Bug 1502560 - Default docker parameter "--signature-enabled=false" shouldn't be removed during the installation
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
3.7.0
Unspecified Unspecified
high Severity medium
: 3.7.0
Assigned To: Michael Gugino
Gan Huang
Reported: 2017-10-16 04:45 EDT by Gan Huang
Modified: 2017-11-28 17:17 EST
Last Closed: 2017-11-28 17:17:21 EST
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-28 21:34:54 EST

Description Gan Huang 2017-10-16 04:45:00 EDT
Description of problem:
A new docker option (--signature-enabled) was introduced in the latest docker-1.12 (uncertain of the precise version introducing the new parameter). It's set to false by default in /etc/sysconfig/docker. Unfortunately, the installer would remove the parameter during the installation, and docker would get the default value of True.

Version-Release number of the following components:
docker-1.12.6-55.gitc4618fb.el7.x86_64

How reproducible:
always 

Steps to Reproduce:
1. Provision instances to be installed:
Check the options prior to triggering openshift-ansible
# grep  "OPTIONS" /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'

2. Trigger installation

3. Check the options after installation


Actual results:
`--signature-enabled` was removed:
# grep OPTIONS /etc/sysconfig/docker
OPTIONS=' --selinux-enabled  --log-driver=journald'

S2I build failed
# oc logs -f bc/cakephp-mysql-example
Cloning "https://github.com/openshift/cakephp-ex.git" ...
	Commit:	7969534afdf9490ca79e37e672f0b9c81887ec28 (Merge pull request #81 from bparees/readiness)
	Author:	Ben Parees <bparees@users.noreply.github.com>
	Date:	Mon Sep 11 01:15:51 2017 -0400
pulling image error : unable to pull from V1 Docker registries with image signature verification enabled. If you need to accept this risk and disable signature verification (for ALL images), run the docker daemon with --signature-enabled=false
error: build error: unable to get registry.access.redhat.com/rhscl/php-70-rhel7@sha256:00810c34044d6772f35082416423665a7519bcc62ffeb5821bdad03f90a49e6b

Expected results:
--signature-enabled should persist in /etc/sysconfig/docker

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
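
Added example, not part of the original report and not openshift-ansible code: a shell check that compares the OPTIONS line of a snapshot of /etc/sysconfig/docker taken before the installer run with the file afterwards, and lists any daemon flags that were dropped. The function names and temporary files are hypothetical; the sample input is constructed from the two OPTIONS lines quoted in the report.

```shell
#!/bin/sh
# Added example: report docker daemon flags that an installer run removed
# from the OPTIONS= line of a sysconfig file.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Print each flag of the last OPTIONS= assignment in file $1, one per line, sorted.
docker_options() {
    sed -n "s/^[[:space:]]*OPTIONS=//p" "$1" | tail -n 1 |
        tr -d "'\"" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u
}

# Print flags present in snapshot $1 but absent from current file $2.
dropped_options() {
    before=$(mktemp) after=$(mktemp)
    docker_options "$1" > "$before"
    docker_options "$2" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample: the "before" and "after" OPTIONS lines from the report.
demo_from_report() {
    dir=$(mktemp -d)
    printf "%s\n" "OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'" > "$dir/before"
    printf "%s\n" "OPTIONS=' --selinux-enabled  --log-driver=journald'" > "$dir/after"
    dropped_options "$dir/before" "$dir/after"
    rm -rf "$dir"
}

# With two arguments compare real files; otherwise run the constructed sample.
if [ "$#" -eq 2 ]; then
    dropped_options "$1" "$2"
else
    demo_from_report
fi
```

To use it on a host, copy /etc/sysconfig/docker aside before triggering the installation and pass the copy and the live file as the two arguments.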
Comment 2 Michael Gugino 2017-10-16 12:51:58 EDT
Looks like someone was hitting this back in February: https://bugzilla.redhat.com/show_bug.cgi?id=1425646
Comment 3 Michael Gugino 2017-10-16 13:02:55 EDT
This bug references that option as well: https://bugzilla.redhat.com/show_bug.cgi?id=1403908
Comment 4 Michael Gugino 2017-10-16 13:34:15 EDT
It appears that the signature-verification has been present since 1.12.2, https://github.com/projectatomic/docker/blob/docker-1.12.2/daemon/config_unix.go

I don't see a branch here tagged for 1.12.0 or 1.12.1; 1.12.2 is the oldest branch of 1.12 available in this repo.

It's probably safe to say that for most 1.12 users, this option will not break their install.
Comment 5 Michael Gugino 2017-10-16 14:17:55 EDT
PR Submitted: https://github.com/openshift/openshift-ansible/pull/5774
Comment 7 Gan Huang 2017-10-24 02:11:48 EDT
Verified in openshift-ansible-3.7.0-0.176.0.git.0.eec12b8.el7.noarch.rpm

By default `--signature-verification=False`; unable to reproduce the issue as in comment 1 even when removing `--signature-verification=True`. Anyway, it should not break the verification.
Comment 10 errata-xmlrpc 2017-11-28 17:17:21 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
