Description
When configuring registry-mirrors through the daemon.json configuration-file, invalid mirrors are silently ignored.
While there is validation when specifying a mirror through the --registry-mirror`, and pull-request #29650 (5b9348c) added the possibility to reload mirrors without restarting the daemon (which does validate the option), a regular start of the daemon just ignores the value.
Steps to reproduce the issue:
Starting the daemon manually, and setting the --registry-mirror flag, the value is validated correctly:
$ dockerd --debug --registry-mirror="example.com:5000"
Status: invalid argument "example.com:5000" for --registry-mirror=example.com:5000: invalid mirror: unsupported scheme "example.com" in "example.com:5000"
Doing the same through the daemon.json configuration file however, silently ignores the invalid option. No message is logged as well (even in debug mode (not shown in the example output below));
$ mkdir -p /etc/docker/ && echo '{"registry-mirrors": ["example.com:5000"]}' > /etc/docker/daemon.json
$ dockerd
WARN[0000] could not change group /var/run/docker.sock to docker: group docker not found
INFO[0000] libcontainerd: new containerd process, pid: 91
INFO[0001] [graphdriver] using prior storage driver: aufs
INFO[0001] Graph migration to content-addressability took 0.00 seconds
INFO[0001] Loading containers: start.
INFO[0001] Default bridge (docker0) is assigned with an IP address 172.18.0.0/16. Daemon option --bip can be used to set a preferred IP address
WARN[0001] Running modprobe nf_nat failed with message: `modprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1
WARN[0001] Running modprobe xt_conntrack failed with message: `modprobe: can't change directory to '/lib/modules': No such file or directory`, error: exit status 1
WARN[0001] Failed to create DOCKER-USER chain: Iptables not found
INFO[0001] Loading containers: done.
WARN[0001] Couldn't run auplink before unmount /var/lib/docker/tmp/docker-aufs-union121916784: exec: "auplink": executable file not found in $PATH
INFO[0001] Daemon has completed initialization
INFO[0001] Docker daemon commit=02c1d87 graphdriver=aufs version=17.06.0-ce
INFO[0001] API listen on /var/run/docker.sockHowever, when reloading the same configuration, an error is logged, stating that the configuration is invalid and will not be reloaded:
$ kill -HUP $(pidof dockerd)
INFO[0304] Got signal to reload configuration, reloading from: /etc/docker/daemon.json
ERRO[0304] Error reconfiguring the daemon: invalid mirror: unsupported scheme "example.com" in "example.com:5000"
Note that users can discover that the option is ignored by watching the output of docker info; in case of an invalid mirror, the mirror is not shown in the output:
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
While with a correct configuration, the mirror is shown:
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://example.com:5000/
Live Restore Enabled: false
Describe the results you received:
No error message, and the option silently ignored
Describe the results you expected:
The daemon refusing to start, printing an error message that the configuration is invalid.
Output of docker version:
Client:
Version: 17.06.0-ce
API version: 1.30
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:15:15 2017
OS/Arch: linux/amd64
Server:
Version: 17.06.0-ce
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: 02c1d87
Built: Fri Jun 23 21:51:55 2017
OS/Arch: linux/amd64
Experimental: false
Output of docker info:
not relevant; not platform dependent
Description
When configuring registry-mirrors through the
daemon.jsonconfiguration-file, invalid mirrors are silently ignored.While there is validation when specifying a mirror through the --registry-mirror`, and pull-request #29650 (5b9348c) added the possibility to reload mirrors without restarting the daemon (which does validate the option), a regular start of the daemon just ignores the value.
Steps to reproduce the issue:
Starting the daemon manually, and setting the
--registry-mirrorflag, the value is validated correctly:Doing the same through the
daemon.jsonconfiguration file however, silently ignores the invalid option. No message is logged as well (even in debug mode (not shown in the example output below));However, when reloading the same configuration, an error is logged, stating that the configuration is invalid and will not be reloaded:
Note that users can discover that the option is ignored by watching the output of
docker info; in case of an invalid mirror, the mirror is not shown in the output:While with a correct configuration, the mirror is shown:
Describe the results you received:
No error message, and the option silently ignored
Describe the results you expected:
The daemon refusing to start, printing an error message that the configuration is invalid.
Output of
docker version:Output of
docker info:not relevant; not platform dependent