forked from TrueCloudLab/distribution
b588970105
* Update fedora.md add warning class to blogquote * Update linux-postinstall.md add warning class to blogquote * Update ubuntu.md add warning class to blogquote * Update https.md add warning class to blogquote * Update swarm_manager_locking.md add warning class to blogquote * Update dockerlinks.md add warning class to blogquote * Update deploying.md add warning class to blogquote * Update deploying.md add warning class to blogquote * Update insecure.md add warning class to blogquote * Update discovery.md add warning class to blogquote * Update dockerd.yaml add warning class to blogquote * Update docker_secret_rm.yaml add warning class to blogquote * Update docker_service_rm.yaml add warning class to blogquote * Update docker_secret_rm.yaml add warning class to blogquote * Update scale-your-cluster.md add warning class to blogquote * Update resource_constraints.md add warning class to blogquote * Update binaries.md add warning class to blogquote * Update content_trust.md add warning class to blogquote * Update secrets.md add warning class to blogquote * Update index.md add warning class to blogquote * Update install-sandbox-2.md add warning class to blogquote * Update docker-toolbox.md add warning class to blogquote * Update index.md add warning class to blogquote * Update centos.md add warning class to blogquote * Update debian.md add warning class to blogquote * Update faqs.md add linebreak after Looking for popular FAQs on Docker for Windows? * Update install.md add linebreake after **Already have Docker for Windows?** * Revert "Update dockerd.yaml" This reverts commit 3a98eb86f700ade8941483546c33f69a9dab8ac3. * Revert "Update docker_secret_rm.yaml" This reverts commit 5dc1e75f37033932486c11287052b7d64bf83e55. * Revert "Update docker_service_rm.yaml" This reverts commit a983380a5625b471f1a03f8ed2301ead72f98f1b. * Revert "Update docker_secret_rm.yaml" This reverts commit 4c454b883c300e26fbb056b954bb49ec2933b172.
114 lines
3.8 KiB
Markdown
114 lines
3.8 KiB
Markdown
---
|
|
description: Deploying a Registry in an insecure fashion
|
|
keywords: registry, on-prem, images, tags, repository, distribution, insecure
|
|
title: Test an insecure registry
|
|
---
|
|
|
|
While it's highly recommended to secure your registry using a TLS certificate
|
|
issued by a known CA, you may alternatively decide to use self-signed
|
|
certificates, or even use your registry over plain http.
|
|
|
|
You have to understand the downsides in doing so, and the extra burden in
|
|
configuration.
|
|
|
|
## Deploying a plain HTTP registry
|
|
|
|
> **Warning**:
|
|
> it's not possible to use an insecure registry with basic authentication.
|
|
{:.warning}
|
|
|
|
This basically tells Docker to entirely disregard security for your registry.
|
|
While this is relatively easy to configure the daemon in this way, it is
|
|
**very** insecure. It does expose your registry to trivial MITM. Only use this
|
|
solution for isolated testing or in a tightly controlled, air-gapped
|
|
environment.
|
|
|
|
1. Open the `/etc/default/docker` file or `/etc/sysconfig/docker` for editing.
|
|
|
|
Depending on your operating system, your Engine daemon start options.
|
|
|
|
2. Edit (or add) the `DOCKER_OPTS` line and add the `--insecure-registry` flag.
|
|
|
|
This flag takes the URL of your registry, for example.
|
|
|
|
`DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"`
|
|
|
|
3. Close and save the configuration file.
|
|
|
|
4. Restart your Docker daemon
|
|
|
|
The command you use to restart the daemon depends on your operating system.
|
|
For example, on Ubuntu, this is usually the `service docker stop` and `service
|
|
docker start` command.
|
|
|
|
5. Repeat this configuration on every Engine host that wants to access your registry.
|
|
|
|
|
|
## Using self-signed certificates
|
|
|
|
> **Warning**:
|
|
> using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker (see below)
|
|
{:.warning}
|
|
|
|
This is more secure than the insecure registry solution. You must configure every docker daemon that wants to access your registry
|
|
|
|
1. Generate your own certificate:
|
|
|
|
mkdir -p certs && openssl req \
|
|
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
|
|
-x509 -days 365 -out certs/domain.crt
|
|
|
|
2. Be sure to use the name `myregistrydomain.com` as a CN.
|
|
|
|
3. Use the result to [start your registry with TLS enabled](./deploying.md#get-a-certificate)
|
|
|
|
4. Instruct every docker daemon to trust that certificate.
|
|
|
|
This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`.
|
|
|
|
5. Don't forget to restart the Engine daemon.
|
|
|
|
## Troubleshooting insecure registry
|
|
|
|
This sections lists some common failures and how to recover from them.
|
|
|
|
### Failing...
|
|
|
|
Failing to configure the Engine daemon and trying to pull from a registry that is not using
|
|
TLS will results in the following message:
|
|
|
|
```none
|
|
FATA[0000] Error response from daemon: v1 ping attempt failed with error:
|
|
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
|
|
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add
|
|
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
|
|
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
|
|
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
|
|
```
|
|
|
|
### Docker still complains about the certificate when using authentication?
|
|
|
|
When using authentication, some versions of Docker also require you to trust the
|
|
certificate at the OS level.
|
|
|
|
#### Ubuntu
|
|
|
|
```bash
|
|
$ cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
|
|
update-ca-certificates
|
|
```
|
|
|
|
#### Red Hat Enterprise Linux
|
|
|
|
```bash
|
|
cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
|
|
update-ca-trust
|
|
```
|
|
|
|
#### Oracle Linux
|
|
|
|
```bash
|
|
$ update-ca-trust enable
|
|
```
|
|
|
|
Restart Docker for the changes to take effect.
|