Moby: How to change the default docker registry from docker.io to my private registry

Created on 7 May 2017 · 16 Comments · Source: moby/moby

Is there any way to set the default registry to my private registry instead of docker.io?
Actually my need is this:
I am using Nexus Repository Manager as my private registry for docker. There I created a repository for docker-hub, so now I want it to pull directly from my private registry when I run the command `docker pull ubuntu`.
Is there any way?

area/distribution

Most helpful comment

This is a ridiculous decision to not support alternate default registries. Oh, I'm sorry, we've decided git will only default to github.com going forward, so every time you git pull or push, you have to type the remote origin fq-repo. (Yeah, yeah, I know the fq-repo is stored locally in the config, that's not the point)

Come on, this is not a security risk. You really think someone is going to hijack stuff accidentally or maliciously? Ever heard of running your own DNS internally so you can have nice and convenient short urls that are meaningful?

It's time someone went old school Linus on your asses to say just how stupid this is. You aren't going to break any compatibility by supporting this. The fact that "ubuntu" means "ubuntu" on docker.io is just a default. If you want a different default but still want docker.io/ubuntu, then you have to type it out. It's sooo much more security minded to require an fq-repo for public things than for your private things. FFS - if I want dev, qa, and prod repos, I should be able to have that rather than having to tag things as .dkr.ecr.us-west-2.amazonaws.com/foo:bar. That's so clunky.

There's no real trust, as anyone who is allowed to contribute to that repo can upload anything they want. Docker.io doesn't curate the content, they're just a repo, like github. On top of that, it's standard practice for engineering organizations to audit the open source stuff they use for security and lock to known, safe versions, as well as just known well behaving versions. People don't operate in "latest" land if they know what they're doing.

All 16 comments

You can configure docker with a registry mirror, but you can't change the default currently.
Here are the docs for that: https://docs.docker.com/registry/recipes/mirror/

ok thank you

Please change this as it's a feature break from 1.13... and prevents us from moving to 17.*

@ArcticSnowman Change what? Docker has never had the feature to change the default registry. Perhaps you were using RedHat's fork?

OK, I just found out that 'add-registry' was a forked feature. Darn it... It has proven very useful and makes writing Dockerfiles easier for us.

This is a huge security risk. What if someone starts pulling the Kali Docker distro inside the company?
Of course we can firewall stuff, but only to a certain extent.

I think this is a useful feature since at company level it is normal to have an internal registry that also caches the docker hub but allows developers to push their own containers.
By making the default source configurable you allow people to break the vendor lock-in of docker itself.

All package management systems allow you to configure the default source, but docker does not allow the open source community to do it?

Edit:
The true freedom is also choosing your sources, even if it is a security risk...

I meant it is a security risk having docker hub as a default that you cannot change to an internal repo which is locked down.

You guys know if there is any open-source fork of docker implementing this?

If you want to have a pull-through mirror, then you can set that up with docker today by setting a --registry-mirror in the daemon config. There are some issues still with mirroring of private registries, but this is being worked on actively.

The problem is, due to early design decisions, an image name (e.g. ubuntu) is tied to its source location (in this case, the source location is prepended). Changing the "default source" breaks the trust established by naming conventions (even if it's not a good design to begin with).

What we want to do is have ubuntu resolve to a trusted digest (e.g. stored in a notary server) and then be able to pull an image by digest from any registry that happens to have that image digest. We really aren't too far from this reality today.

Also note that you can use containerd directly and resolve image names however you like, including using the standard docker resolver.
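The naming convention the comment above describes, and the mirror behaviour mentioned in the earlier reply, can be made concrete. The following is an added example, not code from moby or from anyone in this thread: it models how an unqualified name such as `ubuntu` expands to `docker.io/library/ubuntu:latest`, and shows that a `registry-mirrors` entry in `daemon.json` only stands in for docker.io, so it cannot change what a short name means or where a fully qualified private name goes. The host `nexus.example.internal` and the sample config values are constructed placeholders; the `registry-1.docker.io` endpoint is the one named later in this thread.

```python
"""Image-reference normalization and pull routing (added example, not moby code)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional

DEFAULT_DOMAIN = "docker.io"          # where an unqualified name is bound by convention
LEGACY_DOMAIN = "index.docker.io"     # older spelling the daemon folds into docker.io
OFFICIAL_NAMESPACE = "library"        # "ubuntu" really means "library/ubuntu"
DEFAULT_TAG = "latest"
HUB_PULL_ENDPOINT = "https://registry-1.docker.io"  # v2 endpoint for docker.io pulls


@dataclass(frozen=True)
class Reference:
    domain: str
    path: str
    tag: Optional[str]
    digest: Optional[str]

    def canonical(self) -> str:
        """Fully qualified form: domain/path[:tag][@digest]."""
        out = f"{self.domain}/{self.path}"
        if self.tag:
            out += f":{self.tag}"
        if self.digest:
            out += f"@{self.digest}"
        return out


def normalize(name: str) -> Reference:
    """Expand a user-typed image name the way the daemon does.

    Rules modelled here (the documented naming convention, simplified):
      * a first path component with no '.' or ':' that is not 'localhost' is
        not a registry, so the whole name belongs to docker.io;
      * a single-segment docker.io path is an official image under 'library/';
      * ':tag' may only sit in the last path segment; '@sha256:...' is a
        content address; no tag and no digest means 'latest'.
    """
    original = name
    digest = None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not (digest.startswith("sha256:") and len(digest) == 7 + 64):
            raise ValueError(f"malformed digest in {original!r}")

    first, sep, rest = name.partition("/")
    looks_like_registry = "." in first or ":" in first or first == "localhost"
    if sep and looks_like_registry:
        domain, remainder = first, rest
    else:
        domain, remainder = DEFAULT_DOMAIN, name
    if domain == LEGACY_DOMAIN:
        domain = DEFAULT_DOMAIN

    tag = None
    colon = remainder.find(":", remainder.rfind("/") + 1)
    if colon != -1:
        remainder, tag = remainder[:colon], remainder[colon + 1:]
    if not remainder:
        raise ValueError(f"empty repository path in {original!r}")
    if domain == DEFAULT_DOMAIN and "/" not in remainder:
        remainder = f"{OFFICIAL_NAMESPACE}/{remainder}"
    if tag is None and digest is None:
        tag = DEFAULT_TAG
    return Reference(domain, remainder, tag, digest)


def pull_endpoints(ref: Reference, registry_mirrors: tuple[str, ...] = ()) -> list[str]:
    """Registries the daemon would try, in order, to pull `ref`.

    Mirrors are consulted first, but only for docker.io names; any other
    domain is contacted directly. A mirror therefore never redirects a
    private fully qualified name and never changes what "ubuntu" refers to.
    """
    if ref.domain == DEFAULT_DOMAIN:
        return [m.rstrip("/") for m in registry_mirrors] + [HUB_PULL_ENDPOINT]
    return [f"https://{ref.domain}"]


def daemon_json_with_mirror(existing: dict, mirror: str) -> dict:
    """Copy of a daemon.json dict with `mirror` added to "registry-mirrors".

    Only https mirrors are accepted: the mirror serves the layers the host
    will run, so it is reached over TLS like any other registry.
    """
    if not mirror.startswith("https://"):
        raise ValueError(f"mirror must be an https URL: {mirror!r}")
    cfg = dict(existing)
    mirrors = list(cfg.get("registry-mirrors", []))
    if mirror not in mirrors:
        mirrors.append(mirror)
    cfg["registry-mirrors"] = mirrors
    return cfg


if __name__ == "__main__":
    # constructed sample values; nexus.example.internal is a placeholder host
    cfg = daemon_json_with_mirror({"log-driver": "json-file"}, "https://nexus.example.internal:8443")
    print(json.dumps(cfg, indent=2))
    for typed in ("ubuntu", "ubuntu:18.04", "nexus.example.internal:8443/team/app"):
        ref = normalize(typed)
        print(f"{typed!r} -> {ref.canonical()} via {pull_endpoints(ref, tuple(cfg['registry-mirrors']))}")
```

Running it shows the asymmetry the thread is about: `ubuntu` is tried at the mirror and then at docker.io, while a name qualified with the private host goes only to that host, which is why a mirror helps pulls but does nothing for the "short name means my registry" request.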

@cpuguy83 I tried your solution using --registry-mirror and it works for pulling, but not for pushing and not if you need to docker login, because by default it tries to log in to https://registry-1.docker.io/v2/...
I will check containerd though.

And you can't use docker in China when the GFW blocks index.docker.io or its IPs.

Error response from daemon: Get https://index.docker.io/v1/search?q=kraken&n=25: net/http: TLS handshake timeout

Make sure you refer to https://github.com/moby/moby/issues/36598 before going ahead with the --registry-mirror configuration.

Also, using --registry-mirror does not work well UX-wise with all commercial image registry offerings. For example, when using Artifactory as a pull-through cache _(by configuring a remote)_, HEADing the image on the registry mirror is not sufficient to trigger a pull. It has to be a _"real"_ pull.
