Getting a warning when deploying Docker packages "Using password via the CLI is insecure"

(josecbmaia) #1

I am deploying a Docker-based solution via Octopus to two different virtual machines. Both are Ubuntu 16.04, one on Amazon and the other on Azure.

For the Amazon machine, since the last couple of days, my deployments have been getting marked with a warning. The message is:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

I assume this is related to the private Docker Container Registry I am using as an external feed. The VM with the WARNING is on Docker 17.07.0-ce, and the one without it is on 17.06. Octopus’ version is 3.16.0.

Is this a change in Docker that Octopus needs to adapt to?

Thank you,
JM

(Daniel Fischer) #2

Hi,

Thanks for getting in touch! The warning you are seeing is a recent docker update which logs a warning when --password is used in the CLI over --password-stdin.

Using STDIN prevents the password from ending up in the shell's history, or log-files.

The following documentation provides some further information on this. Whilst using the --password flag will still work and only throw a warning, it is now considered less secure.

Hope that helps! Let me know if you have any further questions here. :slight_smile:

Best regards,
Daniel

(josecbmaia) #3

Hello Daniel.

I understand. However, I am not using docker login directly - I am using the docker deployment steps via Octopus, which I have no control over.

I assume this means that Octopus should be using --password-stdin instead for the deployment step mentioned.

(Daniel Fischer) #4

Hi,

Thanks for getting back! I just created a GitHub issue for this. Hopefully we can get something out for this soon. Below is a link to the GitHub issue:

Let me know if you have any further thoughts here. :slight_smile:

Best regards,
Daniel

(system) closed #6