
feat: add information about fluentd tls connection #22632


Open: wants to merge 1 commit into main

Conversation

enoot (Author) commented May 14, 2025


netlify bot commented May 14, 2025

Deploy Preview for docsdocker ready!

Latest commit: fa05a4b
Latest deploy log: https://app.netlify.com/sites/docsdocker/deploys/6824093094a1bf0008fa740d
Deploy Preview: https://deploy-preview-22632--docsdocker.netlify.app

@github-actions github-actions bot added the area/engine Issue affects Docker engine/daemon label May 14, 2025
thaJeztah (Member) commented May 14, 2025

Thanks! Looks indeed like the updated dependency from moby/moby#42979 adds this as an option (as part of Docker Engine v23.0 and up).

Looking a bit further, I see that a colleague (@akerouanton) left a comment in the PR that implemented it in the dependency; mentioning that it was "incomplete"; fluent/fluent-logger-golang#107 (comment)

Although this PR allows using self-signed TLS certs, it doesn't offer a proper way of securely doing TLS because there's no way to specify which CA cert is accepted. With this change, if an attacker can mitm/redirect fluentd's network stream, they could still generate their own self-signed cert and bypass TLS promises. IMHO it could give a false sense of security. It would be great to be able to specify which CA certs are accepted (on top of what's in the system truststore).

So, wondering if it was intentionally left undocumented (because of that), or if it's something we should (somewhere?) call out in the docs, in case users try to use the option and run into issues because of that limitation.

cc @akerouanton @vvoland for thoughts

enoot (Author) commented May 14, 2025

> Thanks! Looks indeed like the updated dependency from moby/moby#42979 adds this as an option (as part of Docker Engine v23.0 and up).
>
> Looking a bit further, I see that a colleague (@akerouanton) left a comment in the PR that implemented it in the dependency; mentioning that it was "incomplete"; fluent/fluent-logger-golang#107 (comment)
>
> Although this PR allows using self-signed TLS certs, it doesn't offer a proper way of securely doing TLS because there's no way to specify which CA cert is accepted. With this change, if an attacker can mitm/redirect fluentd's network stream, they could still generate their own self-signed cert and bypass TLS promises. IMHO it could give a false sense of security. It would be great to be able to specify which CA certs are accepted (on top of what's in the system truststore).
>
> So, wondering if it was intentionally left undocumented (because of that), or if it's something we should (somewhere?) call out in the docs, in case users try to use the option and run into issues because of that limitation.
>
> cc @akerouanton @vvoland for thoughts

Yes, looks like you can't verify a self-signed cert.
You can still use your private CA trusted by your host and sign the certificate with it; then Docker will be able to verify it against your host CA bundle. (You need to restart Docker to reread the updated bundle.)
https://docs.fluentd.org/plugin-helper-overview/api-plugin-helper-server#tls-configuration-basic-examples

thaJeztah (Member) commented:
Thanks! Yes, so sounds like it may be a good idea to have some warning / note / callout to outline the limitations / caveats. That way the user can make a more well-informed decision whether that's acceptable for their use.

At least, I generally prefer not trying to shove such things under the rug (even if they're ugly)

Suggestions for that definitely welcome! Also /cc @ArthurFlag (in case you have any! ❤️ )
