Client certs for Xyhve removed in 17.06.0-rc2-ce-mac14 #1716

Closed
matthewbarr opened this issue Jun 9, 2017 · 5 comments
matthewbarr commented Jun 9, 2017

Expected behavior

Docker for Mac would maintain the contents of the /etc/docker/certs.d directory from datakit git submission into the xhyve VM filesystem.

Or: Docker for Mac would provide a method to designate which registry hosts need which client certificates from the keychain, and provision them into the xhyve filesystem.

I'd love a pointer to the work that added this, since it looks like this is a new feature to implement #1320, but I can't seem to find any open issues or if it's in data kit, credential-helper, or for-mac.

Actual behavior

Certs are added to /etc/docker/certs.d, committed to git [master], and are then removed by data kit.

Information

My docker diagnostic is just hanging right now, but it's
Version 17.06.0-rc2-ce-mac14 (18280)
Channel: edge
e4067577a3

Client:
Version: 17.06.0-ce-rc2
API version: 1.30
Go version: go1.8.1
Git commit: 402dd4a
Built: Wed Jun 7 10:02:52 2017
OS/Arch: darwin/amd64

Server:
Version: 17.06.0-ce-rc2
API version: 1.30 (minimum version 1.12)
Go version: go1.8.3
Git commit: 402dd4a
Built: Wed Jun 7 10:02:04 2017
OS/Arch: linux/amd64
Experimental: true

Steps to reproduce the behavior

  1. Using the steps I mentioned in Use client cert to access secure private registry #1320, add client certs.

  2. Restart docker (automatic due to touching the right file, and committing it)

  3. Check /etc/docker in xhyve, no files.

  4. git log:

commit 1640d371f7e914c9afc4fcdf27383d6a6d138723
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:42 2017 +0000

Setting certificates

commit b2933386e872270b73cd320ff5be03237cedec39
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:42 2017 +0000

Writing mobyconfig configuration to master

commit f39a0d77c0a591444600c6d797c4bb6a5cddd491
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Creating branch

commit fce1c9d6576a569fbbb929986bf9dbe2dc1c0380
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Delete previous certd

commit 5601e441132d4c91f67ded1d665f0b9a9770716a
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Writing proxy settings configuration to master

commit 88fd5149134174bc1c5b8a5a224fd6cde1d4b78a
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Field-level upgrade

commit 44870880bda94ddccbb575ae6ddd8b6ca5c95d6a
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Updating readme

commit 56043316e882c4ec8134c65fe492461806532eda
Author: datakit datakit@docker.com
Date: Fri Jun 9 18:07:41 2017 +0000

Creating branch

commit 709b1c296c2c6039e92062c16c453035ccebbc06
Author: Matthew Barr mbarr@example.com
Date: Fri Jun 9 14:06:47 2017 -0400

add certs to docker

matthewbarr commented

Double checked the release notes: this is an effect of the work for #1320. However, we don't use docker login to auth, just a client cert.

How does one select which client cert should be sent a request?

How can one debug what's being sent?

ebriney commented Jun 19, 2017

With 17.06, you don't have to push your certs with git commands anymore; we copy certificates from your mac folder ~/.docker/certs.d in the database when starting the app.

ebriney commented Jun 19, 2017

You can check the docs here, it explains how it is used in the vm.
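
The answer above says the app copies ~/.docker/certs.d at start-up. The shell function below is an added example, not from this thread or from Docker's code, that audits such a tree before a restart. It assumes Docker's per-registry layout (one directory per registry `host[:port]`, holding `*.crt` CA files and `*.cert`/`*.key` client pairs); the function name `audit_certs_d` is hypothetical.

```shell
#!/bin/sh
# Added example: audit a certs.d tree before Docker for Mac copies it into the VM.
# Assumed layout (Docker's registry client-cert convention):
#   <certs.d>/<registry-host[:port]>/  *.crt = CA, *.cert + *.key = client pair

audit_certs_d() {
    root=${1:-"$HOME/.docker/certs.d"}
    problems=0
    [ -d "$root" ] || { echo "MISSING $root"; return 2; }
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        host=$(basename "$dir")
        pairs=0
        for cert in "$dir"*.cert; do
            [ -f "$cert" ] || continue
            key="${cert%.cert}.key"
            if [ ! -f "$key" ]; then
                echo "FAIL $host: $(basename "$cert") has no matching .key"
                problems=$((problems + 1))
                continue
            fi
            pairs=$((pairs + 1))
            # Characters 5-10 of the mode string are the group/other bits.
            mode=$(ls -ld "$key" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "WARN $host: $(basename "$key") is accessible to group/other"
                problems=$((problems + 1))
            fi
        done
        # A private key without a certificate is never offered to the registry.
        for key in "$dir"*.key; do
            [ -f "$key" ] || continue
            [ -f "${key%.key}.cert" ] || {
                echo "FAIL $host: $(basename "$key") has no matching .cert"
                problems=$((problems + 1))
            }
        done
        echo "INFO $host: $pairs client pair(s)"
    done
    # Exit status 0 only when every directory is clean.
    [ "$problems" -eq 0 ]
}
```

Run it as `audit_certs_d` for the default path, or pass another directory as the first argument; a non-zero status means at least one FAIL or WARN line was printed.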

matthewbarr commented

It'll probably be obvious to the future users, but I wasn't expecting it, with all the work on the credential helper!

Simple answer is sometimes the hardest to find.
