Getting a warning when deploying Docker packages "Using password via the CLI is insecure"

josecbmaia · 13 September 2017 14:49

I am deploying a Docker-based solution via Octopus to two different virtual machines. Both are Ubuntu 16.04, one on Amazon and the other on Azure.

For the Amazon machine, since the last couple of days, my deployments have been getting marked with a warning. The message is:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

I assume this is related to the private Docker Container Registry I am using as an external feed. The VM with the WARNING is on Docker 17.07.0-ce, and the one without it is on 17.06. Octopus’ version is 3.16.0.

Is this a change in Docker that Octopus needs to adapt to?

Thank you,
JM

Daniel_Fischer · 14 September 2017 04:55

Hi,

Thanks for getting in touch! The warning you are seeing is a recent docker update which logs a warning when --password is used in the CLI over --password-stdin.

Using STDIN prevents the password from ending up in the shell's history, or log-files.

The following documentation provides some further information on this. Whilst using the --password flag will still work and only throw a warning, it is now considered less secure.

github.com

docker/cli/blob/master/docs/reference/commandline/login.md

---
title: "login"
description: "The login command description and usage"
keywords: "registry, login, image"
---

<!-- This file is maintained within the docker/cli GitHub
     repository at https://github.com/docker/cli/. Make all
     pull requests against that repo. If you see this file in
     another repository, consider it read-only there, as it will
     periodically be overwritten by the definitive file. Pull
     requests which include edits to this file in other repositories
     will be rejected.
-->

# login

```markdown
Usage:  docker login [OPTIONS] [SERVER]

This file has been truncated. show original

Hope that helps! Let me know if you have any further questions here.

Best regards,
Daniel

josecbmaia · 15 September 2017 08:29

Hello Daniel.

I understand. However, I am not using docker login directly - I am using the docker deployment steps via Octopus, which I have no control over.

I assume this means that Octopus should be using --password-stdin instead for the deployment step mentioned.

Daniel_Fischer · 17 September 2017 23:56

Hi,

Thanks for getting back! I just created a GitHub issue for this. Hopefully we can get something out for this soon. Below is a link to the GitHub issue:
https://github.com/OctopusDeploy/Issues/issues/3802

Let me know if you have any further thoughts here.

Best regards,
Daniel