Bug 1346206

| Field | Value |
|---|---|
| Summary | docker command overwrites DOCKER_CERT_PATH variable |
| Product | Red Hat Enterprise Linux 7 |
| Component | docker |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Target Milestone | rc |
| Keywords | Extras |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Ondřej Pták <optak> |
| Assignee | Lokesh Mandvekar <lsm5> |
| QA Contact | atomic-bugs <atomic-bugs> |
| CC | ajia, dustymabe, dwalsh, lsm5, lsu, mike, mnewby |
| Doc Type | If docs needed, set a value |
| Last Closed | 2017-01-17 20:43:13 UTC |
| Type | Bug |

Description
Ondřej Pták
2016-06-14 09:23:49 UTC
step 1 in previous comment should contain:

```
export DOCKER_TLS_VERIFY=1
```

Could you attach /usr/bin/docker

unless anything's been changed, this is what the rpm installs:

```
#!/bin/sh
. /etc/sysconfig/docker
[ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current
if [ ! -f /usr/bin/docker-current ]; then
    DOCKERBINARY=/usr/bin/docker-latest
fi
if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then
    echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY
    echo ""
    echo "Please set DOCKERBINARY to /usr/bin/docker-current or /usr/bin/docker-latest by editing /etc/sysconfig/docker"
else
    exec ${DOCKERBINARY} "$@"
fi
```

Ondřej, help me understand, does this issue still occur if you change the value for DOCKER_CERT_PATH in /etc/sysconfig/docker itself? Are you setting those 3 variables in the shell itself?

Ohh is it that in your case your DOCKER_CERT_PATH will vary a lot and that's why you don't want to depend on a fixed DOCKER_CERT_PATH in /etc/sysconfig/docker?

Instead of

```
. /etc/sysconfig/docker
```

we could just do

```
eval $(grep ^DOCKERBINARY /etc/sysconfig/docker | head -1)
```

Which I think will solve the problem.

I'll try that, btw is this gonna be a blocker?

I have no idea, that is up to Product Management.

Yes, I need to change these variables often, using vagrant plugin: https://github.com/projectatomic/vagrant-service-manager which works by exporting env variables, including DOCKER_CERT_PATH. This way, it's also possible to have multiple running vagrant boxes with different values of DOCKER_CERT_PATH (and several other DOCKER* variables).

Lokesh, should this be in modified state?

This is still a problem on centos 7.2 with docker-1.10.3-46.el7.centos.10.x86_64.
An easy workaround is to update /etc/sysconfig/docker to not override DOCKER_CERT_PATH if it is already set:
< DOCKER_CERT_PATH=/etc/docker
---
> if [ -z "${DOCKER_CERT_PATH}" ]; then
> DOCKER_CERT_PATH=/etc/docker
> fi
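
Review bot: the guard on the first added line uses `-z`, which is true for a set-but-empty variable as well as an unset one, so a caller that exports an empty DOCKER_CERT_PATH still has /etc/docker written over it. If only the unset case should fall back to the default, test `${DOCKER_CERT_PATH+set}` instead; if empty is also meant to fall back, the three added lines reduce to `: "${DOCKER_CERT_PATH:=/etc/docker}"`. The assignment inside the `if` would also read better indented.
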
(In reply to Maru Newby from comment #12)
> This is still a problem on centos 7.2 with
> docker-1.10.3-46.el7.centos.10.x86_64.
>
> An easy workaround is to update /etc/sysconfig/docker to not override
> DOCKER_CERT_PATH if it is already set:
>
> < DOCKER_CERT_PATH=/etc/docker
> ---
> > if [ -z "${DOCKER_CERT_PATH}" ]; then
> > DOCKER_CERT_PATH=/etc/docker
> > fi

Thanks, I'll include this in the 7.3.1 release with the next build.

Fixed in docker-1.12 release.

This is included in docker-1.12.3-4.el7.x86_64

```
#cat /etc/sysconfig/docker | grep -i1 DOCKER_CERT_PATH
OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
DOCKER_CERT_PATH=/etc/docker
fi
```

And worked in docker-1.12.3-8.el7.

```
# docker version
Could not read CA certificate "/path/to/dir/with/cert/ca.pem": open /path/to/dir/with/cert/ca.pem: no such file or directory
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html

Can someone advise me if there's a sibling bug for this in fedora?

Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64

and it is broken (and fixable) in the same exact manner.

(In reply to Mike Goodwin from comment #20)
> Can someone advise me if there's a sibling bug for this in fedora?
>
> Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64
>
> and it is broken (and fixable) in the same exact manner.

I would say please open a bug if you can reproduce it there.
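
The behaviour discussed in this thread, as an added example that is not part of the bug report or the docker package: it compares which DOCKER_CERT_PATH (and so which TLS material) a child process inherits when the wrapper sources the whole config file, sources the guarded file, or evaluates only the DOCKERBINARY line. The two config files, the DOCKERBINARY line in them, the function names and the caller path /home/user/.vagrant/certs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Both files are constructed stand-ins for /etc/sysconfig/docker:
# the unconditional assignment from this bug, and the guarded workaround.
OLD_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$FIXED_CFG"' EXIT
cat > "$OLD_CFG" <<'EOF'
OPTIONS='--selinux-enabled --log-driver=journald'
DOCKER_CERT_PATH=/etc/docker
DOCKERBINARY=/usr/bin/docker-current
EOF
cat > "$FIXED_CFG" <<'EOF'
OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi
DOCKERBINARY=/usr/bin/docker-current
EOF

# Print the DOCKER_CERT_PATH a child process (standing in for the exec'd
# client) inherits after the wrapper sources all of config file $1, when the
# caller had exported $2. Assigning to an already-exported variable keeps it
# exported, which is how the file's value replaces the caller's.
seen_after_source() (
    DOCKER_CERT_PATH=$2; export DOCKER_CERT_PATH
    . "$1"
    sh -c 'printf %s "$DOCKER_CERT_PATH"'
)

# Same, but the wrapper evaluates only the DOCKERBINARY line, as proposed in
# the thread, so no other assignment in the file can touch the environment.
seen_after_extract() (
    DOCKER_CERT_PATH=$2; export DOCKER_CERT_PATH
    eval "$(grep '^DOCKERBINARY' "$1" | head -1)"
    [ -n "$DOCKERBINARY" ] || exit 1
    sh -c 'printf %s "$DOCKER_CERT_PATH"'
)

CALLER=/home/user/.vagrant/certs   # constructed per-box certificate directory
printf 'source, old file:    %s\n' "$(seen_after_source "$OLD_CFG" "$CALLER")"
printf 'source, guarded:     %s\n' "$(seen_after_source "$FIXED_CFG" "$CALLER")"
printf 'extract, old file:   %s\n' "$(seen_after_extract "$OLD_CFG" "$CALLER")"
```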