registry: default --insecure-registry to localhost and 127.0.0.1 #8898
2b70fc7 to a32d03b
Please add some documentation about this special case.
I restarted the drone build
do we want to move forward with this? (i.e: would you consider merging if I make the doc changes)
What about ::1?
@mmdriley good catch, wondering if this works at all with
+1
I'm NO on this. I prefer secure-by-default. Note that our use of TLS here is not for protocol security, i.e. to prevent MITM, but for host verification. It verifies that the registry is trusted by the daemon and the systems administrator. There seem to be good workarounds to this including setting '--insecure-registry localhost' and making localhost-with-TLS easier to deploy out of the box.
Yes, but that's not something that's easy to control with boot2docker today, or with the current registry. So current users of the docker (1.3.1) + boot2docker + registry might be broken for a while.
Sorry @ewindisch I'll have to merge this, this is a stopgap, and has no UI change compared to 1.3.1. We can revert it for 1.4 once we have a better user experience, like putting a URL to a page explaining how to set up a TLS private registry. We would update that page to have a one-liner like LGTM @proppy rebase please
a32d03b to 0c1f4f5
rebased PTAL
Signed-off-by: Johan Euphrosine <proppy@google.com>
0c1f4f5 to 887f466
added DCO
hey @proppy I'm going to carry this.
Closing this, please review over at #9124
Secure localhost registry (carry of #8898)
I have to run this command every time I start boot2docker to fix this issue:
Not sure it's the best way to do this, since opt.ListVar has no defaults.
Fixes #8889 #8887
Also added some tests for registry.IsSecure
This PR makes the daemon treat localhost and 127.0.0.1 as part of the insecureRegistries whitelist, if the said list is empty.
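
The default described above, sketched in Go as an added example that is not the code from this PR: `isSecure`, `hostOnly` and `defaultInsecure` are hypothetical names, and matching entries on host without port is an assumption. It shows two consequences of the rule as worded: `::1`, raised earlier in the thread, is not covered by the two defaults, and passing any explicit entry replaces the defaults rather than extending them.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// defaultInsecure mirrors the PR description: applied only when the operator
// supplied no --insecure-registry values. Hypothetical name.
var defaultInsecure = []string{"localhost", "127.0.0.1"}

// hostOnly strips an optional :port and IPv6 brackets from a registry address.
func hostOnly(registry string) string {
	if h, _, err := net.SplitHostPort(registry); err == nil {
		return h
	}
	return strings.Trim(registry, "[]")
}

// isSecure reports whether TLS verification is enforced for the registry.
// Assumption: entries are matched on host only, ignoring the port.
func isSecure(registry string, insecure []string) bool {
	if len(insecure) == 0 {
		insecure = defaultInsecure
	}
	host := hostOnly(registry)
	for _, entry := range insecure {
		if host == hostOnly(entry) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample addresses.
	samples := []string{"localhost:5000", "127.0.0.1:5000", "[::1]:5000", "registry.example.com"}
	for _, r := range samples {
		fmt.Printf("%-22s no flag: secure=%v  with one explicit entry: secure=%v\n",
			r, isSecure(r, nil), isSecure(r, []string{"registry.example.com"}))
	}
}
```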