Open stuhood opened 1 year ago
https://www.howtogeek.com/devops/how-to-secure-dockers-tcp-socket-with-tls/ has some good commentary. Basically, it looks like docker relies on command-line configuration (or via environment variables) to know when to use TLS. Maybe Pants needs some new options to configure TLS for Docker?

Currently, the `docker::CommandRunner` hardcodes use of `Docker::connect_with_local_defaults`, which under the hood assumes unix domain sockets are in use (i.e. that `DOCKER_HOST` is a `unix://` connection string). It seems clear based on the dockerd documentation that Pants (or the bollard crate) could do a bit of `DOCKER_HOST` parsing to decide between attempting a `unix` or `tcp` connection, so we should do that. But there is an additional unknown: `tcp://` connection strings might be using TLS, which requires a separate bollard `connect_with_ssl_defaults` method. There does not appear from the docs to be a guaranteed indicator in the connection string that would indicate that TLS should be used. It's possible that just trying first `ssl` and then `http` connection methods would be sufficient... or adding a flag to force SSL.
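The `DOCKER_HOST` parsing and TLS decision described above, as an added example that is not Pants or bollard code: it is pure std Rust, maps each outcome to the bollard constructor named in a comment, reads the docker CLI's own `DOCKER_TLS_VERIFY` / `DOCKER_CERT_PATH` variables as the TLS signal, and takes a hypothetical `force_tls` option for the flag the issue proposes. The "non-empty `DOCKER_TLS_VERIFY` enables TLS" rule and the unix-socket default are this example's assumptions.

```rust
// Added example: decide how to reach dockerd before choosing a bollard
// constructor. Assumptions: DOCKER_HOST unset means the local unix socket;
// any non-empty DOCKER_TLS_VERIFY (docker CLI convention) or the
// hypothetical `force_tls` option selects TLS; TLS is never silently
// downgraded to plain HTTP once requested.

#[derive(Debug, PartialEq)]
pub enum Transport {
    /// -> Docker::connect_with_unix / connect_with_local_defaults
    Unix(String),
    /// -> Docker::connect_with_http (plaintext tcp://, no TLS requested)
    Http(String),
    /// -> Docker::connect_with_ssl_defaults (reads DOCKER_CERT_PATH itself)
    Tls { addr: String, cert_dir: Option<String> },
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    UnsupportedScheme(String),
}

pub fn choose_transport(
    host: Option<&str>,       // DOCKER_HOST
    tls_verify: Option<&str>, // DOCKER_TLS_VERIFY
    cert_path: Option<&str>,  // DOCKER_CERT_PATH
    force_tls: bool,          // hypothetical Pants option
) -> Result<Transport, ConfigError> {
    let host = host.unwrap_or("unix:///var/run/docker.sock");
    let want_tls = force_tls || tls_verify.map_or(false, |v| !v.is_empty());
    if let Some(path) = host.strip_prefix("unix://") {
        // A local socket never speaks TLS; the TLS variables are irrelevant here.
        return Ok(Transport::Unix(path.to_string()));
    }
    let addr = if let Some(a) = host.strip_prefix("tcp://") {
        a
    } else if !host.contains("://") {
        host // docker also accepts a bare host:port and treats it as tcp
    } else {
        return Err(ConfigError::UnsupportedScheme(host.to_string()));
    };
    if want_tls {
        Ok(Transport::Tls { addr: addr.to_string(), cert_dir: cert_path.map(str::to_string) })
    } else {
        Ok(Transport::Http(addr.to_string()))
    }
}

fn main() {
    let t = choose_transport(Some("tcp://10.0.0.5:2376"), Some("1"), Some("/certs"), false);
    println!("{:?}", t);
}
```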