diff --git a/api/swagger.yaml b/api/swagger.yaml index e57f10409183a..d7c438dbca3b9 100644 --- a/api/swagger.yaml +++ b/api/swagger.yaml @@ -6005,7 +6005,7 @@ definitions: accept un-encrypted (HTTP) and/or untrusted (HTTPS with certificates from unknown CAs) communication. - By default, local registries (`127.0.0.0/8`) are configured as + By default, local registries (`::1/128` and `127.0.0.0/8`) are configured as insecure. All other registries are secure. Communicating with an insecure registry is not possible if the daemon assumes that registry is secure. diff --git a/daemon/reload_test.go b/daemon/reload_test.go index 5d220632b1490..e1ec217a1350e 100644 --- a/daemon/reload_test.go +++ b/daemon/reload_test.go @@ -82,6 +82,7 @@ func TestDaemonReloadAllowNondistributableArtifacts(t *testing.T) { } registries := []string{ + "::1/128", "127.0.0.0/8", "10.10.1.11:5000", "10.10.1.33:5000", // This will be added during reload. @@ -225,6 +226,7 @@ func TestDaemonReloadInsecureRegistries(t *testing.T) { // initialize daemon with existing insecure registries: "127.0.0.0/8", "10.10.1.11:5000", "10.10.1.22:5000" daemon.registryService, err = registry.NewService(registry.ServiceOptions{ InsecureRegistries: []string{ + "::1/128", "127.0.0.0/8", "10.10.1.11:5000", "10.10.1.22:5000", // this will be removed when reloading @@ -237,6 +239,7 @@ func TestDaemonReloadInsecureRegistries(t *testing.T) { } insecureRegistries := []string{ + "::1/128", // this will be kept "127.0.0.0/8", // this will be kept "10.10.1.11:5000", // this will be kept "10.10.1.33:5000", // this will be newly added diff --git a/integration/system/info_test.go b/integration/system/info_test.go index f0f32242b492c..25950cbe72e0b 100644 --- a/integration/system/info_test.go +++ b/integration/system/info_test.go @@ -101,12 +101,14 @@ func TestInfoInsecureRegistries(t *testing.T) { defer d.Stop(t) info := d.Info(t) - assert.Assert(t, is.Len(info.RegistryConfig.InsecureRegistryCIDRs, 2)) + assert.Assert(t, is.Len(info.RegistryConfig.InsecureRegistryCIDRs, 3)) cidrs := []string{ info.RegistryConfig.InsecureRegistryCIDRs[0].String(), info.RegistryConfig.InsecureRegistryCIDRs[1].String(), + info.RegistryConfig.InsecureRegistryCIDRs[2].String(), } assert.Assert(t, is.Contains(cidrs, registryCIDR)) + assert.Assert(t, is.Contains(cidrs, "::1/128")) assert.Assert(t, is.Contains(cidrs, "127.0.0.0/8")) assert.DeepEqual(t, *info.RegistryConfig.IndexConfigs["docker.io"], registry.IndexInfo{Name: "docker.io", Mirrors: []string{}, Secure: true, Official: true}) assert.DeepEqual(t, *info.RegistryConfig.IndexConfigs[registryHost], registry.IndexInfo{Name: registryHost, Mirrors: []string{}, Secure: false, Official: false}) diff --git a/registry/config.go b/registry/config.go index e1b0a0ca14c62..3ec6ec715d918 100644 --- a/registry/config.go +++ b/registry/config.go @@ -184,7 +184,7 @@ func (config *serviceConfig) loadMirrors(mirrors []string) error { func (config *serviceConfig) loadInsecureRegistries(registries []string) error { // Localhost is by default considered as an insecure registry. This is a // stop-gap for people who are running a private registry on localhost. - registries = append(registries, "127.0.0.0/8") + registries = append(registries, "::1/128", "127.0.0.0/8") var ( insecureRegistryCIDRs = make([]*registry.NetIPNet, 0)