Installing custom registry certificates with docker-machine

Is there a preferred way of adding custom registry certificates into docker-machines? Certificates have to be placed into /etc/docker/certs.d/<hostname>/ca.crt (as described in https://docs.docker.com/articles/certificates/). Unfortunately /etc/docker is owned by root, so docker-machine scp cannot be used (because it runs as docker).

My current solution is to pipe the contents of the certificate (and a mkdir command) to docker-machine ssh, but it is a bit ugly, and these changes are lost whenever docker-machine restarts.

echo "sudo mkdir -p /etc/docker/certs.d/my-registry.com; \
   echo "\""$(cat ~/certs/my-registry.crt)"\"" | \
   sudo tee -a /etc/docker/certs.d/my-registry.com/ca.crt" \
   | docker-machine ssh my-machine

Is there a better solution / how can I persist these changes? Could something be added as an option to docker-machine create (to be consistent with --engine-insecure-registry) and/or as an additional command?

After re-reading the boot2docker docs(!), I can make the certificate survive machine restarts by copying it as a .pem file to /var/lib/boot2docker/certs (though again this is owned by root, so I have to use docker-machine ssh). This works ok, but needs a restart to do the copy (though that could probably be avoided if my initial suggestion of copying the certificate into /etc/docker/certs.d/<hostname>/ca.crt was used as well).

echo "sudo mkdir -p /var/lib/boot2docker/certs; \
   echo "\""$(cat ~/Dev/dockertest/certs/my-registry.com.crt)"\"" | \
   sudo tee -a /var/lib/boot2docker/certs/my-registry.com.pem" \
   | docker-machine ssh my-machine
docker-machine restart my-machine

Is there a better way?
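An added example, not the poster's script: a small POSIX sh helper that combines the two approaches from the post into one idempotent step, writing the CA into the live /etc/docker/certs.d/<hostname>/ca.crt (no restart needed) and into /var/lib/boot2docker/certs/<hostname>.pem (survives restarts), and checking the local file is actually a PEM certificate before it is shipped. The machine name, registry host and certificate path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a registry CA into a
# docker-machine (boot2docker) VM at both locations discussed in the thread.
set -eu

# Refuse anything that does not look like a PEM certificate, so a key, a CSR
# or a mistyped path is never installed into the VM as a trusted CA.
check_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Emit the script that will run inside the VM. The certificate body travels
# inside a quoted here-document, so no nested quoting is needed and nothing
# in it is expanded remotely. Plain `tee` (not `tee -a`) keeps re-runs from
# appending duplicate copies of the certificate.
remote_install_script() {
  host="$1"        # registry hostname as used in image names
  cert_file="$2"   # local PEM file with the registry's CA certificate
  check_pem_cert "$cert_file" || {
    echo "not a PEM certificate: $cert_file" >&2
    return 1
  }
  cat <<EOF
set -e
# Live location: the running daemon reads this without a restart.
sudo mkdir -p /etc/docker/certs.d/$host
sudo tee /etc/docker/certs.d/$host/ca.crt >/dev/null <<'CERT'
$(cat "$cert_file")
CERT
# Persistent location: boot2docker re-installs *.pem from here on boot.
sudo mkdir -p /var/lib/boot2docker/certs
sudo cp /etc/docker/certs.d/$host/ca.crt /var/lib/boot2docker/certs/$host.pem
EOF
}

# Pipe the generated script into the machine's shell (needs sudo in the VM).
install_registry_cert() {
  remote_install_script "$2" "$3" | docker-machine ssh "$1"
}

# Usage (placeholder names):
#   install_registry_cert my-machine my-registry.com ~/certs/my-registry.crt
```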


It’s an old issue, but what did you land on? Any improved experience?

It’s slightly confusing because docker-machine on create says:

Provisioning with boot2docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...

but it’s not clear what certs those are. I expected the certs on my host to be present in /etc/docker/certs.d/, but as you noted, they are not, and I had to manually create them.

I will go ahead and necro this, sorry everyone.

This pops up very prominently on google when looking for “docker machine custom registry” so I figure it’d be very good to have a relevant answer in here.

Anyone have an answer to this? I am looking for the solution myself.