Please sign your commits following these rules:
https://github.com/moby/moby/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "ignore-permission-error-when-accessing-certs.d-directory" [email protected]:dims/moby.git somewhere
$ cd somewhere
$ git commit --amend -s --no-edit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.

Really wondering if this is the correct approach; note that docker manifest create is a pure client-side implementation, so the logging would be done by the docker cli, not the daemon in this case.

ping @clnperez @silvin-lubecki PTAL

@thaJeztah i am happy to re-work this any way you recommend.

hope that the certs are not needed and try to continue

What happens if the certs are needed? Does it fail too? Or do we have a risk to silently fallback on an unsecured connexion?

@silvin-lubecki if the certs are needed (required by server) then the connection will fail i believe.

Really wondering if this is the correct approach; note that docker manifest create is a pure client-side >implementation, so the logging would be done by the docker cli, not the daemon in this case.

The cli vendors in some docker/moby registry code so we do get some of the engine logging.

Also, as seen in docker/cli#1358, the permissions error is logged by the manifest command. For other things, though, this might be useful?

#37847 was merged, but let's discuss the logging here

Codecov Report

Merging #37619 into master will decrease coverage by 0.23%.
The diff coverage is 0%.

@@            Coverage Diff             @@
##           master   #37619      +/-   ##
==========================================
- Coverage   35.85%   35.61%   -0.24%     
==========================================
  Files         606      611       +5     
  Lines       44704    44965     +261     
==========================================
- Hits        16029    16016      -13     
- Misses      26466    26732     +266     
- Partials     2209     2217       +8

Ack @thaJeztah, thanks!

@thaJeztah @clnperez so what can i change here in this PR?

Re-reading, I don't think we should ignore the permission error. Logging it more explicitly if it's a permission error could be good, in case the caller does not, since that's something a user can fix themselves. I think it's up the the caller to decide whether or not to ignore the error or not.

BTW, I submitted a PR for manifest inspect to do the right thing when a user wants to allow the cert-checking to be skipped.

With #37847, and docker/cli#1378, perhaps we don't need to make changes. From the linked issue, the error message would look like this;

$ docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64  gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64
open /etc/docker/certs.d/gcr.io: permission denied

Which (I think) is an acceptable error

@thaJeztah #37847 and docker/cli#1378 are merged so can we close this one?

@olljanat sounds good to me! thanks

Yes, I think we should close this one.

Thanks so much for working on this @dims! Sorry that it didn't get merged, but it's really appreciated 🤗

@thaJeztah my pleasure! i am glad it help nudge :)