docker-socket-proxy icon indicating copy to clipboard operation
docker-socket-proxy copied to clipboard

Published 20 hours ago verified publisher icon Tecnativa

Docker v26 support (TLS mandatory now)

Open gabrielmocan opened this issue 1 year ago • 3 comments

As of Docker v26 release, TLS is now mandatory to connect to the docker socket.

Source: https://docs.docker.com/engine/release-notes/26.0/

Deprecate the ability to accept remote TCP connections without TLS. [Deprecation notice](https://github.com/docker/cli/tree/v26.0.0/deprecation.md#unauthenticated-tcp-connections) [docker/cli#4928](https://github.com/docker/cli/pull/4928) [moby/moby#47556](https://github.com/moby/moby/pull/47556).

Any plans to support this breaking change?

gabrielmocan avatar Mar 25 '24 14:03 gabrielmocan

Can you propose a PR for supporting it?

pedrobaeza avatar Mar 25 '24 14:03 pedrobaeza

Note: this is only deprecated for now, TLS will be required in Docker v27 (link)

Deprecated: the feature is marked "deprecated" and should no longer be used.

Unauthenticated TCP connections Deprecated in Release: v26.0 Target For Removal In Release: v27.0

Also note:

This mandatory TLS requirement applies to all TCP addresses except tcp://localhost.

bluepuma77 avatar Apr 04 '24 07:04 bluepuma77

Does this mean that docker-socket-proxy is fully working also on Docker v26?

I quickly tried to spin a container (through swarm) on v26 but the healthcheck fails ("Connecting to localhost:2375 ([::1]:2375) wget: can't connect to remote host: Connection refused"). I am using the exact same CICD and compose-file which is working on many older versions.

I will need to dig deeper to understand if this issue comes from the new version or from some wrong setup elsewhere.

Thanks!

andretrial avatar Apr 04 '24 08:04 andretrial

After some digging, I found where this strange behaviour comes from: it seems that "localhost" is no longer working as before. Connecting directly to the docker-socket-proxy container:

  • wget -O- http://localhost:2375/version Connecting to localhost:2375 ([::1]:2375) wget: can't connect to remote host: Connection refused

  • wget -O- http://127.0.0.1:2375/version Connecting to 127.0.0.1:2375 (127.0.0.1:2375) writing to stdout {"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"26.0.0","Details":{"ApiVersion":"1.45"....}

As we can see, not working using localhost, but working with 127.0.0.1 on docker v26.

But this strange behaviour is only with this container. In the same compose-file all other healthchecks are working fine with localhost. Then, something is no longer working on docker v26.

Here the same call within the same container running on top of docker v25:

  • wget -O- http://localhost:2375/version Connecting to localhost:2375 (127.0.0.1:2375) writing to stdout {"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"25.0.3","Details":{"ApiVersion":"1.44"...}

As we can see, on older versions is working as expected.

Thanks

andretrial avatar Apr 05 '24 07:04 andretrial

I have seen today this warning:

[DEPRECATION WARNING]: The default value "localhost" for tls_hostname is 
deprecated and will be removed in community.docker 2.0.0. From then on, 
docker_host will be used to compute tls_hostname. If you want to keep using 
"localhost", please set that value explicitly.

Isn't this your problem?

pedrobaeza avatar Apr 05 '24 10:04 pedrobaeza

I don't think so.

After analysing it, I can see that in older versions of Docker localhost is resolved as ipv4 -> 127.0.0.1: Instead, on version 26, is resolved as ipv6 -> [::1]. You can see it on my previous post with both wget output.

I guess this "issue" might be already resolved on this commit: https://github.com/Tecnativa/docker-socket-proxy/commit/ce81071d863579261ccd7956bfa331462b3ea50f With this config DISABLE_IPV6=0, both ipv4 and ipv6 are being bound. This is probably the solution of the issue. What do you think?

Thanks

andretrial avatar Apr 05 '24 18:04 andretrial

Yeah, you can try with it.

pedrobaeza avatar Apr 05 '24 18:04 pedrobaeza

Are you planning a new release with these recent commits?

Anyway, I will clone the repo and build the image on my side in order to test it ;)

Thanks

andretrial avatar Apr 05 '24 19:04 andretrial

New release done. I thought the registry was updated after each push.

pedrobaeza avatar Apr 05 '24 19:04 pedrobaeza

Thanks,

The deployment went well and the healthcheck is now working great ;)

I just need to go through your doc to find out what I need to configure with this new version: [WARNING] 095/192057 (1) : config : missing timeouts for backend 'docker-events'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'.

Thanks a lot ;)

andretrial avatar Apr 05 '24 19:04 andretrial

Thanks for all the effort guys, will try now and see how my deployment will go.

gabrielmocan avatar Apr 05 '24 19:04 gabrielmocan