Hide Forgot
Description of problem: /usr/bin/docker (wrapper) overwrites DOCKER_CERT_PATH variable by sourcing file /etc/sysconfig/docker, which contains: DOCKER_CERT_PATH=/etc/docker This brokes scenario when user want to configure docker client to communicate with specific server. Version-Release number of selected component (if applicable): docker-common-1.9.1-40.el7.x86_64 docker-1.9.1-40.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Confugure docker client similar to this: export DOCKER_HOST=tcp://10.1.2.2:2376 export DOCKER_CERT_PATH=/path/to/dir/with/cert export DOCKER_TLS_VERIFY= 2. run docker version # or any other docker command Actual results: Could not read CA certificate "/etc/docker/ca.pem": open /etc/docker/ca.pem: no such file or directory Expected results: expected version info about client and server sides Additional info: simple workaround: use directly docker binary and not /usr/bin/docker wrapper: $ docker-current version
step 1 in previous comment should contain: export DOCKER_TLS_VERIFY=1
Could you attach /usr/bin/docker
unless anything's been changed, this is what the rpm installs: #!/bin/sh . /etc/sysconfig/docker [ -e "${DOCKERBINARY}" ] || DOCKERBINARY=/usr/bin/docker-current if [ ! -f /usr/bin/docker-current ]; then DOCKERBINARY=/usr/bin/docker-latest fi if [[ ${DOCKERBINARY} != "/usr/bin/docker-current" && ${DOCKERBINARY} != /usr/bin/docker-latest ]]; then echo "DOCKERBINARY has been set to an invalid value:" $DOCKERBINARY echo "" echo "Please set DOCKERBINARY to /usr/bin/docker-current or /usr/bin/docker-latest by editing /etc/sysconfig/docker" else exec ${DOCKERBINARY} "$@" fi
Ondřej, help me understand, does this issue still occur if you change the value for DOCKER_CERT_PATH in /etc/sysconfig/docker itself. Are you setting those 3 variables in the shell itself?
Ohh is it that in your case your DOCKER_CERT_PATH will vary a lot and that's why you don't want to depend on a fixed DOCKER_CERT_PATH in /etc/sysconfig/docker ?
Instead of . /etc/sysconfig/docker we could just do eval $(grep ^DOCKERBINARY /etc/sysconfig/docker | head -1) Which I think will solve the problem.
I'll try that, btw is this gonna be a blocker?
I have no idea that is up to Product Management.
Yes, I need to change these variables often, using vagrant plugin: https://github.com/projectatomic/vagrant-service-manager which work by exporting env variables, including DOCKER_CERT_PATH. By this way, it's also possible to have multiple running vagrant boxes with different values of DOCKER_CERT_PATH (and several other DOCKER* variables).
Lokesh should this be in modified state?
This is still a problem on centos 7.2 with docker-1.10.3-46.el7.centos.10.x86_64. An easy workaround is to update /etc/sysconfig/docker to not override DOCKER_CERT_PATH if it is already set: < DOCKER_CERT_PATH=/etc/docker --- > if [ -z "${DOCKER_CERT_PATH}" ]; then > DOCKER_CERT_PATH=/etc/docker > fi
(In reply to Maru Newby from comment #12) > This is still a problem on centos 7.2 with > docker-1.10.3-46.el7.centos.10.x86_64. > > An easy workaround is to update /etc/sysconfig/docker to not override > DOCKER_CERT_PATH if it is already set: > > < DOCKER_CERT_PATH=/etc/docker > --- > > if [ -z "${DOCKER_CERT_PATH}" ]; then > > DOCKER_CERT_PATH=/etc/docker > > fi Thanks, I'll include this in the 7.3.1 release with the next build.
Fixed in docker-1.12 release.
This is included in docker-1.12.3-4.el7.x86_64 #cat /etc/sysconfig/docker | grep -i1 DOCKER_CERT_PATH OPTIONS='--selinux-enabled --log-driver=journald' if [ -z "${DOCKER_CERT_PATH}" ]; then DOCKER_CERT_PATH=/etc/docker fi
And worked in docker-1.12.3-8.el7. # docker version Could not read CA certificate "/path/to/dir/with/cert/ca.pem": open /path/to/dir/with/cert/ca.pem: no such file or directory
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2017-0116.html
Can someone advise me if there's a sibling bug for this in fedora? Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64 and it is broken (and fixable) in the same exact manner.
(In reply to Mike Goodwin from comment #20) > Can someone advise me if there's a sibling bug for this in fedora? > > Fedora 25 - docker-1.12.6-6.gitae7d637.fc25.x86_64 > > and it is broken (and fixable) in the same exact manner. I would say please open a bug if you can reproduce it there.