feat: add information about fluentd tls connection
Description
I added information about TLS support for the Fluentd log driver connection: https://github.com/moby/moby/blob/294f0c36e468dc097d56dcf88d4418b7dc3d2856/vendor/github.com/fluent/fluent-logger-golang/fluent/fluent.go#L443
Related issues or tickets
- relates to https://github.com/moby/moby/pull/42979
- relates to https://github.com/fluent/fluent-logger-golang/pull/107
- relates to https://github.com/fluent/fluent-logger-golang/issues/112
Reviews
- [x] Technical review
- [x] Editorial review
- [ ] Product review
Deploy Preview for docsdocker ready!
| Name | Link |
|---|---|
| Latest commit | fa05a4bc5a5d0aa894a52a67428e5cb6d13359ad |
| Latest deploy log | https://app.netlify.com/sites/docsdocker/deploys/6824093094a1bf0008fa740d |
| Deploy Preview | https://deploy-preview-22632--docsdocker.netlify.app |
Thanks! It looks indeed like the updated dependency from https://github.com/moby/moby/pull/42979 adds this as an option (as part of Docker Engine v23.0 and up).
Looking a bit further, I see that a colleague (@akerouanton) left a comment in the PR that implemented it in the dependency, mentioning that it was "incomplete": https://github.com/fluent/fluent-logger-golang/pull/107#issuecomment-984184421
> Although this PR allows using self-signed TLS certs, it doesn't offer a proper way of securely doing TLS because there's no way to specify which CA cert is accepted. With this change, if an attacker can MITM/redirect fluentd's network stream, they could still generate their own self-signed cert and bypass TLS promises. IMHO it could give a false sense of security. It would be great to be able to specify which CA certs are accepted (on top of what's in the system truststore).
- ☝️ tracking ticket for that is in https://github.com/fluent/fluent-logger-golang/issues/112
So I'm wondering if it was intentionally left undocumented (because of that), or if it's something we should (somewhere?) call out in the docs, in case users try to use the option and run into issues because of that limitation.
cc @akerouanton @vvoland for thoughts
Yes, it looks like you can't verify a self-signed cert. You can still use your private CA trusted by your host and sign the certificate with it; then Docker will be able to verify it against your host's CA bundle. (You need to restart Docker to re-read the updated bundle.) https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-server#tls-configuration-basic-examples
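The point in the quoted comment above (an on-path attacker's self-signed certificate is indistinguishable from yours when the client pins no CA) and the workaround in the reply above (sign the server certificate with a private CA the host trusts) can be shown side by side. The following is an added example, not code from moby or fluent-logger-golang: it uses crypto/tls directly instead of the log driver, `fluentd.internal` is an assumed hostname, the skip-verify client stands in for what "accept self-signed certificates" amounts to, and the pinned CA pool stands in for the host CA bundle with the private CA added. Everything is generated in memory; no host trust store is touched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is the host the log driver would dial, i.e. the host part of an
// assumed fluentd-address=tls://fluentd.internal:24224.
const serverName = "fluentd.internal"

// makeCert builds an in-memory certificate signed by parent, or self-signed
// when parent is nil. Constructed test material; nothing here is shipped by
// Docker or fluent-logger-golang.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn} // a leaf must match the dialed hostname
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// serveOnce listens on loopback presenting cert, accepts a single connection,
// runs the server-side handshake and closes. Returns the address to dial.
func serveOnce(cert *x509.Certificate, key *ecdsa.PrivateKey) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
	})
	if err != nil {
		panic(err)
	}
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server-side result is irrelevant here
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// connect dials addr the way a log-shipping client would and reports whether
// the handshake succeeded. roots == nil models "accept any certificate"
// (InsecureSkipVerify); a non-nil pool models verifying against a private CA.
func connect(addr string, roots *x509.CertPool) bool {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if roots == nil {
		cfg.InsecureSkipVerify = true
	} else {
		cfg.RootCAs = roots
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// Outcome records which client mode accepted which server certificate.
type Outcome struct {
	SkipVerifyAcceptsLegit, SkipVerifyAcceptsAttacker bool
	PinnedAcceptsLegit, PinnedAcceptsAttacker         bool
}

// RunScenario plays both client modes against the legitimate endpoint and
// against an on-path attacker presenting a self-signed cert for the same name.
func RunScenario() Outcome {
	caCert, caKey := makeCert("Example Private CA", true, nil, nil)
	legitCert, legitKey := makeCert(serverName, false, caCert, caKey)
	attackerCert, attackerKey := makeCert(serverName, false, nil, nil) // no CA involved

	pinned := x509.NewCertPool() // stands in for the host bundle with the private CA added
	pinned.AddCert(caCert)

	return Outcome{
		SkipVerifyAcceptsLegit:    connect(serveOnce(legitCert, legitKey), nil),
		SkipVerifyAcceptsAttacker: connect(serveOnce(attackerCert, attackerKey), nil),
		PinnedAcceptsLegit:        connect(serveOnce(legitCert, legitKey), pinned),
		PinnedAcceptsAttacker:     connect(serveOnce(attackerCert, attackerKey), pinned),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

With `go run`, the skip-verify client accepts the attacker's certificate exactly as readily as the real one, which is the "false sense of security" in the quoted comment; the client that verifies against the private CA accepts the real endpoint and rejects the attacker. In the Docker case the CA pool is the host's system bundle, which a Go process loads once and caches for its lifetime, which is why the reply above says to restart Docker after updating the bundle.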
Thanks! Yes, so it sounds like it may be a good idea to have some warning / note / callout to outline the limitations / caveats. That way the user can make a more well-informed decision on whether that's acceptable for their use.
At least, I generally prefer not to try to shove such things under the rug (even if they're ugly).
Suggestions for that are definitely welcome! Also /cc @ArthurFlag (in case you have any! ❤️)