How to run an insecure-registry

Only to confirm your observation: the init script for docker contains the following code:

```
if mobyconfig exists insecure-registry
then
	DOCKER_OPTS="${DOCKER_OPTS} --insecure-registry $(mobyconfig get insecure-registry)"
fi
```

So, in contrast to other statements in the forum, the `insecure-registry` setting seems to be passed through `mobyconfig`, by reading the `daemon.json` file.

Folks, any idea how to add .crt of registry to system on Mac?
I mean, I added cert as usual - to system keychain etc - but docker daemon still insists
x509: certificate signed by unknown authority

@kabae Did you copy your certs into the VM?

@gesellix Oh… Not quite… Is there a document to get familiar with the concepts of this thing?

I wouldn’t call it a document as in “documentation”, and as far as I know it won’t survive VM restarts :wink:
But you might give this one a try: Adding (self signed) certificates

That’s some hack. Thanks :slight_smile:

@kabae you might be able to use the method I describe above for setting the insecure registry to set your CA cert.

Check out the options you can set in the daemon.json file here https://docs.docker.com/engine/reference/commandline/daemon/#daemon-configuration-file

There is an option for tlscacert which I believe takes the path to the cert.

I haven’t tried this myself so I don’t know if this will work.

Thanks @theverything, I’m afraid the moment I do ‘set’ for config - my Mac will go reboot (already happened few times, hehe, saw a thread here).
Anyway, beta is beta. But thanks a lot for guiding.

Nice info.

People are facing issues with “localhost”, and on the current release (beta 9) the “hostnet” is the default (no NAT). There is a typical case where people are running a “registry:2” locally and want to tag/push images downloaded in order not to pull them again from Docker Hub even after resetting Docker for Mac.

This used to be very simple:

```
docker pull nginx
docker tag nginx localhost:5000/nginx
docker push localhost:5000/nginx
```

Well, we must remember that “docker pull” is a daemon thing, so the host part of the registry must make sense inside the VM.

At your Mac terminal the line below returns the expected “{}” response, but not if you run it inside the VM:

```
curl localhost:5000/v2/
```

Inside the VM only the IPs assigned to “docker0” and “eth0” work:

```
curl 192.168.65.2:5000/v2/
curl 172.17.0.1:5000/v2/
```

I managed to pull it off by tagging the images a bit differently:

```
docker pull busybox
docker tag busybox 192.168.65.2:5000/busybox
docker push 192.168.65.2:5000/busybox
```

Of course, I had to do the “pinata set daemon” just like @theverything described, but declaring “192.168.65.2:5000” as insecure (NOT localhost:5000).

Other engines on different machines in your LAN can still pull images from your registry, using whatever name or IP your host is known for, but they will also have to do the same “pinata set daemon” (with the proper name, and NOT 192.168.65.2 and NOT localhost).

If you are feeling brave you can also try a different setup:

  1. Pull the registry from hub
  2. Run the registry locally in mirror mode (try another port, say, 5050, if you know how to do it)
  3. Set the engine with the “registry-mirror” option (same “pinata set daemon” technique, entry is named “registry-mirrors”):
     ```
     {"storage-driver":"aufs","debug":true,"registry-mirrors":["http://192.168.65.2:5050"]}
     ```
  4. Restart Docker app (this is a VM reboot)
  5. Other machines on the LAN can do the same, but using your host IP/hostname when setting engine options

With this setting everyone can “docker pull” at will with normal names (no need for tagging), your registry is caching everything.

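An added example, not code from any poster in this thread: a small audit of a `daemon.json` that reports which registries the daemon will talk to without verified TLS and which mirrors are fetched over plain HTTP. The sample file is constructed from the settings quoted in the thread; the `10.0.0.0/8` and `example.com` entries are made up to exercise every branch.

```python
import ipaddress
import json

# Constructed sample: the settings quoted in this thread merged into one file,
# plus made-up entries (10.0.0.0/8, *.example.com) to exercise every branch.
SAMPLE_DAEMON_JSON = """
{"storage-driver": "aufs", "debug": true,
 "insecure-registries": ["192.168.65.2:5000", "localhost:5000",
                         "127.0.0.0/8", "10.0.0.0/8",
                         "registry.example.com:5000"],
 "registry-mirrors": ["http://192.168.65.2:5050",
                      "https://mirror.example.com"]}
"""


def classify_insecure_entry(entry):
    """Label how much of the network one insecure-registries entry exempts
    from TLS verification. Handles IPv4, hostnames and CIDR blocks only."""
    if "/" in entry:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return "invalid"
        # 127.0.0.0/8 is treated as insecure by the daemon by default.
        return "loopback-range" if net.network_address.is_loopback else "cidr-range"
    host = entry.rsplit(":", 1)[0]  # drop an optional :port
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # trust now depends on DNS as well
    if ip.is_loopback:
        return "loopback"
    return "private-ip" if ip.is_private else "public-ip"


def audit_daemon_config(text):
    """Return (setting, value, label) tuples for every TLS exemption found."""
    cfg = json.loads(text)
    findings = [("insecure-registry", e, classify_insecure_entry(e))
                for e in cfg.get("insecure-registries", [])]
    findings += [("registry-mirror", url, "plaintext-http")
                 for url in cfg.get("registry-mirrors", [])
                 if url.lower().startswith("http://")]
    return findings


if __name__ == "__main__":
    for setting, value, label in audit_daemon_config(SAMPLE_DAEMON_JSON):
        print(f"{setting:18} {value:28} {label}")
```

Entries labelled `cidr-range`, `hostname` or `public-ip` deserve the closest look, since they exempt traffic that leaves the machine from certificate checks.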

Does Docker for Mac support v1 insecure registries?

Yup, it’s in an example above, insecure-registries. Just make sure you use an ip address that the docker server can access, localhost does not seem to work.

```
$ pinata set daemon '{"storage-driver":"aufs","debug":true,"insecure-registries":["192.168.65.2:5000"]}'
```

In my case it’s the Docker for Mac internal ip address.

```
$ pinata list | grep docker-ipv4
*  network = hostnet (docker-ipv4=192.168.65.2, host-ipv4=192.168.65.1)
```

Run your registry as you normally would, e.g.:

```
$ docker run -d -p 5000:5000 --restart=always --name registry registry:2
```

Then my problem:

Error response from daemon: invalid registry endpoint "http://docker-registry:80/v1/". HTTPS attempt: Get https://docker-registry:80/v1/_ping: dial tcp: lookup docker-registry on 192.168.65.1:53: server misbehaving. HTTP attempt: Get http://docker-registry:80/v1/_ping: dial tcp: lookup docker-registry on 192.168.65.1:53: server misbehaving

Must be the infamous /etc/resolv.conf issue. With boot2docker or the toolbox I would have ssh’d to the docker machine and added the necessary entries. How do I do that same thing with Docker for Mac?

In lieu of sshing to the docker machine, you can access the tty directly with a program like screen, e.g.:

```
$ screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty
```

From there you can login as root (no password) and modify /etc/hosts. Modifying /etc/resolv.conf is a fruitless effort because this file seems to be continuously overwritten at very regular intervals.


The latest Docker for Mac betas use certs from the macOS: https://docs.docker.com/docker-for-mac/faqs/#/how-do-i-add-custom-ca-certificates

  1. Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options: Store location. local machine. Place all certificates in the following store. …
  2. Click Browser and select Trusted Root Certificate Authorities.
  3. Click Finish. Restart Docker.


Thanks jack421 for the answer, I was looking into the same problem. Please share all essential knowledge like this with us. It will be very helpful for us.

You have to set it to Docker Machine’s / Boot2Docker profile file: docker-machine ssh <machine name>


Hi, I am trying to run an insecure-registry, and when I try to create the registry pod using a YAML file I am seeing the error below:

Failed to pull image “127.0.0.1:5000/my-ubuntu”: rpc error: code = Unknown desc = Error response from daemon: received unexpected HTTP status: 502 Bad Gateway

Can anyone help me in resolving this issue?

I have added the required entries in the config files to make the registry insecure and could see the same in the output of docker version.


```
Experimental: false
Insecure Registries:
127.0.0.1:5000
127.0.0.0/8
Live Restore Enabled: false
```