|
|
@@ -18,9 +18,9 @@ If you are still convinced that you need Docker-in-Docker and not just access to
|
|
|
|
|
|
## TLS
|
|
|
|
|
|
-Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates the directory specified by the `DOCKER_TLS_CERTDIR` environment variable.
|
|
|
+Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates in the directory specified by the `DOCKER_TLS_CERTDIR` environment variable.
|
|
|
|
|
|
-**Warning:** in 18.09, this behavior is disabled by default (for compatibility) but can be enabled by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default.
|
|
|
+**Warning:** in 18.09, this behavior is disabled by default (for compatibility). If you use `--network=host`, shared network namespaces (as in Kubernetes pods), or otherwise have network access to the container (including containers started within the `dind` instance via their gateway interface), this is a potential security issue (which can lead to access to the host system, for example). It is recommended to enable TLS by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default.
|
|
|
|
|
|
When enabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2376 --tlsverify ...` (and when disabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2375`).
|
|
|
|
Tianon Gravi