Add --insecure to pull, push and login (carrying 10719) #11655
Conversation
Signed-off-by: Jason Sommer <jsdirv@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
tiborvass
changed the title
|
I'm not really comfortable with --insecure on login |
|
cc @docker/distribution-maintainers |
|
I agree with @jfrazelle re login. If somebody isn't willing to set up TLS to secure users' passwords on the network, they shouldn't be doing authentication. |
|
I disagree with @endophage and @jfrazelle. You try to enforce everybody to do it as you think it is right.
So in my opinion this topic was discussed a lot (I can remember 5 or 6 pull requests) and you still try to fight against this option which is in my case eyewashing. Better add an option to enforce a fingerprint for a certificate.. this would even make it much easier to use TLS with a self signed certificate because everybody could specify it on a pull/push/login cmd... |
|
As far as your argument 1) goes, that is not true. There actually have been surprisingly few incidents over the past few years where attackers have been able to get in possession of certificates for domains they didn't own. If this was true, then no one should be doing online banking using browsers and TLS.
Supporting --insecure on login is the wrong call. |
but the RISK is more or less the same.. if I know about docker and I want to do something bad, even if I have no credentials I will hook up and send you a bad image.. maybe automatically wrapping the original image you wanted to pull.. so if you have --insecure on pull .. you shoulnd't care about --insecure on login..
At the end it would be nicer if docker would have something like a local cert storage (like Firefox/Chrome/...) where you can install your certificate easily.. that would probably solve most of the issues. |
As soon as an --insecure login is allowed, now every --insecure pull will be transmitting credentials in the plaintext, this is what we are actively avoiding and something you should care about. If you don't care, then don't require credentials on the registry. We are actively designing to improve this use case for the v2 registry, mostly involving easier ways to setup trust between a daemon and registry and avoid sending credentials every time. However we should not support making the existing use case less secure in the meantime. If you are passionate about trust/distribution related topics, I encourage you to head over the distribution project and get involved there https://github.com/docker/distribution. |
|
@diogomonica @dmcgowan I'm fine removing |
|
I would prefer a check that the index is not official. I am not fan of additional special checks but it shouldn't be possible to overwrite a known secure endpoint on the client end. |
|
I'm ok with pull and push supporting --insecure, but I also agree with @dmcgowan. It would be better if it indicates that an insecure registry is acceptable but should not force a fallback if the registry supports TLS. |
|
It will not force a fallback, the insecure flag will still prefer HTTPS, only allow fallback to HTTP |
| @@ -19,7 +19,9 @@ It is also possible to specify a non-default registry to pull from. | |||
|
|
|||
| # OPTIONS | |||
| **-a**, **--all-tags**=*true*|*false* | |||
| Download all tagged images in the repository. The default is *false*. | |||
| Download all tagged images in the repository. The default is *false*. | |||
| **-i**, **--insecure-registry**=*true*|*false* | |||
There was a problem hiding this comment.
There really shouldn't be a short flag for insecure. If one wants this, please type it out.
|
@dmcgowan I'm wondering if the flag should be something like "--allow-http-fallback" or something more descriptive of what is actually happening. |
|
The |
|
not comfortable with this feature. do we indeed preder this flag --insecure? |
|
My general feeling is that we should be pushing for a safer Docker ecosystem, and this "feature" being merged gets us further from this goal. |
|
It's also worth noting that there are a variety of workarounds for this. I'm not terribly comfortable with this, but it's also of the operator's choice to do something terrible and/or shoot themselves in the foot. Such discussions make me question if the engine should have a tainted flag as in the Linux kernel. |
|
@ewindisch @diogomonica @NathanMcCauley if one of you could formulate a final decision on this, that would be very helpful. Make sure to take into account all the users' needs that were +1-ing all those closed PRs / issues. In the meantime, I'm closing this since it cannot be merged. |
Fixes #8887
Add
--insecureto pull, push and login.I carried @jsdir's work.