Docker insecure registries issue on Windows Server 2016 #43051

Open
asif110 opened this issue Nov 29, 2021 · 5 comments

Comments

@asif110

asif110 commented Nov 29, 2021

This is my daemon.json at C:\ProgramData\docker\config. It did not exist originally, but I created it manually and copied the contents from my Windows 10 Pro config file.

{
  "allow-nondistributable-artifacts": [
    "myregistry:5000"
  ],
  "experimental": true,
  "insecure-registries": [
    "myregistry:5000"
  ],
  "hosts": [
    "npipe:////./pipe/docker_engine_windows"
  ]
}

I am pulling a pre-built image from the registry but keep getting the error.

Pulling myContainer (myregistry:5000/mycontainer:v1)...
ERROR: Get https://myregistry:5000/v2/: http: server gave HTTP response to HTTPS client

I even tried setting insecure registries from a command-line flag:

PS D:\workDir> dockerd --insecure-registry "myregistry:5000"
unable to configure the Docker daemon with file C:\ProgramData\docker\config\daemon.json: the following directives are specified both as a flag and in the configuration file: insecure-registries: (from flag: [myregistry:5000], from file: [myregistry:5000])

The registry server is Windows Server 2019.
The same settings work fine on my Windows 10 Pro machine. The only difference is that I have Docker Desktop installed on the Windows 10 machine. I am pretty new to Docker, so if I missed any info please let me know and I will edit my post and include it.

Edit: I am also creating and using a context

docker context create mycontext --docker "host=tcp://myregistry:2375"
docker context use mycontext

@thaJeztah
Member

I see there's a space before the registry name in your example; is that the actual config you're using? " myregistry:5000"

@thaJeztah
Member

Also, please provide more information as requested in the issue template that was shown when you opened this issue.

  • provide the output of docker version
  • provide the output of docker info
  • provide the exact steps to reproduce. If the steps to reproduce require custom images, or source code, provide a minimal test-case to reproduce. Keep in mind that we don't have access to your private images or source code. Without steps to reproduce, or a reproducible case it's unlikely that your issue can be resolved.

@asif110
Author

asif110 commented Dec 2, 2021

Sorry, my bad, that was a typo. I changed the names of the server to hide confidential information.
I added the insecure registry on the registry server itself, and it is working now. It is self-referencing; is there a better way to do it?
The required info, from the client, is below. I can get the same from the registry server, if required.

PS C:\temp> docker version
Client: Mirantis Container Runtime
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        40ef3b6
 Built:             08/19/2021 18:54:26
 OS/Arch:           windows/amd64
 Context:           myregistry
 Experimental:      true

Server: Mirantis Container Runtime
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.24)
  Go version:       go1.13.15
  Git commit:       e1bf5b9c13
  Built:            08/19/2021 18:53:20
  OS/Arch:          windows/amd64
  Experimental:     true

PS C:\temp> docker info
Client:
 Context:    myregistry
 Debug Mode: false
 Plugins:
  app: Docker Application (Docker Inc., v0.8.0)
  cluster: Manage Mirantis Container Cloud clusters (Mirantis Inc., v1.9.0)
  registry: Manage Docker registries (Docker Inc., 0.1.0)

Server:
 Containers: 7
  Running: 4
  Paused: 0
  Stopped: 3
 Images: 1277
 Server Version: 20.10.7
 Storage Driver: windowsfilter (windows) lcow (linux)
  Windows:
  LCOW:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: inactive
 Default Isolation: process
 Kernel Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
 Operating System: Windows Server 2019 Standard Version 1809 (OS Build 17763.2114)
 OSType: windows
 Architecture: x86_64
 CPUs: 20
 Total Memory: 255.7GiB
 Name: MYREGISTRY
 ID: 6IGJ:ZR7K:5FYE:QG3S:DGMS:J5QV:3UQV:J2QQ:I2XS:MTAX:S3AG:LODT
 Docker Root Dir: C:\ProgramData\docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  myregistry:5000
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/

@thaJeztah
Member

> Sorry my bad, that was a typo. I changed names of the server to hide confidential information

Ah, thanks! I somewhat "assumed" that was the case (but it wouldn't be the first time a minor thing like that was the actual issue, so thought I'd check 👍)

> I added the insecure registry on the registry server itself, and it is working now.

Could you explain this a bit more? The daemon.json is used by the daemon so, yes, it's expected to be configured on the server where the daemon runs (if that's what you meant).

I notice the warning in your output; if this server is accessible, please make sure to secure the remote API, as it allows full control over the host (mis-configured APIs are actively being exploited).

WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information: https://docs.docker.com/go/attack-surface/
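
The settings discussed in this thread can be checked mechanically before the daemon is restarted. The following is an added example, not part of the original thread and not Docker or Mirantis tooling: the function name, the severity labels and the sample config are assumptions made here, and the sample deliberately includes a leading space and an unencrypted `tcp://` host so that each check fires.

```python
import json

# Constructed sample modelled on the daemon.json in this thread. The leading
# space and the tcp:// host are added here so that every check fires.
SAMPLE = r'''{
  "insecure-registries": [" myregistry:5000"],
  "hosts": ["npipe:////./pipe/docker_engine_windows", "tcp://0.0.0.0:2375"]
}'''

# dockerd flags and the daemon.json keys they collide with
FLAG_TO_KEY = {"--insecure-registry": "insecure-registries",
               "--host": "hosts", "-H": "hosts"}


def audit_daemon_config(text, cli_flags=()):
    """Return (severity, message) findings for the text of a daemon.json."""
    cfg = json.loads(text)
    findings = []

    for reg in cfg.get("insecure-registries", []):
        if reg != reg.strip():
            findings.append(("error", f"registry entry {reg!r} has stray whitespace"))
        findings.append(("warn", f"{reg.strip()}: pulls use plain HTTP or unverified TLS"))

    # Without tlsverify the daemon does not authenticate API clients.
    tls_verified = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not tls_verified:
            findings.append(("error", f"{host}: remote API on TCP without tlsverify"))

    # dockerd refuses to start when a directive is set by flag and by file.
    for flag in cli_flags:
        key = FLAG_TO_KEY.get(flag)
        if key in cfg:
            findings.append(("error", f"{key} set both by {flag} and in daemon.json"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_daemon_config(SAMPLE, ["--insecure-registry"]):
        print(f"{severity:5} {message}")
```

A config that lists only a `tcp://` host together with `"tlsverify": true` and no insecure registries produces no findings.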

@asif110
Author

asif110 commented Dec 4, 2021

> Could you explain this a bit more? The daemon.json is used by the daemon so, yes, it's expected to be configured on the server where the daemon runs (if that's what you meant).

Yes, but I shouldn't have to specify the server itself in the insecure registry.
I have edited the version and info dumps to change the server name to myregistry.

Insecure Registries:
  myregistry:5000
  127.0.0.0/8
