github.com/rawahars/moby@v24.0.4+incompatible/client/envvars.go (about)

     1  package client // import "github.com/docker/docker/client"
     2  
const (
	// EnvOverrideHost names the environment variable that replaces the
	// default daemon address (DefaultDockerHost).
	//
	// FromEnv and WithHostFromEnv read this variable. A non-empty value wins
	// over the platform-specific default host and over any host that was
	// already configured.
	//
	// NOTE(review): a non-empty value overrides a host set earlier, so
	// whoever controls the process environment selects the daemon this
	// client talks to. Treat the environment as trusted configuration.
	EnvOverrideHost = "DOCKER_HOST"

	// EnvOverrideAPIVersion names the environment variable that pins the API
	// version. The value is expected in MAJOR.MINOR form, e.g. "1.19".
	//
	// FromEnv and WithVersionFromEnv read this variable. A non-empty value
	// takes precedence over API version negotiation.
	//
	// Use it for debugging only: it can force the client onto an incompatible
	// (or invalid) API version.
	EnvOverrideAPIVersion = "DOCKER_API_VERSION"

	// EnvOverrideCertPath names the environment variable that points at the
	// directory holding the TLS material (ca.pem, cert.pem, key.pem). That
	// material configures the Client for a TCP connection protected by TLS
	// client authentication.
	//
	// When the Client is configured for TLS, certificate verification is on
	// by default. EnvTLSVerify below describes how to turn it off for testing.
	//
	// NOTE(review): key.pem is the client's private key. Anyone who can read
	// it can present this client's identity to the daemon, so keep the
	// directory readable only by the account that runs the client.
	//
	// WARNING: Access to the remote API is equivalent to root access to the
	// host where the daemon runs. Do not expose the API without protection,
	// and only if needed. Make sure you are familiar with the "daemon attack
	// surface" (https://docs.docker.com/go/attack-surface/).
	//
	// Preferred ways to reach the API, in order:
	//
	//   - Local access: use the default local socket (on Linux) or the named
	//     pipe (on Windows).
	//   - Remote daemon: consider an SSH (ssh://) connection. It is easier to
	//     set up and needs no extra configuration when the host is already
	//     reachable over ssh.
	//   - TCP, only if neither of the above is possible: follow
	//     https://docs.docker.com/engine/security/protect-access/ to configure
	//     daemon and client for TCP with TLS client authentication. Make sure
	//     you know the difference between a regular TLS connection and one
	//     protected by TLS client authentication, and verify that no other
	//     client can reach the API.
	EnvOverrideCertPath = "DOCKER_CERT_PATH"

	// EnvTLSVerify names the environment variable that switches TLS
	// certificate verification on or off. A non-empty value enables
	// verification and configures the client for a TLS connection, using
	// certificates from the default directories (within `~/.docker`). See
	// EnvOverrideCertPath above for more detail.
	//
	// NOTE(review): as documented here the switch depends only on whether the
	// value is empty. Values such as "0" or "false" are non-empty and would
	// therefore leave verification enabled rather than disable it. An unset
	// variable presumably behaves like an empty one. Confirm both against the
	// code that reads this variable, which is outside this file.
	//
	// WARNING: Access to the remote API is equivalent to root access to the
	// host where the daemon runs. Do not expose the API without protection,
	// and only if needed. Make sure you are familiar with the "daemon attack
	// surface" (https://docs.docker.com/go/attack-surface/).
	//
	// Before configuring client and daemon for TCP with TLS client
	// authentication, consider the alternatives listed under
	// EnvOverrideCertPath above.
	//
	// Disabling TLS certificate verification (for testing purposes)
	//
	// Verification is enabled by default whenever the Client is configured for
	// TLS, and keeping it enabled is highly recommended because it prevents
	// machine-in-the-middle attacks. The documentation at
	// https://docs.docker.com/engine/security/protect-access/ and the pages it
	// links to explain how to configure daemon and client for a TCP connection
	// with TLS client authentication enabled.
	//
	// Setting the "DOCKER_TLS_VERIFY" environment variable to an empty string
	// ("") disables TLS certificate verification. That is insecure and is
	// meant for testing only. The Go documentation
	// (https://pkg.go.dev/crypto/tls#Config) says:
	//
	//	InsecureSkipVerify controls whether a client verifies the server's
	//	certificate chain and host name. If InsecureSkipVerify is true, crypto/tls
	//	accepts any certificate presented by the server and any host name in that
	//	certificate. In this mode, TLS is susceptible to machine-in-the-middle
	//	attacks unless custom verification is used. This should be used only for
	//	testing or in combination with VerifyConnection or VerifyPeerCertificate.
	EnvTLSVerify = "DOCKER_TLS_VERIFY"
)