Suppose I am on a network where there is a MITM SSL-swapping firewall (google.com is not issued by Google, but reissued by a custom CA root authority); some more details here: https://security.stackexchange.com/questions/107542/is-it-common-practice-for-companies-to-mitm-https-traffic
I have a simple Dockerfile:
FROM alpine:latest
RUN apk --no-cache add curl
It fails badly with SSL errors:
=> ERROR [2/2] RUN apk --no-cache add curl 1.0s
------
> [2/2] RUN apk --no-cache add curl:
#5 0.265 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.647 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.649 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.649 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.938 140037857143624:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.940 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.941 ERROR: unable to select packages:
#5 0.942 curl (no such package):
#5 0.942 required by: world[curl]
------
executor failed running [/bin/sh -c apk --no-cache add curl]: exit code: 1
Every tutorial on the Internet says that I can add my own "trusted" root certificate and run update-ca-certificates.
But it can be added by "apk add" only. This situation seems to me a "chicken-and-egg" problem.
FROM alpine:latest
USER root
RUN apk --no-cache add ca-certificates \
&& update-ca-certificates
The error is similar:
=> ERROR [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates 1.0s
------
> [2/2] RUN apk --no-cache add ca-certificates && update-ca-certificates:
#5 0.269 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
#5 0.662 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.663 fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
#5 0.663 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
#5 0.929 140490932583240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
#5 0.931 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
#5 0.932 ERROR: unable to select packages:
#5 0.933 ca-certificates (no such package):
#5 0.933 required by: world[ca-certificates]
------
executor failed running [/bin/sh -c apk --no-cache add ca-certificates && update-ca-certificates]: exit code: 1
Is there some other solution for how to install the update-ca-certificates tool? Or am I missing something?
Thx
See #kthompso's answer for a working solution.
Working solution (with the update-ca-certificates command) based on #kthompso's answer and info from "unable to add certificates to alpine linux container":
FROM alpine:latest
USER root
# To be able to download `ca-certificates` with `apk add` command
COPY my-root-ca.crt /root/my-root-ca.crt
RUN cat /root/my-root-ca.crt >> /etc/ssl/certs/ca-certificates.crt
# Add again root CA with `update-ca-certificates` tool
RUN apk --no-cache add ca-certificates \
&& rm -rf /var/cache/apk/*
COPY my-root-ca.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
RUN apk --no-cache add curl
Edit: One solution I have in mind is to use the curl Docker image with the -k option and download the .apk with those certificates and tools, install it as a local file, add my root CA certificate and run update-ca-certificates. It sounds super crazy, so I think there has to be a better solution :)
Append your self-signed cert to /etc/ssl/certs/ca-certificates.crt manually.
Assuming you have the self-signed certificate in a file in your build directory called my-cert.pem:
FROM alpine:latest
COPY my-cert.pem /usr/local/share/ca-certificates/my-cert.crt
RUN cat /usr/local/share/ca-certificates/my-cert.crt >> /etc/ssl/certs/ca-certificates.crt && \
apk --no-cache add \
curl
Note: When you're using update-ca-certificates, you need to place your cert file into /usr/local/share/ca-certificates/ first. Otherwise it will be removed from /etc/ssl/certs/ca-certificates.crt the first time you run update-ca-certificates.
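A build-time check for the two recipes above (the manual append that bootstraps apk, and the update-ca-certificates caveat): an added POSIX shell example, not code from either answer, that verifies a root CA is really present in the bundle by comparing its base64 body rather than trusting that the append or update step kept it. The file names under a temporary directory and the certificate bodies are constructed sample data, not real certificates.

```shell
#!/bin/sh
# pem_body FILE: print the base64 body of the first certificate in FILE,
# with all whitespace removed, so different line wrapping compares equal.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { inblock = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         inblock { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"
}

# bundle_has_cert BUNDLE CERT: return 0 if BUNDLE contains the certificate in
# CERT (matched by its base64/DER body, not by text position), 1 if it does
# not, and 2 if CERT holds no PEM certificate at all.
bundle_has_cert() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { inblock = 0; if (body == want) found = 1; next }
        inblock { gsub(/[ \t\r]/, ""); body = body $0 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Constructed sample data (not real certificates): the "corporate root CA",
# a bundle carrying an unrelated cert plus that CA re-wrapped at a different
# line width, and a bundle as update-ca-certificates leaves it when the CA was
# only appended by hand instead of placed in /usr/local/share/ca-certificates/.
tmp=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' '-----END CERTIFICATE-----' > "$tmp/my-root-ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'b3RoZXItY2VydA==' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0hJSktM' 'TU5PUFFSU1RVVldYWVo=' \
    '-----END CERTIFICATE-----' > "$tmp/bundle-with-ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'b3RoZXItY2VydA==' '-----END CERTIFICATE-----' \
    > "$tmp/bundle-after-update.crt"

# In a Dockerfile the equivalent step would be, for example:
#   RUN bundle_has_cert /etc/ssl/certs/ca-certificates.crt \
#       /usr/local/share/ca-certificates/my-cert.crt || exit 1
if bundle_has_cert "$tmp/bundle-with-ca.crt" "$tmp/my-root-ca.crt"; then
    echo "root CA present in bundle"
fi
if ! bundle_has_cert "$tmp/bundle-after-update.crt" "$tmp/my-root-ca.crt"; then
    echo "root CA missing: it was dropped, re-add it via update-ca-certificates"
fi
```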
I am trying to build my project from a Dockerfile. It suddenly stopped working.
I am trying to use an Alpine Docker image to put my project in and live in it.
FROM renokico/laravel-base:octane-latest-php8.0-alpine
COPY ./extra_files/JSON.php ./vendor/siftscience/sift-php/lib/Services_JSON-1.0.3/
COPY ./extra_files/DBSCAN.php ./vendor/php-ai/php-ml/src/Phpml/Clustering/
COPY ./extra_files/File.php ./vendor/kount/kount-ris-php-sdk/src/Kount/SimpleLogger/
COPY . /var/www/html
RUN apk add --update --no-cache libpq
RUN apk add --no-cache --virtual .build-deps
RUN apk add $PHPIZE_DEPS
RUN apk add postgresql-dev
RUN apk add g++ && \
docker-php-ext-install pdo_pgsql pgsql && \
apk del .build-deps
What could be causing the error below?
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.12/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.2c4ac24e.tar.gz: No such file or directory
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.12/community: temporary error (try again later)
WARNING: Ignoring APKINDEX.40a3604f.tar.gz: No such file or directory
ERROR: unsatisfiable constraints:
dpkg (missing):
required by: world[dpkg]
dpkg-dev (missing):
required by: world[dpkg-dev]
re2c (missing):
required by: world[re2c]
The command '/bin/sh -c apk add $PHPIZE_DEPS' returned a non-zero code: 3
Pretty new to Docker; trying to get a base layer set up on Docker, though it gives me these errors:
It's noting that the repository is failing; how do I set that repository?
I don't think it's an AWS issue, as I have been able to see the AWS push in CloudFormation.
$./generate_base_layer.sh
Error: No such container: layer-container
[+] Building 27.7s (6/13)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 551B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/amazonlinux:2 0.9s
=> [auth] library/amazonlinux:pull token for registry-1.docker.io 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 37B 0.0s
=> [2/8] RUN yum install -y python37 && yum install -y python3-pip && yum install -y 26.7s
=> => # Loaded plugins: ovl, priorities
> [2/8] RUN yum install -y python37 && yum install -y python3-pip && yum install -y zip && yum clean all:
#6 0.369 Loaded plugins: ovl, priorities
#6 36.47
#6 36.47
#6 36.47 One of the configured repositories failed (Unknown),
#6 36.47 and yum doesn't have enough cached data to continue. At this point the only
#6 36.47 safe thing yum can do is fail. There are a few ways to work "fix" this:
#6 36.47
#6 36.47 1. Contact the upstream for the repository and get them to fix the problem.
#6 36.47
#6 36.47 2. Reconfigure the baseurl/etc. for the repository, to point to a working
#6 36.47 upstream. This is most often useful if you are using a newer
#6 36.47 distribution release than is supported by the repository (and the
#6 36.47 packages for the previous distribution release still work).
#6 36.47
#6 36.47 3. Run the command with the repository temporarily disabled
#6 36.47 yum --disablerepo=<repoid> ...
#6 36.47
#6 36.47 4. Disable the repository permanently, so yum won't use it by default. Yum
#6 36.47 will then just ignore the repository until you permanently enable it
#6 36.47 again or use --enablerepo for temporary usage:
#6 36.47
#6 36.47 yum-config-manager --disable <repoid>
#6 36.47 or
#6 36.47 subscription-manager repos --disable=<repoid>
#6 36.47
#6 36.47 5. Configure the failing repository to be skipped, if it is unavailable.
#6 36.47 Note that yum will try to contact the repo. when it runs most commands,
#6 36.47 so will have to try and fail each time (and thus. yum will be be much
#6 36.47 slower). If it is a very temporary problem though, this is often a nice
#6 36.47 compromise:
#6 36.47
#6 36.47 yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true
#6 36.47
#6 36.47 Cannot find a valid baseurl for repo: amzn2-core/2/aarch64
#6 36.47 Could not retrieve mirrorlist http://amazonlinux.default.amazonaws.com/2/core/latest/aarch64/mirror.list error was
#6 36.47 12: Timeout on http://amazonlinux.default.amazonaws.com/2/core/latest/aarch64/mirror.list: (28, 'Failed to connect to amazonlinux.default.amazonaws.com port 80 after 4723 ms: Connection timed out')
------
executor failed running [/bin/sh -c yum install -y python37 && yum install -y python3-pip && yum install -y zip && yum clean all]: exit code: 1
Unable to find image 'base-layer:latest' locally
docker: Error response from daemon: pull access denied for base-layer, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
Error: No such container:path: layer-container:layer.zip
I've already logged into Docker and tried it with docker build -t...; same issue.
Dockerfile:
FROM amazonlinux:2
# Install Python
RUN yum install -y python37 && \
yum install -y python3-pip && \
yum install -y zip && \
yum clean all
# Set up PIP and Venv
RUN python3.7 -m pip install --upgrade pip && \
python3.7 -m pip install virtualenv
RUN python3.7 -m venv base
RUN source base/bin/activate
# Install dependencies
COPY ./requirements.txt .
RUN pip install -r requirements.txt -t ./python
# Zip it up for deployment.
RUN zip -r layer.zip ./python/
ENTRYPOINT ["/bin/bash", "-l"]
generate_base.. file:
# Generates a base layer for the Lambda functions.
# Remove the container first (if it exists).
docker rm layer-container
# Build the base layer.
docker build -t base-layer .
# Rename it to layer-container.
docker run --name layer-container base-layer
# Copy the generated zip artifact so our CDK can use it.
docker cp layer-container:layer.zip . && echo "Created layer.zip with updated base layer."
When running the Dockerfile, this line failed:
RUN apt-get update && apt-get install -y wget && apt-get install -y gnupg2 && wget -qO- https://deb.nodesource.com/setup_14.x | bash - && apt-get install -y build-essential nodejs
failed to solve with frontend dockerfile.v0: failed to build LLB: failed to load cache key: pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
I just had the issue, and in my case the problem was with a multistage build: I forgot to include "as <stage_name>" in my first stage in the Dockerfile.
So as the first line I had
FROM maven:3.6.3-jdk-11-slim#latest
But I should have had
FROM maven:3.6.3-jdk-11-slim#latest as build
instead, since I was referencing build in the next stage.
I had this issue too. In my case, the image name was out of format.
This is wrong:
FROM debian:latest as imageBaseFromAnyThing
...
FROM imageBaseFromAnyThing as imageBaseFromAnyThingApp
...
or this
FROM debian:latest as image-base-from-any-thing
...
FROM image-base-from-any-thing as image-base-from-any-thing-app
...
Try to keep it simple, like:
FROM debian:latest as image
...
FROM image as app
I'm trying out Spark on Kubernetes. I just downloaded Spark 2.4.3 on an EC2 instance in my VPC. I have set up my proxy in /etc/sysconfig/docker and am able to import and run Docker images from Docker Hub.
Command: bin/docker-image-tool.sh -t k8s-spark-2.4.3 build
Sending build context to Docker daemon 261.4MB
Step 1/15 : FROM openjdk:8-alpine
---> a3562aa0b991
Step 2/15 : ARG spark_jars=jars
---> Using cache
---> 2f9744e85911
Step 3/15 : ARG img_path=kubernetes/dockerfiles
---> Using cache
---> ba02760dc2df
Step 4/15 : ARG k8s_tests=kubernetes/tests
---> Using cache
---> a630900ca584
Step 5/15 : RUN set -ex && apk upgrade --no-cache && apk add --no-cache bash tini libc6-compat linux-pam nss && mkdir -p /opt/spark && mkdir -p /opt/spark/work-dir && touch /opt/spark/RELEASE && rm /bin/sh && ln -sv /bin/bash /bin/sh && echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && chgrp root /etc/passwd && chmod ug+rw /etc/passwd
---> Running in 6b2fe7f7fcc6
+ apk upgrade --no-cache
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
+ apk add --no-cache bash tini libc6-compat linux-pam nss
OK: 103 MiB in 54 packages
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
fetch http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.9/community/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
bash (missing):
required by: world[bash]
libc6-compat (missing):
required by: world[libc6-compat]
linux-pam (missing):
required by: world[linux-pam]
tini (missing):
required by: world[tini]
ERROR: unsatisfiable constraints:
The command '/bin/sh -c set -ex && apk upgrade --no-cache && apk add --no-cache bash tini libc6-compat linux-pam nss && mkdir -p /opt/spark && mkdir -p /opt/spark/work-dir && touch /opt/spark/RELEASE && rm /bin/sh && ln -sv /bin/bash /bin/sh && echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su && chgrp root /etc/passwd && chmod ug+rw /etc/passwd' returned a non-zero code: 4
Sending build context to Docker daemon 261.4MB
Step 1/9 : ARG base_img
Step 2/9 : FROM $base_img
pull access denied for spark, repository does not exist or may require 'docker login'
Any idea how to fix this?
I tried running this after 'docker login' as well. The result is the same.
Seems like your EC2 instance has no connection to the internet:
WARNING: Ignoring http://dl-cdn.alpinelinux.org/alpine/v3.9/main/x86_64/APKINDEX.tar.gz: network error (check Internet connection and firewall)
I had this exact same problem from within an Ubuntu 16.04 VM running on my laptop.
I was able to download the packages with curl and to visit the alpine repository directories using a web browser, so I know the issue was not the network connection.
Believe it or not, the solution was to restart the docker service running within the VM.
I found this as a suggested solution when searching for one of the alpine package loading errors and it worked!
My Dockerfile:
FROM python:3.7-alpine
ADD requirements.txt /code/requirements.txt
RUN apk --no-cache add --virtual build-dependencies \
build-base \
py-mysqldb \
gcc \
libc-dev \
libffi-dev \
mariadb-dev \
&& pip install -r /code/requirements.txt \
&& rm -rf .cache/pip \
&& apk del build-dependencies
RUN apk -q --no-cache add mariadb-client-libs
COPY . /code
...
I am able to build the image locally.
But when Google Cloud Build tries to build the image I get the following error:
...
(28/28) Purging python2 (2.7.15-r0)
Executing busybox-1.28.4-r0.trigger
OK: 17 MiB in 34 packages
Removing intermediate container bc1fb0b1da92
---> bf2c564de5a5
Step 4/7 : RUN apk -q --no-cache add mariadb-client-libs
---> Running in 9c4fcad1f632
ERROR: unsatisfiable constraints:
**mariadb-client-libs (missing):**
required by: world[mariadb-client-libs]
The command '**/bin/sh -c apk -q --no-cache add mariadb-client-libs**' returned a non-zero code: 1
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: exit status 1
A quick search online suggested that the repo could be offline, but I doubt that's the case. It seems Google Cloud build is blocking the access to the repo. Anyone else run into this issue? Any pointers on how to fix this?
On #helado's suggestion, I'm posting my comment from above as the answer:
#helado: I hesitated to post this as the answer as it's a solution that bypasses the problem. But I think the more important point is that an issue like this shouldn't stop folks from making progress :)
---- Copy pasted comment from above ----
It works for me when I try to build it locally, but fails on Google Cloud. Also, it's not the correct way to solve the problem, but I switched my dependency from mariadb-client-libs to py-mysqldb and all is working now. Just in case it helps you :)