Description
- This is a bug report
- This is a feature request
- I searched existing issues before opening this one
Expected behavior
docker manifest create is able to create a manifest list without any special permissions, running as my normal, unprivileged user.
Actual behavior
docker manifest create tries to read from /etc/docker/certs.d and fails, because that directory is only accessible to root, and the docker client is not running as root.
Steps to reproduce the behavior
- Install latest docker-ce (18.06.0-ce)
- Build several multi-arch images for the gcr.io registry.
- Attempt to create a manifest list of these images.
A more concrete example that I'm using:
- Check out https://github.com/kubernetes/kubernetes at HEAD (currently testing at 8f92b8e2884d2ae880e44e86f2c2fdb39debeb7d)
- cd into test/images
- Run make all-container WHAT=net, which builds several arch-specific images of gcr.io/kubernetes-e2e-test-images/net
- Run docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64 gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64, which fails:
$ docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64 gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64
open /etc/docker/certs.d/gcr.io: permission denied
While /etc/docker/certs.d/gcr.io is missing, I don't think creating this directory would help, since this directory wouldn't be readable by my user:
$ sudo ls -al /etc/docker
total 16
drwx------ 2 root root 4096 Aug 9 17:58 .
drwxr-xr-x 95 root root 4096 Aug 9 11:35 ..
-rw-r--r-- 1 root root 27 Aug 9 17:58 daemon.json
-rw------- 1 root root 244 Aug 9 01:15 key.json
I tried passing --insecure to docker manifest create, but that didn't seem to have any effect.
Output of docker version:
$ docker version
Client:
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:11:02 2018
OS/Arch: linux/amd64
Experimental: true
Server:
Engine:
Version: 18.06.0-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:09:05 2018
OS/Arch: linux/amd64
Experimental: true
Output of docker info:
$ docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 11
Server Version: 18.06.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.15.0-30-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.298GiB
Name: image-creator
ID: DIAD:BSLJ:QTAL:MD23:M6RM:KCAY:FZFS:NT2K:YLTJ:C2UN:I4KI:TYR2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.)
This is running on an Ubuntu Xenial VM on GCE, though I experience the same issue using docker 18.03.0-ce on a debian-based linux workstation.
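As an added example (not code from the issue or from docker/cli): a POSIX sh check that walks /etc/docker/certs.d/<registry> one component at a time, the way the client's lookup has to, and reports whether the failure is a missing directory or, as in this report, a parent directory (/etc/docker, mode 0700 root:root) that an unprivileged user cannot traverse. The function name and the optional BASE argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or from docker/cli.
# check_certs_path HOST [BASE] walks BASE/HOST (BASE defaults to
# /etc/docker/certs.d; it is a parameter only so the function can be run
# against a scratch tree) and reports the first component that stops the
# current user. "missing" (ENOENT) is the case a client can safely treat as
# "no custom certificates"; "permission denied" (EACCES) is what this report
# hits, because /etc/docker itself is not traversable by a non-root user.
# Returns 0 = readable, 1 = a component is missing, 2 = a component denies access.
check_certs_path() {
    host=$1
    base=${2:-/etc/docker/certs.d}
    case $base in /*) ;; *) base=$PWD/$base ;; esac   # walk needs an absolute path
    target="$base/$host"
    path=""
    old_ifs=$IFS
    IFS=/
    set -- $target            # split into components; the leading / yields an empty first field
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        # The parent was confirmed traversable on the previous iteration,
        # so a failed -e here really is "does not exist", not EACCES.
        if [ ! -e "$path" ]; then
            printf 'missing: %s (no custom certs for %s)\n' "$path" "$host"
            return 1
        fi
        if [ "$path" = "$target" ]; then
            if [ -r "$path" ]; then
                printf 'ok: %s is readable by uid %s\n' "$path" "$(id -u)"
                return 0
            fi
            printf 'permission denied: %s exists but is not readable by uid %s\n' "$path" "$(id -u)"
            return 2
        fi
        # Intermediate directory: search (x) permission is required to go deeper.
        if [ ! -x "$path" ]; then
            mode=$(ls -ld "$path" | awk '{print $1}')
            printf 'permission denied: cannot traverse %s (%s); %s is unreachable\n' "$path" "$mode" "$target"
            return 2
        fi
    done
}
```

Run as the same unprivileged user that invokes docker manifest create; on the layout shown in this report it stops at /etc/docker with return code 2, which is why creating /etc/docker/certs.d/gcr.io alone would not help.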