Bug 1502560 - Default docker parameter "--signature-enabled=false" shouldn't be removed during the installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Michael Gugino
QA Contact: Gan Huang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-10-16 08:45 UTC by Gan Huang
Modified: 2017-11-28 22:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 22:17:21 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHSA-2017:3188 (priority normal, status SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update. Last updated 2017-11-29 02:34:54 UTC.

Description Gan Huang 2017-10-16 08:45:00 UTC
Description of problem:
A new docker option (--signature-enabled) was introduced in the latest docker-1.12 (uncertain of the precise version introducing the new parameter). It's set to false by default in /etc/sysconfig/docker. Unfortunately the installer would remove the parameter during the installation, and docker would get the default value of True.

Version-Release number of the following components:
docker-1.12.6-55.gitc4618fb.el7.x86_64

How reproducible:
always 

Steps to Reproduce:
1. Provision instances to be installed:
Check the options prior to triggering openshift-ansible
# grep  "OPTIONS" /etc/sysconfig/docker
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'

2. Trigger installation

3. Check the options after installation


Actual results:
`--signature-enabled` was removed:
# grep OPTIONS /etc/sysconfig/docker
OPTIONS=' --selinux-enabled  --log-driver=journald'

S2I build failed
# oc logs -f bc/cakephp-mysql-example
Cloning "https://github.com/openshift/cakephp-ex.git" ...
	Commit:	7969534afdf9490ca79e37e672f0b9c81887ec28 (Merge pull request #81 from bparees/readiness)
	Author:	Ben Parees <bparees.github.com>
	Date:	Mon Sep 11 01:15:51 2017 -0400
pulling image error : unable to pull from V1 Docker registries with image signature verification enabled. If you need to accept this risk and disable signature verification (for ALL images), run the docker daemon with --signature-enabled=false
error: build error: unable to get registry.access.redhat.com/rhscl/php-70-rhel7@sha256:00810c34044d6772f35082416423665a7519bcc62ffeb5821bdad03f90a49e6b

Expected results:
--signature-enabled should persist in /etc/sysconfig/docker

Additional info:
Please attach logs from ansible-playbook with the -vvv flag
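Added example (not part of the bug report, and not openshift-ansible's own code): a shell helper that shows the behaviour the report asks of the installer. It reads OPTIONS= from a sysconfig file, merges the flags an installer manages into that value without dropping flags it does not know about (here --signature-verification=false, the flag shown in the report), rewrites the line in place, and checks whether the daemon would start with signature verification disabled. The function names and the sysconfig content are assumptions constructed for this example; the flag names are the ones in the report.

```shell
#!/usr/bin/env bash
# Added example, not from openshift-ansible or the bug report.
# Sets installer-managed flags in OPTIONS= while keeping every flag the
# installer does not manage, and checks whether the daemon would run with
# signature verification off. The sysconfig content below is constructed.
set -eu

# Print the value of the OPTIONS= line without its surrounding quotes;
# prints nothing if the line is absent.
sysconfig_options() {
    local line="" value=""
    line=$(grep '^OPTIONS=' "$1" | tail -n 1) || true
    value=${line#OPTIONS=}
    case $value in
        \'*\') value=${value#\'}; value=${value%\'} ;;
        \"*\") value=${value#\"}; value=${value%\"} ;;
    esac
    printf '%s\n' "$value"
}

# Succeed only if OPTIONS contains --signature-verification=false. Per the
# report, an absent flag means the daemon defaults to verification enabled,
# which is what makes pulls from V1 registries fail.
signature_verification_disabled() {
    local opt=""
    for opt in $(sysconfig_options "$1"); do
        case $opt in
            --signature-verification=false|--signature-verification=False) return 0 ;;
        esac
    done
    return 1
}

# Merge installer-managed flags into an existing OPTIONS value.
#   $1      current OPTIONS value (already unquoted)
#   $2..$n  flags the installer manages, e.g. --log-driver=journald
# A managed flag replaces an existing flag of the same name (the part before
# '=') in place; managed flags not yet present are appended; all other flags
# are kept. Splitting on whitespace matches how the unit expands $OPTIONS.
merge_docker_options() {
    local current="$1"; shift
    local result="" opt="" managed="" seen=""
    for opt in $current; do
        for managed in "$@"; do
            if [ "${opt%%=*}" = "${managed%%=*}" ]; then
                opt=$managed
                break
            fi
        done
        result="$result $opt"
    done
    for managed in "$@"; do
        seen=0
        for opt in $result; do
            if [ "${opt%%=*}" = "${managed%%=*}" ]; then seen=1; fi
        done
        if [ "$seen" -eq 0 ]; then result="$result $managed"; fi
    done
    printf '%s\n' "${result# }"
}

# Rewrite the OPTIONS= line in place: same line position, same inode, so
# ownership and SELinux context of the file are unchanged.
write_sysconfig_options() {
    local file="$1"; shift
    local merged="" tmp=""
    merged=$(merge_docker_options "$(sysconfig_options "$file")" "$@")
    tmp=$(mktemp)
    awk -v new="OPTIONS='$merged'" '
        /^OPTIONS=/ { if (!done) { print new; done = 1 } next }
        { print }
        END { if (!done) print new }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Demo on a constructed copy of the pre-install state from the report.
demo() {
    local f=""
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/sysconfig/docker for this example
OPTIONS='--selinux-enabled --log-driver=journald --signature-verification=false'
ADD_REGISTRY='--add-registry registry.access.redhat.com'
EOF
    # The installer's own flag list says nothing about signature verification.
    write_sysconfig_options "$f" --selinux-enabled --log-driver=journald
    grep '^OPTIONS=' "$f"
    if signature_verification_disabled "$f"; then
        echo "ok: --signature-verification=false survived the rewrite"
    else
        echo "BUG: flag dropped, daemon would verify signatures and refuse V1 pulls"
    fi
    rm -f "$f"
}

demo
```

The demo only touches a temporary file; to use it on a host, pass /etc/sysconfig/docker and the installer's flag list to write_sysconfig_options, then run signature_verification_disabled as the post-install check from step 3 of the report.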

Comment 2 Michael Gugino 2017-10-16 16:51:58 UTC
Looks like someone was hitting this back in February: https://bugzilla.redhat.com/show_bug.cgi?id=1425646

Comment 3 Michael Gugino 2017-10-16 17:02:55 UTC
This bug references that option as well: https://bugzilla.redhat.com/show_bug.cgi?id=1403908

Comment 4 Michael Gugino 2017-10-16 17:34:15 UTC
It appears that signature-verification has been present since 1.12.2, https://github.com/projectatomic/docker/blob/docker-1.12.2/daemon/config_unix.go

I don't see a branch here tagged for 1.12.0 or 1.12.1, 1.12.2 is the oldest branch of 1.12 available in this repo.

It's probably safe to say that for most 1.12 users, this option will not break their install.

Comment 5 Michael Gugino 2017-10-16 18:17:55 UTC
PR Submitted: https://github.com/openshift/openshift-ansible/pull/5774

Comment 7 Gan Huang 2017-10-24 06:11:48 UTC
Verified in openshift-ansible-3.7.0-0.176.0.git.0.eec12b8.el7.noarch.rpm

By default `--signature-verification=False`; unable to reproduce the issue as in comment 1 even when removing `--signature-verification=True`. Anyway, it should not break the verification.

Comment 10 errata-xmlrpc 2017-11-28 22:17:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

