Is there a preferred way of adding custom registry certificates into docker-machines? Certificates have to be placed into /etc/docker/certs.d/<hostname>/ca.crt (as described in https://docs.docker.com/articles/certificates/). Unfortunately /etc/docker is owned by root, so docker-machine scp cannot be used (because it runs as docker).
My current solution is to pipe the contents of the certificate (and a mkdir command) to docker-machine ssh, but it is a bit ugly, and these changes are lost whenever docker-machine restarts.
echo "sudo mkdir -p /etc/docker/certs.d/my-registry.com; \
echo "\""$(cat ~/certs/my-registry.crt)"\"" | \
sudo tee -a /etc/docker/certs.d/my-registry.com/ca.crt" \
| docker-machine ssh my-machine
Is there a better solution / how can I persist these changes? Could something be added as an option to docker-machine create (to be consistent with --engine-insecure-registry) and/or as an additional command?
After re-reading the boot2docker docs(!), I can make the certificate survive machine restarts by copying it as a .pem file to /var/lib/boot2docker/certs (though again this is owned by root, so I have to use docker-machine ssh). This works ok, but needs a restart to do the copy (though that could probably be avoided if my initial suggestion of copying the certificate into /etc/docker/certs.d/<hostname>/ca.crt was used as well).
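Added example, not part of the original posts: one script that writes the certificate to both locations named above, /etc/docker/certs.d/<hostname>/ca.crt for the running daemon and /var/lib/boot2docker/certs/<hostname>.pem so it survives a restart, and is piped to docker-machine ssh the same way as the original command. The function names are hypothetical; it assumes, as the post above says, that boot2docker picks up .pem files from /var/lib/boot2docker/certs at boot.

```shell
#!/bin/sh
# Added example (not from the thread). Machine name, registry host and
# certificate path are caller-supplied; the paths are the ones named above.

# Accept only hostname[:port] characters, so the value cannot leave
# certs.d (no "/" or "..") or inject shell syntax into the remote script.
valid_registry() {
    case "$1" in
        ""|.*|*..*|*[!A-Za-z0-9.:-]*) return 1 ;;
    esac
    return 0
}

# Accept only PEM certificate lines: BEGIN/END markers and base64 text.
valid_pem() {
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    ! grep -Evq '^(-----(BEGIN|END) CERTIFICATE-----|[A-Za-z0-9+/=]+)$' "$1"
}

# Print the script to run on the machine. The quoted heredoc delimiter
# keeps the remote shell from expanding anything inside the certificate.
build_install_script() {
    registry=$1 cert=$2
    valid_registry "$registry" || { echo "bad registry name" >&2; return 1; }
    valid_pem "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    live=/etc/docker/certs.d/$registry
    keep=/var/lib/boot2docker/certs
    printf 'set -e\n'
    printf 'sudo mkdir -p "%s" "%s"\n' "$live" "$keep"
    # tee without -a: re-running replaces the file instead of appending.
    printf 'sudo tee "%s/ca.crt" >/dev/null <<'\''PEM_EOF'\''\n' "$live"
    cat "$cert"
    printf 'PEM_EOF\n'
    printf 'sudo cp "%s/ca.crt" "%s/%s.pem"\n' "$live" "$keep" "$registry"
}

# Pipe the script to the machine's shell, as the original command did.
install_registry_ca() {
    script=$(build_install_script "$2" "$3") || return 1
    printf '%s\n' "$script" | docker-machine ssh "$1"
}

# Usage: sh install-ca.sh my-machine my-registry.com ~/certs/my-registry.crt
if [ "$#" -eq 3 ]; then install_registry_ca "$@"; fi
```

Running build_install_script on its own prints the remote script, so it can be reviewed before anything is sent to the machine.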
It’s an old issue, but what did you land on? Any improved experience?
It’s slightly confusing because docker-machine on create says:
Provisioning with boot2docker...
Copying certs to the local machine directory...
Copying certs to the remote machine...
but it’s not clear what certs those are. I expected the certs on my host to be present in /etc/docker/certs.d/, but as you noted, they are not, and I had to manually create them.
This pops up very prominently on Google when looking for “docker machine custom registry” so I figure it’d be very good to have a relevant answer in here.
Anyone have an answer to this? I am looking for the solution myself.