From c66196a9dc0cd7d19eb3535c52fdbccfa2ee628e Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Tue, 19 Aug 2014 12:27:23 -0700 Subject: [PATCH] Expand documentation for --insecure-registries Signed-off-by: Michael Crosby --- docs/sources/reference/commandline/cli.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md index 94cbb580b4..ddfc983d3a 100644 --- a/docs/sources/reference/commandline/cli.md +++ b/docs/sources/reference/commandline/cli.md @@ -71,7 +71,7 @@ expect an integer, and they can only be specified once. -H, --host=[] The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd. --icc=true Enable inter-container communication --insecure-registry=[] Make these registries use http - --ip=0.0.0.0 Default IP address to use when binding container ports + --ip=0.0.0.0 Default IP address to use when binding container ports --ip-forward=true Enable net.ipv4.ip_forward --ip-masq=true Enable IP masquerading for bridge's IP range --iptables=true Enable Docker's addition of iptables rules 
@@ -196,6 +196,16 @@ can be disabled with --ip-masq=false. +By default docker will assume all registries are securied via TLS. Prior versions +of docker used an auto fallback if a registry did not support TLS. This introduces +the opportunity for MITM attacks so in Docker 1.2 the user must specify `--insecure-registries` +when starting the Docker daemon to state which registries are not using TLS and to communicate +with these registries via plain text. If you are running a local registry over plain text +on `127.0.0.1:5000` you will be required to specify `--insecure-registries 127.0.0.1:500` +when starting the docker daemon to be able to push and pull images to that registry. +No automatic fallback will happen after Docker 1.2 to detect if a registry is using +HTTP or HTTPS. + Docker supports softlinks for the Docker data directory (`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this:
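Review bot: In the first hunk (options list, around line 71), the only changed line is `--ip=0.0.0.0 Default IP address to use when binding container ports`, and its removed and added versions appear to differ only in whitespace. That is unrelated to the subject of the commit, so I would drop it or split it into a separate cleanup. The neighbouring context line `--insecure-registry=[] Make these registries use http` is the entry this patch is really about and is left untouched. Consider extending its one-line description to say that the listed registries are contacted without TLS, so the security consequence is visible in the option summary as well as in the longer paragraph.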
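Review bot: In the second hunk (the new paragraph after `--ip-masq=false`), the example is internally inconsistent: the registry is described as listening on `127.0.0.1:5000` but the flag value is written as `--insecure-registries 127.0.0.1:500`. A reader who copies that will still be refused, so the port should be `5000` in both places. The paragraph also names the flag `--insecure-registries` twice, while the options list in this same file shows `--insecure-registry=[]`. The two need to agree with what the daemon actually accepts. Smaller points: "securied" should be "secured", and since the paragraph states that the old automatic fallback opened the door to MITM attacks, it would help to say explicitly that traffic to any registry listed under this flag is unencrypted and unauthenticated, so the flag should be limited to registries on trusted networks such as the loopback example given.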