github.com/rawahars/moby@v24.0.4+incompatible/client/envvars.go

package client // import "github.com/docker/docker/client"

const (
	// EnvOverrideHost is the name of the environment variable that can be used
	// to override the default host to connect to (DefaultDockerHost).
	//
	// This env-var is read by FromEnv and WithHostFromEnv and when set to a
	// non-empty value, takes precedence over the default host (which is platform
	// specific), or any host already set.
	EnvOverrideHost = "DOCKER_HOST"

	// EnvOverrideAPIVersion is the name of the environment variable that can
	// be used to override the API version to use. Value should be
	// formatted as MAJOR.MINOR, for example, "1.19".
	//
	// This env-var is read by FromEnv and WithVersionFromEnv and when set to a
	// non-empty value, takes precedence over API version negotiation.
	//
	// This environment variable should be used for debugging purposes only, as
	// it can set the client to use an incompatible (or invalid) API version.
	EnvOverrideAPIVersion = "DOCKER_API_VERSION"

	// EnvOverrideCertPath is the name of the environment variable that can be
	// used to specify the directory from which to load the TLS certificates
	// (ca.pem, cert.pem, key.pem) from. These certificates are used to configure
	// the Client for a TCP connection protected by TLS client authentication.
	//
	// TLS certificate verification is enabled by default if the Client is configured
	// to use a TLS connection. Refer to EnvTLSVerify below to learn how to
	// disable verification for testing purposes.
	//
	// WARNING: Access to the remote API is equivalent to root access to the
	// host where the daemon runs. Do not expose the API without protection,
	// and only if needed. Make sure you are familiar with the "daemon attack
	// surface" (https://docs.docker.com/go/attack-surface/).
	//
	// For local access to the API, it is recommended to connect with the daemon
	// using the default local socket connection (on Linux), or the named pipe
	// (on Windows).
	//
	// If you need to access the API of a remote daemon, consider using an SSH
	// (ssh://) connection, which is easier to set up, and requires no additional
	// configuration if the host is accessible using ssh.
	//
	// If you cannot use the alternatives above, and you must expose the API over
	// a TCP connection, refer to https://docs.docker.com/engine/security/protect-access/
	// to learn how to configure the daemon and client to use a TCP connection
	// with TLS client authentication. Make sure you know the differences between
	// a regular TLS connection and a TLS connection protected by TLS client
	// authentication, and verify that the API cannot be accessed by other clients.
	EnvOverrideCertPath = "DOCKER_CERT_PATH"

	// EnvTLSVerify is the name of the environment variable that can be used to
	// enable or disable TLS certificate verification. When set to a non-empty
	// value, TLS certificate verification is enabled, and the client is configured
	// to use a TLS connection, using certificates from the default directories
	// (within `~/.docker`); refer to EnvOverrideCertPath above for additional
	// details.
	//
	// WARNING: Access to the remote API is equivalent to root access to the
	// host where the daemon runs. Do not expose the API without protection,
	// and only if needed. Make sure you are familiar with the "daemon attack
	// surface" (https://docs.docker.com/go/attack-surface/).
	//
	// Before setting up your client and daemon to use a TCP connection with TLS
	// client authentication, consider using one of the alternatives mentioned
	// in EnvOverrideCertPath above.
	//
	// Disabling TLS certificate verification (for testing purposes)
	//
	// TLS certificate verification is enabled by default if the Client is configured
	// to use a TLS connection, and it is highly recommended to keep verification
	// enabled to prevent machine-in-the-middle attacks. Refer to the documentation
	// at https://docs.docker.com/engine/security/protect-access/ and pages linked
	// from that page to learn how to configure the daemon and client to use a
	// TCP connection with TLS client authentication enabled.
	//
	// Set the "DOCKER_TLS_VERIFY" environment to an empty string ("") to
	// disable TLS certificate verification. Disabling verification is insecure,
	// so should only be done for testing purposes. From the Go documentation
	// (https://pkg.go.dev/crypto/tls#Config):
	//
	//	InsecureSkipVerify controls whether a client verifies the server's
	//	certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
	//	accepts any certificate presented by the server and any host name in that
	//	certificate. In this mode, TLS is susceptible to machine-in-the-middle
	//	attacks unless custom verification is used. This should be used only for
	//	testing or in combination with VerifyConnection or VerifyPeerCertificate.
	EnvTLSVerify = "DOCKER_TLS_VERIFY"
)
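
The warnings in the doc comments above can be turned into a pre-flight check for CI jobs or shell profiles. The following is an added example, not code from the moby repository: `auditDockerEnv` is a hypothetical helper that uses only the standard library and flags the risky combinations of the four variables described above.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// MAJOR.MINOR, the format the page gives for DOCKER_API_VERSION.
var apiVersionRE = regexp.MustCompile(`^\d+\.\d+$`)

// auditDockerEnv is a hypothetical helper (not part of the Docker client).
// It applies the rules from the doc comments above to a getenv function
// and returns one finding per risky setting.
func auditDockerEnv(getenv func(string) string) []string {
	var findings []string
	host, certPath := getenv("DOCKER_HOST"), getenv("DOCKER_CERT_PATH")
	verify, apiVer := getenv("DOCKER_TLS_VERIFY"), getenv("DOCKER_API_VERSION")

	// Remote TCP API with neither TLS variable set: nothing in the
	// environment configures TLS for this connection.
	if strings.HasPrefix(host, "tcp://") && certPath == "" && verify == "" {
		findings = append(findings, "DOCKER_HOST uses tcp:// but no TLS is configured from the environment")
	}
	// Certificates are loaded, but an empty DOCKER_TLS_VERIFY disables
	// verification of the daemon's certificate.
	if certPath != "" && verify == "" {
		findings = append(findings, "DOCKER_CERT_PATH is set but DOCKER_TLS_VERIFY is empty: server certificate is not verified")
	}
	// The override bypasses API version negotiation; debugging only.
	if apiVer != "" {
		msg := "DOCKER_API_VERSION overrides version negotiation (debugging only)"
		if !apiVersionRE.MatchString(apiVer) {
			msg = "DOCKER_API_VERSION is not MAJOR.MINOR: " + apiVer
		}
		findings = append(findings, msg)
	}
	return findings
}

func main() {
	for _, f := range auditDockerEnv(os.Getenv) {
		fmt.Println("WARN:", f)
	}
}
```

Passing the lookup function as a parameter lets the same check run against `os.Getenv` in production and against a constructed map in tests.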