Merge pull request #13970 from cpuguy83/13964_fix_tlsverify_env

Fix DOCKER_TLS_VERIFY being ignored

docker/docker.go

@@ -86,7 +86,8 @@ func main() {
 
 	// Regardless of whether the user sets it to true or false, if they
 	// specify --tlsverify at all then we need to turn on tls
-	if flag.IsSet("-tlsverify") {
+	// *flTlsVerify can be true even if not set due to DOCKER_TLS_VERIFY env var, so we need to check that here as well
+	if flag.IsSet("-tlsverify") || *flTlsVerify {
 		*flTls = true
 	}
 

integration-cli/docker_cli_daemon_test.go

@@ -1264,3 +1264,14 @@ func (s *DockerDaemonSuite) TestDaemonRestartCleanupNetns(c *check.C) {
 	c.Assert(err, check.Not(check.IsNil), check.Commentf("Output: %s", out))
 	// c.Assert(out, check.Equals, "", check.Commentf("Output: %s", out))
 }
+
+// tests regression detailed in #13964 where DOCKER_TLS_VERIFY env is ignored
+func (s *DockerDaemonSuite) TestDaemonNoTlsCliTlsVerifyWithEnv(c *check.C) {
+	host := "tcp://localhost:4271"
+	c.Assert(s.d.Start("-H", host), check.IsNil)
+	cmd := exec.Command(dockerBinary, "-H", host, "info")
+	cmd.Env = []string{"DOCKER_TLS_VERIFY=1", "DOCKER_CERT_PATH=fixtures/https"}
+	out, _, err := runCommandWithOutput(cmd)
+	c.Assert(err, check.Not(check.IsNil), check.Commentf("%s", out))
+	c.Assert(strings.Contains(out, "error occurred trying to connect"), check.Equals, true)
+}