European Court of Human Rights if they have exhausted national remedies. The ECtHR has previously ruled some blocks to be illegal, but generally in the context where the country sought the ban. Of course, in both cases a court is the one that actually orders the ban.

One relevant case would be Yildirim v. Turkey, where a court ordered blocking access to all Google sites because there was one where someone insulted the memory of Atatürk. This was due to a request from the Telecommunications Directorate. This then caused the appellant's website to get blocked as well.

Another one would be Vladimir Kharitonov v. Russia.

prmoustache 9 hours ago
I think they are doing it already.
anthk 9 hours ago
Yeah, La Liga is crapping out as always. Docker needs either some I2P gateway, or a Tor service.
fc417fc802 4 hours ago
The pirate streams need an I2P service; that way LaLiga might give up.
mschuster91 5 hours ago
Cloudflare could resolve this without negatively impacting fundamental services... just place all newly registered sites (e.g. <30 days) on a dedicated block of IP addresses. That way, Spain's government-ordered censorship could be limited to (mostly) pirate sites. Or they could invest money in vetting customers properly.

But of course, Cloudflare prefers to hold their actual large customers (who don't have much of an alternative to CF) and everyday Spanish users hostage.

fc417fc802 5 hours ago
What would prevent a pirate site operator from registering a domain a few months in advance and sitting on it in the meantime?

How do you propose customers ought to be vetted? Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job?

I think it is actually Spain using their residents as hostages in an attempt to extort Cloudflare and other large providers. The current situation is best described as blatantly corrupt regulatory capture.

mschuster91 3 hours ago
> What would prevent a pirate site operator from registering a domain a few months in advance and sitting on it in the meantime?

It's driving up the cost and expenses. Operators of legitimate sites don't have to worry during that probation time about anything with the exception of customers in Spain during LL match hours.

LL has ~10 matches per weekend (Fri/Sat/Sun/Mon), which means pirates have to have about 40 domains/CF integrations per month plus more on standby, and more still for longer probation periods.

> How do you propose customers ought to be vetted?

I dunno... stuff like basic KYC measures would be a good start. Copies of ID cards. Government business licenses. Private entities (credit bureaus). Even phone number verification is a serious hurdle for malicious actors, and it ties activities to real world identities that can be held accountable.

Dangerous stuff (e.g. streaming) could only be made available upon a security deposit.

> Why should a host be expected to take on the duties of a hall monitor? Isn't that the judiciary's job?

No, and that we let ISPs get away with ignoring abuse@ emails is part of why the Internet is such a nasty place these days. You need a license to drive a car on public roads, you need an expensive license to fly a small plane, and you need a goddamn massively expensive license to fly a widebody aircraft. So why shouldn't you need to pass some set of verification before you get access to inarguably the Internet's most powerful data pipes?

fc417fc802 45 minutes ago
> It's driving up the cost and expenses.

That's an interesting point. Are their margins so slim that they can't afford less than ~$50 per domain? I'm not familiar with their revenue model.

This is the sort of thing that could be done via the legislature if Spain were serious and playing by the rules. They could require ISPs to do DNS filtering based on domain age during matches. If they really wanted to do service level filtering they could require hosts such as CF to perform geoblocking in a similar manner during matches.

> Dangerous stuff (e.g. streaming) could only be made available upon a security deposit.

Let's set aside for a moment that I think this suggestion is completely absurd. Are these sites using some prepackaged streaming solution? Do you not realize that I can stream video from any machine using software I control? To an approximation the only thing required to scale streaming up to lots of customers is raw bandwidth. If you don't accommodate seeking you can potentially serve thousands of simultaneous streams with a single cheap VPS (in practice this won't work because a cheap VPS won't have a 100 Gbit pipe).

> So why shouldn't you need to pass some set of verification

Since when have you needed a license or verification to publish? You're acting as though a global impressum requirement is the natural state of affairs. Your demand is an affront to free society.

> we let ISPs get away with ignoring abuse@ emails

That seems like an entirely separate matter, if it's even true at all.

> No

Ah yes, a rousing argument. Obviously you must be correct.

You've failed to make a convincing case as to why deciding what is and isn't permissible isn't the job of the judiciary. If Spain wants to change that then they need to pass laws to that effect but in practice those won't have global reach. Thus they might (for example) engage in international lobbying efforts to incorporate a DMCA equivalent for illegal streaming into the global copyright regime.

Failing the above it is Spain that is in the wrong here and I'm happy to see that CF isn't going along with their overbearing and entirely unreasonable nonsense.
