How to change the default docker registry from docker.io to my private registry #33069

Closed
akb2017 opened this Issue May 7, 2017 · 13 comments

7 participants
@akb2017

akb2017 commented May 7, 2017

Is there any way to set the default registry to my private registry instead of docker.io?
Actually my need is -->
I am using Nexus Repository Manager as my private registry for Docker. There I created a repository for Docker Hub, so now I want it to pull directly from my private registry when I run the command --> docker pull ubuntu
Is there any way?

@cpuguy83

Contributor

cpuguy83 commented May 8, 2017

You can configure docker with a registry mirror, but you can't change the default currently.
Here are the docs for that: https://docs.docker.com/registry/recipes/mirror/

@cpuguy83 cpuguy83 closed this May 8, 2017

@akb2017

akb2017 commented May 8, 2017

ok thank you

@ArcticSnowman

ArcticSnowman commented Dec 19, 2017

Please change this, as it's a feature break from 1.13... and prevents us from moving to 17.*

@cpuguy83

Contributor

cpuguy83 commented Dec 19, 2017

@ArcticSnowman Change what? Docker has never had the feature to change the default registry. Perhaps you were using RedHat's fork?

@ArcticSnowman

ArcticSnowman commented Dec 19, 2017

OK, I just found out that 'add-registry' was a forked feature. Darn it... It has proven very useful and makes writing Dockerfiles easier for us.

@mikekuzak

mikekuzak commented Mar 5, 2018

This is a huge security risk. What if someone starts pulling the Kali Docker distro inside the company?
Of course we can firewall stuff, but only to a certain extent.

@edupo

edupo commented Mar 14, 2018

I think this is a useful feature, since at company level it is normal to have an internal registry that also caches Docker Hub but allows developers to push their own containers.
Making the default source configurable, you allow people to break the vendor lock-in of Docker itself.

All package management systems allow you to configure the default source, but Docker does not allow the open source community to do it?

Edit:
The true freedom is also choosing your sources, even if it is a security risk...

@mikekuzak

mikekuzak commented Mar 14, 2018

I meant it is a security risk having Docker Hub as the default that you cannot change to an internal repo which is locked down.

@edupo

edupo commented Mar 14, 2018

You guys know if there is any open-source fork of docker implementing this?

@cpuguy83

Contributor

cpuguy83 commented Mar 14, 2018

If you want to have a pull-through mirror, then you can set that up with docker today by setting a --registry-mirror in the daemon config. There are some issues still with mirroring of private registries, but this is being worked on actively.

The problem is that, due to early design decisions, an image name (e.g. ubuntu) is tied to its source location (in this case, the source location is prepended). Changing the "default source" breaks the trust established by naming conventions (even if it's not a good design to begin with).

What we want to do is have ubuntu resolve to a trusted digest (e.g. stored in a notary server) and then be able to pull an image by digest from any registry that happens to have that image digest. We really aren't too far from this reality today.

@cpuguy83

Contributor

cpuguy83 commented Mar 14, 2018

Also note that you can use containerd directly and resolve image names however you like, including using the standard docker resolver.

@edupo

edupo commented Mar 14, 2018

@cpuguy83 I tried your solution using --registry-mirror and it works for pulling, but not for pushing, and not if you need to docker login, because by default it tries to log in to https://registry-1.docker.io/v2/...
I will check containerd though.
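The two points made above (cpuguy83's explanation that a short name like ubuntu is always expanded to a docker.io location, and edupo's observation that a registry mirror covers pulls but not pushes or login) can be made concrete. The POSIX shell below is an added example written for this page, not code from the thread or from Docker itself. normalize_ref reimplements the daemon's reference normalisation rule: a leading path component counts as a registry only if it contains a dot or a colon or is exactly "localhost"; everything else is pinned to docker.io, single-component names get the "library/" namespace, and a missing tag or digest becomes ":latest". mirror_daemon_json emits the daemon.json fragment for a pull-through mirror; the mirror host nexus.example.com:8082 is a made-up placeholder.

```shell
#!/bin/sh
# Added example: Docker image reference normalisation and mirror config.
# This is illustrative code, not the Docker daemon's own source.

# normalize_ref REF -> prints the fully qualified reference the daemon
# would resolve. Mirrors or not, a bare "ubuntu" always means
# docker.io/library/ubuntu:latest; only an explicit host can change that.
normalize_ref() {
  ref=$1
  case "$ref" in
    */*)
      first=${ref%%/*}
      case "$first" in
        *.*|*:*|localhost) domain=$first; remainder=${ref#*/} ;;  # host-like
        *)                 domain=docker.io; remainder=$ref ;;    # a user namespace
      esac
      ;;
    *) domain=docker.io; remainder=$ref ;;                        # no slash at all
  esac
  # Official images on Docker Hub live under the "library" namespace.
  if [ "$domain" = docker.io ]; then
    case "$remainder" in
      */*) ;;
      *) remainder=library/$remainder ;;
    esac
  fi
  # Add the implicit :latest tag unless a tag or a @sha256: digest is present.
  case "$remainder" in
    *@*) ;;                                  # pinned by digest
    *)
      last=${remainder##*/}
      case "$last" in
        *:*) ;;                              # tag present
        *) remainder=$remainder:latest ;;
      esac
      ;;
  esac
  printf '%s/%s\n' "$domain" "$remainder"
}

# mirror_daemon_json URL -> the /etc/docker/daemon.json fragment for a
# pull-through mirror. The daemon consults the mirror only for references
# that normalise to docker.io; pushes and "docker login" without an explicit
# registry still go to Docker Hub, which is the limitation reported above.
mirror_daemon_json() {
  printf '{\n  "registry-mirrors": ["%s"]\n}\n' "$1"
}

# Constructed sample references, showing which ones a mirror would affect.
for ref in ubuntu ubuntu:18.04 myuser/tool localhost:5000/foo \
           nexus.example.com:8082/team/app:1.0; do
  full=$(normalize_ref "$ref")
  case "$full" in
    docker.io/*) via="via mirror" ;;
    *)           via="direct" ;;
  esac
  printf '%-40s -> %-45s (%s)\n' "$ref" "$full" "$via"
done
mirror_daemon_json https://nexus.example.com:8082
```

Running it shows that only the docker.io references are candidates for the mirror, and that nexus.example.com:8082/team/app:1.0 must be typed in full to reach the private registry, which is exactly the naming constraint the thread is about.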

@gnydick

gnydick commented Oct 25, 2018

This is a ridiculous decision to not support alternate default registries. Oh, I'm sorry, we've decided git will only default to github.com going forward, so every time you git pull or push, you have to type the remote origin fq-repo. (Yeah, yeah, I know the fq-repo is stored locally in the config, that's not the point)

Come on, this is not a security risk. You really think someone is going to hijack stuff accidentally or maliciously? Ever heard of running your own DNS internally so you can have nice and convenient short urls that are meaningful?

It's time someone went old school Linus on your asses to say just how stupid this is. You aren't going to break any compatibility by supporting this. The fact that "ubuntu" means "ubuntu" on docker.io is just a default. If you want a different default but still want docker.io/ubuntu, then you have to type it out. It's sooo much more security minded to require an fq-repo for public things than for your private things. FFS - if I want dev, qa, and prod repos, I should be able to have that rather than having to tag things as <account_num>.dkr.ecr.us-west-2.amazonaws.com/foo:bar. That's so clunky.

There's no real trust, as anyone who is allowed to contribute to that repo can upload anything they want. Docker.io doesn't curate the content, they're just a repo, like github. On top of that, it's standard practice for engineering organizations to audit the open source stuff they use for security and lock to known, safe versions, as well as just known well behaving versions. People don't operate in "latest" land if they know what they're doing.