docker-archive / docker-registry

This is **DEPRECATED**! Please go to https://github.com/docker/distribution
Apache License 2.0

please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments #1005

Open arnos opened 9 years ago

arnos commented 9 years ago

The docker instructions simply don't work.

Ubuntu 15.04, docker version 1.6.1

I've modified the docker service file

$ sudo vim /etc/init.d/docker
 # added --insecure-registry 172.27.25.59:5000 to the docker opts
DOCKER_OPTS=--insecure-registry 172.27.25.59:5000

restarted the service to no avail (sudo service docker restart)

I've followed the instructions for deploying the 2.0 registry with a TLS enabled https://docs.docker.com/registry/deploying/

and copied the generated crt file to /etc/docker/certs.d/172.27.25.59:5000/ca.crt and still I get the same error spit

 $ docker push 172.27.25.59:5000/nginx
FATA[0000] Error response from daemon: v1 ping attempt failed with error: Get https://172.27.25.59:5000/v1/_ping: dial tcp 172.27.25.59:5000: connection refused. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.27.25.59:5000/ca.crt

And yet when you docker push localhost:5000/nginx it works like a charm (with TLS or without)

This is extremely frustrating to setup as the default instructions for the docker registry don't use TLS.

joda70 commented 9 years ago

About CA please have a look at http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html

eaoliver commented 9 years ago

I'm seeing this problem with the latest Docker registry image. It seems to have broken overnight.

dmp42 commented 9 years ago

@arnos can you copy the output of:

Can you also copy the output of your docker daemon logs (preferably ran in debug mode: -D)

Thanks.

dmp42 commented 9 years ago

@eaoliver are you referring to the image registry:2? or registry:latest?

eaoliver commented 9 years ago

@dmp42 I have tested both registry:2.0.1 and registry:latest.

dmp42 commented 9 years ago

@eaoliver registry:latest is still pointing to the python registry, which is this one repository here.

registry:2 is now the recommended way to go, and lives in https://github.com/docker/distribution

@eaoliver can you clarify what's wrong in your case?

@arnos problem is that his registry is probably not listening on the public interface (dial tcp 172.27.25.59:5000: connection refused)

Yours might very well be different, but I have no way to know without logs.

arnos commented 9 years ago

I'll test it out on Monday.

xiakunhou commented 9 years ago

I added DOCKER_OPTS="$DOCKER_OPTS --insecure-registry=10.27.19.230:5000" to /etc/default/docker file. All works well. You are using a wrong file. init.d folder is used for service.

arnos commented 9 years ago

Sorry crazy week last week

starting from a clean vmdocker

I've followed @XiaokunHou's advice but I am still getting the same error when running "docker run -d -p 5000:5000 registry:latest"

still getting the same error it's as if it's not even trying to ping the http port and just goes for https

FATA[0004] Error response from daemon: v1 ping attempt failed with error: Get https://172.27.25.59:5000/v1/_ping: EOF. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 172.27.25.59:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/172.27.25.59:5000/ca.crt

and yes curl -1 http://172.27.25.59:5000/v1/_ping works fine and produces the expected result

HTTP/1.1 200 OK
Server: gunicorn/19.1.1
Date: Mon, 01 Jun 2015 13:35:05 GMT
Connection: keep-alive
X-Docker-Registry-Config: dev
Expires: -1
X-Docker-Registry-Standalone: True
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: 1540

{"host": ["Linux", "57b42740ea63", "3.19.0-16-generic", "#16-Ubuntu SMP Thu Apr 30 16:09:58 UTC 2015", "x86_64", "x86_64"], "launch": ["/usr/local/bin/gunicorn", "--access-logfile", "-", "--error-logfile", "-", "--max-requests", "100", "-k", "gevent", "--graceful-timeout", "3600", "-t", "3600", "-w", "4", "-b", "0.0.0.0:5000", "--reload", "docker_registry.wsgi:application"], "versions": {"M2Crypto.m2xmlrpclib": "0.22", "SocketServer": "0.4", "argparse": "1.1", "backports.lzma": "0.0.3", "blinker": "1.3", "cPickle": "1.71", "cgi": "2.6", "ctypes": "1.1.0", "decimal": "1.70", "distutils": "2.7.6", "docker_registry.app": "0.9.1", "docker_registry.core": "2.0.3", "docker_registry.server": "0.9.1", "email": "4.0.3", "flask": "0.10.1", "gevent": "1.0.1", "greenlet": "0.4.7", "gunicorn": "19.1.1", "gunicorn.arbiter": "19.1.1", "gunicorn.config": "19.1.1", "gunicorn.six": "1.2.0", "jinja2": "2.7.3", "json": "2.0.9", "logging": "0.5.1.2", "parser": "0.5", "pickle": "$Revision: 72223 $", "platform": "1.0.7", "pyexpat": "2.7.6", "python": "2.7.6 (default, Mar 22 2014, 22:59:56) \n[GCC 4.8.2]", "re": "2.2.1", "redis": "2.10.3", "requests": "2.3.0", "requests.packages.chardet": "2.2.1", "requests.packages.urllib3": "dev", "requests.packages.urllib3.packages.six": "1.2.0", "requests.utils": "2.3.0", "simplejson": "3.6.2", "sqlalchemy": "0.9.4", "tarfile": "$Revision: 85213 $", "urllib": "1.17", "urllib2": "2.7", "werkzeug": "0.10.4", "xml.parsers.expat": "$Revision: 17640 $", "xmlrpclib": "1.0.1", "yaml": "3.11", "zlib": "1.0"}}

running either curl -i https://localhost:5000/v2 or curl -i https://172.27.25.59:5000/v2 produces an error

curl: (35) Unknown SSL protocol error in connection to localhost:5000

the logs of the registry

[2015-06-01 13:25:48 +0000] [1] [INFO] Starting gunicorn 19.1.1
[2015-06-01 13:25:48 +0000] [1] [INFO] Listening at: http://0.0.0.0:5000 (1)
[2015-06-01 13:25:48 +0000] [1] [INFO] Using worker: gevent
[2015-06-01 13:25:48 +0000] [14] [INFO] Booting worker with pid: 14
[2015-06-01 13:25:48 +0000] [15] [INFO] Booting worker with pid: 15
[2015-06-01 13:25:48 +0000] [18] [INFO] Booting worker with pid: 18
[2015-06-01 13:25:48 +0000] [19] [INFO] Booting worker with pid: 19
01/Jun/2015:13:25:48 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:48 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Cache storage disabled!
01/Jun/2015:13:25:49 +0000 WARNING: LRU cache disabled!
01/Jun/2015:13:25:49 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
01/Jun/2015:13:25:49 +0000 WARNING: Another process is creating the search database
172.17.42.1 - - [01/Jun/2015:13:26:36 +0000] "GET / HTTP/1.1" 200 28 "-" "curl/7.38.0"
172.17.42.1 - - [01/Jun/2015:13:26:52 +0000] "GET /v2 HTTP/1.1" 404 233 "-" "curl/7.38.0"
172.27.25.59 - - [01/Jun/2015:13:29:47 +0000] "GET /v1/_ping HTTP/1.1" 200 1540 "-" "curl/7.38.0"

running curl -i http://localhost:5000/v2 or curl -i http://172.27.25.59:5000/v2 produces a 404

HTTP/1.1 404 NOT FOUND
Server: gunicorn/19.1.1
Date: Mon, 01 Jun 2015 13:34:13 GMT
Connection: keep-alive
Content-Type: text/html
Content-Length: 233

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server.  If you entered the URL manually please check your spelling and try again.</p>

arnos commented 9 years ago

I tried various changes in the /etc/defaults/docker file as well

it doesn't seem to work with any of:

--insecure-registry http://172.27.25.59:5000
--insecure-registry=172.27.25.59:5000
--insecure-registry 172.27.25.59:5000

xiakunhou commented 9 years ago

you should add these lines in client docker machine, rather than the registry host machine. Add it and restart service. http://stackoverflow.com/questions/27792969/using-private-registry-hosted-on-docker/30478338#30478338

arnos commented 9 years ago

right now the host and client are one and the same.


dotNetDR commented 9 years ago

In my CentOS Linux release 7.1.1503 (Core) The following configuration is working.

file: /lib/systemd/system/docker.service text:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target docker.socket
Requires=docker.socket

[Service]
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d $other_args -H fd://
MountFlags=slave
LimitNOFILE=1048576
LimitNPROC=1048576
LimitCORE=infinity

[Install]
WantedBy=multi-user.target

check here >> EnvironmentFile=-/etc/sysconfig/docker
check here >> ExecStart=/usr/bin/docker -d $other_args -H fd://


file: /etc/sysconfig/docker text:

# /etc/sysconfig/docker
#
# Other arguments to pass to the docker daemon process
# These will be parsed by the sysv initscript and appended
# to the arguments list passed to docker -d

other_args="--insecure-registry yoururl"

set registry address >> other_args="--insecure-registry yoururl"


# systemctl start docker

# docker version
Client version: 1.7.0
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 0baf609
OS/Arch (client): linux/amd64
Server version: 1.7.0
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 0baf609
OS/Arch (server): linux/amd64

wharsojo commented 8 years ago

here's the steps I do using docker-machine to run docker private registry:

 ~$ docker-machine create dev -d virtualbox
 ~$ docker-machine ssh dev
 docker@dev:~$

add host-name in "/etc/hosts":

 docker@dev:~$ sudo vi /etc/hosts 
 127.0.0.1 localhub

update profile env. variable "EXTRA_ARGS" in "/var/lib/boot2docker/profile" add "--insecure-registry localhub:5000"

 docker@dev:~$ sudo vi /var/lib/boot2docker/profile
 EXTRA_ARGS='
 --label provider=virtualbox
 --insecure-registry localhub:5000
 '

create folder to host the images:

 docker@dev:~$ sudo mkdir /mnt/sda1/registry
 docker@dev:~$ sudo chown docker:staff /mnt/sda1/registry
 docker@dev:~$ exit

exit and back to my mac console & run private registry:

 ~$ docker run -p 5000:5000 -v /mnt/sda1/registry:/tmp/registry -e GUNICORN_OPTS='["--preload"]' --restart=always --name=registry registry

open another iterm, pull "hello-world", create another tag "localhub:5000/hello-world" and push it to private registry:

 ~$ docker pull hello-world
 ~$ docker tag hello-world localhub:5000/hello-world
 ~$ docker push localhub:5000/hello-world

try to use hello-world from private registry:

 ~$ docker run localhub:5000/hello-world

screenshot (gif-animation): docker-private-registry

your first comment in this issue mentioned:

DOCKER_OPTS=--insecure-registry 172.27.25.59:5000

it should be:

DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"

zync-mzy commented 8 years ago

your first comment in this issue mentioned:

DOCKER_OPTS=--insecure-registry 172.27.25.59:5000

it should be:

DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"

I met the same problem. Without quotation marks, the parameters took no effect. Simply adding quotation marks fixed the issue.
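The quoting behaviour discussed in the comments above, as an added example that is not part of the thread: the shell parses the unquoted line as "run the command `172.27.25.59:5000` with `DOCKER_OPTS` set only for that command", so nothing is left in the variable. The function names and the two sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example. Both defaults files below are constructed samples.

# Print the DOCKER_OPTS value left in a shell after sourcing file $1.
# Sourcing executes the file, so only point this at files you trust.
effective_opts() {
    (
        set +e               # a failing line must not abort the subshell
        unset DOCKER_OPTS
        . "$1" 2>/dev/null   # the "not found" error is discarded here
        printf '%s' "${DOCKER_OPTS-}"
    )
}

# Static check that does not execute the file: print "N:line" for every
# assignment whose unquoted value is followed by another word.
# Returns 1 when at least one such line exists, 0 otherwise.
lint_unquoted() {
    if grep -nE "^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=[^\"'[:space:]][^[:space:]]*[[:space:]]+[^[:space:]#]" "$1"
    then return 1
    fi
    return 0
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# The line from the first comment: the shell reads it as
# "run the command 172.27.25.59:5000 with DOCKER_OPTS=--insecure-registry".
printf '%s\n' 'DOCKER_OPTS=--insecure-registry 172.27.25.59:5000' > "$tmp/unquoted"
# The quoted form: one assignment, the whole string is the value.
printf '%s\n' 'DOCKER_OPTS="--insecure-registry 172.27.25.59:5000"' > "$tmp/quoted"

for name in unquoted quoted; do
    printf '%s: DOCKER_OPTS=[%s]\n' "$name" "$(effective_opts "$tmp/$name")"
    lint_unquoted "$tmp/$name" || printf '  flagged: value must be quoted\n'
done
```

The static check is the safer one to run against a real defaults file, since it never executes the file's content.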

ozbillwang commented 8 years ago

Thanks, @wharsojo

Your solution works with docker toolbox. The only adjustment is on this line in /var/lib/boot2docker/profile

--insecure-registry 192.168.99.100:5000

coldfire-x commented 8 years ago

this works. You SHOULD add these opts at /var/lib/boot2docker/profile

thanks, this really sucks.

coldfire-x commented 8 years ago

@wharsojo thanks

took two more hours for this issue.

niclarcipretti commented 8 years ago

Anyone knows how to add --insecure-registry in windows virtualized solution? I don't want to modify my VM files cause whenever I upgrade it, all will be lost. I think this should be parametrized in the init script (start.sh maybe?).

Cheers

coldfire-x commented 8 years ago

@niclarcipretti you can open the virtualbox client , double click the running vm, input your username/password, it should be ok to go.

raghakk commented 8 years ago

Setting Local insecure registry in docker along a proxy:

1) in ubuntu add the following flag --insecure-registry IP:port under DOCKER_OPTS in file /etc/default/docker

1.1) configure no_proxy env variable to bypass local IP/hostname/domainname...as proxy can throw an interactive msg ...like continue and this intermediate msg confuses docker client and finally times out...[symptom observed: push done will not reach the registry service whose port is open at 5000]

1.2) if domainname is configured...then don't forget to update /etc/hosts file if not using DNS.

1.3) in /etc/default/docker set the env variables http_proxy and https_proxy...as it enables to download images from outside company hubs. format http_proxy=http://username:password@proxy:port

2) restart the docker service...if installed as service, use sudo service docker restart

3) restart the registry container [sudo docker run -p 5000:5000 registry:2 ]

4) tag the required image using sudo docker tag imageid IP:port/imagename/tagname ifany

5) push the image ...sudo docker push ip:port/imagename

6) If you want to pull the image from another machine, say B, without TLS/SSL, then in B apply steps 1, 1.1 and 2. If these changes are not done in machine B...pull will fail.

prashantabkari commented 7 years ago

I am facing the same issue, hence not opening a new issue. Following are the details. Master Node on which the registry is installed:

On the file /lib/systemd/system/docker.service

EnvironmentFile=-/etc/sysconfig/docker
EnvironmentFile=-/etc/sysconfig/docker-storage
EnvironmentFile=-/etc/sysconfig/docker-network
Environment=GOTRACEBACK=crash
ExecStart=/usr/bin/docker-current daemon \
          --exec-opt native.cgroupdriver=systemd \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY

the file /etc/sysconfig/docker has following contents

OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi

INSECURE_REGISTRY='--insecure-registry 10.143.219.59:5000'

When I try to do docker pull 10.143.219.59:5000/hello-world it fails.

How to set up an insecure registry? Also the documentation in https://docs.docker.com/registry/deploying/ doesn't specify where exactly we need to run these commands. On the registry host or the remote host?

zrml commented 7 years ago

@prashantabkari those commands are to run on the host supporting the registry you've just spun up. However I find that they ONLY work if you use "localhost". What I mean is:

- I can only push & pull if I use localhost
- if I use the hostname (fully dns'd) inside the VPN I cannot push the image to the registry
- if I use the ip address, again it's like the previous issue.

The error hints at the fact that my client uses https, which I have not told it to, nor is it set up as such.

$ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
7520415ce762: Pull complete
Digest: sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
Status: Downloaded newer image for busybox:latest

$ docker images
REPOSITORY             TAG      IMAGE ID       CREATED         SIZE
cache-sd               15       f7c0c8a91c4d   6 days ago      1.92 GB
busybox                latest   00f017a8c2a6   3 weeks ago     1.11 MB
registry               2        047218491f8c   3 weeks ago     33.2 MB
jjones028/apache-csp   latest   19402b7f7207   10 months ago   419 MB

$ docker tag busybox ub1604rel1:5000/me:1
$ docker images
REPOSITORY             TAG      IMAGE ID       CREATED         SIZE
cache-sd               15       f7c0c8a91c4d   6 days ago      1.92 GB
busybox                latest   00f017a8c2a6   3 weeks ago     1.11 MB
ub1604rel1:5000/me     1        00f017a8c2a6   3 weeks ago     1.11 MB
registry               2        047218491f8c   3 weeks ago     33.2 MB
jjones028/apache-csp   latest   19402b7f7207   10 months ago   419 MB

$ docker push ub1604rel1:5000/me:1
The push refers to a repository [ub1604rel1:5000/me]
Get https://ub1604rel1:5000/v1/_ping: http: server gave HTTP response to HTTPS client

Please note -again, that IF I do the above steps with "localhost" vs the hostname or the ip address it works.

d4rkd0s commented 6 years ago

I am on Fedora 28 and the solution I found was changing /etc/sysconfig/docker:

OPTIONS='--selinux-enabled --log-driver=journald --live-restore'

to

OPTIONS='--selinux-enabled --log-driver=journald --live-restore --insecure-registry 172.30.0.0/16'

replace 172.16.0.0/16 with whatever you are trying to add as insecure.

Keep in mind other solutions reference DOCKER_OPTS, which is no longer used, at least by how systemctl spins up my docker. I've installed with dnf install docker, and my /lib/systemd/system/docker.service contained the following:

ExecStart=/usr/bin/dockerd-current \
          --add-runtime oci=/usr/libexec/docker/docker-runc-current \
          --default-runtime=oci \
          --authorization-plugin=rhel-push-plugin \
          --containerd /run/containerd.sock \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          --init-path=/usr/libexec/docker/docker-init-current \
          --seccomp-profile=/etc/docker/seccomp.json \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY \
          $REGISTRIES

Where you can see it's OPTIONS that you'll want to change/add in your /etc/sysconfig/docker file instead of DOCKER_OPTS
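An added example, not part of the thread or of Docker's own code: a small audit of a daemon option string that lists every `--insecure-registry` exemption, accepts both flag spellings seen above, marks CIDR ranges (which exempt every address in the range from TLS verification), and notes entries that already have a `ca.crt` under the certs.d path named in the daemon's error message. The function names, the sample option string and the temporary certificate tree are constructed for this illustration.

```shell
#!/bin/sh
# Added example. The option string and certificate tree are constructed samples.

# Print each --insecure-registry value found in option string $1, one per
# line. Both spellings used in the thread are accepted.
insecure_entries() {
    set -f                  # do not glob-expand words of the option string
    set -- $1               # split the string into positional parameters
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            --insecure-registry=*)
                printf '%s\n' "${1#--insecure-registry=}" ;;
            --insecure-registry)
                if [ $# -ge 2 ]; then printf '%s\n' "$2"; shift; fi ;;
        esac
        shift
    done
}

# Classify entry $1 against certificate root $2 (normally /etc/docker/certs.d):
#   cidr   - exempts every registry address inside the range
#   has-ca - a ca.crt is installed, so an HTTPS registry needs no exemption
#   host   - single host exemption with no CA installed
classify_entry() {
    entry=${1#http://}
    case $entry in
        */[0-9]|*/[0-9][0-9]) printf 'cidr\n' ;;
        *)  if [ -f "$2/$entry/ca.crt" ]; then printf 'has-ca\n'
            else printf 'host\n'
            fi ;;
    esac
}

# Print "<class> <entry>" for every exemption in option string $1.
audit_opts() {
    insecure_entries "$1" | while IFS= read -r e; do
        printf '%s %s\n' "$(classify_entry "$e" "$2")" "$e"
    done
}

certs_root=$(mktemp -d)
trap 'rm -rf "$certs_root"' EXIT
mkdir -p "$certs_root/172.27.25.59:5000"
: > "$certs_root/172.27.25.59:5000/ca.crt"    # empty placeholder file

SAMPLE_OPTS='--selinux-enabled --log-driver=journald --insecure-registry 172.30.0.0/16 --insecure-registry=172.27.25.59:5000 --insecure-registry localhub:5000'

audit_opts "$SAMPLE_OPTS" "$certs_root"
```

On a real host, pass the value of `OPTIONS`, `INSECURE_REGISTRY` or `DOCKER_OPTS` as the first argument and `/etc/docker/certs.d` as the second.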