docker: remove insecure tcp://0.0.0.0:2375 configuration

TCP connection without TLS is completely insecure and can easily result
in container breakout.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

docker/content.md

@@ -19,17 +19,26 @@ If you are still convinced that you need Docker-in-Docker and not just access to
 ## Start a daemon instance
 
 ```console
-$ docker run --privileged --name some-docker -d %%IMAGE%%:dind
+$ docker run --privileged --name some-docker -d -v /daemon-secret:/secret %%IMAGE%%:dind \
+ dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert /secret/ca.pem --tlscert /secret/cert.pem --tlskey /secret/key.pem
 ```
 
 **Note:** `--privileged` is required for Docker-in-Docker to function properly, but it should be used with care as it provides full access to the host environment, as explained [in the relevant section of the Docker documentation](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).
 
-By default, the `dind` variants of this image add `--host=tcp://0.0.0.0:2375` (on top of the explicit default of `--host=unix:///var/run/docker.sock`) in order to allow external containers to access `dockerd` appropriately (as the following examples illustrate). If you use `--network=host` or other methods of sharing network namespaces (such as Kubernetes pods, for example), this might be a security issue. To disable this image behavior, simply override the container command or entrypoint to run `dockerd` directly (`... docker:dind dockerd ...` or `... --entrypoint dockerd docker:dind ...`).
+By default, the `dind` variants of this image add `--host=tcp://0.0.0.0:2375` (on top of the explicit default of `--host=unix:///var/run/docker.sock`) via the `ENTRYPOINT` script (`/usr/local/bin/dockerd-entrypoint.sh`) in order to allow external containers to access `dockerd` without TLS.
+
+This default `ENTRYPOINT` configuration is *INSECURE* and can easily result in *"container breakout"*, because any container inside the `dind` with network connectivity can connect to the `dind` daemon via the gateway IP and gain the root privileges on the host, not just the root privileges in the `dind` daemon container. Any process in the host, and any container in the parent Docker with network connectivy can gain the root privileges as well.
+
+To disable this image behavior, simply override the container command or entrypoint to run `dockerd` directly (`... docker:dind dockerd ...` as shown in this document or `... --entrypoint dockerd docker:dind ...`).
 
 ## Connect to it from a second container
 
+`/client-secret` is assumed to contain `ca.pem`, `cert.pem`, and `key.pem` here.
+
 ```console
-$ docker run --rm --link some-docker:docker %%IMAGE%%:edge version
+$ docker run --rm --link some-docker:docker -v /client-secret:/root/.docker \
+ -e DOCKER_HOST=tcp://docker:2376 -e DOCKER_TLS_VERIFY=1 \
+ %%IMAGE%%:edge version
 Client:
  Version:      17.05.0-ce
  API version:  1.27 (downgraded from 1.29)
@@ -49,7 +58,9 @@ Server:
 ```
 
 ```console
-$ docker run -it --rm --link some-docker:docker %%IMAGE%%:edge sh
+$ docker run -it --rm --link some-docker:docker -v /client-secret:/root/.docker %%IMAGE%%:edge sh
+/ # export DOCKER_HOST=tcp://docker:2376
+/ # export DOCKER_TLS_VERIFY=1
 / # docker version
 Client:
  Version:      17.05.0-ce
@@ -70,7 +81,9 @@ Server:
 ```
 
 ```console
-$ docker run --rm --link some-docker:docker %%IMAGE%% info
+$ docker run --rm --link some-docker:docker -v /client-secret:/root/.docker \
+ -e DOCKER_HOST=tcp://docker:2376 -e DOCKER_TLS_VERIFY=1 \
+ %%IMAGE%%:edge info
 Containers: 0
  Running: 0
  Paused: 0
@@ -113,6 +126,37 @@ Insecure Registries:
 Live Restore Enabled: false
 ```
 
+## Connect via UNIX socket
+
+If the client and the daemon are running on the same host and you don't want to configure TLS, you can use UNIX socket instead.
+
+```console
+$ mkdir /tmp/foo
+$ docker run --privileged --name some-docker -d -v /tmp/foo:/var/run %%IMAGE%%:dind dockerd
+```
+
+```console
+$ docker run --rm -v /tmp/foo:/var/run  %%IMAGE%% version
+Client:
+ Version:      17.05.0-ce
+ API version:  1.28 (downgraded from 1.29)
+ Go version:   go1.7.5
+ Git commit:   89658be
+ Built:        Fri May  5 15:36:11 2017
+ OS/Arch:      linux/amd64
+
+Server:
+ Version:      17.04.0-ce
+ API version:  1.28 (minimum version 1.12)
+ Go version:   go1.8
+ Git commit:   4845c56
+ Built:        Thu Apr 27 07:51:43 2017
+ OS/Arch:      linux/amd64
+ Experimental: false
+```
+
+To connect to the host daemon:
+
 ```console
 $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock %%IMAGE%% version
 Client: