This repository has been archived by the owner on Oct 30, 2018. It is now read-only.

docker module can't autodetect use_tls=no from environment variables #946

Closed
lorin opened this issue Mar 14, 2015 · 3 comments

lorin commented Mar 14, 2015

If boot2docker is configured with TLS disabled, with environment variables like this:

export DOCKER_HOST=tcp://192.168.59.103:2375
unset DOCKER_CERT_PATH
unset DOCKER_TLS_VERIFY

Then invoking the docker module, for example like this:

  - name: start nginx
    docker: image=nginx ports=80:80

will cause Ansible to error out:

TASK: [start nginx] *********************************************************
failed: [localhost] => {"failed": true, "parsed": false}
Traceback (most recent call last):
  File "/Users/lorinhochstein/.ansible/tmp/ansible-tmp-1426369649.06-38564241422715/docker", line 3101, in <module>
    main()
  File "/Users/lorinhochstein/.ansible/tmp/ansible-tmp-1426369649.06-38564241422715/docker", line 1446, in main
    manager = DockerManager(module)
  File "/Users/lorinhochstein/.ansible/tmp/ansible-tmp-1426369649.06-38564241422715/docker", line 623, in __init__
    tls=tls_config)
  File "/Library/Python/2.7/site-packages/docker/client.py", line 50, in __init__
    'If using TLS, the base_url argument must begin with '
docker.errors.TLSParameterError: If using TLS, the base_url argument must begin with "https://".. TLS configurations should map the Docker CLI client configurations. See http://docs.docker.com/examples/https/ for API details.

If use_tls is explicitly disabled, then it works:

  - name: start nginx
    docker: image=nginx ports=80:80 use_tls=no

It would be helpful if the Ansible module could detect whether TLS was enabled from the environment variables. When configured from environment variables, Docker checks if the DOCKER_TLS_VERIFY environment variable is set to determine whether to use TLS.

@lorin changed the title from "docker module can't autodetect no_tls from environment variables" to "docker module can't autodetect use_tls=no from environment variables" on Mar 14, 2015

abadger commented Mar 15, 2015

CC: @smashwilson @dguerri

I whipped this off to address the same traceback revealed in a different bug. It may address or half address this issue: #947 by making the default if use_tls is unspecified and no tls options are found in the playbook task or the environment be to not use tls. If you could give it a try and see if it solves this without breaking your other cases, I'd appreciate the testing.

Trying to figure out if we want to do something with DOCKER_TLS_VERIFY as well. If my pull request above does what I hope it does then DOCKER_TLS_VERIFY would only serve as an additional way to turn tls_verify on. The default if no tls params or environment variables were set would be to be off. I suppose that since we're already utilizing the other DOCKER_* env variables, that this one might be okay as well.... What are the possible values that it can have? Either it is set or not set? So we can do something like:

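import os

# `module` is the AnsibleModule instance; its task arguments live in module.params
use_tls = module.params.get('use_tls')
if use_tls is None:
    # Treat DOCKER_TLS_VERIFY as a set / not-set flag
    if os.environ.get('DOCKER_TLS_VERIFY', None) is not None:
        use_tls = 'verify'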

One note about this -- I believe that docker independently toggles whether verification also checks the hostname vs just verifying the validity of the certificate. We take a different strategy: allowing you to specify the hostname that the certificate should have. If we start checking the value of DOCKER_TLS_VERIFY to enable tls you may also have to specify tls_hostname in the playbook tasks or set the new environment variable DOCKER_TLS_HOSTNAME.


lorin commented Mar 16, 2015

> What are the possible values that it can have? Either it is set or not set?

@abadger The docker command-line client just checks if DOCKER_TLS_VERIFY is set to a non-empty string: https://github.com/docker/docker/blob/ed435fb458d71757e561ee267e0954f17c06559c/docker/flags.go#L16
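
The resolution order discussed in this thread, written out as an added example; it is not the Ansible module's own code. The `docker_url` key, the socket default, the warning texts and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def resolve_docker_connection(params, environ):
    """Decide how to reach the Docker daemon for one task.

    params  -- task arguments; 'docker_url' is an assumed key name,
               'use_tls' and 'tls_hostname' are named in the thread
    environ -- environment mapping, e.g. os.environ
    """
    warnings = []
    base_url = (params.get('docker_url') or environ.get('DOCKER_HOST')
                or 'unix://var/run/docker.sock')  # assumed default

    use_tls = params.get('use_tls')          # explicit task setting wins
    if use_tls is None:
        # Docker CLI rule cited in the thread: TLS verification is on only
        # when DOCKER_TLS_VERIFY is a NON-EMPTY string. An `is not None`
        # test would wrongly enable TLS for `export DOCKER_TLS_VERIFY=`.
        use_tls = 'verify' if environ.get('DOCKER_TLS_VERIFY', '') else 'no'

    hostname = params.get('tls_hostname') or environ.get('DOCKER_TLS_HOSTNAME')
    parts = urlsplit(base_url)
    if use_tls == 'no':
        if parts.scheme in ('tcp', 'http'):
            # Surface the fallback instead of silently using cleartext.
            warnings.append('plaintext Docker API at %s: no encryption, '
                            'no client authentication' % parts.netloc)
    else:
        if parts.scheme == 'tcp':
            # docker-py rejected non-https URLs with TLS (see the traceback).
            base_url = 'https://' + parts.netloc
        if use_tls == 'verify' and not hostname:
            warnings.append('use_tls=verify without tls_hostname or '
                            'DOCKER_TLS_HOSTNAME')
    return {'base_url': base_url, 'use_tls': use_tls,
            'tls_hostname': hostname, 'warnings': warnings}


# Constructed sample environments (address taken from the issue text).
HOST = 'tcp://192.168.59.103:2375'
TLS_OFF = {'DOCKER_HOST': HOST}
TLS_EMPTY = {'DOCKER_HOST': HOST, 'DOCKER_TLS_VERIFY': ''}
TLS_ON = {'DOCKER_HOST': HOST, 'DOCKER_TLS_VERIFY': '1',
          'DOCKER_TLS_HOSTNAME': 'boot2docker'}

if __name__ == '__main__':
    for env in (TLS_OFF, TLS_EMPTY, TLS_ON):
        print(resolve_docker_connection({}, env))
```

The `TLS_EMPTY` case is the one where a set/unset test and the Docker CLI's non-empty test disagree.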


abadger commented Mar 16, 2015

Okay, DOCKER_TLS_VERIFY should now be used to set use_tls to verify: 34c4e0d

Closing This Ticket

Hi!

We believe recent commits (likely detailed above) should resolve this question or problem for you.

This will also be included in the next major release.

If you continue seeing any problems related to this issue, or if you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:

Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved.

Thank you!
