Expand documentation for --insecure-registries

Signed-off-by: Michael Crosby <michael@docker.com> Upstream-commit: c66196a9dc0cd7d19eb3535c52fdbccfa2ee628e Component: engine
2026-01-16 20:22:36 +03:00 · 2014-08-19 12:27:23 -07:00
parent 62c48d6aec
commit 0184acc7f9
1 changed files with 11 additions and 1 deletions
--- a/components/engine/docs/sources/reference/commandline/cli.md
+++ b/components/engine/docs/sources/reference/commandline/cli.md
@@ -71,7 +71,7 @@ expect an integer, and they can only be specified once.
      -H, --host=[]                              The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
      --icc=true                                 Enable inter-container communication
      --insecure-registry=[]                     Make these registries use http
-      --ip=0.0.0.0                             Default IP address to use when binding container ports
+      --ip=0.0.0.0                               Default IP address to use when binding container ports
      --ip-forward=true                          Enable net.ipv4.ip_forward
      --ip-masq=true                             Enable IP masquerading for bridge's IP range
      --iptables=true                            Enable Docker's addition of iptables rules
@@ -196,6 +196,16 @@ can be disabled with --ip-masq=false.



+By default docker will assume all registries are securied via TLS.  Prior versions
+of docker used an auto fallback if a registry did not support TLS.  This introduces
+the opportunity for MITM attacks so in Docker 1.2 the user must specify `--insecure-registries` 
+when starting the Docker daemon to state which registries are not using TLS and to communicate
+with these registries via plain text.  If you are running a local registry over plain text
+on `127.0.0.1:5000` you will be required to specify `--insecure-registries 127.0.0.1:500` 
+when starting the docker daemon to be able to push and pull images to that registry.
+No automatic fallback will happen after Docker 1.2 to detect if a registry is using
+HTTP or HTTPS.
+
 Docker supports softlinks for the Docker data directory
 (`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this: