
curl: (60) SSL certificate problem: unable to get local issuer certificate

Open JohannesWiesner opened this issue 3 years ago • 6 comments

I created a bash script to run this SPM12 example from Neurodocker. When trying to build the resulting Dockerfile using docker build ., I am apparently running into an SSL certificate problem. Is there any way to solve this? Probably related to this stackoverflow thread?

Here's the bash-script to create the Dockerfile:

#!/bin/bash

set -e

# Generate Dockerfile
generate_docker() {
  docker run --rm kaczmarj/neurodocker:0.7.0 generate docker \
  --base=debian:stretch --pkg-manager=apt \
  --spm12 version=r7771 method=binaries
}

generate_docker > Dockerfile

And here's the console output from docker build ., with the error message at the end:

PS C:\Users\Johannes.Wiesner\Documents\testing\build_neurodocker_container> docker image build .
[+] Building 13.1s (6/7)
 => [internal] load build definition from Dockerfile                                                                                                                                                          0.0s
 => => transferring dockerfile: 3.75kB                                                                                                                                                                        0.0s
 => [internal] load .dockerignore                                                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                                                               0.0s
 => [internal] load metadata for docker.io/library/debian:stretch                                                                                                                                             1.5s
 => [1/4] FROM docker.io/library/debian:stretch@sha256:ca2af3c25b43f185cc86cc2038a217d9b4cdbb4d47adbcfe5d25e04c1d75e1d9                                                                                       0.0s
 => CACHED [2/4] RUN export ND_ENTRYPOINT="/neurodocker/startup.sh"     && apt-get update -qq     && apt-get install -y -q --no-install-recommends            apt-utils            bzip2            ca-certi  0.0s
 => ERROR [3/4] RUN export TMPDIR="$(mktemp -d)"     && apt-get update -qq     && apt-get install -y -q --no-install-recommends            bc            libncurses5            libxext6            libxmu6  11.5s
------
 > [3/4] RUN export TMPDIR="$(mktemp -d)"     && apt-get update -qq     && apt-get install -y -q --no-install-recommends            bc            libncurses5            libxext6            libxmu6            libxpm-dev            libxt6     && apt-get clean     && rm -rf /var/lib/apt/lists/*     && echo "Downloading MATLAB Compiler Runtime ..."     && curl -sSL --retry 5 -o /tmp/toinstall.deb http://mirrors.kernel.org/debian/pool/main/libx/libxp/libxp6_1.0.2-2_amd64.deb     && dpkg -i /tmp/toinstall.deb     && rm /tmp/toinstall.deb     && apt-get install -f     && apt-get clean     && rm -rf /var/lib/apt/lists/*     && curl -fsSL --retry 5 -o "$TMPDIR/MCRInstaller.bin" https://dl.dropbox.com/s/zz6me0c3v4yq5fd/MCR_R2010a_glnxa64_installer.bin     && chmod +x "$TMPDIR/MCRInstaller.bin"     && "$TMPDIR/MCRInstaller.bin" -silent -P installLocation="/opt/matlabmcr-2010a"     && rm -rf "$TMPDIR"     && unset TMPDIR     && echo "Downloading standalone SPM ..."     && curl -fsSL --retry 5 -o /tmp/spm12.zip https://www.fil.ion.ucl.ac.uk/spm/download/restricted/utopia/previous/spm12_r7771_R2010a.zip     && unzip -q /tmp/spm12.zip -d /tmp     && mkdir -p /opt/spm12-r7771     && mv /tmp/spm12/* /opt/spm12-r7771/     && chmod -R 777 /opt/spm12-r7771     && rm -rf /tmp/spm*     && /opt/spm12-r7771/run_spm12.sh /opt/matlabmcr-2010a/v713 quit     && sed -i '$iexport SPMMCRCMD=\"/opt/spm12-r7771/run_spm12.sh /opt/matlabmcr-2010a/v713 script\"' /neurodocker/startup.sh:
#6 4.399 Reading package lists...
#6 5.488 Building dependency tree...
#6 5.637 Reading state information...
#6 5.749 The following additional packages will be installed:
#6 5.750   libbsd0 libice6 libpthread-stubs0-dev libreadline7 libsm6 libx11-6
#6 5.750   libx11-data libx11-dev libxau-dev libxau6 libxcb1 libxcb1-dev libxdmcp-dev
#6 5.750   libxdmcp6 libxpm4 readline-common x11-common x11proto-core-dev
#6 5.750   x11proto-input-dev x11proto-kb-dev xorg-sgml-doctools xtrans-dev
#6 5.754 Suggested packages:
#6 5.754   libxcb-doc readline-doc
#6 5.754 Recommended packages:
#6 5.754   libgpm2 libx11-doc
#6 6.077 The following NEW packages will be installed:
#6 6.078   bc libbsd0 libice6 libncurses5 libpthread-stubs0-dev libreadline7 libsm6
#6 6.078   libx11-6 libx11-data libx11-dev libxau-dev libxau6 libxcb1 libxcb1-dev
#6 6.079   libxdmcp-dev libxdmcp6 libxext6 libxmu6 libxpm-dev libxpm4 libxt6
#6 6.079   readline-common x11-common x11proto-core-dev x11proto-input-dev
#6 6.079   x11proto-kb-dev xorg-sgml-doctools xtrans-dev
#6 6.115 0 upgraded, 28 newly installed, 0 to remove and 2 not upgraded.
#6 6.115 Need to get 4,816 kB of archives.
#6 6.115 After this operation, 14.2 MB of additional disk space will be used.
#6 6.115 Get:1 http://deb.debian.org/debian stretch/main amd64 libxau6 amd64 1:1.0.8-1 [20.7 kB]
#6 6.125 Get:2 http://security.debian.org/debian-security stretch/updates/main amd64 libbsd0 amd64 0.8.3-1+deb9u1 [82.9 kB]
#6 6.133 Get:3 http://deb.debian.org/debian stretch/main amd64 readline-common all 7.0-3 [70.4 kB]
#6 6.154 Get:4 http://deb.debian.org/debian stretch/main amd64 libreadline7 amd64 7.0-3 [151 kB]
#6 6.166 Get:5 http://security.debian.org/debian-security stretch/updates/main amd64 libx11-data all 2:1.6.4-3+deb9u3 [291 kB]
#6 6.180 Get:6 http://deb.debian.org/debian stretch/main amd64 bc amd64 1.06.95-9+b3 [105 kB]
#6 6.216 Get:7 http://deb.debian.org/debian stretch/main amd64 x11-common all 1:7.7+19 [251 kB]
#6 6.263 Get:8 http://security.debian.org/debian-security stretch/updates/main amd64 libx11-6 amd64 2:1.6.4-3+deb9u3 [749 kB]
#6 6.292 Get:9 http://deb.debian.org/debian stretch/main amd64 libice6 amd64 2:1.0.9-2 [58.7 kB]
#6 6.306 Get:10 http://deb.debian.org/debian stretch/main amd64 libncurses5 amd64 6.0+20161126-1+deb9u2 [93.4 kB]
#6 6.324 Get:11 http://deb.debian.org/debian stretch/main amd64 libpthread-stubs0-dev amd64 0.3-4 [3,866 B]
#6 6.325 Get:12 http://deb.debian.org/debian stretch/main amd64 libsm6 amd64 2:1.2.2-1+b3 [33.3 kB]
#6 6.336 Get:13 http://deb.debian.org/debian stretch/main amd64 libxdmcp6 amd64 1:1.1.2-3 [26.3 kB]
#6 6.341 Get:14 http://deb.debian.org/debian stretch/main amd64 libxcb1 amd64 1.12-1 [133 kB]
#6 6.371 Get:15 http://deb.debian.org/debian stretch/main amd64 xorg-sgml-doctools all 1:1.11-1 [21.9 kB]
#6 6.378 Get:16 http://deb.debian.org/debian stretch/main amd64 x11proto-core-dev all 7.0.31-1 [728 kB]
#6 6.429 Get:17 http://security.debian.org/debian-security stretch/updates/main amd64 libx11-dev amd64 2:1.6.4-3+deb9u3 [815 kB]
#6 6.523 Get:18 http://deb.debian.org/debian stretch/main amd64 libxau-dev amd64 1:1.0.8-1 [23.6 kB]
#6 6.526 Get:19 http://deb.debian.org/debian stretch/main amd64 libxdmcp-dev amd64 1:1.1.2-3 [42.2 kB]
#6 6.534 Get:20 http://deb.debian.org/debian stretch/main amd64 x11proto-input-dev all 2.3.2-1 [158 kB]
#6 6.570 Get:21 http://deb.debian.org/debian stretch/main amd64 x11proto-kb-dev all 1.0.7-1 [233 kB]
#6 6.613 Get:22 http://deb.debian.org/debian stretch/main amd64 xtrans-dev all 1.3.5-1 [100 kB]
#6 6.622 Get:23 http://deb.debian.org/debian stretch/main amd64 libxcb1-dev amd64 1.12-1 [169 kB]
#6 6.637 Get:24 http://deb.debian.org/debian stretch/main amd64 libxext6 amd64 2:1.3.3-1+b2 [52.5 kB]
#6 6.640 Get:25 http://deb.debian.org/debian stretch/main amd64 libxt6 amd64 1:1.1.5-1 [188 kB]
#6 6.663 Get:26 http://deb.debian.org/debian stretch/main amd64 libxmu6 amd64 2:1.1.2-2 [60.3 kB]
#6 6.669 Get:27 http://deb.debian.org/debian stretch/main amd64 libxpm4 amd64 1:3.5.12-1 [49.1 kB]
#6 6.672 Get:28 http://deb.debian.org/debian stretch/main amd64 libxpm-dev amd64 1:3.5.12-1 [104 kB]
#6 7.881 Fetched 4,816 kB in 0s (8,245 kB/s)
#6 7.916 Selecting previously unselected package libxau6:amd64.
(Reading database ... 7854 files and directories currently installed.)
#6 7.930 Preparing to unpack .../00-libxau6_1%3a1.0.8-1_amd64.deb ...
#6 7.935 Unpacking libxau6:amd64 (1:1.0.8-1) ...
#6 7.984 Selecting previously unselected package readline-common.
#6 7.986 Preparing to unpack .../01-readline-common_7.0-3_all.deb ...
#6 7.991 Unpacking readline-common (7.0-3) ...
#6 8.047 Selecting previously unselected package libreadline7:amd64.
#6 8.048 Preparing to unpack .../02-libreadline7_7.0-3_amd64.deb ...
#6 8.058 Unpacking libreadline7:amd64 (7.0-3) ...
#6 8.122 Selecting previously unselected package bc.
#6 8.123 Preparing to unpack .../03-bc_1.06.95-9+b3_amd64.deb ...
#6 8.130 Unpacking bc (1.06.95-9+b3) ...
#6 8.195 Selecting previously unselected package libbsd0:amd64.
#6 8.197 Preparing to unpack .../04-libbsd0_0.8.3-1+deb9u1_amd64.deb ...
#6 8.202 Unpacking libbsd0:amd64 (0.8.3-1+deb9u1) ...
#6 8.266 Selecting previously unselected package x11-common.
#6 8.267 Preparing to unpack .../05-x11-common_1%3a7.7+19_all.deb ...
#6 8.274 Unpacking x11-common (1:7.7+19) ...
#6 8.336 Selecting previously unselected package libice6:amd64.
#6 8.338 Preparing to unpack .../06-libice6_2%3a1.0.9-2_amd64.deb ...
#6 8.343 Unpacking libice6:amd64 (2:1.0.9-2) ...
#6 8.396 Selecting previously unselected package libncurses5:amd64.
#6 8.398 Preparing to unpack .../07-libncurses5_6.0+20161126-1+deb9u2_amd64.deb ...
#6 8.403 Unpacking libncurses5:amd64 (6.0+20161126-1+deb9u2) ...
#6 8.458 Selecting previously unselected package libpthread-stubs0-dev:amd64.
#6 8.460 Preparing to unpack .../08-libpthread-stubs0-dev_0.3-4_amd64.deb ...
#6 8.465 Unpacking libpthread-stubs0-dev:amd64 (0.3-4) ...
#6 8.505 Selecting previously unselected package libsm6:amd64.
#6 8.507 Preparing to unpack .../09-libsm6_2%3a1.2.2-1+b3_amd64.deb ...
#6 8.513 Unpacking libsm6:amd64 (2:1.2.2-1+b3) ...
#6 8.560 Selecting previously unselected package libxdmcp6:amd64.
#6 8.562 Preparing to unpack .../10-libxdmcp6_1%3a1.1.2-3_amd64.deb ...
#6 8.567 Unpacking libxdmcp6:amd64 (1:1.1.2-3) ...
#6 8.615 Selecting previously unselected package libxcb1:amd64.
#6 8.617 Preparing to unpack .../11-libxcb1_1.12-1_amd64.deb ...
#6 8.622 Unpacking libxcb1:amd64 (1.12-1) ...
#6 8.675 Selecting previously unselected package libx11-data.
#6 8.677 Preparing to unpack .../12-libx11-data_2%3a1.6.4-3+deb9u3_all.deb ...
#6 8.683 Unpacking libx11-data (2:1.6.4-3+deb9u3) ...
#6 8.801 Selecting previously unselected package libx11-6:amd64.
#6 8.803 Preparing to unpack .../13-libx11-6_2%3a1.6.4-3+deb9u3_amd64.deb ...
#6 8.808 Unpacking libx11-6:amd64 (2:1.6.4-3+deb9u3) ...
#6 8.970 Selecting previously unselected package xorg-sgml-doctools.
#6 8.971 Preparing to unpack .../14-xorg-sgml-doctools_1%3a1.11-1_all.deb ...
#6 8.977 Unpacking xorg-sgml-doctools (1:1.11-1) ...
#6 9.017 Selecting previously unselected package x11proto-core-dev.
#6 9.019 Preparing to unpack .../15-x11proto-core-dev_7.0.31-1_all.deb ...
#6 9.024 Unpacking x11proto-core-dev (7.0.31-1) ...
#6 9.120 Selecting previously unselected package libxau-dev:amd64.
#6 9.122 Preparing to unpack .../16-libxau-dev_1%3a1.0.8-1_amd64.deb ...
#6 9.127 Unpacking libxau-dev:amd64 (1:1.0.8-1) ...
#6 9.171 Selecting previously unselected package libxdmcp-dev:amd64.
#6 9.173 Preparing to unpack .../17-libxdmcp-dev_1%3a1.1.2-3_amd64.deb ...
#6 9.178 Unpacking libxdmcp-dev:amd64 (1:1.1.2-3) ...
#6 9.226 Selecting previously unselected package x11proto-input-dev.
#6 9.228 Preparing to unpack .../18-x11proto-input-dev_2.3.2-1_all.deb ...
#6 9.234 Unpacking x11proto-input-dev (2.3.2-1) ...
#6 9.297 Selecting previously unselected package x11proto-kb-dev.
#6 9.299 Preparing to unpack .../19-x11proto-kb-dev_1.0.7-1_all.deb ...
#6 9.304 Unpacking x11proto-kb-dev (1.0.7-1) ...
#6 9.387 Selecting previously unselected package xtrans-dev.
#6 9.389 Preparing to unpack .../20-xtrans-dev_1.3.5-1_all.deb ...
#6 9.395 Unpacking xtrans-dev (1.3.5-1) ...
#6 9.448 Selecting previously unselected package libxcb1-dev:amd64.
#6 9.449 Preparing to unpack .../21-libxcb1-dev_1.12-1_amd64.deb ...
#6 9.455 Unpacking libxcb1-dev:amd64 (1.12-1) ...
#6 9.521 Selecting previously unselected package libx11-dev:amd64.
#6 9.523 Preparing to unpack .../22-libx11-dev_2%3a1.6.4-3+deb9u3_amd64.deb ...
#6 9.529 Unpacking libx11-dev:amd64 (2:1.6.4-3+deb9u3) ...
#6 9.701 Selecting previously unselected package libxext6:amd64.
#6 9.702 Preparing to unpack .../23-libxext6_2%3a1.3.3-1+b2_amd64.deb ...
#6 9.708 Unpacking libxext6:amd64 (2:1.3.3-1+b2) ...
#6 9.762 Selecting previously unselected package libxt6:amd64.
#6 9.764 Preparing to unpack .../24-libxt6_1%3a1.1.5-1_amd64.deb ...
#6 9.770 Unpacking libxt6:amd64 (1:1.1.5-1) ...
#6 9.844 Selecting previously unselected package libxmu6:amd64.
#6 9.846 Preparing to unpack .../25-libxmu6_2%3a1.1.2-2_amd64.deb ...
#6 9.851 Unpacking libxmu6:amd64 (2:1.1.2-2) ...
#6 9.903 Selecting previously unselected package libxpm4:amd64.
#6 9.905 Preparing to unpack .../26-libxpm4_1%3a3.5.12-1_amd64.deb ...
#6 9.910 Unpacking libxpm4:amd64 (1:3.5.12-1) ...
#6 9.953 Selecting previously unselected package libxpm-dev:amd64.
#6 9.954 Preparing to unpack .../27-libxpm-dev_1%3a3.5.12-1_amd64.deb ...
#6 9.959 Unpacking libxpm-dev:amd64 (1:3.5.12-1) ...
#6 10.02 Setting up libncurses5:amd64 (6.0+20161126-1+deb9u2) ...
#6 10.04 Setting up readline-common (7.0-3) ...
#6 10.06 Setting up libpthread-stubs0-dev:amd64 (0.3-4) ...
#6 10.07 Setting up libreadline7:amd64 (7.0-3) ...
#6 10.09 Setting up xorg-sgml-doctools (1:1.11-1) ...
#6 10.10 Setting up x11proto-kb-dev (1.0.7-1) ...
#6 10.12 Setting up libbsd0:amd64 (0.8.3-1+deb9u1) ...
#6 10.13 Setting up xtrans-dev (1.3.5-1) ...
#6 10.15 Processing triggers for libc-bin (2.24-11+deb9u4) ...
#6 10.17 Setting up libxdmcp6:amd64 (1:1.1.2-3) ...
#6 10.19 Setting up bc (1.06.95-9+b3) ...
#6 10.20 Setting up x11-common (1:7.7+19) ...
#6 10.40 update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
#6 10.40 invoke-rc.d: could not determine current runlevel
#6 10.41 invoke-rc.d: policy-rc.d denied execution of start.
#6 10.42 Setting up libx11-data (2:1.6.4-3+deb9u3) ...
#6 10.44 Setting up libxau6:amd64 (1:1.0.8-1) ...
#6 10.46 Setting up x11proto-core-dev (7.0.31-1) ...
#6 10.47 Setting up libxau-dev:amd64 (1:1.0.8-1) ...
#6 10.49 Setting up libxdmcp-dev:amd64 (1:1.1.2-3) ...
#6 10.50 Setting up libice6:amd64 (2:1.0.9-2) ...
#6 10.52 Setting up libxcb1:amd64 (1.12-1) ...
#6 10.53 Setting up x11proto-input-dev (2.3.2-1) ...
#6 10.55 Setting up libsm6:amd64 (2:1.2.2-1+b3) ...
#6 10.56 Setting up libx11-6:amd64 (2:1.6.4-3+deb9u3) ...
#6 10.58 Setting up libxpm4:amd64 (1:3.5.12-1) ...
#6 10.59 Setting up libxt6:amd64 (1:1.1.5-1) ...
#6 10.60 Setting up libxcb1-dev:amd64 (1.12-1) ...
#6 10.62 Setting up libx11-dev:amd64 (2:1.6.4-3+deb9u3) ...
#6 10.63 Setting up libxext6:amd64 (2:1.3.3-1+b2) ...
#6 10.65 Setting up libxpm-dev:amd64 (1:3.5.12-1) ...
#6 10.66 Setting up libxmu6:amd64 (2:1.1.2-2) ...
#6 10.68 Processing triggers for libc-bin (2.24-11+deb9u4) ...
#6 10.73 Downloading MATLAB Compiler Runtime ...
#6 11.18 Selecting previously unselected package libxp6:amd64.
#6 11.19 (Reading database ... 8450 files and directories currently installed.)
#6 11.19 Preparing to unpack /tmp/toinstall.deb ...
#6 11.20 Unpacking libxp6:amd64 (1:1.0.2-2) ...
#6 11.22 Setting up libxp6:amd64 (1:1.0.2-2) ...
#6 11.27 Reading package lists...
#6 11.28 Building dependency tree...
#6 11.28 Reading state information...
#6 11.29 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
#6 11.40 curl: (60) SSL certificate problem: unable to get local issuer certificate
#6 11.40 More details here: https://curl.haxx.se/docs/sslcerts.html
#6 11.40
#6 11.40 curl performs SSL certificate verification by default, using a "bundle"
#6 11.40  of Certificate Authority (CA) public keys (CA certs). If the default
#6 11.40  bundle file isn't adequate, you can specify an alternate file
#6 11.40  using the --cacert option.
#6 11.40 If this HTTPS server uses a certificate signed by a CA represented in
#6 11.40  the bundle, the certificate verification probably failed due to a
#6 11.40  problem with the certificate (it might be expired, or the name might
#6 11.40  not match the domain name in the URL).
#6 11.40 If you'd like to turn off curl's verification of the certificate, use
#6 11.40  the -k (or --insecure) option.
------
executor failed running [/bin/sh -c export TMPDIR="$(mktemp -d)"     && apt-get update -qq     && apt-get install -y -q --no-install-recommends            bc            libncurses5            libxext6            libxmu6            libxpm-dev            libxt6     && apt-get clean     && rm -rf /var/lib/apt/lists/*     && echo "Downloading MATLAB Compiler Runtime ..."     && curl -sSL --retry 5 -o /tmp/toinstall.deb http://mirrors.kernel.org/debian/pool/main/libx/libxp/libxp6_1.0.2-2_amd64.deb     && dpkg -i /tmp/toinstall.deb     && rm /tmp/toinstall.deb     && apt-get install -f     && apt-get clean     && rm -rf /var/lib/apt/lists/*     && curl -fsSL --retry 5 -o "$TMPDIR/MCRInstaller.bin" https://dl.dropbox.com/s/zz6me0c3v4yq5fd/MCR_R2010a_glnxa64_installer.bin     && chmod +x "$TMPDIR/MCRInstaller.bin"     && "$TMPDIR/MCRInstaller.bin" -silent -P installLocation="/opt/matlabmcr-2010a"     && rm -rf "$TMPDIR"     && unset TMPDIR     && echo "Downloading standalone SPM ..."     && curl -fsSL --retry 5 -o /tmp/spm12.zip https://www.fil.ion.ucl.ac.uk/spm/download/restricted/utopia/previous/spm12_r7771_R2010a.zip     && unzip -q /tmp/spm12.zip -d /tmp     && mkdir -p /opt/spm12-r7771     && mv /tmp/spm12/* /opt/spm12-r7771/     && chmod -R 777 /opt/spm12-r7771     && rm -rf /tmp/spm*     && /opt/spm12-r7771/run_spm12.sh /opt/matlabmcr-2010a/v713 quit     && sed -i '$iexport SPMMCRCMD=\"/opt/spm12-r7771/run_spm12.sh /opt/matlabmcr-2010a/v713 script\"' $ND_ENTRYPOINT]: exit code: 60

JohannesWiesner avatar Mar 24 '21 10:03 JohannesWiesner

Hello @JohannesWiesner I tried your example on Ubuntu 20.04 and I couldn't reproduce the error. I did come across it in the past though, that's why the SPM Dockerfile disables the certificate verification: https://github.com/spm/spm-docker/blob/master/matlab/Dockerfile#L34 You could do the same here by adding a --insecure flag but it would be better to understand what is causing the issue in some cases. Could it be that the certificate verification will be made on the host if it failed from the container? Does it make a difference for you if you add ca-certificates in the list of packages to install in the Dockerfile?

gllmflndn avatar Mar 24 '21 12:03 gllmflndn

@gllmflndn With using --insecure and installing ca-certificates it seemed to have worked...

> Could it be that the certificate verification will be made on the host if it failed from the container?

I really couldn't tell, lacking the knowledge here...Could it have something to do with the security settings of my PC and/or pre-installed AntiVirus Software?

JohannesWiesner avatar Mar 24 '21 15:03 JohannesWiesner

hmm ca-certificates is installed in the container... I also cannot reproduce the curl error.

to add --insecure to the spm download, one can use the following:

docker run --rm kaczmarj/neurodocker:0.7.0 generate docker \
  --base=debian:stretch \
  --pkg-manager=apt \
  --spm12 version=r7771 method=binaries curl_opts="--insecure"

kaczmarj avatar Apr 01 '21 20:04 kaczmarj

> hmm ca-certificates is installed in the container... I also cannot reproduce the curl error.
>
> to add --insecure to the spm download, one can use the following:
>
> docker run --rm kaczmarj/neurodocker:0.7.0 generate docker \
>   --base=debian:stretch \
>   --pkg-manager=apt \
>   --spm12 version=r7771 method=binaries curl_opts="--insecure"

I tried that as well instead of manually editing the resulting Dockerfile, works equally well!

JohannesWiesner avatar Apr 06 '21 09:04 JohannesWiesner

Still a bit mysterious but curl_opts="--insecure" is a convenient workaround without having to modify the Dockerfile.

Are you behind a proxy? What is returned if you use curl_opts="-v"?

gllmflndn avatar Apr 09 '21 09:04 gllmflndn

Strange, I executed the EXACT same script from my first post today:

#!/bin/bash

set -e

# Generate Dockerfile
generate_docker() {
  docker run --rm kaczmarj/neurodocker:0.7.0 generate docker \
  --base=debian:stretch --pkg-manager=apt \
  --spm12 version=r7771 method=binaries
}

generate_docker > Dockerfile

and could successfully build an image from the resulting Dockerfile. Yes it might have something to do with a proxy...I might have been in my institute the last time I tried it (cannot remember unfortunately). Feel free to close this issue, not sure if it should stay open.

JohannesWiesner avatar Apr 14 '21 15:04 JohannesWiesner

@kaczmarj @gllmflndn :

Coming back to this problem after more than a year, I now know it definitely has something to do with my corporate firewall. When you are not logged in to the corporate network (e.g. working remotely) everything works fine, but as soon as you are at work and try to run docker build with the Dockerfile generated by neurodocker we run into all sorts of SSL errors. We had the same problem with conda and pip in a bare metal installation of miniconda which we could solve by providing our corporate CA certificate:

conda config --set ssl_verify /home/johannes.wiesner/work/certs/certificates.pem
pip config set global.cert /home/johannes.wiesner/work/certs/certificates.pem

The question is, if something like this is also possible with Docker. Setting curl_opts="--insecure" is one option, but SSL errors are not restricted to SPM12; we also get them with super simple Dockerfiles like:

FROM ubuntu:latest
RUN apt-get update && apt-get install -y git

which produces:

 > [2/2] RUN apt-get update && apt-get install -y git:
#5 0.541 Err:1 http://archive.ubuntu.com/ubuntu jammy InRelease
#5 0.541   403  Forbidden [IP: 185.125.190.39 80]
#5 0.566 Err:2 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
#5 0.566   403  Forbidden [IP: 185.125.190.39 80]
#5 0.600 Err:3 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
#5 0.600   403  Forbidden [IP: 185.125.190.39 80]
#5 0.605 Err:4 http://security.ubuntu.com/ubuntu jammy-security InRelease
#5 0.605   403  Forbidden [IP: 91.189.91.39 80]

So the question is, if it would be preferable to have a more general solution instead of providing "insecure" options for each software. The question is also, if we are not the only ones? If not, has someone a solution for that, and would it make sense to document it in the neurodocker docs? For example solutions for this problem might be found here:

https://docs.docker.com/engine/security/protect-access/
https://github.com/docker/machine/issues/1880

There could be three options for this I guess:

1.) Before using neurodocker: Can we somehow pass the certificate to our local docker installation?
2.) While using neurodocker: Could we solve the problem by passing the certificate to neurodocker (e.g. docker run -i --rm -v /home/johannes.wiesner/work/it/certificates.pem:/etc/ssl/certs/certificates.pem repronim/neurodocker:0.9.4 generate docker?)
3.) After using neurodocker: Could we solve the problem by passing the certificate to docker build after neurodocker ran?

JohannesWiesner avatar Jan 24 '23 11:01 JohannesWiesner

@JohannesWiesner - have you tried the three options? option 2 seems like a good way to go if it works.

kaczmarj avatar Jan 24 '23 13:01 kaczmarj

We already asked IT about options 1 and 3, let's see if they can come up with a solution (unfortunately this is way too IT-ish for me, so I don't understand anything from the Docker docs). I've tried the 2nd option, but this did not help. And now that I think about it, this idea doesn't make sense, because of course, the generation of the Dockerfile stays the same (with or without mounting the path to the certificates.pem file). The second option should be re-written as:

2.) Include a neurodocker command that lets users incorporate a certificates.pem file into the Dockerfile generated by neurodocker

JohannesWiesner avatar Jan 24 '23 15:01 JohannesWiesner

you're right, it wouldn't work because the problem happens during the build, not during runtime.

could you try adding a --copy instruction to copy your certificate into the docker image? toward the beginning of the dockerfile, before any installation of software. first, copy your certificate into your current working directory because that will make it easier to copy into the docker image. if you want to edit a dockerfile directly, add this:

COPY certificates.pem /etc/ssl/certs/

just be aware the resulting docker image will have your certificate in it.

kaczmarj avatar Jan 24 '23 15:01 kaczmarj
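
The failure discussed in this thread can be reproduced offline. This is an added example, not code from the issue or from neurodocker: it builds a throwaway CA and a leaf certificate with the openssl CLI (assumed to be installed with its default configuration) and shows that the leaf fails with the same "unable to get local issuer certificate" reason until the issuing CA is in the bundle. All names, keys and certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: why a certificate re-signed by an inspecting proxy fails
# verification, and why adding the proxy's CA to the trust bundle fixes it.
# Everything below is generated locally; no network access is needed.
set -eu

make_pki() {
  # $1 = working directory
  d=$1
  # Stand-in for the corporate inspection CA (constructed name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Inspection CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Leaf certificate the proxy would present for the download host.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=download.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
  # Stand-in for the image's stock bundle: an unrelated root only.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Public Root" \
    -keyout "$d/stock.key" -out "$d/stock.pem" 2>/dev/null
}

check_chain() {
  # $1 = CA bundle, $2 = certificate to verify
  # Prints "trusted", or the reason openssl gives for rejecting the chain.
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "trusted"
  else
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at .*lookup: *//p' | head -n 1
  fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"

# Stock bundle: the issuer is unknown, so verification fails.
echo "stock bundle:      $(check_chain "$work/stock.pem" "$work/leaf.pem")"

# Bundle with the inspection CA appended: the chain now verifies.
cat "$work/stock.pem" "$work/ca.pem" > "$work/with-ca.pem"
echo "bundle + proxy CA: $(check_chain "$work/with-ca.pem" "$work/leaf.pem")"
```

`--insecure` skips this check entirely rather than satisfying it. On Debian and Ubuntu base images the system bundle that curl reads is rebuilt by `update-ca-certificates` from `.crt` files placed under `/usr/local/share/ca-certificates/`.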

@kaczmarj : You can close this issue, as I don't think there's anything on your side that you can do. We could solve it at my institution by unsetting the ssl deep inspection for my machine. Specifically, this SPM-line created problems:

curl -fL -o /tmp/spm12.zip https://www.fil.ion.ucl.ac.uk/spm/download/restricted/utopia/previous/spm12_r7771_R2010a.zip
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

However, other curl commands generated by neurodocker worked completely fine:

  • MATLAB: curl -fL -o ./MCRInstaller.bin https://dl.dropbox.com/s/zz6me0c3v4yq5fd/MCR_R2010a_glnxa64_installer.bin
  • Freesurfer: curl -fL https://surfer.nmr.mgh.harvard.edu/pub/dist/freesurfer/7.1.1/freesurfer-linux-centos6_x86_64-7.1.1.tar.gz
  • Miniconda: curl -fsSL -o "$conda_installer" https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh

One other solution would be to get in contact with the SPM-peepz, because apparently, their server settings seem to create the issue?

JohannesWiesner avatar Feb 08 '23 15:02 JohannesWiesner