Fedora CoreOS ignores OPTIONS in `/etc/sysconfig/docker`

rocketraman · June 8, 2023, 2:32pm

I have a Fedora CoreOS system with docker.

My /etc/sysconfig/docker file looks like this:

# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS="--selinux-enabled \
--log-driver=journald \
--default-ulimit nofile=122880:122880 \
--init-path /usr/libexec/docker/docker-init \
--userland-proxy-path /usr/libexec/docker/docker-proxy \
--live-restore \
"

However, the docker daemon does not pick up those options:

ps -ef | grep dockerd
root        2879       1  0 14:24 ?        00:00:00 /usr/bin/dockerd --host=fd:// --exec-opt native.cgroupdriver=systemd

Creating an explicit drop-in to override ExecStart and explicitly set the options works, but I’m surprised the default CoreOS configuration is so broken as to completely ignore /etc/sysconfig/docker. I am not doing anything to modify this behavior in the ignition file.

siosm · June 8, 2023, 2:40pm

i can not reproduce that on a fresh system:

[core@cosa-devsh ~]$ cat /etc/sysconfig/docker 
# /etc/sysconfig/docker

# Modify these options if you want to change the way the docker daemon runs
OPTIONS="--selinux-enabled \
  --log-driver=journald \
  --live-restore \
  --default-ulimit nofile=1024:1024 \
  --init-path /usr/libexec/docker/docker-init \
  --userland-proxy-path /usr/libexec/docker/docker-proxy \
"
[core@cosa-devsh ~]$ ps -ef | grep dockerd
root        1963       1  0 14:38 ?        00:00:00 /usr/bin/dockerd --host=fd:// --exec-opt native.cgroupdriver=systemd --selinux-enabled --log-driver=journald --live-restore --default-ulimit nofile=1024:1024 --init-path /usr/libexec/docker/docker-init --userland-proxy-path /usr/libexec/docker/docker-proxy

rocketraman · June 8, 2023, 2:50pm

Thank you for confirming that.

I looked at my options file again with a more critical eye, and turns out I had a comment with a line continuation character at the end, like this:

# Swarm is not compatible with --live-restore \
OPTIONS="--selinux-enabled \
  --log-driver=journald \
  --default-ulimit nofile=122880:122880 \
  --init-path /usr/libexec/docker/docker-init \
  --userland-proxy-path /usr/libexec/docker/docker-proxy \
  --live-restore \
"

and it seems that systemd parses this such that the line continuation character at the end of the comment makes OPTIONS part of the comment!

Bash ignores the line continuation character at the end of the comment so this is at the very least surprising behavior, if not a bug in systemd’s parsing of these files.

rocketraman · June 8, 2023, 3:00pm

I’ve created this upstream issue: EnvironmentFile parsing: line continuation characters at the end of comments are not ignored · Issue #27975 · systemd/systemd · GitHub.

Topic		Replies	Views
Recommended way of setting Docker Flags Project Discussion coreos-wg	3	1523	January 22, 2020
Disabling SELinux breaks docker overlayfs Project Discussion coreos-wg	0	2105	May 30, 2020
SELINUX blocks `docker build` when running with `DOCKER_BUILDKIT=1` Project Discussion coreos-wg	3	432	February 5, 2023
Managing SELinux in Fedora CoreOS Ask Fedora selinux , coreos	2	650	September 23, 2024
Fedora CoreOS: Can't run binaries in /opt/*/bin as systemd services Ask Fedora selinux , coreos	6	1678	October 21, 2021

Fedora CoreOS ignores OPTIONS in `/etc/sysconfig/docker`

Related topics