Add warning if REST API is accessible through an insecure connection

[thaJeztah]

The remote API allows full privilege escalation and is equivalent to having root access on the host. Because of this, the API should never be accessible through an insecure connection (TCP without TLS, or TCP without TLS verification).

Although a warning is already logged on startup if the daemon uses an insecure configuration, this warning is not very visible (unless someone decides to read the logs).

This patch attempts to make insecure configuration more visible by sending back warnings through the API (which will be printed when using docker info).

- Description for the changelog

+ Add warning if REST API is accessible through an insecure connection [moby#37684](https://github.com/moby/moby/pull/37684)

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

ping @vdemeester @cpuguy83 @justincormack

related to #37299 (/cc @cyphar)

[vdemeester]

LGTM 🐸

[cpuguy83]

Seems ok, but I don't like that it's parsing hosts for the info endpoint, especially since these don't change while the daemon is running.

Since we already have to parse the hosts can we store this info somewhere?

[cpuguy83]

Nit, this should be a constant.

[thaJeztah]

Actually; may not even need the ParseHost(), because the startup code parses this, and writes it back to Config;

moby/cmd/dockerd/daemon.go

Lines 593 to 595 in cf72051

	if cli.Config.Hosts[i], err = dopts.ParseHost(cli.Config.TLS, cli.Config.Hosts[i]); err != nil {
	return nil, fmt.Errorf("error parsing -H %s : %v", cli.Config.Hosts[i], err)
	}

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@2629fe9). Click here to learn what that means.
The diff coverage is 0%.

@@            Coverage Diff            @@
##             master   #37684   +/-   ##
=========================================
  Coverage          ?   36.01%           
=========================================
  Files             ?      609           
  Lines             ?    45060           
  Branches          ?        0           
=========================================
  Hits              ?    16229           
  Misses            ?    26605           
  Partials          ?     2226

[thaJeztah]

@cpuguy83 updated; PTAL

[cpuguy83]

s/without TLS protection/unencrypted/

[cpuguy83]

TLS client verification

[cyphar]

LGTM, after @cpuguy83's comments are addressed.

[cpuguy83]

Probably fine for this PR, but it would be nice to eliminate this by being able to do something like host.Protocol()

[thaJeztah]

Yes; tried to keep this PR minimal, but I'm thinking of exposing some of this information (e.g., the configured hosts) in docker info as well. I can do some refactoring as part of that 👍

[thaJeztah]

Thanks for reviewing @cyphar 🤗

[cpuguy83]

LGTM

[andrewhsu]

Please ignore powerpc build results. The IBM Power infrastructure is experiencing outage at the moment.

[tiborvass]

LGTM