The insecure-registries configuration is ignored beginning with version 29.0.0. #6748

@FilipB

Description

The containerd image store is the default storage backend for Docker Engine 29.0 and later on fresh installations, or it can be enabled via:

  "features": {
    "containerd-snapshotter": true
  }

When enabled, the insecure-registries configuration in /etc/docker/daemon.json is ignored.
docker info still shows the insecure registry, but it has no effect, and the attempt to push to the given registry fails with:
failed to do request: Head "https://my.insecure.registry.com/v2/images/blobs/sha256:9f9449d1a8e45aa4c987a0de8a47f0844503ad8bd9f36d40f917d44baa55816a": tls: failed to verify certificate: x509: certificate signed by unknown authority

docker info
....
Insecure Registries:
  my.insecure.registry.com
  127.0.0.0/8
  ::1/128
...

The insecure-registries configuration is useful in testing environments where self-signed certificates might be used.

Reproduce

  1. Install a fresh docker v29.1.3
  2. Prepare a registry, e.g. my.insecure.registry.com, with a self-signed cert
  3. Configure insecure registries in /etc/docker/daemon.json: {"insecure-registries" : ["my.insecure.registry.com" ]}
  4. Restart docker
  5. Push an image, e.g. docker push my.insecure.registry.com/images/myImage:latest

Expected behavior

docker push should work

docker version

docker version
Client: Docker Engine - Community
 Version:           29.1.3
 API version:       1.52
 Go version:        go1.25.5
 Git commit:        f52814d
 Built:             Fri Dec 12 14:52:44 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.1.3
  API version:      1.52 (minimum version 1.44)
  Go version:       go1.25.5
  Git commit:       fbf3ed2
  Built:            Fri Dec 12 14:49:14 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.1
  GitCommit:        dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc:
  Version:          1.3.4
  GitCommit:        v1.3.4-0-gd6d73eb8
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    29.1.3
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.30.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.0.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 29.1.3
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.17.13-200.fc42.x86_64
 Operating System: Fedora Linux 42 (Workstation Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 14
 Total Memory: 30.78GiB
 Name: fedora
 ID: a42ef4bf-e11b-4928-9603-89e607d452a8
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  my.insecure.registry.com
  127.0.0.0/8
  ::1/128
 Registry Mirrors:
  https://mirror.gcr.io/
 Live Restore Enabled: false
 Firewall Backend: iptables+firewalld

Additional Info

No response
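
A check for the condition this report describes, as an added example that is not part of the original issue or the Docker project's code: it parses `docker info` text and lists the registries reported as insecure while the containerd snapshotter is the active image store. The function names and the trimmed sample output are constructed for illustration, and treating the two loopback entries as built-in defaults is an assumption.

```python
# Constructed sample: trimmed `docker info` text in the shape shown in the report.
SAMPLE_INFO = """\
Server:
 Server Version: 29.1.3
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Insecure Registries:
  my.insecure.registry.com
  127.0.0.0/8
  ::1/128
 Registry Mirrors:
  https://mirror.gcr.io/
 Live Restore Enabled: false
"""

# Assumption: these loopback entries are listed by the daemon without being configured.
LOOPBACK_DEFAULTS = {"127.0.0.0/8", "::1/128"}


def parse_info(text):
    """Return (uses_containerd_snapshotter, insecure_registries) from `docker info` text."""
    snapshotter = False
    registries = []
    section_indent = None  # indent of "Insecure Registries:" while inside that section
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if section_indent is not None:
            if indent > section_indent:
                registries.append(body)  # deeper indent: an entry of the section
                continue
            section_indent = None  # same or shallower indent: section ended
        if body == "Insecure Registries:":
            section_indent = indent
        elif body.startswith("driver-type:"):
            snapshotter = "io.containerd.snapshotter" in body
    return snapshotter, registries


def affected_registries(text):
    """Configured insecure registries that are listed while the snapshotter is active."""
    snapshotter, registries = parse_info(text)
    if not snapshotter:
        return []
    return [r for r in registries if r not in LOOPBACK_DEFAULTS]


if __name__ == "__main__":
    for name in affected_registries(SAMPLE_INFO):
        print(f"listed as insecure with containerd image store active: {name}")
```

To run it against a live daemon, pass the captured output of `docker info` to `affected_registries` in place of `SAMPLE_INFO`.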
