This repository has been archived by the owner on Sep 26, 2021. It is now read-only.

docker-compose build -> SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581) #1880

Closed
PavelPolyakov opened this issue Sep 18, 2015 · 79 comments

Comments

@PavelPolyakov

!!! SOLUTION !!!
(thanks to @pmahoney docker/compose#890 (comment))

echo $CURL_CA_BUNDLE
unset CURL_CA_BUNDLE
docker-compose up

!!! END OF SOLUTION !!!

Hi,

As I was advised in docker/compose#890 (comment) (thanks @posita for the help), I want to raise a new issue that I cannot make docker-compose work on my Mac.
It is worth stating that I have Python and OpenSSL installed via brew, and every package is up to date.

I have tried to install docker & co in two ways:

  1. using brew
  2. using *.pkg

But every time I got the SSL issue.

I currently have the following setup:

OpenSSL 0.9.8zg 14 July 2015
docker-compose version: 1.4.0
docker-machine version 0.4.1 (e2c88d6)
Python 2.7.10

And that's what I have when doing docker-compose:
image

As @posita suggested, the issue takes place because of certificate misconfiguration:
docker/compose#890 (comment)
And the certificates are created during docker-machine provisioning and creation, so I have created an issue here.

However, I am not a specialist in this area :( But I still want to have docker-compose work on my Mac.
As I understand, the most complete debug information is the result of the following command:

(
set -x
eval $( docker-machine env shiny-new-machine-74d5a19e )
env | grep DOCKER
ls -al "${DOCKER_CERT_PATH}"
openssl x509 -in "${DOCKER_CERT_PATH}/cert.pem" -text
openssl x509 -in "${DOCKER_CERT_PATH}/ca.pem" -text
docker-compose --verbose version
docker-compose --verbose ps
DOCKER_TLS_VERIFY=0 docker-compose --verbose ps
) >"${HOME}/Desktop/docker-compose-890-outerr-$( date -u +%Y-%m-%dT%H:%M:%SZ ).txt" 2>&1

Here you can find it: http://pastebin.com/vWqZgVKi

Any advice is appreciated.

Thanks for the help!

Regards,

@PavelPolyakov
Author

Any thoughts are appreciated, I'm stuck, and do not want to reinstall my OS to make docker-compose work :)

@ehazlett
Contributor

Thanks for reporting. Do you happen to be using a boot2docker vm with machine?

@posita
Contributor

posita commented Sep 20, 2015

This may be a red herring, but one thing I noticed is that docker-machine+boot2docker does not rely on boot2docker's default generated certs. Rather, machine seems to generate its own. When it does, the Subject of cert.pem is the same as the Issuer (i.e., the same as the Subject of ca.pem).

Due to a bug with certain (recent) versions of OpenSSL, this is substantially the same behavior that caused similar errors when using docker tools directly with boot2docker (i.e., without docker-machine; see also boot2docker/boot2docker#1029 and SvenDowideit/generate_cert#10). A fix was released with boot2docker 1.8.0 (@eaaaeae). However, as I mentioned, the (potentially) problematic behavior seems to be preserved when using machine, due to machine's own certificate handling.

My recommendation is to patch machine to make sure that the Subject of cert.pem differs from ca.pem and then have @PavelPolyakov test it in his environment. If the patched machine makes the error go away for him, I think you've got your fix. If not, then it's something else that is beyond my understanding of the problem.

I would submit a PR, but I am not (yet) very skilled with Go, nor am I familiar with how machine handles certificate creation/installation with boot2docker. Unfortunately my current schedule does not allow me to dedicate the requisite time to come up to speed. In lieu of that, I hope this summary is useful.

@PavelPolyakov
Author

@ehazlett
Sorry, I haven't understood the question.

Here is how the machine was created:

docker-machine create --driver virtualbox my-docker-machine

The latest image was downloaded from the internet.

@posita
Thanks for the help, ready to test anything which could lead to success.

@PavelPolyakov
Author

@ehazlett
Hi guys, could you tell me if I can help somehow? And how can we make it work?

Regards,

@PavelPolyakov
Author

@RKLT

Tried that:
image

Seems like the result is the same.

Any other thoughts?

@rkit

rkit commented Sep 23, 2015

@PavelPolyakov Sorry, I was wrong…
I am looking for a solution ...

@rkit

rkit commented Sep 23, 2015

@PavelPolyakov Done. That's what I did:

  1. Removed all machines
  2. Run docker-machine regenerate-certs
  3. Add
export DOCKER_HOST=tcp://192.168.99.100:2376
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs
export DOCKER_TLS_VERIFY=1

The error was gone.

@PavelPolyakov
Author

@rkit
Thanks for the solution.

Trying to implement it.

However, a couple of questions:

  1. When I have removed the machine, I think I am not able to regenerate-certs.
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-machine rm default
Successfully removed default
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-machine regenerate-certs                   *[master]
Regenerate TLS machine certs?  Warning: this is irreversible. (y/n): y
Regenerating TLS certificates
Error: Expected to get one or more machine names as arguments.
  2. Shouldn't this IP be dynamic, and available only after the docker-machine is created?
export DOCKER_HOST=tcp://192.168.99.100:2376
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs
export DOCKER_TLS_VERIFY=1

@rkit

rkit commented Sep 23, 2015

  1. Yes, you need to create a machine
  2. Dynamic, yes. To change env, you need to execute: eval "$(docker-machine env dev)", but default env from bash profile, and I added this line in the config:
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs

After that there was no error.

@posita
Contributor

posita commented Sep 23, 2015

Am I interpreting correctly, that requiring regenerate-certs is a work-around that confirms my speculation about the cause of this issue? I.E., that docker-machine has a sister issue to boot2docker/boot2docker#808 (see also docker/docker-py#465, docker/compose#890) which was not resolved with boot2docker/boot2docker#1029 because docker-machine ignores the boot2docker default certificates and creates its own? Is that an accurate summary?

@PavelPolyakov
Author

@rkit
Sorry, I have the same thing still :(

image

What I did:

  1. docker-machine rm default
  2. docker-machine create --driver virtualbox default
  3. docker-machine regenerate-certs default
  4. eval "$(docker-machine env default)"
export DOCKER_CERT_PATH=/Users/$USERNAME/.docker/machine/certs

Have I missed something? Any thoughts how I can overcome it?
Can I provide some additional debug?

@posita
Contributor

posita commented Sep 23, 2015

@PavelPolyakov, after doing the regenerate-certs and eval, can you do:

for i in ca cert ; do c="${DOCKER_CERT_PATH}/${i}.pem" ; ( set -x ; openssl x509 -in "${c}" -text | grep -E '^ +(Issuer|Subject): ' ) ; done

@PavelPolyakov
Author

@posita
Thanks, here we are:
image

@posita
Contributor

posita commented Sep 23, 2015

Okay, so regenerate-certs doesn't actually address the (potential) problem where ca.pem Subject == cert.pem Subject. 😞 In other words:

+-zsh:xxx> openssl x509 -in /.../.docker/machine/certs/ca.pem -text
+-zsh:xxx> grep ... -E '^ +Subject: '
        Subject: O=[thing]    # <<<-- THIS SHOULD *NOT*
+-zsh:xxx> openssl x509 -in /.../.docker/machine/certs/cert.pem -text
+-zsh:xxx> grep ... -E '^ +Subject: '
        Subject: O=[thing]    # <<<-- EQUAL THIS

If it does, and you have the "wrong" version of OpenSSL (i.e., any version that exhibits this bug), you will receive the [SSL: CERTIFICATE_VERIFY_FAILED] error.

I suspect this is why you're still having issues, and why @rkit's suggestion does not work.

@PavelPolyakov
Author

Hi guys, @rkit , @ehazlett , any thoughts how I can overcome that?

@posita
Contributor

posita commented Sep 25, 2015

@PavelPolyakov, for giggles, can you try this (replace [machine-name] with your actual machine name)?

% eval $( docker-machine env [machine-name] )
% docker-machine ssh [machine-name]
...
Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
docker@boot2docker:~$ rm -fv ~docker/.docker/* # get rid of copies of certificates we're about to destroy
removed '/home/docker/.docker/ca.pem'
removed '/home/docker/.docker/cert.pem'
removed '/home/docker/.docker/key.pem'
docker@boot2docker:~$ sudo -s 
root@boot2docker:/home/docker# cat /var/lib/boot2docker/profile # so I can see what is being overridden
...
root@boot2docker:/home/docker# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/* # remove any existing certificates
...
root@boot2docker:/home/docker# /usr/local/etc/init.d/docker restart
... # should regenerate default certificates
root@boot2docker:/home/docker# exit
docker@boot2docker:~$ exit
% rm -v "${DOCKER_CERT_PATH}"/*.pem # remove host-side (stale) certificates
...
% docker-machine scp [machine-name]:/home/docker/.docker/\*.pem "${DOCKER_CERT_PATH}" # copy newly-created certificates from machine to host
...
% docker ps
...
% docker-compose ps
...
% openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -CAfile "${DOCKER_CERT_PATH}/ca.pem" -tls1 </dev/null
...

Basically, we're trying to avoid having docker-machine create the certificates, and instead rely on boot2docker's default mechanism. By logging in to the boot2docker instance, removing the certificates, and then restarting docker, we trigger that process. Then we replace the host-side certificates with the ones we just got boot2docker to (re)create.

@PavelPolyakov
Author

@posita

Can't regenerate certificates

First:

Boot2Docker version 1.8.2, build master : aba6192 - Thu Sep 10 20:58:17 UTC 2015
Docker version 1.8.2, build 0a8c2e3
docker@default:~$ rm -fv ~docker/.docker/*
removed '/home/docker/.docker/ca.pem'
removed '/home/docker/.docker/cert.pem'
removed '/home/docker/.docker/key.pem'
docker@default:~$ sudo -s
root@default:/home/docker# cat /var/lib/boot2docker/profile

EXTRA_ARGS='
--label provider=virtualbox

'
CACERT=/var/lib/boot2docker/ca.pem
DOCKER_HOST='-H tcp://0.0.0.0:2376'
DOCKER_STORAGE=aufs
DOCKER_TLS=auto
SERVERKEY=/var/lib/boot2docker/server-key.pem
SERVERCERT=/var/lib/boot2docker/server.pem


root@default:/home/docker# rm -fv /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/tls/ca.pem'
removed '/var/lib/boot2docker/tls/cakey.pem'
removed '/var/lib/boot2docker/tls/cert.pem'
removed '/var/lib/boot2docker/tls/hostnames'
removed '/var/lib/boot2docker/tls/key.pem'
removed '/var/lib/boot2docker/tls/server.pem'
removed '/var/lib/boot2docker/tls/serverkey.pem'

Then:

root@default:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 18:06:48 Preventing overwrite: the following files already exist: "/var/lib/boot2docker/ca.pem". To overwrite files, add `--overwrite`.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 18:06:48 Generating a server cert
2015/09/25 18:06:48 Failure to generate cert: open /var/lib/boot2docker/tls/cakey.pem: no such file or directory
Generating client cert
2015/09/25 18:06:48 no --host parameters, making a client cert
2015/09/25 18:06:48 Failure to generate cert: open /var/lib/boot2docker/tls/cakey.pem: no such file or directory
cp: can't stat '/var/lib/boot2docker/tls/cert.pem': No such file or directory
cp: can't stat '/var/lib/boot2docker/tls/key.pem': No such file or directory

@posita
Contributor

posita commented Sep 25, 2015

Ah, okay. I was afraid of that (/var/lib/boot2docker/profile overrides some default locations). Try the same thing, but instead of:

root@default:/home/docker# rm -fv /var/lib/boot2docker/tls/*

Do:

root@default:/home/docker# rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*

@PavelPolyakov
Author

@posita

rm -fv /var/lib/boot2docker/*.pem /var/lib/boot2docker/tls/*
removed '/var/lib/boot2docker/ca.pem'
removed '/var/lib/boot2docker/tls/hostnames'
root@default:~# /usr/local/etc/init.d/docker restart
Need TLS certs for default,127.0.0.1,10.0.2.15,192.168.99.104
-------------------
Generating CA cert
2015/09/25 18:18:14 Generating a new certificate authority.
rm: can't remove '/var/lib/boot2docker/server.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/server-key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/cert.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls/key.pem': No such file or directory
rm: can't remove '/var/lib/boot2docker/tls//hostnames': No such file or directory
Generate server cert
/usr/local/bin/generate_cert --host=default,127.0.0.1,10.0.2.15,192.168.99.104 --ca=/var/lib/boot2docker/ca.pem --ca-key=/var/lib/boot2docker/tls/cakey.pem --cert=/var/lib/boot2docker/server.pem --key=/var/lib/boot2docker/server-key.pem --org=Boot2Docker
2015/09/25 18:18:15 Generating a server cert
Generating client cert
2015/09/25 18:18:15 no --host parameters, making a client cert
root@default:~# ls /var/lib/boot2docker/tls/
cakey.pem  cert.pem   hostnames  key.pem

(exit; exit)

but then:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker ps           *[master]
An error occurred trying to connect: Get https://192.168.99.104:2376/v1.20/containers/json: x509: certificate signed by unknown authority
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose ps   *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

the last command:

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -key "${DOCKER_CERT_PATH}/key.pem"
CONNECTED(00000003)
depth=0 O = default
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = default
verify error:num=21:unable to verify the first certificate
verify return:1
140735289209680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1472:SSL alert number 42
140735289209680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov
---
Server certificate
subject=/O=default
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1247 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: C628B5966CBC7A394199AF9D0ECA66BF01744B865D7595D3F3080158A9C9AEDA72B53714D24FCFF11F542F38CBB5CC50
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1443205317
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

@posita
Contributor

posita commented Sep 25, 2015

Did you do this after exiting docker-machine ssh [machine-name] but before doing docker ps?

% rm -v "${DOCKER_CERT_PATH}"/*.pem
...
% docker-machine scp [machine-name]:/home/docker/.docker/\*.pem "${DOCKER_CERT_PATH}"
...

Keep in mind, you still need to replace your host-side certificates with the ones you just got boot2docker to (re)create before executing docker or docker-compose commands on the host. Otherwise, you'll get certificate mismatches like the ones you experienced.

By the way, you'll probably need to start over from the beginning of the steps I outline in my #1880 (comment). I've updated that comment to reflect the change in my #1880 (comment).

@PavelPolyakov
Author

In my $DOCKER_CERT_PATH I have new (I think so) certificates located:

[~/.docker/machine/certs]$ ls
ca.pem   cert.pem key.pem

image

However, docker ps says:

[~/.docker/machine/certs]$ docker ps
An error occurred trying to connect: Get https://192.168.99.104:2376/v1.20/containers/json: x509: certificate signed by unknown authority

@posita
Contributor

posita commented Sep 25, 2015

I'm assuming your screenshot was just to show the details of cert.pem, not that you have added any of these *.pem files to any of your OS X keychains, correct?

There is a mismatch somewhere. What does this give you right now?

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem"

If you aren't getting output that looks something like the following, you probably need to start over from scratch with the steps in my #1880 (comment).

...
---
Certificate chain
 0 s:/O=Boot2Docker
   i:/O=Boot2DockerCA
...
---
Server certificate
subject=/O=Boot2Docker
issuer=/O=Boot2DockerCA
---
Acceptable client certificate CA names
/O=Boot2DockerCA
...
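
The checks discussed in this thread (ca.pem and cert.pem sharing a Subject, the daemon's server certificate chaining to a different CA than the host-side ca.pem, and the CURL_CA_BUNDLE override from the solution at the top), collected as an added example that is not part of the original thread or of any Docker project. It parses the text output of the `openssl x509 -text` and `openssl s_client` commands shown above; the function names, finding codes and sample transcripts are constructed for illustration, and comparing names is a heuristic that does not verify signatures.

```python
import re

# Variables python-requests reads for a CA bundle; the thread's fix was
# `unset CURL_CA_BUNDLE`.
CA_OVERRIDE_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")

# Constructed samples in the output formats shown in the thread (not real captures).
CA_B2D = "        Issuer: O=Boot2DockerCA\n        Subject: O=Boot2DockerCA\n"
CERT_B2D = "        Issuer: O=Boot2DockerCA\n        Subject: O=Boot2Docker\n"
CA_MACHINE = "        Issuer: O=exampleuser\n        Subject: O=exampleuser\n"
CERT_MACHINE = "        Issuer: O=exampleuser\n        Subject: O=exampleuser\n"
S_CLIENT_STALE = (
    "subject=/O=default\n"
    "issuer=/O=exampleuser\n"
    "    Verify return code: 21 (unable to verify the first certificate)\n"
)


def normalize_dn(dn):
    """Reduce 'O=Foo', '/O=Foo' and 'O = Foo' to one comparable form."""
    parts = [p.strip() for p in re.split(r"[/,]", dn.strip()) if p.strip()]
    return ",".join(re.sub(r"\s*=\s*", "=", p) for p in parts)


def x509_names(text):
    """Extract Issuer and Subject from `openssl x509 -text` output."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Issuer|Subject):\s*(.+)$", line)
        if m:
            names[m.group(1).lower()] = normalize_dn(m.group(2))
    return names


def s_client_summary(text):
    """Extract server subject, issuer and verify code from `openssl s_client` output."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"(subject|issuer)=(.+)$", line)
        if m:
            out[m.group(1)] = normalize_dn(m.group(2))
        m = re.match(r"\s*Verify return code:\s*(\d+)", line)
        if m:
            out["verify_code"] = int(m.group(1))
    return out


def diagnose(env, ca_text, cert_text, s_client_text=""):
    """Return a list of (code, message) findings for a docker TLS client setup."""
    findings = []
    for var in CA_OVERRIDE_VARS:
        if env.get(var):
            findings.append(("CA_BUNDLE_OVERRIDE",
                             var + " is set; requests may trust that bundle "
                             "instead of DOCKER_CERT_PATH/ca.pem"))
    ca, cert = x509_names(ca_text), x509_names(cert_text)
    if not all(k in d for d in (ca, cert) for k in ("issuer", "subject")):
        findings.append(("UNPARSEABLE", "Issuer/Subject missing from ca.pem or cert.pem output"))
        return findings
    if cert["issuer"] != ca["subject"]:
        findings.append(("CLIENT_CERT_WRONG_CA",
                         "cert.pem Issuer does not name the ca.pem Subject"))
    if cert["subject"] == ca["subject"]:
        # The condition posita flags: leaf and CA carry the same Subject.
        findings.append(("SUBJECT_COLLISION",
                         "cert.pem Subject equals ca.pem Subject"))
    srv = s_client_summary(s_client_text)
    if srv:
        if srv.get("issuer") != ca["subject"]:
            # Host-side ca.pem is not the CA that signed the daemon's server cert.
            findings.append(("SERVER_ISSUER_MISMATCH",
                             "server cert issuer differs from ca.pem Subject"))
        if srv.get("verify_code", 0) != 0:
            findings.append(("VERIFY_FAILED",
                             "s_client verify return code %d" % srv["verify_code"]))
    return findings


if __name__ == "__main__":
    cases = [
        ("regenerated boot2docker certs", {}, CA_B2D, CERT_B2D, ""),
        ("machine certs sharing a Subject", {}, CA_MACHINE, CERT_MACHINE, ""),
        ("stale host-side ca.pem", {}, CA_B2D, CERT_B2D, S_CLIENT_STALE),
        ("CA bundle override", {"CURL_CA_BUNDLE": "/constructed/bundle.pem"},
         CA_B2D, CERT_B2D, ""),
    ]
    for label, env, ca, cert, srv in cases:
        print(label, "->", [code for code, _ in diagnose(env, ca, cert, srv)] or "ok")
```
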

@PavelPolyakov
Author

Yes, this is just info, I haven't added them to the keychain. But they are located in my DOCKER_CERT_PATH.

However, I still have:

Certificate chain
 0 s:/O=default
   i:/O=PavelPolyakov

etc. Will try to start over again, thanks for the help!

@cischmidt

I am having the same problem. I've followed the steps listed above and have the following signed certs:

+ openssl x509 -in /Users/cschmid/.docker/machine/certs/ca.pem -text
+ grep -E '^ +(Issuer|Subject): '
        Issuer: O=Boot2DockerCA
        Subject: O=Boot2DockerCA
+ openssl x509 -in /Users/cschmid/.docker/machine/certs/cert.pem -text
+ grep -E '^ +(Issuer|Subject): '
        Issuer: O=Boot2DockerCA
        Subject: O=Boot2Docker

But when I try to run docker-compose I continue to get the error

Chriss-MacBook-Pro:docker cschmid$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
Chriss-MacBook-Pro:docker cschmid$ docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

I'm running docker-compose 1.4.2, docker 1.8.2 and have openssl v1.0.1j_1 installed.

@posita
Contributor

posita commented Sep 25, 2015

@cischmidt, what does this give you (in the same env)?

openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null

@cischmidt

An error response, but it may be because I have to connect to docker via localhost because of my Cisco VPN client:

Chriss-MacBook-Pro:docker cschmid$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null
CONNECTED(00000003)
50891:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:

My docker environment variables are:

DOCKER_HOST=tcp://127.0.0.1:2376
DOCKER_MACHINE_NAME=default
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/Users/cschmid/.docker/machine/certs

@posita
Contributor

posita commented Sep 25, 2015

@cischmidt, you're on OS X, correct? I don't understand your DOCKER_HOST setting. 😕

@cischmidt

I am on Mac OS X. I port-forward from my virtualbox VM to localhost:2376 to get around routing problems that the VPN introduces every time I connect to it. Docker related commands work well using this configuration, and I remember using docker-compose a few months ago without problem (today is the first day for some time that I began using docker-compose again).

@posita
Contributor

posita commented Sep 25, 2015

@cischmidt, just to confirm, localhost:2376 points to your docker-machine VM running on your local machine? Is your docker-machine VM boot2docker (e.g., running in VirtualBox)?

@PavelPolyakov and @cischmidt, can you do the following after having run the steps above in my #1880 (comment)? There's no need to run through those steps again if you're still in the same environment and the machine is still up.

% docker-machine ssh [machine-name]
docker@boot2docker:~$ export DOCKER_CERT_PATH="${HOME}/.docker" DOCKER_TLS_VERIFY=1 DOCKER_HOST=tcp://127.0.0.1:2376
docker@boot2docker:~$ docker ps
...
docker@boot2docker:~$ openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -CAfile  "${DOCKER_CERT_PATH}/ca.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null
...
docker@boot2docker:~$ exit

@posita
Contributor

posita commented Sep 26, 2015

The stack traces look weird to me (they don't look like SSL errors). What do you get for docker-compose --verbose build?

@PavelPolyakov
Author

[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose  build                             *[master]
Building frontend...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose build                    *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

@posita
Contributor

posita commented Sep 26, 2015

What do you get with docker-compose --verbose ps and python compose-debug.py --verbose ps? This is what I get:

% docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
% docker-compose --verbose ps
Compose version 1.4.1
Docker base_url: https://www.xxx.yyy.zzz:2376
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
docker containers -> (list with 0 items)
docker containers <- (all=True)
docker containers -> (list with 0 items)
docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
docker containers -> (list with 0 items)
docker containers <- (all=True)
docker containers -> (list with 0 items)
Name   Command   State   Ports
------------------------------
% python compose-debug.py --verbose ps
DEBUG   : Trying /.../.docker/config.json
DEBUG   : File doesn't exist
DEBUG   : Trying /.../.dockercfg
DEBUG   : Attempting to parse as JSON
DEBUG   : ...
INFO    : Compose version 1.4.1
Compose version 1.4.1
INFO    : Docker base_url: https://www.xxx.yyy.zzz:2376
Docker base_url: https://www.xxx.yyy.zzz:2376
INFO    : Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
INFO    : docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
docker containers <- (all=True, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=False']})
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=True)
docker containers <- (all=True)
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
docker containers <- (all=False, filters={u'label': [u'com.docker.compose.project=...', u'com.docker.compose.oneoff=True']})
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
INFO    : docker containers <- (all=True)
docker containers <- (all=True)
INFO    : docker containers -> (list with 0 items)
docker containers -> (list with 0 items)
Name   Command   State   Ports
------------------------------

@PavelPolyakov
Author

@posita
That's what I have:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker ps                                         *[master]
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[~/tmp/microservices-workshop/msworkshop/step4]$ docker --verbose ps                               *[master]
flag provided but not defined: --verbose
See 'docker --help'.
[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py --verbose ps              *[master]
Traceback (most recent call last):
  File "compose-debug.py", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python2.7/site-packages/compose/cli/main.py", line 39, in main
    command.sys_dispatch()
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 21, in sys_dispatch
    self.dispatch(sys.argv[1:], None)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 27, in dispatch
    super(Command, self).dispatch(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/compose/cli/docopt_command.py", line 24, in dispatch
    self.perform_command(*self.parse(argv, global_options))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 57, in perform_command
    verbose=options.get('--verbose'))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 79, in get_project
    self.get_client(verbose=verbose))
  File "/usr/local/lib/python2.7/site-packages/compose/cli/command.py", line 64, in get_client
    version_info = six.iteritems(client.version())
  File "/usr/local/lib/python2.7/site-packages/docker/client.py", line 837, in version
    return self._result(self._get(url), json=True)
  File "/usr/local/lib/python2.7/site-packages/docker/clientbase.py", line 86, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)
[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                       *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ python -V                                         *[master]
Python 2.7.10

Do you think it's an issue of my python?
Which version do you have?

I also found this issue:
https://github.com/kennethreitz/requests/issues/2524

Regarding the https and URL library which Python uses, I don't know if docker-compose uses the same lib though.

@posita
Contributor

posita commented Sep 27, 2015

@PavelPolyakov, try docker-compose --verbose ps, not docker --verbose ps.

I doubt it's a Python version thing. I'm running 2.7.10 as well. It could be a docker-py thing? Try python -c 'import docker ; print(docker.version)'.

What version of OpenSSL do you have?

which openssl
openssl version
which python
python -c 'import ssl ; print(ssl.__file__) ; print(ssl.OPENSSL_VERSION)'

@PavelPolyakov
Author

Here we are:

[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                       *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import docker ; print(docker.version)' *[master]
1.3.1
[~/tmp/microservices-workshop/msworkshop/step4]$ which openssl                                     *[master]
/usr/local/bin/openssl
[~/tmp/microservices-workshop/msworkshop/step4]$ openssl version                                   *[master]
OpenSSL 1.0.2d 9 Jul 2015
[~/tmp/microservices-workshop/msworkshop/step4]$ which python                                      *[master]
/usr/local/bin/python
[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import ssl ; print(ssl.__file__) ; print(ssl.OPENSSL_VERSION)'
/usr/local/Cellar/python/2.7.10_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc
OpenSSL 1.0.2d 9 Jul 2015

@posita
Contributor

posita commented Sep 27, 2015

How is docker-py getting installed on your machine? How did you upgrade (if you upgraded) docker-compose to the latest version?

@PavelPolyakov
Author

Currently all the installation was done from here: https://www.docker.com/toolbox .
I haven't updated the docker-compose.

I have tried different installation as well - from brew (same results, SSL error), but the one we are experimenting with is from toolbox pkg.

@posita
Contributor

posita commented Sep 27, 2015

Okay, your versions aren't that different from mine, except for docker-py (I don't know about requests):

% docker version --format='{{.Client.Version}}'
1.8.2
% docker-machine --version
docker-machine version 0.4.1 (e2c88d6)
% docker-compose --version
docker-compose version: 1.4.1
% openssl version
OpenSSL 1.0.2d 9 Jul 2015
% python -c 'import ssl ; print(ssl.OPENSSL_VERSION)' # just to make sure it's picking up the same version
OpenSSL 1.0.2d 9 Jul 2015
% python -c 'import docker ; print(docker.version)'
1.4.0
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3

Have you tried installing/running docker-compose from a virtual environment (that really should have been our first step 😞)?

% virtualenv .venv
...
% . ./.venv/bin/activate # don't forget the dot; you're "sourcing" the file
% ./.venv/bin/pip install docker-compose
...
% rehash # necessary on some shells like zsh
% which docker-compose
.../.venv/bin/docker-compose
% docker-compose --version
docker-compose version: 1.4.2
% python -c 'import docker ; print(docker.version)'
1.4.0
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.7.0
1.10.4
% docker-compose --verbose ps
...?
% python compose-debug.py --verbose ps
...?
% docker-compose build
...?

@PavelPolyakov
Author

The same:

[~/tmp/microservices-workshop/msworkshop/step4]$ virtualenv .venv                                  *[master]
New python executable in .venv/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/microservices-workshop/msworkshop/step4]$ . ./.venv/bin/activate                            *[master]
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ ./.venv/bin/pip install docker-compose     *[master]
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 2.2MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 1.4MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 839kB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 1.0MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 3.7MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Building wheels for collected packages: docker-compose, docopt, PyYAML, texttable, websocket-client, docker-py, dockerpty
  Running setup.py bdist_wheel for docker-compose
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/85/15/68/da301b79c711f2eb9a2065f44f16dcef736862e9c334bf87c4
  Running setup.py bdist_wheel for docopt
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/0d/5c/a7/cb986749520c1950217b5d8405def5c18541322dbc411a80d1
  Running setup.py bdist_wheel for PyYAML
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/fa/db/f6/dee55793d344f1706dc4a5a693298f0115241d1085cc212364
  Running setup.py bdist_wheel for texttable
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/d6/44/0b/20a20bc6ab19b4a7f4a43fa67010cf5008140d8abab61d58d5
  Running setup.py bdist_wheel for websocket-client
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/48/45/ba/e955834950f99f1ca7a5778808d7bef1d4962edb1a4b14600a
  Running setup.py bdist_wheel for docker-py
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/18/b4/cb/62ce0b04a3055cf5d599f3cfd01213d8488e9b367fb9cfb238
  Running setup.py bdist_wheel for dockerpty
  Stored in directory: /Users/PavelPolyakov/Library/Caches/pip/wheels/52/29/66/0c53de7d30b0e2a838ba252f6db929e9cc3d528892e7d759d5
Successfully built docker-compose docopt PyYAML texttable websocket-client docker-py dockerpty
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ rehash                                     *[master]
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ which docker-compose                       *[master]
/Users/PavelPolyakov/tmp/microservices-workshop/msworkshop/step4/.venv/bin/docker-compose
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --version                   *[master]
docker-compose version: 1.4.2
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import docker ; print(docker.version)'
1.3.1
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose --verbose ps                *[master]
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ python compose-debug.py --verbose ps       *[master]
ERROR   : SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
(.venv)[~/tmp/microservices-workshop/msworkshop/step4]$ docker-compose build                       *[master]
Building frontend...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

For some reason, you have all the versions higher than mine (if I understand correctly):

  1. docker
  2. requests
  3. urllib3

Why? And could it have such a dramatic effect?

@posita
Contributor

posita commented Sep 27, 2015

> For some reason, you have all the versions higher than mine (if I understand correctly): ... why?

I'm not sure. Try deactivate-ing your virtualenv, removing it, and recreating it, but with ./.venv/bin/pip install --no-cache-dir docker-compose instead (note the addition of --no-cache-dir).

> ... and could it have such dramatic effect?

Apparently, yes. You're at least getting the same cryptic error for python compose-debug.py --verbose ps as docker-compose --verbose ps (instead of the stacktrace you were getting before). So chalk that up to requests, I guess.

FYI, this is what I get from my virtualenv (and a fresh ~/.docker/machine directory):

% deactivate
% rm -frv ./.venv
...
% for i in $( docker-machine ls --quiet ) ; do docker-machine stop "${i}" ; done
...
% docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL   SWARM
% mv -v ~/.docker/machine ~/.docker/machine.bak
/.../.docker/machine -> /.../.docker/machine.bak
% docker-machine create --driver virtualbox testes
Creating VirtualBox VM...
Creating SSH key...
Starting VirtualBox VM...
Starting VM...
To see how to connect Docker to this machine, run: docker-machine env testes
docker-machine create --driver virtualbox testes  8.12s user 6.22s system 13% cpu 1:47.48 total
% docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL                         SWARM
testes            virtualbox   Running   tcp://192.168.99.100:2376
% eval $( docker-machine env testes )
% docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
% virtualenv .venv
...
% . ./.venv/bin/activate
% ./.venv/bin/pip install --no-cache-dir docker-compose
...
% rehash
% cat Dockerfile
FROM debian:stable
% cat docker-compose.yml
deb1:
    build: .

deb2:
    image: debian:stable
    links:
        - deb1
% docker-compose ps
Name   Command   State   Ports
------------------------------
% docker-compose --verbose build
Compose version 1.4.2
Docker base_url: https://192.168.99.100:2376
Docker version: KernelVersion=4.0.9-boot2docker, Os=linux, BuildTime=Thu Sep 10 19:10:10 UTC 2015, ApiVersion=1.20, Version=1.8.2, GitCommit=0a8c2e3, Arch=amd64, GoVersion=go1.4.2
Building deb1...
docker build <- (pull=False, stream=True, nocache=False, tag=u'test_deb1', rm=True, path='/...', dockerfile=None)
docker build -> <generator object _stream_helper at 0x10f29b5f0>
Step 0 : FROM debian:stable
stable: Pulling from library/debian
401015d2a1e5: Pull complete
315baabd82d5: Pull complete
library/debian:stable: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:2ee35f51e54da93075fe46631a28d84ef4e23eb4ca51e7a8ef9f9ba625e7f6be
Status: Downloaded newer image for debian:stable
 ---> 315baabd82d5
Successfully built 315baabd82d5
docker close <- ()
docker close -> None
deb2 uses an image, skipping

@PavelPolyakov
Author

Nope :(

... steps above were done as well ...
[~/tmp/docker-compose-fixing]$ for i in $( docker-machine ls --quiet ) ; do docker-machine stop "${i}" ; done
[~/tmp/docker-compose-fixing]$ docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL   SWARM
testes            virtualbox   Stopped
[~/tmp/docker-compose-fixing]$ mv -v ~/.docker/machine ~/.docker/machine.bak
/Users/PavelPolyakov/.docker/machine -> /Users/PavelPolyakov/.docker/machine.bak/machine
[~/tmp/docker-compose-fixing]$ docker-machine create --driver virtualbox testes
Creating CA: /Users/PavelPolyakov/.docker/machine/certs/ca.pem
Creating client certificate: /Users/PavelPolyakov/.docker/machine/certs/cert.pem
Image cache does not exist, creating it at /Users/PavelPolyakov/.docker/machine/cache...
No default boot2docker iso found locally, downloading the latest release...
Downloading https://github.com/boot2docker/boot2docker/releases/download/v1.8.2/boot2docker.iso to /Users/PavelPolyakov/.docker/machine/cache/boot2docker.iso...
Creating VirtualBox VM...
Creating SSH key...
Error creating machine: exit status 1
You will want to check the provider to make sure the machine and associated resources were properly removed.
[~/tmp/docker-compose-fixing]$ docker-machine create --driver virtualbox testes
Creating CA: /Users/PavelPolyakov/.docker/machine/certs/ca.pem
Creating client certificate: /Users/PavelPolyakov/.docker/machine/certs/cert.pem
Image cache does not exist, creating it at /Users/PavelPolyakov/.docker/machine/cache...
No default boot2docker iso found locally, downloading the latest release...
Downloading https://github.com/boot2docker/boot2docker/releases/download/v1.8.2/boot2docker.iso to /Users/PavelPolyakov/.docker/machine/cache/boot2docker.iso...
Creating VirtualBox VM...
Creating SSH key...
Starting VirtualBox VM...
Starting VM...
To see how to connect Docker to this machine, run: docker-machine env testes
[~/tmp/docker-compose-fixing]$ docker-machine ls
NAME     ACTIVE   DRIVER       STATE     URL                         SWARM
testes            virtualbox   Running   tcp://192.168.99.109:2376
[~/tmp/docker-compose-fixing]$ eval $( docker-machine env testes )
[~/tmp/docker-compose-fixing]$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
[~/tmp/docker-compose-fixing]$ virtualenv .venv
New python executable in .venv/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/docker-compose-fixing]$ . ./.venv/bin/activate
(.venv)[~/tmp/docker-compose-fixing]$ ./.venv/bin/pip install --no-cache-dir docker-compose
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 16.0MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 2.7MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 15.5MB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 20.1MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 10.5MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
  Running setup.py install for docopt
  Running setup.py install for PyYAML
  Running setup.py install for texttable
  Running setup.py install for websocket-client
  Running setup.py install for docker-py
  Running setup.py install for dockerpty
  Running setup.py install for docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
(.venv)[~/tmp/docker-compose-fixing]$ rehash
(.venv)[~/tmp/docker-compose-fixing]$ cat Dockerfile
FROM debian:stable
(.venv)[~/tmp/docker-compose-fixing]$ cat docker-compose.yml
deb1:
    build: .

deb2:
    image: debian:stable
    links:
        - deb1
(.venv)[~/tmp/docker-compose-fixing]$ docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

However, library versions are the same, basically:

(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3
(.venv)[~/tmp/docker-compose-fixing]$ python -c 'import docker ; print(docker.version)'
1.3.1

@posita
Contributor

posita commented Sep 27, 2015

> However, library versions are the same, basically:
>
> (.venv)[~/tmp/docker-compose-fixing]$ python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
> 2.6.2
> 1.10.3
> (.venv)[~/tmp/docker-compose-fixing]$ python -c 'import docker ; print(docker.version)'
> 1.3.1

Oops...you're right. That's my fault (I was getting my terminals confused). I was (mistakenly) partially copying version numbers from my terminal where I had done something like pip install --upgrade ... 😩 In my working environment, I have the same as you:

% which python
.../.venv/bin/python
% python -c 'import docker ; print(docker.version)'
1.3.1
% python -c 'import requests.packages.urllib3 ; print(requests.__version__) ; print(requests.packages.urllib3.__version__)'
2.6.2
1.10.3

What do you get for this in your current environment?

( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null ; echo "exit code: ${?}" ) | awk '$0 ~ /TLS session ticket:/ { ticket = 1; } !ticket || $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]$/ { print; }'

Also, can you try this (corrected)?

% deactivate
% virtualenv -p /usr/bin/python .venv2
...
% ./.venv2/bin/pip install --no-cache-dir docker-compose
% ./.venv2/bin/python -c 'import ssl ; print(ssl.__file__) ; print (ssl.OPENSSL_VERSION)'
...
% ./.venv2/bin/python -c 'import _ssl ; print(_ssl.__file__) ; print (_ssl.OPENSSL_VERSION)' # note the underscore-ssl
...
% ./.venv2/bin/docker-compose ps
...

@PavelPolyakov
Author

1st:

(.venv)[~/tmp/docker-compose-fixing]$ ( set -x ; openssl s_client -showcerts -connect "${DOCKER_HOST#tcp:\/\/}" -tls1 -CAfile "${DOCKER_CERT_PATH}/ca.pem" -cert "${DOCKER_CERT_PATH}/cert.pem" -key "${DOCKER_CERT_PATH}/key.pem" </dev/null ; echo "exit code: ${?}" ) | awk '$0 ~ /TLS session ticket:/ { ticket = 1; } !ticket || $1 !~ /^[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]$/ { print; }'
+-zsh:111> openssl s_client -showcerts -connect 192.168.99.109:2376 -tls1 -CAfile /Users/PavelPolyakov/.docker/machine/machines/testes/ca.pem -cert /Users/PavelPolyakov/.docker/machine/machines/testes/cert.pem -key /Users/PavelPolyakov/.docker/machine/machines/testes/key.pem
depth=1 O = PavelPolyakov
verify return:1
depth=0 O = testes
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=testes
   i:/O=PavelPolyakov
---
Server certificate
subject=/O=testes
issuer=/O=PavelPolyakov
---
Acceptable client certificate CA names
/O=PavelPolyakov
Client Certificate Types: RSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2165 bytes and written 1378 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 9329F3198FC79ACBDF2CAB18200C02B19F9AFD84AF4462C7044878A6A16BF257
    Session-ID-ctx:
    Master-Key: 52FFF668D11FCE75BADCA40CAFB7F016B888E975D87E2010EAC9ADE5CC0EEB5B562074D822D7306991E149BC2DCA83E6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1443381037
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
+-zsh:111> echo 'exit code: 0'
exit code: 0

and 2nd:

(.venv)[~/tmp/docker-compose-fixing]$ deactivate
[~/tmp/docker-compose-fixing]$ virtualenv -p /usr/bin/python .venv2
Running virtualenv with interpreter /usr/bin/python2.7
New python executable in .venv2/bin/python
Installing setuptools, pip, wheel...done.
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/pip install --no-cache-dir docker-compose
Collecting docker-compose
  Downloading docker-compose-1.4.2.tar.gz (82kB)
    100% |████████████████████████████████| 86kB 1.9MB/s
Collecting docopt<0.7,>=0.6.1 (from docker-compose)
  Downloading docopt-0.6.2.tar.gz
Collecting PyYAML<4,>=3.10 (from docker-compose)
  Downloading PyYAML-3.11.tar.gz (248kB)
    100% |████████████████████████████████| 249kB 2.6MB/s
Collecting requests<2.7,>=2.6.1 (from docker-compose)
  Downloading requests-2.6.2-py2.py3-none-any.whl (470kB)
    100% |████████████████████████████████| 471kB 11.1MB/s
Collecting texttable<0.9,>=0.8.1 (from docker-compose)
  Downloading texttable-0.8.3.tar.gz
Collecting websocket-client<1.0,>=0.32.0 (from docker-compose)
  Downloading websocket_client-0.32.0.tar.gz (192kB)
    100% |████████████████████████████████| 192kB 12.5MB/s
Collecting docker-py<1.4,>=1.3.1 (from docker-compose)
  Downloading docker-py-1.3.1.tar.gz (49kB)
    100% |████████████████████████████████| 53kB 12.5MB/s
Collecting dockerpty<0.4,>=0.3.4 (from docker-compose)
  Downloading dockerpty-0.3.4.tar.gz
Collecting six<2,>=1.3.0 (from docker-compose)
  Downloading six-1.9.0-py2.py3-none-any.whl
Installing collected packages: docopt, PyYAML, requests, texttable, six, websocket-client, docker-py, dockerpty, docker-compose
  Running setup.py install for docopt
  Running setup.py install for PyYAML
  Running setup.py install for texttable
  Running setup.py install for websocket-client
  Running setup.py install for docker-py
  Running setup.py install for dockerpty
  Running setup.py install for docker-compose
Successfully installed PyYAML-3.11 docker-compose-1.4.2 docker-py-1.3.1 dockerpty-0.3.4 docopt-0.6.2 requests-2.6.2 six-1.9.0 texttable-0.8.3 websocket-client-0.32.0
[~/tmp/docker-compose-fixing]$ ./.venv/bin/python -c 'import ssl ; print(ssl.__file__) ; print (ssl.OPENSSL_VERSION)'
/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc
OpenSSL 0.9.8zg 14 July 2015
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/python -c 'import _ssl ; print(_ssl.__file__) ; print (_ssl.OPENSSL_VERSION)'
/Users/PavelPolyakov/tmp/docker-compose-fixing/.venv2/lib/python2.7/lib-dynload/_ssl.so
OpenSSL 0.9.8zg 14 July 2015
[~/tmp/docker-compose-fixing]$ ./.venv2/bin/docker-compose ps
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

@posita
Contributor

posita commented Sep 27, 2015

Okay, I've officially run out of ideas. I cannot for the life of me fathom why openssl s_client can work, and docker ps can work, but you're still getting SSL certificate verification errors with docker-compose across two different versions of Python and two different versions of OpenSSL. Can you do a straight Docker build (i.e., docker build .)?

@PavelPolyakov
Author

Yes, docker build works ok:

[~/tmp/docker-compose-fixing]$ docker build -t hhh .
Sending build context to Docker daemon 27.28 MB
Step 0 : FROM debian:stable
 ---> 315baabd82d5
Successfully built 315baabd82d5
[~/tmp/docker-compose-fixing]$ docker run hhh --verbose
Error response from daemon: Cannot start container 4843e6bbbbbdd363356cb5536f82ce8cfada0960ed865242ebfe825ba7eade50: [8] System error: exec: "--verbose": executable file not found in $PATH

But docker-compose build does not :)

[~/tmp/docker-compose-fixing]$ docker-compose build deb1
Building deb1...
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

Never mind :) Thanks for the help and effort. Anyhow, it is good to know that someone had docker-compose working on OS X; probably, at some point, I will have it working as well!

@posita
Contributor

posita commented Sep 27, 2015

I suppose one silver lining is that I no longer think your issue is with docker-machine. 😥

This may be an issue with docker-compose, but it's not docker/compose#890. Since it seems so difficult to reproduce outside of your environment, I suspect that you'll need to do some serious digging on your end to properly diagnose this (e.g., using pdb, maybe even dtrace or wireshark to fully understand what's going on).

I wish I could be of more help. 😞
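The resolution recorded at the top of this issue was to unset CURL_CA_BUNDLE. The check below is an added example, not part of the thread and not docker-compose or docker-py code: it assumes that requests (used by docker-py) prefers REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, over the CA path configured on the session, and reports whether such a variable hides the Docker Machine CA at DOCKER_CERT_PATH/ca.pem. All function names and the constructed PEM stand-ins are hypothetical.

```python
"""Report whether a CA-bundle environment variable replaces the Docker CA."""
import base64
import hashlib
import os
import re
import tempfile

# Assumption: consulted in this order when no per-request `verify` is given,
# and the value found wins over the CA path set on the session.
OVERRIDE_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """Return the SHA-256 fingerprints of every certificate block in text."""
    prints = set()
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def effective_ca(environ, session_verify):
    """Return (path, source) for the CA bundle that would actually be used."""
    for name in OVERRIDE_VARS:
        value = environ.get(name)
        if value:  # an empty value falls through to the next candidate
            return value, name
    return session_verify, "session"


def diagnose(environ):
    """Compare the effective CA bundle with DOCKER_CERT_PATH/ca.pem."""
    cert_dir = environ.get("DOCKER_CERT_PATH")
    if not cert_dir:
        return {"status": "no-docker-env"}
    docker_ca = os.path.join(cert_dir, "ca.pem")
    path, source = effective_ca(environ, docker_ca)
    result = {"docker_ca": docker_ca, "effective": path, "source": source}
    if source == "session":
        result["status"] = "ok"
        return result
    try:
        with open(docker_ca) as fh:
            wanted = pem_fingerprints(fh.read())
        with open(path) as fh:
            have = pem_fingerprints(fh.read())
    except OSError as exc:
        result["status"] = "unreadable"
        result["detail"] = str(exc)
        return result
    if wanted and wanted <= have:
        # The override bundle still includes the Docker CA, so the daemon's
        # certificate can chain to a trusted root.
        result["status"] = "override-contains-docker-ca"
    else:
        # The daemon's certificate is signed by a CA the bundle lacks:
        # this is the CERTIFICATE_VERIFY_FAILED case.
        result["status"] = "override-hides-docker-ca"
    return result


def fake_pem(label):
    """Constructed stand-in for a certificate: real PEM framing, fake DER."""
    body = base64.b64encode(label.encode("ascii")).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n%s\n"
            "-----END CERTIFICATE-----\n" % body)


def demo():
    """Run diagnose() against constructed files in a temporary directory."""
    root = tempfile.mkdtemp()
    cert_dir = os.path.join(root, "machines", "example")
    os.makedirs(cert_dir)
    with open(os.path.join(cert_dir, "ca.pem"), "w") as fh:
        fh.write(fake_pem("constructed docker-machine CA"))
    public = os.path.join(root, "public-bundle.pem")
    with open(public, "w") as fh:
        fh.write(fake_pem("constructed public root 1"))
        fh.write(fake_pem("constructed public root 2"))
    base = {"DOCKER_CERT_PATH": cert_dir}
    clean = diagnose(base)
    overridden = diagnose(dict(base, CURL_CA_BUNDLE=public))
    return clean["status"], overridden["status"], overridden["source"]


if __name__ == "__main__":
    print(diagnose(dict(os.environ)))
```

Run it in the same shell, after `eval $( docker-machine env ... )`, so it sees the variables docker-compose would see.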

emsi pushed a commit to emsi/machine that referenced this issue Oct 31, 2015
# The first commit's message is:
Fix Go Vet errors

This commit makes no changes to code execution, but rather resolves some
`go vet` errors, the majority of which relate to `fatal` being used
instead of `fatalf` during testing.

Signed-off-by: Matt McNaughton <mattjmcnaughton@gmail.com>

# This is the 2nd commit message:

FIX docker#1297 - Support additional tags on GCE

Signed-off-by: David Gageot <david@gageot.net>
# This is the 3rd commit message:

FIX docker#676 - Support Start/Stop GCE instance

Signed-off-by: David Gageot <david@gageot.net>
# This is the 4th commit message:

Updating with changes dropped in 1830
Tweaking language
Incorporate Olivier's comments
Stomp the nit --- a misspelling
Wrapping lines
Possessive

Signed-off-by: Mary Anthony <mary@docker.com>

# This is the 5th commit message:

Fix docker#1846

Signed-off-by: Olivier Gambier <viapanda@gmail.com>

# This is the 6th commit message:

Adding FUSE HGFS mount option

Signed-off-by: Fabio Rapposelli <fabio@vmware.com>

# This is the 7th commit message:

cleanup log.*ln, unuseful methods, some typos error …

1. cleanup log.*ln for docker#1081
2. add "\n" to config command
3. typos error
4. remove unuseful methods: getBasedir@commands.go, and
GetDefaultTestHost@commands_test

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

# This is the 8th commit message:

separate pkgaction into 'pkgaction' and 'serviceaction'

ignored IntelliJ IDEA files

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

# This is the 9th commit message:

fix debian provisioning bug with systemd

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

# This is the 10th commit message:

Rehauled build system and integration testing

- USE_CONTAINER allow to seamlessly run targets inside or outside containers
- all build calls have been harmonized, honoring the same env variables
- contributing doc has been streamlined according to that
- kill the distinction between remote and local docker builds
- got rid of some of the byzantine calls in various assorted scripts
- support for static build, debug builds, verbose

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 11th commit message:

Fix missing dep on circle

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 12th commit message:

Fix vet errors and enforce vet on travis

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 13th commit message:

First steps to make ssh command smoother

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 14th commit message:

Handle bad netmask returned by virtualbox after hostonlyif creation. Fixes docker#1843

Signed-off-by: Ron Williams <ron.a.williams@gmail.com>

# This is the 15th commit message:

Add tests for host only network retrieval feature

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 16th commit message:

Fix failing case creating host only interface

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 17th commit message:

Make libmachine usable by outside world

- Clear out some cruft tightly coupling libmachine to filestore

- Comment out drivers other than virtualbox for now

- Change way too many things

- Mostly, break out the code to be more modular.

- Destroy all traces of "provider" in its current form.  It will be
brought back as something more sensible, instead of something which
overlaps in function with both Host and Store.

- Fix mis-managed config passthru

- Remove a few instances of state stored in env vars

- This should be explicitly communicated in Go-land, not through the
shell.

- Rename "store" module to "persist"

- This is done mostly to avoid confusion about the fact that a concrete
instance of a "Store" interface is oftentimes referred to as "store" in
the code.

- Rip out repetitive antipattern for getting store

- This replaces the previous repetitive idiom for getting the cert info, and
consequently the store, with a much less repetitive idiom.

- Also, some redundant methods in commands.go for accessing hosts have
either been simplified or removed entirely.

- First steps towards fixing up tests

- Test progress continues

- Replace unit tests with integration tests

- MAKE ALL UNIT TESTS PASS YAY

- Add helper test files

- Don't write to disk in libmachine/host

- Heh.. coverage check strikes again

- Fix remove code

- Move cert code around

- Continued progress: simplify Driver

- Fixups and make creation work with new model

- Move drivers module inside of libmachine

- Move ssh module inside of libmachine

- Move state module to libmachine

- Move utils module to libmachine

- Move version module to libmachine

- Move log module to libmachine

- Modify some constructor methods around

- Change Travis build dep structure

- Boring gofmt fix

- Add version module

- Move NewHost to store

- Update some boring cert path infos to make API easier to use

- Fix up some issues around the new model

- Clean up some cert path stuff

- Don't use shady functions to get store path :D

- Continue artifact work

- Fix silly machines dir bug

- Continue fixing silly path issues

- Change up output of vbm a bit

- Continue work to make example go

- Change output a little more

- Last changes needed to make create finish properly

- Fix config.go to use libmachine

- Cut down code duplication and make both methods work with libmachine

- Add pluggable logging implementation

- Return error when machine already in desired state

- Update example to show log method

- Fix file:// bug

- Fix Swarm defaults

- Remove unused TLS settings from Engine and Swarm options

- Remove spurious error

- Correct bug detecting if migration was performed

- Fix compilation errors from tests

- Fix most of remaining test issues

- Fix final silly bug in tests

- Remove extraneous debug code

- Add -race to test command

- Appease the gofmt

- Appease the generate coverage

- Making executive decision to remove Travis coverage check

In the early days I thought this would be a good idea because it would
encourage people to write tests in case they added a new module.  Well,
in fact it has just turned into a giant nuisance and made refactoring
work like this even more difficult.

- Move Get to Load
- Move HostListItem code to CLI

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 18th commit message:

--no-proxy flag for env command

This optional flag will add the docker host to the no_proxy environment variable. This is useful for local providers (e.g. virtualbox, fusion) in environments where an http_proxy is set and docker by default tries to connect to the ip via the proxy.

Signed-off-by: Fabian Ruff <fabian@progra.de>

# This is the 19th commit message:

Add doc section about --no-proxy flag

Signed-off-by: Fabian Ruff <fabian@progra.de>

# This is the 20th commit message:

Update documentation and integration tests for no_proxy

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 21st commit message:

Remove beta warning message

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 22nd commit message:

Fix error reporting on VBoxManage not found

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 23rd commit message:

Remove empty test files

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 24th commit message:

Fix flag accidentally left out in PR carry

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 25th commit message:

Tests fixes / silence build / add unit tests

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 26th commit message:

Fix Docker daemon wait

Also, a few various cleanups are bundled:

1. Only call GetDriver() once to get the object in provision/utils.go
2. SSH command wrapper will return the error and let the consumer decide
   what to do with it instead of bailing automatically on non-255

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 27th commit message:

Re-add godep

This change is needed to fix a Continuous Build pipeline run by
@ehazlett which spits out master build binaries for Docker Machine.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 28th commit message:

Remove dead code.

Function getMachineDir is not used.

Signed-off-by: Alexey Grachov <grachov.alexey@gmail.com>

# This is the 29th commit message:

Add argument assertion to inspect/status/url commands

Signed-off-by: Kazuyuki Suzuki <kechol28@gmail.com>

# This is the 30th commit message:

Update release version number

0.4.1

Signed-off-by: Vladimir Chernyshev <volch5@gmail.com>

# This is the 31st commit message:

Issue docker#1867 improve detectShell for windows

newer versions of git bash use mintty which doesn't set TERM=cygwin but
does set SHELL appropriately. Allow for SHELL to be detected on windows
and only output the message if it's not.

Signed-off-by: Donovan Jimenez <donovan.jimenez@gmail.com>

# This is the 32nd commit message:

Additional info message while waiting for IP address.

It takes a lot of time to assign the IP to droplet, so informing user
about this hang looks like good idea.

Signed-off-by: Alexey Grachov <grachov.alexey@gmail.com>

# This is the 33rd commit message:

Fix binaries location

Signed-off-by: David Gageot <david@gageot.net>
# This is the 34th commit message:

Add --github-api-token flag and troubleshooting section

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 35th commit message:

Fix broken --storage-path flag

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 36th commit message:

commands: make `ls` to not report saved hosts to be active when $DOCKER_HOST is not set

Signed-off-by: Soshi Katsuta <soshi.katsuta@gmail.com>

# This is the 37th commit message:

Move VBox detection to Precreate and print version

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 38th commit message:

Add --openstack-ip-version option

This option allows users to specify IP version.

Signed-off-by: Hironobu Saitoh <hiro@hironobu.org>

# This is the 39th commit message:

clarified hostname error with valid characters

this is a fix for docker#1922 to add in a valid character error message.

Signed-off-by: Kendrick Coleman <kendrickcoleman@gmail.com>

# This is the 40th commit message:

Display error message only when create was otherwise successful

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 41st commit message:

Prepare build for plugins PR

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 42nd commit message:

Add environment variables for OpenStack flags

Some flags for the OpenStack driver did not have
a corresponding environment variable.

Among others, this is needed to run bats core tests
with the OpenStack driver.

Signed-off-by: Guillaume Giamarchi <guillaume.giamarchi@gmail.com>

# This is the 43rd commit message:

Fix building in docker

- now has the default build target on `make`
- test depends on non-bogus target

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 44th commit message:

Don't build test files in cmd

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 45th commit message:

Updating CI builds to use Go 1.5.1

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 46th commit message:

Fix config drive support in VMware Fusion driver

Signed-off-by: Marcel Harkema <marcel@harkema.name>

# This is the 47th commit message:

Fix docker#1974 make clean after a make build-x#1974

Signed-off-by: David Gageot <david@gageot.net>

# This is the 48th commit message:

Fix filenames of loggers.

Signed-off-by: Kent Wang <pragkent@gmail.com>

# This is the 49th commit message:

Remove TerminalLogger.

Signed-off-by: Kent Wang <pragkent@gmail.com>

# This is the 50th commit message:

Fix Windows SSH issues

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 51st commit message:

Hugo 15 support Markdown per GitHub; Removing seds

Signed-off-by: Mary Anthony <mary@docker.com>

# This is the 52nd commit message:

Explain how to prepare a Go 1.5 development environment
Other minor documentation fixes

Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com>

# This is the 53rd commit message:

Simplify fetch process by using go get

Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com>

# This is the 54th commit message:

Fix docker#1972 Google drive is broken because of tags

Signed-off-by: David Gageot <david@gageot.net>

# This is the 55th commit message:

FIX docker#1914 Reject command lines with trailing flags

Signed-off-by: David Gageot <david@gageot.net>

# This is the 56th commit message:

add default AddressType: Fixed

Signed-off-by: Christian Mouttet <cmouttet@gmail.com>

# This is the 57th commit message:

Build system enhancements

- new simpler targets:
 * make machine
 * make plugins
 * make cross
- fixed windows cross build to output .exe files

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 58th commit message:

Move towards using external binaries / RPC plugins

- First RPC steps

- Work on some flaws in RPC model

- Remove unused TLS settings from Engine and Swarm options

- Add code to correctly encode data over the network

- Add client driver for RPC

- Rename server driver file

- Start to make marshal make sense

- Fix silly RPC method args and add client

- Fix some issues with RPC calls, and marshaling

- Simplify plugin main.go

- Move towards 100% plugin in CLI

- Ensure that plugin servers are cleaned up properly

- Make flag parsing for driver flags work properly

Includes some work carried from @dmp42 updating the build process and
tests to use the new method.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 59th commit message:

Bump version for release candidate

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 60th commit message:

Close docker#2001 / consistent hyperv internal naming

Signed-off-by: David Arnold <dar@devco.co>

# This is the 61st commit message:

Fix log.* method calls which meant to be log.*f

Stuff like `log.Debug("foo bar: %s", baz)` really wants to be
`log.Debugf("foo bar: %s", baz)`...

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 62nd commit message:

fix IPV6NetworkMaskPrefixLength value parsing docker#1692

Adapted from boot2docker/boot2docker-cli@941c70c

Signed-off-by: Gianpaolo Macario <gmacario@gmail.com>

# This is the 63rd commit message:

Introduced a new flag for google driver:
--google-use-internal-ip

Signed-off-by: Mariusz Woloszyn <emsi@EmsiOSX.dom.qpqp01.pl>

# This is the 64th commit message:

Fixing JSON marshaling of large numbers during migration

- Added some context to an error message - it's useful to know _which_
  plugin failed when invoking the binary failed
- Replaced `json.Unmarshal` with a `json.Decoder`, so that the
  `UseNumber` function can be called, which prevents large integers from
  being interpreted as `float64`s.
- Fixed a couple `log.Warn` calls that should've been `log.Warnf`

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 65th commit message:

Add some small support for forward compatible configuration mistakes

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 66th commit message:

Ensure log writes only to os.Stderr for env and config command

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 67th commit message:

Spit out at least some message when flag parsing etc. fails

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 68th commit message:

Bump version to 0.5.0-rc2

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 69th commit message:

Fix Typos in integration tests

Signed-off-by: David Gageot <david@gageot.net>

# This is the 70th commit message:

Check that VT-X/AMD-v is enabled

Signed-off-by: David Gageot <david@gageot.net>

# This is the 71st commit message:

FIX docker#1974 in-container make test fails

Signed-off-by: David Gageot <david@gageot.net>

# This is the 72nd commit message:

Add tests to virtualbox driver

Signed-off-by: David Gageot <david@gageot.net>

# This is the 73rd commit message:

Adding provisioner for Arch Linux

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 74th commit message:

Add SUSE Enterprise Linux and openSUSE provision

Add support for SUSE Enterprise Linux and openSUSE

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

# This is the 75th commit message:

Revert "Add SUSE Enterprise Linux and openSUSE provision"

# This is the 76th commit message:

FIX docker#2020 Better error when vboxmanage is missing

Signed-off-by: David Gageot <david@gageot.net>

# This is the 77th commit message:

Adding support for darwin to IsVTXDisabled

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 78th commit message:

Additional validation on virtualbox-hostonly-cidr

Check that the CIDR provided for a virtualbox host only CIDR is specified as a host IP and netmask, e.g., 192.168.100.1/24, and not a network IP and netmask, e.g., 192.168.100.0/24. This will help prevent confusion like docker#1383

Signed-off-by: Chris Abernethy <cabernet@chrisabernethy.com>

Signed-off-by: David Gageot <david@gageot.net>

# This is the 79th commit message:

Report VirtualBox errors

Signed-off-by: David Gageot <david@gageot.net>

# This is the 80th commit message:

Carries and closes docker#1352
Pull the chmod line per reviewers

Signed-off-by: Mary Anthony <mary@docker.com>

# This is the 81st commit message:

Fix ordered list numbering

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 82nd commit message:

Increase SSH timeout back to five minutes

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 83rd commit message:

FIX docker#2019 invalid env hints

Signed-off-by: David Gageot <david@gageot.net>

# This is the 84th commit message:

Bump version to rc3

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 85th commit message:

Add more debug during certificates validation

Signed-off-by: David Gageot <david@gageot.net>

# This is the 86th commit message:

Remove dead code

Signed-off-by: David Gageot <david@gageot.net>

# This is the 87th commit message:

Use SDK to Validate VpcID with SubnetId

Signed-off-by: feelobot <felix.a.rod@gmail.com>

# This is the 88th commit message:

Inspired by docker#1880 (and docker/compose#890 et al.). Make sure `ca.pem` subject is different from `cert.pem` subject to work-around OpenSSL bug.

Signed-off-by: Matt Bogosian <mtb19@columbia.edu>

# This is the 89th commit message:

force tty allocation for ssh with multiple '-tt'.

fix docker#2037:
when provisioning on CentOS 7.0, it needs to force tty allocation with multiple '-t' options.
Otherwise, the ssh command will fail with "sudo: sorry, you must have a tty to run sudo"
in SetHostname.

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

# This is the 90th commit message:

improve cmd shell support

Signed-off-by: Stefan Scherer <scherer_stefan@icloud.com>

Signed-off-by: David Gageot <david@gageot.net>

# This is the 91st commit message:

Add SUSE Enterprise Linux and openSUSE provision

Add support for SUSE Enterprise Linux and openSUSE.

Code revised to build against current master.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

# This is the 92nd commit message:

Adding bash completion and helper scripts

This patch adds some bash helper scripts.

 * docker-machine.bash - command completion for docker-machine
 * docker-machine-prompt.bash - function for putting the active machine
   name in PS1
 * docker-machine-wrapper.bash - function wrapper adding an `use`
   command that runs `eval $(docker-machine env whatever)` in the
   current shell.

Signed-off-by: David M. Lee <dlee@respoke.io>

# This is the 93rd commit message:

Fix some links found with linkchecker

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

# This is the 94th commit message:

Typo in EXOSCALE_IMAGE

Signed-off-by: Bruno Renié <brutasse@gmail.com>

# This is the 95th commit message:

Adding localhost to the list of alt_names

When attempting to connect to the docker api from the machine itself,
the TLS verification of the certificate checked against the public
IP address of the primary interface.  This is undesirable on hosts
which have NAT rules that block access to that address by default.

Adding "localhost" to the list of alt_names allows the cert to be
verified and connections to localhost (either 127.0.0.1 or [::1]) to
the port to pass verification. Otherwise one would need to disable
verification just to connect to the local docker instance.

Signed-off-by: David Gageot <david@gageot.net>

# This is the 96th commit message:

Minor cleanup and fix docker#2022

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 97th commit message:

support github enterprise urls for b2d downloads

This commit allows downloading boot2docker releases not only from the official releases url (https://api.github.com/repos/boot2docker/boot2docker/releases) but from arbitrary github repositories that publish releases with a boot2docker.iso artifact. It also supports downloading from github enterprise.

Signed-off-by: Fabian Ruff <fabian@progra.de>

# This is the 98th commit message:

support upgrading b2d from custom urls

.

Signed-off-by: Fabian Ruff <fabian@progra.de>

# This is the 99th commit message:

Add heartbeat / automatic server cleanup code

This replaces the previous method of attempting to clean up servers when
an unexpected exit occurs in the client (e.g. SIGINT or panic) by a
heartbeat protocol.  If the server does not hear from the connecting
client within a certain interval of time (500ms in this commit), it will
de-activate itself.  This prevents dangling Docker Machine server
processes from accumulating.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 100th commit message:

Remove useless duplication on PreCreateCheck

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 101st commit message:

Trivial cleanup / ordering / inline doc

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 102nd commit message:

Remove useless duplication on GetSSHHostname

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 103rd commit message:

Remove duplication over GetIP

+ ip address proper validation

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 104th commit message:

Generic and Base slight cleanups

- tests for GetIP
- extract default values into consts (user & port)
- better error handling (cert permissions change)
- unexport Driver for generic (linting)
- ordering of methods and variables for better readability

Signed-off-by: Olivier Gambier <olivier@docker.com>

# This is the 105th commit message:

Re-add make install to Makefile

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 106th commit message:

Fixes docker#2062

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 107th commit message:

Remove dead code

Signed-off-by: David Gageot <david@gageot.net>

# This is the 108th commit message:

FIX docker#1985 Build with Docker on TravisCI

Signed-off-by: David Gageot <david@gageot.net>

# This is the 109th commit message:

Revert "Generic and Base slight cleanups"

This reverts commit 19625de.

Signed-off-by: David Gageot <david@gageot.net>

# This is the 110th commit message:

Revert "Remove duplication over GetIP"

This reverts commit 99aacc7.

Signed-off-by: David Gageot <david@gageot.net>

# This is the 111th commit message:

Revert "Remove useless duplication on GetSSHHostname"

This reverts commit b6462eb.

Signed-off-by: David Gageot <david@gageot.net>

# This is the 112th commit message:

Returning active host when swarm is active

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

# This is the 113th commit message:

Stop heartbeat when there is an issue connecting to the server

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 114th commit message:

Print a better error when virtualbox fails

Instead of printing `exit status 1` we'll print
the stderr output

Signed-off-by: David Gageot <david@gageot.net>

# This is the 115th commit message:

Simpler code for env usage hints.

We can just output the original os.Args in the
eval call.

Signed-off-by: David Gageot <david@gageot.net>

# This is the 116th commit message:

Pipe error output from git line to /dev/null

This will simply leave the tag empty if compiled independent of a source
repository.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

# This is the 117th commit message:

Fixed typo

Signed-off-by: Ian Lee <IanLee1521@gmail.com>

# This is the 118th commit message:

Fix panic when using openstack driver

The openstack driver was unusable because some cli flags were redefined.

That caused a runtime error like:

  create flag redefined: openstack-ssh-user
  panic: create flag redefined: openstack-ssh-user

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

# This is the 119th commit message:

FIX docker#2093 warn in case we think VT-X is not enabled.

Signed-off-by: David Gageot <david@gageot.net>

emsi pushed a commit to emsi/machine that referenced this issue Oct 31, 2015
# The first commit's message is:

Fix Go Vet errors

This commit makes no changes to code execution, but rather resolves some
`go vet` errors, the majority of which relate to `fatal` being used
instead of `fatalf` during testing.

Signed-off-by: Matt McNaughton <mattjmcnaughton@gmail.com>

FIX docker#1297 - Support additional tags on GCE

Signed-off-by: David Gageot <david@gageot.net>

FIX docker#676 - Support Start/Stop GCE instance

Signed-off-by: David Gageot <david@gageot.net>

Updating with changes dropped in 1830
Tweaking language
Incorporate Olivier's comments
Stomp the nit --- a misspelling
Wrapping lines
Possessive

Signed-off-by: Mary Anthony <mary@docker.com>

Fix docker#1846

Signed-off-by: Olivier Gambier <viapanda@gmail.com>

Adding FUSE HGFS mount option

Signed-off-by: Fabio Rapposelli <fabio@vmware.com>

cleanup log.*ln, unuseful methods, some typos error …

1. cleanup log.*ln for docker#1081
2. add "\n" to config command
3. typos error
4. remove unuseful methods: getBasedir@commands.go, and
GetDefaultTestHost@commands_test

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

separate pkgaction into 'pkgaction' and 'serviceaction'

ignored IntelliJ IDEA files

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

fix debian provisioning bug with systemd

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>

Rehauled build system and integration testing

- USE_CONTAINER allow to seamlessly run targets inside or outside containers
- all build calls have been harmonized, honoring the same env variables
- contributing doc has been streamlined according to that
- kill the distinction between remote and local docker builds
- got rid of some of the byzantine calls in various assorted scripts
- support for static build, debug builds, verbose

Signed-off-by: Olivier Gambier <olivier@docker.com>

Fix missing dep on circle

Signed-off-by: Olivier Gambier <olivier@docker.com>

Fix vet errors and enforce vet on travis

Signed-off-by: Olivier Gambier <olivier@docker.com>

First steps to make ssh command smoother

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Handle bad netmask returned by virtualbox after hostonlyif creation. Fixes docker#1843

Signed-off-by: Ron Williams <ron.a.williams@gmail.com>

Add tests for host only network retrieval feature

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fix failing case creating host only interface

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Make libmachine usable by outside world

- Clear out some cruft tightly coupling libmachine to filestore

- Comment out drivers other than virtualbox for now

- Change way too many things

- Mostly, break out the code to be more modular.

- Destroy all traces of "provider" in its current form.  It will be
brought back as something more sensible, instead of something which
overlaps in function with both Host and Store.

- Fix mis-managed config passthru

- Remove a few instances of state stored in env vars

- This should be explicitly communicated in Go-land, not through the
shell.

- Rename "store" module to "persist"

- This is done mostly to avoid confusion about the fact that a concrete
instance of a "Store" interface is oftentimes referred to as "store" in
the code.

- Rip out repetitive antipattern for getting store

- This replaces the previous repetitive idiom for getting the cert info, and
consequently the store, with a much less repetitive idiom.

- Also, some redundant methods in commands.go for accessing hosts have
either been simplified or removed entirely.

- First steps towards fixing up tests

- Test progress continues

- Replace unit tests with integration tests

- MAKE ALL UNIT TESTS PASS YAY

- Add helper test files

- Don't write to disk in libmachine/host

- Heh.. coverage check strikes again

- Fix remove code

- Move cert code around

- Continued progress: simplify Driver

- Fixups and make creation work with new model

- Move drivers module inside of libmachine

- Move ssh module inside of libmachine

- Move state module to libmachine

- Move utils module to libmachine

- Move version module to libmachine

- Move log module to libmachine

- Modify some constructor methods around

- Change Travis build dep structure

- Boring gofmt fix

- Add version module

- Move NewHost to store

- Update some boring cert path infos to make API easier to use

- Fix up some issues around the new model

- Clean up some cert path stuff

- Don't use shady functions to get store path :D

- Continue artifact work

- Fix silly machines dir bug

- Continue fixing silly path issues

- Change up output of vbm a bit

- Continue work to make example go

- Change output a little more

- Last changes needed to make create finish properly

- Fix config.go to use libmachine

- Cut down code duplication and make both methods work with libmachine

- Add pluggable logging implementation

- Return error when machine already in desired state

- Update example to show log method

- Fix file:// bug

- Fix Swarm defaults

- Remove unused TLS settings from Engine and Swarm options

- Remove spurious error

- Correct bug detecting if migration was performed

- Fix compilation errors from tests

- Fix most of remaining test issues

- Fix final silly bug in tests

- Remove extraneous debug code

- Add -race to test command

- Appease the gofmt

- Appease the generate coverage

- Making executive decision to remove Travis coverage check

In the early days I thought this would be a good idea because it would
encourage people to write tests in case they added a new module.  Well,
in fact it has just turned into a giant nuisance and made refactoring
work like this even more difficult.

- Move Get to Load
- Move HostListItem code to CLI

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

--no-proxy flag for env command

This optional flag will add the docker host to the no_proxy environment variable. This is useful for local providers (e.g. virtualbox, fusion) in environments where an http_proxy is set and docker by default tries to connect to the ip via the proxy.

Signed-off-by: Fabian Ruff <fabian@progra.de>

Add doc section about --no-proxy flag

Signed-off-by: Fabian Ruff <fabian@progra.de>

Update documentation and integration tests for no_proxy

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Remove beta warning message

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fix error reporting on VBoxManage not found

Signed-off-by: Olivier Gambier <olivier@docker.com>

Remove empty test files

Signed-off-by: Olivier Gambier <olivier@docker.com>

Fix flag accidentally left out in PR carry

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Tests fixes / silence build / add unit tests

Signed-off-by: Olivier Gambier <olivier@docker.com>

Fix Docker daemon wait

Also, a few various cleanups are bundled:

1. Only call GetDriver() once to get the object in provision/utils.go
2. SSH command wrapper will return the error and let the consumer decide
   what to do with it instead of bailing automatically on non-255

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Re-add godep

This change is needed to fix a Continuous Build pipeline run by
@ehazlett which spits out master build binaries for Docker Machine.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Remove dead code.

Function getMachineDir is not used.

Signed-off-by: Alexey Grachov <grachov.alexey@gmail.com>

Add argument assertion to inspect/status/url commands

Signed-off-by: Kazuyuki Suzuki <kechol28@gmail.com>

Update release version number

0.4.1

Signed-off-by: Vladimir Chernyshev <volch5@gmail.com>

Issue docker#1867 improve detectShell for windows

newer versions of git bash use mintty which doesn't set TERM=cygwin but
does set SHELL appropriately. Allow for SHELL to be detected on windows
and only output the message if it's not.

Signed-off-by: Donovan Jimenez <donovan.jimenez@gmail.com>

Additional info message while waiting for IP address.

It takes a lot of time to assign the IP to the droplet, so informing the user
about this hang looks like a good idea.

Signed-off-by: Alexey Grachov <grachov.alexey@gmail.com>

Fix binaries location

Signed-off-by: David Gageot <david@gageot.net>

Add --github-api-token flag and troubleshooting section

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fix broken --storage-path flag

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

commands: make `ls` to not report saved hosts to be active when $DOCKER_HOST is not set

Signed-off-by: Soshi Katsuta <soshi.katsuta@gmail.com>

Move VBox detection to Precreate and print version

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Add --openstack-ip-version option

This option allows users to specify IP version.

Signed-off-by: Hironobu Saitoh <hiro@hironobu.org>

clarified hostname error with valid characters

this is a fix for docker#1922 to add in a valid character error message.

Signed-off-by: Kendrick Coleman <kendrickcoleman@gmail.com>

Display error message only when create was otherwise successful

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Prepare build for plugins PR

Signed-off-by: Olivier Gambier <olivier@docker.com>

Add environment variables for OpenStack flags

Some flags for the OpenStack driver did not have
a corresponding environment variable.

Among others, this is needed to run bats core tests
with the OpenStack driver.

Signed-off-by: Guillaume Giamarchi <guillaume.giamarchi@gmail.com>

Fix building in docker

- now has the default build target on `make`
- test depends on non-bogus target

Signed-off-by: Olivier Gambier <olivier@docker.com>

Don't build test files in cmd

Signed-off-by: Olivier Gambier <olivier@docker.com>

Updating CI builds to use Go 1.5.1

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Fix config drive support in VMware Fusion driver

Signed-off-by: Marcel Harkema <marcel@harkema.name>

Fix docker#1974 make clean after a make build-x#1974

Signed-off-by: David Gageot <david@gageot.net>

Fix filenames of loggers.

Signed-off-by: Kent Wang <pragkent@gmail.com>

Remove TerminalLogger.

Signed-off-by: Kent Wang <pragkent@gmail.com>

Fix Windows SSH issues

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Hugo 15 support Markdown per GitHub; Removing seds

Signed-off-by: Mary Anthony <mary@docker.com>

Explain how to prepare a Go 1.5 development environment
Other minor documentation fixes

Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com>

Simplify fetch process by using go get

Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com>

Fix docker#1972 Google drive is broken because of tags

Signed-off-by: David Gageot <david@gageot.net>

FIX docker#1914 Reject command lines with trailing flags

Signed-off-by: David Gageot <david@gageot.net>

add default AddressType: Fixed

Signed-off-by: Christian Mouttet <cmouttet@gmail.com>

Build system enhancements

- new simpler targets:
 * make machine
 * make plugins
 * make cross
- fixed windows cross build to output .exe files

Signed-off-by: Olivier Gambier <olivier@docker.com>

Move towards using external binaries / RPC plugins

- First RPC steps

- Work on some flaws in RPC model

- Remove unused TLS settings from Engine and Swarm options

- Add code to correctly encode data over the network

- Add client driver for RPC

- Rename server driver file

- Start to make marshal make sense

- Fix silly RPC method args and add client

- Fix some issues with RPC calls, and marshaling

- Simplify plugin main.go

- Move towards 100% plugin in CLI

- Ensure that plugin servers are cleaned up properly

- Make flag parsing for driver flags work properly

Includes some work carried from @dmp42 updating the build process and
tests to use the new method.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Bump version for release candidate

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Close docker#2001 / consistent hyperv internal naming

Signed-off-by: David Arnold <dar@devco.co>

Fix log.* method calls which meant to be log.*f

Stuff like `log.Debug("foo bar: %s", baz)` really wants to be
`log.Debugf("foo bar: %s", baz)`...

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

fix IPV6NetworkMaskPrefixLength value parsing docker#1692

Adapted from boot2docker/boot2docker-cli@941c70c

Signed-off-by: Gianpaolo Macario <gmacario@gmail.com>

Introduced a new flag for google driver:
--google-use-internal-ip

Signed-off-by: Mariusz Woloszyn <emsi@EmsiOSX.dom.qpqp01.pl>

Fixing JSON marshaling of large numbers during migration

- Added some context to an error message - it's useful to know _which_
  plugin failed when invoking the binary failed
- Replaced `json.Unmarshal` with a `json.Decoder`, so that the
  `UseNumber` function can be called, which prevents large integers from
  being interpreted as `float64`s.
- Fixed a couple `log.Warn` calls that should've been `log.Warnf`

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Add some small support for forward compatible configuration mistakes

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Ensure log writes only to os.Stderr for env and config command

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Spit out at least some message when flag parsing etc. fails

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Bump version to 0.5.0-rc2

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fix Typos in integration tests

Signed-off-by: David Gageot <david@gageot.net>

Check that VT-X/AMD-v is enabled

Signed-off-by: David Gageot <david@gageot.net>

FIX docker#1974 in-container make test fails

Signed-off-by: David Gageot <david@gageot.net>

Add tests to virtualbox driver

Signed-off-by: David Gageot <david@gageot.net>

Adding provisioner for Arch Linux

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Add SUSE Enterprise Linux and openSUSE provision

Add support for SUSE Enterprise Linux and openSUSE

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

Revert "Add SUSE Enterprise Linux and openSUSE provision"

FIX docker#2020 Better error when vboxmanage is missing

Signed-off-by: David Gageot <david@gageot.net>

Adding support for darwin to IsVTXDisabled

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Additional validation on virtualbox-hostonly-cidr

Check that the CIDR provided for a virtualbox host only CIDR is specified as a host IP and netmask, e.g., 192.168.100.1/24, and not a network IP and netmask, e.g., 192.168.100.0/24. This will help prevent confusion like docker#1383

Signed-off-by: Chris Abernethy <cabernet@chrisabernethy.com>

Signed-off-by: David Gageot <david@gageot.net>

Report VirtualBox errors

Signed-off-by: David Gageot <david@gageot.net>

Carries and closes docker#1352
Pull the chmod line per reviewers

Signed-off-by: Mary Anthony <mary@docker.com>

Fix ordered list numbering

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Increase SSH timeout back to five minutes

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

FIX docker#2019 invalid env hints

Signed-off-by: David Gageot <david@gageot.net>

Bump version to rc3

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Add more debug during certificates validation

Signed-off-by: David Gageot <david@gageot.net>

Remove dead code

Signed-off-by: David Gageot <david@gageot.net>

Use SDK to Validate VpcID with SubnetId

Signed-off-by: feelobot <felix.a.rod@gmail.com>

Inspired by docker#1880 (and docker/compose#890 et al.). Make sure `ca.pem` subject is different from `cert.pem` subject to work-around OpenSSL bug.

Signed-off-by: Matt Bogosian <mtb19@columbia.edu>

force tty allocation for ssh with multiple '-tt'.

fix docker#2037:
when provisioning on CentOS 7.0, it needs to force tty allocation with multiple '-t' options.
Otherwise, the ssh command will fail with "sudo: sorry, you must have a tty to run sudo"
in SetHostname.

Signed-off-by: Xiaohui Liu <xiaohui.liu@ucloud.cn>

improve cmd shell support

Signed-off-by: Stefan Scherer <scherer_stefan@icloud.com>

Signed-off-by: David Gageot <david@gageot.net>

Add SUSE Enterprise Linux and openSUSE provision

Add support for SUSE Enterprise Linux and openSUSE.

Code revised to build against current master.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

Adding bash completion and helper scripts

This patch adds some bash helper scripts.

 * docker-machine.bash - command completion for docker-machine
 * docker-machine-prompt.bash - function for putting the active machine
   name in PS1
 * docker-machine-wrapper.bash - function wrapper adding an `use`
   command that runs `eval $(docker-machine env whatever)` in the
   current shell.

Signed-off-by: David M. Lee <dlee@respoke.io>

Fix some links found with linkchecker

Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>

Typo in EXOSCALE_IMAGE

Signed-off-by: Bruno Renié <brutasse@gmail.com>

Adding localhost to the list of alt_names

When attempting to connect to the docker api from the machine itself,
the TLS verification of the certificate checked against the public
IP address of the primary interface.  This is undesirable on hosts
which have NAT rules that block access to that address by default.

Adding "localhost" to the list of alt_names allows the cert to be
verified and connections to localhost (either 127.0.0.1 or [::1]) to
the port to pass verification. Otherwise one would need to disable
verification just to connect to the local docker instance.

Signed-off-by: David Gageot <david@gageot.net>

Minor cleanup and fix docker#2022

Signed-off-by: Olivier Gambier <olivier@docker.com>

support github enterprise urls for b2d downloads

This commit allows downloading boot2docker releases not only from the official releases url (https://api.github.com/repos/boot2docker/boot2docker/releases) but from arbitrary github repositories that publish releases with a boot2docker.iso artifact. It also supports downloading from github enterprise.

Signed-off-by: Fabian Ruff <fabian@progra.de>

support upgrading b2d from custom urls

.

Signed-off-by: Fabian Ruff <fabian@progra.de>

Add heartbeat / automatic server cleanup code

This replaces the previous method of attempting to clean up servers when
an unexpected exit occurs in the client (e.g. SIGINT or panic) by a
heartbeat protocol.  If the server does not hear from the connecting
client within a certain interval of time (500ms in this commit), it will
de-activate itself.  This prevents dangling Docker Machine server
processes from accumulating.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Remove useless duplication on PreCreateCheck

Signed-off-by: Olivier Gambier <olivier@docker.com>

Trivial cleanup / ordering / inline doc

Signed-off-by: Olivier Gambier <olivier@docker.com>

Remove useless duplication on GetSSHHostname

Signed-off-by: Olivier Gambier <olivier@docker.com>

Remove duplication over GetIP

+ ip address proper validation

Signed-off-by: Olivier Gambier <olivier@docker.com>

Generic and Base slight cleanups

- tests for GetIP
- extract default values into consts (user & port)
- better error handling (cert permissions change)
- unexport Driver for generic (linting)
- ordering of methods and variables for better readability

Signed-off-by: Olivier Gambier <olivier@docker.com>

Re-add make install to Makefile

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fixes docker#2062

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Remove dead code

Signed-off-by: David Gageot <david@gageot.net>

FIX docker#1985 Build with Docker on TravisCI

Signed-off-by: David Gageot <david@gageot.net>

Revert "Generic and Base slight cleanups"

This reverts commit 19625de.

Signed-off-by: David Gageot <david@gageot.net>

Revert "Remove duplication over GetIP"

This reverts commit 99aacc7.

Signed-off-by: David Gageot <david@gageot.net>

Revert "Remove useless duplication on GetSSHHostname"

This reverts commit b6462eb.

Signed-off-by: David Gageot <david@gageot.net>

Returning active host when swarm is active

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

Stop heartbeat when there is an issue connecting to the server

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Print a better error when virtualbox fails

Instead of printing `exit status 1` we'll print
the stderr output

Signed-off-by: David Gageot <david@gageot.net>

Simpler code for env usage hints.

We can just output the original os.Args in the
eval call.

Signed-off-by: David Gageot <david@gageot.net>

Pipe error output from git line to /dev/null

This will simply leave the tag empty if compiled independent of a source
repository.

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>

Fixed typo

Signed-off-by: Ian Lee <IanLee1521@gmail.com>

Fix panic when using openstack driver

The openstack driver was unusable because some cli flags were redefined.

That caused a runtime error like:

  create flag redefined: openstack-ssh-user
  panic: create flag redefined: openstack-ssh-user

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

FIX docker#2093 warn in case we think VT-X is not enabled.

Signed-off-by: David Gageot <david@gageot.net>

FIX docker#2023 and docker#1061 Use google default authentication

Signed-off-by: David Gageot <david@gageot.net>

# This is the 2nd commit message:

Remove redundant error log

Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>
@nathanleclaire
Contributor

Closing this, please re-open as a new issue if you can provide a reproducible test case. Thanks

@herveDarritchon

@PavelPolyakov

One very dirty solution that did the trick for me:

Declare your docker IP address as localhost in /etc/hosts, like
192.168.99.100 localhost

and then put localhost in DOCKER_HOST instead of your IP address.
export DOCKER_HOST=tcp://localhost:2376

And finally, on your Mac, you will have both docker and docker-compose working together.

But I admit, it's really dirty :d but if it could help for a time, it may be worth a try.

@posita
Contributor

posita commented Nov 26, 2015

For those who are new to this issue, but have arrived here from outside (e.g., web search), see @pmahoney's docker/compose#890 (comment) regarding the CURL_CA_BUNDLE environment variable being a possible cause. (@PavelPolyakov, if you can verify this was the cause of your issue, please consider updating your OP so others don't have to read the entire commit history.)

@PavelPolyakov
Author

@posita
Done, thanks for the help, good to have this issue solved.

@hongyanh

I ran into the same error when I was using docker-compose commands. I finally uninstalled docker-machine and used boot2docker to rebuild a VM, and the problem was solved.

My OS is El Capitan and it seems the VM created by docker-machine had some certificate conflicts with my system.

@lcarva

lcarva commented May 8, 2020

Because docker-compose is python based and uses the requests python package, you must also unset the REQUESTS_CA_BUNDLE environment variable to make this work:

unset CURL_CA_BUNDLE
unset REQUESTS_CA_BUNDLE
docker-compose up
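
A per-invocation variant of the workaround above, as an added example that is not part of the original thread: it reports which of the two CA-bundle variables are set and runs a single command without them, so other tools in the same shell that depend on the bundle keep their settings. The helper names `ca_bundle_overrides` and `run_without_ca_overrides` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Print one line per CA-bundle override variable that is set and non-empty,
# noting whether the file it points to exists.
ca_bundle_overrides() {
    for name in CURL_CA_BUNDLE REQUESTS_CA_BUNDLE; do
        case "$name" in
            CURL_CA_BUNDLE)     value="${CURL_CA_BUNDLE:-}" ;;
            REQUESTS_CA_BUNDLE) value="${REQUESTS_CA_BUNDLE:-}" ;;
        esac
        [ -n "$value" ] || continue
        if [ -f "$value" ]; then state=present; else state=missing; fi
        printf '%s=%s (%s)\n' "$name" "$value" "$state"
    done
    return 0
}

# Run the given command with both variables removed from that command's
# environment only; the calling shell keeps its settings.
run_without_ca_overrides() {
    env -u CURL_CA_BUNDLE -u REQUESTS_CA_BUNDLE "$@"
}

# Usage:
#   ca_bundle_overrides
#   run_without_ca_overrides docker-compose up
```
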
