docker_common TLS and TLS_Verify not mutually exclusive. #15614

Closed
chouseknecht opened this issue Apr 27, 2016 · 2 comments · Fixed by #53906

@chouseknecht
Contributor

chouseknecht commented Apr 27, 2016

ISSUE TYPE
  • Bug Report
ANSIBLE VERSION
ansible 2.1.0 (docker_common 8b50e93151) last updated 2016/04/25 15:04:12 (GMT -400)
  lib/ansible/modules/core: (devel 804a8e6378) last updated 2016/04/21 18:24:50 (GMT -400)
  lib/ansible/modules/extras: (devel 3031105e78) last updated 2016/04/21 18:24:27 (GMT -400)
  config file =
  configured module search path = Default w/o overrides
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

This is actually wrong in docker_common:

DOCKER_MUTUALLY_EXCLUSIVE = [
    ['tls', 'tls_verify']
]

TLS and TLS_VERIFY are not mutually exclusive. One could set TLS and TLS_VERIFY to True, which would mean connect using TLS and verify the server using the default/public CA pool.

Need to review _get_connect_params() method again and make sure we're covering all the connection use cases.

@chouseknecht chouseknecht self-assigned this Apr 27, 2016
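The connection matrix the issue asks for, written out as an added example. This is not code from ansible's docker_common or from docker-py; the function and field names (resolve_docker_tls, connection_matrix, cacert_path, cert_path, key_path) are hypothetical. It assumes, as the issue argues, that tls and tls_verify are independent switches, that tls_verify without a CA file means "verify against the platform's default CA store", and that tls_verify on its own implies tls (a certificate cannot be verified over a plaintext connection). The returned dict deliberately mirrors the shape of docker-py's TLSConfig keyword arguments (verify, ca_cert, client_cert) but avoids importing the docker package so it runs offline.

```python
"""Resolve Docker client TLS settings from separate tls / tls_verify switches.

Added example, not ansible's docker_common code. Names are hypothetical;
the rule encoded is the one argued in the issue above: tls and tls_verify
are not mutually exclusive, and tls=True, tls_verify=True means
"encrypt and authenticate the daemon against a CA".
"""
from typing import Dict, Optional, Tuple


def resolve_docker_tls(
    tls: bool = False,
    tls_verify: bool = False,
    cacert_path: Optional[str] = None,
    cert_path: Optional[str] = None,
    key_path: Optional[str] = None,
) -> Dict[str, object]:
    """Return the TLS settings a client should use, or {"tls": False}.

    Assumption (not taken from the page): tls_verify implies tls, so
    tls=False, tls_verify=True still yields an encrypted, verified
    connection rather than an error.
    """
    use_tls = tls or tls_verify
    if not use_tls:
        # Plaintext socket/TCP: no confidentiality, no daemon authentication.
        return {"tls": False}

    params: Dict[str, object] = {"tls": True}
    if tls_verify:
        # verify=True with ca_cert=None means "use the default CA pool";
        # a path pins verification to that one CA (the usual docker
        # ca.pem case, since daemon certs are rarely publicly issued).
        params["verify"] = True
        params["ca_cert"] = cacert_path
    else:
        # Encrypted but unauthenticated: stops passive sniffing only.
        # An active attacker on the path can impersonate the daemon and
        # obtain root-equivalent control of the host, so this should be a
        # conscious, temporary choice (expired cert, hostname mismatch).
        params["verify"] = False
        params["ca_cert"] = None

    # Client certificate (mutual TLS) is orthogonal to server verification:
    # it authenticates *us* to the daemon, not the daemon to us.
    if (cert_path is None) != (key_path is None):
        raise ValueError("cert_path and key_path must be given together")
    params["client_cert"] = (cert_path, key_path) if cert_path else None
    return params


def connection_matrix() -> Dict[Tuple[bool, bool], Dict[str, object]]:
    """All four (tls, tls_verify) combinations; none of them is an error."""
    return {
        (t, v): resolve_docker_tls(tls=t, tls_verify=v)
        for t in (False, True)
        for v in (False, True)
    }


if __name__ == "__main__":
    for (t, v), p in connection_matrix().items():
        print(f"tls={t!s:5} tls_verify={v!s:5} -> {p}")
```

The point the matrix makes is that only the (True, False) row is the weakened mode, and it is the row the mutually-exclusive check was forcing users into by rejecting tls_verify alongside tls; the check did not make anything safer, it removed the option to verify.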
@ssbarnea
Member

I think that this bug is still valid and there is a very easy way to verify it: testing docker cli behavior.

# success:
DOCKER_TLS=1 DOCKER_TLS_VERIFY=0 docker ps
# failure with 'parameters are mutually exclusive: tls, tls_verify'
DOCKER_TLS=1 DOCKER_TLS_VERIFY=0 ansible -m docker ....

There is no such thing as mutually exclusive on docker and for good reasons: one may have to use TLS on port 2376 but the SSL certificates may be temporarily broken, like expired or not matching hostnames.

This is something that can happen in real life, even in production, and this is why the DOCKER_TLS_VERIFY option was added in the first place, to allow bypassing verification. Making it mutually exclusive makes no sense and breaks it because without telling docker to use TLS via DOCKER_TLS=1, it will fail to run.

@felixfontein
Contributor

This bug is invalid and was closed rightly; I've explained why here.

@ansible ansible locked and limited conversation to collaborators Apr 25, 2019