Configuration of list of cipher suites allows a user to disable use
of weak ciphers or continue to support them for legacy usage if they
so choose.
List of available cipher suites at:
https://golang.org/pkg/crypto/tls/#pkg-constants
Default cipher suites have been updated to:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_256_GCM_SHA384
MinimumTLS has also been updated to include TLS 1.3 as an option
and now defaults to TLS 1.2 since 1.0 and 1.1 have been deprecated.
Signed-off-by: David Luu <david@davidluu.info>
The correct `variant` string for ARM v6 is "v6", not "armv6l".
There is no known implementation that actually uses "armv6l".
See the discussion in opencontainers/image-spec PR 817
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Go 1.13 and up enforce import paths to be versioned if a project
contains a go.mod and has released v2 or up.
The current v2.x branches (and releases) do not yet have a go.mod,
and therefore are still allowed to be imported with a non-versioned
import path (go modules add a `+incompatible` annotation in that case).
However, now that this project has a `go.mod` file, incompatible
import paths will not be accepted by go modules, and attempting
to use code from this repository will fail.
This patch uses `v3` for the import-paths (not `v2`), because changing
import paths itself is a breaking change, which means that the
next release should increment the "major" version to comply with
SemVer (as go modules dictate).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Update insecure.md for Docker Desktop
Docker Desktop does not have a "Preferences" menu today.
It's changed to "Settings" > "Docker Engine".
Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com>
See https://web.dev/external-anchors-use-rel-noopener/
Using noopener, as that addresses the security issue. "noreferrer" blocks
the REFERER header, which may still be useful for some target URLs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Add azure config container example
I was getting errors on setting up Azure; this was because I was putting the full https URL into the container field. The error wasn't helpful, and nor were the docs.
* Update azure.md
Reword the registry azure container example.
* Fix incorrect links in compose section
There's a bug causing wrapped links to not work, and replacing
some links to point to the .md file, so that IDEs can check
if the anchors are valid. Also replaced some links to point
to their new location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* engine/swarm: update links
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Fix various broken links
There's a bug in the "jekyll-relative-links" plugin that causes wrapped links to not work.
Also replacing some links to point to the .md file, so that IDEs can check if the anchors
are valid. Finally, replaced some links to point to their new locations, so that users don't
get redirected.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes registry endpoints to return the proper `application/json`
content-type for JSON content, also updating spec examples for that.
As per IETF specification and IANA registry [0], the `application/json`
type is a binary media, so the content-type label does not need any
text-charset selector. Additionally, the media type definition
explicitly states that it has no required nor optional parameters,
which makes the current registry headers non-compliant.
[0]: https://www.iana.org/assignments/media-types/application/json
Signed-off-by: Luca Bruno <lucab@debian.org>
This is done by draining the connections for the configured time after the registry receives a SIGTERM signal.
This adds a `draintimeout` setting under `HTTP`. Registry doesn't drain
if draintimeout is not provided.
Signed-off-by: Manish Tomar <manish.tomar@docker.com>
I thought about this while setting this up, and then found this guide (I was setting it up without the guide first.)
The potential security implications are important, so I think we should mention them here on this web page. (We could even go further by outright _warning_ people about this, but perhaps letting people know about it so they can make an informed decision is a better way to go. This can be perfectly fine for certain intranet scenarios.)
At the first iteration, only the following metrics are collected:
- HTTP metrics of each API endpoint
- cache counter for request/hit/miss
- histogram of storage actions, including:
GetContent, PutContent, Stat, List, Move, and Delete
Signed-off-by: tifayuki <tifayuki@gmail.com>
This adds a configuration setting `HTTP.TLS.LetsEncrypt.Hosts` which can
be set to a list of hosts that the registry will whitelist for retrieving
certificates from Let's Encrypt. HTTPS connections with SNI hostnames
that are not whitelisted will be closed with an "unknown host" error.
It is required to avoid lots of unsuccessful registration attempts that
are triggered by malicious clients connecting with bogus SNI hostnames.
NOTE: Due to a bug in the deprecated vendored rsc.io/letsencrypt library
clearing the host list requires deleting or editing of the cachefile to
reset the hosts list to null.
Signed-off-by: Felix Buenemann <felix.buenemann@gmail.com>
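The host list above works by refusing the handshake for any SNI name that is not configured, so no certificate is ever requested for a bogus name. The following is an added example, not code from the distribution/registry project (whose check lives in the vendored letsencrypt library named above), showing that gate implemented with plain `crypto/tls`: the allowlist is consulted in `GetConfigForClient` at ClientHello time, before any certificate lookup. The type and function names are assumptions made for this example.

```go
// Added example (not distribution/registry code): fail TLS handshakes whose
// SNI name is not on the configured host list. Names are assumptions.
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// ErrUnknownHost aborts the handshake, so the client connection is closed
// before any certificate would be looked up or requested for the name.
var ErrUnknownHost = errors.New("tls: unknown host")

// HostAllowlist holds normalised hostnames that may be served.
type HostAllowlist map[string]struct{}

// normalizeHost lowercases a name and strips a trailing dot, so that
// "Registry.Example.COM." and "registry.example.com" compare equal.
func normalizeHost(h string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(h)), ".")
}

// NewHostAllowlist builds the set from the configured host strings.
func NewHostAllowlist(hosts []string) HostAllowlist {
	a := make(HostAllowlist, len(hosts))
	for _, h := range hosts {
		if n := normalizeHost(h); n != "" {
			a[n] = struct{}{}
		}
	}
	return a
}

// Check returns nil for an allowed SNI name. An empty SNI is rejected as
// well: without a hostname there is nothing to obtain a certificate for.
func (a HostAllowlist) Check(serverName string) error {
	if _, ok := a[normalizeHost(serverName)]; ok {
		return nil
	}
	return ErrUnknownHost
}

// Gate clones base and installs the allowlist as a GetConfigForClient hook,
// which crypto/tls calls with the ClientHello before choosing a certificate.
func Gate(base *tls.Config, allow HostAllowlist) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if err := allow.Check(hello.ServerName); err != nil {
			return nil, err // handshake fails; connection is closed
		}
		return nil, nil // nil config means: continue with cfg unchanged
	}
	return cfg
}

func main() {
	// Constructed sample host list and SNI names for demonstration.
	allow := NewHostAllowlist([]string{"registry.example.com", "mirror.example.com"})
	cfg := Gate(&tls.Config{MinVersion: tls.VersionTLS12}, allow)
	for _, sni := range []string{"registry.example.com", "unlisted.example", ""} {
		_, err := cfg.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("SNI %q -> %v\n", sni, err)
	}
}
```

Because the decision is taken from the ClientHello alone, a rejected connection costs the server no certificate work and leaves no state behind, which is what stops a flood of bogus SNI names from turning into failed certificate registrations.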
* Reword lots of instances of 'will'
* Reword lots of instances of won't
* Reword lots of instances of we'll
* Eradicate you'll
* Eradicate 'be able to' type of phrases
* Eradicate 'unable to' type of phrases
* Eradicate 'has / have to' type of phrases
* Eradicate 'note that' type of phrases
* Eradicate 'in order to' type of phrases
* Redirect to official Chef and Puppet docs
* Eradicate gratuitous 'please'
* Reduce use of e.g.
* Reduce use of i.e.
* Reduce use of N.B.
* Get rid of 'sexagesimal' and correct some errors
* Improve Cloudfront notes regarding private buckets
* Point to CloudFront docs
This is better than outlining the steps specifically. The API steps will be different and the specific parts of the web UI may change over time. Amazon's docs are more likely to be up to date.
Using a daemon configuration file is preferred over
using command-line flags, as it allows reloading
this configuration without restarting the
daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If the htpasswd authentication option is configured but the htpasswd file is
missing, populate it with a default user and automatically generated
password.
The password will be printed to stdout.
Signed-off-by: Liron Levin <liron@twistlock.com>
As the `--label` option is used before in `docker node update --label-add registry=true node1`, the Docker registry should be restricted to only run on `node1` - and nowhere else. So the `docker service create` command has to use the option `--constraint 'node.labels.registry==true'` instead of `--label registry=true` - because it is a constraint, where to run the Registry - we don't just want to set a label again.
* for all links to , changed to full path
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
* fixed link in Swarm Tutorial per review comments
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>