
tlsverify - gitlab pipeline - DIND deprecation warning


I'm using molecule to test my Ansible roles. I'm using a .gitlab-ci.yml file to execute a pipeline in which Molecule is invoked to test the role. The pipeline is configured as Docker in Docker.

---
image: docker:latest

services:
  - name: docker:dind
    entrypoint: ["env", "-u", "DOCKER_HOST"]
    command: ["dockerd-entrypoint.sh"]

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

stages:
  - test

<snip>

The pipeline actually runs without any errors and my roles are perfectly tested, which is good.

The problem: there are deprecation warnings shown in the output of the pipeline:

2021-12-27T20:54:55.033126585Z time="2021-12-27T20:54:55.032781033Z" level=warning msg="could not change group /var/run/docker.sock to docker: group docker not found"
2021-12-27T20:54:55.035055413Z time="2021-12-27T20:54:55.032907524Z" level=warning msg="Binding to IP address without --tlsverify is insecure and gives root access on this machine to everyone who has access to your network." host="tcp://0.0.0.0:2375"
2021-12-27T20:54:55.035076321Z time="2021-12-27T20:54:55.034207001Z" level=warning msg="Binding to an IP address, even on localhost, can also give access to scripts run in a browser. Be safe out there!" host="tcp://0.0.0.0:2375"
2021-12-27T20:54:56.034494370Z time="2021-12-27T20:54:56.034363786Z" level=warning msg="Binding to an IP address without --tlsverify is deprecated. Startup is intentionally being slowed down to show this message" host="tcp://0.0.0.0:2375"
2021-12-27T20:54:56.034595755Z time="2021-12-27T20:54:56.034566557Z" level=warning msg="Please consider generating tls certificates with client validation to prevent exposing unauthenticated root access to your network" host="tcp://0.0.0.0:2375"
2021-12-27T20:54:56.034665726Z time="2021-12-27T20:54:56.034638945Z" level=warning msg="You can override this by explicitly specifying '--tls=false' or '--tlsverify=false'" host="tcp://0.0.0.0:2375"
2021-12-27T20:54:56.034732887Z time="2021-12-27T20:54:56.034688345Z" level=warning msg="Support for listening on TCP without authentication or explicit intent to run without authentication will be removed in the next release" host="tcp://0.0.0.0:2375"
2021-12-27T20:55:11.036193082Z tim

When I read this, it looks quite serious.

The containers are executed at gitlab.com itself; I use shared runners. All my roles have been for development purposes, so I don't really care if someone could read them. They are open-source either way. No production data or sensitive information is stored.

Question: How do I configure my pipeline so the deprecation warning is either solved or ignored?

I've tried configuring something along the lines of:

variables:
  DOCKER_TLSVERIFY: false

But the warning persists.

Bonus: how should I fix: could not change group /var/run/docker.sock to docker: group docker not found


Solution

  • Figured it out, I had to set the following variables:

    variables:
      # DOCKER_HOST: tcp://docker:2375/ # not used anymore
      DOCKER_DRIVER: overlay2
      DOCKER_TLS_CERTDIR: "/certs"
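
For reference, the same fix written out as a complete .gitlab-ci.yml skeleton. This is an added example, not part of the original question or answer. The DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH values are the ones GitLab documents for TLS-enabled Docker-in-Docker; with DOCKER_TLS_CERTDIR set to /certs, the docker:dind service generates a CA plus server and client certificates there and starts dockerd on port 2376 with --tlsverify, which is what makes the "Binding to IP address without --tlsverify" warnings go away. The answer above works without DOCKER_HOST because the docker:latest image's entrypoint derives these same client settings when DOCKER_HOST is unset and /certs/client is present; setting them explicitly just makes the job's intent visible. It assumes a runner that shares /certs/client between the service and the job (the case on gitlab.com shared runners); the before_script wait loop, the port check, and the `molecule test` command are my assumptions, since the original job body was snipped.

```yaml
---
image: docker:latest

services:
  # Plain docker:dind service, as in GitLab's documented TLS setup; the
  # entrypoint override from the question is not needed here.
  - docker:dind

variables:
  # Tells dockerd (and the docker client image) to generate and use TLS
  # certificates under this directory instead of listening unauthenticated.
  DOCKER_TLS_CERTDIR: "/certs"
  # Client side, spelled out explicitly (GitLab-documented values):
  # TLS endpoint is 2376, verification on, client cert/key from the shared dir.
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_VERIFY: 1
  DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
  DOCKER_DRIVER: overlay2

stages:
  - test

molecule:
  stage: test
  before_script:
    # The service may still be generating certificates when the job starts;
    # wait until a verified TLS connection to the daemon succeeds. (assumption)
    - until docker info >/dev/null 2>&1; do sleep 1; done
    # Guard against a leftover plaintext endpoint (port 2375) slipping back in.
    - case "$DOCKER_HOST" in tcp://*:2376) ;; *) echo "DOCKER_HOST is not the TLS endpoint: $DOCKER_HOST"; exit 1;; esac
  script:
    # Role installation steps were snipped in the question; only the test run is shown. (assumption)
    - molecule test
```

If the job ever logs the "Binding to IP address without --tlsverify" warning again, the first thing to check is that DOCKER_TLS_CERTDIR is still non-empty and that no job-level `variables:` block overrides it back to "" or resets DOCKER_HOST to port 2375, since job variables take precedence over the top-level ones.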