@crazy-max crazy-max commented Dec 11, 2024

@crazy-max crazy-max force-pushed the docker-install-local-tcp branch 2 times, most recently from 3476a96 to 5b9555f Compare December 11, 2024 18:07
@crazy-max crazy-max force-pushed the docker-install-local-tcp branch 4 times, most recently from db19a10 to f0cc1b8 Compare December 12, 2024 10:10
@crazy-max crazy-max force-pushed the docker-install-local-tcp branch 8 times, most recently from d8b99ff to 56f7596 Compare December 12, 2024 13:11
@crazy-max crazy-max force-pushed the docker-install-local-tcp branch from 56f7596 to 51e6621 Compare December 12, 2024 13:18
@crazy-max crazy-max marked this pull request as ready for review December 12, 2024 13:31
@crazy-max crazy-max merged commit 1d49775 into docker:main Dec 12, 2024
61 checks passed
@crazy-max crazy-max deleted the docker-install-local-tcp branch December 12, 2024 13:32
const cmd = `${dockerPath} --host="${dockerHost}" --config-file="${daemonConfigPath}" --exec-root="${this.runDir}/execroot" --data-root="${this.runDir}/data" --pidfile="${this.runDir}/docker.pid"`;
let cmd = `${dockerPath} --host="${dockerHost}" --config-file="${daemonConfigPath}" --exec-root="${this.runDir}/execroot" --data-root="${this.runDir}/data" --pidfile="${this.runDir}/docker.pid"`;
if (this.localTCPPort) {
cmd += ` --host="tcp://127.0.0.1:${this.localTCPPort}"`;
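
Review bot: in the `if (this.localTCPPort)` branch, `this.localTCPPort` is interpolated into the command string with no visible validation, and the added `--host="tcp://127.0.0.1:${this.localTCPPort}"` listener comes with no TLS flags anywhere in the visible command. Suggest checking that `localTCPPort` is an integer in the range 1-65535 before appending it to `cmd`, and documenting on the option that this loopback listener serves the daemon API in plain TCP, so it should only be enabled on disposable runners.
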
Contributor

Note: Exposing the docker socket over TCP without TLS is deprecated and will be a hard failure in future:

WARN[2024-12-13T11:24:36.737970212Z] Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network.  host="tcp://127.0.0.1:1234"
WARN[2024-12-13T11:24:36.738007253Z] Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there!  host="tcp://127.0.0.1:1234"
WARN[2024-12-13T11:24:36.738011878Z] [DEPRECATION NOTICE] In future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/  host="tcp://127.0.0.1:1234"

See: moby/moby#41285

Member Author

I do agree but hope there will be some opt-in env var to still avoid TLS for development purposes.
