Hi all. Is there a way of specifying a whitelist of insecure registries in the beta version?
Thanks!
Owen
How did you previously have them setup in the old VBox VM?
Hello, I would create a machine with a --engine-insecure-registry flag.
On Linux, there is a file that allows you to add DOCKER_OPTS… not sure where that lives on the native Mac version…
Sorry, at the moment we only support the options in the daemon.json file, which does not include --insecure-registry. We would recommend you get a certificate for your registry as a workaround - a free one from letsencrypt should be fine.
Just to confirm, the location of certs is:
/etc/docker/certs.d/$REGISTRY_NAME/ca.crt
Is it possible to add these so they exist/persist on the FS – they need to be added initially or anytime I restart the Docker.app.
Any guidance on how/where to build a custom version (or if it’s possible to commit them) would be greatly appreciated!
How do I configure the certificate?
So with the release on 1.11 I was able to set it via pinata. Something ala {"storage-driver":"aufs","debug":true,"insecure-registries":["<regurl>"]}
Oh, did some more googling for pinata and found Trying out Docker Beta for OSX
Another thing I noticed is that Docker for Mac comes with a command called pinata, which is used to manage your Docker configuration. Here’s how you might set an insecure-registry:
pinata set daemon @docker-daemon.json
Where docker-daemon.json:
{ "storage-driver": "aufs", "debug": true, "insecure-registry": "my-custom-register.com" }
You can retrieve the changes using:
pinata get daemon
{"storage-driver":"aufs","debug":true,"insecure-registry":"my-custom-register.com"}
Update: While this lets you set the option it doesn’t seem to affect docker’s behavior.
Since --insecure-registry is not supported, would it be possible to configure a local registry that cache/proxies calls to another insecure registry? It looks like by default it accepts invalid certs on localhost, so insecure local registry can be talked to.
Yeah this change is turning out to be a real PITA. We’ve got an internal CA for all our development certs. Our ops team isn’t really into switching to an external cert when the internal one is working fine for everything else.
Could you please provide some instructions on how to add that cert to the list docker is using?
Eventually I found this thread: Adding (self signed) certificates
The TL;DR is:
screen ~/Library/Containers/com.docker.docker/Data/com.docker.driver.amd64-linux/tty
Login as root, then create a directory for the cert and copy it from your local file system:
mkdir -p /etc/docker/certs.d/example.com:1234 && cp /Users/foo/YOUR_CERT.crt /etc/docker/certs.d/example.com:1234/ca.crt
But as noted you’ll need to redo this every time you restart Docker.app before you can pull from the registry.
I did see that but it seemed like overkill since I don’t need to generate certs, I just need to get an existing one into the VM. So for now the manual process is a sufficient workaround.
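The manual copy described above has to be repeated after each Docker.app restart. As an added example (not part of the thread and not Docker's own tooling), here is a re-runnable shell function that stages a CA certificate under the certs.d path quoted in the thread. The function name install_registry_ca and the CERTS_ROOT override are assumptions introduced here, and it is meant to be run as root inside the VM.

```shell
#!/bin/sh
# Added example, not from the thread. install_registry_ca and CERTS_ROOT
# are hypothetical names; the certs.d layout is the one quoted above.
#
# install_registry_ca REGISTRY CERT_FILE
#   REGISTRY   host or host:port, e.g. example.com:1234
#   CERT_FILE  PEM CA certificate to trust for that registry
# Returns 0 if installed or already current, non-zero otherwise.
install_registry_ca() {
    registry=$1
    cert=$2
    root=${CERTS_ROOT:-/etc/docker/certs.d}

    # The registry becomes a directory name, so allow only host[:port].
    # This rejects slashes, leading dots and URL schemes such as https://.
    case $registry in
        ''|.*|*[!A-Za-z0-9.:-]*)
            echo "invalid registry name: $registry" >&2; return 1 ;;
    esac
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }

    # Require a PEM certificate and refuse files that also carry a private
    # key: only the public CA certificate belongs in the VM.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert is not a PEM certificate" >&2; return 1; }
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "$cert contains a private key; refusing to copy" >&2
        return 1
    fi

    dest=$root/$registry/ca.crt
    # Idempotent, so it can be re-run after every Docker.app restart.
    if [ -f "$dest" ] && cmp -s "$cert" "$dest"; then
        return 0
    fi
    mkdir -p "$root/$registry" &&
        cp "$cert" "$dest" &&
        chmod 644 "$dest"
}

# Stand-alone use: sh install_ca.sh example.com:1234 /Users/foo/YOUR_CERT.crt
if [ "$#" -eq 2 ]; then
    install_registry_ca "$1" "$2"
fi
```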