proxy config is rendered to /lib/systemd/system/docker.service which breaks non-interactive apt upgrades

Bug #1840864 reported by Wouter van Bommel
This bug affects 1 person
Affects: Docker Subordinate Charm
Status: Fix Released
Importance: High
Assigned to: Joseph Borg

Bug Description

If the kubernetes-worker charm is deployed behind a corporate firewall that only allows access via http(s) proxies, this has to be configured in the model.

If these settings change, then the systemd file for docker (/lib/systemd/system/docker.service) seems to be updated by inserting 3 lines:

Environment="HTTP_PROXY=http://<dummy>:<dummy>"
Environment="HTTPS_PROXY=http://<dummy>:<dummy>"
Environment="NO_PROXY="

But the service is not restarted.

What is expected is that a file would have been created in /etc/systemd/system/docker.service.d with content like that shown below, and called e.g. proxy.conf:

[Service]
Environment="HTTP_PROXY=http://<dummy>:<dummy>"
Environment="HTTPS_PROXY=http://<dummy>:<dummy>"
Environment="NO_PROXY="

Obviously the service also needs to restart if this is changed.

The current approach (modifying the file under /lib/systemd) has the problem that it will block any non-interactive upgrade, as a file is changed that is part of the original package.

Tags: bootstack
tags: added: bootstack
description: updated
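The drop-in approach the report asks for, as an added Python example that is not part of the bug report or the charm-docker code: it renders proxy.conf, writes it atomically under the drop-in directory, and tells the caller whether a daemon-reload and restart are needed. The function names are assumptions of this example; it also doubles `%` in values because systemd expands specifiers in Environment= lines, which matters for percent-encoded proxy credentials.

```python
import os
import tempfile

DROPIN_DIR = "/etc/systemd/system/docker.service.d"  # path from the report
DROPIN_NAME = "proxy.conf"                            # name from the report


def render_proxy_dropin(http_proxy, https_proxy, no_proxy=""):
    """Build the [Service] drop-in text (hypothetical helper)."""
    lines = ["[Service]"]
    pairs = (("HTTP_PROXY", http_proxy), ("HTTPS_PROXY", https_proxy),
             ("NO_PROXY", no_proxy))
    for key, value in pairs:
        # A quote, backslash or newline could close the assignment and
        # smuggle extra directives into the unit, so refuse them outright.
        if any(c in value for c in '"\\\r\n'):
            raise ValueError(f"unsafe character in {key}")
        # systemd expands %-specifiers in Environment=; "%%" is a literal "%".
        lines.append('Environment="{}={}"'.format(key, value.replace("%", "%%")))
    return "\n".join(lines) + "\n"


def write_dropin(content, dropin_dir=DROPIN_DIR, name=DROPIN_NAME):
    """Write the drop-in atomically; return True only if it changed."""
    path = os.path.join(dropin_dir, name)
    try:
        with open(path, encoding="utf-8") as fh:
            if fh.read() == content:
                return False  # unchanged: no reload or restart needed
    except FileNotFoundError:
        pass
    os.makedirs(dropin_dir, mode=0o755, exist_ok=True)
    # Temp name does not end in ".conf", so systemd never loads a partial file.
    fd, tmp = tempfile.mkstemp(dir=dropin_dir, prefix="." + name + ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return True


def commands_after_change(changed):
    """systemctl calls the caller should run once the drop-in changed."""
    if not changed:
        return []
    return [["systemctl", "daemon-reload"],
            ["systemctl", "restart", "docker.service"]]
```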
George Kraft (cynerva) wrote :

Docker is now installed by the docker subordinate charm, which appears to correctly restart the service after re-rendering the systemd file[1].

> The current approach (modifying the file under /lib/systemd) has the problem that it will block any non-interactive upgrade, as a file is changed that is part of the original package.

Makes sense. I'll leave this issue open so we can address that at least.

[1]: https://github.com/charmed-kubernetes/charm-docker/blob/5caed3afbe55e11779209e0bc517dbf217c3daaa/reactive/docker.py#L206-L211

no longer affects: charm-kubernetes-worker
Changed in charm-docker:
importance: Undecided → High
status: New → Triaged
summary: - proxy configuration for internet access
+ proxy config is rendered to /lib/systemd/system/docker.service which
+ breaks non-interactive apt upgrades
Joseph Borg (joeborg)
Changed in charm-docker:
assignee: nobody → Joseph Borg (joeborg)
status: Triaged → In Progress
Joseph Borg (joeborg) wrote :

Hey Wouter,

Looking at this, I've tried overloading the systemd unit file rather than replacing it. This works; however, it seems upstream no longer includes $DOCKER_OPTS by default, which we rely on. Obviously, adding this back in gets us back to square 1.

How are you peeps enabling unattended upgrades? Is it a charm or are you just setting it on all the hosts via juju run / ssh?

Cheers,
Joe

Joseph Borg (joeborg) wrote :

Got overloaded / drop-in files to work for ExecStart too.

tags: added: review-needed
Joseph Borg (joeborg)
Changed in charm-docker:
status: In Progress → Fix Committed
tags: removed: review-needed
George Kraft (cynerva)
Changed in charm-docker:
milestone: none → 1.20
Changed in charm-docker:
status: Fix Committed → Fix Released