gesellix/docker-client

docker.tls.verify has no effect

svInfra17 opened this issue · 1 comments

I want to connect to a non-TLS Docker host. For that purpose, I am setting the environment variable docker.tls.verify to 0. Since no docker.cert.path is provided, docker-client takes defaultDockerCertPath, which exists (I cannot delete that folder), and tries to establish a secure connection.

Here is the code snippet:

System.setProperty("docker.tls.verify", "0")
def dockerClient = new DockerClientImpl(endpoint)
dockerClient.info().content

Here are the logs from docker-client run:

21:25:37.381 [main] DEBUG d.g.docker.engine.DockerClientConfig - defaultDockerCertPath=/home/<username>/.docker
21:25:37.385 [main] DEBUG d.g.docker.engine.DockerClientConfig - certsPathExists=true, isTlsPort=true
21:25:37.390 [main] DEBUG d.g.docker.engine.DockerClientConfig - assume 'https'
21:25:37.391 [main] DEBUG d.g.docker.engine.DockerClientConfig - selected dockerHost at '[certPath:/home/<username>/.docker, protocol:https, host:192.168.5.160, port:2376]'
21:25:37.455 [main] INFO  d.g.docker.client.DockerClientImpl - using docker at 'tcp://192.168.5.160:2376'
21:25:37.621 [main] INFO  d.g.d.c.system.ManageSystemClient - docker info
java.io.FileNotFoundException: /home/<username>/.docker/key.pem (No such file or directory)

Please see https://docs.docker.com/engine/reference/commandline/cli/#environment-variables:

DOCKER_TLS_VERIFY: When set Docker uses TLS and verifies the remote.

This is a common source of misinterpretation, but it is actually meant as stated: the actual value of DOCKER_TLS_VERIFY doesn't matter, it is only important whether the variable is set. So, to enable, you can use any non-null value like 1, true, 0, or foobar. To disable, you'll have to set the variable to an empty String like this: DOCKER_TLS_VERIFY="". See moby/moby#22411 for a more detailed discussion.

If you want to implement the same effect via System properties in the Docker Client, you'll have to use this code, using an empty String as value: System.setProperty("docker.tls.verify", "").

A more explicit way of configuring the DockerClient is by using another constructor, e.g.:

def dockerClient = new DockerClientImpl(new DockerEnv(dockerHost: endpoint, tlsVerify: ""))
dockerClient.info().content

This has the advantage of not using a global system property.

I'm going to close this issue since I suppose it's only due to the surprising behaviour of Docker properties. If you still have issues disabling TLS verification, please feel free to re-open!
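The presence semantics discussed in this thread can be checked before a client is started. The following is an added example, not code from this issue or from the docker-client project: a POSIX shell preflight for the environment-variable form (DOCKER_TLS_VERIFY, DOCKER_CERT_PATH). The function names are hypothetical, and the set of "looks like off" values and the three PEM file names of the Docker CLI convention are assumptions of the example.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Semantics as described in the
# thread: any non-empty DOCKER_TLS_VERIFY enables TLS verification; only an
# unset or empty variable disables it.

# Prints "on" or "off" for the current environment.
tls_verify_state() {
    if [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
        echo on
    else
        echo off
    fi
}

# Prints one finding per line; returns 1 if any warning was raised.
# Certificate directory: DOCKER_CERT_PATH, else ~/.docker (assumed default).
# Note: POSIX sh has no local variables; findings, cert_dir and f are global.
tls_preflight() {
    findings=0
    cert_dir="${DOCKER_CERT_PATH:-$HOME/.docker}"
    if [ "$(tls_verify_state)" = off ]; then
        echo "info: TLS verification is off (DOCKER_TLS_VERIFY unset or empty)"
        return 0
    fi
    # Values that read as "disable" to a human but still enable TLS.
    case "$DOCKER_TLS_VERIFY" in
        0|[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff])
            echo "warn: DOCKER_TLS_VERIFY='$DOCKER_TLS_VERIFY' still enables TLS; use an empty value to disable"
            findings=1 ;;
    esac
    # With TLS on, missing key material fails later, as in the log above.
    for f in ca.pem cert.pem key.pem; do
        if [ ! -r "$cert_dir/$f" ]; then
            echo "warn: TLS is on but $cert_dir/$f is missing or unreadable"
            findings=1
        fi
    done
    return "$findings"
}
```

Calling `tls_preflight` in a CI job or wrapper script surfaces both failure modes from this issue: a falsy-looking value that silently keeps TLS on, and an existing certificate directory that lacks key.pem.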