Why does docker crash on Red Hat Enterprise Linux 7 nodes when image signature verification is enabled?
Issue
- Why does docker crash on Red Hat Enterprise Linux 7 nodes when image signature verification is enabled?
```
dockerd-current[30456]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x363433333934 pc=0x363433333934]
dockerd-current[30456]: runtime stack:
dockerd-current[30456]: runtime.throw(0x1927f4e, 0x2a)
dockerd-current[30456]: /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/runtime/panic.go:616 +0x81 fp=0x7efec37fdaf8 sp=0x7efec37fdad8 pc=0x43ec51
dockerd-current[30456]: runtime.sigpanic()
dockerd-current[30456]: /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/runtime/signal_unix.go:372 +0x28e fp=0x7efec37fdb48 sp=0x7efec37fdaf8 pc=0x4545fe
dockerd-current[30456]: goroutine 17612 [syscall]:
dockerd-current[30456]: runtime.cgocall(0x1496950, 0xc424232470, 0x0)
dockerd-current[30456]: /opt/rh/go-toolset-1.10/root/usr/lib/go-toolset-1.10-golang/src/runtime/cgocall.go:128 +0x64 fp=0xc424232440 sp=0xc424232408 pc=0x414ee4
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/mtrmac/gpgme._Cfunc_gpgme_op_verify(0x7efe780008c0, 0x7efe780041f0, 0x0, 0x7efe780031a0, 0x0)
dockerd-current[30456]: _cgo_gotypes.go:924 +0x4d fp=0xc424232470 sp=0xc424232440 pc=0xf8b7ed
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/mtrmac/gpgme.(*Context).Verify.func1(0x7efe780008c0, 0x7efe780041f0, 0x0, 0x7efe780031a0, 0xc4242324f8)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/mtrmac/gpgme/gpgme.go:426 +0xf9 fp=0xc4242324a8 sp=0xc424232470 pc=0xf91b79
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/mtrmac/gpgme.(*Context).Verify(0xc423ac1200, 0xc4221ab800, 0x0, 0xc4221ab780, 0x0, 0x0, 0xc4242326e8, 0x424029, 0xc42348a5e0, 0x10, ...)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/mtrmac/gpgme/gpgme.go:426 +0x89 fp=0xc424232618 sp=0xc4242324a8 pc=0xf8ea89
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.gpgmeSigningMechanism.Verify(0xc423ac1200, 0xc42529af80, 0x36, 0xc422bee000, 0x24a, 0x600, 0xc4242328d8, 0x424029, 0xc4231fe440, 0x20, ...)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/containers/image/signature/mechanism_gpgme.go:152 +0xe5 fp=0xc424232808 sp=0xc424232618 pc=0xf961c5
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.(*gpgmeSigningMechanism).Verify(0xc4243ec020, 0xc422bee000, 0x24a, 0x600, 0xc423ac1200, 0x7eff35ed4f78, 0x0, 0xc421a9f500, 0x6d0, 0x6d2, ...)
dockerd-current[30456]: <autogenerated>:1 +0x81 fp=0xc424232880 sp=0xc424232808 pc=0xfa1401
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.verifyAndExtractSignature(0x1a58180, 0xc4243ec020, 0xc422bee000, 0x24a, 0x600, 0xc4231fe400, 0xc4231fe420, 0xc4231fe440, 0x0, 0x0, ...)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/containers/image/signature/signature.go:219 +0x70 fp=0xc424232918 sp=0xc424232880 pc=0xf9fe00
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.(*prSignedBy).isSignatureAuthorAccepted(0xc4228b1620, 0x7eff2853d8e0, 0xc4228cfc40, 0xc422bee000, 0x24a, 0x600, 0x0, 0x0, 0x0, 0x0, ...)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/containers/image/signature/policy_eval_signedby.go:53 +0x2c6 fp=0xc424232a08 sp=0xc424232918 pc=0xf9d096
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.(*prSignedBy).isRunningImageAllowed(0xc4228b1620, 0x7eff2853d8e0, 0xc4228cfc40, 0xc4222b28f0, 0x1, 0x1)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/containers/image/signature/policy_eval_signedby.go:100 +0x110 fp=0xc424232b28 sp=0xc424232a08 pc=0xf9d780
dockerd-current[30456]: github.com/docker/docker/vendor/github.com/containers/image/signature.(*PolicyContext).IsRunningImageAllowed(0xc4247881a0, 0x7eff2853d8e0, 0xc4228cfc40, 0x7eff2853d800, 0x0, 0x0)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/vendor/github.com/containers/image/signature/policy_eval.go:276 +0x2b1 fp=0xc424232be8 sp=0xc424232b28 pc=0xf9cb61
dockerd-current[30456]: github.com/docker/docker/distribution.(*v2Puller).checkTrusted(0xc421202980, 0x1a543c0, 0xc42401a340, 0x7eff35e85768, 0xc421fe8650, 0x1, 0x18e2b8f, 0x6, 0xc4222b2f50)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/distribution/pull_v2_unix.go:73 +0x344 fp=0xc424232dc8 sp=0xc424232be8 pc=0xff8b64
dockerd-current[30456]: github.com/docker/docker/distribution.(*v2Puller).pullV2Repository(0xc421202980, 0x1a543c0, 0xc42401a340, 0x7eff35e85768, 0xc421fe8650, 0x2, 0x100)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/distribution/pull_v2.go:101 +0x225 fp=0xc424232e80 sp=0xc424232dc8 pc=0xff1025
dockerd-current[30456]: github.com/docker/docker/distribution.(*v2Puller).Pull(0xc421202980, 0x1a543c0, 0xc42401a340, 0x7eff35e85768, 0xc421fe8650, 0xc423851b30, 0xc420c29180)
dockerd-current[30456]: /builddir/build/BUILD/docker-4ef4b30c57f05be26c9387ef0828e86c2ed543b8/_build/src/github.com/docker/docker/distribution/pull_v2.go:80 +0x309 fp=0xc424233010 sp=0xc424232e80 pc=0xff0bb9
dockerd-current[30456]: github.com/docker/docker/distribution.pullFromRegistry(0x1a543c0, 0xc42401a340, 0x7eff35e85768, 0xc421fe8650, 0xc420c29180, 0x16ded00, 0x7eff35ed3458)
```
Environment
- Red Hat Enterprise Linux 7
- docker-1.13.1-104.git4ef4b30.el7.x86_64
- Image signing configured
- Crash noticed while initiating `docker pull`