`docker run` with content trust enabled pollutes stdout

[ijc]

Description

Doing a docker run with DOCKER_CONTENT_TRUST outputs to stdout things other than the container's stdout. In particular this message https://github.com/docker/cli/blob/master/cli/command/image/trust.go#L358

This is breaking some output formats of Moby tool. As seen in linuxkit/linuxkit#2612.

Steps to reproduce the issue:

Using LinuxKit and Moby tool manually to simulate the effect of moby build -format gcp linuxkit.yml:

1. moby build -format tar-kernel-initrd linuxkit.yml produces linuxkit-initrd.tar
2. docker image ls| grep linuxkit/mkimage-gcp | cut -c 114-125 | xargs docker rmi, to ensure a pull will happen in the next step
3. Convert to gcp:

cat linuxkit-initrd.tar | DOCKER_CONTENT_TRUST=1 docker run --network=none --rm -i linuxkit/mkimage-gcp:d1883809d212ce048f60beb0308a4d2b14c256af > img.tar

4. file img.tar shows data and not tar file

$ head -n1 img.tar 
Tagging linuxkit/mkimage-gcp@sha256:d9571a557e4b82a944f12082cd50987d3726385b5458846cbae89ea9bd694c85 as linuxkit/mkimage-gcp:d1883809d212ce048f60beb0308a4d2b14c256af

I have also tried using -a stdin -a stdout without success.

Describe the results you received:

$ file img.tar 
img.tar: data
$ head -n1 img.tar 
Tagging linuxkit/mkimage-gcp@sha256:d9571a557e4b82a944f12082cd50987d3726385b5458846cbae89ea9bd694c85 as linuxkit/mkimage-gcp:d1883809d212ce048f60beb0308a4d2b14c256af

Describe the results you expected:

$ file img.tar 
img.tar: gzip compressed data, last modified: Fri Oct 20 14:49:07 2017, max compression, from Unix

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client:
 Version:      17.10.0-ce
 API version:  1.33
 Go version:   go1.8.3
 Git commit:   f4ffd25
 Built:        Tue Oct 17 19:02:43 2017
 OS/Arch:      linux/amd64

Server:
 Version:      17.10.0-ce
 API version:  1.33 (minimum version 1.12)
 Go version:   go1.8.3
 Git commit:   f4ffd25
 Built:        Tue Oct 17 19:01:22 2017
 OS/Arch:      linux/amd64
 Experimental: true

I also reproduced with 17.06 and 17.09.

Output of docker info:

Containers: 2
 Running: 0
 Paused: 0
 Stopped: 2
Images: 1700
Server Version: 17.10.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 06b9cb35161009dcb7123345749fef02f7cea8e0
runc version: 0351df1c5a66838d0c392b4ac4cf9450de844e2d
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.12.0-1-amd64
Operating System: Debian GNU/Linux buster/sid
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.53GiB
Name: bokrug
ID: AU33:BO7D:7VGM:MOLB:RSDF:IBRV:GCWT:THHM:OEVM:TX3C:BNLM:WHAR
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: ijc25
Registry: https://index.docker.io/v1/
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.):

I'm running on Linux (Debian). I believe @rn is seeing it on MacOS and LinuxKit CI is tripping over it too.

[ijc]

See moby/tool#170 and moby/tool#171 for the workarounds we are considering.

[thaJeztah]

ping @riyazdf

[dnephin]

Opened #636 with a fix