cli: "docker manifest inspect --insecure" doesn't work
Description
I have a local (insecure) registry for debugging purposes. But I cannot run manifest inspect against it, even with --insecure.
$ docker -D manifest inspect --insecure 172.17.0.4:5000/foo:latest
DEBU[0000] hostDir: /etc/docker/certs.d/172.17.0.4:5000
DEBU[0000] endpoints for 172.17.0.4:5000/foo:latest: []
DEBU[0000] hostDir: /etc/docker/certs.d/172.17.0.4:5000
DEBU[0000] endpoints for 172.17.0.4:5000/foo:latest: []
open /etc/docker/certs.d/172.17.0.4:5000: permission denied
Steps to reproduce the issue:
Just run docker -D manifest inspect --insecure 172.17.0.4:5000/foo:latest.
The registry and the image don’t actually need to exist to hit the problem since it occurs before any sockets are opened etc (according to my quick look over the strace logs).
Describe the results you received:
open /etc/docker/certs.d/172.17.0.4:5000: permission denied
Describe the results you expected:
The manifest to be printed.
Additional information you deem important (e.g. issue happens only occasionally):
The directory /etc/docker/certs.d doesn’t exist, but in any case the permissions on /etc/docker are 0700, also it seems odd to rely only on a system wide directory here. I couldn’t find any setting or config file option which would redirect this to e.g. ~/.docker/certs.d.
Output of docker version:
$ docker version
Client:
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:09:33 2018
OS/Arch: linux/amd64
Experimental: true
Server:
Engine:
Version: 18.06.0-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:07:38 2018
OS/Arch: linux/amd64
Experimental: true
Also reproduced with 96dba79d99d69df9adc67b230d9dd39849733ef2 (recent master).
Output of docker info:
Containers: 3
Running: 3
Paused: 0
Stopped: 0
Images: 178
Server Version: 18.06.0-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.14.0-3-amd64
Operating System: Debian GNU/Linux buster/sid
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.53GiB
Name: bokrug
ID: AU33:BO7D:7VGM:MOLB:RSDF:IBRV:GCWT:THHM:OEVM:TX3C:BNLM:WHAR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 41
Goroutines: 67
System Time: 2018-09-10T10:09:15.802266701+01:00
EventsListeners: 0
Username: ijc25
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
Additional environment details (AWS, VirtualBox, physical, etc.):
Native Linux (Debian) running docker-ce packages from download.docker.com apt repo.
About this issue
- State: closed
- Created 6 years ago
- Comments: 15 (15 by maintainers)
Commits related to this issue
- fix insecure manifest inspect with restrictive certs perms If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using t... — committed to clnperez/cli by clnperez 6 years ago
- fix insecure manifest inspect with restrictive certs perms If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using t... — committed to thaJeztah/cli by clnperez 6 years ago
- fix insecure manifest inspect with restrictive certs perms If, for some reason, the certs directory has permissions that are inaccessible by docker, we should still be able to fetch manifests using t... — committed to lifubang/cli by clnperez 6 years ago
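One way to handle the failure reported above, as an added example that is not the docker/cli patch or any code from this issue: an unreadable per-host certs directory is tolerated only when verification is already disabled, and stays fatal otherwise so pinned CAs are never dropped silently. The helper name `hostTLSConfig` and its injectable `readDir` parameter are assumptions made for illustration; only `*.crt` CA files are handled.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// hostTLSConfig is a hypothetical helper, not docker/cli code. It builds client
// TLS settings for one registry from the CA files in <certsRoot>/<host>/*.crt.
// readDir has the signature of os.ReadDir so a failing reader can be injected.
func hostTLSConfig(readDir func(string) ([]os.DirEntry, error), certsRoot, host string, insecure bool) (*tls.Config, error) {
	cfg := &tls.Config{InsecureSkipVerify: insecure}
	hostDir := filepath.Join(certsRoot, host)
	entries, err := readDir(hostDir)
	switch {
	case err == nil: // directory listed; load CAs below
	case errors.Is(err, fs.ErrNotExist):
		return cfg, nil // nothing configured for this host: system roots apply
	case errors.Is(err, fs.ErrPermission) && insecure:
		return cfg, nil // verification is off, so unreadable CAs cannot matter
	default:
		// Fail closed: with verification on, losing pinned CAs changes trust.
		return nil, fmt.Errorf("loading certs for %s: %w", host, err)
	}
	pool := x509.NewCertPool()
	for _, e := range entries {
		if e.IsDir() || !strings.HasSuffix(e.Name(), ".crt") {
			continue
		}
		pem, err := os.ReadFile(filepath.Join(hostDir, e.Name()))
		if err != nil || !pool.AppendCertsFromPEM(pem) {
			// A listed but unusable CA file is a configuration error in either mode.
			return nil, fmt.Errorf("unusable CA file %s (read error: %v)", e.Name(), err)
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

func main() {
	// Same host and certs root as in the report; the result depends on local permissions.
	_, err := hostTLSConfig(os.ReadDir, "/etc/docker/certs.d", "172.17.0.4:5000", true)
	fmt.Println("insecure lookup error:", err)
}
```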
@thaJeztah @vdemeester I think this one should stay open until the permissions handling on the CLI side is fixed too.
I was initially unable to recreate this, but I was forgetting that by default loopback (which is what I was using) is in the engine’s insecure registries list. I mapped it to the host’s actual IP and, with the permissions set to 700, can recreate.
Also, I realized what you were trying to get at after I sent that last message. I was looking for something the wrong way. So, apologies for being a little slow there.
Thanks for all that detail.
@clnperez