William Lieurance's Tech Blog

Podman v2 config for insecure registries


[registries.insecure] no longer works

Podman is replacement for the UI parts of docker that is becoming more complete and more popular by the week. At the same time, there are some subtle places where Podmand and Docker differ, including in where exactly to specify that a registry wants to talk over unencrypted HTTP.

If you haven't tried creating a registry, it's super simple. There's a publicy-accessible registry container image on Docker Hub called registry that you can run on any given container orchestrator that will expose a working server on port 5000. Give it some persistent storage to survive reboots and you're in good shape. For more in-depth walkthroughs, see something like this TechRepublic one

Where that and many other howtos and walkthroughs go wrong, however, is in trying to tell you how to convince podman to talk to the registry over HTTP instead of HTTPS. You'll know if you hit that problem because of the very popular error message

error pinging docker registry registry.mycluster.williamlieurance.com:5000: Get "https://registry.mycluster.williamlieurance.com:5000/v2/": http: server gave HTTP response to HTTPS client

In older versions, v1 config versions specifically, podman and the libcontainer library that undergirds it would suggest using a block called [registries.insecure] to list your insecure registry. In v2, that no longer works, and you'll have a different message.

error loading registries: error loading registries configuration "/etc/containers/registries.conf": mixing sysregistry v1/v2 is not supported

Instead, you've got basically two options. One, by far the better option, is to turn on HTTPS, usually at whatever ingress point your orchestrator is using. Sadly sometimes that's hard and you'd like to keep your traffic unencrypted. In that case you should use the new v2 config format. In my example above, I've got a registry listening for HTTP traffic on port 5000 at http://registry.mycluster.williamlieurance.com:5000/v2/. To use that in a v2 config, I created a file at /etc/containers/registries.conf.d/myregistry.conf and put the following content in there.

location = "registry.mycluster.williamlieurance.com:5000"
insecure = true

After saving the file, podman can interact with my insecure cluster in an insecure way.