Bug 1460097

Summary: env from binary file secret produces invalid Docker header
Product: OpenShift Container Platform
Reporter: Takayoshi Kimura <tkimura>
Component: Node
Assignee: Seth Jennings <sjenning>
Status: CLOSED CURRENTRELEASE
QA Contact: Xiaoli Tian <xtian>
Severity: low
Priority: low
Version: 3.5.1
CC: aos-bugs, cscribne, decarr, gblomqui, joedward, jokerman, mmccomas, sjenning
Last Closed: 2019-07-03 18:21:36 UTC
Type: Bug

Description Takayoshi Kimura 2017-06-09 06:19:57 UTC
Description of problem:

By mistake, I put a binary secret into a container env var; the container run fails with cryptic random messages like:

$ oc logs hello-sinatra-3-f4v8x 
container_linux.go:247: starting container process caused "process_linux.go:291: setting cgroup config for ready process caused \"open /sys/fs/cgroup/cpu,cpuacct/system.slice/docker-ae38bec5b56d56780a990a2e9520af10861e6cc60b12373f769580feb1be5b5e.scope/cpu.shares: no such file or directory\""

container_linux.go:247: starting container process caused "process_linux.go:295: setting oom score for ready process caused \"write /proc/74956/oom_score_adj: invalid argument\""

$ oc secret new perl /usr/bin/perl
$ oc edit dc

     spec:
        containers:
        - env:
          - name: binary
            valueFrom:
              secretKeyRef:
                key: perl
                name: perl

The docker command for the same works, and it looks like docker filters some binary code for env:

# docker run --env "foo=`cat /usr/bin/perl`" --rm -it registry.access.redhat.com/rhel7  bash


Version-Release number of selected component (if applicable):

atomic-openshift-3.5.5.15-1.git.0.4b5f317.el7.x86_64
docker-1.12.6-16.el7.x86_64

How reproducible:

Always

Steps to Reproduce:
1. See description

Actual results:

Failed with various random messages, like cgroups file not found, invalid argument, invalid header, etc.

Expected results:

Better error message, or filter the binary like docker does.

Additional info:

Comment 1 Seth Jennings 2017-06-12 19:52:33 UTC
Related upstream issue:
https://github.com/kubernetes/kubernetes/issues/32432

Comment 9 Greg Blomquist 2019-07-03 18:21:36 UTC
This looks like it should be available since 3.10.  There are no customer updates in the case since before 2017, and the reported customer version was 3.4.

Closing current release.  If this issue persists with the customer, please reopen with additional information.
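
For the failure described in this report, a pre-deploy check can flag secret keys that are referenced through secretKeyRef but hold data that cannot be a valid environment value. This is an added example, not part of the original report or of OpenShift; the function names, the size limit, the hello-sinatra container name and the sample manifests are assumptions constructed for illustration.

```python
import base64

MAX_ENV_BYTES = 128 * 1024  # assumed policy limit, not a Kubernetes constant


def env_unsafe_reason(raw):
    """Return why these bytes are unsuitable as an env value, or None."""
    if b"\x00" in raw:
        return "contains NUL byte"  # env values are NUL-terminated C strings
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8"
    if any(ord(ch) < 0x20 and ch not in "\t\r\n" for ch in text):
        return "contains control characters"
    if len(raw) > MAX_ENV_BYTES:
        return "larger than %d bytes" % MAX_ENV_BYTES
    return None


def check_env_secret_refs(pod_spec, secrets):
    """List (container, env name, secret/key, reason) for each bad secretKeyRef."""
    findings = []
    for container in pod_spec.get("containers", []):
        for env in container.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref:
                continue
            where = "%s/%s" % (ref["name"], ref["key"])
            data = secrets.get(ref["name"], {}).get("data", {})
            if ref["key"] not in data:
                reason = "secret or key not found"
            else:
                # Secret manifests carry each value base64-encoded under .data
                reason = env_unsafe_reason(base64.b64decode(data[ref["key"]]))
            if reason:
                findings.append((container["name"], env["name"], where, reason))
    return findings


# Constructed sample data: an ELF-style header stands in for /usr/bin/perl.
def b64(raw):
    return base64.b64encode(raw).decode("ascii")

SAMPLE_SECRETS = {"perl": {"data": {"perl": b64(b"\x7fELF\x02\x01\x01\x00"),
                                    "token": b64(b"plain-text-value")}}}
SAMPLE_POD_SPEC = {"containers": [{"name": "hello-sinatra", "env": [
    {"name": "binary", "valueFrom": {"secretKeyRef": {"name": "perl", "key": "perl"}}},
    {"name": "TOKEN", "valueFrom": {"secretKeyRef": {"name": "perl", "key": "token"}}},
]}]}

if __name__ == "__main__":
    for finding in check_env_secret_refs(SAMPLE_POD_SPEC, SAMPLE_SECRETS):
        print("%s: env %s from secret %s %s" % finding)
```

In practice the two dictionaries would be loaded from the JSON output of the deployment's pod template and of the referenced secrets; binary material that a container needs is better mounted as a secret volume than passed through env.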