I am trying to add a running instance of MinIO to Airflow connections, I thought it should be as easy as this setup in the GUI (never mind the exposed credentials, this is a blocked of environment and will be changed afterwards):
Airflow as well as minio are running in docker containers, which both use the same docker network. Pressing the test button results in the following error:
'ClientError' error occurred while testing connection: An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
I am curious about what I am missing. The idea was to set up this connection and then use a bucket for data-aware scheduling (= I want to trigger a DAG as soon as someone uploads a file to the bucket)
I am also facing the problem that the endpoint URL refused connection. what I have done is the is actually running in the docker container so we should give docker host url
{
"aws_access_key_id":"your_minio_access_key",
"aws_secret_access_key": "your_minio_secret_key",
"host": "http://host.docker.internal:9000"
}
I am also facing this error in Airflow 2.5.0.
I've found workaround using boto3 library that already buit-in.
Firsty I created connection with parameters:
Connection Id: any label (Minio in my case)
Connection Type: Generic
Host: minio server ip and port
Login: Minio access key
Password: Minio secret key
And here's my code:
import boto3
from airflow.hooks.base import BaseHook
conn = BaseHook.get_connection('Minio')
s3 = boto3.resource('s3',
endpoint_url=conn.host,
aws_access_key_id=conn.login,
aws_secret_access_key=conn.password
)
s3client = s3.meta.client
#and then you can use boto3 methods for manipulating buckets and files
#for example:
bucket = s3.Bucket('test-bucket')
# Iterates through all the objects, doing the pagination for you. Each obj
# is an ObjectSummary, so it doesn't contain the body. You'll need to call
# get to get the whole body.
for obj in bucket.objects.all():
key = obj.key
Related
I'm getting an error details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain = iam.googleapis.com metadata = map[permission:logging.logEntries.create] when I check the logs of a deployed container in GCP. I'm not sure why this is happening since running the container in localhost seems to work fine.
The service is also deployed on the same host with another service but with a different port number, the other service seems to be working fine, although that didn't use any google API services.
The service having the error on GCP has a .env file with this content:
GOOGLE_APPLICATION_CREDENTIALS=json/name-of-json-file.json
With the json file being the service account keys file. The dockerfile looks like this:
# Specifies a parent image
FROM golang:1.19.2-bullseye
# Creates an app directory to hold your app’s source code
WORKDIR /app
# Copies everything from your root directory into /app
COPY . .
# Installs Go dependencies
RUN go mod download
# Builds your app with optional configuration
RUN go build -o /logging-go
# Tells Docker which network port your container listens on
EXPOSE 8040
# Specifies the executable command that runs when the container starts
CMD [ "/logging-go" ]
The service is making use of the google logging API and is accessed through this snipper of code:
c, cErr := Load(".env")
if cErr != nil {
log.Fatalf("could not load config: %s", cErr)
return
}
// initializes logger which writes to stdout
ctx := context.Background()
opt := option.WithCredentialsFile(c.GoogleApplicationCredentials);
loggerClient, clientErr := logging.NewClient(ctx, "poc-projects-01", opt)
if clientErr != nil {
log.Fatal(clientErr)
}
if clientErr := loggerClient.Ping(ctx); clientErr != nil {
log.Fatal(clientErr)
}
logger := loggerClient.Logger("frontend_logs")
It works fine on my localhost when running it through docker, but it doesn't work on GCP. Any ideas on how I can fix this?
error details: name = ErrorInfo reason = IAM_PERMISSION_DENIED domain
= iam.googleapis.com metadata = map[permission:logging.logEntries.create]
Above error means you have a permissions issue when trying to access the Google Logging API from your deployed container. This could occur if the service account key you are using does not have the correct permissions to access the API, or if the service account key has not been properly configured.
To ensure that the service account key has the correct permissions, you should check the IAM roles associated with the service account and make sure that the roles have the correct permissions to access the Google Logging API, check whether do you have ‘logging.logEntries.create’ role assigned to your service account.
Attaching troubleshooting document for reference.
I am using maxmind GeoLite2 binary database for geolocation services and I want to update this periodically.
It works fine on updating through geoipupdate program installed via brew.
However Maxmind provides a docker image to update db periodically.
When I try to run docker command below,
docker run --env-file IdeaProjects/ip-geolocation-service/src/main/resources/application.properties -v /Users/me/GeoIp maxmindinc/geoipupdate
With the environment file refers to application.properties,
GEOIPUPDATE_ACCOUNT_ID=12345
GEOIPUPDATE_LICENSE_KEY=aaaaaaaaaa
GEOIPUPDATE_EDITION_IDS=GeoIP2-Country
I gets the following error:
# STATE: Creating configuration file at /etc/GeoIP.conf
# STATE: Running geoipupdate
error retrieving updates: error while getting database for GeoIP2-Country: unexpected HTTP status code: received HTTP status code: 403: Invalid product ID or subscription expired for GeoIP2-Country
Since my credentials is working on manual trigger, I wonder why it has not working on docker run? Any idea for spotting problem or anyone has faced with it?
