Bug 1252422 - docker.py in new package docker-python does not work with client certificate authentication
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-docker-py
Version: 7.1
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Tomas Tomecek
QA Contact: atomic-bugs@redhat.com
Reported: 2015-08-11 11:20 UTC by Jarle Bjørgeengen
Modified: 2019-03-06 00:41 UTC (History)

Doc Type: Bug Fix
Last Closed: 2017-10-10 11:04:31 UTC
jhonce: needinfo-


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1251392 0 unspecified CLOSED Ansible docker module fails after installing docker-python from RHEL7 2021-02-22 00:41:40 UTC

Internal Links: 1251392

Description Jarle Bjørgeengen 2015-08-11 11:20:44 UTC
Description of problem:

We use ansible's docker module for orchestrating containers in an environment with local registry authenticated by x509 client certificates (nginx).

After introducing the package docker-python in RHEL7 (previously python-docker-py in EPEL), all operations with the docker.py library fail.

Version-Release number of selected component (if applicable):


How reproducible:

Consistent. 

Steps to Reproduce:
1. Configure docker to authenticate to local docker-registry using X509 client-certificate authentication with nginx in front of docker-registry. 
2. Check that docker pull command works against the local registry 
3. Try to use docker.py library from docker-python-1.4.0-108 to do the same thing.


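import json
from docker import Client
c = Client(base_url='unix://var/run/docker.sock')
# Pull a tagged image from the certificate-protected registry and print each progress message
for line in c.pull('docker-registry.uio.no:8088/uio-logstash','7d81ad4', stream=True):
    print(json.dumps(json.loads(line), indent=4))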

Actual results:
Traceback (most recent call last):
  File "docker-pull.py", line 4, in <module>
    for line in c.pull('docker-registry.uio.no:8088/uio-logstash','7d81ad4', stream=True):
  File "/usr/lib/python2.7/site-packages/docker/client.py", line 592, in pull
    repository, insecure=insecure_registry
  File "/usr/lib/python2.7/site-packages/docker/auth/auth.py", line 60, in resolve_repository_name
    return expand_registry_url(parts[0], insecure), parts[1]
  File "/usr/lib/python2.7/site-packages/docker/auth/auth.py", line 39, in expand_registry_url
    "HTTPS endpoint unresponsive and insecure mode isn't enabled."
docker.errors.DockerException: HTTPS endpoint unresponsive and insecure mode isn't enabled.


Expected results:

That it does the same thing as the docker pull command. 

Additional info:

The problem is not apparent in the EPEL package python-docker-py-0.4.0-3 which I believe the new docker-python from RHEL7 replaces. 

It seems likely that the reason is that docker.py from docker-python is not correctly picking up client certificates from /etc/docker/certs.d

Comment 1 Jarle Bjørgeengen 2015-08-11 11:25:18 UTC
nginx access log says (when running the above python snippet):

129.240.0.118 - - [11/Aug/2015:13:22:10 +0200] "GET /v2/ HTTP/1.1" 400 252 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-229.4.2.el7.x86_64" "-"
129.240.0.118 - - [11/Aug/2015:13:22:10 +0200] "GET /v1/_ping HTTP/1.1" 400 252 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-229.4.2.el7.x86_64" "-"


When running docker pull it says:



129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v2/ HTTP/1.1" 404 233 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v1/_ping HTTP/1.1" 200 2 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v1/_ping HTTP/1.1" 200 2 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v1/repositories/uio-logstash/images HTTP/1.1" 200 760 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:51 +0200] "GET /v1/repositories/uio-logstash/tags HTTP/1.1" 200 158 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:51 +0200] "GET /v1/images/90a9503d3cb1c249f1ec04de4f70904bcdc096a7ba76bc31de8b4ebb9405d633/ancestry HTTP/1.1" 200 476 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux
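The two access-log excerpts in comment 1 can be compared mechanically. The following is an added example, not part of the original report or of docker-py: it parses nginx combined-format lines and lists every path where one client from a source address gets HTTP 400 while another client from the same address is served. The sample is four lines copied from the comment; the function names are hypothetical.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format, as shown in comment 1
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Sample input: four lines copied from comment 1 of this report
SAMPLE = """\
129.240.0.118 - - [11/Aug/2015:13:22:10 +0200] "GET /v2/ HTTP/1.1" 400 252 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-229.4.2.el7.x86_64" "-"
129.240.0.118 - - [11/Aug/2015:13:22:10 +0200] "GET /v1/_ping HTTP/1.1" 400 252 "-" "python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-229.4.2.el7.x86_64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v2/ HTTP/1.1" 404 233 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
129.240.0.118 - - [11/Aug/2015:13:23:50 +0200] "GET /v1/_ping HTTP/1.1" 200 2 "-" "docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.4.2.el7.x86_64 os/linux arch/amd64" "-"
"""


def client_of(user_agent):
    """First product token of the User-Agent, e.g. 'docker' or 'python-requests'."""
    return user_agent.split("/", 1)[0]


def compare_clients(log_text):
    """Return (ip, path, rejected_clients, served_clients) for every path where
    one client gets 400 and another client from the same address does not."""
    seen = defaultdict(dict)  # (ip, path) -> {client: last status seen}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or foreign lines are skipped, not guessed at
        seen[(m["ip"], m["path"])][client_of(m["ua"])] = int(m["status"])
    findings = []
    for (ip, path), by_client in sorted(seen.items()):
        rejected = sorted(c for c, s in by_client.items() if s == 400)
        served = sorted(c for c, s in by_client.items() if s != 400)
        if rejected and served:
            findings.append((ip, path, rejected, served))
    return findings


if __name__ == "__main__":
    for finding in compare_clients(SAMPLE):
        print(finding)
```

A 400 for one client next to a 200 or 404 for another on the same path points at the TLS handshake rather than the registry, since nginx answers 400 when a required client certificate is not presented.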

Comment 3 Jarle Bjørgeengen 2015-08-11 12:22:39 UTC
So it seems that the reason is indeed that the ping_registry() in ../auth/auth.py tries to access the registry without providing the client certificates in /etc/docker/certs.d, hence it fails.

When commenting out the ping check I bang my head against the next error:

==========================================
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1439293825.39-44102419682611/docker", line 3132, in <module>
    main()
  File "/root/.ansible/tmp/ansible-tmp-1439293825.39-44102419682611/docker", line 1494, in main
    started(manager, containers, count, name)
  File "/root/.ansible/tmp/ansible-tmp-1439293825.39-44102419682611/docker", line 1354, in started
    created = manager.create_containers(delta)
  File "/root/.ansible/tmp/ansible-tmp-1439293825.39-44102419682611/docker", line 1227, in create_containers
    containers = do_create(count, params)
  File "/root/.ansible/tmp/ansible-tmp-1439293825.39-44102419682611/docker", line 1217, in do_create
    result = self.client.create_container(**params)
  File "/usr/lib/python2.7/site-packages/docker/client.py", line 237, in create_container
    volume_driver
  File "/usr/lib/python2.7/site-packages/docker/utils/utils.py", line 546, in create_container_config
    'mem_limit has been moved to host_config in API version 1.19'
docker.errors.InvalidVersion: mem_limit has been moved to host_config in API version 1.19
====================================

This seems to be https://github.com/ansible/ansible-modules-core/issues/1707, which in turn is triggered by the upstream change https://github.com/docker/docker-py/pull/644

Sigh... 

Is it possible to roll back the version of docker-py to one closer to what was in EPEL until compatibility problems are sorted out? Another upshot is that

https://bugzilla.redhat.com/show_bug.cgi?id=1251392

also (at least for now) disappears.
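For comparison with the behaviour described in comment 3, this is what a registry ping that does present the client certificate looks like. It is an added example using only the Python 3 standard library, not docker-py's code or its fix. It assumes the Docker daemon's per-registry layout under /etc/docker/certs.d (`*.crt` files as CA roots, a `<name>.cert` / `<name>.key` client pair); all function names are hypothetical.

```python
import os
import ssl
import urllib.error
import urllib.request

CERTS_ROOT = "/etc/docker/certs.d"  # directory named in the report


def find_registry_certs(registry, certs_root=CERTS_ROOT):
    """Locate TLS files for `registry` ("host:port"); None if it has no directory.

    Assumed layout: <certs_root>/<host:port>/ holding *.crt CA roots and a
    <name>.cert / <name>.key client pair.
    """
    directory = os.path.join(certs_root, registry)
    if not os.path.isdir(directory):
        return None
    names = sorted(os.listdir(directory))
    cas = [os.path.join(directory, n) for n in names if n.endswith(".crt")]
    client = None
    for name in names:
        if name.endswith(".cert"):
            key = os.path.join(directory, name[:-len(".cert")] + ".key")
            if not os.path.isfile(key):
                raise ValueError("no private key next to " + name)
            client = client or (os.path.join(directory, name), key)  # first pair wins
    return {"ca": cas, "client": client}


def build_context(material):
    """TLS context that verifies the registry and presents the client pair."""
    ctx = ssl.create_default_context()
    for ca in material["ca"]:
        ctx.load_verify_locations(cafile=ca)
    if material["client"]:
        ctx.load_cert_chain(*material["client"])
    return ctx


def ping_registry(registry, certs_root=CERTS_ROOT, timeout=5):
    """GET /v1/_ping over TLS with the client certificate; returns the HTTP status."""
    material = find_registry_certs(registry, certs_root) or {"ca": [], "client": None}
    url = "https://%s/v1/_ping" % registry
    try:
        with urllib.request.urlopen(url, context=build_context(material), timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # the report's nginx log shows 400 for the failing client
```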

Comment 4 Jarle Bjørgeengen 2015-08-11 13:19:42 UTC
FYI: It works with:

yum remove docker-python
yum install python-pip
pip install docker.py==1.2.3

Comment 5 Daniel Walsh 2015-08-21 04:21:47 UTC
Lokesh, can you look into this?

Comment 9 Daniel Walsh 2016-02-22 19:31:07 UTC
Jon, update please.

Comment 10 Jhon Honce 2016-03-30 16:30:39 UTC
It appears the dependencies have all been corrected now.

Comment 13 Tomas Tomecek 2016-04-20 06:52:28 UTC
We have updated python-docker-py to "python-docker-py-1.7.2-1.el7". Can you please check if the update resolves your problem? I know there was a lot of upstream development related to connecting to a secure registry.

Comment 14 Tomas Tomecek 2017-10-10 11:04:31 UTC
I'm closing this one since it's more than 1 year old and I presume the issue is no longer present (we updated the package to latest upstream release of major version 1 -- 1.10.6). Please reopen if you run into the issue again.

