Description
Issue:
Docker CLI stops responding to commands because in some cases the message sent to init-stderr or init-stdout is above the Linux kernel default max pipe size of 64Kb. The only way to return to working conditions is to read the pipe manually.
Pipes in question:
/var/run/docker/plugins/<opa-docker-authz_id>/init-stderr
/var/run/docker/plugins/<opa-docker-authz_id>/init-stdout
Example
Create a YAML stack definition with a Docker secret above 64Kb (Docker itself allows a secret to be 500Kb: https://docs.docker.com/engine/swarm/secrets/)
secrets:
  - source: cacert
    target: /app/bundle/rootCA.crt
    uid: '19000'
    gid: '19000'
    mode: 0440
Let's say my rootCA.crt is above 100Kb.
Then deploy the stack:
docker stack deploy --with-registry-auth -c deploy_something.yml SomeStack
Expected behavior:
The Docker OPA plugin checks the policies; if allowed, the stack is deployed, else it is denied.
Actual behavior:
Docker CLI output freezes. Restarting the Docker service is not possible, since a graceful shutdown can't be made. The only way to unfreeze the Docker CLI is to:
cat /var/run/docker/plugins/<opa-docker-authz_id>/init-stderr
or
tail -f /var/run/docker/plugins/<opa-docker-authz_id>/init-stderr
Looks like opa-plugin can't correctly work with SIGPIPE signals, which tell about pipe size.
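An added example (not from this report and not code from opa-docker-authz) that reproduces the mechanism described above with a plain OS pipe in Python: a writer that emits more than the pipe capacity blocks as soon as the buffer is full and stays blocked until something drains the read end, which is what `cat`-ing init-stderr does here. `demo_drained_writer` shows the consumer-side fix of reading the pipe continuously so the writer never stalls. The 100 KiB payload is constructed to stand in for the oversize log message, and the function names are mine.

```python
import os
import threading

# Constructed payload: a 100 KiB "log line", larger than the usual 64 KiB pipe buffer.
PIPE_PAYLOAD = b"E" * (100 * 1024)


def measure_pipe_capacity():
    """Fill a fresh pipe with non-blocking writes until EAGAIN; return bytes accepted.

    This is the amount a writer can emit before it blocks when nobody reads.
    """
    r, w = os.pipe()
    os.set_blocking(w, False)
    total = 0
    chunk = b"x" * 4096
    try:
        while True:
            total += os.write(w, chunk)
    except BlockingIOError:  # EAGAIN: buffer full, a blocking writer would hang here
        pass
    finally:
        os.close(r)
        os.close(w)
    return total


def write_all(fd, data):
    """Blocking write loop that handles partial writes."""
    view = memoryview(data)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def demo_stuck_writer(payload=PIPE_PAYLOAD, timeout=1.0):
    """Reproduce the hang: return (blocked_without_reader, completed_after_drain)."""
    r, w = os.pipe()
    done = threading.Event()

    def writer():
        write_all(w, payload)  # stalls once the pipe buffer is full
        os.close(w)
        done.set()

    t = threading.Thread(target=writer, daemon=True)
    t.start()
    blocked = not done.wait(timeout)  # nobody reads: the writer is stuck

    # The manual workaround from the report: read the pipe until EOF.
    drained = 0
    while True:
        buf = os.read(r, 65536)
        if not buf:
            break
        drained += len(buf)
    os.close(r)
    t.join(timeout)
    return blocked, done.is_set() and drained == len(payload)


def demo_drained_writer(payload=PIPE_PAYLOAD, timeout=5.0):
    """Consumer-side fix: a reader drains the pipe continuously, so the write completes."""
    r, w = os.pipe()
    received = bytearray()

    def drain():
        while True:
            buf = os.read(r, 65536)
            if not buf:
                break
            received.extend(buf)
        os.close(r)

    t = threading.Thread(target=drain, daemon=True)
    t.start()
    write_all(w, payload)  # never blocks for long: the reader keeps making room
    os.close(w)
    t.join(timeout)
    return len(received) == len(payload)


if __name__ == "__main__":
    print("pipe capacity:", measure_pipe_capacity())
    print("stuck without reader, recovered after drain:", demo_stuck_writer())
    print("completes with a draining reader:", demo_drained_writer())
```

The same behaviour applies to the writer side of any process whose stdout/stderr is a pipe: if the consumer stops reading, every write beyond the buffer blocks the producer, so either the consumer must keep draining or the producer must cap or redirect large messages.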
Environment:
System: RHEL 7.*
Kernel: Linux 3.10.0-957.el7.x86_64
Docker-CE: 18.09.6
Docker api: 1.39
OPA-Plugin: 0.4, 0.5 (I believe all of them will behave exactly the same)