Docker Insecure Registry

Let's take a look at how to set up an insecure docker registry and a self-signed docker registry on Digital Ocean. Then we will attempt to access the registry via basic authentication with boot2docker.

I guess that like a lot of you, I've been pushing my Docker images to Docker Hub, which has been and still is a good registry. Though, if you've been following the open source ecosystem development recently, then GitHub Actions and with it GitHub Packages registry is now being more widely adopted.

Apr 13, 2017 I added DOCKEROPTS='--insecure-registry 10.0.0.11:5000' to /etc/default/docker and restarted the docker service but didn’t help. Anyone an idea of what I am doing wrong? Kar1 (Kar1) April 13, 2017, 1:01pm.

  1. Warning: It’s not possible to use an insecure registry with basic authentication. This procedure configures Docker to entirely disregard security for your registry. This is very insecure and is not recommended. It exposes your registry to trivial man-in-the-middle (MITM) attacks.
  2. Aug 05, 2021 You need to configure the insecure registry setting on every node in your cluster. Depending on your container runtime (Docker vs. containerd), the steps are different.

What I use:

  1. Docker 1.9.0
  2. Docker Machine 0.5.0 (version 1.9.0, build master : 16e4a2a)
  3. Docker Registry 2
  4. Digital Ocean account

Create A Registry Host

To create the registry host on Digital Ocean:

This creates a droplet named registry in <our_region>, defaulting to 512MB of memory and 20GB of hard disk storage, with an auto-assigned public floating IP address.

Set Up Docker Registry 2.0

Let's SSH into our droplet and set up a docker registry.

This should get Docker Registry 2.0 running on our host. We can verify this by using docker ps.

If we tried to push a docker image to our registry now, it should fail. (In my case, I am using boot2docker.)

Trust An Insecure Registry

To tell our local Docker to disregard security and trust our docker registry as an insecure registry, make the following changes in our local Docker (not our registry host). In my case, these changes need to be made in my boot2docker.

Add the floating IP of your registry node to EXTRA_ARGS as an insecure registry in the boot2docker profile file:

Exit out of boot2docker and restart it using docker-machine. Now attempt to push our newly tagged image again, and it should work.

Since we ran our registry with a mounted volume earlier, we should see the image stored under the volume source. In my case, my registry host looks like:

Please read up on the pros and cons of insecure registries.

Self-Signed Registry With Access Restriction

Remove the --insecure-registry flag from our boot2docker profile file and restart our boot2docker. We will now create our own self-signed certificate, secure our registry with TLS, and then restrict access to it using Basic Auth.

To generate a self-signed certificate on our registry host:

When prompted for Common Name (e.g. server FQDN or YOUR name), I use <floating_ip>.xip.io. You can read more about xip.io here. We should see our private keys and certificates in the certs/ folder.

To set up basic auth on our registry host:

This will create an auth/htpasswd file.

Stop and remove our running docker registry. (/data folder should still be intact.) Restart it to pick up the certs and password:

Now we have to update the Docker daemon on our boot2docker to trust the certificates.

Create the /etc/docker/certs.d/<floating_ip>.xip.io:5000 folder and copy our certs/domain.crt certificate from our registry host to /etc/docker/certs.d/<floating_ip>.xip.io:5000/ca.crt.

Restart our docker daemon.

Now we should be able to push images and log in to our registry host.

Notice the usage of the xip.io domain.
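
To confirm that the --insecure-registry flag really is gone from an options file and that the daemon has a CA certificate in place for the TLS registry, a small audit script helps. This is an added example, not code from the original post: the function names are hypothetical, the file and directory paths are passed in as arguments, and the addresses in the demo are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit Docker option files for
# --insecure-registry entries and check for a pinned CA under certs.d.

# Print each registry passed via --insecure-registry in an options file
# (a boot2docker profile or /etc/default/docker), one per line.
insecure_registries() {
  [ -r "$1" ] || return 0
  # Drop comment lines; accept "--insecure-registry host" and "=host" forms.
  grep -v '^[[:space:]]*#' "$1" \
    | grep -oE -e "--insecure-registry[= ]+[^[:space:]\"']+" \
    | sed -E 's/^--insecure-registry[= ]+//' \
    | sort -u
}

# Succeed if a non-empty ca.crt exists for the registry (host:port).
# This checks presence only; it does not validate the certificate.
has_pinned_ca() {
  [ -s "$1/$2/ca.crt" ]
}

# Classify one registry: INSECURE, TLS-PINNED or NO-CA.
# Arguments: options file, certs.d directory, registry host:port.
audit_registry() {
  if insecure_registries "$1" | grep -qxF -e "$3"; then
    echo "INSECURE"
  elif has_pinned_ca "$2" "$3"; then
    echo "TLS-PINNED"
  else
    echo "NO-CA"
  fi
}

# Demo on constructed sample data (documentation-range addresses).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "EXTRA_ARGS='" "--label provider=virtualbox" \
    "--insecure-registry 203.0.113.10:5000" "'" > "$tmp/profile"
  mkdir -p "$tmp/certs.d/203.0.113.20.xip.io:5000"
  echo "constructed placeholder" > "$tmp/certs.d/203.0.113.20.xip.io:5000/ca.crt"
  for r in 203.0.113.10:5000 203.0.113.20.xip.io:5000 203.0.113.30:5000; do
    echo "$r $(audit_registry "$tmp/profile" "$tmp/certs.d" "$r")"
  done
  rm -rf "$tmp"
}
demo
```

A registry reported as INSECURE is still reached without certificate verification; NO-CA means the daemon has no certificate under certs.d for that host:port.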