
Tell dockerd to only bind TCP/HTTP API to localhost #11406

Merged
merged 1 commit into from Mar 18, 2023

Conversation

chadlwilson
Member

@chadlwilson chadlwilson commented Mar 18, 2023

Fixes #11378

  • resolves the 15s delay caused by listening on 0.0.0.0 without TLS
  • listens on localhost only, which is not perfect but more secure
  • allows user opt-out of all TCP listens, as well as opt-in to a more secure config via DOCKERD_ADDITIONAL_ARGS
  • continues listening on localhost due to the possibility that some tools/libs can only talk to Docker on TCP, not unix sockets, by default, to minimise the chance of a breaking change
  • waits DOCKERD_MAX_WAIT_SECS (default 30) for the daemon to start (blocking agent startup), exiting if it doesn't, to avoid hidden issues like we had here
    • image sanity tests will fail if the daemon takes 15s to start, as long as we wait for it

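The startup logic the description outlines (loopback-only TCP bind, an opt-out of TCP entirely, extra args via DOCKERD_ADDITIONAL_ARGS, and a bounded wait for the daemon) as an added POSIX sh example; this is not the gocd project's own entrypoint script. The opt-out variable name DOCKERD_DISABLE_TCP and the `docker info` readiness probe are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the gocd entrypoint. Builds dockerd listen flags and
# waits a bounded time for the daemon, in the spirit of the change above.

# Emit the -H listen flags for dockerd.
# Default: unix socket plus TCP on loopback only (never 0.0.0.0).
# DOCKERD_DISABLE_TCP=true (hypothetical name) drops the TCP listener entirely.
# DOCKERD_ADDITIONAL_ARGS lets an operator append e.g. TLS flags.
dockerd_listen_args() {
  args="-H unix:///var/run/docker.sock"
  if [ "${DOCKERD_DISABLE_TCP:-false}" != "true" ]; then
    args="$args -H tcp://127.0.0.1:2375"
  fi
  printf '%s' "$args${DOCKERD_ADDITIONAL_ARGS:+ $DOCKERD_ADDITIONAL_ARGS}"
}

# Block until the daemon answers or the budget is exhausted.
# $1: max seconds (defaults to DOCKERD_MAX_WAIT_SECS, then 30)
# $2: probe command run via sh -c (defaults to "docker info")
# Returns 0 when ready, 1 on timeout, so a caller can exit instead of
# starting the agent against a daemon that never came up.
wait_for_dockerd() {
  max="${1:-${DOCKERD_MAX_WAIT_SECS:-30}}"
  probe="${2:-docker info}"
  i=0
  while [ "$i" -lt "$max" ]; do
    if sh -c "$probe" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "dockerd did not become ready within ${max}s" >&2
  return 1
}

# Typical use in an entrypoint (commented out so the file can be sourced):
#   dockerd $(dockerd_listen_args) &
#   wait_for_dockerd || exit 1
```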
@chadlwilson chadlwilson added this to the Release 23.2.0 milestone Mar 18, 2023
@chadlwilson chadlwilson merged commit 9ae5267 into gocd:master Mar 18, 2023
1 check passed
@chadlwilson chadlwilson deleted the more-secure-dind branch March 18, 2023 14:27
@chadlwilson chadlwilson added bug-fix security Pull requests that address a security vulnerability labels Mar 20, 2023
Labels
bug-fix container-images security Pull requests that address a security vulnerability
Development

Successfully merging this pull request may close these issues.

gocd-agent-docker-dind:v23.1.0 image can sometimes fail docker tasks run after agent start
1 participant