Add automatic TLS generation (and enable it by default in 19.03+) #166
Conversation
For images which don't support this feature, this will be a no-op.
Test updated in docker-library/official-images@7e44f39 👍

(We should probably also add a new

(dat +529 −40 tho 😭)
| [ -z "${DOCKER_TLS_SAN:-}" ] || echo "$DOCKER_TLS_SAN" | ||
| } | sort -u | xargs printf '%s,' | sed "s/,\$//" | ||
| } | ||
| _tls_generate_certs() { |
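Review bot: in the `{ ... } | sort -u` pipeline just above `_tls_generate_certs()`, `$DOCKER_TLS_SAN` is echoed as a single line while the auto-detected entries arrive one per line, so `sort -u` cannot collapse a user-supplied `IP:...` or `DNS:...` that repeats a detected one and the final list can carry the same entry twice. Since the variable is documented as comma-separated, run it through `tr ',' '\n'` before the sort (`echo "$DOCKER_TLS_SAN" | tr ',' '\n'`) so the dedupe applies to the merged list; OpenSSL tolerates the duplicate either way, so this is a tidiness point rather than a functional one.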
Any chance to split this into a separate script so that it can be called from the rootless entrypoint script? #165
This adds a `DOCKER_TLS_CERTDIR` environment variable that, when present, will auto-enable TLS on `dockerd` by default (and will set the appropriate client flags if the necessary certificates exist).

It will attempt to generate a suitable `subjectAltName` extension value based on all available container IP addresses and hostnames, but the default generation can be extended via the `DOCKER_TLS_SAN` environment variable (in the standard OpenSSL format, à la `IP:n.n.n.n,DNS:foobar,...`).

For users of 18.09 who wish to enable this behavior, simply set `DOCKER_TLS_CERTDIR` to a path within the container into which you want certificates generated (and share at least the `client` subdirectory of that path with your client containers). The default value in 19.03+ is `/certs` (so to mimic that, something like `-e DOCKER_TLS_CERTDIR=/certs` would be sufficient/appropriate).

For users of 19.03+ who wish to *disable* this behavior (not recommended), simply set `DOCKER_TLS_CERTDIR` to the empty string (`-e DOCKER_TLS_CERTDIR=`).
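The certificate material and client-side settings the description talks about, as an added example that is not part of this PR or of the docker-library entrypoint script. It assumes a `ca/`, `server/`, `client/` layout under the cert directory (the PR only names the `client` subdirectory), assumes `docker` and `localhost` as auto-detected names alongside the container hostname and IPs, and needs the `openssl` CLI. `build_san` takes `DOCKER_TLS_SAN` in the format the description gives and splits it on commas before deduplicating, so an operator entry that repeats an auto-detected one appears once in the final extension value.

```shell
#!/bin/sh
# Added example, not the docker-library entrypoint: mimic what the description
# says the image does for DOCKER_TLS_CERTDIR. The ca/ server/ client/ layout and
# the "docker" / "localhost" names are assumptions; only the client/ subdirectory
# and the DOCKER_TLS_SAN format come from the PR text.
set -eu

# build_san HOSTNAME [IP ...]
# Emit one subjectAltName value: auto-detected names first, then whatever the
# operator put in DOCKER_TLS_SAN (OpenSSL format, e.g. "IP:1.2.3.4,DNS:foo").
# The user value is split on commas before "sort -u", so an entry that repeats
# an auto-detected one is emitted only once. LC_ALL=C keeps the order stable.
build_san() {
    host="$1"; shift
    {
        echo "DNS:$host"
        echo "DNS:docker"        # service alias CI runners dial (assumption)
        echo "DNS:localhost"
        echo "IP:127.0.0.1"
        for ip; do echo "IP:$ip"; done
        [ -z "${DOCKER_TLS_SAN:-}" ] || printf '%s\n' "$DOCKER_TLS_SAN" | tr ',' '\n'
    } | grep -v '^$' | LC_ALL=C sort -u | paste -sd, -
}

# issue_cert CERTDIR NAME SUBJECT EXT... : key + CA-signed cert in CERTDIR/NAME/
issue_cert() {
    dir="$1"; name="$2"; subj="$3"; shift 3
    openssl genrsa -out "$dir/$name/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/$name/key.pem" -subj "$subj" -out "$dir/$name/csr.pem" 2>/dev/null
    printf '%s\n' "$@" >"$dir/$name/ext.cnf"
    openssl x509 -req -days 30 -in "$dir/$name/csr.pem" \
        -CA "$dir/ca/cert.pem" -CAkey "$dir/ca/key.pem" -CAcreateserial \
        -extfile "$dir/$name/ext.cnf" -out "$dir/$name/cert.pem" 2>/dev/null
}

# generate_certs CERTDIR SAN
# CA, server and client material under CERTDIR. client/ ends up holding exactly
# what the Docker CLI reads from DOCKER_CERT_PATH: ca.pem, cert.pem, key.pem.
generate_certs() {
    dir="$1"; san="$2"
    mkdir -p "$dir/ca" "$dir/server" "$dir/client"

    # Self-signed CA. basicConstraints is set explicitly so "openssl verify"
    # accepts it as an issuer regardless of the system openssl.cnf defaults.
    openssl genrsa -out "$dir/ca/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/ca/key.pem" -subj '/CN=dind CA' -out "$dir/ca/csr.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca/ext.cnf"
    openssl x509 -req -days 30 -in "$dir/ca/csr.pem" -signkey "$dir/ca/key.pem" \
        -extfile "$dir/ca/ext.cnf" -out "$dir/ca/cert.pem" 2>/dev/null

    # Server cert: the client checks the SAN against the name it dialled, so
    # every hostname/IP the daemon is reachable by has to be in it.
    issue_cert "$dir" server '/CN=dind server' "subjectAltName=$san" 'extendedKeyUsage=serverAuth'

    # Client cert: mutual TLS, the daemon only talks to holders of a CA-signed cert.
    issue_cert "$dir" client '/CN=dind client' 'extendedKeyUsage=clientAuth'

    cp "$dir/ca/cert.pem" "$dir/client/ca.pem"
    cp "$dir/ca/cert.pem" "$dir/server/ca.pem"
}

# san_of CERT : print the certificate's subjectAltName entries, for inspection.
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo: `sh this-script.sh demo` generates a tree and prints what a client sets.
case "${1:-}" in
demo)
    certdir=$(mktemp -d)
    generate_certs "$certdir" "$(build_san "$(hostname)" 172.17.0.2)"
    san_of "$certdir/server/cert.pem"
    echo "export DOCKER_HOST=tcp://docker:2376 DOCKER_TLS_VERIFY=1 DOCKER_CERT_PATH=$certdir/client"
    ;;
esac
```

A client container then needs only the `client` subdirectory: `DOCKER_HOST=tcp://docker:2376`, `DOCKER_TLS_VERIFY=1` and `DOCKER_CERT_PATH` pointing at it (`ca.pem`, `cert.pem`, `key.pem` are the three files the Docker CLI reads from `DOCKER_CERT_PATH`). Because the server certificate is only valid for the names in its SAN, a client that dials the daemon by an alias that was not detected at generation time has to get that alias in through `DOCKER_TLS_SAN`, which is the case the variable exists for.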
Opened #168 for splitting the TLS script.
Changes:
- docker-library/docker@cad4d26: Merge pull request docker-library/docker#166 from infosiftr/auto-tls
- docker-library/docker@651c075: Merge pull request docker-library/docker#167 from infosiftr/simpler-dind-example
Documentation PR is now open at docker-library/docs#1538 👍
Docker added a new TLS cert option in v19+, which is breaking dind usage in pipelines. This disables the 'auto-enable TLS' feature.

See:
- docker-library/docker#166
- https://gitlab.com/gitlab-com/gl-infra/production/issues/982
- https://gitlab.com/gitlab-org/gitlab-ce/issues/64968
The docker-in-docker image now enables TLS by default (added in docker-library/docker#166), which complicates testing in our environment, and isn't needed for the tests we're running. This patch sets the `DOCKER_TLS_CERTDIR` to an empty value to disable TLS.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker` Docker Hub repository lists what versions of the image are supported and 18.6 is not among them at all. Use the current stable line of 18.09 instead, to stay on supported versions. See more info at: https://hub.docker.com/_/docker

Also add a required parameter to run images from 18.09.8-dind onwards, due to this change: docker-library/docker#166

Here in effect disabling AutoTLS for the moment (TLS communication with the daemon) since it's all local anyways.

Change-type: minor
Signed-off-by: Gergely Imreh <gergely@balena.io>
The `docker` Docker Hub repository lists what versions of the image are supported and 18.6 is not among them at all. Use the current stable line of 18.09 instead, to stay on supported versions. See more info at: https://hub.docker.com/_/docker

Also added `DOCKER_HOST` as it affects `v18.09.8-dind` (which is trying to use the tcp socket instead, it seems: docker-library/docker#175) after it enabled AutoTLS in docker-library/docker#166.

Change-type: minor
Signed-off-by: Gergely Imreh <gergely@balena.io>
```yaml
services:
  - name: docker:dind
    entrypoint: ["env", "-u", "DOCKER_HOST"]
    command: ["dockerd-entrypoint.sh"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
  # See docker-library/docker#166
  DOCKER_TLS_CERTDIR: ""
```
Closes #164
Refs docker-library/docs#1525