Bug 1460378 - docker improper handle registry config
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Brent Baude
QA Contact: atomic-bugs@redhat.com
Keywords: Extras
Reported: 2017-06-09 17:38 EDT by CAI Qian
Modified: 2017-08-01 20:11 EDT (History)
Fixed In Version: docker-1.12.6-38.1.git6ffd653.el7
Last Closed: 2017-08-01 20:11:21 EDT
Type: Bug

Description CAI Qian 2017-06-09 17:38:00 EDT
Description of problem:
Since docker switches to use atomic-registry, the docker unit file assumes that /etc/containers/registries.conf is a shell environment file that can be parsed directly to the docker daemon.

# cat /usr/lib/systemd/system/docker.service
...
+EnvironmentFile=-/run/containers/registries.conf
...
ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --authorization-plugin=rhel-push-plugin \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          $INSECURE_REGISTRY\
          $REGISTRIES

But in fact, it is in YAML format and needs to be parsed by the registries command first before being passed to the docker daemon.

# /usr/libexec/registries
 --insecure-registry brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888

Comment 1 CAI Qian 2017-06-09 17:38:58 EDT
docker-1.12.6-33.1.git3a6eaeb.el7
Comment 2 CAI Qian 2017-06-09 17:44:11 EDT
To work around it, just hard-code your registries in the docker unit file, like:

ExecStart=/usr/bin/dockerd-current \
          --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current \
          --default-runtime=docker-runc \
          --authorization-plugin=rhel-push-plugin \
          --exec-opt native.cgroupdriver=systemd \
          --userland-proxy-path=/usr/libexec/docker/docker-proxy-current \
          $OPTIONS \
          $DOCKER_STORAGE_OPTIONS \
          $DOCKER_NETWORK_OPTIONS \
          $ADD_REGISTRY \
          $BLOCK_REGISTRY \
          --insecure-registry brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888\
          $REGISTRIES
Comment 3 Brent Baude 2017-06-13 12:10:01 EDT
I think something is wrong or a wrong assumption is being made here. The file /etc/containers/registries.conf is in YAML format. But the atomic-registries service file creates a text file /run/containers/registries.conf (which is not YAML). Therefore, that file can be loaded by systemd as an export. Perhaps you can show the error you were getting? Or perhaps you were editing /run/containers/registries.conf and not /etc/containers/registries.conf?
Comment 4 CAI Qian 2017-06-13 13:06:06 EDT
Change this line in docker.service.

+EnvironmentFile=-/run/containers/registries.conf

to

EnvironmentFile=-/run/containers/registries.conf

Fixed the problem. No idea why the plus sign is needed.
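
Comment 4 traces the failure to a stray "+" in front of EnvironmentFile= in docker.service. The check below is an added example, not part of this bug report or of the docker package: it flags unit-file lines that are not well-formed "Key=value" directives. The names lint_unit and write_samples, the sample unit files, and the directive-name pattern (a heuristic) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): heuristic lint for systemd unit files.

# lint_unit FILE: print "LINE: text" for every line that is neither a comment,
# a section header, a continuation, nor a well-formed "Key=value" directive.
# Returns 1 if anything was flagged, 0 otherwise.
lint_unit() {
    awk '
        BEGIN { bad = 0 }
        cont { cont = ($0 ~ /\\$/); next }          # value continued from previous line
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }         # blank lines and comments
        /^[ \t]*\[[^]]+\][ \t]*$/ { next }           # [Section] headers
        {
            cont = ($0 ~ /\\$/)                      # does this directive continue?
            if ($0 !~ /^[ \t]*[A-Za-z][A-Za-z0-9-]*[ \t]*=/) {
                printf "%d: %s\n", NR, $0            # e.g. leftover diff marker
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# write_samples DIR: constructed unit files modelled on the excerpt in the report.
write_samples() {
    cat > "$1/broken.service" <<'EOF'
[Service]
Type=notify
+EnvironmentFile=-/run/containers/registries.conf
ExecStart=/usr/bin/dockerd-current \
          $OPTIONS \
          $REGISTRIES
EOF
    # The corrected file is the same unit with the stray "+" removed.
    sed 's/^+//' "$1/broken.service" > "$1/fixed.service"
}

tmp=$(mktemp -d)
write_samples "$tmp"
lint_unit "$tmp/broken.service" || echo "broken.service: unrecognised directive line(s) above"
lint_unit "$tmp/fixed.service" && echo "fixed.service: clean"
rm -rf "$tmp"
```

Where it is available, systemd-analyze verify can also be run against the unit to surface parse warnings from systemd itself.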
Comment 7 errata-xmlrpc 2017-08-01 20:11:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2344
