docker -f deprecation -- now removed

[plaurin84]

Docker has deprecated "-f" argument from tagging since v1.10.0
It has been removed in v.1.12.0

See https://docs.docker.com/engine/deprecated/#/f-flag-on-docker-tag

docker-tag post-processor returns the following when using packer with docker 1.12+:
Stderr: unknown shorthand flag: 'f' in -f

[dfarrell07]

Here are some examples of me hitting this with Docker 1.12.0 for the OpenDaylight Packer builds.

[dfarrell07]

moby/moby#23090 is the PR that removed the flag and broke Packer. moby/moby#24494 was a discussion about backwards compatibility, but it didn't seem to consider tools that use tag -f in an automated way, like Packer.

This consistently breaks tagging Docker images with Packer 0.10.1 (latest) and Docker 1.12.0 (latest). I tried downgrading Docker to the previous version, 1.11.2.

$ sudo systemctl stop docker
$ sudo dnf remove -y docker-engine docker-engine-selinux
# Note that I'm forcing F23 repos, as F24 only have 1.12.0
$ cat /etc/yum.repos.d/docker.repo
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/fedora/23
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
$ sudo dnf install -y docker-engine-1.11.2-1.fc23 docker-engine-selinux-1.11.2-1.fc23
$ docker --version                                                                                                      
Docker version 1.11.2, build b9f10c9

But I ran into moby/moby#23981 (comment).

$ sudo systemctl start docker
A dependency job for docker.service failed. See 'journalctl -xe' for details.
$ sudo journalctl -xe
Aug 10 18:41:07 localhost.localdomain audit[1]: AVC avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
Aug 10 18:41:07 localhost.localdomain systemd[1]: docker.socket: Failed to listen on sockets: Permission denied

Full error logs. I tried moby/moby#23981 (comment) as a workaround, basically an exception in an SELinux rule. That fixed the issue it targeted (SELinux is preventing systemd from create access on the unix_stream_socket Unknown), but not the one about docker.socket. With no more time to debug this, I set SELinux to permissive, which seems to work.

$ sudo setenforce 0
$ sudo systemctl start docker
$ sudo systemctl is-active docker                                                                        
active
$ docker run hello-world
# Works
$ docker --version                                                                                       
Docker version 1.11.2, build b9f10c9

OpenDaylight's Packer builds also work.

$ packer build -var-file=vars/opendaylight-4.2.0.json -var-file=vars/fedora-23.json templates/docker.json
# Works
$ docker run -it opendaylight/odl:4.2.0 /opt/opendaylight/bin/karaf
# Works

So I guess one work-around is to install Docker 1.11.2 and disable SELinux.

[thaJeztah]

Removing the -f / --force flag would make it work for all of docker 1.10.x, 1.11.x and 1.12.x (--force was the default starting with docker 1.10), perhaps that's the best option?

[aloukissas]

If I read this correctly, docker-tag doesn't work with current packer if using docker 1.12 and there is no plan to fix it?

[rickard-von-essen]

@aloukissas the plan is:

1. Someone contribute a fix.
2. Someone test it.
3. Someone merge it.

That is how most FOSS works *).

*) Unless you are on a enterprise contract, then you should contact support.

[aloukissas]

@rickard-von-essen the fix is a couple of source code removals in the docker driver file AFAICT (highly unfamiliar with the packer code though). I'll fork and test it out manually - unsure of what the acceptance criteria in this project are (automated testing per PR, perhaps?)

[aloukissas]

In the meantime, is there perhaps a way to disable this in the release bits? One needs to install a year-old release of docker engine for packer to work :/

[rickard-von-essen]

Whats wrong with using "force": false? See Docs: packer-tag - force

[dfarrell07]

What's wrong with using "force": false?

That works. A work-around like this gets Docker 1.12.3 working with Packer 0.10.1.

Thanks @rickard-von-essen!

[mwhooker]

Should be fixed as part of #4186. going to track there

and looks like there's a viable workaround (don't use -f) for now