Comment by tangotaylor

7 hours ago

My favorite use of this is peer-to-peer transfer of Docker images. The Docker CLI only allows you to use registries authenticated with HTTPS but there's an exception where it allows HTTP transfers over localhost.

So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.

Example, docker pussh: https://github.com/psviderski/unregistry

That's not quite true, you just need to add the `insecure-registries`[1] option with a list of either IPs (or IP ranges) or hostnames that you want to allow without TLS.

/etc/docker/daemon.json:

```json
{
  "insecure-registries": ["10.100.0.0/24", "registry.yourmom.example.com:5000"]
}
```

[1] https://docs.docker.com/reference/cli/dockerd/#insecure-regi...

  • Yes, this is true. I should caveat that we distributed the tool among a team and we didn't want to ask them all to edit their daemon.json with an ever-expanding list of IP addresses.

    • Could the tool you distributed update the daemon.json for your users so they don't have to change daemon.json manually?
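An added example, not code from any commenter or from the unregistry project: a small audit of the `insecure-registries` list discussed in this thread, showing how much address space each entry exposes to plaintext registry traffic. The function names, the labels and the last two sample entries are constructed for illustration; it assumes IPv4 entries in the `CIDR` or `host[:port]` forms shown above.

```python
import ipaddress
import json

# Constructed sample: the two entries from the thread plus two constructed ones.
SAMPLE_DAEMON_JSON = """
{
  "insecure-registries": [
    "10.100.0.0/24",
    "registry.yourmom.example.com:5000",
    "0.0.0.0/0",
    "127.0.0.1:5000"
  ]
}
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_entry(entry):
    """Return (label, address_count) for one insecure-registries entry."""
    # Strip a single ":port" suffix from host[:port] entries; CIDRs are kept whole.
    host = entry.rsplit(":", 1)[0] if "/" not in entry and entry.count(":") == 1 else entry
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        # Not an IP or CIDR: a hostname, so plaintext trust also follows DNS answers.
        return ("hostname", None)
    if net.version == 4:
        if net.subnet_of(LOOPBACK):
            # Redundant: Docker already allows plain HTTP to loopback registries.
            return ("loopback", net.num_addresses)
        if any(net.subnet_of(p) for p in RFC1918):
            return ("private", net.num_addresses)
    # Everything else, IPv6 included, is flagged for manual review.
    return ("public", net.num_addresses)


def audit(daemon_json_text):
    """Audit every insecure-registries entry in a daemon.json document."""
    entries = json.loads(daemon_json_text).get("insecure-registries", [])
    return [(e,) + audit_entry(e) for e in entries]


if __name__ == "__main__":
    for entry, label, count in audit(SAMPLE_DAEMON_JSON):
        print(f"{entry:40} {label:9} {count if count is not None else '-'}")
```
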