Docker v26 support (TLS mandatory now)

[gabrielmocan]

As of Docker v26 release, TLS is now mandatory to connect to the docker socket.

Source: https://docs.docker.com/engine/release-notes/26.0/

Deprecate the ability to accept remote TCP connections without TLS. [Deprecation notice](https://github.com/docker/cli/tree/v26.0.0/deprecation.md#unauthenticated-tcp-connections) [docker/cli#4928](https://github.com/docker/cli/pull/4928) [moby/moby#47556](https://github.com/moby/moby/pull/47556).

Any plans to support this breaking change?

[pedrobaeza]

Can you propose a PR for supporting it?

[bluepuma77]

Note: this is only deprecated for now, TLS will be required in Docker v27 (link)

Deprecated: the feature is marked "deprecated" and should no longer be used.

Unauthenticated TCP connections Deprecated in Release: v26.0 Target For Removal In Release: v27.0

Also note:

This mandatory TLS requirement applies to all TCP addresses except tcp://localhost.

[andretrial]

Does this mean that docker-socket-proxy is fully working also on Docker v26?

I quickly tried to spin a container (through swarm) on v26 but the healthcheck fails ("Connecting to localhost:2375 ([::1]:2375) wget: can't connect to remote host: Connection refused"). I am using the exact same CICD and compose-file which is working on many older versions.

I will need to dig deeper to understand if this issue comes from the new version or from some wrong setup elsewhere.

Thanks!

[andretrial]

After some digging, I found where this strange behaviour comes from: it seems that "localhost" is no longer working as before. Connecting directly to the docker-socket-proxy container:

• wget -O- http://localhost:2375/version Connecting to localhost:2375 ([::1]:2375) wget: can't connect to remote host: Connection refused

• wget -O- http://127.0.0.1:2375/version Connecting to 127.0.0.1:2375 (127.0.0.1:2375) writing to stdout {"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"26.0.0","Details":{"ApiVersion":"1.45"....}

As we can see, not working using localhost, but working with 127.0.0.1 on docker v26.

But this strange behaviour is only with this container. In the same compose-file all other healthchecks are working fine with localhost. Then, something is no longer working on docker v26.

Here the same call within the same container running on top of docker v25:

• wget -O- http://localhost:2375/version Connecting to localhost:2375 (127.0.0.1:2375) writing to stdout {"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"25.0.3","Details":{"ApiVersion":"1.44"...}

As we can see, on older versions is working as expected.

Thanks

[pedrobaeza]

I have seen today this warning:

[DEPRECATION WARNING]: The default value "localhost" for tls_hostname is 
deprecated and will be removed in community.docker 2.0.0. From then on, 
docker_host will be used to compute tls_hostname. If you want to keep using 
"localhost", please set that value explicitly.

Isn't this your problem?

[andretrial]

I don't think so.

After analysing it, I can see that in older versions of Docker localhost is resolved as ipv4 -> 127.0.0.1: Instead, on version 26, is resolved as ipv6 -> [::1]. You can see it on my previous post with both wget output.

I guess this "issue" might be already resolved on this commit: https://github.com/Tecnativa/docker-socket-proxy/commit/ce81071d863579261ccd7956bfa331462b3ea50f With this config DISABLE_IPV6=0, both ipv4 and ipv6 are being bound. This is probably the solution of the issue. What do you think?

Thanks

[pedrobaeza]

Yeah, you can try with it.

[andretrial]

Are you planning a new release with these recent commits?

Anyway, I will clone the repo and build the image on my side in order to test it ;)

Thanks

[pedrobaeza]

New release done. I thought the registry was updated after each push.

[andretrial]

Thanks,

The deployment went well and the healthcheck is now working great ;)

I just need to go through your doc to find out what I need to configure with this new version: [WARNING] 095/192057 (1) : config : missing timeouts for backend 'docker-events'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'.

Thanks a lot ;)

[gabrielmocan]

Thanks for all the effort guys, will try now and see how my deployment will go.