
docker manifest create fails due to permission denied on /etc/docker/certs.d/gcr.io #396

@ixdy

Description

  • This is a bug report
  • This is a feature request
  • I searched existing issues before opening this one

Expected behavior

docker manifest create is able to create a manifest list without any special permissions, running as my normal, unprivileged user.

Actual behavior

docker manifest create tries to read from /etc/docker/certs.d and fails, because that directory is only accessible to root, and the docker client is not running as root.

Steps to reproduce the behavior

  1. Install latest docker-ce (18.06.0-ce)
  2. Build several multi-arch images for the gcr.io registry.
  3. Attempt to create a manifest list of these images.

A more concrete example that I'm using:

  1. Check out https://github.com/kubernetes/kubernetes at HEAD (currently testing at 8f92b8e2884d2ae880e44e86f2c2fdb39debeb7d)
  2. cd into test/images
  3. Run make all-container WHAT=net, which builds several arch-specific images of gcr.io/kubernetes-e2e-test-images/net
  4. Run docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64 gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64, which fails:
$ docker manifest create gcr.io/kubernetes-e2e-test-images/net gcr.io/kubernetes-e2e-test-images/net-ppc64le gcr.io/kubernetes-e2e-test-images/net-arm64  gcr.io/kubernetes-e2e-test-images/net-arm gcr.io/kubernetes-e2e-test-images/net-amd64
open /etc/docker/certs.d/gcr.io: permission denied

While /etc/docker/certs.d/gcr.io is missing, I don't think creating this directory would help, since this directory wouldn't be readable by my user:

$ sudo ls -al /etc/docker
total 16
drwx------  2 root root 4096 Aug  9 17:58 .
drwxr-xr-x 95 root root 4096 Aug  9 11:35 ..
-rw-r--r--  1 root root   27 Aug  9 17:58 daemon.json
-rw-------  1 root root  244 Aug  9 01:15 key.json

I tried passing --insecure to docker manifest create, but that didn't seem to have any effect.

Output of docker version:

$ docker version
Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:11:02 2018
 OS/Arch:           linux/amd64
 Experimental:      true

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:09:05 2018
  OS/Arch:          linux/amd64
  Experimental:     true

Output of docker info:

$ docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 11
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-30-generic
Operating System: Ubuntu 16.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.298GiB
Name: image-creator
ID: DIAD:BSLJ:QTAL:MD23:M6RM:KCAY:FZFS:NT2K:YLTJ:C2UN:I4KI:TYR2
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)
This is running on an Ubuntu Xenial VM on GCE, though I experience the same issue using docker 18.03.0-ce on a Debian-based Linux workstation.
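The report above shows the failure but not which path component actually denies access. The following POSIX sh script is an added diagnostic, not part of this issue or of the docker CLI: it walks each component of certs.d/<registry> as the current user and distinguishes a genuinely absent directory (harmless, the CLI falls back to the system CA bundle) from a parent such as /etc/docker that the user cannot traverse, which is what surfaces as "permission denied". The function name and the default certs.d path are assumptions for illustration.

```sh
#!/bin/sh
# check_certs_dir REGISTRY [CERTS_ROOT]   (hypothetical helper, not docker's code)
#   Walks CERTS_ROOT/REGISTRY one component at a time and reports the first
#   component the current user cannot pass. Return codes:
#     0  certs.d/<registry> exists and is readable
#     1  the directory is absent, but every existing parent is traversable
#     2  a component exists but denies the current user (the bug in this issue)
check_certs_dir() {
    registry=$1
    root=${2:-/etc/docker/certs.d}
    target="$root/$registry"
    case $target in /*) path="" ;; *) path="." ;; esac
    old_ifs=$IFS
    IFS=/
    set -- $target          # split into path components (function-local $@)
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        path="$path/$comp"
        # The parent was already verified traversable, so -e is reliable here
        # and a false result is a real "no such file", not a masked EACCES.
        if [ ! -e "$path" ]; then
            echo "absent:      $path (docker would fall back to the system CA bundle)"
            return 1
        fi
        # Exists, but the user may not enter it: stat() on anything below it
        # fails with EACCES, which the CLI reports as "permission denied".
        if [ ! -x "$path" ]; then
            echo "no-traverse: $path ($(ls -ld "$path" | awk '{print $1, $3 ":" $4}'))"
            return 2
        fi
        echo "ok:          $path"
    done
    if [ -r "$target" ]; then
        echo "readable:    $target"
        return 0
    fi
    echo "no-read:     $target ($(ls -ld "$target" | awk '{print $1, $3 ":" $4}'))"
    return 2
}

# Usage: sh check_certs_dir.sh gcr.io          (defaults to /etc/docker/certs.d)
if [ "$#" -gt 0 ]; then
    check_certs_dir "$@"
fi
```

Run it as the same unprivileged user that invokes `docker manifest create`; the first `no-traverse` line names the directory whose mode needs attention (in this report, /etc/docker at drwx------).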
