
Allowing TLS non-verify by environment variable #760

Closed
axel3rd opened this issue Dec 21, 2017 · 1 comment · Fixed by #863

axel3rd commented Dec 21, 2017

Preamble

Initially opened on moby: #35786

Description

When the docker daemon certificate is generated without the public server IP, the docker client should use the tls option but cannot use the tlsverify option for a remote call (otherwise: Error: certificate is valid for x.x.x.x, not y.y.y.y).

Currently docker (17.09.1-ce) can only provide this use case through the --tls command line option.

The environment variables can only activate tlsverify (with DOCKER_TLS_VERIFY), not tls alone.

In some cases, end users cannot use docker command line options (e.g. when docker is included in a third-party script or in some continuous integration plugin); so configuring the behaviour using only environment variables (generally possible) could be useful.

A DOCKER_TLS environment variable to activate TLS (but non-verify), like the --tls command line parameter, could be a great feature.

Moby #22411 (let DOCKER_TLS_VERIFY=0 disable TLS verification) could help to understand this feature request.

Steps to reproduce the behavior:

# Configure the server endpoint (whose certificate is not really suitable for 'verify' usage) and 'ca.pem', 'cert.pem', 'key.pem' (in the cert directory)
$ export DOCKER_HOST=tcp://10.1.2.3:2376
$ export DOCKER_CERT_PATH=cert
$ export DOCKER_TLS_VERIFY=anyValue

$ docker images
error during connect: Get https://10.1.2.3:2376/v1.32/images/json: x509: certificate is valid for 192.168.4.5, 127.0.0.1, not 10.1.2.3

Only way to work:

$ export DOCKER_HOST=tcp://10.1.2.3:2376
$ export DOCKER_CERT_PATH=cert
$ docker --tls images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
xxx .. OK

Feature request:

$ export DOCKER_HOST=tcp://10.1.2.3:2376
$ export DOCKER_CERT_PATH=cert
$ export DOCKER_TLS=anyValue

$ docker images
REPOSITORY                                     TAG                 IMAGE ID            CREATED             SIZE
xxx .. OK

Output of docker version:

Client:
 Version:      17.09.1-ce
 API version:  1.30 (downgraded from 1.32)
 Go version:   go1.8.3
 Git commit:   19e2cf6
 Built:        Thu Dec  7 22:24:23 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.06.2-ce
 API version:  1.30 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   cec0b72
 Built:        Tue Sep  5 19:59:11 2017
 OS/Arch:      linux/amd64
 Experimental: false

Additional environment details:

Ubuntu 16.04 on OpenStack platform.

Linux ubuntu-test 4.4.0-103-generic #126-Ubuntu SMP Mon Dec 4 16:23:28 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
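As an added illustration (not code from the issue or from docker/cli) of what the requested encrypt-only mode gives up: a constructed, self-signed daemon certificate whose IP SANs hold only the private IP and loopback fails hostname verification for 10.1.2.3 with exactly the error in the report, while the --tls-style check accepts it without authenticating the daemon. newServerCert and checkServerCert are assumed helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a constructed, self-signed daemon certificate whose IP SANs
// cover only the given addresses (the private IP and loopback, as in the issue).
func newServerCert(ips ...net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkServerCert models the issue's two client modes: with verify (DOCKER_TLS_VERIFY) the
// cert must cover the dialled host; --tls / proposed DOCKER_TLS accepts any cert (no authentication).
func checkServerCert(cert *x509.Certificate, host string, verify bool) error {
	if !verify {
		return nil // encrypt-only, i.e. tls.Config{InsecureSkipVerify: true}
	}
	return cert.VerifyHostname(host)
}

func main() {
	cert, err := newServerCert(net.ParseIP("192.168.4.5"), net.ParseIP("127.0.0.1"))
	if err != nil {
		panic(err)
	}
	fmt.Println("tlsverify:", checkServerCert(cert, "10.1.2.3", true))
	fmt.Println("tls only: ", checkServerCert(cert, "10.1.2.3", false))
}
```

Regenerating the daemon certificate with the public address in its IP SANs keeps DOCKER_TLS_VERIFY usable, so the client never has to accept an arbitrary server certificate.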
WTFKr0 (Contributor) commented Jan 30, 2018

Hi,

Is somebody starting to work on that?
