Signed-off-by: Tibor Vass <teabee89@gmail.com>
| ... | ... |
@@ -70,7 +70,7 @@ expect an integer, and they can only be specified once. |
| 70 | 70 |
-g, --graph="/var/lib/docker" Path to use as the root of the Docker runtime |
| 71 | 71 |
-H, --host=[] The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd. |
| 72 | 72 |
--icc=true Enable inter-container communication |
| 73 |
- --insecure-registry=[] Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback) (ex: localhost:5000 or 10.20.0.0/16) |
|
| 73 |
+ --insecure-registry=[] Enable insecure communication with specified registries (disables certificate verification for HTTPS and enables HTTP fallback) (e.g., localhost:5000 or 10.20.0.0/16) |
|
| 74 | 74 |
--ip=0.0.0.0 Default IP address to use when binding container ports |
| 75 | 75 |
--ip-forward=true Enable net.ipv4.ip_forward |
| 76 | 76 |
--ip-masq=true Enable IP masquerading for bridge's IP range |
| ... | ... |
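Review bot: the example subnet in the reworded `--insecure-registry` help text (`10.20.0.0/16`) differs from the one used in the new "Insecure registries" section added later in this patch (`10.1.0.0/16`); pick one value so the help output and the long-form documentation agree. The rewording itself is an improvement, since "disables certificate verification for HTTPS and enables HTTP fallback" states plainly what the user gives up by passing the flag, and the semantics of the CIDR form (any registry whose address falls in that range is treated as insecure) would be worth one more clause here, as the help string is the only place a user sees it without opening the docs.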
@@ -193,24 +193,44 @@ To set the DNS server for all Docker containers, use |
| 193 | 193 |
To set the DNS search domain for all Docker containers, use |
| 194 | 194 |
`docker -d --dns-search example.com`. |
| 195 | 195 |
|
| 196 |
+### Insecure registries |
|
| 197 |
+ |
|
| 198 |
+Docker considers a private registry either secure or insecure. |
|
| 199 |
+In the rest of this section, *registry* is used for *private registry*, and `myregistry:5000` |
|
| 200 |
+is a placeholder example for a private registry. |
|
| 201 |
+ |
|
| 202 |
+A secure registry uses TLS and a copy of its CA certificate is placed on the Docker host at |
|
| 203 |
+`/etc/docker/certs.d/myregistry:5000/ca.crt`. |
|
| 204 |
+An insecure registry is either not using TLS (i.e., listening on plain text HTTP), or is using |
|
| 205 |
+TLS with a CA certificate not known by the Docker daemon. The latter can happen when the |
|
| 206 |
+certificate was not found under `/etc/docker/certs.d/myregistry:5000/`, or if the certificate |
|
| 207 |
+verification failed (i.e., wrong CA). |
|
| 208 |
+ |
|
| 209 |
+By default, Docker assumes all, but local (see local registries below), registries are secure. |
|
| 210 |
+Communicating with an insecure registry is not possible if Docker assumes that registry is secure. |
|
| 211 |
+In order to communicate with an insecure registry, the Docker daemon requires `--insecure-registry` |
|
| 212 |
+in one of the following two forms: |
|
| 213 |
+ |
|
| 214 |
+* `--insecure-registry myregistry:5000` tells the Docker daemon that myregistry:5000 should be considered insecure. |
|
| 215 |
+* `--insecure-registry 10.1.0.0/16` tells the Docker daemon that all registries whose domain resolve to an IP address is part |
|
| 216 |
+of the subnet described by the CIDR syntax, should be considered insecure. |
|
| 217 |
+ |
|
| 218 |
+The flag can be used multiple times to allow multiple registries to be marked as insecure. |
|
| 219 |
+ |
|
| 220 |
+If an insecure registry is not marked as insecure, `docker pull`, `docker push`, and `docker search` |
|
| 221 |
+will result in an error message prompting the user to either secure or pass the `--insecure-registry` |
|
| 222 |
+flag to the Docker daemon as described above. |
|
| 223 |
+ |
|
| 224 |
+Local registries, whose IP address falls in the 127.0.0.0/8 range, are automatically marked as insecure |
|
| 225 |
+as of Docker 1.3.2. It is not recommended to rely on this, as it may change in the future. |
|
| 226 |
+ |
|
| 227 |
+ |
|
| 196 | 228 |
### Miscellaneous options |
| 197 | 229 |
|
| 198 | 230 |
IP masquerading uses address translation to allow containers without a public IP to talk |
| 199 | 231 |
to other machines on the Internet. This may interfere with some network topologies and |
| 200 | 232 |
can be disabled with --ip-masq=false. |
| 201 | 233 |
|
| 202 |
- |
|
| 203 |
-By default, Docker will assume all registries are secured via TLS with certificate verification |
|
| 204 |
-enabled. Prior versions of Docker used an auto fallback if a registry did not support TLS |
|
| 205 |
-(or if the TLS connection failed). This introduced the opportunity for Man In The Middle (MITM) |
|
| 206 |
-attacks, so as of Docker 1.3.1, the user must now specify the `--insecure-registry` daemon flag |
|
| 207 |
-for each insecure registry. An insecure registry is either not using TLS (i.e. plain text HTTP), |
|
| 208 |
-or is using TLS with a CA certificate not known by the Docker daemon (i.e. certification |
|
| 209 |
-verification disabled). For example, if there is a registry listening for HTTP at 127.0.0.1:5000, |
|
| 210 |
-as of Docker 1.3.1 you are required to specify `--insecure-registry 127.0.0.1:5000` when starting |
|
| 211 |
-the Docker daemon. |
|
| 212 |
- |
|
| 213 |
- |
|
| 214 | 234 |
Docker supports softlinks for the Docker data directory |
| 215 | 235 |
(`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this: |
| 216 | 236 |
|
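Review bot: the removed paragraph carried the security rationale for the flag (the old automatic fallback to plain HTTP or unverified TLS "introduced the opportunity for Man In The Middle (MITM) attacks, so as of Docker 1.3.1, the user must now specify the `--insecure-registry` daemon flag"), and the new "Insecure registries" section drops both the MITM explanation and the 1.3.1 version note; keep one sentence of that rationale in the new section so readers understand why the flag exists and what they are accepting, and state that the CIDR form turns off verification for every registry resolving into that range, not just one host. Several of the new sentences also need grammar fixes: line 209 "assumes all, but local (see local registries below), registries are secure" reads better as "assumes all registries except local ones (see below) are secure"; lines 215-216 "all registries whose domain resolve to an IP address is part of the subnet" should be "whose domain resolves to an IP address that is part of the subnet"; lines 221-222 "prompting the user to either secure or pass the `--insecure-registry` flag" needs "either secure the registry or pass". Minor: lines 226-227 leave two blank lines before the "Miscellaneous options" heading where the rest of the file uses one.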