Bug 1502560

Summary: Default docker parameter "--signature-enabled=false" shouldn't be removed during the installation
Product: OpenShift Container Platform Reporter: Gan Huang <ghuang>
Component: InstallerAssignee: Michael Gugino <mgugino>
Status: CLOSED ERRATA QA Contact: Gan Huang <ghuang>
Severity: medium Docs Contact:
Priority: high    
Version: 3.7.0CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:17:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gan Huang 2017-10-16 08:45:00 UTC 
Description of problem:
New docker option (--signature-enabled) introduced in latest docker-1.12 (uncertain the precise version introducing the new parameter). It's set to false by default in /etc/sysconfig/docker. Unfortunately installer would remove the parameter during the installation, and docker would get the default value as True. 

Version-Release number of the following components:
docker-1.12.6-55.gitc4618fb.el7.x86_64

How reproducible:
always 

Steps to Reproduce:
1. Provision instances to be installed:
Check the options prior to trigger openshift-ansible
# grep  "OPTIONS" /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'

2.Trigger installation

3. Check the options after installation


Actual results:
`--signature-enabled` was removed:
# grep OPTIONS /etc/sysconfig/docker
OPTIONS=' --selinux-enabled  --log-driver=journald'

S2I build failed
# oc logs -f bc/cakephp-mysql-example
Cloning "https://github.com/openshift/cakephp-ex.git" ...
	Commit:	7969534afdf9490ca79e37e672f0b9c81887ec28 (Merge pull request #81 from bparees/readiness)
	Author:	Ben Parees <bparees.github.com>
	Date:	Mon Sep 11 01:15:51 2017 -0400
pulling image error : unable to pull from V1 Docker registries with image signature verification enabled. If you need to accept this risk and disable signature verification (for ALL images), run the docker daemon with --signature-enabled=false
error: build error: unable to get registry.access.redhat.com/rhscl/php-70-rhel7@sha256:00810c34044d6772f35082416423665a7519bcc62ffeb5821bdad03f90a49e6b

Expected results:
--signature-enabled should persists in /etc/sysconfig/docker

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
Comment 2 Michael Gugino 2017-10-16 16:51:58 UTC 
Looks like someone was hitting this back in February: https://bugzilla.redhat.com/show_bug.cgi?id=1425646
Comment 3 Michael Gugino 2017-10-16 17:02:55 UTC 
This bug references that option as well: https://bugzilla.redhat.com/show_bug.cgi?id=1403908
Comment 4 Michael Gugino 2017-10-16 17:34:15 UTC 
It appears that the signature-verification has been present since 1.12.2, https://github.com/projectatomic/docker/blob/docker-1.12.2/daemon/config_unix.go

I don't see a branch here tagged for 1.12.0 or 1.12.1, 1.12.2 is the oldest branch of 1.12 available in this repo.

It's probably safe to say that for most 1.12 users, this option will not break their install.
Comment 5 Michael Gugino 2017-10-16 18:17:55 UTC 
PR Submitted: https://github.com/openshift/openshift-ansible/pull/5774
Comment 7 Gan Huang 2017-10-24 06:11:48 UTC 
Verified in openshift-ansible-3.7.0-0.176.0.git.0.eec12b8.el7.noarch.rpm

By default `--signature-verification=False`, unable to reproduce the issue as comment 1 even if removing `--signature-verification=True`. Anyway it should not break the verification.
Comment 10 errata-xmlrpc 2017-11-28 22:17:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188