registry/docs/insecure.md
Misty Stanley-Jones eb77e2f74a Docker 17.03 release (#2050)
* First pass of tabs-based organization

* Improvements

* Second pass at tabs org

* Move tab highlighting to Liquid instead of JS

* Adding forwarding links for in-product TOCs

* Move to pre-rendered left-navs instead of post-load JS for TOC sync

* Optimizations and nosync-ing the Reference section

* Optimizations, fix Cloud YAML

* Make a "Sample applications" node

* Update index.md

* Tabs CSS fixes and 12-factor reposition

* Theme Start (#1709)

* Hooking up nav to real TOC data, formatting fixes

* Fixing JS error

* Layout updates, dark themes, tons o stuff (#1971)

* Add cookie saving for day/night mode

* Newsite tabs (#2004)

* Layout updates, dark themes, tons o stuff

* Update themes

Theme updates + scaffolding

* Update style.css

* Update style-alt.css

* Missing font fixes

* Import Open Sans from Google

* Font fix, archive removal in TOC, favicon, Feedback img fix

* Oops, returning -webkit-font-smoothing: antialiased;

* Add old favicon.ico

* Make archives a non-tiered link

* Reorder docs archive to newest-first, add local instructions

* Commenting out day/night switch for now

* Fix 'rate this page'

* Rate this page fixes

* Autocomplete and Docker Cloud fixes

* Open tree to current page

* Adding indentation for nav collapse in

* Ensure left nav visibly displays the current topic

* Update flex layout

- adjust rescale
- code block styles

* add focus to search

- force code block color (for now)
- increase section max-width

* increase content padding

- add padding to toc for wrapping long strings.

* grid adjustment

- grid
- content and wrapper adjustments for mobile

* left/right sidebar adjustments

- refine position on scroll for toc on landing

- add default height to compensate for upcoming position absolute
onScroll

* side bar overflow

- hidden on X-scroll

* fix version button

- override bstrap defaults

* tabs + buttons

* update landing svgs

* fix sidebar height

set to 100% on landing pre-affix

* Update blurb about engine/editions on front page

* add side menu to mobile collapse menu

* update classnames

* overall mobile tweaks

* Right-nav highlighting and auto-scroll

* Slightly slower right-nav highlighting, correct version

* add toggle menus for small devices

* Fixing JS error/Docker 1.13>17.03

* header updates

* re-add fan to header

* update transition time

* Add first 20 words to Twitter card

* fixed width of components

- lockdown elements on rescale (will need more TLC)

* set max-width of content

* Left and right nav resizing w/footer scroll and window resize

* update links on landing page

* Fix for overzealous resizing, JS redundancies

* Fix for JS error on homepage

* JS error fixes

* toggle adjustments

- wrap toggle button

* add tab width

* version button type

* version button both headers

* tabs - fix typo

* landing page grid

* components

* Share images, JS fixes, Marketo removal

* Anchor links fix

* Fix for black space on mobile

* Restore hamburger (partial)

* Update run.md

Minor grammar cleanup.

* Update apparmor.md

I'm a little confused about which one is better to be used here, a period (.) or a colon (:),  as a command is given below. Or both are OK, and we only have to keep consistency in a single page.

* Update apparmor.md

Fixed the indentation for the codeblock (indented by 4 spaces). Thank you for your careful review.

* Replacing service with secret

* Update networking.md

fix typo with triple "m" for command word

* Update run.md

Address PR feedback.

* Update install instructions to latest version

* Added "related topics" section

* Add documentation for mem_swappiness

* Update to new Docker version scheme (#1926)

* mem_swappiness for current version and v1

* merge other changes, fix typo

* There is no OpenSuSE and there never was

though we had SuSE and S.u.S.E.

* Add release notes for 1.12.6-cs9 (#2028)

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

* need sudo to access key cache (#1931)

* need sudo to access key cache

* List other keyservers to try for cs-engine install (#2033)

* List other keyservers to try for cs-engine install

Sometimes ha.pool.sks-keyservers.net goes down, so let's provide some
other keyservers to try in such cases.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

* Update work_issue.md (#2030)

Change "re-start" to "restart". Though not included in "Prefered usages" in the documentation guide, but I think "restart" is better and used more frequently. Besides, some other docs here, such as "Keep containers alive during daemon downtime" of "Admin Guide", also use "restart".

* Update create_pr.md (#2015)

* Update work_issue.md (#2013)

Change "id" to "ID" except for those in code.

* Update set_up_dev.md (#2011)

Add periods (.) in some steps.

* Update set_up_dev.md (#2010)

Apply Oxford Comma as described in the documentation guide.

* Update create_pr.md (#2014)

Delete an extra space.

* Update trust_key_mng.md (#1883)

* Update trust_key_mng.md

* Update trust_key_mng.md

I don't know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown.

Now I've deleted some redundant whitespace.

* Update 

I don't know how the whitespace appears, and it seems that it appears because something happened related to its original format (right-aligned pipe characters) and my change. Still unknown.

Now I've deleted some redundant whitespace.

* Update content_trust.md (#1912)

* Update content_trust.md

* update deprecation policy

Signed-off-by: Victor Vieux <victorvieux@gmail.com>

* Update info about how to check whether Docker is running

* Updated docs to reflect edge channel

Signed-off-by: French Ben <frenchben@docker.com>

* Updated wording for SP creation

Signed-off-by: French Ben <frenchben@docker.com>

* beta to edge, cloud features first draft

added cloud images

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>

* Distinguish between cloud stack file and stack file

* Added EE links

Signed-off-by: French Ben <frenchben@docker.com>

* Use variables

Signed-off-by: French Ben <frenchben@docker.com>

* Replace deprecated MAINTAINER with LABEL (#1445)

Replace MAINTAINER instruction with LABEL as MAINTAINER was deprecated in https://github.com/docker/docker/pull/25466

* Updates for Docker CE and Docker EE

* Updated DDC launch button

Signed-off-by: French Ben <frenchben@docker.com>

* added Docker Cloud topics for Mac and Windows

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>

* d4mac, d4win stable and beta release notes for 17.03.0

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
2017-03-02 05:54:49 -08:00


---
description: Deploying a Registry in an insecure fashion
keywords: registry, on-prem, images, tags, repository, distribution, insecure
title: Test an insecure registry
---

While it's highly recommended to secure your registry using a TLS certificate issued by a known CA, you may alternatively decide to use self-signed certificates, or even use your registry over plain HTTP.

You have to understand the downsides of doing so, and the extra configuration burden it brings.

## Deploying a plain HTTP registry

> **Warning**: it's not possible to use an insecure registry with basic authentication.

This basically tells Docker to entirely disregard security for your registry. While it is relatively easy to configure the daemon this way, it is very insecure: it exposes your registry to trivial MITM attacks. Only use this solution for isolated testing or in a tightly controlled, air-gapped environment.

1. Open the `/etc/default/docker` file or `/etc/sysconfig/docker` for editing.

    Which of these files exists depends on your operating system; it holds the Engine daemon start options.

2. Edit (or add) the `DOCKER_OPTS` line and add the `--insecure-registry` flag.

    This flag takes the URL of your registry, for example:

    ```
    DOCKER_OPTS="--insecure-registry myregistrydomain.com:5000"
    ```

3. Close and save the configuration file.

4. Restart your Docker daemon.

    The command you use to restart the daemon depends on your operating system. For example, on Ubuntu, this is usually `service docker stop` followed by `service docker start`.

5. Repeat this configuration on every Engine host that wants to access your registry.

## Using self-signed certificates

> **Warning**: using this along with basic authentication requires you to also trust the certificate in the OS cert store for some versions of Docker (see below).

This is more secure than the insecure registry solution. You must configure every Docker daemon that wants to access your registry.

1. Generate your own certificate:

    ```
    mkdir -p certs && openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
      -x509 -days 365 -out certs/domain.crt
    ```

2. Be sure to use the name `myregistrydomain.com` as a CN.

3. Use the result to start your registry with TLS enabled.

4. Instruct every Docker daemon to trust that certificate.

    This is done by copying the `domain.crt` file to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`.

5. Don't forget to restart the Engine daemon.
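As an added example (not code from the registry docs), the script below covers steps 1, 2 and 4 above and the `certs.d` check that the troubleshooting section relies on: it generates the self-signed certificate non-interactively with the registry host as both CN and SAN, checks the SAN, and verifies that the `ca.crt` under a `certs.d` directory really is that certificate. It assumes `openssl` is on `PATH`; the function names, the `certs.d` root parameter and the sample host are assumptions, not part of the docs.

```shell
#!/bin/sh
# Added example, not from the registry docs: generate a self-signed
# certificate for a registry host and verify it is the one the daemon
# will load from <certs.d root>/<host:port>/ca.crt.
# Assumes: openssl on PATH. Hosts and paths are parameters (constructed).
set -eu

# gen_registry_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/domain.key and OUTDIR/domain.crt with CN=HOST and a
# matching SAN. The SAN is what the interactive "openssl req" in the
# docs does not add: Go's TLS verifier (and so Docker) has ignored the
# CN since Go 1.15 and only accepts a SAN that matches the host.
gen_registry_cert() {
    host=$1 outdir=$2 days=${3:-365}
    mkdir -p "$outdir"
    cat > "$outdir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
EOF
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$outdir/domain.key" \
        -x509 -days "$days" -config "$outdir/openssl.cnf" \
        -out "$outdir/domain.crt" 2>/dev/null
}

# cert_matches_host CRT HOST: succeeds only if CRT carries SAN DNS:HOST.
cert_matches_host() {
    openssl x509 -in "$1" -noout -text | grep -qwF "DNS:$2"
}

# certsd_has_cert CERTSD_ROOT HOST:PORT CRT: succeeds if the ca.crt the
# daemon would load for HOST:PORT has the same SHA-256 fingerprint as CRT.
# CERTSD_ROOT is /etc/docker/certs.d on a real Engine host.
certsd_has_cert() {
    installed="$1/$2/ca.crt"
    [ -r "$installed" ] || return 1
    a=$(openssl x509 -in "$installed" -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}
```

Run `gen_registry_cert myregistrydomain.com certs`, copy `certs/domain.crt` to `/etc/docker/certs.d/myregistrydomain.com:5000/ca.crt`, then `certsd_has_cert /etc/docker/certs.d myregistrydomain.com:5000 certs/domain.crt` confirms the daemon will trust the certificate you just generated rather than a stale one.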

## Troubleshooting insecure registry

This section lists some common failures and how to recover from them.

### Failing...

Failing to configure the Engine daemon and trying to pull from a registry that is not using TLS results in the following message:

```
FATA[0000] Error response from daemon: v1 ping attempt failed with error:
Get https://myregistrydomain.com:5000/v1/_ping: tls: oversized record received with length 20527.
If this private registry supports only HTTP or HTTPS with an unknown CA certificate,please add
`--insecure-registry myregistrydomain.com:5000` to the daemon's arguments.
In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag;
simply place the CA certificate at /etc/docker/certs.d/myregistrydomain.com:5000/ca.crt
```

### Docker still complains about the certificate when using authentication?

When using authentication, some versions of Docker also require you to trust the certificate at the OS level.

**Ubuntu**

```
$ cp certs/domain.crt /usr/local/share/ca-certificates/myregistrydomain.com.crt
$ update-ca-certificates
```

**Red Hat Enterprise Linux**

```
$ cp certs/domain.crt /etc/pki/ca-trust/source/anchors/myregistrydomain.com.crt
$ update-ca-trust
```

**Oracle Linux**

```
$ update-ca-trust enable
```

Restart Docker for the changes to take effect.