I've got this error on both machines at almost the same time with docker-compose, and recently, after a rollback, with fig too. Some search results point to a python/openssl issue, but I simply can't figure out where to dig. Python/openssl come from Homebrew.
Boot2Docker-cli version: v1.4.1
Git commit: 43241cb
Client version: 1.4.1
Client API version: 1.16
Go version (client): go1.4
Git commit (client): 5bc2ff8
OS/Arch (client): darwin/amd64
Server version: 1.4.1
Server API version: 1.16
Go version (server): go1.3.3
Git commit (server): 5bc2ff8
I think the same thing is happening to me when trying to use the docker-compose release candidate...
$ docker-compose ps
SSL error: hostname '192.168.59.103' doesn't match 'boot2docker'
But fig works fine...
$ fig -f docker-compose.yml ps
Name Command State Ports
------------------------------
I'm on OS X and running all the same versions as @gkostyanikov, except that my Go client version is go1.3.3. My python/openssl are also installed via Homebrew. Could that have something to do with it?
Edit: Actually, it looks like Homebrew doesn't link openssl, so I'm using the default OS X version, OpenSSL 0.9.8za 5 Jun 2014.
The problem was the Homebrew python. docker-compose started working after I uninstalled the Homebrew python/openssl, installed pip using easy_install, and reinstalled docker-compose using the system python.
@adambiggs your solution works! Thanks!
This worked for me too. I'm on a brand-new Mac, set up with the Homebrew python. I got this error when fig talked to docker. I followed @adambiggs's advice.
This is happening to me too. And I don't want to use the system python. Does anyone have another workaround?
Have you tried using the binary? Do you get the same problem?
No, I haven't tried the binary.
If you don't want to install into the system Python, another workaround is to use virtualenv(wrapper):
mkvirtualenv --python=/usr/bin/python docker-compose
pip install docker-compose==1.1.0-rc2
I found a better solution, rolling back to Python 2.7.8 using pyenv:
http://stackoverflow.com/a/28216459/1166293
https://github.com/yyuu/pyenv
Edit: Never mind. pyenv introduces its own set of problems...
For me, the cause of this error was that the Homebrew openssl was not linked to /usr/local/bin/openssl. openssl version did not report OpenSSL 1.0.1j 15 Oct 2014. Running brew link --force openssl and reinstalling fig solved the problem.
Interesting, but my OpenSSL version is OpenSSL 1.0.1j 15 Oct 2014.
@aanand in my case the binary doesn't have this problem.
I got this error when I installed fig via pip rather than Homebrew. sudo pip uninstall fig and brew install fig fixed it for me.
+1 for @NotBobTheBuilder's solution, it worked for me.
:+1: for @NotBobTheBuilder
@NotBobTheBuilder's was a great solution for fig.
@ocasta what about this scary warning from Homebrew about linking OpenSSL?
This formula is keg-only.
Mac OS X already provides this software and installing another version in
parallel can cause all kinds of trouble.
Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries
Upvoting @NotBobTheBuilder - that fixed it for me too.
Does anyone know the cause of this problem? It's happening to me with fig. I'd prefer to stick with pip install fig, as I have now. A few weeks ago everything was working fine, and I don't know what changed on my system.
My system OpenSSL is OpenSSL 0.9.8zc 15 Oct 2014; the Homebrew openssl is newer, but it is not linked.
... I think it broke when I upgraded to Python 2.7.9; there seem to be some SSL-related bugs... such as:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196431
http://bugs.python.org/issue23052
Running brew link --force openssl and reinstalling fig did nothing for me.
Does fig need to be updated to work around the SSL changes in Py 2.7.9?
https://www.python.org/dev/peps/pep-0476/#opting-out
I'm using boot2docker. I upgraded to 1.5.0, but no change.
In [1]: from fig.cli.docker_client import docker_client
In [2]: client = docker_client()
In [3]: client.version()
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
In [4]: %debug
> /Users/anentropic/.virtualenvs/dpm/lib/python2.7/site-packages/requests/sessions.py(461)request()
460 send_kwargs.update(settings)
--> 461 resp = self.send(prep, **send_kwargs)
462
ipdb> p settings
{'verify': '/Users/anentropic/.boot2docker/certs/boot2docker-vm/ca.pem', 'cert': ('/Users/anentropic/.boot2docker/certs/boot2docker-vm/cert.pem', '/Users/anentropic/.boot2docker/certs/boot2docker-vm/key.pem'), 'proxies': {}, 'stream': False}
The fig code looks right; it is trying to use the certificates installed by boot2docker... I assume those certificates are fine, since they have always worked, and I only just upgraded b2d, so they can't have expired.
Hmm, my Python (installed via Homebrew) seems to be using the Homebrew version of OpenSSL:
$ python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.0.2 22 Jan 2015
$ brew info openssl
openssl: stable 1.0.2 (bottled)
==> Caveats
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
... /usr/local/opt/openssl/bin/c_rehash
Well, that didn't help :)
I tried my previously installed version of Python (2.7.8_2) via $ brew switch python 2.7.8_2, but had the same problem (even if the error message is slightly different). So the Python 2.7.9 version doesn't seem to be the problem.
Next I tried switching to an older openssl version, from 1.0.2 to 1.0.1j_1, and that seems to work:
$ python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.0.2 22 Jan 2015
$ docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
$ brew switch openssl 1.0.1j_1
$ python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.0.1j 15 Oct 2014
$ docker-compose ps
Name Command State Ports
------------------------------
For me this gives a different error, but it may help narrow down the problem:
$ brew switch openssl 1.0.1j_1
Error: openssl does not have a version "1.0.1j_1" in the Cellar.
Versions available: 1.0.1e, 1.0.1f, 1.0.1g, 1.0.2
$ brew switch openssl 1.0.1g
Opt link created for /usr/local/Cellar/openssl/1.0.1g
$ fig up
SSL error: hostname '192.168.59.103' doesn't match 'boot2docker'
Going back to OpenSSL 1.0.2 gives the earlier CERTIFICATE_VERIFY_FAILED error, so changing the version definitely has some effect.
One workaround is to run docker-compose in a container:
git clone [email protected]:docker/fig.git
cd fig
docker build --tag docker-compose .
alias docker-compose='docker run --rm -e "DOCKER_TLS_VERIFY=$DOCKER_TLS_VERIFY" -e DOCKER_HOST=tcp://172.17.42.1:2376 -e DOCKER_CERT_PATH=/usr/local/certs -v "$DOCKER_CERT_PATH:/usr/local/certs" -v "$PWD:/code" docker-compose --project-name "${PWD##*/}"'
This requires exposing port 2376 in VirtualBox:
VBoxManage controlvm boot2docker-vm natpf1 "docker-s,tcp,127.0.0.1,2376,,2376"
@kretz's answer worked for me.
+1 @kretz, brew switch openssl 1.0.1j_1 did the trick.
brew switch openssl 1.0.1j works for me (note the lack of _1).
I don't like it, but uninstalling fig from the virtualenv and installing it via Homebrew fixes it.
Thanks @kretz - your answer solved it for me!
This doesn't work for me:
$ brew switch openssl 1.0.1j_1
Error: openssl does not have a version "1.0.1j_1" in the Cellar.
Versions available: 1.0.2
My workaround was to create the virtualenv with python 2.7.8 rather than the 2.7.9 I got from brew.
Various workarounds... does anyone have any insight into the real problem?
What does App Engine have to do with anything?
On 11 March 2015 at 18:09, Ryan Small [email protected] wrote:
I'm pretty sure none of the App Engine stuff works with Python 2.7.9
@anentropic you need to install an older openssl version before you can use (switch to) it:
# Find available older versions to install
$ brew search openssl
openssl
homebrew/versions/openssl098 homebrew/versions/openssl101
# Install older 1.0.1 version
$ brew install homebrew/versions/openssl101
# See what versions are installed locally
$ brew info openssl
...
/usr/local/Cellar/openssl/1.0.1f (429 files, 15M)
Built from source
/usr/local/Cellar/openssl/1.0.1i (430 files, 15M)
Poured from bottle
/usr/local/Cellar/openssl/1.0.1j (431 files, 15M)
Poured from bottle
/usr/local/Cellar/openssl/1.0.1j_1 (431 files, 15M)
Poured from bottle
/usr/local/Cellar/openssl/1.0.2 (459 files, 18M)
Poured from bottle
...
# Switch to one of the 1.0.1 you got installed
$ brew switch openssl 1.0.1j_1
I did brew install openssl101, but that didn't give me the option of switching to 1.0.1j... it gave me 1.0.1l, and I'm worried it will confuse my system, since they are separate brew packages and I already have 1.0.2 alongside. It didn't seem to help, but maybe I didn't go far enough with it.
Sorry, I replied to the wrong GitHub issue (I deleted the comment shortly after).
So it seems I'm having this problem too, running on Mac OS X. I'm using docker-compose, and this is my .yml file:
web:
  build: .
  links:
    - db
    - cache
    - worker
  ports:
    - "8080:8080"
db:
  image: mysql
cache:
  image: redis
worker:
  build: .
  command: celery -A application.extentions worker -l info
Running docker-compose pull fails with the following output:
$ docker-compose pull
Pulling db (mysql:latest)...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
A few things I checked:
which openssl; openssl version
/usr/local/bin/openssl
OpenSSL 1.0.2 22 Jan 2015
@psykzz if you install it with brew:
brew install docker-compose
@arvindtest do you think it is related to some issue?
FYI, after a lot of struggling with this, it looks like a boot2docker issue.
What worked for me was disabling TLS. There is no user-friendly way to do that yet, but the steps are outlined here:
https://github.com/deis/deis/issues/2230
Basically, you need to do the following:
boot2docker ssh
sudo echo 'DOCKER_TLS=no' > /var/lib/boot2docker/profile
Then restart boot2docker:
boot2docker stop
boot2docker start
And add something like this to your ~/.bashrc (make sure the IP is right):
export DOCKER_HOST=tcp://192.168.59.103:2375
unset DOCKER_CERT_PATH
unset DOCKER_TLS_VERIFY
Why don't you just have $(boot2docker shellinit) in your bashrc? That should set everything up correctly? I mean, you'd still need to do the TLS solution.
@kretz that works! Thanks.
@psykzz $(boot2docker shellinit), right?
Yes, I updated the comment. derp.
I can confirm that @coderfi's solution of disabling TLS works!
Glad to hear it worked for you. :)
@Matt yes, you are right about the shellinit shell-expansion hint. However, it may not work if boot2docker isn't up yet, so I made the example explicit.
Fi
This may be obvious, but if you are disabling TLS or downgrading OpenSSL just to get this working, you need to think about it carefully, depending on what you are running.
This doesn't apply to everyone, but I had a similar error pop up during pip install using a Dockerfile with gliderlabs/alpine:3.1 at the top, which is the minimal Linux container from progrium and crew. The problem was that I hadn't installed the system certificates package; it was solved by installing the package before installing pip and running the requirements file:
RUN apk-install -X ca-certificates
The suggested solutions didn't really work for me. I couldn't switch to any of the 1.0.1 OpenSSL versions. In the end, I found that just uninstalling every pip-installed docker-compose version and running brew install docker-compose worked.
The solutions above work, but they were a hassle for me. A simple boot2docker upgrade fixed everything on my side.
I already have the latest boot2docker version, but it doesn't work without the fixes above.
The Homebrew developers suggest that docker-py and docker-compose need to upgrade to using requests 2.6.0:
https://github.com/Homebrew/homebrew/issues/38226#issuecomment-88083428
Hopefully this helps someone... I don't know the solution, but I get this message when I'm using Charles as a Mac OS X proxy.
FWIW, installing docker-compose via pip got docker-compose itself working (installing via curl on OS X Mavericks gave an illegal operation error). After that I was getting the SSL error. Running brew link --force openssl && brew switch openssl 1.0.1j seems to have fixed it.
@rseymour's answer worked for me.
If brew can't find openssl-1.0.1j, you can fetch the older version of the openssl recipe from the GitHub repository and use that:
» brew switch openssl 1.0.1j
Error: openssl does not have a version "1.0.1j" in the Cellar.
Versions available: 1.0.2a-1
» brew unlink openssl
Unlinking /usr/local/Cellar/openssl/1.0.2a-1... 1543 symlinks removed
» brew install https://raw.githubusercontent.com/Homebrew/homebrew/62fc2a1a65e83ba9dbb30b2e0a2b7355831c714b/Library/Formula/openssl.rb
...
🍺 /usr/local/Cellar/openssl/1.0.1j_1: 431 files, 14M, built in 4.2 minutes
» docker-compose up
Creating myservice...
I tried 1.0.1m, but it didn't work.
So I tried @lazyval's method.
Here is what I did:
brew install https://raw.githubusercontent.com/Homebrew/homebrew/62fc2a1a65e83ba9dbb30b2e0a2b7355831c714b/Library/Formula/openssl.rb
brew switch openssl 1.0.1j_1
brew unlink openssl101 // because I had linked 1.0.1m before this
brew link openssl --force
docker-compose ps
Thank you!!
I'm investigating this now, since we need to build the binaries with Python 2.7.9 or later.
_Moved from #1427_
Server:
Client:
SSL certificates placed in ~/.docker/{ca.pem,cert.pem,key.pem}
DOCKER_HOST=tcp://docker-builder:2376
DOCKER_TLS_VERIFY=1
I create the SSL certificates using the following Makefile:
#!/bin/bash
SERVER=docker-builder

clean:
	rm ca.* server.* client.* *.key

all: ca.crt server.crt client.crt

%.key:
	openssl genrsa -out $@ 4096

ca.crt: ca.key
	openssl req -new -x509 -days 365 -key ca.key -sha256 -out ca.crt \
		-subj "/C=US/ST=Texas/L=Austin/O=Abc123/OU=Operations/CN=${SERVER}/[email protected]"

server.csr: server.key
	openssl req -new -key server.key -out server.csr \
		-subj "/C=US/ST=Texas/L=Austin/O=Abc123/OU=Operations/CN=${SERVER}/[email protected]"

server.crt: ca.key ca.crt server.csr
	openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
		-CAcreateserial -out server.crt

client.csr: client.key
	openssl req -new -key client.key -out client.csr \
		-subj "/C=US/ST=Texas/L=Austin/O=Abc123/OU=Operations/CN=Docker Client/[email protected]"

client.ext.cnf:
	echo "extendedKeyUsage = clientAuth" > client.ext.cnf

client.crt: client.csr ca.crt ca.key client.ext.cnf
	openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
		-CAcreateserial -out client.crt -extfile client.ext.cnf
The (obviously less than ideal) user-data script for provisioning this machine is as follows:
#cloud-config
write_files:
  - path: /home/core/server.crt
    owner: core:core
    permissions: 0644
    content: |
      -----BEGIN CERTIFICATE-----
      <cert goes here>
      -----END CERTIFICATE-----
  - path: /home/core/server.key
    owner: core:core
    permissions: 0644
    content: |
      -----BEGIN RSA PRIVATE KEY-----
      <key goes here>
      -----END RSA PRIVATE KEY-----
  - path: /home/core/ca.crt
    owner: core:core
    permissions: 0644
    content: |
      -----BEGIN CERTIFICATE-----
      <ca cert goes here>
      -----END CERTIFICATE-----
coreos:
  update:
    reboot-strategy: reboot
  units:
    - name: var-lib-docker.mount
      command: start
      content: |
        [Unit]
        Description=Mount RAM to /var/lib/docker
        Before=docker.service
        [Mount]
        What=tmpfs
        Where=/var/lib/docker
        Type=tmpfs
        Options=size=200g
    - name: docker.service
      command: restart
      content: |
        [Unit]
        Description=Docker Application Container Engine
        Documentation=http://docs.docker.io
        After=network.target
        [Service]
        ExecStartPre=/bin/mount --make-rprivate /
        # Run docker but don't have docker automatically restart
        # containers. This is a job for systemd and unit files.
        ExecStart=/usr/bin/docker -d \
          --tlsverify \
          --tlscert=/home/core/server.crt \
          --tlscacert=/home/core/ca.crt \
          --tlskey=/home/core/server.key \
          -H 0.0.0.0:2376 -H unix:///var/run/docker.sock
        [Install]
        WantedBy=multi-user.target
I have had success accessing the remote Docker server using the docker client. The remote server is called up to 100,000 times a day, with success.
When I try to use docker-compose, installed via curl or via pip install --upgrade on Python 2.7, I get an SSL error:
$ docker-compose up -d
SSL error: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This is even after manually specifying DOCKER_CERT_PATH=/home/user/.docker/ and REQUESTS_CA_BUNDLE=/home/user/.docker/ca.pem, separately or together.
To be clear: this setup works fine with just the docker daemon, but something about -compose is wrong.
Some notes:
$ python -V
$ python -c 'import ssl; print ssl.OPENSSL_VERSION'
On my local machine, where I can reproduce the error, I have Python 2.7.10 and OpenSSL 1.0.2a 19 Mar 2015.
Hmm, that is really odd. What version of b2d and what version of machine are you using? Both use b2d, so I don't know what would be different other than the version.
I'll install via pip on an OS X machine and see what I get.
On Thu, May 28, 2015 at 9:19, Aanand Prasad [email protected] wrote:
Some notes:
1. The Compose 1.3.0 RC1 binary for OS X has this bug. Probably not coincidentally, this is the first time we've built against Python 2.7.9 - previously it was 2.7.6.
2. Strangely, I can reproduce it against a boot2docker VM, but not against a VirtualBox VM provisioned by Machine. @ehazlett https://github.com/ehazlett, @nathanleclaire https://github.com/nathanleclaire, @tianon https://github.com/tianon - any insight here?
3. Anyone who is experiencing this with Compose installed via pip, please report the output of the following commands:
$ python -V
$ python -c 'import ssl; print ssl.OPENSSL_VERSION'
On my local machine, where I can reproduce the error, I have Python 2.7.10 and OpenSSL 1.0.2a 19 Mar 2015.
4. This has been reported to Homebrew, and some people say they have had success reinstalling Python and OpenSSL, but it didn't work for me. Homebrew/homebrew#38226 https://github.com/Homebrew/homebrew/issues/38226
$ boot2docker version
Boot2Docker-cli version: v1.6.2
Git commit: cb2c3bc
$ docker-machine --version
docker-machine version 0.2.0 (8b9eaf2)
Is something different about the certificate generation? There seem to be more files in the Machine cert directory than in boot2docker's:
$ $(boot2docker shellinit)
$ ls -l $DOCKER_CERT_PATH/*.pem
-rw-r--r-- 1 aanand staff 1042 28 May 14:27 /Users/aanand/.boot2docker/certs/boot2docker-vm/ca.pem
-rw-r--r-- 1 aanand staff 1070 28 May 14:27 /Users/aanand/.boot2docker/certs/boot2docker-vm/cert.pem
-rw-r--r-- 1 aanand staff 1675 28 May 14:27 /Users/aanand/.boot2docker/certs/boot2docker-vm/key.pem
$ eval "$(docker-machine env)"
$ ls -l $DOCKER_CERT_PATH/*.pem
-rw-r--r-- 1 aanand staff 1029 11 May 12:15 /Users/aanand/.docker/machine/machines/dev/ca.pem
-rw-r--r-- 1 aanand staff 1054 11 May 12:15 /Users/aanand/.docker/machine/machines/dev/cert.pem
-rw-r--r-- 1 aanand staff 1679 11 May 12:15 /Users/aanand/.docker/machine/machines/dev/key.pem
-rw------- 1 aanand staff 1679 11 May 12:15 /Users/aanand/.docker/machine/machines/dev/server-key.pem
-rw-r--r-- 1 aanand staff 1086 11 May 12:15 /Users/aanand/.docker/machine/machines/dev/server.pem
That's fine. The client only uses ca.pem, cert.pem and key.pem (the server ones are just local copies of what is on the host in machine). I'll create one too and look at the certificates to see what the difference is.
grahamc@snap$ python -V
Python 2.7.6
grahamc@snap$ python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.1e-fips 11 Feb 2013
See https://github.com/docker/docker-py/issues/465. @garethr's test script reproduces the error for me too, after making one change to disable the hostname check:
from docker.client import Client
from docker.utils import kwargs_from_env
kwargs = kwargs_from_env()
kwargs['tls'].assert_hostname = False
client = Client(**kwargs)
print client.version()
$ eval "$(boot2docker shellinit)" && python test.py
Writing /Users/aanand/.boot2docker/certs/boot2docker-vm/ca.pem
Writing /Users/aanand/.boot2docker/certs/boot2docker-vm/cert.pem
Writing /Users/aanand/.boot2docker/certs/boot2docker-vm/key.pem
Traceback (most recent call last):
File "test.py", line 8, in <module>
print client.version()
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/docker/client.py", line 1108, in version
return self._result(self._get(url), json=True)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/docker/client.py", line 106, in _get
return self.get(url, **self._set_request_timeout(kwargs))
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
return self.request('GET', url, **kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
resp = self.send(prep, **send_kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
However, it still works against a VM provisioned with Machine:
$ eval "$(docker-machine env)" && python test.py
{u'KernelVersion': u'4.0.3-boot2docker', u'Arch': u'amd64', u'ApiVersion': u'1.18', u'Version': u'1.6.2', u'GitCommit': u'7c8fca2', u'Os': u'linux', u'GoVersion': u'go1.4.2'}
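If I re-enable hostname checking (by commenting out the assert_hostname line in the test script), it fails with the _same error_ against the boot2docker-cli VM, but against the Machine VM I get a _different error_, which may or may not be related: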
Traceback (most recent call last):
File "test.py", line 8, in <module>
print client.version()
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/docker/client.py", line 1108, in version
return self._result(self._get(url), json=True)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/docker/client.py", line 106, in _get
return self.get(url, **self._set_request_timeout(kwargs))
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
return self.request('GET', url, **kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
resp = self.send(prep, **send_kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "/Users/aanand/.virtualenvs/docker-compose/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: no appropriate commonName or subjectAltName fields were found
I also tried using v1.3.0-rc1 via curl (the binary release, not pip), but got the same error as before with a docker 1.6.2 daemon:
SSL error: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Yeah - the RC1 binary was built with Python 2.7.9 and OpenSSL 1.0.2a, which appears to be one of the problematic combinations.
That makes sense, as I believe certificate generation in b2d happens on the VM, whereas machine generates them in machine. We could detect and add the machine name to the SANs if needed. Actually, that would probably be good, especially for the b2d VM. The reason it works now is that you are accessing the engine using the IP, which machine adds as an IP SAN. There is a PR open to allow arbitrary additional SANs, and that would work too.
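The two name-check failures quoted in this thread (hostname '192.168.59.103' doesn't match 'boot2docker' and no appropriate commonName or subjectAltName fields were found) and the IP SAN explanation above can be reproduced offline. The following is an added example, not code from docker-py, Compose or any participant: a simplified matcher over the dict format returned by Python's ssl getpeercert(), run against constructed certificates. The SAN address, the organization name and the match_ip_sans switch are assumptions; wildcards are not handled.

```python
"""Simplified TLS peer-name check over getpeercert()-style dicts (added example)."""
import ipaddress


class CertificateError(ValueError):
    """The address the client dialed is not covered by the certificate."""


def common_names(cert):
    # "subject" is a tuple of RDNs; each RDN is a tuple of (key, value) pairs.
    return [value
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "commonName"]


def check_peer_name(cert, dialed, match_ip_sans=True):
    """Return (kind, value) of the entry covering `dialed`, else raise.

    match_ip_sans=False models a matcher that ignores "IP Address" SAN
    entries and compares everything as a string, as Python's
    ssl.match_hostname did before 3.5.
    """
    dialed_ip = None
    if match_ip_sans:
        try:
            dialed_ip = ipaddress.ip_address(dialed)
        except ValueError:
            pass  # not an IP literal: compare as a DNS name

    candidates = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if dialed_ip is None and value.lower() == dialed.lower():
                return ("DNS", value)
            candidates.append(value)
        elif kind == "IP Address" and match_ip_sans:
            if dialed_ip is not None and ipaddress.ip_address(value) == dialed_ip:
                return ("IP Address", value)
            candidates.append(value)

    if not candidates:
        # commonName is consulted only when no usable SAN entry was seen.
        for cn in common_names(cert):
            if cn.lower() == dialed.lower():
                return ("commonName", cn)
            candidates.append(cn)

    if len(candidates) > 1:
        raise CertificateError("hostname %r doesn't match either of %s"
                               % (dialed, ", ".join(map(repr, candidates))))
    if len(candidates) == 1:
        raise CertificateError("hostname %r doesn't match %r"
                               % (dialed, candidates[0]))
    raise CertificateError(
        "no appropriate commonName or subjectAltName fields were found")


def explain(cert, dialed, **kwargs):
    """Run the check and return a one-line verdict instead of raising."""
    try:
        kind, value = check_peer_name(cert, dialed, **kwargs)
        return "ok: matched %s %s" % (kind, value)
    except CertificateError as exc:
        return "fail: %s" % exc


# Constructed certificates (not taken from any real VM).
# Only a commonName, as the first error message in the thread implies.
CN_ONLY_CERT = {"subject": ((("commonName", "boot2docker"),),)}
# Only an IP SAN and no commonName; the address is made up.
IP_SAN_CERT = {
    "subject": ((("organizationName", "constructed-org"),),),
    "subjectAltName": (("IP Address", "192.168.99.100"),),
}

if __name__ == "__main__":
    print(explain(CN_ONLY_CERT, "192.168.59.103"))
    print(explain(CN_ONLY_CERT, "boot2docker"))
    print(explain(IP_SAN_CERT, "192.168.99.100"))
    print(explain(IP_SAN_CERT, "192.168.99.100", match_ip_sans=False))
```

Dialing by IP only passes when the certificate carries that address as an IP SAN and the client's matcher reads IP SANs; neither case is a reason to turn the check off with assert_hostname = False.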
OK, I think I've arrived at a fix for OS X: https:
To fix it for Linux, we need to update the Dockerfile to pin Python 2.7.9 and OpenSSL 1.0.1, which will be a fun job since we start from debian:wheezy (which we do to make sure we are using a sufficiently old glibc - see https://github.com/docker/compose/pull/505).
Switched to 1.0.1k as described in @kretz's comment and installed 1.3.0 RC1 via pip.
Before switching, Python reported 1.0.2a:
⯠python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.2a 19 Mar 2015
åãæ¿ããåŸã1.0.1kãšå ±åãããdocker-composeã¯æåŸ ã©ããã«æ©èœããŠããããã§ãã
⯠python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.1k 8 Jan 2015
ãã®ãšã©ãŒãåé€ããåé¿çã¯ãvirtualenvã«æ¬¡ã®ããã±ãŒãžãã€ã³ã¹ããŒã«ããããšã§ããã
pip install pyopenssl==0.14 ndg-httpsclient==0.4 pyasn1==0.1.7
The environment described in https://github.com/docker/compose/issues/890#issuecomment-106289821 provides Python 2.7.6 (you can get a free account via snap-ci.com).
Using the following script, which uses @jsh2134's workaround for the pip install (https://github.com/docker/compose/issues/890#issuecomment-106806702):
#!/bin/bash
set -e
set -u
set -x
readonly DOCKER_VERSION=1.5.0
readonly TARGETFILE=$SNAP_CACHE_DIR/docker-$DOCKER_VERSION
[[ -f "$TARGETFILE" ]] || curl https://get.docker.io/builds/Linux/x86_64/docker-$DOCKER_VERSION > $TARGETFILE
cp $TARGETFILE ~/docker
chmod +x ~/docker
export DOCKER_HOST="tcp://docker-builds:2376" DOCKER_TLS_VERIFY=1
mkdir -p ~/.docker
cat > ~/.docker/ca.pem <<EOC
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOC
cat > ~/.docker/key.pem <<EOC
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
EOC
cat > ~/.docker/cert.pem <<EOC
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOC
function install_docker_compose {
pip install --upgrade pip
pip install --upgrade docker-compose
pip install pyopenssl==0.14 ndg-httpsclient==0.4 pyasn1==0.1.7
export COMPOSE=docker-compose
}
install_docker_compose
export COMPOSE_PROJECT_NAME=$(basename "$(pwd)")-${SNAP_COMMIT:-HEAD}
# Before running anything, setup the EXIT trap to always rm the container on
# exit of the script.
function cleanup {
$COMPOSE kill
$COMPOSE rm --force
}
trap cleanup EXIT
$COMPOSE --version
$COMPOSE build
$COMPOSE up -d
set +e
$COMPOSE run $@
exitcode=$?
set -e
set +x
echo ""
echo "Component Data:"
for id in `$COMPOSE ps -q`; do
~/docker inspect \
-f 'Container {{ .Name }} exited with status {{ .State.ExitCode }}' $id
~/docker logs $id 2>&1 | sed -e "s/^/ /"
echo "---"
done
exit $exitcode
I get the following output:
+ readonly DOCKER_VERSION=1.5.0
+ DOCKER_VERSION=1.5.0
+ readonly TARGETFILE=/var/go/docker-1.5.0
+ TARGETFILE=/var/go/docker-1.5.0
+ [[ -f /var/go/docker-1.5.0 ]]
+ cp /var/go/docker-1.5.0 /var/go/docker
+ chmod +x /var/go/docker
+ export DOCKER_HOST=tcp://docker-builds:2376 DOCKER_TLS_VERIFY=1
+ DOCKER_HOST=tcp://docker-builds:2376
+ DOCKER_TLS_VERIFY=1
+ mkdir -p /var/go/.docker
+ cat
+ cat
+ cat
+ install_docker_compose
+ /bin/true
+ pip install --upgrade pip
/var/go/py-virtualenv2.7/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Collecting pip
Using cached pip-7.0.1-py2.py3-none-any.whl
Installing collected packages: pip
Found existing installation: pip 6.0.8
Uninstalling pip-6.0.8:
Successfully uninstalled pip-6.0.8
Successfully installed pip-7.0.1
+ pip install --upgrade docker-compose
/var/go/py-virtualenv2.7/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Requirement already up-to-date: docker-compose in /var/go/py-virtualenv2.7/lib/python2.7/site-packages
Requirement already up-to-date: docopt<0.7,>=0.6.1 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: PyYAML<4,>=3.10 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: requests<2.6,>=2.2.1 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: texttable<0.9,>=0.8.1 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: websocket-client<1.0,>=0.11.0 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: docker-py<1.2,>=1.0.0 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: dockerpty<0.4,>=0.3.2 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: six<2,>=1.3.0 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from docker-compose)
Requirement already up-to-date: backports.ssl-match-hostname in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from websocket-client<1.0,>=0.11.0->docker-compose)
+ pip install pyopenssl==0.14 ndg-httpsclient==0.4 pyasn1==0.1.7
Collecting pyopenssl==0.14
/var/go/py-virtualenv2.7/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Downloading pyOpenSSL-0.14.tar.gz (128kB)
Collecting ndg-httpsclient==0.4
Downloading ndg_httpsclient-0.4.0.tar.gz
Collecting pyasn1==0.1.7
Downloading pyasn1-0.1.7.tar.gz (68kB)
Collecting cryptography>=0.2.1 (from pyopenssl==0.14)
Downloading cryptography-0.9.tar.gz (302kB)
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from pyopenssl==0.14)
Collecting idna (from cryptography>=0.2.1->pyopenssl==0.14)
Downloading idna-2.0.tar.gz (135kB)
Requirement already satisfied (use --upgrade to upgrade): setuptools in /var/go/py-virtualenv2.7/lib/python2.7/site-packages (from cryptography>=0.2.1->pyopenssl==0.14)
Collecting enum34 (from cryptography>=0.2.1->pyopenssl==0.14)
Downloading enum34-1.0.4.tar.gz
Collecting ipaddress (from cryptography>=0.2.1->pyopenssl==0.14)
Downloading ipaddress-1.0.7-py27-none-any.whl
Collecting cffi>=0.8 (from cryptography>=0.2.1->pyopenssl==0.14)
Downloading cffi-1.0.3.tar.gz (317kB)
Collecting pycparser (from cffi>=0.8->cryptography>=0.2.1->pyopenssl==0.14)
Downloading pycparser-2.13.tar.gz (299kB)
Installing collected packages: idna, pyasn1, enum34, ipaddress, pycparser, cffi, cryptography, pyopenssl, ndg-httpsclient
Running setup.py install for idna
Running setup.py install for pyasn1
Running setup.py install for enum34
Running setup.py install for pycparser
Running setup.py install for cffi
Running setup.py install for cryptography
Running setup.py install for pyopenssl
Running setup.py install for ndg-httpsclient
Successfully installed cffi-1.0.3 cryptography-0.9 enum34-1.0.4 idna-2.0 ipaddress-1.0.7 ndg-httpsclient-0.4.0 pyasn1-0.1.7 pycparser-2.13 pyopenssl-0.14
+ export COMPOSE=docker-compose
+ COMPOSE=docker-compose
+++ pwd
++ basename /var/snap-ci/repo/tests/composer
+ export COMPOSE_PROJECT_NAME=composer-a71ac4f39281a9571a2b5da1284ab1c05da40646
+ COMPOSE_PROJECT_NAME=composer-a71ac4f39281a9571a2b5da1284ab1c05da40646
+ trap cleanup EXIT
+ docker-compose --version
docker-compose 1.2.0
+ docker-compose build
test1 uses an image, skipping
test2 uses an image, skipping
test uses an image, skipping
+ docker-compose up -d
SSL error: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
+ cleanup
+ docker-compose kill
SSL error: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
Note the error in particular (this seems to be new):
/var/go/py-virtualenv2.7/lib/python2.7/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
I've created https://github.com/docker/compose/issues/1484 to brain-dump my investigation so far.
I've built some binaries with a fix for #1474. If you're experiencing SSL problems, please give them a try:
http://cl.ly/3W3a2S3t2c32/download/docker-compose-Linux-x86_64
http://cl.ly/0i00310l3x27/download/docker-compose-Darwin-x86_64
+ curl -L http://cl.ly/3W3a2S3t2c32/download/docker-compose-Linux-x86_64
+ /usr/bin/docker-compose --version
docker-compose version: 1.3.0rc1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
+ /var/go/docker-compose up -d
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
@jsh2134 why are you pinning pyOpenSSL to 0.14?
+1 for @kretz's answer :)
+1 same problem!! Docker seems to be completely broken on OS X?
@coderfi's solution worked for me: Windows 7
Dealing with one of the variant errors on a CentOS 7 VM that acts as a client launching containers on Docker machines:
[root@xxxx cm]# docker-compose ps
SSL error: no appropriate commonName or subjectAltName fields were found
This was intermittent. After logging out and logging back in over SSH, I didn't see the error for a while. Now I see it all the time.
[root@xxxx cm]# python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@xxxx cm]# docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): ba1f6c3/1.6.2
OS/Arch (client): linux/amd64
Server version: swarm/0.2.0
Go version (server): go1.3.3
Git commit (server): 48fd993
OS/Arch (server): linux/amd64
[root@xxxx cm]# docker-compose --version
docker-compose 1.2.0
I'm not sure how to apply some of the fixes above to my environment. I'm not using boot2docker. I'm working with docker 1.6.2 on the bash command line.
Hi. I'm actually going through this issue too and can't fix it. I've tried a lot of things: installing compose via pip / brew / the latest version, trying openssl 0.x, 1.0.2x versions and so on, and it's still the same, it doesn't work.
PS: I'm not using boot2docker. I have my own VM created via Vagrant; I generate the certificates and start the docker daemon with them. Apparently that works with docker, so the problem doesn't come from my certificates.
>>> docker run hello-world
Hello from Docker.
[...]
>>> docker-compose up
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
>>> docker-compose -v
docker-compose version: 1.3.1
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
>>> docker -v
Docker version 1.6.2, build 7c8fca2
I was getting this error at one point:
/usr/local/Cellar/fig/1.3.1/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
SSL error: [Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
After reading this and installing the suggested packages:
https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
the error message from docker-compose changed:
[root@xxx cm]# docker-compose up -d
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
SSL error: hostname 'xx.xx.xx.xx' doesn't match none
(The dotted quads I x'ed out all belong to the swarm master / Docker host.)
Can this problem be solved by editing or regenerating the certificate?
Addendum: the certificates were created on these VMs by "docker-machine create".
Could I be dealing with a docker-machine bug that leaves the certificate details incomplete?
I only get this error with Docker hosts created by docker-machine. I guess the SSL certificates aren't being created correctly?
Does anyone have a workaround or a solution to fix this? This is a bit of a blocker for me right now :/
@prologic are you getting the error with the binary or with a pip-installed Compose? If the latter, try installing requests[security].
@aanand Thanks! I'll try that and report back on whether it works!
@prologic We're tracking the effort to package requests[security], instead of relying on Python's buggy SSL module, in #1530.
@aanand Thank you! This works perfectly :)
@coderfi your solution worked for me, thanks.
@aanand the June 2 build works fine for me. Good luck squashing this painful bug.
@neilsarkar I happened to be running Charles proxy. Your comment saved me. :+1:
I'm using OS X 10.9.5, and this is my choice:
# ➜ openssl version
# OpenSSL 1.0.2d 9 Jul 2015
➜ pyenv local system # switch to built-in python 2.7.5 for current directory
# ➜ python --version
# Python 2.7.5
# ➜ python -c 'import ssl; print(ssl.OPENSSL_VERSION)'
# OpenSSL 0.9.8zd 8 Jan 2015
# ➜ docker-compose --version
# docker-compose version: 1.3.1
# CPython version: 2.7.5
# OpenSSL version: OpenSSL 0.9.8zd 8 Jan 2015
# ➜ docker-compose ps
# /usr/local/Cellar/fig/1.3.1/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
# InsecurePlatformWarning
# Name Command State Ports
# ------------------------------
My workaround:
Comment out lines 246-253 of /usr/local/Cellar/fig/1.3.1/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connection.py
That's the part that throws the security exception.
The problem for me was that even with brew link --force openssl, fig / docker-compose still used /usr/bin/openssl.
$ sudo mv /usr/bin/openssl /usr/bin/openssl_old
$ brew link --force openssl OR brew unlink openssl && brew link --force openssl
This worked for me. Now I no longer get the annoying message.
FYI, the brew fig / docker-compose recipe uses the system python, so even if you installed python via pyenv or brew, brew install fig / docker-compose will use the system openssl lib if it is available; otherwise it installs another version.
On my work Mac, I solved it with pyenv install 2.7.8, easy_install pip, pip install docker-compose.
But on my home Mac I did the same thing (both are running Yosemite) and I still get the warning.
I'll keep looking.
@dtunes - the root cause (referenced above by @aanand) is https://github.com/boot2docker/boot2docker/issues/808. System-python vs. homebrew-python matters a great deal, because they differ in whether they are linked against a new or an old OpenSSL.
Yes, I saw that ticket. What's bugging me is that on my work Mac, after trying the various approaches above, none of them worked.
Then I moved /usr/bin/openssl to /usr/bin/openssl_old, installed the latest openssl with Homebrew, and force-linked it. Only then did I do the following:
~ $ brew install pyenv
~ $ pyenv install 2.7.8
~ $ pyenv global 2.7.8
~ $ easy_install pip
~ $ pip install docker-compose
This did the trick at work. But on my home Mac it didn't work. I'll retry in case I made a mistake, though, and report the result.
@dtunes - to rebuild all the dependencies, you need to delete ~/Library/Caches/pip so that cached binary wheels built against the wrong OpenSSL aren't reused.
@glyph wrote:
The root cause (referenced above by @aanand) is boot2docker/boot2docker#808. System-python vs. homebrew-python matters a great deal, because they differ in whether they are linked against a new or an old OpenSSL.
@glyph or @aanand, does this mean that @aanand's fix merged in #1474 would need to be backed out once boot2docker/boot2docker#808 is properly addressed? Are we pinning our hopes on the next cryptography release (or see that)?
@aanand wrote:
Note that I can't reproduce this error against a Boot2Docker VM provisioned with docker-machine; it only happens against a VM provisioned with the boot2docker command.
@ehazlett wrote:
That makes sense, because cert generation in b2d happens in the VM, whereas machine generates them in machine.
I may be misunderstanding, but I have encountered and tested various host-side Python / OpenSSL combinations for this and related issues. If the cause of the problem is a broken OpenSSL distributed with b2d, I'm not sure that making sure Compose's host-side OpenSSL is similarly broken is the best approach. For what it's worth, these kinds of host-side band-aids are unlikely to solve the problem for those who (for example) run b2d via Vagrant and access b2d outside of Compose (see, e.g., docker/docker-py#465).
If this comment is more appropriate in boot2docker/boot2docker#808, I can move it there.
I'm a Homebrew maintainer; glyph helped me run this down.
The subject DN and issuer DN of the server certificate generated by boot2docker are both set to /O=Boot2Docker. I believe the server certificate is actually signed by the CA certificate, but AFAICT OpenSSL 1.0.2 uses that information (i.e. the identical subject DN and issuer DN) to reject the server certificate as self-signed, instead of validating the server certificate against the supplied CA certificate. Versions of OpenSSL before 1.0.2 validate the server certificate against the supplied CA certificate, which succeeds.
I believe that giving the server certificate and the CA certificate distinct subject DNs (so that the server certificate has distinct subject and issuer DNs) would let every OpenSSL version validate the certificate, but I haven't tested it. I suspect (based on having read this X.509 survival guide but not the relevant specs), but am not certain, that the OpenSSL 1.0.2 behavior is reasonable and does not represent a regression that the OpenSSL developers need to fix.
If the cause of the problem is a broken OpenSSL distributed with b2d
It isn't; according to clients using OpenSSL ≥ 1.0.2, the boot2docker certificates (generated by this code) are invalid. The OpenSSL library distributed with boot2docker is irrelevant.
@glyph or @aanand, does this mean that @aanand's fix merged in #1474 would need to be backed out once boot2docker/boot2docker#808 is properly addressed? Are we pinning our hopes on the next cryptography release (or see that)?
Yes, I think so. The OpenSSL with the problem is 1.0.2, and I believe that restricting to 1.0.1 avoids the validation logic that causes the certificate to fail. I still don't know what it is about the certificate that it doesn't like, because the error message is so unhelpful.
Also, I think what #1474 is doing is too specific. At least from my reading, it isn't setting a _minimum_ Python version, it's specifying an _exact_ version. It also seems to fail the check if the j differs in 1.0.1, which means security updates to 1.0.1 won't be applied either, and that is _definitely_ a problem.
I believe that giving the server certificate and the CA certificate distinct subject DNs (so that the server certificate has distinct subject and issuer DNs) would let every OpenSSL version validate the certificate, but I haven't tested it. I suspect (based on having read this X.509 survival guide but not the relevant specs), but am not certain, that the OpenSSL 1.0.2 behavior is reasonable and does not represent a regression that the OpenSSL developers need to fix.
I'll investigate the certificates docker-machine generates and see whether they have this property. Why do you say this behavior is acceptable rather than an OpenSSL regression? Trusting a self-signed certificate is perfectly fine, and as far as I know there are no special restrictions on what may appear in the subject or issuer. I skimmed part of that guide, and it seems to be pointing out that self-signed certificates have no CA-level trust, so web browsers won't trust them without additional configuration.
Looking at the certificate for my docker-machine VM, I see:
...
Issuer: O=glyph
...
Subject: O=dev
...
So you may be right about that...
I'll investigate the certificates docker-machine generates and see whether [the subject DN and issuer DN match].
aanand's docker-machine certificates also turn out to have distinct DNs.
Trusting a self-signed certificate is perfectly fine
But a self-signed certificate is invalid unless you trust that self-signed certificate. We never tell OpenSSL to trust the server certificate; we tell OpenSSL to trust the CA that issued the server certificate.
Why do you say this behavior is acceptable rather than an OpenSSL regression?
IANAL, but my reasoning comes from the words "at a strict level, [self-signed] means that the issuer and subject fields of the certificate are the same." That is the case for the boot2docker server certificate. When OpenSSL tries to validate the boot2docker server certificate, the server certificate appears to be signed by itself, so it can build a complete trust chain without considering the CA certificate, and that chain is not valid because the certificate is not explicitly trusted. I can't be sure this is strictly correct or required behavior, and I'm not qualified to decide, but it seems "reasonable".
Thanks for bearing with me, everyone.
Also, I think what #1474 is doing is too specific. At least from my reading, it isn't setting a minimum Python version, it's specifying an exact version. It also seems to fail the check if the j differs in 1.0.1, which means security updates to 1.0.1 won't be applied either, and that is definitely a problem.
Agreed. Assuming it's OpenSSL 1.0.2 that doesn't get along with boot2docker's certificates, that part should at least be fixable - I'll look at how to get the latest OpenSSL 1.0.1 in.
@tdsmith, thanks for the explanation, and apologies for the misunderstanding. @glyph, thanks for explaining.
FWIW, to test @tdsmith's theory, I patched generate_cert to produce distinct values for Issuer and Subject. It appears it may hold water (but see the caveat below). Running b2d with certificates generated by the current generate_cert and by the patched version gives the following:
0.9.8zd works with the original generate_cert (0.1)
% /usr/bin/openssl version
OpenSSL 0.9.8zd 8 Jan 2015
% /usr/bin/openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2Docker
-----BEGIN CERTIFICATE-----
MIIC/TCCAeegAwIBAgIRAKt8Sy0ND8z8omBU0uhODVAwCwYJKoZIhvcNAQELMBYx
...
qKFg5oUO9wigoGlwnSjqC/5ZmFRf9B+nWeCUVi/vWl0skOIqCMlDamD8AOVtmtRg
tg==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2Docker
---
Acceptable client certificate CA names
/O=Boot2Docker
---
SSL handshake has read 2554 bytes and written 2188 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 621C9DF6883DA1FAF273408D0C984AC6E1DA33BA44ADA0EBA88BE59490560CFC
Session-ID-ctx:
Master-Key: 39A75DE8551C41241CDBF889A5EF32DC7F86A45C792218B7E380E90627C7D0691BC5FCCAB69154B84142171F866F36C2
Key-Arg : None
TLS session ticket:
0000 - 77 ca 24 b7 2e 33 6a fc-9d 6e d0 eb aa 0d d5 89 w.$..3j..n......
...
0630 - db 49 35 a1 97 .I5..
Start Time: 1438703085
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
1.0.2d (installed via MacPorts) does not work with the original generate_cert (0.1)
% openssl version
OpenSSL 1.0.2d 9 Jul 2015
% openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2Docker
-----BEGIN CERTIFICATE-----
MIIC/TCCAeegAwIBAgIRAKt8Sy0ND8z8omBU0uhODVAwCwYJKoZIhvcNAQELMBYx
...
qKFg5oUO9wigoGlwnSjqC/5ZmFRf9B+nWeCUVi/vWl0skOIqCMlDamD8AOVtmtRg
tg==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2Docker
---
Acceptable client certificate CA names
/O=Boot2Docker
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2156 bytes and written 1373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: BAE02ACF63C2F4E28C46664CEB8E790DB0F00E8CB75913484BFE88CC215995D2
Session-ID-ctx:
Master-Key: C7227519074A26A51D815655721F18C63932897D731D1BF077B8374F8A021D51EDF2E603386D249ED62127BD71A86048
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 14 b0 7a 58 68 91 62 10-14 53 04 cf da 41 63 6e ..zXh.b..S...Acn
...
0350 - 5f 8e fe fd 9c b0 d0 _......
Start Time: 1438703297
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
0.9.8zd works with the patched generate_cert (0.1.1; no surprise)
% /usr/bin/openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=1 /O=Boot2DockerCA
verify return:1
depth=0 /O=Boot2Docker
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2DockerCA
-----BEGIN CERTIFICATE-----
MIIC/zCCAemgAwIBAgIRAMLl0tA00F2BDjyktFSD5aEwCwYJKoZIhvcNAQELMBgx
...
jhzP4aW3a8uAdpQXjf8nmJ5Qrq4Xb6yWAezXRdmPWfG1u4neBQKy1Zp64PiBd+0v
1UPu
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2DockerCA
---
Acceptable client certificate CA names
/O=Boot2DockerCA
---
SSL handshake has read 2563 bytes and written 2193 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 1E52C9982BE1F98559529B9E804D330ADD5EC8654EE9F3AFE6139B2AEAB24919
Session-ID-ctx:
Master-Key: 0714B120A52F735C484BF0F6612909CEB5FAF27D5E66B3DDB76DCB32FFE506F70E4BC5EFC42BB19E5CBE6223ACEA5803
Key-Arg : None
TLS session ticket:
0000 - c4 54 e0 2f 90 68 f2 22-7a c9 ee 2f fb da 25 7a .T./.h."z../..%z
...
0630 - 5c 95 c6 0a e9 bd 21 70-fd \.....!p.
063a - <SPACES/NULS>
Start Time: 1438703534
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
1.0.2d _works!!!_ (:tada: :see_no_evil: :hear_no_evil: :speak_no_evil:) with the patched generate_cert (0.1.1)
% openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2DockerCA
-----BEGIN CERTIFICATE-----
MIIC/zCCAemgAwIBAgIRAMLl0tA00F2BDjyktFSD5aEwCwYJKoZIhvcNAQELMBgx
...
jhzP4aW3a8uAdpQXjf8nmJ5Qrq4Xb6yWAezXRdmPWfG1u4neBQKy1Zp64PiBd+0v
1UPu
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2DockerCA
---
Acceptable client certificate CA names
/O=Boot2DockerCA
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2899 bytes and written 2111 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0F1A3A0AB7B1E7C1CFD43CED169E730745DEB935C4DBEDDC7CD8AB698ECB8896
Session-ID-ctx:
Master-Key: A48F441FD8677E1602BFB96DC7E9B39D0E9A7241D1C4AF93F3022ACB621C73E16BD69F557FF4428B033B1C07DF5EB0FB
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - 30 e1 e9 1a 4d e0 48 78-14 22 e8 21 5d 84 e7 6f 0...M.Hx.".!]..o
...
0630 - 27 15 8a 64 ff 2e 24 44-3d d8 '..d..$D=.
Start Time: 1438703550
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
To try to control for all changes, note that the golang:1.3-cross Docker image used for the build when the original generate_cert (0.1) was released was built when it had access to a package called ssh. That package has since been replaced by openssh-client. The version of OpenSSL used when I built the patched generate_cert is 1.0.1k. It appears to be statically linked:
% ldd generate_cert-0.1.1-linux-amd64
linux-vdso.so.1 (0x00007ffd0936c000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007fddefe7f000)
libc.so.6 => /lib/libc.so.6 (0x00007fddefb11000)
/lib64/ld-linux-x86-64.so.2 => /lib/ld-linux-x86-64.so.2 (0x00007fddf009a000)
So it looks like one of the following two things is happening:
Confusion arises when Issuer == Subject. Alternatively, one way to test this is to rebuild generate_cert without the patch but with the updated version of OpenSSL. I'll do that next.
So it looks like @tdsmith is right. After backing out the patch that ensures Issuer <> Subject and rebuilding generate_cert with the newer version of OpenSSL from golang:1.3-cross, we're back to failure with later OpenSSL versions on the client side:
0.9.8zd works with generate_cert (0.1.2) built with the updated OpenSSL
% /usr/bin/openssl version
OpenSSL 0.9.8zd 8 Jan 2015
% /usr/bin/openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2Docker
-----BEGIN CERTIFICATE-----
MIIC/TCCAeegAwIBAgIRAIVQ9IAYtPQwnu/FHM8HNS0wCwYJKoZIhvcNAQELMBYx
...
xZ+XhXvepeJ/mBIui1qT3yAMum0Mj1zLAxqCY/qsEU4odsgU9N9DbUGngoIkBCrY
gw==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2Docker
---
Acceptable client certificate CA names
/O=Boot2Docker
---
SSL handshake has read 2554 bytes and written 2188 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: FDE088ECF8D0EB2B36EC909B9A66C9C6770AE31355040761CB35150C5A56E92E
Session-ID-ctx:
Master-Key: 86522F869CDE85C8171EEC3A7CF76FDF26F81AE6162DDDEA7D1C55FD5E49E4BDCA56D827C3BFECBFAD9AA2F71A5A94EE
Key-Arg : None
TLS session ticket:
0000 - 67 d0 60 8e 54 54 7c 7a-3e 5e 71 97 26 e0 06 2c g.`.TT|z>^q.&..,
...
0630 - cf 68 86 83 d7 .h...
Start Time: 1438705996
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
DONE
1.0.2d (installed via MacPorts) does not work with generate_cert (0.1.2) built with the updated OpenSSL
% openssl version
OpenSSL 1.0.2d 9 Jul 2015
% openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2Docker
-----BEGIN CERTIFICATE-----
MIIC/TCCAeegAwIBAgIRAIVQ9IAYtPQwnu/FHM8HNS0wCwYJKoZIhvcNAQELMBYx
...
xZ+XhXvepeJ/mBIui1qT3yAMum0Mj1zLAxqCY/qsEU4odsgU9N9DbUGngoIkBCrY
gw==
-----END CERTIFICATE-----
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2Docker
---
Acceptable client certificate CA names
/O=Boot2Docker
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2156 bytes and written 1373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: C2A8BF01E9B754CBF48C69243091C54DAD19DCF52D285C9379B684A3B333AFDD
Session-ID-ctx:
Master-Key: F8510162517AF4C115A13B7CA9E05E04868B4D78CBFA57B28A5B9616EE6FBED6B7B4FC52C2003EBC5D150FA8BDE95F4C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
0000 - bc bc 2c 3e 2d b0 92 49-80 c2 c0 df 4f bd fb 84 ..,>-..I....O...
...
0350 - 1e c7 c2 b2 e6 f5 74 ......t
Start Time: 1438705985
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
SvenDowideit/generate_cert#10 is needed. By the way, in case anyone wants a b2d image built with the patched generate_cert until the official fix is released.
If I understand correctly, this removes the need to play OpenSSL / Python version games on the client side (at least as far as this issue is concerned).
Tagging @SvenDowideit
I had a bit of back-and-forth with the OpenSSL folks. Here's the summary from Stephen Henson:
From: Stephen Henson via RT <[email protected]>
Subject: [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text
Date: August 5, 2015 at 04:32:18 PDT
Cc: [email protected]
Reply-To: [email protected]
... The bug is that OpenSSL 1.0.2 is less strict about
what counts as a valid self signed certificate. Before 1.0.2 the certificate
had to have issuer and subject matching, if present AKID==SKID and
keyUsage (if present) had to include keyCertSign. For 1.0.2 and later the
keyCertSign check is no longer present.
The attached patch should fix it. Let me know if it works for you.
A workaround (other than making subject != issuer) is to include SKID/AKID in
all certificates.
Regards, Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Changing the way b2d generates certificates to accommodate buggy OpenSSL clients seems far better than patching and installing OpenSSL on the client side. However, I don't know which specific approach is more appropriate (making subject != issuer, or including SKID / AKID in all certificates). I'll pass that buck to @SvenDowideit. :smirk:
For the curious (again, I don't think we should take this route), here is the OpenSSL patch from Steve:
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 1f9296a..7a0130a 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -63,6 +63,7 @@
#include <openssl/x509_vfy.h>
static void x509v3_cache_extensions(X509 *x);
+static int check_ca(const X509 *x);
static int check_ssl_ca(const X509 *x);
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
@@ -493,7 +494,7 @@ static void x509v3_cache_extensions(X509 *x)
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
x->ex_flags |= EXFLAG_SI;
/* If SKID matches AKID also indicate self signed */
- if (X509_check_akid(x, x->akid) == X509_V_OK)
+ if (X509_check_akid(x, x->akid) == X509_V_OK && check_ca(x) == 1)
x->ex_flags |= EXFLAG_SS;
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
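Review bot: the comment directly above the changed condition in x509v3_cache_extensions() still reads "If SKID matches AKID also indicate self signed", but after this change EXFLAG_SS is set only when check_ca(x) == 1 holds as well, so the comment should name both conditions and say why a certificate whose subject equals its issuer but which is not a CA must not be flagged as self-signed. Because check_ca() is now called from inside x509v3_cache_extensions(), it is also worth confirming that whatever check_ca() reads from x has already been populated at this point in the function; nothing in the visible lines shows that ordering.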
Wait... _less_ strict? I'm confused about how a _less_ strict check could fail where a more strict check passed?
Wait... _less_ strict? I'm confused about how a _less_ strict check could fail where a more strict check passed?
Yeah, I had trouble with that choice of language too. Looking at the diff, I think he means "mistakenly sweeping in more certificates as self-signed by performing fewer checks" (i.e. being less strict in deciding what does not qualify as self-signed). But you're right; it's an odd way to phrase it.
I haven't spent that much time digging through the OpenSSL source, but I've found it pretty impenetrable in many places. Perhaps it takes a "special" mindset to work on that project. :grin:
I haven't spent that much time digging through the OpenSSL source, but I've found it pretty impenetrable in many places. Perhaps it takes a "special" mindset to work on that project.
I think that's an understatement :wink:.
Anyway, thanks for reaching out to the OpenSSL folks; I'm glad it will get resolved there. In the meantime, working around it in b2d seems like the right thing to do. I don't think there's anything for Compose to do here but wait.
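The certificate layouts compared above can be reproduced and inspected locally. This is an added example, not code from the thread or from boot2docker: it assumes the openssl CLI is on PATH, generates throwaway certificates with the DNs seen in the s_client output, and reports whether a server certificate's subject collides with its issuer and whether it carries SKID/AKID. All function names are illustrative.

```shell
#!/bin/sh
# Added example. The DNs mirror the thread's s_client output; every key and
# certificate is generated locally in a temporary directory (constructed data).

# Print a certificate's subject or issuer DN in one normalized form.
dn_of() {  # usage: dn_of subject|issuer cert.pem
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed -e 's/^[a-z]*= *//'
}

# Digest of the certificate's public key, to tell two certificates apart.
pubkey_id() {  # usage: pubkey_id cert.pem
  openssl x509 -noout -pubkey -in "$1" | openssl dgst -sha256 | sed -e 's/^.*= *//'
}

# Succeeds when the certificate carries both SKID and AKID extensions.
has_key_ids() {  # usage: has_key_ids cert.pem
  text=$(openssl x509 -noout -text -in "$1")
  case $text in *'X509v3 Subject Key Identifier'*) ;; *) return 1 ;; esac
  case $text in *'X509v3 Authority Key Identifier'*) ;; *) return 1 ;; esac
}

# Classify a server certificate against the CA certificate that issued it.
classify_server_cert() {  # usage: classify_server_cert ca.pem server.pem
  if [ "$(dn_of subject "$2")" != "$(dn_of issuer "$2")" ]; then
    echo distinct      # names alone show the cert was issued by another entity
  elif [ "$(pubkey_id "$1")" = "$(pubkey_id "$2")" ]; then
    echo self-signed   # this is the CA certificate itself
  else
    echo collision     # CA-signed, but named like a self-signed certificate
  fi
}

# Generate a CA and a server certificate signed by it (CA plus server layout).
make_layout() {  # usage: make_layout dir ca_dn server_dn [extfile]
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.pem" \
    -CAkey "$1/ca-key.pem" -set_serial 2 ${4:+-extfile "$4"} \
    -out "$1/server.pem" 2>/dev/null
}

# Build one layout in a scratch directory and summarize it on one line.
layout_verdict() {  # usage: layout_verdict ca_dn server_dn [with-key-ids]
  dir=$(mktemp -d) || return 1
  ext=
  if [ "${3:-}" = with-key-ids ]; then
    ext=$dir/ext.cnf
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > "$ext"
  fi
  make_layout "$dir" "$1" "$2" ${ext:+"$ext"} || { rm -rf "$dir"; return 1; }
  verdict=$(classify_server_cert "$dir/ca.pem" "$dir/server.pem")
  has_key_ids "$dir/server.pem" && verdict="$verdict+key-ids"
  # What this machine's OpenSSL makes of the chain (varies by version).
  openssl verify -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1 \
    && verified=yes || verified=no
  rm -rf "$dir"
  echo "$verdict verify=$verified"
}

if command -v openssl >/dev/null 2>&1; then
  echo "same DN for CA and server:   $(layout_verdict /O=Boot2Docker /O=Boot2Docker)"
  echo "distinct CA DN:              $(layout_verdict /O=Boot2DockerCA /O=Boot2Docker)"
  echo "same DN plus SKID/AKID:      $(layout_verdict /O=Boot2Docker /O=Boot2Docker with-key-ids)"
fi
```

The verify= field is whatever the local OpenSSL decides; in the outputs posted above, 1.0.2d rejected the same-DN layout while 0.9.8zd accepted it. To inspect an existing setup, run classify_server_cert and has_key_ids on the daemon's CA and server certificates instead of generated ones.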
As mentioned here:
pip install requests[security]
@iffy that's a red herring. It fixes things because you had cached binary wheels linked against a different OpenSSL.
FYI, a PR with the fix has been submitted as boot2docker/boot2docker#1029.
A fix for this (thanks @posita!) has been released in the latest version of boot2docker. To upgrade:
$ boot2docker upgrade
$ boot2docker delete
$ boot2docker init
$ boot2docker up
That should resolve the problem. Please try it and report back.
Alternatively, switch to Docker Machine, which ships as standard as part of the new Docker Toolbox.
I'm still having this problem...
⯠openssl version && docker-compose --version && docker-machine --version && python --version
OpenSSL 1.0.2d 9 Jul 2015
docker-compose version: 1.4.0
docker-machine version 0.4.1 (HEAD)
Python 2.7.10
⯠docker-compose ps
/usr/local/Cellar/fig/1.4.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Name Command State Ports
------------------------------
@chiefy the docker-compose call is succeeding. The warning you are seeing is harmless. If you want to stop seeing it, you need to upgrade to OS X 10.10.5.
@tdsmith not harmless to me, it's driving my OCD crazy :smile:. Thanks for the tip, upgrading now.
Uninstalling the Python version installed via brew solved this problem for me. brew remove --force python
brewããŒãžã§ã³ãã¢ã³ã€ã³ã¹ããŒã«ããŸãããããŸã Python 2.7.10
ãããã
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
ãšã©ãŒã
I have the following setup:
OpenSSL 0.9.8zg 14 July 2015
docker-compose version: 1.4.0
docker-machine version 0.4.1 (e2c88d6)
Python 2.7.10
@chiefy
Did you solve the problem?
Does anyone know whether the docker-compose people are working on a fix, or whether it is basically not their problem?
Regards,
@PavelPolyakov
No. I've tried various things on both of my Macs (10.9.x and 10.10.x) with no change. FWIW, I think this is more of a Python thing than a docker-compose thing.
@chiefy
I agree, but I couldn't find any variation that makes it work :(
It seems somebody has already solved this problem, but not me :)
I installed Python using brew once, and I think it removed the system one, so I don't have the option of going back to the old one.
I tried installing docker in several variations:
But I still have:
Does anyone have a comprehensive guide on how to overcome this behaviour?
Regards,
@PavelPolyakov - the bug is that boot2docker (and in some cases docker-machine) was creating certificates that Python's SSL support cannot use. Even if you upgrade all the software, the problem remains if the old certificates are still in place. So at this point I'd recommend using a current version of docker-machine to re-provision whatever development VM you have, so that new SSL certificates get provisioned. That may involve moving ~/.docker on the host aside.
@PavelPolyakov and @chiefy, in addition to @glyph's advice, you can also try this (if you don't want to completely re-provision your boot2docker environment):
% mv ~/.docker ~/.docker.bak
% ssh docker@[boot2dockerip]
docker@[boot2dockerip]'s password: [typically "tcuser"]
...
Boot2Docker version 1.8.1, build master : 7f12e95 - Thu Aug 13 03:24:56 UTC 2015
Docker version 1.8.1, build d12ea79
docker@boot2docker:~$ rm -frv ~/.docker
...
docker@boot2docker:~$ sudo -s
root@boot2docker:/home/docker# rm -v /var/lib/boot2docker/tls/*
...
root@boot2docker:/home/docker# shutdown -h now
...
[boot2dockerip] is specific to your VM environment. There may be an easier way (for example vagrant ssh, if you are using Vagrant). Then restart the boot2docker instance and check whether the SSL error still occurs.
@glyph
Thanks for the advice. For me, re-provisioning docker-machine is not a problem. But it does not help.
If I install docker & co with:
brew install docker docker-machine docker-compose
then no default machine is created afterwards. And I don't know how to create it using docker-machine create.
If I install docker-toolbelt using the *.pkg file, the machine is created, but I get the SSL error.
I also tried:
docker-machine regenerate-certs default
But that does not help.
@posita
Thank you for the advice.
Your guide suggests mv ~/.docker ~/.docker-bak - for what reason? If I do that, the key files are moved, so I can no longer restart the machine.
Yes, I can log in to the machine, delete tls/* and shut it down, but how do I start it again?
How do I re-provision from scratch?
@all
What is the way to install docker (with docker-compose working)? Via brew install, or via the toolbelt .pkg?
How can I make sure that the certificates made by docker-machine are valid and usable by Python? How do I upgrade Python and openssl the way brew can?
Thanks for the help
Regards,
@PavelPolyakov - docker-machine no longer has the concept of a "default" machine. You can run docker-machine create --driver virtualbox my-docker-machine.
@PavelPolyakov once that is done, you need to do eval "$(docker-machine env my-docker-machine)", or whatever you chose to call your local development machine.
@glyph
Correct, that was the missing piece when doing everything from brew. A machine named default was provisioned successfully (the same thing that is done during the install from the *.pkg).
However, as always, I ended up with the following.
:(
Your guide suggests mv ~/.docker ~/.docker-bak - for what reason? If I do that, the key files are moved, so I can no longer restart the machine.
@PavelPolyakov, I don't use docker-machine. I was guessing based on other environments. If it doesn't work, please ignore it.
Yes, I can log in to the machine, delete
tls/*
and shut it down, but how do I start it again?
Does docker-machine restart not work?
My comments are based on my own experience running boot2docker with Vagrant. They may not apply well to docker-machine. @glyph seems to have more experience with that environment. I would try his suggestions.
What is the way to install docker (with docker-compose working)? Via
brew install
, or via the toolbelt .pkg?
That is outside the scope of this issue (which deals specifically with the boot2docker certificate problem exhibited by docker-compose), but on OS X, use the binary builds.
@PavelPolyakov, what happens if you do the following?
docker-machine create --driver virtualbox shiny-new-machine-74d5a19e
eval $( docker-machine env shiny-new-machine-74d5a19e )
docker-compose build
What boot2docker version is displayed when you run the following?
docker-machine ssh shiny-new-machine-74d5a19e
Feel free to replace shiny-new-machine-74d5a19e with anything, as long as it does not refer to an existing instance (i.e., the name should not show up when you run docker-machine ls before running the commands above).
@posita
Hmm... :confused:
eval $( docker-machine env shiny-new-machine-74d5a19e ) # probably unnecessary if you're still in the same shell as above
which openssl
openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
@posita
Thank you for your continued help.
openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
http://pastebin.com/Y9ZqfTVG
I tried the same thing on another OS X machine.
With all the latest updates (OS and brew packages), I ran into the same SSL problem.
@PavelPolyakov, I'm seeing this in your openssl s_client ... output:
...
Certificate chain
0 s:/O=shiny-new-machine-74d5a19e
i:/O=PavelPolyakov
...
Those are not the boot2docker defaults, which should (currently) look like this:
...
Certificate chain
0 s:/O=Boot2Docker
i:/O=Boot2Docker
...
Without knowing the details, I think docker-machine is (somehow) overriding the defaults when it provisions the virtual machine. However, the openssl call appears to work, so I don't know whether that is the problem, and I don't know why docker-compose fails either. :confounded:
What is the output of the following?
(
set -x
eval $( docker-machine env shiny-new-machine-74d5a19e )
env | grep DOCKER
ls -al "${DOCKER_CERT_PATH}"
openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text
openssl x509 -in "${DOCKER_CERT_PATH}/ca.pem" -text
docker-compose --verbose version
docker-compose --verbose ps
DOCKER_TLS_VERIFY=0 docker-compose --verbose ps
) >"${HOME}/Desktop/docker-compose-890-outerr-$( date -u +%Y-%m-%dT%H:%M:%SZ ).txt" 2>&1
That will create a file like ~/Desktop/docker-compose-890-outerr-2015-09-18T14:45:29Z.txt suitable for pasting/uploading.
@posita
Here it is:
http://pastebin.com/vWqZgVKi
I'm fairly sure this has nothing to do with your problem, but your docker-compose and docker-py versions are behind. These are the latest releases:
...
docker-compose version: 1.4.1
docker-py version: 1.4.0
...
Also (and I may be misreading this), your ca.pem and cert.pem appear to share the same Subject, which seems to have been created/maintained by docker-machine in place of the original boot2docker name, so I suspect that is a problem. I found docker/machine#1335 and docker/machine#1767, which may be related, but neither seems to be directly on point.
FWIW, I use docker-compose (installed via pip in a virtualenv) with OpenSSL and Python 2.7 installed from MacPorts. That version of OpenSSL is affected by the problem identified in this issue (and worked around by the update to boot2docker). For me, that combination works fine with boot2docker 1.8.1+ and Vagrant (my Vagrantfile uses some provisioning magic to copy the boot2docker certificates back to the host):
% cat /.../Vagrantfile
...
# See <http://tinyurl.com/nz4tgy6>
boot2docker.vm.provision :shell, inline: "set -e ; while ! docker >/dev/null ps --quiet ; do echo 'Waiting for Docker to come alive so we can kill it...' ; sleep 1 ; done ; sudo /etc/init.d/docker stop ; sudo rm -f /var/lib/boot2docker/tls/*.pem ~docker/.docker/*.pem ; sudo /etc/init.d/docker restart ; while ! docker >/dev/null ps --quiet ; do echo 'Waiting for Docker to come alive again so we can steal its keys...' ; sleep 1 ; done ; echo 'It lives!' ; [ -z \"$( find ~docker/.docker -name '*.pem' 2>/dev/null )\" ] || cp -Rv ~docker/.docker/*.pem '/vagrant/certs'" , privileged: true
...
% env | grep DOCKER
DOCKER_HOST=tcp://w.x.y.z:2376
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/.../certs
% ls "${DOCKER_CERT_PATH}"
ca.pem
cert.pem
key.pem
% openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text
...
Issuer: O=Boot2DockerCA
...
Subject: O=Boot2Docker
...
% openssl x509 -in "${DOCKER_CERT_PATH}/ca.pem" -text
...
Subject: O=Boot2DockerCA
...
% virtualenv --python=python2.7 .../venv
...
% .../venv/bin/pip install docker-compose
...
% .../venv/bin/docker-compose --verbose version
docker-compose version: 1.4.1
docker-py version: 1.4.0
CPython version: 2.7.10
OpenSSL version: OpenSSL 1.0.2d 9 Jul 2015
% .../venv/bin/docker-compose ps
Name Command State Ports
------------------------------
I understand you may not have that option. I'm posting it to highlight differences that may help diagnose the problem. Compare the above with the certificates created by docker-machine:
+-zsh:39> openssl x509 -in /.../.docker/machine/machines/shiny-new-machine-74d5a19e/cert.pem -text
...
Issuer: O=PavelPolyakov
...
Subject: O=PavelPolyakov
...
+-zsh:40> openssl x509 -in /.../.docker/machine/machines/shiny-new-machine-74d5a19e/ca.pem -text
...
Subject: O=PavelPolyakov
...
Note that the Subject of ca.pem is the same as the Subject of cert.pem.
I don't think your problem is a docker-compose problem. (@aanand, perhaps you can comment?) Since this issue has become very cluttered, consider filing a new issue with docker/machine. I would start from your first comment and reference this one.
If you decide to file a new issue with docker/machine, consider adding anything interesting you find in /var/log/docker.log or /var/log/boot2docker.log on the VM instance. For example, try this:
ssh docker@[machine-instance] grep generate_cert /var/log/boot2docker.log
Or:
docker-machine ssh grep generate_cert /var/log/boot2docker.log
Getting this on OS X El Capitan
docker-machine version 0.4.1 (HEAD)
Docker version 1.8.2, build 0a8c2e3
docker-compose version: 1.4.2
Hello @DaveBlooman,
I'm curious: did you install Python etc. using brew? Or the other way round?
And do you have the exact error you get when running docker-compose build?
èªäœçµç±ãPython 2.7.10
ã ããééããªãbrew
ããã«äœããèµ·ãããŸã:(
@ DaveBlooman ã @PavelPolyakovã®åé¡ãåçŸ
I had the same problem, but it was due to the fact that I had a VPN connection open through another application (Astrill in my case) that was probably messing something up in the network configuration. I hope this helps someone else with the same problem.
Getting errors on OS X 10.9.5
/usr/local/Cellar/docker-compose/1.5.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Starting compose_maven_1
/usr/local/Cellar/docker-compose/1.5.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Starting compose_ssh_1
/usr/local/Cellar/docker-compose/1.5.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Python 2.7.10
docker-machine version 0.5.0
docker-compose version: 1.5.0
All installed via Homebrew
@anthonygreen, those look like a substantially different problem. You are not seeing the same error message as the one described here. Homebrew users seem to be running into quite a number of problems unrelated to this one. Please consider filing a new issue.
I haven't read this whole thread, but I got the same error on a recent setup of OS X Yosemite using Docker Toolbox 1.9.1a.
$ docker-machine --version
docker-machine version 0.5.1 (7e8e38e)
$ docker-compose --version
docker-compose version: 1.5.1
$ docker --version
Docker version 1.9.1, build a34a1d5
I have a custom CURL_CA_BUNDLE environment variable set (containing some custom internal certificates). Unsetting that environment variable before running docker-compose got me past the [SSL: CERTIFICATE_VERIFY_FAILED] error.
$ (unset CURL_CA_BUNDLE; docker-compose up)
Starting ...
Edit: I meant to comment over here: https://github.com/docker/machine/issues/1880
@pmahoney, thanks for letting the rest of us know! I would never have guessed that. FYI, you can probably also do something like this (if you don't want the subshell):
$ CURL_CA_BUNDLE= docker-compose up
@posita setting the env var to an empty string produces a warning:
$TMPDIR/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
No SSL error occurs, though.
@pmahoney, I see. So it looks like a CURL_CA_BUNDLE that is set but empty has different semantics (i.e., a null override) from one that is not set at all (which probably looks in the default location). I tried to find that behaviour in the documentation, but without success. The closest thing I found was this.
@neilsarkar my problem was also running Charles proxy! Thank you!
Oh my god, I have a custom CURL_CA_BUNDLE on both of the machines I'm testing on.
Thanks
Nothing for me, I don't have a CURL_CA_BUNDLE variable :(
So I tried setting it to some value, with no success at all, but if I set CURL_CA_BUNDLE to nothing (CURL_CA_BUNDLE=), there is a warning as @pmahoney said, and it works, but my terminal gets completely cluttered by the warning messages.
I hope there is a better solution for me :)
If I knew a proper value for the CURL_CA_BUNDLE variable, I would use it :)
THX
I ran into the same problem with webkit-patch. ssl.get_default_verify_paths() in the SSL/TLS module shows where Python/OpenSSL expects the CA certificate file to be. So if you run this in a terminal:
python3 -c "import ssl; [print(i) for i in ssl.get_default_verify_paths()]"
you will see that, when SSL_CERT_FILE is not set, Python's SSL module expects the CA certificate file at /usr/local/ssl/cert.pem (if you installed OpenSSL in /usr/local/ssl). So either set SSL_CERT_FILE to a certificate file that contains the root CA certificates, or put a file containing the root CA certificates at /usr/local/ssl/cert.pem. If you need the root CA certificates, download curl and run lib/mk-ca-bundle.pl in the source tree, which generates a ca-bundle.crt file. SSL_CERT_FILE
setting
@grahamc did you solve the problem? I have a setup similar to yours, but it does not work well with a remote Docker daemon. docker-compose fails.
The error I get is ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
No, unfortunately I had to abandon the remote Docker host :(
I ran into this issue, with docker-compose failing because of CURL_CA_BUNDLE:
ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
docker was working fine. I would suggest having docker-compose ignore the environment variable, or at least log a warning that it is not using the expected certificates.
@buckett, please consider filing a new issue to add that as a feature request. Consider also filing a sister issue against docker-py and having them reference each other. I'm not sure which layer is the most appropriate.
Edit: new issue #3114 has been created.
Has anyone fixed this? I still get the same error. My docker-compose version is as follows:
docker-compose version 1.6.2, build 4d72027
docker-py version: 1.7.2
CPython version: 2.7.9
OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
This is what I get from docker-compose --verbose build:
compose.config.config.find: Using configuration files: ./docker-compose.yml
docker.auth.auth.load_config: File doesn't exist
Traceback (most recent call last):
File "<string>", line 3, in <module>
File "compose/cli/main.py", line 56, in main
File "compose/cli/docopt_command.py", line 23, in sys_dispatch
File "compose/cli/docopt_command.py", line 26, in dispatch
File "compose/cli/main.py", line 189, in perform_command
File "compose/cli/command.py", line 52, in project_from_options
File "compose/cli/command.py", line 85, in get_project
File "compose/cli/command.py", line 68, in get_client
File "site-packages/docker/api/daemon.py", line 78, in version
File "site-packages/docker/utils/decorators.py", line 47, in inner
File "site-packages/docker/client.py", line 112, in _get
File "site-packages/requests/sessions.py", line 477, in get
File "site-packages/requests/sessions.py", line 465, in request
File "site-packages/requests/sessions.py", line 573, in send
File "site-packages/requests/adapters.py", line 431, in send
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
I installed docker, docker-machine and docker-compose through the Docker Toolbox.
I tried all of the suggestions above, but none of them worked. I have no experience with docker, so I could not figure this out on my own.
Does anyone have a root cause or a workaround for this? I'm seeing it with compose 1.7.0 and a recent openssl version.
This is all built and run from Alpine, so the environment should be pristine.
/usr/src/app # env | sed 's/DOCKER_HOST=.*/DOCKER_HOST=#redacted/' && docker version && docker ps && docker-compose version && docker-compose pull
HOSTNAME=aebfe81b5938
SHLVL=1
PYTHON_PIP_VERSION=8.1.1
HOME=/root
GPG_KEY=97FC712E4C024BBEA48A61ED3A5CA953F73C700D
DOCKER_TLS_VERIFY=1
TERM=xterm
DOCKER_CERT_PATH=/certs
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LANG=C.UTF-8
PYTHON_VERSION=3.5.1
DOCKER_HOST=#redacted
PWD=/usr/src/app
Client:
Version: 1.10.3
API version: 1.22
Go version: go1.5.3
Git commit: 20f81dd
Built: Thu Mar 10 21:49:11 2016
OS/Arch: linux/amd64
Server:
Version: 1.10.3
API version: 1.22
Go version: go1.5.3
Git commit: 20f81dd
Built: Thu Mar 10 15:39:25 2016
OS/Arch: linux/amd64
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
docker-compose version 1.7.0, build 0d7bf73
docker-py version: 1.8.0
CPython version: 3.5.1
OpenSSL version: OpenSSL 1.0.2g 1 Mar 2016
Pulling registry (registry:2)...
ERROR: SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
@jmmills
In my case it was caused by a redefined CURL_CA_BUNDLE env variable.
@PavelPolyakov double-checked my environment... no CURL_CA_BUNDLE.
@PavelPolyakov OK, this is weird: I explicitly unset that env variable and it worked, even though it was not in my environment.
@jmmills huh… same here. Maybe Python treats set-as-empty differently from unset?
Mac OS, Homebrew docker-compose and docker-machine, using the system python. Newly created machine (docker-machine create --driver=vmwarefusion --vmwarefusion-memory-size 1536 dev)
env | grep CURL
returns nothing
docker-compose ps
returns
ERROR: SSL error: hostname '172.16.129.133' doesn't match 'localhost'
CURL_CA_BUNDLE='' docker-compose ps
returns the following:
/usr/local/Cellar/docker-compose/1.7.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
/usr/local/Cellar/docker-compose/1.7.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
Name Command State Ports
------------------------------
I have exactly the same thing - CURL_CA_BUNDLE was not set in my environment, and setting it to an empty string gave the same output as @inanimatt.
This definitely smells like an upstream bug; my guess is that the curl environment compatibility code handles "defined" and "empty" differently.
Thanks,
Jason Mills
It only seems to affect the Homebrew version - installing Homebrew Python and then installing docker-compose via pip resolves all the errors.
I think I pasted a reproduction of the problem on Linux earlier. I can double-check on my workstation tomorrow.
Thanks,
Jason Mills
I updated docker-compose to version 1.7 using brew, and I get the same problem here.
$ docker-compose ps
ERROR: SSL error: hostname '192.168.99.100' doesn't match 'localhost'
$ docker-compose version
docker-compose version 1.7.0, build unknown
docker-py version: 1.8.0
CPython version: 2.7.10
OpenSSL version: OpenSSL 0.9.8zh 14 Jan 2016
Setting the CURL_CA_BUNDLE env var to empty kind of solves the problem.
CURL_CA_BUNDLE= docker-compose ps
/opt/boxen/homebrew/Cellar/docker-compose/1.7.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
/opt/boxen/homebrew/Cellar/docker-compose/1.7.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
/opt/boxen/homebrew/Cellar/docker-compose/1.7.0/libexec/vendor/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:768: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
InsecureRequestWarning)
Name Command State Ports
------------------------------------------------------------
Downgrading to 1.6.2 solves the problem.
$ brew switch docker-compose 1.6.2
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.4.2
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.5.1
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.5.2
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.6.0
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.6.2
Cleaning /opt/boxen/homebrew/Cellar/docker-compose/1.7.0
3 links created for /opt/boxen/homebrew/Cellar/docker-compose/1.6.2
$ docker-compose ps
Name Command State Ports
------------------------------------------------------------
Instead of disabling CURL_CA_BUNDLE, you can run it with the following:
CURL_CA_BUNDLE=~/.docker/machine/machines/default/ca.pem docker-compose ps
I'm probably not the first person to bring this up, but isn't it counterintuitive that a curl environment variable affects an unrelated Python application?
Thanks,
Jason Mills
I ran into this issue, and the problem was the REQUESTS_CA_BUNDLE environment variable pointing to a custom location for self-signed certificates. In case this helps anyone.
@aboutloããã¯æ©èœããŸã-ä»ã®ca.pem
ãã¡ã€ã«ã§ã¯æ©èœããããã®ãã¡ã€ã«ã§ã®ã¿æ©èœããŸããã ç§ãWindowsã䜿çšããŠããã®ã§ãããããŒãã¥ãŒæ§æã«ãªã£ãŠããŸããããããšãããããŸãã
Uninstalling ndg-httpsclient (using pip, version 0.4.0) solved the problem for me; see this post: https:
I debugged docker-compose and docker-py and worked out that you need to use either environment variables or options on the command. Don't mix them. Even if you only specify --tls on the command, you have to supply all the options, because the TLSConfig object is then built entirely from the command options and overrides the TLSConfig object built from the environment variables.
@m-housh OMG, thanks for that hint! Exactly the same thing happened to me! I removed REQUESTS_CA_BUNDLE from my environment and that solved the problem.
I ran into the same problem. At first it looked like an OpenSSL version mismatch (1.0.2 for Python, 0.9.8 for the OS), but I brought both to 1.0.2 and it still did not work.
I solved the problem simply by connecting to Docker over SSH and checking and updating the certificate in the authorized keys. Interestingly, there was a wrong certificate in there.
Follow these steps:
boot2docker ssh
docker@boot2docker:~$ cat .ssh/authorized_keys
Check whether that certificate really is the one from your computer. If not, copy yours into that file and save it. Then run:
docker-compose up
This works for me; I hope it helps.
Issue grooming: there are a lot of different failure modes and user error / misconfiguration scenarios described here (all mostly historical).
I don't see anything that appears to point to an active, ongoing problem in Compose, so I'm closing the issue. If you still see related errors with the latest version
Most helpful comment
I'm probably not the first person to bring this up, but isn't it counterintuitive that a curl environment variable affects an unrelated Python application?
Thanks,
Jason Mills
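An added example, not code from this thread or from docker-compose: a small audit of the CA-bundle variables discussed above (CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE) against DOCKER_CERT_PATH, flagging the "set but empty" case that the thread saw switch verification off. The function names, severity labels and the REQUESTS_CA_BUNDLE-before-CURL_CA_BUNDLE precedence are assumptions of this example; the sample environments and files are constructed.

```python
import os
import ssl
import tempfile

# Variables named in the thread. Checking REQUESTS_CA_BUNDLE before
# CURL_CA_BUNDLE is an assumption of this example.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")


def effective_override(environ):
    """Return None (no override), "" (set but empty) or the bundle path.

    Models `a or b` precedence: an empty first variable falls through to the
    second, and an empty result stays distinct from "not set at all".
    """
    result = None
    for name in CA_ENV_VARS:
        if name in environ:
            if environ[name]:
                return environ[name]
            result = ""
    return result


def docker_ca(environ):
    """CA file the Docker client is expected to trust, from DOCKER_CERT_PATH."""
    cert_dir = environ.get("DOCKER_CERT_PATH")
    return os.path.join(cert_dir, "ca.pem") if cert_dir else None


def audit(environ):
    """Return a list of (severity, message) findings for one environment."""
    findings = []
    override = effective_override(environ)
    expected = docker_ca(environ)
    if override is None:
        return findings
    if override == "":
        findings.append(("HIGH", "CA bundle variable is set but empty; the thread "
                         "saw this turn verification off (InsecureRequestWarning)"))
        return findings
    path = os.path.expanduser(override)
    if not os.path.isfile(path):
        findings.append(("HIGH", "CA bundle override points at a missing file: " + path))
    elif expected and os.path.realpath(path) != os.path.realpath(expected):
        findings.append(("MEDIUM", "CA bundle override %s replaces %s; expect "
                         "CERTIFICATE_VERIFY_FAILED if it lacks the Docker CA"
                         % (path, expected)))
    else:
        findings.append(("INFO", "CA bundle override in use: " + path))
    return findings


def demo():
    """Run the audit over constructed environments (sample data, not real hosts)."""
    with tempfile.TemporaryDirectory() as tmp:
        certs = os.path.join(tmp, "certs")
        os.mkdir(certs)
        for name in (os.path.join(certs, "ca.pem"), os.path.join(tmp, "corp.pem")):
            with open(name, "w") as fh:
                fh.write("constructed placeholder, not a real certificate\n")
        base = {"DOCKER_TLS_VERIFY": "1", "DOCKER_CERT_PATH": certs}
        cases = {
            "clean": dict(base),
            "empty": dict(base, CURL_CA_BUNDLE=""),
            "corp": dict(base, CURL_CA_BUNDLE=os.path.join(tmp, "corp.pem")),
            "docker-ca": dict(base, CURL_CA_BUNDLE=os.path.join(certs, "ca.pem")),
            "stale": dict(base, REQUESTS_CA_BUNDLE=os.path.join(tmp, "gone.pem")),
        }
        return {label: [sev for sev, _ in audit(env)] for label, env in cases.items()}


if __name__ == "__main__":
    print("OpenSSL defaults:", ssl.get_default_verify_paths())
    for severity, message in audit(dict(os.environ)):
        print(severity, message)
    print(demo())
```

Run it in the same shell in which docker-compose fails, so that it sees the same environment.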