From f2caf393cefef0d480db80f7d2db91e81be9d600 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Fri, 19 Jul 2019 16:57:46 -0700 Subject: [PATCH] Apply suggestions from code review Co-Authored-By: yosifkit --- docker/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/content.md b/docker/content.md index cf91c429c..4c8a2675b 100644 --- a/docker/content.md +++ b/docker/content.md @@ -18,9 +18,9 @@ If you are still convinced that you need Docker-in-Docker and not just access to ## TLS -Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates the directory specified by the `DOCKER_TLS_CERTDIR` environment variable. +Starting in 18.09+, the `dind` variants of this image will automatically generate TLS certificates in the directory specified by the `DOCKER_TLS_CERTDIR` environment variable. -**Warning:** in 18.09, this behavior is disabled by default (for compatibility) but can be enabled by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default. +**Warning:** in 18.09, this behavior is disabled by default (for compatibility). If you use `--network=host`, shared network namespaces (as in Kubernetes pods), or otherwise have network access to the container (including containers started within the `dind` instance via their gateway interface), this is a potential security issue (which can lead to access to the host system, for example). It is recommended to enable TLS by setting the variable to an appropriate value (`-e DOCKER_TLS_CERTDIR=/certs` or similar). In 19.03+, this behavior is enabled by default. When enabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2376 --tlsverify ...` (and when disabled, the Docker daemon will be started with `--host=tcp://0.0.0.0:2375`).
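Review bot: the new warning in the `## TLS` hunk says "this is a potential security issue" but never states the mechanism, which the unchanged paragraph right below it does: with `DOCKER_TLS_CERTDIR` unset on 18.09 the daemon is started with `--host=tcp://0.0.0.0:2375`, i.e. an unauthenticated, unencrypted API socket bound on all interfaces. Consider making that causal link explicit in the warning itself, e.g. "...this is a potential security issue: the daemon listens unauthenticated on `tcp://0.0.0.0:2375`, so anything that can reach that port controls the daemon (which can lead to access to the host system, for example)." The sentence listing exposure paths (`--network=host`, shared network namespaces such as Kubernetes pods, containers started inside the `dind` instance reaching it via their gateway interface) is also long enough that a short bullet list under the warning would read more clearly than the single parenthetical chain. Minor: "Starting in 18.09+" is redundant; either "Starting in 18.09" or "In 18.09+".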