
Use TLS for secure docker connection #192

Merged 1 commit, Nov 29, 2020

Conversation

Warashi (Contributor) commented Nov 16, 2020

Due to #177, the docker command in the runner container uses a TCP connection to communicate with dockerd in the dind container, and this connection is not encrypted.
This PR adds configuration to encrypt the connection.

ref: docker-library/docker#170 (comment)

@Warashi Warashi closed this Nov 19, 2020
@Warashi Warashi deleted the feature/secure-docker-tcp branch November 19, 2020 00:44
mumoshu (Collaborator) commented Nov 24, 2020

@Warashi Hey! Thanks for the PR and sorry for the delayed response. It took more time than I had expected because I had a little vacation.

Would you mind reopening this if possible, so that I can test/review this once again?

@Warashi Warashi restored the feature/secure-docker-tcp branch November 25, 2020 00:00
Warashi (Contributor, Author) commented Nov 25, 2020

Oops, I mistakenly closed this PR and had not noticed.

@Warashi Warashi reopened this Nov 25, 2020
Warashi (Contributor, Author) commented Nov 25, 2020

Resolved conflicts.

mumoshu (Collaborator) left a review comment

LGTM. Thanks for the enhancement @Warashi ☺️

@mumoshu mumoshu merged commit be25715 into actions:master Nov 29, 2020
mumoshu (Collaborator) commented Dec 6, 2020

Note that this seems to break ghaction-docker-buildx@v1.

Hopefully this can be fixed by migrating to docker's own buildx action in #197.

crazy-max/ghaction-docker-buildx@v1
  with:
    buildx-version: latest
    qemu-version: latest
✅ Buildx version found: v0.4.2
⬇️ Downloading https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64...
🔨 Fixing perms...
📣 Buildx info
/usr/local/bin/docker buildx version
github.com/docker/buildx v0.4.2 fb7b670b764764dc4716df3eba07ffdae4cc47b2
⬇️ Downloading qemu-user-static Docker image...
/usr/local/bin/docker pull -q multiarch/qemu-user-static:latest
docker.io/multiarch/qemu-user-static:latest
💎 Installing QEMU static binaries...
/usr/local/bin/docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
Setting /usr/bin/qemu-alpha-static as binfmt interpreter for alpha
Setting /usr/bin/qemu-arm-static as binfmt interpreter for arm
Setting /usr/bin/qemu-armeb-static as binfmt interpreter for armeb
Setting /usr/bin/qemu-sparc-static as binfmt interpreter for sparc
Setting /usr/bin/qemu-sparc32plus-static as binfmt interpreter for sparc32plus
Setting /usr/bin/qemu-sparc64-static as binfmt interpreter for sparc64
Setting /usr/bin/qemu-ppc-static as binfmt interpreter for ppc
Setting /usr/bin/qemu-ppc64-static as binfmt interpreter for ppc64
Setting /usr/bin/qemu-ppc64le-static as binfmt interpreter for ppc64le
Setting /usr/bin/qemu-m68k-static as binfmt interpreter for m68k
Setting /usr/bin/qemu-mips-static as binfmt interpreter for mips
Setting /usr/bin/qemu-mipsel-static as binfmt interpreter for mipsel
Setting /usr/bin/qemu-mipsn32-static as binfmt interpreter for mipsn32
Setting /usr/bin/qemu-mipsn32el-static as binfmt interpreter for mipsn32el
Setting /usr/bin/qemu-mips64-static as binfmt interpreter for mips64
Setting /usr/bin/qemu-mips64el-static as binfmt interpreter for mips64el
Setting /usr/bin/qemu-sh4-static as binfmt interpreter for sh4
Setting /usr/bin/qemu-sh4eb-static as binfmt interpreter for sh4eb
Setting /usr/bin/qemu-s390x-static as binfmt interpreter for s390x
Setting /usr/bin/qemu-aarch64-static as binfmt interpreter for aarch64
Setting /usr/bin/qemu-aarch64_be-static as binfmt interpreter for aarch64_be
Setting /usr/bin/qemu-hppa-static as binfmt interpreter for hppa
Setting /usr/bin/qemu-riscv32-static as binfmt interpreter for riscv32
Setting /usr/bin/qemu-riscv64-static as binfmt interpreter for riscv64
Setting /usr/bin/qemu-xtensa-static as binfmt interpreter for xtensa
Setting /usr/bin/qemu-xtensaeb-static as binfmt interpreter for xtensaeb
Setting /usr/bin/qemu-microblaze-static as binfmt interpreter for microblaze
Setting /usr/bin/qemu-microblazeel-static as binfmt interpreter for microblazeel
Setting /usr/bin/qemu-or1k-static as binfmt interpreter for or1k
🔨 Creating a new builder instance...
/usr/local/bin/docker buildx create --name builder-47a7fa61fce1dab9962566ddb987849389286bb5 --driver docker-container --use
could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`
Error: The process '/usr/local/bin/docker' failed with exit code 1

mumoshu (Collaborator) commented Dec 6, 2020

Okay, even docker's own setup-buildx-action doesn't work 😇

Run docker/setup-buildx-action@v1
👉 Installing Buildx
📣 Buildx version: 0.4.2
🔨 Creating a new builder instance
  /usr/local/bin/docker buildx create --name builder-build-2 --driver docker-container --driver-opt image=moby/buildkit:v0.8-beta --buildkitd-flags --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host --use
  could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`
  Error: The process '/usr/local/bin/docker' failed with exit code 1

mumoshu (Collaborator) commented Dec 6, 2020

Seems this is exactly what docker/buildx#413 says.

mumoshu (Collaborator) commented Dec 6, 2020

You can reproduce docker/buildx#413 on the runner container by running the below steps:

mkdir -p ~/.docker/cli-plugins/; \
curl -L -o ~/.docker/cli-plugins/docker-buildx https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64 ;\
chmod +x ~/.docker/cli-plugins/docker-buildx ;\
docker --help | grep buildx
$ docker --help | grep buildx
  buildx*     Build with BuildKit (Docker Inc., v0.4.2)
$ docker buildx create --name builder-build-2 --driver docker-container --driver-opt image=moby/buildkit:v0.8-beta --buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host --use"
could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`

The fix should be indeed to create the dedicated docker context and use that to create the buildx builder:

$ docker context ls
NAME                DESCRIPTION                               DOCKER ENDPOINT        KUBERNETES ENDPOINT   ORCHESTRATOR
default *           Current DOCKER_HOST based configuration   tcp://localhost:2376                         swarm
Warning: DOCKER_HOST environment variable overrides the active context. To use a context, either set the global --context flag, or unset DOCKER_HOST environment variable.
$ docker context create buildx
buildx
Successfully created context "buildx"
$ docker --context buildx ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
$ docker buildx create --help  | head -n 2

Usage:  docker buildx create [OPTIONS] [CONTEXT|ENDPOINT]

mumoshu (Collaborator) commented Dec 6, 2020

In a nutshell, you need to pass a valid docker context that has all the TLS settings inherited from the environment variables.

In the following example, we pass buildx as the first argument of docker buildx create, which corresponds to the docker context created by docker context create buildx:

$ docker buildx create buildx --name builder-build-2 --driver docker-container --driver-opt image=moby/buildkit:v0.8-beta --buildkitd-flags "--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" --use
builder-build-2

$ docker buildx build --load .
WARN[0000] invalid non-bool value for BUILDX_NO_DEFAULT_LOAD:  
[+] Building 10.1s (7/7) FINISHED                                                                         
 => [internal] booting buildkit                                                                      4.9s
 => => pulling image moby/buildkit:v0.8-beta                                                         4.2s
 => => creating container buildx_buildkit_builder-build-60                                           0.7s
 => [internal] load build definition from Dockerfile                                                 0.0s
 => => transferring dockerfile: 56B                                                                  0.0s
 => [internal] load .dockerignore                                                                    0.0s
 => => transferring context: 2B                                                                      0.0s
 => [internal] load metadata for docker.io/library/alpine:latest                                     3.7s
 => [1/1] FROM docker.io/library/alpine:latest@sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7df  1.1s
 => => resolve docker.io/library/alpine:latest@sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7df  0.0s
 => => sha256:188c0c94c7c576fff0792aca7ec73d67a2f7f4cb3a6e53a84559337260b36964 2.80MB / 2.80MB       1.1s
 => exporting to oci image format                                                                    1.3s
 => => exporting layers                                                                              0.0s
 => => exporting manifest sha256:4567b80f4b7d8f139e9574aaa0850c8c4d89cc36b40f973902eab249492a78c6    0.0s
 => => exporting config sha256:8d19be48f0403c567476dc8607fc05eeb8a33846798029f7b4bd2e94f3ee331f      0.0s
 => => sending tarball                                                                               0.1s
 => importing to docker                                                                              0.0s
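The two steps the comments above describe, as an added shell example that is not code from the PR, the project or the docker CLI: first a pre-flight check that the runner's environment really describes a TLS-secured dockerd endpoint (so the connection #192 was meant to protect is not silently plaintext), then the workaround of creating a dedicated docker context and passing it as the first argument of docker buildx create. The variable names DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH and the files ca.pem, cert.pem and key.pem are the docker CLI's own conventions; the function names check_docker_tls and create_buildx_builder, the default context and builder names, and the "port 2375 means plaintext" heuristic are this example's assumptions.

```sh
#!/usr/bin/env sh
# Added example (not part of the PR or the project). Pre-flight check of the
# TLS client configuration, then the context-based buildx builder creation.

# check_docker_tls: return 0 when the environment describes a TLS connection
# to dockerd with server verification enabled and all client certificate
# material present; return 1 otherwise, with the reason on stderr.
check_docker_tls() {
  host="${DOCKER_HOST:-}"
  case "$host" in
    tcp://*) ;;
    *) echo "DOCKER_HOST is not a tcp:// endpoint: '$host'" >&2; return 1 ;;
  esac

  # Heuristic assumed by this example: 2375 is the conventional plaintext
  # port of dockerd, 2376 the conventional TLS port.
  port="${host##*:}"
  if [ "$port" = "2375" ]; then
    echo "DOCKER_HOST points at port 2375, the conventional plaintext port" >&2
    return 1
  fi

  # The docker CLI treats any non-empty DOCKER_TLS_VERIFY as "verify the
  # server certificate"; without it a TLS handshake would still accept any
  # certificate, so an active MITM would go unnoticed.
  if [ -z "${DOCKER_TLS_VERIFY:-}" ]; then
    echo "DOCKER_TLS_VERIFY is unset; the server certificate would not be verified" >&2
    return 1
  fi

  # The docker CLI falls back to ~/.docker when DOCKER_CERT_PATH is unset.
  dir="${DOCKER_CERT_PATH:-$HOME/.docker}"
  for f in ca.pem cert.pem key.pem; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing or unreadable TLS file: $dir/$f" >&2
      return 1
    fi
  done
  return 0
}

# create_buildx_builder <context-name> <builder-name>: the fix from the
# thread. `docker context create` snapshots the TLS settings from the
# environment into a named context, and that context is given to
# `docker buildx create` as its first positional argument instead of
# letting buildx read the TLS data from the environment (which it rejects).
create_buildx_builder() {
  ctx="$1"
  builder="$2"
  docker context inspect "$ctx" >/dev/null 2>&1 || docker context create "$ctx"
  docker buildx create "$ctx" --name "$builder" --driver docker-container --use
}

# Only talk to docker when invoked explicitly, e.g.:  sh secure-buildx.sh run
if [ "${1:-}" = "run" ]; then
  check_docker_tls || exit 1
  create_buildx_builder buildx builder-build-2
fi
```

Running the check before the builder creation turns a misconfigured runner (plaintext port, missing ca.pem, DOCKER_TLS_VERIFY dropped from the pod spec) into a hard failure with a clear message, rather than a job that quietly talks to dockerd unencrypted.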

mumoshu (Collaborator) commented Dec 6, 2020

Below is the workflow config change you need in order to use setup-buildx-action after this TLS-secured docker connection change:

mumoshu/actions-runner-controller-ci@e91c8c0

I'm not confident whether this should bother setup-buildx-action. Please open issues/pull requests against setup-buildx-action if you think it's better supported there.

mhaley-tignis added a commit to tignis/docker-github-action that referenced this pull request Sep 15, 2023