|
| 1 | +--- |
| 2 | +title: Registry host configuration |
| 3 | +description: Configure per-registry behavior for Docker Engine using hosts.toml files |
| 4 | +keywords: containerd, registry, hosts, push, pull, mirror, configuration, daemon |
| 5 | +weight: 25 |
| 6 | +--- |
| 7 | + |
| 8 | +When using the [containerd image store](/manuals/engine/storage/containerd.md), |
| 9 | +you can configure per-registry behavior using `hosts.toml` files. This lets |
| 10 | +you restrict push or pull access, redirect traffic to a mirror, or customize |
| 11 | +TLS settings on a per-registry basis. |
| 12 | + |
| 13 | +## Configuration directory |
| 14 | + |
| 15 | +Docker Engine reads registry host configuration from the following directory: |
| 16 | + |
| 17 | +| Setup | Directory | |
| 18 | +| ------------- | --------------------------- | |
| 19 | +| Regular | `/etc/docker/certs.d/` | |
| 20 | +| Rootless mode | `~/.config/docker/certs.d/` | |
| 21 | + |
| 22 | +Create a subdirectory for each registry you want to configure. The directory |
| 23 | +name must match the registry host as it appears in image references: |
| 24 | + |
| 25 | +| Image reference | Directory | |
| 26 | +| --------------------------------------- | ---------------------------- | |
| 27 | +| `docker.io/myorg/myimage:latest` | `docker.io/` | |
| 28 | +| `registry.example.com/myimage:latest` | `registry.example.com/` | |
| 29 | +| `registry.example.com:5000/myimage:tag` | `registry.example.com:5000/` | |
| 30 | + |
| 31 | +Each directory contains a `hosts.toml` file: |
| 32 | + |
| 33 | +```text |
| 34 | +/etc/docker/certs.d/ |
| 35 | +├── docker.io/ |
| 36 | +│ └── hosts.toml |
| 37 | +├── registry.example.com/ |
| 38 | +│ └── hosts.toml |
| 39 | +└── registry.example.com:5000/ |
| 40 | + └── hosts.toml |
| 41 | +``` |
| 42 | + |
| 43 | +Changes to `hosts.toml` files take effect immediately, without restarting |
| 44 | +Docker. |
| 45 | + |
| 46 | +## hosts.toml format |
| 47 | + |
| 48 | +Each `hosts.toml` file configures the behavior for one registry. The `server` |
| 49 | +field sets the upstream registry URL. The `[host]` section configures specific |
| 50 | +endpoints, including what operations they're allowed to perform using the |
| 51 | +`capabilities` field. |
| 52 | + |
| 53 | +Valid capabilities are: |
| 54 | + |
| 55 | +| Capability | Description | |
| 56 | +| ---------- | -------------------- | |
| 57 | +| `pull` | Allow pulling images | |
| 58 | +| `resolve` | Allow tag resolution | |
| 59 | +| `push` | Allow pushing images | |
| 60 | + |
| 61 | +## Examples |
| 62 | + |
| 63 | +### Disable push to a registry |
| 64 | + |
| 65 | +To prevent Docker from pushing images to a specific registry, omit `push` from |
| 66 | +the capabilities: |
| 67 | + |
| 68 | +```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"} |
| 69 | +server = "https://registry-1.docker.io" |
| 70 | + |
| 71 | +[host."https://registry-1.docker.io"] |
| 72 | + capabilities = ["pull", "resolve"] |
| 73 | +``` |
| 74 | + |
| 75 | +With this configuration, `docker pull` from Docker Hub works normally, but |
| 76 | +`docker push` to Docker Hub returns an error. |
| 77 | + |
| 78 | +### Redirect pulls to a mirror |
| 79 | + |
| 80 | +To route pull traffic through a registry mirror: |
| 81 | + |
| 82 | +```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"} |
| 83 | +server = "https://registry-1.docker.io" |
| 84 | + |
| 85 | +[host."https://mirror.example.com"] |
| 86 | + capabilities = ["pull", "resolve"] |
| 87 | + |
| 88 | +[host."https://registry-1.docker.io"] |
| 89 | + capabilities = ["pull", "resolve", "push"] |
| 90 | +``` |
| 91 | + |
| 92 | +Docker tries the mirror first for pulls, and falls back to Docker Hub if the |
| 93 | +mirror doesn't have the image. Pushes always go to Docker Hub directly. |
| 94 | + |
| 95 | +### Internal registry only |
| 96 | + |
| 97 | +To restrict Docker to only push and pull from an internal registry, and block |
| 98 | +access to all public registries: |
| 99 | + |
| 100 | +```toml {title="/etc/docker/certs.d/docker.io/hosts.toml"} |
| 101 | +server = "https://registry-1.docker.io" |
| 102 | + |
| 103 | +[host."https://registry-1.docker.io"] |
| 104 | + capabilities = [] |
| 105 | +``` |
| 106 | + |
| 107 | +With no capabilities, all operations to that registry fail. |
| 108 | + |
| 109 | +> [!NOTE] |
| 110 | +> This configuration controls behavior at the daemon level, not as a security |
| 111 | +> boundary. Builds, containers, and other mechanisms can still interact with |
| 112 | +> registries. For strict registry access control, consider |
| 113 | +> [Registry Access Management](/manuals/enterprise/security/hardened-desktop/registry-access-management.md) |
| 114 | +> in Docker Business. |
| 115 | +
|
| 116 | +## Relation to daemon.json registry settings |
| 117 | + |
| 118 | +Docker daemon also supports registry configuration through `daemon.json` options |
| 119 | +like `insecure-registries` and `registry-mirrors`. These settings interact with |
| 120 | +`hosts.toml` as follows: |
| 121 | + |
| 122 | +- If a `hosts.toml` file configures **two or more** endpoints for a registry |
| 123 | + (such as a mirror and an upstream fallback), the daemon.json settings for that |
| 124 | + registry are **ignored**. The `hosts.toml` configuration takes full control. |
| 125 | +- If `hosts.toml` is absent or configures only a single endpoint, the |
| 126 | + daemon.json settings are applied on top. |
| 127 | + |
| 128 | +If you're using `hosts.toml` to configure mirrors for a registry, include all |
| 129 | +TLS and authentication settings in the `hosts.toml` file rather than relying on |
| 130 | +`insecure-registries` in `daemon.json`. |
| 131 | + |
| 132 | +## Reference |
| 133 | + |
| 134 | +For the full `hosts.toml` specification, see the |
| 135 | +[containerd registry hosts documentation](https://github.com/containerd/containerd/blob/main/docs/hosts.md). |