Description of problem:
New docker option (--signature-enabled) introduced in latest docker-1.12 (uncertain the precise version introducing the new parameter). It's set to false by default in /etc/sysconfig/docker. Unfortunately installer would remove the parameter during the installation, and docker would get the default value as True.
Version-Release number of the following components:
Steps to Reproduce:
1. Provision instances to be installed:
Check the options prior to trigger openshift-ansible
# grep "OPTIONS" /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
3. Check the options after installation
`--signature-enabled` was removed:
# grep OPTIONS /etc/sysconfig/docker
OPTIONS=' --selinux-enabled --log-driver=journald'
S2I build failed
# oc logs -f bc/cakephp-mysql-example
Cloning "https://github.com/openshift/cakephp-ex.git" ...
Commit: 7969534afdf9490ca79e37e672f0b9c81887ec28 (Merge pull request #81 from bparees/readiness)
Author: Ben Parees <email@example.com>
Date: Mon Sep 11 01:15:51 2017 -0400
pulling image error : unable to pull from V1 Docker registries with image signature verification enabled. If you need to accept this risk and disable signature verification (for ALL images), run the docker daemon with --signature-enabled=false
error: build error: unable to get registry.access.redhat.com/rhscl/php-70-rhel7@sha256:00810c34044d6772f35082416423665a7519bcc62ffeb5821bdad03f90a49e6b
--signature-enabled should persists in /etc/sysconfig/docker
Please attach logs from ansible-playbook with the -vvv flag
Looks like someone was hitting this back in February: https://bugzilla.redhat.com/show_bug.cgi?id=1425646
This bug references that option as well: https://bugzilla.redhat.com/show_bug.cgi?id=1403908
It appears that the signature-verification has been present since 1.12.2, https://github.com/projectatomic/docker/blob/docker-1.12.2/daemon/config_unix.go
I don't see a branch here tagged for 1.12.0 or 1.12.1, 1.12.2 is the oldest branch of 1.12 available in this repo.
It's probably safe to say that for most 1.12 users, this option will not break their install.
PR Submitted: https://github.com/openshift/openshift-ansible/pull/5774
Verified in openshift-ansible-3.7.0-0.176.0.git.0.eec12b8.el7.noarch.rpm
By default `--signature-verification=False`, unable to reproduce the issue as comment 1 even if removing `--signature-verification=True`. Anyway it should not break the verification.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.