clarify --insecure-registry in man docker

Signed-off-by: Sally O'Malley <[email protected]>
mtanlee · Sep 3, 2015 · 2d9ea18 · 2d9ea18
1 parent d9065fc
commit 2d9ea18
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/man/docker.1.md b/man/docker.1.md
@@ -90,7 +90,11 @@ unix://[/path/to/socket] to use.
   Allow unrestricted inter\-container and Docker daemon host communication. If disabled, containers can still be linked together using **--link** option (see **docker-run(1)**). Default is true.
 
 **--insecure-registry**=[]
-  Enable insecure registry communication.
+  Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
+
+  List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
+
+  Enabling `--insecure-registry` is useful when running a local registry.  However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes.  For increased security, users should add their CA to their system's list of trusted CAs instead of using `--insecure-registry`. 
 
 **--ip**=""
   Default IP address to use when binding container ports. Default is `0.0.0.0`.