registry: default --insecure-registry to localhost and 127.0.0.1

[proppy]

Note sure it's the best way to do this, since opt.ListVar have no defaults.

Fixes #8889 #8887

Also added some tests for registry.IsSecure

This PR makes the daemon treat localhost and 127.0.0.1 as part of the insecureRegistries whitelist, if the said list is empty.

[tiborvass]

Ping @ewindisch @unclejack @dmp42 @dmcgowan

[SvenDowideit]

Please add some documentation about this special case.

[crosbymichael]

I restarted the drone build

[proppy]

do we want to move forward with this? (i.e: would you consider merging if I make the doc changes)

[mmdriley]

What about ::1?

[proppy]

@mmdriley good catch, wondering if this work at all with docker pull ::1/foo.

[thockin]

+1

[ewindisch]

I'm NO on this. I prefer secure-by-default.

Note that our use of TLS here is not for protocol security, i.e. to prevent MITM, but for host verification. It verifies that the registry is trusted by the daemon and the systems administrator.

There seem to be good workarounds to this including setting '--insecure-registry localhost' and making localhost-with-TLS easier to deploy out of the box.

[proppy]

There seem to be good workarounds to this including setting '--insecure-registry localhost' and making localhost-with-TLS easier to deploy out of the box.

Yes, but that's not something that's easy to control with boot2docker today, or with the current registry. So current users of the docker (1.3.1) + boot2docker + registry might be broken for a while.

[tiborvass]

Sorry @ewindisch I'll have to merge this, this is a stopgap, and has no UI change compared to 1.3.1. We can revert it for 1.4 once we have a better user experience, like putting a URL to a page explaining how to setup a TLS private registry. We would update that page to have a one-liner like $(docker run -v /etc/docker/certs.d:/certs.d registry:tls).

LGTM @proppy rebase please

[proppy]

rebased PTAL

[proppy]

added DCO

[erikh]

hey @proppy I'm going to carry this.

[erikh]

Closing this, please review over at #9124

[CleanCut]

I have to run this command every time I start boot2docker to fix this issue:

boot2docker ssh 'sudo sh -c "echo \"EXTRA_ARGS=\\\"--insecure-registry 10.0.0.0/8\\\"\" > /var/lib/boot2docker/profile && sudo /etc/init.d/docker restart"'