
docker manifest create fails due to permission denied on /etc/docker/certs.d/gcr.io #396

Closed
2 of 3 tasks
ixdy opened this issue Aug 9, 2018 · 5 comments

Comments

@ixdy

ixdy commented Aug 9, 2018

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

docker manifest create is able to create a manifest list without any special permissions, running as my normal, unprivileged user.

Actual behavior

docker manifest create tries to read from /etc/docker/certs.d and fails, because that directory is only accessible to root, and the docker client is not running as root.

Steps to reproduce the behavior

  1. Install latest docker-ce (18.06.0-ce)
  2. Build several multi-arch images for the gcr.io registry.
  3. Attempt to create a manifest list of these images.

A more concrete example that I'm using:

  1. Check out https://github.com/kubernetes/kubernetes at HEAD (currently testing at 8f92b8e2884d2ae880e44e86f2c2fdb39debeb7d)
  2. cd into test/images
  3. Run make all-container WHAT=net, which builds several arch-specific images of gcr.io/kubernetes-e2e-test-images/net
  4. Run docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64 gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64, which fails:
$ docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64  gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64
open /etc/docker/certs.d/gcr.io: permission denied

While /etc/docker/certs.d/gcr.io is missing, I don't think creating this directory would help, since this directory wouldn't be readable by my user:

$ sudo ls -al /etc/docker
total 16
drwx------  2 root root 4096 Aug  9 17:58 .
drwxr-xr-x 95 root root 4096 Aug  9 11:35 ..
-rw-r--r--  1 root root   27 Aug  9 17:58 daemon.json
-rw-------  1 root root  244 Aug  9 01:15 key.json

I tried passing --insecure to docker manifest create, but that didn't seem to have any effect.

Output of docker version:

$ docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:11:02 2018
 OS/Arch:           linux/amd64
 Experimental:      true

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:09:05 2018
  OS/Arch:          linux/amd64
  Experimental:     true

Output of docker info:

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 11
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-30-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.298GiB
Name: image-creator
ID: DIAD:BSLJ:QTAL:MD23:M6RM:KCAY:FZFS:NT2K:YLTJ:C2UN:I4KI:TYR2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)
This is running on an Ubuntu Xenial VM on GCE, though I experience the same issue using docker 18.03.0-ce on a Debian-based Linux workstation.

@ixdy
Author

ixdy commented Aug 20, 2018

I was able to fix this by running sudo chmod o+x /etc/docker.

@olljanat

olljanat commented Nov 8, 2018

@ixdy I think that this one was fixed on moby/moby#37847

Can we close it?

@thaJeztah
Member

yes, let's close this one; thanks!

@cpuguy83
Collaborator

cpuguy83 commented Mar 5, 2019

Sorry, this is strange because docker manifest is a client-side command, why is it looking in /etc/docker at all?

schjan added a commit to schjan/fritzdect-exporter that referenced this issue Jun 17, 2019
paulfantom added a commit to prometheus-operator/prometheus-operator that referenced this issue Apr 29, 2020
`docker manifest` command needs access to /etc/docker/cert.d which is prevented by default
brancz added a commit to prometheus-operator/prometheus-operator that referenced this issue Apr 29, 2020
paulfantom added a commit to paulfantom/kube-rbac-proxy that referenced this issue May 7, 2020
paulfantom added a commit to paulfantom/prometheus-operator that referenced this issue Jun 8, 2020
* upstream/release-0.39: (73 commits)
  Release v0.39.0 (prometheus-operator#3197)
  .github/ISSUE_TEMPLATES: add note about helm; remove tectonic-installer :(
  *: remove v1beta1 crds
  Update compatibility matrix
  Workaround for docker/for-linux#396
  *: create separate namespace informers if needed
  README.md: add v1beta1-crd bundle to quickstart
  test: bump CRDs from v1beta1 to v1
  bundle,example,jsonnet: regenerate
  Makefile: add generate-crds rule
  scripts: generate bundle with v1beta1 CRDs
  scripts: add script to generate crds
  pkg/thanos: fix typo in statefulset informer (prometheus-operator#3179)
  test/e2e: add volume claim template metadata test
  update generated files for pvc metadata fix
  types: use custom type for embedded persistent volume claims
  scripts: build container images for multiple architectures
  allow easier builds for ARM architecture
  Support matching only pod monitors
  Fix `make generate-in-docker` on macOS
  ...
Madhu-1 added a commit to Madhu-1/ceph-csi that referenced this issue Jul 16, 2020
This is a workaround to fix docker permission denied issue
during manifest create in Travis CI
`docker manifest create` fails due to permission denied
on `/etc/docker/certs.d/quay.io`
more info docker/for-linux#396.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
mergify bot pushed a commit to ceph/ceph-csi that referenced this issue Jul 16, 2020
@chessky

chessky commented Sep 17, 2024

sudo chmod 755 /etc/docker worked for me
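As an added example (not code from this thread or from the Docker client), the following simulates the path lookup the client performs for /etc/docker/certs.d/gcr.io from mode bits alone, on a constructed copy of the `ls -al /etc/docker` layout shown above, and compares the original 0700 mode with the two fixes posted in the thread (chmod o+x and chmod 755). It assumes an unprivileged uid that is neither root nor the directory owner (taken as owner uid + 1), and shows that o+x is enough to turn the EACCES into the ENOENT the client tolerates, while key.json (0600) stays unreadable under either fix.

```python
import errno
import os
import tempfile


def perm_bits(st, uid, gids):
    """rwx bits (0-7) that apply to uid/gids: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    return (st.st_mode >> 3) & 7 if st.st_gid in gids else st.st_mode & 7


def simulate_open(path, uid, gids, root="/"):
    """Resolve `path` under `root` as the kernel would for a non-root user opening
    it read-only; return 0 or the errno the open() would fail with."""
    cur = root
    for comp in [p for p in path.split("/") if p]:
        if not perm_bits(os.stat(cur), uid, gids) & 1:  # need x on each parent
            return errno.EACCES
        cur = os.path.join(cur, comp)
        if not os.path.lexists(cur):
            return errno.ENOENT
    return 0 if perm_bits(os.stat(cur), uid, gids) & 4 else errno.EACCES  # r on target


def build_fixture():
    """Constructed copy of the issue's `ls -al /etc/docker`: drwx------ docker dir
    holding key.json (0600). Returns the temp root standing in for '/'."""
    root = tempfile.mkdtemp()
    docker_dir = os.path.join(root, "etc", "docker")
    os.makedirs(docker_dir)
    for d in (root, os.path.join(root, "etc")):
        os.chmod(d, 0o755)
    key = os.path.join(docker_dir, "key.json")
    with open(key, "w") as f:
        f.write("{}")
    os.chmod(key, 0o600)
    os.chmod(docker_dir, 0o700)
    return root


def compare_fixes(root):
    """For a uid that is neither root nor the owner (assumed: owner uid + 1), the
    errno of the client's certs.d/gcr.io lookup and of reading key.json, under
    the original 0700 mode and under each fix posted in the thread."""
    docker_dir = os.path.join(root, "etc", "docker")
    other = os.stat(docker_dir).st_uid + 1
    results = {}
    for label, mode in (("0700", 0o700), ("o+x", 0o711), ("755", 0o755)):
        os.chmod(docker_dir, mode)
        certs = simulate_open("etc/docker/certs.d/gcr.io", other, set(), root)
        key = simulate_open("etc/docker/key.json", other, set(), root)
        results[label] = (errno.errorcode.get(certs, "OK"), errno.errorcode.get(key, "OK"))
    os.chmod(docker_dir, 0o700)
    return results
```

`compare_fixes(build_fixture())` yields EACCES for both lookups at 0700, and ENOENT for certs.d with key.json still EACCES at both 0711 and 0755, so o+x is the narrower of the two fixes.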
