hartped lannie ceridwen

Natalí Stibb

Aug 3, 2024, 11:26:42 PM8/3/24
to lornodeli

How to Use an Insecure Registry with Docker

An insecure registry is a registry that does not have a valid TLS certificate or only supports HTTP connections. Using an insecure registry can expose your registry to man-in-the-middle (MITM) attacks and compromise the security of your images and containers. Therefore, it is highly recommended to use a secure registry with a TLS certificate issued by a known CA.

However, if you need to use an insecure registry for testing purposes or in an isolated environment, you can configure Docker to allow it. There are two ways to do this: using the --insecure-registry flag or using self-signed certificates.

Using the --insecure-registry flag

This method instructs Docker to entirely disregard security for your registry. This is very insecure and not recommended. It should only be used for isolated testing or in a tightly controlled, air-gapped environment.

To use this method, you need to edit the daemon.json file on every Docker host that wants to access your registry. The default location of this file is /etc/docker/daemon.json on Linux or C:\ProgramData\docker\config\daemon.json on Windows Server. If you use Docker Desktop for Mac or Docker Desktop for Windows, you can click the Docker icon, choose Settings and then choose Docker Engine.

If the daemon.json file does not exist, create it. Assuming there are no other settings in the file, it should have the following contents:

{
  "insecure-registries" : ["myregistrydomain.com:5000"]
}

Substitute the address of your insecure registry for the one in the example. You can also specify multiple registries or use CIDR notation to specify a range of IP addresses.

After editing the file, you need to restart Docker for the changes to take effect. With insecure registries enabled, Docker goes through the following steps:

    • First, try using HTTPS.
    • If HTTPS is available but the certificate is invalid, ignore the error about the certificate.
    • If HTTPS is not available, fall back to HTTP.

Using self-signed certificates

This method is more secure than the insecure registry solution. It involves generating your own certificate and instructing every Docker daemon to trust it. However, using self-signed certificates also requires some additional configuration steps and may not work with basic authentication.

To use this method, you need to do the following:

    • Generate your own certificate using openssl. For example:
    $ mkdir -p certs
    $ openssl req \
      -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
      -addext "subjectAltName = DNS:myregistry.domain.com" \
      -x509 -days 365 -out certs/domain.crt

    Be sure to use the name of your registry as the CN and, as the -addext line above does, as a subjectAltName entry.

    • Use the certificate to start your registry with TLS enabled. For example:
    $ docker run -d \
      --restart=always \
      --name registry \
      -v "$(pwd)"/certs:/certs \
      -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      -p 443:443 \
      registry:2

    • Copy the certificate file to every Docker host that wants to access your registry. The location of this file depends on your OS.
        • Windows Server: Open Windows Explorer, right-click the domain.crt file, and choose Install certificate. When prompted, select the following options:
            • Store location
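A certificate that carries the registry name only in its Common Name is the usual reason a self-signed setup still fails with a TLS error after the file has been installed on the Docker host: dockerd is written in Go, and Go's TLS stack matches the server name against subjectAltName entries only, which is why the openssl command above passes -addext "subjectAltName = ...". The following checker is an added example, not part of the post or of Docker; it applies the same SAN-only rule to certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns. The certificate dicts are constructed for the example, and bracketed IPv6 registry addresses are not handled.

```python
"""Check that a registry certificate is valid for the registry name.

Added example, not Docker's code. Mirrors the SAN-only matching that
dockerd (Go) applies: a certificate whose only mention of the name is
the Common Name does not match. Certificate dicts follow the shape of
ssl.SSLSocket.getpeercert() and are constructed here.
"""
import ipaddress


def _dns_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single wildcard covering the left-most label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        left = host[: -len(suffix) - 1]
        return bool(left) and "." not in left
    return False


def cert_matches_registry(cert: dict, registry: str) -> bool:
    """True if a subjectAltName entry covers the registry host.

    `registry` is the name used in `docker pull`, e.g. myregistry.domain.com
    or 192.0.2.10:5000; the port is stripped before matching. Assumes the
    host is a DNS name or a plain IPv4 literal (no [IPv6] brackets).
    """
    host = registry.split(":")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_matches(value, host):
            return True
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
    # A CN-only certificate ends here even when the CN is the right name.
    return False


# Constructed certificates: one made like the post's openssl command, one
# with the registry name in the CN only, one wildcard, one with an IP SAN.
SAN_CERT = {
    "subject": ((("commonName", "myregistry.domain.com"),),),
    "subjectAltName": (("DNS", "myregistry.domain.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "myregistry.domain.com"),),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.domain.com"),)}
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}


if __name__ == "__main__":
    for name, cert in [("san", SAN_CERT), ("cn-only", CN_ONLY_CERT)]:
        print(name, cert_matches_registry(cert, "myregistry.domain.com:443"))
```

To check a live registry, fetch its certificate with ssl.create_default_context(), connect, and pass getpeercert() to cert_matches_registry; a False result with a matching CN points at a certificate generated without the -addext line.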