Never make Docker registry insecure by default
To follow best security practices and help fellow operators. More details inline and in the linked bug report.

Closes-Bug: #1940547
Change-Id: Ide9e9009a6e272f20a43319f27d257efdf315f68
This commit is contained in:
parent
a98076f11c
commit
802f7c6218
@ -112,7 +112,8 @@ docker_registry_email:
docker_registry:
docker_namespace: "kolla"
docker_registry_username:
docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
# Please read the docs carefully before applying docker_registry_insecure.
docker_registry_insecure: "no"
docker_runtime_directory: ""
# Docker client timeout in seconds.
docker_client_timeout: 120
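Review bot: the documentation hunk in this same change says the variable "defaults to ``false``", but the default set here is the quoted string "no"; Ansible only treats "no" as false where the consumer passes it through the `bool` filter, so either document the literal value or confirm every use of `docker_registry_insecure` applies `| bool`. The comment "Please read the docs carefully before applying docker_registry_insecure." would be more useful if it named the section being changed in this commit (the one describing ``docker_registry_insecure``) instead of the docs in general.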
@ -168,10 +168,13 @@ The ``docker_registry`` variable, which is not set by default, defines the
address of the Docker registry. If the variable is not set, Dockerhub will be
used.

The ``docker_registry_insecure`` variable, which defaults to ``true`` if
``docker_registry`` is set, or ``false`` otherwise, defines whether to
configure ``docker_registry`` as an insecure registry. Insecure registries use
HTTP rather than HTTPS.
The ``docker_registry_insecure`` variable, which defaults to ``false``,
defines whether to configure ``docker_registry`` as an insecure registry.
Insecure registries allow to use broken certificate chains and HTTP without
TLS but it's strongly discouraged in production unless in very specific
circumstances. For more discussion, see the official Docker documentation on
`insecure registries <https://docs.docker.com/registry/insecure/>`__.
Additionally, notice this will disable Docker registry authentication.

The ``docker_log_max_file`` variable, which defaults to ``5``, defines the
maximum number of log files to retain per container. The
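Review bot: "Insecure registries allow to use broken certificate chains and HTTP without TLS but it's strongly discouraged" is ungrammatical and the "it" has no clear referent; suggest "Insecure registries allow the use of broken certificate chains and plain HTTP without TLS, which is strongly discouraged in production except in very specific circumstances." The closing sentence "Additionally, notice this will disable Docker registry authentication." leaves "this" ambiguous and sits next to hunks that keep ``docker_registry_username``; state explicitly that it is enabling ``docker_registry_insecure`` that has this effect, and what that means for the username/password settings, so an operator can judge the trade-off.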
@ -77,7 +77,8 @@

# Custom docker registry settings:
#docker_registry:
#docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
# Please read the docs carefully before applying docker_registry_insecure.
#docker_registry_insecure: "no"
#docker_registry_username:
# docker_registry_password is set in the passwords.yml file.

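Review bot: with the example default now "no", an operator who uncomments `#docker_registry:` and points it at a registry without valid TLS will see image pulls fail with certificate errors rather than a silent downgrade to HTTP; that is the intended behaviour, and the comment here is the place to say so, so the failure is not misread as a bug. Keeping the comment and the `#docker_registry_insecure: "no"` line in the same order as in the group_vars hunk, as done here, is good; the comment text could be shortened to point at the specific doc section instead of "the docs".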
18
releasenotes/notes/bug-1940547-771f6affb3547748.yaml
Normal file
@ -0,0 +1,18 @@
---
upgrade:
- |
Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
If you relied on the previous behaviour, please switch it back on
but bear in mind the consequences as discussed in the related security
note as well as the linked bug report.
`LP#1940547 <https://launchpad.net/bugs/1940547>`__
security:
- |
Previously, Kolla Ansible, by default (as documented in several places),
configured Docker to insecure mode for the configured registry (i.e., if
not using the default one). This is controlled by the
``docker_registry_insecure`` variable.
If operators did not notice this quirk, they could have opened their
deployments up for potential MITM attacks. See the bug report for
more discussion.
`LP#1940547 <https://launchpad.net/bugs/1940547>`__
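Review bot: the upgrade note tells operators to "switch it back on" without naming the symptom that will prompt them to look for it (image pulls from a registry without valid TLS failing after the upgrade); adding that one sentence is what makes the note actionable, and "the related security note" could name the section it refers to. In the security note, "configured Docker to insecure mode for the configured registry" should read "configured Docker in insecure mode for the configured registry", and since the docs hunk says insecure mode also accepts broken certificate chains, the exposure is broader than plain-HTTP MITM; worth saying both.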
@ -57,7 +57,6 @@ openstack_tag: "{{ build_image_tag }}"
{% else %}
# use the published images from a site mirror of quay.io
docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
docker_registry_insecure: no
docker_namespace: openstack.kolla
{% if docker_image_tag_suffix %}
openstack_tag_suffix: "{{ docker_image_tag_suffix }}"
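Review bot: dropping `docker_registry_insecure: no` here is behaviour-preserving only because of the new group_vars default; the CI mirror on port 4447 must present a certificate the Docker daemon trusts, so this job is what exercises the secure default in CI. Consider keeping the explicit `docker_registry_insecure: no` in the template so that intent stays visible and the job keeps failing loudly if the default is ever changed back; if the redundancy is preferred away, a one-line comment saying the default is relied on would do.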