Never make Docker registry insecure by default

To follow best security practices and help fellow operators.

More details inline and in the linked bug report.

Closes-Bug: #1940547
Change-Id: Ide9e9009a6e272f20a43319f27d257efdf315f68
This commit is contained in:
Radosław Piliszek 2021-08-20 18:23:56 +00:00
parent a98076f11c
commit 802f7c6218
5 changed files with 29 additions and 7 deletions

View File

@ -112,7 +112,8 @@ docker_registry_email:
docker_registry: docker_registry:
docker_namespace: "kolla" docker_namespace: "kolla"
docker_registry_username: docker_registry_username:
docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}" # Please read the docs carefully before applying docker_registry_insecure.
docker_registry_insecure: "no"
docker_runtime_directory: "" docker_runtime_directory: ""
# Docker client timeout in seconds. # Docker client timeout in seconds.
docker_client_timeout: 120 docker_client_timeout: 120

View File

@ -168,10 +168,13 @@ The ``docker_registry`` variable, which is not set by default, defines the
address of the Docker registry. If the variable is not set, Dockerhub will be address of the Docker registry. If the variable is not set, Dockerhub will be
used. used.
The ``docker_registry_insecure`` variable, which defaults to ``true`` if The ``docker_registry_insecure`` variable, which defaults to ``false``,
``docker_registry`` is set, or ``false`` otherwise, defines whether to defines whether to configure ``docker_registry`` as an insecure registry.
configure ``docker_registry`` as an insecure registry. Insecure registries use Insecure registries allow to use broken certificate chains and HTTP without
HTTP rather than HTTPS. TLS but it's strongly discouraged in production unless in very specific
circumstances. For more discussion, see the official Docker documentation on
`insecure registries <https://docs.docker.com/registry/insecure/>`__.
Additionally, notice this will disable Docker registry authentication.
The ``docker_log_max_file`` variable, which defaults to ``5``, defines the The ``docker_log_max_file`` variable, which defaults to ``5``, defines the
maximum number of log files to retain per container. The maximum number of log files to retain per container. The

View File

@ -77,7 +77,8 @@
# Custom docker registry settings: # Custom docker registry settings:
#docker_registry: #docker_registry:
#docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}" # Please read the docs carefully before applying docker_registry_insecure.
#docker_registry_insecure: "no"
#docker_registry_username: #docker_registry_username:
# docker_registry_password is set in the passwords.yml file. # docker_registry_password is set in the passwords.yml file.

View File

@ -0,0 +1,18 @@
---
upgrade:
- |
Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
If you relied on the previous behaviour, please switch it back on
but bear in mind the consequences as discussed in the related security
note as well as the linked bug report.
`LP#1940547 <https://launchpad.net/bugs/1940547>`__
security:
- |
Previously, Kolla Ansible, by default (as documented in several places),
configured Docker to insecure mode for the configured registry (i.e., if
not using the default one). This is controlled by the
``docker_registry_insecure`` variable.
If operators did not notice this quirk, they could have opened their
deployments up for potential MITM attacks. See the bug report for
more discussion.
`LP#1940547 <https://launchpad.net/bugs/1940547>`__

View File

@ -57,7 +57,6 @@ openstack_tag: "{{ build_image_tag }}"
{% else %} {% else %}
# use the published images from a site mirror of quay.io # use the published images from a site mirror of quay.io
docker_registry: "{{ zuul_site_mirror_fqdn }}:4447" docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
docker_registry_insecure: no
docker_namespace: openstack.kolla docker_namespace: openstack.kolla
{% if docker_image_tag_suffix %} {% if docker_image_tag_suffix %}
openstack_tag_suffix: "{{ docker_image_tag_suffix }}" openstack_tag_suffix: "{{ docker_image_tag_suffix }}"