Install ca-certificates in Docker image #234

Closed
Alexey-Tsarev opened this issue Feb 24, 2021 · 8 comments

@Alexey-Tsarev

Alexey-Tsarev commented Feb 24, 2021

Describe the bug
Without the ca-certificates package, an official Docker image failed to proxy images from docker.io.

To Reproduce

docker run --rm --name trow --network host containersol/trow:0.3.1-PROXY --proxy-docker-hub --no-tls --port 8083
Starting Trow 0.3.1-PROXY on 0.0.0.0:8083

**Validation callback configuration

  By default all remote images are denied, and all local images present in the repository are allowed

  These host names will be considered local (refer to this registry): ["0.0.0.0"]
  Images with these prefixes are explicitly allowed: ["k8s.gcr.io/", "docker.io/containersol/trow"]
  Images with these names are explicitly allowed: []
  Local images with these prefixes are explicitly denied: []
  Local images with these names are explicitly denied: []

Docker Hub repostories are being proxy-cached under f/docker/

Trow is up and running!

Pull:

docker pull 127.0.0.1:8083/f/docker/mariadb:latest
Error response from daemon: error parsing HTTP 404 response body: json: cannot unmarshal string into Go value of type struct { Errors []errcode.Error }: "\"404 page not found\""

At that time, trow logs:

Trow is up and running!
[2021-02-24T16:51:36Z ERROR rocket::rocket] No matching routes for HEAD /v2/f/docker/mariadb/manifests/latest application/vnd.docker.distribution.manifest.v1+prettyjws.
[2021-02-24T16:51:36Z ERROR trow_server::server] Remote registry didn't repsond to auth request: error sending request for url (https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/mariadb:pull): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z ERROR trow_server::server] Remote registry didn't respond to HEAD request error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z ERROR trow_server::server] Failed to download proxied image error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z WARN  trow_server::server] Internal error with manifest Os { code: 2, kind: NotFound, message: "No such file or directory" }
[2021-02-24T16:51:37Z WARN  rocket::response::responder] Response was `None`.
[2021-02-24T16:51:37Z WARN  rocket::rocket] Responding with 404 Not Found catcher.
[2021-02-24T16:51:38Z ERROR trow_server::server] Remote registry didn't repsond to auth request: error sending request for url (https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/mariadb:pull): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:38Z ERROR trow_server::server] Remote registry didn't respond to HEAD request error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:39Z ERROR trow_server::server] Failed to download proxied image error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:39Z WARN  trow_server::server] Internal error with manifest Os { code: 2, kind: NotFound, message: "No such file or directory" }
[2021-02-24T16:51:39Z WARN  rocket::response::responder] Response was `None`.
[2021-02-24T16:51:39Z WARN  rocket::rocket] Responding with 404 Not Found catcher.

Go in the container and install:

docker exec -ti -u root trow bash
apt update
apt install ca-certificates

After installing ca-certificates, it succeeds:

docker pull 127.0.0.1:8083/f/docker/mariadb:latest
latest: Pulling from f/docker/mariadb
83ee3a23efb7: Pull complete
db98fc6f11f0: Pull complete
f611acd52c6c: Pull complete
aa2333e25466: Pull complete
f53ac4b825fd: Pull complete
c20afcf9b055: Pull complete
54c5dc6dcf19: Pull complete
b1c71d744483: Pull complete
863a8cc01d1c: Pull complete
ea6c59f9e205: Pull complete
6aa441240c22: Pull complete
c1fee6e1dead: Pull complete
Digest: sha256:d866e756c68fce525419ee27e1d76a874c54072e49dfd591891acd28f95760fc
Status: Downloaded newer image for 127.0.0.1:8083/f/docker/mariadb:latest
127.0.0.1:8083/f/docker/mariadb:latest

Logs:

[2021-02-24T16:51:39Z WARN  rocket::rocket] Responding with 404 Not Found catcher.
[2021-02-24T16:53:46Z ERROR rocket::rocket] No matching routes for HEAD /v2/f/docker/mariadb/manifests/latest application/json.
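
The client in the report above only sees a 404, while the cause is in the proxy's own log. As an added example (not part of the original report and not Trow code), this shell sketch summarises upstream certificate-verification failures per host; the sample lines are constructed in the shape of the log above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage TLS trust failures in registry-proxy logs.

# Constructed sample input, shaped like the log lines in the report.
sample_log() {
cat <<'EOF'
[2021-02-24T16:51:36Z ERROR trow_server::server] Remote registry didn't repsond to auth request: error sending request for url (https://auth.docker.io/token?service=registry.docker.io): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z ERROR trow_server::server] Remote registry didn't respond to HEAD request error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z ERROR trow_server::server] Failed to download proxied image error sending request for url (https://registry-1.docker.io/v2/library/mariadb/manifests/latest): error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915: (unable to get local issuer certificate)
[2021-02-24T16:51:37Z WARN  rocket::rocket] Responding with 404 Not Found catcher.
EOF
}

# Read log lines on stdin; print "<count> <upstream host> <OpenSSL verify reason>".
tls_trust_failures() {
    grep 'certificate verify failed' |
    sed -n 's#.*for url (https://\([^/:)]*\).*(\([^()]*\))$#\1 \2#p' |
    sort | uniq -c | sed 's/^ *//'
}

# Exit 0 when the failures say the issuer could not be found locally, i.e. the
# proxy has no (or an incomplete) CA bundle, or the server sent a short chain.
points_to_missing_ca() {
    tls_trust_failures | grep -q 'unable to get local issuer certificate'
}

sample_log | tls_trust_failures
```

When every upstream host fails with the same reason, as here, the proxy's own trust store is the first thing to check rather than any single registry's certificate chain.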
@amouat
Contributor

amouat commented Feb 24, 2021

Ooops. I suspect I removed that and it passed the tests so I thought it was ok. Facepalm.

I'll add it back with a test.

Thanks!
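
A regression check of the kind discussed in this thread can look at the image's filesystem directly. As an added example (not the test from the Trow repository), this shell sketch fails when an unpacked image root has no usable CA bundle; `find_ca_bundle` and the idea of passing an unpacked root directory (for instance the extracted output of `docker export`) are assumptions.

```shell
#!/bin/sh
# Added example: fail a build when the image root filesystem has no CA bundle.
# ROOT is a directory holding the unpacked image filesystem (assumption).

# Well-known bundle locations: Debian/Ubuntu, RHEL/Fedora, Alpine.
CA_BUNDLE_PATHS="etc/ssl/certs/ca-certificates.crt etc/pki/tls/certs/ca-bundle.crt etc/ssl/cert.pem"

# Print "<path> <certificate count>" for the first bundle that holds at least
# one PEM certificate; return 1 when no such bundle exists under ROOT.
find_ca_bundle() {
    root=$1
    for rel in $CA_BUNDLE_PATHS; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        # grep -c prints 0 and exits 1 on no match; keep the 0, ignore the status.
        n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -gt 0 ]; then
            echo "/$rel $n"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: ./check-ca.sh /path/to/unpacked/rootfs
if [ $# -gt 0 ]; then
    find_ca_bundle "$1" || { echo "no CA bundle under $1" >&2; exit 1; }
fi
```

An empty bundle file counts as missing, which also catches an image where the package is present but the bundle was never generated.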

@amouat
Contributor

amouat commented Feb 25, 2021

Rather than sit on this as it's pretty fundamental, I've updated the images in #235. Still need to do a release to publish the images so I'll leave this open until then.

@Alexey-Tsarev
Author

@amouat, are you planning to update Docker images? I found only one armv7 image was updated recently.
https://hub.docker.com/r/containersol/trow/tags?page=1&ordering=last_updated

TAG
2021-02-25-111-armv7
docker pull containersol/trow:2021-02-25-111-armv7
Last pushed 19 hours ago by csdockerhubpush

@amouat
Contributor

amouat commented Feb 26, 2021

Yeah, they should all get published on release I think. I want to fix the bug I'm working on and do a patch release.

@amouat
Contributor

amouat commented Mar 1, 2021

There are intermediate images pushed on merges to master - https://hub.docker.com/r/containersol/trow/tags?page=1&ordering=last_updated

@Alexey-Tsarev
Author

Thanks. I will check soon (amd64 platform).

@Alexey-Tsarev
Author

I checked containersol/trow:2021-02-27-112-amd64.
I found no problem. Good job!

@amouat
Contributor

amouat commented Mar 3, 2021

Thanks!

I'll close this as it's addressed. Hopefully I'll get a patch release out this week as well with the fix.

amouat closed this as completed Mar 3, 2021