Bug 1346206 - docker command overwrites DOCKER_CERT_PATH variable
Summary: docker command overwrites DOCKER_CERT_PATH variable
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Reported: 2016-06-14 09:23 UTC by Ondřej Pták
Modified: 2019-03-06 01:08 UTC (History)
Last Closed: 2017-01-17 20:43:13 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2017:0116 | 0 | normal | SHIPPED_LIVE | Moderate: docker security, bug fix, and enhancement update | 2017-01-18 01:39:43 UTC

Internal Links: 1402074

Description Ondřej Pták 2016-06-14 09:23:49 UTC
Description of problem:
/usr/bin/docker (wrapper) overwrites DOCKER_CERT_PATH variable
by sourcing file /etc/sysconfig/docker, which contains:
DOCKER_CERT_PATH=/etc/docker

This breaks the scenario when a user wants to configure the docker client to communicate with a specific server.


Version-Release number of selected component (if applicable):
docker-common-1.9.1-40.el7.x86_64
docker-1.9.1-40.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure docker client similar to this:

export DOCKER_HOST=tcp://10.1.2.2:2376
export DOCKER_CERT_PATH=/path/to/dir/with/cert
export DOCKER_TLS_VERIFY=

2. run docker version # or any other docker command

Actual results:
Could not read CA certificate "/etc/docker/ca.pem": open /etc/docker/ca.pem: no such file or directory

Expected results:
expected version info about client and server sides

Additional info:
Simple workaround: use the docker binary directly and not the /usr/bin/docker wrapper:

$ docker-current version

Comment 1 Ondřej Pták 2016-06-14 09:49:01 UTC
step 1 in previous comment should contain:
export DOCKER_TLS_VERIFY=1

Comment 3 Daniel Walsh 2016-06-14 18:17:00 UTC
Could you attach /usr/bin/docker?

Comment 4 Lokesh Mandvekar 2016-06-14 18:26:12 UTC
unless anything's been changed, this is what the rpm installs:


#!/bin/sh
. /etc/sysconfig/docker
[ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current
if [ ! -f /usr/bin/docker-current ]; then
    DOCKERBINARY=/usr/bin/docker-latest
fi
if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then
    echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY
    echo ""
    echo "Please set DOCKERBINARY to /usr/bin/docker-current or /usr/bin/docker-latest
by editing /etc/sysconfig/docker"
else
    exec ${DOCKERBINARY} "$@"
fi

Comment 5 Lokesh Mandvekar 2016-06-14 18:31:41 UTC
Ondřej, help me understand: does this issue still occur if you change the value for DOCKER_CERT_PATH in /etc/sysconfig/docker itself? Are you setting those 3 variables in the shell itself?

Comment 6 Lokesh Mandvekar 2016-06-14 18:35:03 UTC
Ohh is it that in your case your DOCKER_CERT_PATH will vary a lot and that's why you don't want to depend on a fixed DOCKER_CERT_PATH in /etc/sysconfig/docker ?

Comment 7 Daniel Walsh 2016-06-14 19:09:04 UTC
Instead of 

. /etc/sysconfig/docker

we could just do

eval $(grep ^DOCKERBINARY /etc/sysconfig/docker | head -1)

Which I think will solve the problem.

Comment 8 Lokesh Mandvekar 2016-06-14 20:04:10 UTC
I'll try that, btw is this gonna be a blocker?

Comment 9 Daniel Walsh 2016-06-15 12:50:32 UTC
I have no idea; that is up to Product Management.

Comment 10 Ondřej Pták 2016-06-28 12:49:09 UTC
Yes, I need to change these variables often, using vagrant plugin:
https://github.com/projectatomic/vagrant-service-manager
which works by exporting env variables, including DOCKER_CERT_PATH.
This way, it's also possible to have multiple running vagrant boxes with different values of DOCKER_CERT_PATH (and several other DOCKER* variables).

Comment 11 Daniel Walsh 2016-08-19 22:32:09 UTC
Lokesh, should this be in modified state?

Comment 12 Maru Newby 2016-10-12 17:13:04 UTC
This is still a problem on centos 7.2 with docker-1.10.3-46.el7.centos.10.x86_64.

An easy workaround is to update /etc/sysconfig/docker to not override DOCKER_CERT_PATH if it is already set:

< DOCKER_CERT_PATH=/etc/docker
---
> if [ -z "${DOCKER_CERT_PATH}" ]; then
>   DOCKER_CERT_PATH=/etc/docker
> fi
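
Review bot: the guard protects only DOCKER_CERT_PATH, so any other variable that /etc/sysconfig/docker assigns unconditionally still overrides a value the caller exported, because the wrapper sources the whole file. Either guard each client-side variable the same way or have the wrapper read only DOCKERBINARY, as proposed in comment 7. Also note that `[ -z "${DOCKER_CERT_PATH}" ]` treats an exported empty value the same as an unset one; test `${DOCKER_CERT_PATH+set}` instead if that distinction matters.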

Comment 13 Lokesh Mandvekar 2016-10-12 18:44:49 UTC
(In reply to Maru Newby from comment #12)
> This is still a problem on centos 7.2 with
> docker-1.10.3-46.el7.centos.10.x86_64.
> 
> An easy workaround is to update /etc/sysconfig/docker to not override
> DOCKER_CERT_PATH if it is already set:
> 
> < DOCKER_CERT_PATH=/etc/docker
> ---
> > if [ -z "${DOCKER_CERT_PATH}" ]; then
> >   DOCKER_CERT_PATH=/etc/docker
> > fi

Thanks, I'll include this in the 7.3.1 release with the next build.

Comment 14 Daniel Walsh 2016-10-18 14:18:46 UTC
Fixed in docker-1.12 release.

Comment 16 Luwen Su 2016-11-10 09:11:13 UTC
This is included in docker-1.12.3-4.el7.x86_64

#cat /etc/sysconfig/docker | grep -i1 DOCKER_CERT_PATH
OPTIONS='--selinux-enabled --log-driver=journald'
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi
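
The three ways of loading /etc/sysconfig/docker discussed in comments 4, 7 and 12/16, compared side by side as an added example (not code from this bug report or from the docker package). The function name `child_cert_path`, the temporary config file and the stub child process standing in for docker-current are all constructed for illustration.

```shell
#!/bin/sh
# Added example: everything lives in a temp dir; nothing here is the packaged wrapper.
# child_cert_path MODE VALUE prints the DOCKER_CERT_PATH a child process inherits
# when the caller exported VALUE and the wrapper loads its config using MODE:
#   plain = source unguarded file, guarded = source fixed file, grep_eval = comment 7.
child_cert_path() {
    mode=$1 caller_value=$2
    dir=$(mktemp -d) || return 1
    conf=$dir/sysconfig-docker   # constructed stand-in for /etc/sysconfig/docker

    # Config file: guarded assignment (the fix) or plain assignment (the bug).
    if [ "$mode" = guarded ]; then
        cat > "$conf" <<'EOF'
DOCKERBINARY=/usr/bin/docker-current
if [ -z "${DOCKER_CERT_PATH}" ]; then
    DOCKER_CERT_PATH=/etc/docker
fi
EOF
    else
        cat > "$conf" <<'EOF'
DOCKERBINARY=/usr/bin/docker-current
DOCKER_CERT_PATH=/etc/docker
EOF
    fi

    # Wrapper: read only DOCKERBINARY, or source the whole file.
    if [ "$mode" = grep_eval ]; then
        load="eval \$(grep ^DOCKERBINARY $conf | head -1)"
    else
        load=". $conf"
    fi
    cat > "$dir/wrapper" <<EOF
$load
exec sh -c 'printf %s "\$DOCKER_CERT_PATH"'
EOF

    # The caller exports its value; the stub child reports what it inherited.
    DOCKER_CERT_PATH=$caller_value sh "$dir/wrapper"
    rm -rf "$dir"
}

# Show what the child sees for each loading strategy.
for m in plain guarded grep_eval; do
    printf '%-9s -> %s\n' "$m" "$(child_cert_path "$m" /path/to/dir/with/cert)"
done
```

Calling `child_cert_path guarded ''` returns `/etc/docker`: the `-z` guard treats an exported empty value the same as an unset one.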

Comment 17 Alex Jia 2016-11-29 00:14:53 UTC
And worked in docker-1.12.3-8.el7.

# docker version
Could not read CA certificate "/path/to/dir/with/cert/ca.pem": open /path/to/dir/with/cert/ca.pem: no such file or directory

Comment 19 errata-xmlrpc 2017-01-17 20:43:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0116.html

Comment 20 Mike Goodwin 2017-06-24 16:04:48 UTC
Can someone advise me if there's a sibling bug for this in fedora? 

Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64

and it is broken (and fixable) in the same exact manner.

Comment 21 Dusty Mabe 2017-06-26 02:12:50 UTC
(In reply to Mike Goodwin from comment #20)
> Can someone advise me if there's a sibling bug for this in fedora? 
> 
> Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64
> 
> and it is broken (and fixable) in the same exact manner.

I would say please open a bug if you can reproduce it there.

