Docker Community Forums


Insecure registry


(Osmorgan) #1

Hi all. Is there a way of specifying a whitelist of insecure registries in the beta version?

Thanks!
Owen


(Frenchben) #2

How did you previously have them setup in the old VBox VM?


(Osmorgan) #3

Hello, I would create a machine with a --engine-insecure-registry flag.

On Linux, there is a file that allows you to add DOCKER_OPTS… not sure where that lives on the native Mac version…


(Justin Cormack) #4

Sorry at the moment we only support the options in the daemon.json file, which does not include --insecure-registry. We would recommend you get a certificate for your registry as a workaround - a free one from letsencrypt should be fine.


(Snikifor) #5

Just to confirm, the location of certs is:

/etc/docker/certs.d/$REGISTRY_NAME/ca.crt

Is it possible to add these so they exist/persist on the FS – they need to be added initially or anytime I restart the Docker.app.

Any guidance on how/where to build a custom version (or if it’s possible to commit them) would be greatly appreciated!


(Yingjunjiao) #6

How do I configure the certificate?


(Fridder) #7

So with the release of 1.11 I was able to set it via pinata, something à la {"storage-driver":"aufs","debug":true,"insecure-registries":["<regurl>"]}


(andrew morton) #8

@fridder could you spell out that process in a little more detail for someone who’s a total noob?


(andrew morton) #9

Oh, did some more googling for pinata and found https://marconijr.com/post/trying-out-docker-beta-for-osx/

Another thing I noticed is that Docker for Mac comes with a command called pinata, which is used to manage your Docker configuration. Here’s how you might set an insecure-registry:

pinata set daemon @docker-daemon.json

Where docker-daemon.json:

{
  "storage-driver": "aufs",
  "debug": true,
  "insecure-registry": "my-custom-register.com"
}

You can retrieve the changes using:

pinata get daemon
{"storage-driver":"aufs","debug":true,"insecure-registry":"my-custom-register.com"}

Update: While this lets you set the option it doesn’t seem to affect docker’s behavior.


(Drew Wells) #10

Since --insecure-registry is not supported, would it be possible to configure a local registry that caches/proxies calls to another insecure registry? It looks like by default it accepts invalid certs on localhost, so an insecure local registry can be talked to.


(andrew morton) #11

Yeah this change is turning out to be a real PITA. We’ve got an internal CA for all our development certs. Our ops team isn’t really into switching to an external cert when the internal one is working fine for everything else.

Could you please provide some instructions on how to add that cert to the list docker is using?


(andrew morton) #12

Eventually I found this thread: Adding (self signed) certificates

The TL;DR is:

screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty

Login as root, then create a directory for the cert and copy it from your local file system:

mkdir -p /etc/docker/certs.d/example.com:1234 && cp /Users/foo/YOUR_CERT.crt /etc/docker/certs.d/example.com:1234/ca.crt

But as noted you’ll need to redo this every time you restart Docker.app before you can pull from the registry.
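The manual steps in post #12 (and the certs.d path confirmed in post #5) as a small POSIX shell script, added here as an example and not code from the thread or from Docker. It installs a registry CA into /etc/docker/certs.d/<host[:port]>/ca.crt, which keeps TLS verification on instead of falling back to an insecure-registry entry, and refuses input that would silently fail or leak a key: a directory name with a scheme or path (Docker matches the directory against the host:port in the image reference), a non-PEM file, or a file that also contains a private key. The optional third argument is an assumption for testing outside the VM; the default base directory and the example host example.com:1234 are taken from the thread.

```shell
#!/bin/sh
# Added example: install a registry CA into Docker's per-registry trust
# directory (/etc/docker/certs.d/<host[:port]>/ca.crt). Run inside the
# Docker for Mac VM after attaching with `screen` as in post #12.
# The optional base-dir argument is an assumption so the function can be
# exercised against a scratch directory.

# Usage: install_registry_ca <host[:port]> <path-to-ca.crt> [base-dir]
# Returns 0 on success, 1 on a usage or validation error.
install_registry_ca() {
    registry="$1"
    cert="$2"
    base="${3:-/etc/docker/certs.d}"

    if [ -z "$registry" ] || [ -z "$cert" ]; then
        echo "usage: install_registry_ca <host[:port]> <ca.crt> [base-dir]" >&2
        return 1
    fi

    # The directory name must be exactly the host (and port) used in the
    # image reference, e.g. example.com:1234; a scheme or path would never match.
    case "$registry" in
        */*)
            echo "registry must be host[:port] without scheme or path: $registry" >&2
            return 1 ;;
    esac

    if [ ! -r "$cert" ]; then
        echo "cannot read certificate: $cert" >&2
        return 1
    fi

    # ca.crt must be PEM; a DER file or a key copied by mistake is refused.
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then
        echo "not a PEM certificate: $cert" >&2
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "refusing to install a file that contains a private key: $cert" >&2
        return 1
    fi

    dest="$base/$registry"
    mkdir -p "$dest" || return 1
    cp "$cert" "$dest/ca.crt" || return 1
    chmod 0644 "$dest/ca.crt"
    echo "installed $dest/ca.crt"
}

# Check whether a CA is in place for a registry; post #12 notes the VM loses
# the file on a Docker.app restart, so this is the check to run before pulling.
# Usage: registry_ca_installed <host[:port]> [base-dir]
registry_ca_installed() {
    base="${2:-/etc/docker/certs.d}"
    [ -s "$base/$1/ca.crt" ] && grep -q 'BEGIN CERTIFICATE' "$base/$1/ca.crt"
}
```

Inside the VM the call is `install_registry_ca example.com:1234 /Users/foo/YOUR_CERT.crt`, matching the mkdir/cp pair in post #12; after a restart, `registry_ca_installed example.com:1234` tells you whether it has to be repeated.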


(Tobias Gesellchen) #13

There’s an update to the manual process, see Adding (self signed) certificates.


(andrew morton) #14

I did see that but it seemed like overkill since I don’t need to generate certs, I just need to get an existing one into the VM. So for now the manual process is a sufficient workaround.