docs: deprecate TCP connection without TLS #4928
Signed-off-by: David Karlsson <[email protected]>
|
|
||
| ### Unauthenticated TCP connections | ||
|
|
||
| **Deprecated in Release: v26.0** |
To some extent, the upstream project deprecated it in 20.10. Not sure how correct it would be to put that here though 🤔 (the engine has logged the deprecation message since that time; moby/moby#41285)
WARN[2024-03-08T09:54:46.486330417Z] Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release host="tcp://0.0.0.0:2375"
But it looks like the warning returned in docker info only mentions the warning, not deprecation 🙃 🤷‍♂️
WARNING: API is accessible on http://0.0.0.0:2375/ without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/go/attack-surface/
☝️ we should definitely consider updating that message as well (cc @vvoland so that we don't forget)
For visibility, I think it would also be good to add a warning on the https://docs.docker.com/go/attack-surface/ page (linking to the deprecation page).
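As an added example (not code from this PR or from the docker/cli project), a small Python audit that flags `tcp://` listeners in a daemon.json that are not protected by `tlsverify`, and pulls the endpoint out of the `docker info` warning quoted above; the daemon.json and `docker info` text are constructed samples.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample daemon.json: the API is exposed on TCP with TLS turned on
# but without client-certificate verification.
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed sample of `docker info` output carrying the warning quoted above.
SAMPLE_DOCKER_INFO = """
Server Version: 25.0.3
WARNING: API is accessible on http://0.0.0.0:2375/ without encryption.
         Access to the remote API is equivalent to root access on the host.
"""

def audit_daemon_json(text):
    """Return (host, mode) for every tcp:// listener not covered by tlsverify.

    Only tlsverify gives mutual authentication: it encrypts the transport and
    rejects clients without a certificate signed by the configured CA.
    "tls": true on its own encrypts but still accepts any client.
    """
    cfg = json.loads(text)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):  # tolerate a single host given as a string
        hosts = [hosts]
    tlsverify = cfg.get("tlsverify") is True
    findings = []
    for host in hosts:
        if urlsplit(host).scheme != "tcp":
            continue  # unix:// and fd:// listeners are local, out of scope here
        if not tlsverify:
            mode = "tls-only (no client auth)" if cfg.get("tls") else "plaintext"
            findings.append((host, mode))
    return findings

UNENCRYPTED_RE = re.compile(r"API is accessible on (\S+) without encryption")

def unencrypted_endpoints(info_output):
    """Pull the endpoint(s) named in dockerd's 'without encryption' warning."""
    return UNENCRYPTED_RE.findall(info_output)
```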
| To facilitate remote access to the Docker daemon over TCP, you'll need to | ||
| implement TLS verification. This secures the connection by encrypting data in | ||
| transit and providing a mechanism for mutual authentication. |
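Review bot: "implement TLS verification" in the first sentence is vague about what the operator actually does; say that dockerd must be started with `--tlsverify` together with `--tlscacert`, `--tlscert` and `--tlskey` (or the equivalent daemon.json keys), because `--tls` alone encrypts the connection but still accepts any client and so does not give the mutual authentication the second sentence promises.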
Do you think we should mention ssh:// as a recommended alternative here as well, or is that too much out of context (and better left for the linked docs)?
Ah, never mind, you mention it below 😂
- What I did
Added a deprecation notice for remote daemon connections over TCP without TLS