Deprecate Docker API over TCP without TLS

[justincormack]

Running the Docker socket over TCP without any authentication, even on localhost (yes, JavaScript can connect to localhost from your browser) is very dangerous, even in non production environments. Since we have had named pipe support for Windows for some years now, and always have had unix socket support, there is no reason for this to be supported out of the box, and we should remove it. Obviously we will continue to support tcp with TLS.

If users really want to do this, they can make a proxy from tcp to the socket, which is pretty trivial, but then it is clearly their responsibility.

We could potentially have quite a long deprecation period, and should have warnings on the client and server.

[AkihiroSuda]

SGTM but maybe except DIND?

[justincormack]

@AkihiroSuda why do you need it in dind?

[AkihiroSuda]

a nondind container may want to connect to a dind container.
I think non-tls is allowed when separate nw is created.

[justincormack]

The problem is that Docker cannot know if there is a separate network. We could have a flag to allow the current behaviour still, but I would still rather you had to run a proxy. The dind container could include a suitable proxy option I guess.

[justincormack]

We could add a feature to generate a TLS keypair for simple local use cases.

[AkihiroSuda]

Yes, I think just including socat is fine (after some deprecation period of the current behaviour)

[AkihiroSuda]

Still SGTM

[cyli]

It sounds like from the description the comments in from the comments from #37299, this feature for deprecating support for tcp without mutual TLS, as opposed to unauthenticated one-way TLS. If that's the case, would it make sense to clarify on the issue title?

[corhere]

#41285 (comment)

• future release; enable both --tls and --tlsverify by default: if a user didn't specify options, the daemon will fail to start as no certs are provided
• add options to explicitly disable tls / tlfverify: --disable-tls, --disable-tls-verify (name can be discussed)

[corhere]

An entry needs to be added to the deprecation log before we can enable --tlsverify by default.