distribution/docs/insecure.md
Lenny Linux b588970105 add warning class and a linebreake to the warning blogquote (#2937)
* Update fedora.md

add warning class to blogquote

* Update linux-postinstall.md

add warning class to blogquote

* Update ubuntu.md

add warning class to blogquote

* Update https.md

add warning class to blogquote

* Update swarm_manager_locking.md

add warning class to blogquote

* Update dockerlinks.md

add warning class to blogquote

* Update deploying.md

add warning class to blogquote

* Update deploying.md

add warning class to blogquote

* Update insecure.md

add warning class to blogquote

* Update discovery.md

add warning class to blogquote

* Update dockerd.yaml

add warning class to blogquote

* Update docker_secret_rm.yaml

add warning class to blogquote

* Update docker_service_rm.yaml

add warning class to blogquote

* Update docker_secret_rm.yaml

add warning class to blogquote

* Update scale-your-cluster.md

add warning class to blogquote

* Update resource_constraints.md

add warning class to blogquote

* Update binaries.md

add warning class to blogquote

* Update content_trust.md

add warning class to blogquote

* Update secrets.md

add warning class to blogquote

* Update index.md

add warning class to blogquote

* Update install-sandbox-2.md

add warning class to blogquote

* Update docker-toolbox.md

add warning class to blogquote

* Update index.md

add warning class to blogquote

* Update centos.md

add warning class to blogquote

* Update debian.md

add warning class to blogquote

* Update faqs.md

add linebreak after Looking for popular FAQs on Docker for Windows?

* Update install.md

add linebreake after **Already have Docker for Windows?**

* Revert "Update dockerd.yaml"

This reverts commit 3a98eb86f700ade8941483546c33f69a9dab8ac3.

* Revert "Update docker_secret_rm.yaml"

This reverts commit 5dc1e75f37033932486c11287052b7d64bf83e55.

* Revert "Update docker_service_rm.yaml"

This reverts commit a983380a5625b471f1a03f8ed2301ead72f98f1b.

* Revert "Update docker_secret_rm.yaml"

This reverts commit 4c454b883c300e26fbb056b954bb49ec2933b172.
2017-04-25 11:33:27 -07:00

3.8 KiB

description keywords title
Deploying a Registry in an insecure fashion registry, on-prem, images, tags, repository, distribution, insecure Test an insecure registry

While it's highly recommended to secure your registry using a TLS certificate issued by a known CA, you may alternatively decide to use self-signed certificates, or even use your registry over plain http.

You have to understand the downsides in doing so, and the extra burden in configuration.

Deploying a plain HTTP registry

Warning

: it's not possible to use an insecure registry with basic authentication. {:.warning}

This basically tells Docker to entirely disregard security for your registry. While this is relatively easy to configure the daemon in this way, it is very insecure. It does expose your registry to trivial MITM. Only use this solution for isolated testing or in a tightly controlled, air-gapped environment.

  1. Open the /etc/default/docker file or /etc/sysconfig/docker for editing.

    Depending on your operating system, your Engine daemon start options.

  2. Edit (or add) the DOCKER_OPTS line and add the --insecure-registry flag.

    This flag takes the URL of your registry, for example.

    DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"

  3. Close and save the configuration file.

  4. Restart your Docker daemon

    The command you use to restart the daemon depends on your operating system. For example, on Ubuntu, this is usually the service docker stop and service docker start command.

  5. Repeat this configuration on every Engine host that wants to access your registry.

Using self-signed certificates

Warning

: using this along with basic authentication requires to also trust the certificate into the OS cert store for some versions of docker (see below) {:.warning}

This is more secure than the insecure registry solution. You must configure every docker daemon that wants to access your registry

  1. Generate your own certificate:

     mkdir -p certs && openssl req \
       -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
       -x509 -days 365 -out certs/domain.crt
    
  2. Be sure to use the name myregistrydomain.com as a CN.

  3. Use the result to start your registry with TLS enabled

  4. Instruct every docker daemon to trust that certificate.

    This is done by copying the domain.crt file to /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt.

  5. Don't forget to restart the Engine daemon.

Troubleshooting insecure registry

This sections lists some common failures and how to recover from them.

Failing...

Failing to configure the Engine daemon and trying to pull from a registry that is not using TLS will results in the following message:

FATA[0000] Error response from daemon: v1 ping attempt failed with error:
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt

Docker still complains about the certificate when using authentication?

When using authentication, some versions of Docker also require you to trust the certificate at the OS level.

Ubuntu

$ cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
update-ca-certificates

Red Hat Enterprise Linux

cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
update-ca-trust

Oracle Linux

$ update-ca-trust enable

Restart Docker for the changes to take effect.