From 802f7c62186cff91cc4b104984330ab56218ae4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Fri, 20 Aug 2021 18:23:56 +0000
Subject: [PATCH] Never make Docker registry insecure by default
To follow best security practices and help fellow operators. More details inline and in the linked bug report.
Closes-Bug: #1940547
Change-Id: Ide9e9009a6e272f20a43319f27d257efdf315f68
---
ansible/group_vars/all.yml | 3 ++-
.../bootstrap-servers.rst | 11 +++++++----
etc/kolla/globals.yml | 3 ++-
.../notes/bug-1940547-771f6affb3547748.yaml | 18 ++++++++++++++++++
tests/templates/globals-default.j2 | 1 -
5 files changed, 29 insertions(+), 7 deletions(-)
create mode 100644 releasenotes/notes/bug-1940547-771f6affb3547748.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index b42f2e2fae..11df87b069 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -112,7 +112,8 @@ docker_registry_email:
 docker_registry:
 docker_namespace: "kolla"
 docker_registry_username:
-docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+docker_registry_insecure: "no"
 docker_runtime_directory: ""
 # Docker client timeout in seconds.
 docker_client_timeout: 120
diff --git a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
index cef7e95922..f7e8f9fd28 100644
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
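Review bot: The new default on the `+docker_registry_insecure: "no"` line is the quoted string `"no"` rather than a YAML boolean, while the bootstrap-servers.rst text updated in this same commit says the variable "defaults to ``false``". That is safe only where every consumer coerces it with `| bool`; a consumer testing the variable bare would see a non-empty string, and the consumers are not visible in this hunk, so this needs checking. Consider `docker_registry_insecure: false` here and on the mirrored `#docker_registry_insecure: "no"` line in etc/kolla/globals.yml, which also satisfies yamllint's truthy rule. The new comment could carry the risk the docs describe instead of only pointing at them: `# Insecure registries allow HTTP without TLS and broken certificate chains and disable registry authentication; keep this off in production. See the bootstrap-servers docs.`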
@@ -168,10 +168,13 @@ The ``docker_registry`` variable, which is not set by default, defines the address of the Docker registry. If the variable is not set, Dockerhub will be used.
-The ``docker_registry_insecure`` variable, which defaults to ``true`` if
-``docker_registry`` is set, or ``false`` otherwise, defines whether to
-configure ``docker_registry`` as an insecure registry. Insecure registries use
-HTTP rather than HTTPS.
+The ``docker_registry_insecure`` variable, which defaults to ``false``,
+defines whether to configure ``docker_registry`` as an insecure registry.
+Insecure registries allow to use broken certificate chains and HTTP without
+TLS but it's strongly discouraged in production unless in very specific
+circumstances. For more discussion, see the official Docker documentation on
+`insecure registries `__.
+Additionally, notice this will disable Docker registry authentication.
 The ``docker_log_max_file`` variable, which defaults to ``5``, defines the maximum number of log files to retain per container. The
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index a528d01bfa..419f0ed756 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -77,7 +77,8 @@
 # Custom docker registry settings:
 #docker_registry:
-#docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+#docker_registry_insecure: "no"
 #docker_registry_username:
 # docker_registry_password is set in the passwords.yml file.
diff --git a/releasenotes/notes/bug-1940547-771f6affb3547748.yaml b/releasenotes/notes/bug-1940547-771f6affb3547748.yaml
new file mode 100644
index 0000000000..3b14c6dda4
--- /dev/null
+++ b/releasenotes/notes/bug-1940547-771f6affb3547748.yaml
@@ -0,0 +1,18 @@
+---
+upgrade:
+ - |
+ Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
+ If you relied on the previous behaviour, please switch it back on
+ but bear in mind the consequences as discussed in the related security
+ note as well as the linked bug report.
+ `LP#1940547 `__
+security:
+ - |
+ Previously, Kolla Ansible, by default (as documented in several places),
+ configured Docker to insecure mode for the configured registry (i.e., if
+ not using the default one). This is controlled by the
+ ``docker_registry_insecure`` variable.
+ If operators did not notice this quirk, they could have opened their
+ deployments up for potential MITM attacks. See the bug report for
+ more discussion.
+ `LP#1940547 `__
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index 4044f3f385..38dc479523 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -57,7 +57,6 @@ openstack_tag: "{{ build_image_tag }}"
 {% else %}
 # use the published images from a site mirror of quay.io
 docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
-docker_registry_insecure: no
 docker_namespace: openstack.kolla
 {% if docker_image_tag_suffix %}
 openstack_tag_suffix: "{{ docker_image_tag_suffix }}"