You write that you want to use the free GeoLite2 database but the ID you use looks like the commercial/paid one. Try the following instead:
GEOIPUPDATE_EDITION_IDS=GeoLite2-Country
Source: https://github.com/maxmind/geoipupdate/blob/main/doc/docker.md
VSCode Version:
1.62.2
Local OS Version:
Windows 10.0.18363
Reproduces in: Remote - Containers
Name of Dev Container Definition with Issue:
/vscode/devcontainers/typescript-node
In our company we use a proxy which terminates the SSL connections. When I now try to start any devcontainer (the workspace is in the WSL2 filesystem), I get the following error message:
Installing VS Code Server for commit 3a6960b964327f0e3882ce18fcebd07ed191b316
[2021-11-12T17:01:44.400Z] Start: Downloading VS Code Server
[2021-11-12T17:01:44.400Z] 3a6960b964327f0e3882ce18fcebd07ed191b316 linux-x64 stable
[2021-11-12T17:01:44.481Z] Stop (81 ms): Downloading VS Code Server
[2021-11-12T17:01:44.499Z] Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1497:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:932:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:706:12)
In the dockerfile I copy the company certificates and update them:
ADD ./certs /usr/local/share/ca-certificates
RUN update-ca-certificates 2>/dev/null
The proxy environment variables are also set correctly. Out of desperation I also tried to disable the certificate check for wget:
RUN su node -c "echo check_certificate=off >> ~/.wgetrc"
Even in the devcontainer configuration I have disabled the proxy and the security check for VS code via the settings:
// Set *default* container specific settings.json values on container create.
"settings": {
"http.proxy": "http://<proxy.url>:8080",
"http.proxyStrictSSL": false
},
I have tried many other things, like setting NODE_TLS_REJECT_UNAUTHORIZED=0 as env variable inside the dockerfile, unfortunately without any success. Outside the company network, without the proxy, it works wonderfully.
Maybe one of you has an idea how I can solve this problem?
A working if not so nice solution to the problem is to add HTTPS exceptions for the following domains:
https://update.code.visualstudio.com
https://az764295.vo.msecnd.net
A list of common hostnames can be found here:
https://code.visualstudio.com/docs/setup/network
I'm trying to retrieve the actual region where the instance running the ECS task in a container is. The container runs a python script which first task is to get the region so that I can use boto3 methods like sqs.get_queue_by_name() which need a region to be set. To do that, I try to get the region with
meta = requests.get('http://169.254.169.254/latest/dynamic/instance-identity/document', timeout=1).json()
os.environ["AWS_DEFAULT_REGION"] = meta.get("region")
but I got a connection error.
When I build my stack by hand, there is no issue, but when the stack is deployed by CDK (the the same security groups, roles etc), I got the error
requests.exceptions.ConnectionError: HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /latest/dynamic/instance-identity/document (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fe3d62491f0>: Failed to establish a new connection: [Errno 22] Invalid argument'))
I can see two different avenues to solve this issue:
Set the environment variable 'AWS_DEFAULT_REGION' when deploying with CDK, but with
taskDefinition.addContainer('DSPTContainer', {
image: ecrImage,
memoryLimitMiB: 30000,
environment: {
AWS_DEFAULT_REGION: props.env?.region
})
there is an issue with Property 'AWS_DEFAULT_REGION' is incompatible with index signature.
Modifying the task role (but how) or something else (like the security group) to allow the connection. Note that within the instance, I am able to establish the connection....
[EDIT]
Inside the container (I can log into container when instance is running), I can ping say google.com but not the instance metadata URI:
import requests
requests.get("https://www.google.com", timeout=1) ---> Response200
requests.get("http://169.254.169.254/latest/meta-data/", timeout=1) ---> ConnectTimeout Exception
[SOLUTION]
Issue linked to duplicate?
I am new to docker, influx grafana etc. I got grafana and influxdb running, but seems to be unable to connect telegraf to influxdb. I followed many guides, but I am missing something.
I created a Telegraf conf file on E:\docker\containers\telegraf and try to use it with:
docker run -v e:/docker/containers/telegraf/:/etc/telegraf/telegraf:ro telegraf
But I keep getting the following error:
2017/05/13 20:32:39 I! Using config file: /etc/telegraf/telegraf.conf
2017-05-13T20:32:39Z E! Database creation failed: Post
http://localhost:8086/query?db=&q=CREATE+DATABASE+%22telegraf%22: dial tcp
[::1]:8086:
getsockopt: connection refused
I have this in the influxdb output part of the conf file:
[[outputs.influxdb]]
# urls = ["udp://localhost:8089"] # UDP endpoint example
urls = ["http://10.0.75.1:8086"] # required
database = "telegraf" # required
retention_policy = ""
write_consistency = "any"
timeout = "5s"
#username = "telegraf"
#password = "telegraf"
If you look ad the urls, it does not seem to read the conf file. I just keeps trying to connect to localhost. (localhost:8083 and 10.0.75.1:8083 both open the influxdb webpage)
This sounds like the mapping and / or E drive is now allowed to be mapped in Docker for Windows.
First, your mapping doesn't appear correct. If you have a file of telegraf.conf at e:/docker/containers/telegraf/ then your current mapping will end up with the file at /etc/telegraf/telegraf/telegraf.conf which is one extra telegraf folder deep. The error states it is looking for /etc/telegraf/telegraf.conf. In this case, it is likely using a default telegraf.conf.
Next, I believe the Docker on Windows doesn't allow mapping of drives other than C by default. Check the shared drive settings to make sure that E is allowed to be mapped (an article I found that shows this is at https://rominirani.com/docker-on-windows-mounting-host-directories-d96f3f056a2c).
After fixing both of these errors, if it still persists, I would get into the container with docker exec and confirm that the /etc/telegraf/telegraf.conf file does appear to have the contents that it should.