Add --allow-insecure to docker pull

[merlin83]

This adds a parameter to the docker pull command to allow users to manually specify an insecure repository when performing "docker pull", i.e.

docker pull --allow-insecure internal.company.domain:5000/image_name

[crosbymichael]

One of the reasons it was decided to add this setting on the daemon and not per pull is that the sysadmin for the does not have a way to prohibit certain registries. Can you think of any reasons why we should change this or is there a reason why the sysadmin cannot set these registries on the daemon for your usecase?

[merlin83]

There are two distinct points this PR addresses. [There might be more]

This PR should solve #8887 and #8889 for most of the users.

As a server sysadmin, it is to insist each user manually modify their DOCKER_OPTS to ensure it is run with a customized --insecure-registry <our.internal.registry> server, and most users simply are reluctant to modify files in /etc/default for fear of breaking something.

It is very common to have developers and small teams to use their own individual registry (I blame this on the ease of use of 'docker pull registry:latest' ;-P ) to show others their changes and work before they actually push to the company/department-wide registry. Insisting that these users use HTTPS seems superfluous since they are in a development environment.

[SvenDowideit]

So to acheive the same end, I should be able to run a local mirroring registry on my localhost, and configure my Docker daemon to talk to it? (post 1.3.2)

we could convert this to a docs issue if so.

[tiborvass]

@SvenDowideit good point, I believe so.

@merlin83 since #9038 and #9124 got merged, this PR is no longer relevant. It seems that what @SvenDowideit could be possible. Either way, we do not want to encourage people to use insecure registries, hence the daemon flag and not client-side flag: this is deliberate.

Sorry for the time it took to get all this through. 1.3.2 is coming early next week and will have these fixes.

Thanks for contributing though!

[edqallen]

Personally I'd like to see this reopened and accepted. The current "solution" of messing with the docker daemon startup options on every host that wants to access the registry is a cumbersome PITA. In many (I'd wager most -- by a wide margin) environments where private registries are being used, the encryption and identification is entirely unnecessary.