Certificate issue when pulling/running docker containers under iojs v2.0.2
bosco morning and bosco start run into trouble when starting/running docker containers under iojs v2.0.2. The actual error it reports is:
[12:04:18] Bosco: Error pulling infra-nginx-gateway, reason: undefined
But console.log-ing the err gives me:
{ [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
The same error is returned when bosco start-ing:
[12:05:21] Bosco: Running docker service infra-redis ...
[12:05:21] Bosco: Error: unable to verify the first certificate
at Error (native)
at TLSSocket.<anonymous> (_tls_wrap.js:926:38)
at emitNone (events.js:67:13)
at TLSSocket.emit (events.js:166:7)
at TLSSocket._finishInit (_tls_wrap.js:511:8)
Weirdly, it works fine under node v0.12...
Update: still occurs under iojs v2.2.1.
The error appears to be caused by this line: https://github.com/tes/bosco/blob/master/src/RunWrappers/DockerUtils.js#L205
I very much doubt that is actually caused by that line, my guess is that there's some difference in underlying libraries that our docker client (dockerode) uses between node and iojs.
My best guess is that there's some difference in the https builtin between node and iojs. You could dig down into node_modules/ until you find follow-redirects, which is the module that actually uses https.
Yeah, I've got that far. It looks like there's a checkServerIdentity option I might be able to pass into docker-modem, but I'm having trouble working out why dockerode isn't doing so...
What if you set your DOCKER_CERT_PATH and/or DOCKER_TLS_VERIFY env vars to empty before you call bosco? Alternatively, make sure they're set up correctly (not sure what that is).
Running DEBUG=modem DOCKER_TLS_VERIFY= DOCKER_CERT_PATH= bosco start -wr app-employer-profile
Results in:
[05:57:06] Bosco: Running docker service infra-mongodb ...
modem Sending: { path: '/images/json',
method: 'GET',
headers: {},
key: undefined,
cert: undefined,
ca: undefined,
hostname: '192.168.59.103',
port: '2376' } +43ms
[05:57:06] Bosco: Error: Parse Error
at Error (native)
at Socket.socketOnData (_http_client.js:304:20)
at emitOne (events.js:77:13)
at Socket.emit (events.js:169:7)
at readableAddChunk (_stream_readable.js:145:16)
at Socket.Readable.push (_stream_readable.js:109:10)
at TCP.onread (net.js:519:20)
My guess is there's a JSON.parse somewhere that's not handling the 'you should be using https' error that's being returned from Docker.
That's just a guess though.
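An added example, not part of the thread and not Bosco or dockerode code: a check of the docker environment variables that flags the combination visible in the debug output above (port 2376 with key, cert and ca all undefined) and otherwise builds TLS options that verify the daemon against ca.pem. The function name, the injected readFile parameter and the sample certificate contents are assumptions made for illustration.

```javascript
// Added example. Assumptions: any non-empty DOCKER_TLS_VERIFY means "verify",
// and DOCKER_CERT_PATH holds ca.pem, cert.pem and key.pem.
// readFile is injected so the sample runs offline; pass fs.readFileSync for real use.
function dockerTlsOptions(env, readFile) {
  const problems = [];
  const m = /^tcp:\/\/([^:\/]+):(\d+)$/.exec(env.DOCKER_HOST || '');
  if (!m) return { options: null, problems: ['DOCKER_HOST is not tcp://host:port'] };
  // rejectUnauthorized stays true: the daemon is verified against ca.pem.
  const options = { hostname: m[1], port: Number(m[2]), rejectUnauthorized: true };
  if (!env.DOCKER_TLS_VERIFY || !env.DOCKER_CERT_PATH) {
    if (options.port === 2376) {
      problems.push('port 2376 is the TLS port but no key/cert/ca will be sent');
    }
    return { options, problems };
  }
  const dir = env.DOCKER_CERT_PATH.replace(/\/+$/, '');
  for (const name of ['ca', 'cert', 'key']) {
    try {
      options[name] = readFile(dir + '/' + name + '.pem');
    } catch (e) {
      problems.push(name + '.pem unreadable: ' + (e.code || e.message));
    }
  }
  if (!options.ca) {
    problems.push('no ca: only the bundled root CAs are trusted');
  }
  return { options, problems };
}

// Constructed sample input: an in-memory certificate directory (placeholder contents).
const sampleFiles = {
  '/certs/ca.pem': 'CA-PEM', '/certs/cert.pem': 'CERT-PEM', '/certs/key.pem': 'KEY-PEM',
};
function sampleRead(p) {
  if (!(p in sampleFiles)) throw Object.assign(new Error('missing ' + p), { code: 'ENOENT' });
  return sampleFiles[p];
}
const host = 'tcp://192.168.59.103:2376'; // address and port from the debug output above

// Case 1: both variables emptied, as in the command above.
const emptied = dockerTlsOptions({ DOCKER_HOST: host, DOCKER_TLS_VERIFY: '', DOCKER_CERT_PATH: '' }, sampleRead);
// Case 2: variables set and all three PEM files present.
const complete = dockerTlsOptions({ DOCKER_HOST: host, DOCKER_TLS_VERIFY: '1', DOCKER_CERT_PATH: '/certs/' }, sampleRead);
console.log(emptied.problems, complete.problems);
```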
Can you get the curls in this issue to work? https://github.com/boot2docker/boot2docker/issues/573 Specifically this comment: https://github.com/boot2docker/boot2docker/issues/573#issuecomment-59584210 Maybe it's an issue with OSX libs being exposed by how iojs vs node is built on OSX?
BTW this works for me in iojs 2.10.1 - using linux
As suggested in that issue, running a curl against /images/json did indeed lead to all sorts of certificate errors, and performing the following steps fixed them:
Generate 'client' certificate:
openssl pkcs12 -export \
-inkey $DOCKER_CERT_PATH/key.pem \
-in $DOCKER_CERT_PATH/cert.pem \
-name b2d-client-side \
-out $DOCKER_CERT_PATH/b2d-client-side.p12 \
-password pass:tcuser
Add routing rules to boot2docker vm for Docker's remote API:
VBoxManage controlvm boot2docker-vm natpf1 report_api,tcp,127.0.0.1,52376,,2376
Now you can access the /images/json path using the following curl command:
curl --insecure --cert $DOCKER_CERT_PATH/b2d-client-side.p12 --pass tcuser https://127.0.0.1:52376/images/json
This leads me to believe that @geophree is onto something, but I'm still none the wiser as to how to apply this 'fix' to Bosco/Dockerode/Docker Modem/HTTP Redirect/HTTPS under io.js.
Having the same issue with iojs as well. Maybe worth filing an issue on the nodejs (iojs) repo.