
registry: default --insecure-registry to localhost and 127.0.0.1 #8898

Closed · wants to merge 2 commits

Conversation

proppy
Contributor

@proppy proppy commented Oct 31, 2014

Not sure it's the best way to do this, since opt.ListVar has no defaults.

Fixes #8889 #8887

Also added some tests for registry.IsSecure

This PR makes the daemon treat localhost and 127.0.0.1 as part of the insecureRegistries whitelist, if the said list is empty.

@tiborvass
Contributor

Ping @ewindisch @unclejack @dmp42 @dmcgowan

@SvenDowideit
Contributor

Please add some documentation about this special case.

@crosbymichael
Contributor

I restarted the drone build

@proppy
Contributor Author

proppy commented Nov 5, 2014

Do we want to move forward with this? (i.e. would you consider merging if I make the doc changes?)

@mmdriley
Contributor

mmdriley commented Nov 6, 2014

What about ::1?

@proppy
Contributor Author

proppy commented Nov 6, 2014

@mmdriley good catch, wondering if this works at all with docker pull ::1/foo.

@thockin
Contributor

thockin commented Nov 6, 2014

+1

@ewindisch
Contributor

I'm NO on this. I prefer secure-by-default.

Note that our use of TLS here is not for protocol security, i.e. to prevent MITM, but for host verification. It verifies that the registry is trusted by the daemon and the systems administrator.

There seem to be good workarounds to this including setting '--insecure-registry localhost' and making localhost-with-TLS easier to deploy out of the box.

@proppy
Contributor Author

proppy commented Nov 10, 2014

There seem to be good workarounds to this including setting '--insecure-registry localhost' and making localhost-with-TLS easier to deploy out of the box.

Yes, but that's not something that's easy to control with boot2docker today, or with the current registry. So current users of the docker (1.3.1) + boot2docker + registry might be broken for a while.

@tiborvass
Contributor

Sorry @ewindisch, I'll have to merge this; it's a stopgap and has no UI change compared to 1.3.1. We can revert it for 1.4 once we have a better user experience, like putting a URL to a page explaining how to set up a TLS private registry. We would update that page to have a one-liner like $(docker run -v /etc/docker/certs.d:/certs.d registry:tls).

LGTM @proppy rebase please

@proppy
Contributor Author

proppy commented Nov 12, 2014

rebased PTAL

2 commits, each Signed-off-by: Johan Euphrosine <proppy@google.com>
@proppy
Contributor Author

proppy commented Nov 12, 2014

added DCO

@erikh
Contributor

erikh commented Nov 12, 2014

hey @proppy I'm going to carry this.

@erikh
Contributor

erikh commented Nov 12, 2014

Closing this, please review over at #9124

@erikh erikh closed this Nov 12, 2014
erikh pushed a commit that referenced this pull request Nov 12, 2014
Secure localhost registry (carry of #8898)
@CleanCut

I have to run this command every time I start boot2docker to fix this issue:

boot2docker ssh 'sudo sh -c "echo \"EXTRA_ARGS=\\\"--insecure-registry 10.0.0.0/8\\\"\" > /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"'
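
The thread touches three behaviours of the insecure-registry whitelist: an empty list falling back to the loopback names (proppy's description), whether an IPv6 loopback like ::1 is covered (mmdriley's question), and whitelisting a whole network such as 10.0.0.0/8 (CleanCut's boot2docker workaround). The block below is an added illustration written for this page, not Docker's registry.IsSecure or any code from the PR; the function name IsSecure, the defaultInsecure list (which adds ::1 as an assumption the PR itself did not make), and the hostPart helper are all hypothetical. It models one consistent way the check could behave: an explicit list replaces the defaults rather than extending them, and a CIDR entry matches only registries given as IP literals, so 10.0.0.0/8 would not cover a registry addressed as localhost:5000.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultInsecure is an assumption for this example: the loopback names the
// daemon would treat as insecure when no --insecure-registry was given.
// The PR covered localhost and 127.0.0.1; ::1 is added here as discussed.
var defaultInsecure = []string{"localhost", "127.0.0.1", "::1"}

// hostPart strips an optional ":port" from a registry address. IPv6 literals
// with a port arrive bracketed ("[::1]:5000"); a bare "::1" has no port and
// SplitHostPort rejects it, so we fall back to the trimmed input.
func hostPart(addr string) string {
	if h, _, err := net.SplitHostPort(addr); err == nil {
		return h
	}
	return strings.Trim(addr, "[]")
}

// IsSecure reports whether the daemon must require TLS for registryAddr.
// insecure is the --insecure-registry list; an empty list falls back to
// defaultInsecure. Entries may be a hostname, an IP (optionally with a
// port), or a CIDR block. CIDR entries only match IP-literal registries.
func IsSecure(registryAddr string, insecure []string) bool {
	if len(insecure) == 0 {
		insecure = defaultInsecure
	}
	host := hostPart(registryAddr)
	ip := net.ParseIP(host) // nil when the registry is given by name

	for _, entry := range insecure {
		// CIDR entry: match by address range.
		if _, ipnet, err := net.ParseCIDR(entry); err == nil {
			if ip != nil && ipnet.Contains(ip) {
				return false
			}
			continue
		}
		// Hostname or IP entry: exact match on the host part, ignoring case
		// for names and normalising IPv4/IPv6 textual forms for addresses.
		entryHost := hostPart(entry)
		if strings.EqualFold(entryHost, host) {
			return false
		}
		if ip != nil {
			if eip := net.ParseIP(entryHost); eip != nil && eip.Equal(ip) {
				return false
			}
		}
	}
	return true
}

func main() {
	cases := []struct {
		registry string
		list     []string
	}{
		{"localhost:5000", nil},
		{"[::1]:5000", nil},
		{"registry.example.com", nil},
		{"localhost:5000", []string{"registry.example.com"}},
		{"10.1.2.3:5000", []string{"10.0.0.0/8"}},
		{"localhost:5000", []string{"10.0.0.0/8"}},
	}
	for _, c := range cases {
		fmt.Printf("registry=%-24s list=%-28v secure=%v\n",
			c.registry, c.list, IsSecure(c.registry, c.list))
	}
}
```

The last two cases are the caveat worth noticing: a CIDR whitelist covers the boot2docker VM's 10.x address but not the same registry reached as localhost, and giving any explicit list (even one unrelated to loopback) switches the loopback defaults off, which is the "no UI change" property the thread relies on only while the list stays empty.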


Successfully merging this pull request may close these issues.

--insecure-regitsry, request for way to enable for all registries, without listing each registry.
10 participants