Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable slowdown when TLS deliberately disabled #430

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

perlun
Copy link

@perlun perlun commented Jun 1, 2023

Noticed this by coincidence when upgrading our local image to 23.0.6. The warning is fine in itself, but pushing the 15-second delay to all users setting DOCKER_TLS_CERTDIR: '' (perhaps for perfectly justifiable reasons) is a bit too harsh for my taste. 🤔

(Untested if this works with 24.0, so this should probably be verified before merging.)

@tianon
Copy link
Member

tianon commented Jun 1, 2023

I agree that it's harsh for sure, but it is an intentional "upstream" choice in Moby / Docker Engine to have this delay, so I'd hesitate to override it based on just the environment variable we invented for the image packaging (especially when it's pretty easy to add --tls=false to your command when doing docker run or to command: in YAML, which gives the same end result as this PR). 😅

@perlun
Copy link
Author

perlun commented Jun 2, 2023

I get that point. 👍 I just think it's bad to push this delay onto the users, who might be unaware of it.

We've been using a Docker >= 19.03.12 version (where TLS is enabled by default) since June 2021, without fully realizing that this would cost us 15s for every single CI run using a Docker service in our local GitLab. 😂 I don't know for sure, but I wouldn't be very surprised if others are in the "same boat".

We ended up overriding it by setting ENTRYPOINT ["dockerd-entrypoint.sh", "--tls=false"] in our Docker image.


I'm open to alternative suggestions. Would you feel better about adding a note about this in the project README.md instead, which gets displayed at Docker Hub?

@tianon
Copy link
Member

tianon commented Mar 20, 2024

See https://docs.docker.com/engine/deprecated/#unauthenticated-tcp-connections and https://docs.docker.com/go/api-security/ (using unauthenticated TCP is officially deprecated upstream, and as such is not something we will or even can continue to encourage or support).

@perlun
Copy link
Author

perlun commented Mar 31, 2024

Interesting, thanks for the note @tianon. How is this planned (from Docker Inc) to work with Docker-in-Docker scenarios, do you know? 🤔 I mean, those are also perfectly valid "local" cases even though binding to tcp://localhost isn't enough for that use case. Enforcing TLS there will only add extra overhead/work for little benefit. Do you happen to know if this has been discussed upstream within the Moby project or so?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants