Docker rootless dies when unable to read /etc/docker/certs.d #40236

@Caligatio

Description


Steps to reproduce the issue:

  1. sudo mkdir -p /etc/docker/certs.d/quay.io && sudo touch /etc/docker/certs.d/quay.io/{client.cert,client.key,ca.crt} && sudo chmod 700 /etc/docker/certs.d/quay.io
  2. ./dockerd-rootless.sh --experimental
  3. docker -H unix:///run/user//docker.sock pull quay.io/benyoo/gitlab

Describe the results you received:

docker -H unix:///run/user/1000/docker.sock pull quay.io/benyoo/gitlab
Using default tag: latest
Error response from daemon: open /etc/docker/certs.d/quay.io: permission denied

Describe the results you expected:
If the rootless daemon cannot read /etc/docker/certs.d, it should ignore the directory.
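The tolerant lookup the reporter expects, written out as an added Go example (not moby's own registry code): `loadRegistryTLS` is a hypothetical helper; the certs.d layout it reads (one directory per registry host containing *.crt, *.cert and *.key files) follows Docker's documented convention. An unreadable directory is skipped with a warning rather than aborting the pull, because a CA or client certificate installed by root is then silently not in use.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// loadRegistryTLS builds a TLS config from a per-registry directory such as
// /etc/docker/certs.d/quay.io (*.crt: extra root CA; *.cert + *.key: client
// cert). An absent directory, or one the unprivileged daemon cannot read (this
// report's case), yields found=false and a default config rather than an error.
func loadRegistryTLS(dir string) (*tls.Config, bool, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	entries, err := os.ReadDir(dir)
	if err != nil {
		if !errors.Is(err, os.ErrNotExist) && !errors.Is(err, os.ErrPermission) {
			return nil, false, err // e.g. ENOTDIR or an I/O error: still fatal
		}
		if errors.Is(err, os.ErrPermission) {
			log.Printf("warning: ignoring unreadable certs directory %s", dir)
		}
		return cfg, false, nil
	}
	pool := x509.NewCertPool()
	for _, e := range entries {
		path := filepath.Join(dir, e.Name())
		switch filepath.Ext(e.Name()) {
		case ".crt":
			pem, rerr := os.ReadFile(path)
			if rerr != nil || !pool.AppendCertsFromPEM(pem) {
				return nil, false, fmt.Errorf("%s: unreadable or no PEM certificates (%v)", path, rerr)
			}
			cfg.RootCAs = pool // a readable but malformed ca.crt is a real error
		case ".cert":
			pair, lerr := tls.LoadX509KeyPair(path, strings.TrimSuffix(path, ".cert")+".key")
			if lerr != nil {
				return nil, false, lerr
			}
			cfg.Certificates = append(cfg.Certificates, pair)
		}
	}
	return cfg, true, nil
}
```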

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           19.03.4
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        9013bf583a
 Built:             Fri Oct 18 15:52:22 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          dev
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.3
  Git commit:       649e4c8
  Built:            Mon Nov 11 12:42:03 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.3.0
  GitCommit:        36cf5b690dcc00ff0f34ff7799209050c3d0c59a
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: dev
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 36cf5b690dcc00ff0f34ff7799209050c3d0c59a
 runc version: 3e425f80a8c931f88e6d94a8c831b9d5aa481657
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 3.10.0-1062.4.1.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.699GiB
 Name: localhost.localdomain
 ID: ZGPZ:WCD7:AL65:BPHK:FEDC:XROH:BTT2:GS6N:V4ZJ:2W5Y:ZS7A:RPMY
 Docker Root Dir: /home/brian/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):
N/A

Labels: area/rootless (Rootless Mode), kind/bug (Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed.)