To avoid using docker.sock, the lab framework host needs to expose its dockerd API so the lab framework host can connect to it. Currently, this is accomplished via:
```bash
sudo tee /etc/docker/daemon.json > /dev/null <<'EOF'
{
"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]
}
EOF
# -p: do not fail if the drop-in directory already exists
sudo mkdir -p /etc/systemd/system/docker.service.d/
sudo tee /etc/systemd/system/docker.service.d/override.conf > /dev/null <<'EOF'
# Disable flags to dockerd, all settings are done in /etc/docker/daemon.json
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd
EOF
sudo systemctl daemon-reload; sudo systemctl restart docker
```
Unfortunately, this exposes the docker API on the target network as HTTP, resulting in the following deprecation warning in the syslog:
```
level=warning msg="[DEPRECATION NOTICE]: API is accessible on http://0.0.0.0:2375 without encryption.\n Access to the remote API is equivalent to root access on the host. Refer\n to the 'Docker daemon attack surface' section in the documentation for\n more information: https://docs.docker.com/go/attack-surface/\nIn future versions this will be a hard failure preventing the daemon from starting! Learn more at: https://docs.docker.com/go/api-security/"
```
Need to configure the Docker API to use HTTPS, and ideally with mTLS.
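One way to get there, as an added example that is not part of the original issue: the script below builds a private CA, a server certificate and a client certificate with `openssl`, then writes a `daemon.json` that serves the API over TLS and rejects clients without a CA-signed certificate. The CN values, file names, key size, lifetime, output locations and port 2376 are assumptions.

```bash
# Added example: private CA plus server/client certs for dockerd mTLS.
# Assumed (not from the issue): CNs, file names, port 2376, RSA-3072, 365 days.
# _issue NAME CN EXT: key + CSR in the current dir, signed by ./ca.pem
_issue() {
  openssl req -new -config pki.cnf -subj "/CN=$2" -newkey rsa:3072 -nodes \
    -keyout "$1-key.pem" -out "$1.csr" &&
  printf '%b\n' "$3" > "$1.ext" &&
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
    -sha256 -days 365 -extfile "$1.ext" -out "$1-cert.pem"
}

# gen_docker_mtls OUT_DIR SERVER_DNS_NAME (move ca-key.pem off the host afterwards)
gen_docker_mtls() {
  local out="$1" host="$2"
  mkdir -p "$out" && chmod 700 "$out" || return 1
  (
    umask 077 && cd "$out" &&
    cat > pki.cnf <<'CNF' &&
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
CNF
    openssl req -x509 -config pki.cnf -subj "/CN=lab-docker-ca" -newkey rsa:3072 \
      -nodes -sha256 -days 365 -keyout ca-key.pem -out ca.pem &&
    _issue server "$host" "subjectAltName=DNS:$host\nextendedKeyUsage=serverAuth" &&
    _issue client lab-framework "extendedKeyUsage=clientAuth" &&
    rm -f ./*.csr ./*.ext pki.cnf
  )
}

# write_daemon_json CERT_DIR OUT_FILE: TLS on 2376, client certs required
write_daemon_json() {
  cat > "$2" <<EOF
{
  "hosts": ["tcp://0.0.0.0:2376", "unix:///var/run/docker.sock"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "$1/ca.pem",
  "tlscert": "$1/server-cert.pem",
  "tlskey": "$1/server-key.pem"
}
EOF
}
# Usage: script CERT_DIR SERVER_DNS_NAME (review CERT_DIR/daemon.json before installing it)
if [ "$#" -eq 2 ]; then gen_docker_mtls "$1" "$2" && write_daemon_json "$1" "$1/daemon.json"; fi
```

After the reviewed `daemon.json` replaces the plain-HTTP one and Docker is restarted, the client connects with `docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H=tcp://SERVER_DNS_NAME:2376 version`, using the same name that was placed in the server certificate's SAN.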