* Update insecure.md
  Copied the "Windows" section from https://docs.docker.com/datacenter/dtr/2.2/guides/user/access-dtr/ and changed the deep link to the msdn documentation.
* Update insecure.md
  Link removed and updated the other one
* Remove mentions to DTR
| description | keywords | title |
|---|---|---|
| Deploying a Registry in an insecure fashion | registry, on-prem, images, tags, repository, distribution, insecure | Test an insecure registry |
While it's highly recommended to secure your registry using a TLS certificate issued by a known CA, you may alternatively decide to use self-signed certificates, or even use your registry over plain HTTP. You have to understand the downsides of doing so, and the extra burden in configuration.
## Deploying a plain HTTP registry

> **Warning**: it's not possible to use an insecure registry with basic authentication.
{:.warning}

This basically tells Docker to entirely disregard security for your registry. While it is relatively easy to configure the daemon in this way, it is very insecure: it exposes your registry to trivial man-in-the-middle (MITM) attacks. Only use this solution for isolated testing or in a tightly controlled, air-gapped environment.
1. Open the `/etc/default/docker` file or `/etc/sysconfig/docker` for editing. Which file exists depends on your operating system; it holds your Engine daemon start options.

2. Edit (or add) the `DOCKER_OPTS` line and add the `--insecure-registry` flag. This flag takes the URL of your registry, for example:

    ```
    DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"
    ```

3. Close and save the configuration file.

4. Restart your Docker daemon. The command you use to restart the daemon depends on your operating system. For example, on Ubuntu, this is usually the `service docker stop` and `service docker start` commands.

5. Repeat this configuration on every Engine host that wants to access your registry.
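The procedure above, scripted and audited, as an added example that is not part of the Docker documentation: it adds the flag to the `DOCKER_OPTS` line idempotently, lists which registries a daemon configuration marks insecure, and flags any registry for which a CA certificate already sits under `certs.d`, since trusting that CA is the better option wherever the registry serves HTTPS. The file paths, registry names and file contents are constructed sample values, and the quoted `DOCKER_OPTS="..."` form shown on the page is assumed.

```shell
#!/bin/sh
# Added example, not part of the Docker docs: manage and audit the
# --insecure-registry flag in an /etc/default/docker style file.
# All paths are parameters so the functions can run against a scratch copy;
# the registry names and file contents below are constructed sample values.

# add_insecure_registry FILE REGISTRY
# Appends "--insecure-registry REGISTRY" to the quoted DOCKER_OPTS line,
# creating the line if it is missing. Idempotent: does nothing if REGISTRY is
# already listed as "--insecure-registry REG" or "--insecure-registry=REG".
add_insecure_registry() {
  file=$1
  reg=$2
  if grep -qE -- "--insecure-registry[= ]$reg( |\"|$)" "$file" 2>/dev/null; then
    return 0
  fi
  if grep -q '^DOCKER_OPTS=' "$file" 2>/dev/null; then
    # Insert the flag before the closing quote of the existing line, then
    # drop the stray space left behind when DOCKER_OPTS was empty.
    sed -e "s|^DOCKER_OPTS=\"\(.*\)\"|DOCKER_OPTS=\"\1 --insecure-registry $reg\"|" \
        -e 's|^DOCKER_OPTS=" |DOCKER_OPTS="|' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf 'DOCKER_OPTS="--insecure-registry %s"\n' "$reg" >> "$file"
  fi
}

# list_insecure_registries FILE
# Prints every registry the daemon is told to treat as insecure, one per line.
list_insecure_registries() {
  grep '^DOCKER_OPTS=' "$1" 2>/dev/null | sed -e 's/^DOCKER_OPTS=//' -e 's/"//g' |
    awk '{
      for (i = 1; i <= NF; i++) {
        if ($i == "--insecure-registry" && i < NF) print $(i + 1)
        else if ($i ~ /^--insecure-registry=/) { sub(/^--insecure-registry=/, "", $i); print $i }
      }
    }'
}

# audit_registries FILE CERTS_D_ROOT
# For each registry marked insecure, report whether a CA certificate is
# already on file at CERTS_D_ROOT/<registry>/ca.crt. When it is, and the
# registry serves HTTPS with that CA, the flag is unnecessary and should be
# removed. Returns 1 if any such case is found so it can gate a CI check.
audit_registries() {
  rc=0
  for reg in $(list_insecure_registries "$1"); do
    if [ -f "$2/$reg/ca.crt" ]; then
      echo "$reg: marked insecure but $2/$reg/ca.crt exists; prefer trusting the CA over the flag"
      rc=1
    else
      echo "$reg: marked insecure, no CA certificate on file (plain HTTP or unknown CA)"
    fi
  done
  return $rc
}

# Demo on a scratch copy (constructed content, never the live /etc file).
work=$(mktemp -d)
cat > "$work/docker" <<'EOF'
# constructed sample of /etc/default/docker
DOCKER_OPTS="--log-level=info --insecure-registry=10.0.0.5:5000"
EOF
add_insecure_registry "$work/docker" myregistrydomain.com:5000
add_insecure_registry "$work/docker" myregistrydomain.com:5000   # no-op the second time
echo "resulting line:"; grep '^DOCKER_OPTS=' "$work/docker"
echo "insecure registries:"; list_insecure_registries "$work/docker"
mkdir -p "$work/certs.d/myregistrydomain.com:5000"
: > "$work/certs.d/myregistrydomain.com:5000/ca.crt"   # stand-in CA file for the audit
audit_registries "$work/docker" "$work/certs.d" || true
rm -rf "$work"
```

Run the audit against the real file with `audit_registries /etc/default/docker /etc/docker/certs.d` (or `/etc/sysconfig/docker`); a non-zero exit points at a host that could drop the flag in favour of the per-registry CA described in the next section.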
## Using self-signed certificates

> **Warning**: using this along with basic authentication requires you to also trust the certificate in the OS cert store for some versions of Docker (see below).
{:.warning}

This is more secure than the insecure registry solution. You must configure every Docker daemon that wants to access your registry.
1. Generate your own certificate:

    ```
    mkdir -p certs && openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
      -x509 -days 365 -out certs/domain.crt
    ```

2. Be sure to use the name `myregistrydomain.com` as a CN.

3. Use the result to start your registry with TLS enabled.

4. Instruct every Docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`.

5. Don't forget to restart the Engine daemon.
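The five steps above carried through end to end, as an added example that is not part of the Docker documentation: the same `openssl req` invocation as the page with the CN supplied non-interactively, the copy to the per-registry `certs.d` path, and two checks a practitioner wants before restarting the daemon (the CN really is the registry name, and the installed `ca.crt` validates the server certificate). The registry name and port are the page's `myregistrydomain.com:5000`; the `certs.d` root is a parameter so the flow can run in a scratch directory. The example goes slightly beyond the page in one respect: when the local OpenSSL supports `-addext`, it also sets a `subjectAltName`, because Go-based TLS clients such as the Docker daemon match the host name against the SAN rather than the CN alone; on older OpenSSL it falls back to the CN-only certificate the page describes.

```shell
#!/bin/sh
# Added example, not part of the Docker docs: generate the self-signed
# certificate, install it at the per-registry path the Engine daemon reads
# (/etc/docker/certs.d/<host:port>/ca.crt) and verify the result before
# restarting the daemon. REGISTRY_HOST, REGISTRY_PORT and the certs.d root
# are parameters so the whole flow can run in a scratch directory.

REGISTRY_HOST=${REGISTRY_HOST:-myregistrydomain.com}   # value assumed from the page
REGISTRY_PORT=${REGISTRY_PORT:-5000}

# certs_d_path ROOT HOST PORT -> prints the ca.crt path the daemon will consult
certs_d_path() {
  printf '%s/%s:%s/ca.crt\n' "$1" "$2" "$3"
}

# gen_self_signed OUTDIR HOST
# The page's openssl invocation, with -subj so the CN is set without prompting.
# A subjectAltName is added when this OpenSSL supports -addext (1.1.1+), since
# Go-based clients such as the Docker daemon match the host name against the
# SAN; older OpenSSL falls back to the CN-only certificate the page describes.
gen_self_signed() {
  outdir=$1
  host=$2
  mkdir -p "$outdir"
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$outdir/domain.key" \
    -x509 -days 365 -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -out "$outdir/domain.crt" 2>/dev/null ||
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$outdir/domain.key" \
    -x509 -days 365 -subj "/CN=$host" -out "$outdir/domain.crt" 2>/dev/null
}

# install_ca CERT ROOT HOST PORT -> copies CERT to ROOT/HOST:PORT/ca.crt
install_ca() {
  dest=$(certs_d_path "$2" "$3" "$4")
  mkdir -p "$(dirname "$dest")"
  cp "$1" "$dest" && chmod 644 "$dest"
}

# cert_cn CERT -> prints the CN from the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_against_ca CA CERT -> 0 if CERT validates against CA
# (for a self-signed certificate both arguments are the same file)
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# run_flow ROOT -> generates, installs and checks; prints the installed path
run_flow() {
  root=$1
  gen_self_signed "$root/certs" "$REGISTRY_HOST" || return 1
  install_ca "$root/certs/domain.crt" "$root/certs.d" "$REGISTRY_HOST" "$REGISTRY_PORT" || return 1
  dest=$(certs_d_path "$root/certs.d" "$REGISTRY_HOST" "$REGISTRY_PORT")
  [ "$(cert_cn "$dest")" = "$REGISTRY_HOST" ] || return 1
  verify_against_ca "$dest" "$root/certs/domain.crt" || return 1
  echo "$dest"
}

# Demo in a scratch directory; on a real host pass /etc/docker as ROOT-equivalent
# (so that certs.d is /etc/docker/certs.d) and restart the daemon afterwards.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  if installed=$(run_flow "$work"); then
    echo "installed CA at $installed (CN=$REGISTRY_HOST, verifies against itself)"
  else
    echo "self-signed flow failed" >&2
  fi
  rm -rf "$work"
else
  echo "openssl not available; skipping demo" >&2
fi
```

The two checks in `run_flow` are what the troubleshooting section below turns into error messages: a CN or SAN that does not match the registry name, or a `ca.crt` that does not validate the server certificate, both produce the same "unknown CA" failure at `docker pull` time.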
## Troubleshooting insecure registry

This section lists some common failures and how to recover from them.

### Failing...

Failing to configure the Engine daemon and trying to pull from a registry that is not using TLS will result in the following message:

```
FATA[0000] Error response from daemon: v1 ping attempt failed with error:
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
```
### Docker still complains about the certificate when using authentication?

When using authentication, some versions of Docker also require you to trust the certificate at the OS level.

#### Ubuntu

```
$ cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
$ update-ca-certificates
```

#### Red Hat Enterprise Linux

```
$ cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
$ update-ca-trust
```

#### Oracle Linux

```
$ update-ca-trust enable
```

Restart Docker for the changes to take effect.
#### Windows

Open Windows Explorer, right-click the certificate, and choose Install certificate.
Then, select the following options:

- Store location: local machine
- Check 'place all certificates in the following store'
- Click 'Browse', and select 'Trusted Root Certificate Authorities'
- Click 'Finish'

Learn more about managing TLS certificates

After adding the CA certificate to Windows, restart Docker for Windows.