Getting a warning when deploying Docker packages "Using password via the CLI is insecure"

josecbmaia

13 Sep, 2017 02:49 PM

I am deploying a Docker-based solution via Octopus to two different virtual machines. Both are Ubuntu 16.04, one on Amazon and the other on Azure.

For the Amazon machine, since the last couple of days, my deployments have been getting marked with a warning. The message is:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

I assume this is related to the private Docker Container Registry I am using as an external feed. The VM with the WARNING is on Docker 17.07.0-ce, and the one without it is on 17.06. Octopus' version is 3.16.0.

Is this a change in Docker that Octopus needs to adapt to?

Thank you,
JM

  1. Support Staff 1 Posted by Daniel Fischer on 14 Sep, 2017 04:55 AM

    Hi,

    Thanks for getting in touch! The warning you are seeing comes from a recent Docker update, which logs a warning when --password is used in the CLI over --password-stdin.

    Using STDIN prevents the password from ending up in the shell's history, or log-files.
    
    The following documentation provides some further information on this. Whilst using the --password flag will still work and only throw a warning, it is now considered less secure.
    https://github.com/docker/cli/blob/master/docs/reference/commandlin...

    Hope that helps! Let me know if you have any further questions here. :)

    Best regards,
    Daniel

  2. 2 Posted by josecbmaia on 15 Sep, 2017 08:29 AM

    Hello Daniel.

    I understand. However, I am not using docker login directly - I am using the Docker deployment steps via Octopus, which I have no control over.

    I assume this means that Octopus should be using --password-stdin instead for the deployment step mentioned.

  3. Support Staff 3 Posted by Daniel Fischer on 17 Sep, 2017 11:56 PM

    Hi,

    Thanks for getting back! I just created a GitHub issue for this. Hopefully we can get something out for this soon. Below is a link to the GitHub issue:
    https://github.com/OctopusDeploy/Issues/issues/3802

    Let me know if you have any further thoughts here. :)

    Best regards,
    Daniel
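
For deployment scripts that call `docker login` themselves, the following is an added example (not part of the thread and not Octopus's own code) of the `--password-stdin` form discussed above. The names `registry_login` and `DOCKER_BIN`, and the idea of keeping the password in a file readable only by its owner, are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumed names: DOCKER_BIN, registry_login, and the secret
# file path supplied by the caller.

# Form that triggers the warning; the password is part of the command line:
#   docker login --username "$user" --password "$password" "$registry"

DOCKER_BIN="${DOCKER_BIN:-docker}"   # overridable so the function can be tested

# registry_login REGISTRY USER SECRET_FILE
# Feeds the password to docker on stdin, so it never appears in the command's
# arguments, in shell history, or in a deployment log that echoes commands.
registry_login() {
    registry="$1"
    user="$2"
    secret_file="$3"

    if [ ! -r "$secret_file" ]; then
        echo "registry_login: cannot read $secret_file" >&2
        return 2
    fi
    # Refuse a secret file that group or others can read.
    if [ -n "$(find "$secret_file" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "registry_login: $secret_file is group/world readable" >&2
        return 3
    fi

    # --password-stdin requires --username to be given explicitly.
    "$DOCKER_BIN" login --username "$user" --password-stdin "$registry" \
        < "$secret_file"
}
```

Call it as `registry_login <registry> <user> <secret-file>` after restricting the file with `chmod 600`.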
