84

I'm trying to set up a private docker registry using the image taken from: https://github.com/docker/docker-registry

Just by running:

```
docker run -p 5000:5000 registry
```

I can pull/push from/to this repository only from localhost, but if I try to access it from another machine (using a private address on the same LAN) it fails with an error message:

```
2014/11/03 09:49:04 Error: Invalid registry endpoint https://10.0.0.26:5000/v1/': 
Get https://10.0.0.26:5000/v1/_ping: Forbidden. If this private 
registry supports only HTTP or HTTPS with an unknown CA certificate,
please add `--insecure-registry 10.0.0.26:5000` to the daemon's 
arguments. In the case of HTTPS, if you have access to the registry's
CA certificate, no need for the flag; simply place the CA certificate 
at /etc/docker/certs.d/10.0.0.26:5000/ca.crt
```

What drives me crazy is that I can access it successfully using `curl 10.0.0.26:5000` and/or `curl 10.0.0.26:5000/v1/search`.

I also don't understand where and how I should pass the `--insecure-registry` flag.

030
Ofer Eliassaf
  • 3
    many of the answers seem to be out of date for docker 1.12 but see vikas027 answer which is great for docker 1.12 (latest ATOW) – danday74 Oct 06 '16 at 08:08
  • 1
    On Ubuntu, the [Docker documentation](https://docs.docker.com/registry/insecure/#deploying-a-plain-http-registry) and [this answer](http://stackoverflow.com/a/28392808/434961) worked well for me. – Batandwa Jan 11 '17 at 05:42

15 Answers

73

OK - I found the solution to this - after a day of digging.

For docker below 1.12.1:

It turns out that the new client version refuses to work with a private registry without SSL.

To fix this - the daemon on the client machine should be launched with the insecure flag:

Just type:

```
sudo service docker stop # to stop the service
```

and then

```
sudo docker -d --insecure-registry 10.0.0.26:5000
```

(replace the 10.0.0.26 with your own IP address).

I would expect the docker guys to add this option to the pull/push command line...

Edit - alternatively - you can add the flag to the DOCKER_OPTS env variable inside /etc/default/docker... and then `sudo service docker restart`

Edit again - It seems that the docker guys are on it - and a fix will come soon: https://github.com/docker/docker/pull/8935

For docker 1.12.1:

Please follow below the answer of vikas027 (valid for centos)

Ofer Eliassaf
  • I was able to replicate your steps and pushed to a private registry on a remote host. It showed successful push as well. However, how do I list images on the private registry? I tried `docker -H tcp://remote-host-ip:5000 images` but returned with error. – Howard Lee Nov 03 '14 at 22:06
  • I can verify that this happens. It also happens when you query :5000/v1/search - you get an empty response. Probably a different bug that they have :-( – Ofer Eliassaf Nov 04 '14 at 06:45
  • Update: I was able to search/pull images stored on a remote private registry. `docker search remote-host-ip:5000/image-name` and `docker pull remote-host-ip:5000/image-name` both function just fine. Now, how do I get it to list the images... – Howard Lee Nov 05 '14 at 19:44
  • Update: this thread talks about listing images in a private registry http://stackoverflow.com/questions/23699809/any-api-or-web-ui-project-to-manage-a-docker-private-registry?rq=1 – Howard Lee Nov 05 '14 at 22:17
  • 3
    @ashleyaitken, I used the following reference to help me solve with Boot2Docker: https://github.com/boot2docker/boot2docker#insecure-registry. Hope that helps. – Patelify Mar 16 '15 at 00:09
  • is 10.0.0.26 your registry? (ie sth like artifactory?) why is the port 5000 and not 8081. any idea how to push docker images to artifactory? – Adrian Jul 27 '15 at 20:49
  • @Ofer E. $sudo docker -d --insecure-registry 10.0.0.26:5000 flag provided but not defined: -d. Why doesn't it support -d argument? I am using docker version 1.11.2 – ravindrab Jun 24 '16 at 19:20
  • 1
    `--insecure-registry` is a workaround and not a fix. – peterh Feb 01 '17 at 15:32
  • @peterh - it's a fix since people just want to get things done. If establishing a secured registry was easy and out of the box - this FIX was not popular and then u can consider this as a "workaround". – Ofer Eliassaf Feb 02 '17 at 08:21
  • @OferEliassaf Note, with the latest docker even this fix didn't work. I don't know, why. [This](https://stackoverflow.com/questions/26710153/remote-access-to-a-private-docker-registry/39866841#comment71171081_39866841) is also for you. – peterh Feb 02 '17 at 08:25
29

This is what worked for me on CentOS 7.2 and Docker 1.12.1 (latest as on date). My private registry v2 was running on 192.168.1.88:5000, change it accordingly. This also works if you have multiple registries, just keep on adding --insecure-registry IP:Port

```
$ sudo vim /usr/lib/systemd/system/docker.service
#ExecStart=/usr/bin/dockerd 
ExecStart=/usr/bin/dockerd --insecure-registry 192.168.1.88:5000
$
$ sudo systemctl stop docker
$ sudo systemctl daemon-reload
$ sudo systemctl start docker
```

vikas027
  • 1
    This solution was the only one that worked for me on Ubuntu. – JARC Oct 05 '16 at 13:02
  • 1
    Thanks man - worked great - added a fuller answer based on this for those behind a corporate proxy – danday74 Oct 06 '16 at 08:05
  • 2
    Worked for me but docker.service was in `/lib/systemd/system/docker.service` on Ubuntu 16.04. – Karim Tabet Oct 18 '16 at 12:01
  • not working for me on Ubuntu 16.04 and Docker 1.12.4. I edited the same exact line in /lib/systemd/system/docker.service and used systemctl steps above. – user1870400 Dec 14 '16 at 02:24
  • I tried running curl IP:5000 and I get connection refused – user1870400 Dec 14 '16 at 02:28
  • @user1870400 That means your docker registry is either not running or running on a different port – vikas027 Jan 20 '17 at 00:59
  • 4
    `--insecure-registry` is a workaround and not a fix. – peterh Feb 01 '17 at 15:33
  • @vikas027 Docker is an important software, but unfortunately its developers somehow don't seem really eager to fix trivial problems in it. This registry is such a problem. Actually, I have a real fix for that: producing a CA key, a server key and a key for each server and for each client certified by the CA, furthermore installing this CA cert system-wide, and also specific for the docker. So it works, but wanting this from people doing only a private repo is overkill. Docker is full with similar problems - if you like to do _anything_ with it, you have around 90% that it simply won't – peterh Feb 02 '17 at 08:21
  • 1
    work. Or you have to hack your whole system (another similar "feature" is that "bridged networking" means actually NAT networking in docker, while real bridged network simply doesn't exist). These answers popularize terrible workarounds to major problems, which could be easily fixed but somehow they aren't. This was the reason, why I downvoted all of them - all of them are _bad_ solutions. – peterh Feb 02 '17 at 08:23
  • Works for Centos 7.2 running Docker 1.13.1 – Brandon Dewey Feb 27 '17 at 20:28
  • Also you can verify the insecure registry is picked up by typing `docker info`. There should be an entry under `Insecure Registries:` – James D Mar 30 '17 at 19:38
  • In my case, remote repository is on a remote Linux server running on Pi4. Push/Pull works on that Linux server however when I try to pull an image from that remote registry on my Windows PC, it says - 'invalid reference format'. My Linux machine requires username/password to connect from my Windows. Is it because of that protection. Any idea how can I pull or push from/to remote registry. I tried docker login with --host I get an error saying --host option is not available with docker login. – Prashant Bhardwaj Dec 28 '20 at 01:06
24

Edit the config file "/etc/default/docker"

```
sudo vi /etc/default/docker
```

add the line at the end of file

```
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=192.168.2.170:5000"
```

(replace the 192.168.2.170 with your own IP address)

and restart docker service

```
sudo service docker restart
```

daozhao
12

I found the following to be very useful as it discusses how the Docker service itself is configured. https://docs.docker.com/articles/systemd/

Along with this article on the systemctl command https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units

I used the following series of commands in a Centos 7 based container with a registry image obtained by "docker pull registry:2.1.1"

```
sudo mkdir -p /etc/systemd/system/docker.service.d
cd /etc/systemd/system/docker.service.d
sudo touch override.conf
sudo nano override.conf
```

And inside the override.conf added the following.

```
[Service]
ExecStart=
ExecStart=/usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000
```

Note the first, blank, ExecStart= clears anything that is already in place so be sure to add anything from the /usr/lib/systemd/system/docker.service ExecStart= statement that you wish to retain.

If you don't specify the -d(daemon) option you'll get a "Please specify only one -H" error.

After issuing the following series of commands I can see my overrides in place.

```
sudo systemctl stop docker
sudo systemctl daemon-reload
sudo systemctl start docker
sudo systemctl status docker
```

```
docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled)
  Drop-In: /etc/systemd/system/docker.service.d
           └─override.conf
   Active: active (running) since Thu 2015-09-17 13:37:34 AEST; 7s ago
     Docs: https://docs.docker.com
 Main PID: 5697 (docker)
   CGroup: /system.slice/docker.service
           └─5697 /usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000
```

NOTE: The Loaded: and Drop-In: lines in the status message are useful for checking what's happening when getting a pre-existing docker daemon to work.

NOTE: Also have a look in the Loaded: docker.service file for an EnvironmentFile= for further clues.

TJA
  • 3
    `--insecure-registry` is a workaround and not a fix. – peterh Feb 01 '17 at 15:33
  • Hello @peterh I understand that it is a workaround, and an insecure one. I have no doubt there are Production systems out there using it which is a very bad thing indeed. – TJA Feb 04 '17 at 05:43
  • 1
    @peterh can you please point me at any links that show how to do it properly and I will update my answer and reference the link. – TJA Feb 04 '17 at 05:45
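
An added example, not part of any answer on this page: the answers set `--insecure-registry` in several different places (`DOCKER_OPTS`, `other_args`, `ExecStart=`), and the `ExecStart=` line above also opens the Docker API on `tcp://0.0.0.0:2375`, so it is worth checking what a host actually has configured. This sketch reads daemon option lines and reports each insecure registry and each TCP listener started without `--tlsverify`; the function names and sample lines are constructed for illustration, and only the space-separated `-H`/`--host` form is recognised.

```sh
#!/bin/sh
# Added example: audit dockerd option lines for insecure registries and
# TCP API listeners that are started without --tlsverify.

# audit_dockerd_opts: option lines on stdin, one finding per output line.
audit_dockerd_opts() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out lines are inactive
    {
        gsub(/"/, " ")                       # unwrap DOCKER_OPTS="..." style values
        tls = (index($0, "--tlsverify") > 0)
        for (i = 1; i <= NF; i++) {
            if ($i == "--insecure-registry" && i < NF) {
                print "INSECURE_REGISTRY " $(i + 1); i++
            } else if (index($i, "--insecure-registry=") == 1) {
                print "INSECURE_REGISTRY " substr($i, 21)
            } else if (($i == "-H" || $i == "--host") && i < NF) {
                if ($(i + 1) ~ /^tcp:/ && !tls) print "OPEN_TCP_API " $(i + 1)
                i++
            }
        }
    }'
}

# Constructed sample: option lines in the forms used by the answers on this page.
SAMPLE='#ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/docker -d -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock --insecure-registry 10.2.3.4:5000
DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=192.168.2.170:5000"
ExecStart=/usr/bin/dockerd -H fd:// --tlsverify -H tcp://0.0.0.0:2376'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_dockerd_opts; }

audit_sample
```

On a real host, feed it the files named in the answers, for example `cat /etc/default/docker /etc/sysconfig/docker 2>/dev/null | audit_dockerd_opts`, or the output of `systemctl cat docker`.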
11

Ok. Here is how I got it to work. If you see this error in docker 1.3.2 or above, do this

go to /etc/sysconfig/docker

```
other_args="--insecure-registry 10.0.0.26:5000"
```

and run

```
sudo service docker restart
```

Jay
9

use the following command replacing {YOUR_REGISTRY} with your registry

```
boot2docker ssh "echo $'EXTRA_ARGS=\"--insecure-registry {YOUR_REGISTRY}\"' | sudo tee -a /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"
```

JaTo
7

edit docker.service file, add --insecure-registry x.x.x.x after -d flag, restart docker

this is the only thing that worked for me, the DOCKER_OPTS didn't have any effect

Diman
4

Docker 1.12.1

For CentOS 7.2

/usr/lib/systemd/system/docker.service

```
#ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd --insecure-registry my-docker-registry.com:5000
```

For ubuntu 16.04

/lib/systemd/system/docker.service

```
#ExecStart=/usr/bin/dockerd -H fd://
ExecStart=/usr/bin/dockerd --insecure-registry my-docker-registry.com:5000 -H fd://
```

```
sudo systemctl stop docker
sudo systemctl daemon-reload
sudo systemctl start docker
```

It seems the --insecure-registry option may be used both with and without the "=" between it and the registry ID.

tedwards
2

I found that docker client version and registry docker version has to match up, else you would run into connectivity issues, despite having everything in place.

Saikrishna Rao
2

Two-step solution (without `--insecure-registry`):

  1. Download public key from your registry
  2. Put it into /etc/docker/certs.d/$HOSTNAME/ directory

```
mkdir -p /etc/docker/certs.d/10.0.0.26:5000
echo -n | openssl s_client -connect 10.0.0.26:5000 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /etc/docker/certs.d/10.0.0.26:5000/registry.crt
```

Now your docker will trust your self-signed certificate.

vp_arth
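
An added example, not part of the answer above: the one-liner trusts whatever certificate the network returns at the moment it runs, so this variant installs the certificate only when its SHA-256 fingerprint matches a value read on the registry host and passed over a separate channel. The function names are hypothetical; the target path `/etc/docker/certs.d/<host:port>/ca.crt` is the one named in the error message in the question.

```sh
#!/bin/sh
# Added example: pin a registry certificate by fingerprint before trusting it.

# normalize_fp: "SHA256 Fingerprint=AB:CD:..." or "ab cd ..." -> bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# fp_matches EXPECTED ACTUAL: true only for two equal, full-length SHA-256 values.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    case $a in *[!0-9a-f]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# pin_registry_ca HOST:PORT EXPECTED_FINGERPRINT
# Fetches the served certificate, compares fingerprints, installs on match only.
pin_registry_ca() {
    reg=$1; want=$2
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$reg" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$tmp" 2>/dev/null
    got=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256 2>/dev/null)
    if fp_matches "$want" "$got"; then
        mkdir -p "/etc/docker/certs.d/$reg" &&
            install -m 0644 "$tmp" "/etc/docker/certs.d/$reg/ca.crt"
        rc=$?
    else
        echo "fingerprint mismatch for $reg: got $(normalize_fp "$got")" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Runs only when invoked as: script HOST:PORT FINGERPRINT (needs root to write /etc/docker).
if [ "$#" -eq 2 ]; then pin_registry_ca "$1" "$2"; fi
```

The expected fingerprint comes from running `openssl x509 -in <certificate file> -noout -fingerprint -sha256` on the registry host itself, where the certificate file is wherever that registry keeps it.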
1

This is based on the answer from vikas027 on Centos 7 and Docker 1.12

Since I am behind a proxy my full solution was ...

/etc/systemd/system/docker.service.d/http-proxy.conf

```
[Service]

Environment="FTP_PROXY={{MY_PROXY}}"
Environment="ftp_proxy={{MY_PROXY}}"

Environment="HTTPS_PROXY={{MY_PROXY}}"
Environment="https_proxy={{MY_PROXY}}"

Environment="HTTP_PROXY={{MY_PROXY}}"
Environment="http_proxy={{MY_PROXY}}"

Environment="NO_PROXY=localhost,127.0.0.1,{{MY_INSECURE_REGISTRY_IP}}"
Environment="no_proxy=localhost,127.0.0.1,{{MY_INSECURE_REGISTRY_IP}}"
```

/usr/lib/systemd/system/docker.service

```
ExecStart=/usr/bin/dockerd --insecure-registry {{MY_INSECURE_REGISTRY_IP}}:5000
```

and don't forget to restart :)

```
sudo systemctl daemon-reload; sudo systemctl restart docker;
```

danday74
0

Setting Local insecure registry in docker along with proxy:

1) in ubuntu add the following flag --insecure-registry IP:port under DOCKER_OPTS in file /etc/default/docker

1.1) configure no_proxy env variable to bypass local IP/hostname/domainname...as proxy can throw an interactive msg ...like continue and this intermediate msg confuses docker client and finally times out...

1.2) if domainname is configured...then don't forget to update /etc/hosts file if not using DNS.

1.3) in /etc/default/docker set the env variables http_proxy and https_proxy...as it enables to download images from outside company hubs. format http_proxy=http://username:password@proxy:port

2) restart the docker service...if installed as service, use sudo service docker restart

3) restart the registry container [sudo docker run -p 5000:5000 registry:2 ]

4) tag the required image using sudo docker tag imageid IP:port/imagename/tagname ifany

5) push the image ...sudo docker push ip:port/imagename

6) If u want to pull the image from another machine say B without TLS/SSL, then in B apply steps 1, 1.1 and 2. If these changes are not done in machine B...pull will fail.

Ragha
0

To save you hassle, why don't you just use the FREE private docker registry service provided by gitlab - works great

https://about.gitlab.com/2016/05/23/gitlab-container-registry/

Their registry is secure so you won't have any issues

danday74
0

Ubuntu 16.04

Create (does not exist) file /etc/systemd/system/docker.service.d/registry.conf with contents:

```
[Service]
# You need the empty 'ExecStart=' below or you will get an error 'Service has more than one ExecStart= setting, which is only allowed'
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry 10.20.30.40:5000
```

then

```
sudo systemctl stop docker
sudo systemctl daemon-reload
sudo systemctl start docker
```

danday74
0

In addition to the above answers, I am adding what worked in "docker for mac" for me:

  1. Click on the docker whale icon from mac tray on top right corner of your screen.
  2. Click on Preferences -> Daemon.
  3. Add your IP and port to the insecure registries.
  4. Restart the Daemon.


paulina_glab
Parantap Sharma