Documentation work

- move away insecure & self-signed
- introduce native basic auth
- move "down" nginx based authentication
- overall shortening / smoothing of "deploying" documentation

Signed-off-by: Olivier Gambier <olivier@docker.com>

docs/insecure.md

@@ -0,0 +1,74 @@
+<!--[metadata]>
++++
+title = "Docker Registry 2.0"
+description = "Deploying an insecure Registry"
+keywords = ["registry, images, repository"]
+[menu.main]
+parent="smn_registry"
++++
+<![end-metadata]-->
+
+# Insecure Registry
+
+While it's highly recommended to secure your registry using a TLS certificate issued by a known CA, you may alternatively decide to use self-signed certificates, or even use your registry over plain http.
+
+You have to understand the downsides in doing so, and the extra burden in configuration.
+
+## Deploying a plain HTTP registry
+
+> :warning: it's not possible to use an insecure registry with basic authentication
+
+This basically tells Docker to entirely disregard security for your registry.
+
+1. edit the file `/etc/default/docker` so that there is a line that reads: `DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"` (or add that to existing `DOCKER_OPTS`)
+2. restart your Docker daemon: on ubuntu, this is usually `service docker stop && service docker start`
+
+**Pros:**
+
+ - easy to configure
+ 
+**Cons:**
+ 
+ - very insecure
+ - you have to configure every docker daemon that wants to access your registry 
+  
+## Using self-signed certificates
+
+> :warning: using this along with basic authentication requires to **also** trust the certificate into the OS cert store for some versions of docker
+
+Generate your own certificate:
+
+```
+mkdir -p certs && openssl req \
+  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
+  -x509 -days 365 -out certs/domain.crt
+```
+
+Be sure to use the name `myregistrydomain.com` as a CN.
+
+Stop and restart your registry.
+
+Then you have to instruct every docker daemon to trust that certificate. This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt` (don't forget to restart docker after doing so).
+
+Stop and restart all your docker daemons.
+
+**Pros:**
+
+ - more secure than the insecure registry solution
+
+**Cons:**
+
+ - you have to configure every docker daemon that wants to access your registry
+
+## Failing...
+
+Failing to configure docker and trying to pull from a registry that is not using TLS will result in the following message:
+
+```
+FATA[0000] Error response from daemon: v1 ping attempt failed with error:
+Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527. 
+If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add 
+`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
+In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
+simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
+```