DOCKER_OPTS in /etc/default/docker ignored



I changed /etc/default/docker to add a private docker registry, then I restarted docker service and finally tried to pull some image.

$ cat /etc/default/docker

$ service docker restart

$ docker pull
FATA[0000] Error: v1 ping attempt failed with error: Get https://mydocker- dial tcp: lookup no 
such host. If this private registry supports only HTTP or HTTPS with an 
unknown CA certificate, please add `--insecure-registry mydocker-` to the daemon's arguments. In the case of HTTPS, if 
you have access to the registry's CA certificate, no need for the flag; 
simply place the CA certificate at /etc/docker/certs.d/mydocker-

A ps output shows nothing about DOCKER_OPTS environment var.

  • Requirement to accept network packets in container from host or outside? (docker port forwarding)
  • docker: cannot map two container ports to one host port
  • PHP api requests outgoing IP on docker swarm & HAproxy
  • Docker Rest Apis using node.js
  • Docker compose with networks and “internal” property example
  • Mapreduce job ipc.Client retrying to connect
  • $ ps auxwww|grep docker
    root  6919   0.0   0.1   331076   19984 ? Ssl 10:14   0:00 /usr/bin/docker -d -H fd://


    According to docker documentation the way to use a private registry is through DOCKER_OPTS in /etc/default/docker. Why, after doing that, it does not take effect in this environment?


    • The private registry hostname is correctly resolved by the DNS.

  • Unable to connect to dockerized redis instance from outside docker
  • Jhipster application development with Docker and gulp
  • systemd in a docker container
  • Docker container won't run through a “CommandError:”
  • Pulling Docker Images from Private Repository using REGISTRY REST API
  • unable to find user root: no matching entries in passwd file
  • 5 Solutions collect form web for “DOCKER_OPTS in /etc/default/docker ignored”

    Recommended Way

    According to docker documentation, The recommended way to configure the daemon flags and environment variables for your Docker daemon is to use a systemd drop-in file.

    So, for this specific case, do the following:

    1. Create a file called /etc/systemd/system/docker.service.d/private-registry.conf with the following content:

      If not exists, create directory /etc/systemd/system/docker.service.d

      ExecStart=/usr/bin/dockerd --insecure-registry
    2. Flush changes:

      $ sudo systemctl daemon-reload
    3. Restart Docker:

       $ sudo systemctl restart docker


    Not recommended way

    Edit file /lib/systemd/system/docker.service

    ExecStart=/usr/bin/docker -d -H fd:// $DOCKER_OPTS

    Then execute

    systemctl daemon-reload
    systemctl restart docker

    Verify that /etc/default/docker is loaded

    ps auxwww | grep docker
    root      4989  0.8  0.1 265540 16608 ?        Ssl  10:37   0:00 /usr/bin/docker -d -H fd:// --insecure-registry 

    That’s it.

    Things seem to have changed in Ubuntu 16.04 using docker 1.12.x. Based on the updated documentation

    Add DOCKER_OPTS="-g /mnt/somewhere/else/docker/ --storage-driver=overlay2" to /etc/default/docker

    Edit file /lib/systemd/system/docker.service

    ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS

    Then execute:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

    Systemd based systems do not read /etc/default configurations, you have to put those in /etc/systemd now, see also docker bug docker bug #12926

    There is an official documentation on the Docker site now, refer to Control and configure Docker with systemd.

    You should never directly hack the service files for configuration.

    Tested and works on Arch and Debian based systems – I had to include the option to ignore any obsolete EnvironmentFile directives, though (see also linked Docker reference, but I didn’t spot it at first and thought it was not needed):

    ExecStart=/usr/bin/docker daemon ...

    Systemd is really not designed for appending options to ExecStart or Environment. The best and also most platform-independent way is to use the /etc/docker/daemon.json configuration file.


    cat > /etc/docker/daemon.json <<DOCKERCONFIG
      "labels": ["foo=bar"],
      "insecure-registries": [""]

    Ubuntu specific solution to insecure-registry via DOCKER_OPTS


    $ dpkg --list | grep -i docker
    ii                          1.12.3-0ubuntu4~16.04.2            amd64        Linux container runtime

    …ships with…

    $ cat /etc/systemd/system/
    Description=Docker Application Container Engine
    Documentation= docker.socket
    # the default is not to use systemd for cgroups because the delegate issues still
    # exists and systemd currently does not support the cgroup feature set required
    # for containers run by docker
    ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS
    ExecReload=/bin/kill -s HUP $MAINPID
    # Having non-zero Limit*s causes performance problems due to accounting overhead
    # in the kernel. We recommend using cgroups to do container-local accounting.
    # Uncomment TasksMax if your systemd version supports it.
    # Only systemd 226 and above support this version.
    # set delegate yes so that systemd does not reset the cgroups of docker containers
    # kill only the docker process, not all processes in the cgroup

    …(Specifically: ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS) you can do a hybrid approach combining the [chosen answer’s] “Recommended Way” and the use of DOCKER_OPTS to keep from blowing over the -H fd:// option if you were to redefine ExecStart

    # The package doesn't create a systemd drop-ins directory, so we will
    $ mkdir -p /etc/systemd/system/docker.service.d
    $ cat > /etc/systemd/system/docker.service.d/10-insecure-registry.conf <<EOF
    Environment="DOCKER_OPTS=--insecure-registry docker.internal:5000"
    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.