This makes it possible to make the Docker client "secure by default"
without wrapping the binary in a shell alias that always passes
`--tlsverify`.
Signed-off-by: Aanand Prasad <aanand.prasad@gmail.com>
| ... | ... |
@@ -10,7 +10,8 @@ import ( |
| 10 | 10 |
) |
| 11 | 11 |
|
| 12 | 12 |
var ( |
| 13 |
- dockerCertPath = os.Getenv("DOCKER_CERT_PATH")
|
|
| 13 |
+ dockerCertPath = os.Getenv("DOCKER_CERT_PATH")
|
|
| 14 |
+ dockerTlsVerify = os.Getenv("DOCKER_TLS_VERIFY") != ""
|
|
| 14 | 15 |
) |
| 15 | 16 |
|
| 16 | 17 |
func init() {
|
| ... | ... |
@@ -26,7 +27,7 @@ var ( |
| 26 | 26 |
flSocketGroup = flag.String([]string{"G", "-group"}, "docker", "Group to assign the unix socket specified by -H when running in daemon mode\nuse '' (the empty string) to disable setting of a group")
|
| 27 | 27 |
flEnableCors = flag.Bool([]string{"#api-enable-cors", "-api-enable-cors"}, false, "Enable CORS headers in the remote API")
|
| 28 | 28 |
flTls = flag.Bool([]string{"-tls"}, false, "Use TLS; implied by tls-verify flags")
|
| 29 |
- flTlsVerify = flag.Bool([]string{"-tlsverify"}, false, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")
|
|
| 29 |
+ flTlsVerify = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, "Use TLS and verify the remote (daemon: verify client, client: verify daemon)")
|
|
| 30 | 30 |
|
| 31 | 31 |
// these are initialized in init() below since their default values depend on dockerCertPath which isn't fully initialized until init() runs |
| 32 | 32 |
flTrustKey *string |
| ... | ... |
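Review bot: The new default at line 29 (`flTlsVerify = flag.Bool([]string{"-tlsverify"}, dockerTlsVerify, ...)`) turns verification on for any non-empty `DOCKER_TLS_VERIFY`, including values such as `0` or `false`, because `dockerTlsVerify` in the first hunk is simply `os.Getenv("DOCKER_TLS_VERIFY") != ""`. That errs on the safe side, but a user who exports `DOCKER_TLS_VERIFY=0` expecting to opt out will still get verification, and only unsetting the variable or passing `--tlsverify=false` disables it; the flag's help string should say so, e.g. `"Use TLS and verify the remote (daemon: verify client, client: verify daemon); defaults to true when DOCKER_TLS_VERIFY is set to a non-empty value"`. A one-line comment above the new var in the first hunk would also help, e.g. `// any non-empty value enables --tlsverify by default; only unsetting it or --tlsverify=false turns verification off`. The `init()` body starting at line 17 continues outside the hunk, so it is unverified here whether anything there depends on this default.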
@@ -139,16 +139,18 @@ need to provide your client keys, certificates and trusted CA: |
| 139 | 139 |
|
| 140 | 140 |
If you want to secure your Docker client connections by default, you can move |
| 141 | 141 |
the files to the `.docker` directory in your home directory - and set the |
| 142 |
-`DOCKER_HOST` variable as well. |
|
| 142 |
+`DOCKER_HOST` and `DOCKER_TLS_VERIFY` variables as well (instead of passing |
|
| 143 |
+`-H=tcp://:2376` and `--tlsverify` on every call). |
|
| 143 | 144 |
|
| 144 | 145 |
$ cp ca.pem ~/.docker/ca.pem |
| 145 | 146 |
$ cp cert.pem ~/.docker/cert.pem |
| 146 | 147 |
$ cp key.pem ~/.docker/key.pem |
| 147 | 148 |
$ export DOCKER_HOST=tcp://:2376 |
| 149 |
+ $ export DOCKER_TLS_VERIFY=1 |
|
| 148 | 150 |
|
| 149 |
-Then you can run Docker with the `--tlsverify` option. |
|
| 151 |
+Docker will now connect securely by default: |
|
| 150 | 152 |
|
| 151 |
- $ sudo docker --tlsverify ps |
|
| 153 |
+ $ sudo docker ps |
|
| 152 | 154 |
|
| 153 | 155 |
## Other modes |
| 154 | 156 |
|
| ... | ... |
@@ -116,6 +116,14 @@ the `-H` flag for the client. |
| 116 | 116 |
$ sudo docker ps |
| 117 | 117 |
# both are equal |
| 118 | 118 |
|
| 119 |
+Setting the `DOCKER_TLS_VERIFY` environment variable to any value other than the empty |
|
| 120 |
+string is equivalent to setting the `--tlsverify` flag. The following are equivalent: |
|
| 121 |
+ |
|
| 122 |
+ $ sudo docker --tlsverify ps |
|
| 123 |
+ # or |
|
| 124 |
+ $ export DOCKER_TLS_VERIFY=1 |
|
| 125 |
+ $ sudo docker ps |
|
| 126 |
+ |
|
| 119 | 127 |
IP masquerading uses address translation to allow containers without a public IP to talk |
| 120 | 128 |
to other machines on the Internet. This may interfere with some network topologies and |
| 121 | 129 |
can be disabled with --ip-masq=false. |