package client // import "github.com/docker/docker/client" const ( // EnvOverrideHost is the name of the environment variable that can be used // to override the default host to connect to (DefaultDockerHost). // // This env-var is read by FromEnv and WithHostFromEnv and when set to a // non-empty value, takes precedence over the default host (which is platform // specific), or any host already set. EnvOverrideHost = "DOCKER_HOST" // EnvOverrideAPIVersion is the name of the environment variable that can // be used to override the API version to use. Value should be // formatted as MAJOR.MINOR, for example, "1.19". // // This env-var is read by FromEnv and WithVersionFromEnv and when set to a // non-empty value, takes precedence over API version negotiation. // // This environment variable should be used for debugging purposes only, as // it can set the client to use an incompatible (or invalid) API version. EnvOverrideAPIVersion = "DOCKER_API_VERSION" // EnvOverrideCertPath is the name of the environment variable that can be // used to specify the directory from which to load the TLS certificates // (ca.pem, cert.pem, key.pem) from. These certificates are used to configure // the Client for a TCP connection protected by TLS client authentication. // // TLS certificate verification is enabled by default if the Client is configured // to use a TLS connection. Refer to EnvTLSVerify below to learn how to // disable verification for testing purposes. // // WARNING: Access to the remote API is equivalent to root access to the // host where the daemon runs. Do not expose the API without protection, // and only if needed. Make sure you are familiar with the "daemon attack // surface" (https://docs.docker.com/go/attack-surface/). // // For local access to the API, it is recommended to connect with the daemon // using the default local socket connection (on Linux), or the named pipe // (on Windows). // // If you need to access the API of a remote daemon, consider using an SSH // (ssh://) connection, which is easier to set up, and requires no additional // configuration if the host is accessible using ssh. // // If you cannot use the alternatives above, and you must expose the API over // a TCP connection, refer to https://docs.docker.com/engine/security/protect-access/ // to learn how to configure the daemon and client to use a TCP connection // with TLS client authentication. Make sure you know the differences between // a regular TLS connection and a TLS connection protected by TLS client // authentication, and verify that the API cannot be accessed by other clients. EnvOverrideCertPath = "DOCKER_CERT_PATH" // EnvTLSVerify is the name of the environment variable that can be used to // enable or disable TLS certificate verification. When set to a non-empty // value, TLS certificate verification is enabled, and the client is configured // to use a TLS connection, using certificates from the default directories // (within `~/.docker`); refer to EnvOverrideCertPath above for additional // details. // // WARNING: Access to the remote API is equivalent to root access to the // host where the daemon runs. Do not expose the API without protection, // and only if needed. Make sure you are familiar with the "daemon attack // surface" (https://docs.docker.com/go/attack-surface/). // // Before setting up your client and daemon to use a TCP connection with TLS // client authentication, consider using one of the alternatives mentioned // in EnvOverrideCertPath above. // // Disabling TLS certificate verification (for testing purposes) // // TLS certificate verification is enabled by default if the Client is configured // to use a TLS connection, and it is highly recommended to keep verification // enabled to prevent machine-in-the-middle attacks. Refer to the documentation // at https://docs.docker.com/engine/security/protect-access/ and pages linked // from that page to learn how to configure the daemon and client to use a // TCP connection with TLS client authentication enabled. // // Set the "DOCKER_TLS_VERIFY" environment to an empty string ("") to // disable TLS certificate verification. Disabling verification is insecure, // so should only be done for testing purposes. From the Go documentation // (https://pkg.go.dev/crypto/tls#Config): // // InsecureSkipVerify controls whether a client verifies the server's // certificate chain and host name. If InsecureSkipVerify is true, crypto/tls // accepts any certificate presented by the server and any host name in that // certificate. In this mode, TLS is susceptible to machine-in-the-middle // attacks unless custom verification is used. This should be used only for // testing or in combination with VerifyConnection or VerifyPeerCertificate. EnvTLSVerify = "DOCKER_TLS_VERIFY" )