How to run a insecure-registry

There was a discussion about how to set up an insecure registry with docker for mac. It was closed before I could comment on how to do it correctly.

This seems like the correct way to set this up please correct me if I’m wrong.

First I created a new file with the output of the current daemon.json file

$ pinata get daemon > myconfig.json

Then I added another rule to the json


Finally I set the new config

$ pinata set daemon @myconfig.json

The daemon restarted and I was able to pull from my registry.


Only to confirm your observation: the init script for docker contains the following code:

if mobyconfig exists insecure-registry
		DOCKER_OPTS="${DOCKER_OPTS} --insecure-registry $(mobyconfig get insecure-registry)"

So in contrast to other statements in the forum adding the `insecure-registry` setting seems to be passed through `mobyconfig`, by reading the `daemon.json` file.

Folks, any idea how to add .crt of registry to system on Mac?
I mean, I added cert as usual - to system keychain etc - but docker daemon still insists
x509: certificate signed by unknown authority

@kabae Did you copy your certs into the VM?

@gesellix Oh… Not quite… There a document to get familiar with concepts of this thing?

I wouldn’t call it a document as in “documentation”, and as far as I know it won’t survive VM restarts :wink:
But you might give this one a try: Adding (self signed) certificates

That’s some hack. Thanks :slight_smile:

@kabae you might be able to use the method I describe above for setting the insecure registry, to set you ca cert.

Check out the options you can set in the daemon.json file here

There is an option for tlscacert which I believe takes the path to the cert.

I haven’t tried this myself so I’m don’t know if this will work.

Thanks @theverything, I’m afraid the moment I do ‘set’ for config - my Mac will go reboot (already happened few times, hehe, saw a thread here).
Anyway, beta is beta. But thanks a lot for guiding.

Nice info.

People are facing issues with “localhost”, and on the current release (beta 9) the “hostnet” is the default (no NAT). There is a typical case where people are running a “registry:2” locally and want to tag/push images downloaded in order not to pull them again from Docker Hub even after resetting Docker for Mac.

This used to be very simple:

docker pull nginx
docker tag localhost:5000/nginx
docker push localhost:5000/nginx 

Well, we must remember that “docker pull” is a daemon thing, so the host part of the registry must make sense inside the VM.

At your Mac terminal the line below returns the expected “{}” response, but not if you run it inside the VM:

curl localhost:5000/v2/

Inside the VM only the IPs assigned to “docker0” and “eth0” work:


I managed to pull it of tagging the images a bit differently:

docker pull busybox
docker tag
docker push 

Of course, I had to do the “pinata set daemon” just like @theverything described, but declaring “” as insecure (NOT localhost:5000).

Other engines on different machines in your LAN can still pull images from your registry, using whatever name or IP your host is known for, but they will also have to do the same “pinata set daemon” (with the proper name, and NOT and NOT localhost).

If you are feeling brave you can also try a different setup:

  1. pull the registry from hub
  2. run the registry locally on mirror mode (try another port, say, 5050, if you know how to do it)
    3, set the engine with the “registry-mirror” option (same “pinata set daemon” technique, entry is named “registry-mirrors”):
  1. Restart Docker app (this is a VM reboot)
  2. Other machines on the LAN can do the same, but using your host IP/hostname when setting engine options

With this setting everyone can “docker pull” at will with normal names (no need for tagging), your registry is caching everything.


Does Docker for Mac support v1 insecure registries?

Yup, it’s in an example above, insecure-registries. Just make sure you use an ip address that the docker server can access, localhost does not seem to work.

$ pinata set daemon '{"storage-driver":"aufs","debug":true,"insecure-registries":[""]}'

In my case it’s the Docker for Mac internal ip address.

$ pinata list | grep docker-ipv4
*  network = hostnet (docker-ipv4=, host-ipv4=

Run your registry as you normally would, e.g.:

$ docker run -d -p 5000:5000 --restart=always --name registry registry:2
1 Like

Then my problem:

Error response from daemon: invalid registry endpoint "http://docker-registry:80/v1/". HTTPS attempt: Get https://docker-registry:80/v1/_ping: dial tcp: lookup docker-registry on server misbehaving. HTTP attempt: Get http://docker-registry:80/v1/_ping: dial tcp: lookup docker-registry on server misbehaving

Must be the infamous /etc/resolv.conf issue. With boot2docker or the toolbox I would have ssh’d to the docker machine and added the necessary entries. How do I do that same thing with Docker for Mac?

In lieu of sshing to the docker machine, you can access the tty directly with a program like screen. e.g:

$ screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty

From there you can login as root (no password) and modify /etc/hosts. Modifying /etc/resolv.conf is a fruitless effort because this file seems to be continuously overwritten at very regular intervals.


The latest Docker for Mac betas use certs from the macOS:

  1. Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options: Store location. local machine. Place all certificates in the following store. …
  2. Click Browser and select Trusted Root Certificate Authorities.
  3. Click Finish. Restart Docker.


Thanks jack421 for the ans i was looking for the same problem.please share thease all essential knowledge like this with will be very helpful for us.adobe photoshop

You have to set it to Docker Machine’s / Boot2Docker profile file: docker-machine ssh <machine name>

nice info.

Thanks @theverything, I’m afraid the moment I do ‘set’ for config.