tlsverify option in daemon.json works incorrectly when set to false #27105
Comments
This is the intended behavior, but it's confusing (others tripped over this). Setting tlsverify to "false" actually enables TLS, but disables verification of the certificate; basically it's the same as I think this was reconsidered at some point, but would be a breaking change if we changed this behavior
Thanks for the explanation @thaJeztah. Ideally, it would be nice to have a configuration file have the ability to define all available options fully populated with defaults instead of just omitting them, since an upgrade of dockerd can cause a change in behavior if a once-omitted default value changes between versions. I suppose this issue can be closed if this is the intended behavior.
Your requirement seems reasonable, but I think there must be a way to do
It appears that
That seems unfortunate, if tls=false is explicitly set.
Can we get some traction on this? It is not intuitive that We should keep existing behavior in these two cases (i.e. enable TLS, don't verify):
But, unless I am missing something, in this case TLS should not be enabled because it is explicitly set to false:
Any update on this? Anyone know current behavior?
+1 - I just hit this and also found this confusing. The way to get this to work is just to use On my Windows 7 docker tool box client I had to take extra steps to run commands successfully. The environment variable
Just wanted to write here because we hit this as well on Ubuntu and wanted to explain it a little more clearly. The Ubuntu people have set up systemd stuff that starts Docker in a certain mode. If you look at Since Docker authors have made it a feature that Docker fails if you try to configure the same option in You can see why this makes sense - the Ubuntu people want Docker to start in a secure way. If they make it easy to override, more systems will become compromised. Same with the Docker people. The best way to fix this is to use the override feature of systemd. All you need to do is drop a file into
I can't get this to work (on Ubuntu 20.04). I also tried setting them in /etc/docker/config.json If I set tlsverify at all - it complains "failed to create API server: Could not load X509 key pair (cert: "", key: ""): open : no such file or directory" If I just do --tls=false, when I then try to run: it complains over the certificate of my configured proxy is unknown (which it is - and which is why I wanted to disable tls verification) :( So it seems impossible to use those tls settings for this?
Description
When simply creating a /etc/docker/daemon.json file with only tlsverify set to false, docker will not start because it attempts to look for tls certs/keys that don't exist because they have not been defined. I have also tried setting this option to null and an empty string, both attempts also failed.
I know that this could be fixed by simply omitting the option, however I would like to create a default config with all possible options defined for use with configuration management software.
Steps to reproduce the issue:
1 - create a config file with the following content:
2 - try to launch docker daemon
Describe the results you received:
The following error is logged:
Describe the results you expected:
I expected docker to start just fine... why is it looking for certs?
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
not relevant
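A pre-deployment check for generated daemon.json files, built on the behaviour described in this thread: the presence of tlsverify, whatever its value, turns TLS on, and the daemon then looks for a key pair. This is an added example, not code from the Docker project or from anyone in the thread; the names lint_daemon_tls and codes, the finding codes and the sample input are constructed for illustration.

```python
import json

# Constructed sample: the single-key config from the issue description.
SAMPLE_FROM_ISSUE = '{"tlsverify": false}'


def lint_daemon_tls(text):
    """Return (code, message) findings for the TLS keys of a daemon.json document."""
    cfg = json.loads(text)
    findings = []

    # Presence, not value, is what matters for tlsverify (behaviour described
    # in the thread): false, null and "" all leave TLS switched on.
    verify_present = "tlsverify" in cfg
    tls_on = verify_present or cfg.get("tls") is True

    if verify_present and cfg["tlsverify"] is not True:
        findings.append((
            "TLSVERIFY_PRESENT_NOT_TRUE",
            "tlsverify=%r still enables TLS but does not verify the "
            "certificate; omit the key to leave TLS off" % (cfg["tlsverify"],),
        ))

    if tls_on:
        # Keys that this file leaves undefined or empty.
        missing = [k for k in ("tlscert", "tlskey") if not cfg.get(k)]
        if missing:
            findings.append((
                "TLS_ON_WITHOUT_KEY_PAIR",
                "TLS is enabled but %s not defined in this file; the daemon "
                "will look for a key pair at startup and fail if none is "
                "found" % " and ".join(missing),
            ))
    return findings


def codes(text):
    """Finding codes only, convenient for CI gates."""
    return [code for code, _ in lint_daemon_tls(text)]


if __name__ == "__main__":
    for code, message in lint_daemon_tls(SAMPLE_FROM_ISSUE):
        print(code + ": " + message)
```

Run against a fully populated template, this catches the case the reporter hit before the file reaches a host.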