91 lines
4.8 KiB
Go
91 lines
4.8 KiB
Go
|
package client // import "github.com/docker/docker/client"
|
||
|
|
||
|
const (
|
||
|
// EnvOverrideHost is the name of the environment variable that can be used
|
||
|
// to override the default host to connect to (DefaultDockerHost).
|
||
|
//
|
||
|
// This env-var is read by FromEnv and WithHostFromEnv and when set to a
|
||
|
// non-empty value, takes precedence over the default host (which is platform
|
||
|
// specific), or any host already set.
|
||
|
EnvOverrideHost = "DOCKER_HOST"
|
||
|
|
||
|
// EnvOverrideAPIVersion is the name of the environment variable that can
|
||
|
// be used to override the API version to use. Value should be
|
||
|
// formatted as MAJOR.MINOR, for example, "1.19".
|
||
|
//
|
||
|
// This env-var is read by FromEnv and WithVersionFromEnv and when set to a
|
||
|
// non-empty value, takes precedence over API version negotiation.
|
||
|
//
|
||
|
// This environment variable should be used for debugging purposes only, as
|
||
|
// it can set the client to use an incompatible (or invalid) API version.
|
||
|
EnvOverrideAPIVersion = "DOCKER_API_VERSION"
|
||
|
|
||
|
// EnvOverrideCertPath is the name of the environment variable that can be
|
||
|
// used to specify the directory from which to load the TLS certificates
|
||
|
// (ca.pem, cert.pem, key.pem) from. These certificates are used to configure
|
||
|
// the Client for a TCP connection protected by TLS client authentication.
|
||
|
//
|
||
|
// TLS certificate verification is enabled by default if the Client is configured
|
||
|
// to use a TLS connection. Refer to EnvTLSVerify below to learn how to
|
||
|
// disable verification for testing purposes.
|
||
|
//
|
||
|
// WARNING: Access to the remote API is equivalent to root access to the
|
||
|
// host where the daemon runs. Do not expose the API without protection,
|
||
|
// and only if needed. Make sure you are familiar with the "daemon attack
|
||
|
// surface" (https://docs.docker.com/go/attack-surface/).
|
||
|
//
|
||
|
// For local access to the API, it is recommended to connect with the daemon
|
||
|
// using the default local socket connection (on Linux), or the named pipe
|
||
|
// (on Windows).
|
||
|
//
|
||
|
// If you need to access the API of a remote daemon, consider using an SSH
|
||
|
// (ssh://) connection, which is easier to set up, and requires no additional
|
||
|
// configuration if the host is accessible using ssh.
|
||
|
//
|
||
|
// If you cannot use the alternatives above, and you must expose the API over
|
||
|
// a TCP connection, refer to https://docs.docker.com/engine/security/protect-access/
|
||
|
// to learn how to configure the daemon and client to use a TCP connection
|
||
|
// with TLS client authentication. Make sure you know the differences between
|
||
|
// a regular TLS connection and a TLS connection protected by TLS client
|
||
|
// authentication, and verify that the API cannot be accessed by other clients.
|
||
|
EnvOverrideCertPath = "DOCKER_CERT_PATH"
|
||
|
|
||
|
// EnvTLSVerify is the name of the environment variable that can be used to
|
||
|
// enable or disable TLS certificate verification. When set to a non-empty
|
||
|
// value, TLS certificate verification is enabled, and the client is configured
|
||
|
// to use a TLS connection, using certificates from the default directories
|
||
|
// (within `~/.docker`); refer to EnvOverrideCertPath above for additional
|
||
|
// details.
|
||
|
//
|
||
|
// WARNING: Access to the remote API is equivalent to root access to the
|
||
|
// host where the daemon runs. Do not expose the API without protection,
|
||
|
// and only if needed. Make sure you are familiar with the "daemon attack
|
||
|
// surface" (https://docs.docker.com/go/attack-surface/).
|
||
|
//
|
||
|
// Before setting up your client and daemon to use a TCP connection with TLS
|
||
|
// client authentication, consider using one of the alternatives mentioned
|
||
|
// in EnvOverrideCertPath above.
|
||
|
//
|
||
|
// Disabling TLS certificate verification (for testing purposes)
|
||
|
//
|
||
|
// TLS certificate verification is enabled by default if the Client is configured
|
||
|
// to use a TLS connection, and it is highly recommended to keep verification
|
||
|
// enabled to prevent machine-in-the-middle attacks. Refer to the documentation
|
||
|
// at https://docs.docker.com/engine/security/protect-access/ and pages linked
|
||
|
// from that page to learn how to configure the daemon and client to use a
|
||
|
// TCP connection with TLS client authentication enabled.
|
||
|
//
|
||
|
// Set the "DOCKER_TLS_VERIFY" environment to an empty string ("") to
|
||
|
// disable TLS certificate verification. Disabling verification is insecure,
|
||
|
// so should only be done for testing purposes. From the Go documentation
|
||
|
// (https://pkg.go.dev/crypto/tls#Config):
|
||
|
//
|
||
|
// InsecureSkipVerify controls whether a client verifies the server's
|
||
|
// certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
|
||
|
// accepts any certificate presented by the server and any host name in that
|
||
|
// certificate. In this mode, TLS is susceptible to machine-in-the-middle
|
||
|
// attacks unless custom verification is used. This should be used only for
|
||
|
// testing or in combination with VerifyConnection or VerifyPeerCertificate.
|
||
|
EnvTLSVerify = "DOCKER_TLS_VERIFY"
|
||
|
)
|