Appendix C. Configuring Docker to Push or Pull from an Insecure Registry

The Docker runtime decides whether to trust a remote image registry based on the validity of its Transport Layer Security (TLS) certificate. If your cluster uses a self-signed certificate, Docker will consider the registry “insecure” by default.

You can confirm the allowed insecure registries for your Docker runtime by using the docker info command, as demonstrated here:

docker info | grep -A 20 "Insecure Registries"
Insecure Registries:
 mycluster.icp:8500
 127.0.0.0/8
Live Restore Enabled: false

How you configure insecure registries varies somewhat by platform, but the basic flow is to extend DOCKER_OPTS to explicitly list each insecure registry that the Docker runtime is allowed to interact with.

Edit the Docker daemon configuration to add the alias for your IBM Cloud Private cluster, which is mycluster.icp:8500 by default. Depending on your installation and platform, your configuration file might be at /etc/docker/daemon.json, ~/.docker/daemon.json, or C:\ProgramData\docker\config\daemon.json.

cat ~/.docker/daemon.json
{
  "debug": true,
  "insecure-registries": [
    "mycluster.icp:8500"
  ],
  "experimental": true
}

Then, update your /etc/hosts configuration to alias this hostname (provided by the certificate when Docker connects to the endpoint) to the specific public IP of your cluster:

cat /etc/hosts | grep mycluster.icp
1.1.1.1 mycluster.icp

Restart your Docker runtime to make this change effective.

To find more details for your platform, refer to the Docker docs.
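
Listing a registry under insecure-registries turns off certificate verification for it, so it is worth reviewing what a host actually trusts before restarting the daemon. The following Python check is an added example, not code from the book or from Docker; the function names, severity labels and sample inputs (including the 10.0.0.0/8 entry) are assumptions made for illustration.

```python
import ipaddress
import json

def parse_hosts(hosts_text):
    """Map hostname -> IP from /etc/hosts-style text, ignoring comments."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            names.setdefault(name, fields[0])  # keep the first mapping seen
    return names

def audit_insecure_registries(daemon_json_text, hosts_text):
    """Return one (entry, severity, note) tuple per insecure-registries entry."""
    config = json.loads(daemon_json_text)  # malformed JSON raises ValueError
    hosts = parse_hosts(hosts_text)
    findings = []
    for entry in config.get("insecure-registries", []):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None  # not an IP or CIDR, so treat it as host[:port]
        if net is not None and net.is_loopback:
            findings.append((entry, "info", "loopback only"))
        elif net is not None:
            note = f"{net.num_addresses} addresses exempt from TLS verification"
            findings.append((entry, "high", note))
        else:
            host = entry.rsplit(":", 1)[0]
            if host in hosts:
                findings.append((entry, "warn", f"certificate not verified; pinned to {hosts[host]} in hosts file"))
            else:
                findings.append((entry, "high", "certificate not verified and no hosts entry; resolution depends on DNS"))
    return findings

# Constructed sample input modelled on the files shown above (hypothetical values).
SAMPLE_DAEMON_JSON = """{
  "debug": true,
  "insecure-registries": ["mycluster.icp:8500", "127.0.0.0/8", "10.0.0.0/8"],
  "experimental": true
}"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n1.1.1.1 mycluster.icp  # cluster alias\n"

if __name__ == "__main__":
    for entry, severity, note in audit_insecure_registries(SAMPLE_DAEMON_JSON, SAMPLE_HOSTS):
        print(f"{severity:5} {entry:22} {note}")
```

To run it against a real host, pass the contents of your daemon.json and hosts file in place of the sample strings.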
