From 3cf2fe0fffff9d888e40cdf49f4432ae1e233e22 Mon Sep 17 00:00:00 2001 From: David Karlsson <35727626+dvdksn@users.noreply.github.com> Date: Fri, 8 Mar 2024 14:50:15 +0100 Subject: [PATCH] docs: deprecate TCP connection without TLS Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com> --- docs/deprecated.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/deprecated.md b/docs/deprecated.md index 7a68c0f60b..1c986d8739 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -50,6 +50,7 @@ The table below provides an overview of the current status of deprecated feature | Status | Feature | Deprecated | Remove | |------------|------------------------------------------------------------------------------------------------------------------------------------|------------|--------| +| Deprecated | [Unauthenticated TCP connections](#unauthenticated-tcp-connections) | v26.0 | v27.0 | | Deprecated | [Deprecate legacy API versions](#deprecate-legacy-api-versions) | v25.0 | v26.0 | | Deprecated | [Container short ID in network Aliases field](#container-short-id-in-network-aliases-field) | v25.0 | v26.0 | | Deprecated | [IsAutomated field, and "is-automated" filter on docker search](#isautomated-field-and-is-automated-filter-on-docker-search) | v25.0 | v26.0 | 
@@ -110,6 +111,33 @@ The table below provides an overview of the current status of deprecated feature | Removed | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit) | v0.10 | v1.13 | | Removed | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import) | v0.6.7 | v1.12 | +### Unauthenticated TCP connections + +**Deprecated in Release: v26.0** +**Target For Removal In Release: v27.0** + +Configuring the Docker daemon to listen on a TCP address will require mandatory +TLS verification. This change aims to ensure secure communication by preventing +unauthorized access to the Docker daemon over potentially insecure networks. +This mandatory TLS requirement applies to all TCP addresses except `tcp://localhost`. + +In version 27.0 and later, specifying `--tls=false` or `--tlsverify=false` CLI flags +causes the daemon to fail to start if it's also configured to accept remote connections over TCP. +This also applies to the equivalent configuration options in `daemon.json`. + +To facilitate remote access to the Docker daemon over TCP, you'll need to +implement TLS verification. This secures the connection by encrypting data in +transit and providing a mechanism for mutual authentication. + +For environments remote daemon access isn't required, +we recommend binding the Docker daemon to a Unix socket. +For daemon's where remote access is required and where TLS encryption is not feasible, +you may want to consider using SSH as an alternative solution. + +For further information, assistance, and step-by-step instructions on +configuring TLS (or SSH) for the Docker daemon, refer to +[Protect the Docker daemon socket](https://docs.docker.com/engine/security/protect-access/). + ### Deprecate legacy API versions **Deprecated in Release: v25.0**
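Review bot: in the new "Unauthenticated TCP connections" section, the sentence "In version 27.0 and later, specifying `--tls=false` or `--tlsverify=false` CLI flags causes the daemon to fail to start" only covers the explicit opt-out and leaves the common case unstated: a daemon that listens on a TCP address with no TLS flags at all, which is the configuration the heading actually describes. If that case is also meant to fail at startup (the earlier sentence "will require mandatory TLS verification" suggests it is), say so directly, e.g. "In version 27.0 and later, the daemon fails to start if it listens on a non-localhost TCP address and `--tlsverify` is not enabled, whether the flags are omitted or set to false", so readers do not conclude that simply leaving the flags out keeps working. Related: "applies to all TCP addresses except `tcp://localhost`" should state whether loopback IP addresses (`tcp://127.0.0.1`, `tcp://[::1]`) are exempt as well or only the literal `localhost` hostname; operators frequently bind to the IP, and the two are not interchangeable in a security check. The section also gives no hint of what v26.x does while the feature is merely deprecated (a startup warning, a log line), which is what makes a "Deprecated" status actionable for someone reading this before the removal. Two wording fixes in the same hunk: "For environments remote daemon access isn't required" is missing "where" ("For environments where remote daemon access isn't required"), and "For daemon's where remote access is required" should be "For daemons where remote access is required".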