Bug 1346206 - docker command overwrites DOCKER_CERT_PATH variable
Summary: docker command overwrites DOCKER_CERT_PATH variable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-14 09:23 UTC by Ondřej Pták
Modified: 2019-03-06 01:08 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-17 20:43:13 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0116 normal SHIPPED_LIVE Moderate: docker security, bug fix, and enhancement update 2017-01-18 01:39:43 UTC

Internal Links: 1402074

Description Ondřej Pták 2016-06-14 09:23:49 UTC
Description of problem:
/usr/bin/docker (wrapper) overwrites DOCKER_CERT_PATH variable
by sourcing file /etc/sysconfig/docker, which contains:
DOCKER_CERT_PATH=/etc/docker

This brokes scenario when user want to configure docker client to communicate with specific server.


Version-Release number of selected component (if applicable):
docker-common-1.9.1-40.el7.x86_64
docker-1.9.1-40.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Confugure docker client similar to this:

export DOCKER_HOST=tcp://10.1.2.2:2376
export DOCKER_CERT_PATH=/path/to/dir/with/cert
export DOCKER_TLS_VERIFY=

2. run docker version # or any other docker command

Actual results:
Could not read CA certificate "/etc/docker/ca.pem": open /etc/docker/ca.pem: no such file or directory

Expected results:
expected version info about client and server sides

Additional info:
simple workaround: use directly docker binary and not /usr/bin/docker wrapper:

$ docker-current version

Comment 1 Ondřej Pták 2016-06-14 09:49:01 UTC
step 1 in previous comment should contain:
export DOCKER_TLS_VERIFY=1

Comment 3 Daniel Walsh 2016-06-14 18:17:00 UTC
Could you attach /usr/bin/docker

Comment 4 Lokesh Mandvekar 2016-06-14 18:26:12 UTC
unless anything's been changed, this is what the rpm installs:


#!/bin/sh
. /etc/sysconfig/docker
[ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current
if [ ! -f /usr/bin/docker-current ]; then
    DOCKERBINARY=/usr/bin/docker-latest
fi
if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then
    echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY
    echo ""
    echo "Please set DOCKERBINARY to /usr/bin/docker-current or /usr/bin/docker-latest
by editing /etc/sysconfig/docker"
else
    exec ${DOCKERBINARY} "$@"
fi

Comment 5 Lokesh Mandvekar 2016-06-14 18:31:41 UTC
Ondřej, help me understand, does this issue still occur if you change the value for DOCKER_CERT_PATH in /etc/sysconfig/docker itself. Are you setting those 3 variables in the shell itself?

Comment 6 Lokesh Mandvekar 2016-06-14 18:35:03 UTC
Ohh is it that in your case your DOCKER_CERT_PATH will vary a lot and that's why you don't want to depend on a fixed DOCKER_CERT_PATH in /etc/sysconfig/docker ?

Comment 7 Daniel Walsh 2016-06-14 19:09:04 UTC
Instead of 

. /etc/sysconfig/docker

we could just do

eval $(grep ^DOCKERBINARY /etc/sysconfig/docker | head -1)

Which I think will solve the problem.

Comment 8 Lokesh Mandvekar 2016-06-14 20:04:10 UTC
I'll try that, btw is this gonna be a blocker?

Comment 9 Daniel Walsh 2016-06-15 12:50:32 UTC
I have no idea that is up to Product Management.

Comment 10 Ondřej Pták 2016-06-28 12:49:09 UTC
Yes, I need to change these variables often, using vagrant plugin:
https://github.com/projectatomic/vagrant-service-manager
which work by exporting env variables, including DOCKER_CERT_PATH.
By this way, it's also possible to have multiple running vagrant boxes with different values of DOCKER_CERT_PATH (and several other DOCKER* variables).

Comment 11 Daniel Walsh 2016-08-19 22:32:09 UTC
Lokesh should this be in modified state?

Comment 12 Maru Newby 2016-10-12 17:13:04 UTC
This is still a problem on centos 7.2 with docker-1.10.3-46.el7.centos.10.x86_64.

An easy workaround is to update /etc/sysconfig/docker to not override DOCKER_CERT_PATH if it is already set:

< DOCKER_CERT_PATH=/etc/docker
---
> if [ -z "${DOCKER_CERT_PATH}" ]; then
>   DOCKER_CERT_PATH=/etc/docker
> fi

Comment 13 Lokesh Mandvekar 2016-10-12 18:44:49 UTC
(In reply to Maru Newby from comment #12)
> This is still a problem on centos 7.2 with
> docker-1.10.3-46.el7.centos.10.x86_64.
> 
> An easy workaround is to update /etc/sysconfig/docker to not override
> DOCKER_CERT_PATH if it is already set:
> 
> < DOCKER_CERT_PATH=/etc/docker
> ---
> > if [ -z "${DOCKER_CERT_PATH}" ]; then
> >   DOCKER_CERT_PATH=/etc/docker
> > fi

Thanks, I'll include this in the 7.3.1 release with the next build.

Comment 14 Daniel Walsh 2016-10-18 14:18:46 UTC
Fixed in docker-1.12 release.

Comment 16 Luwen Su 2016-11-10 09:11:13 UTC
This is included in docker-1.12.3-4.el7.x86_64

#cat /etc/sysconfig/docker | grep -i1 DOCKER_CERT_PATH
OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi

Comment 17 Alex Jia 2016-11-29 00:14:53 UTC
And worked in docker-1.12.3-8.el7.

# docker version
Could not read CA certificate "/path/to/dir/with/cert/ca.pem": open /path/to/dir/with/cert/ca.pem: no such file or directory

Comment 19 errata-xmlrpc 2017-01-17 20:43:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html

Comment 20 Mike Goodwin 2017-06-24 16:04:48 UTC
Can someone advise me if there's a sibling bug for this in fedora? 

Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64

and it is broken (and fixable) in the same exact manner.

Comment 21 Dusty Mabe 2017-06-26 02:12:50 UTC
(In reply to Mike Goodwin from comment #20)
> Can someone advise me if there's a sibling bug for this in fedora? 
> 
> Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64
> 
> and it is broken (and fixable) in the same exact manner.

I would say please open a bug if you can reproduce it there.


Note You need to log in before you can comment on or make changes to this bug.