Excon::Errors::SocketError: end of file reached (EOFError) #202

Closed
gregory opened this Issue Oct 16, 2014 · 13 comments

gregory commented Oct 16, 2014

$docker version =>
Client version: 1.3.0
Client API version: 1.15
Go version (client): go1.3.3
Git commit (client): c78088f
OS/Arch (client): darwin/amd64
Server version: 1.3.0
Server API version: 1.15
Go version (server): go1.3.3
Git commit (server): c78088f
lib = File.expand_path('lib', __FILE__); $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib); require 'docker';
Docker.version =>
#Excon::Errors::SocketError: end of file reached (EOFError)
#from ~/.rbenv/versions/2.0.0-p576/lib/ruby/gems/2.0.0/gems/excon-0.40.0/lib/excon/socket.rb:92:in `readline'

tlunter Oct 20, 2014

Member

This could be due to an API update. Right now the latest docker-api works for 1.12, specified here. We may have to vet the new API version and see what's changed.

neckhair Oct 25, 2014

I think the relevant change is described in the Docker API Docs:

If the Docker daemon is set to use an encrypted TCP socket (--tls, or --tlsverify) as with Boot2Docker 1.3.0, then you need to add extra parameters to curl when making test API requests: curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json

Excon should somehow use the certificates in ~/.docker/. Although mine were in ~/.boot2docker/certs/boot2docker-vm as indicated by boot2docker shellinit.

Edit: Excon is able to handle certificates: https://github.com/excon/excon#https-client-certificate. I'll give that a try.

neckhair Oct 25, 2014

Got it running on boot2docker:

Set the url scheme of DOCKER_HOST to https:

DOCKER_HOST=https://boot2docker:2376

Then set the following options:

cert_path = File.expand_path ENV['DOCKER_CERT_PATH']
Docker.options = {
  client_cert: File.join(cert_path, 'cert.pem'),
  client_key: File.join(cert_path, 'key.pem')
}

Excon.defaults[:ssl_ca_file] = File.join(cert_path, 'ca.pem')

DOCKER_CERT_PATH was set by running $(boot2docker shellinit) and is ~/.boot2docker/certs/boot2docker-vm

stevenjack Oct 25, 2014

I've run into this issue as well. I tried setting the following when the options are passed to the Excon resource in connection.rb:

{
  :client_cert => '/Users/stevenjack/.docker/boot2docker-vm/cert.pem',
  :client_key => '/Users/stevenjack/.docker/boot2docker-vm/key.pem',
  :ssl_ca_file => '/Users/stevenjack/.docker/boot2docker-vm/ca.pem',
  :ssl_verify_peer => false
}

but still getting the end of file reached (EOFError) error. I thought it might be something to do with the POODLE exploit (I expect SSLv3 is turned off in the latest release of the remote docker api), so I tried setting the SSL versions to just TLS 1/2:

{
  :client_cert => '/Users/stevenjack/.docker/boot2docker-vm/cert.pem',
  :client_key => '/Users/stevenjack/.docker/boot2docker-vm/key.pem',
  :ssl_ca_file => '/Users/stevenjack/.docker/boot2docker-vm/ca.pem', 
  :ssl_verify_peer => false,
  :ssl_versions => :TLSv1_2
}

but still getting the issue.. @neckhair did you have any luck?

stevenjack Oct 25, 2014

@neckhair Ah I hadn't refreshed the page so I didn't see you'd got it working, awesome!

stevenjack Oct 25, 2014

@neckhair it works for me too, but if you set the DOCKER_HOST to:

DOCKER_HOST=https://boot2docker:2376

then the standard docker daemon doesn't work:

2014/10/25 18:23:35 Invalid bind address protocol: https://192.168.59.103:2376

Need to think of the best way around this..

tlunter Oct 25, 2014

Member

If you guys have a working certificate-based setup, can I ask one of you to provide some documentation that we can put in the README? Specifically about which options are needed to pass to Excon. Undoubtedly people are going to be looking for this and if we can provide the right set of options for Excon, I'm sure it'll help a lot!

neckhair Oct 26, 2014

Basically it works with my settings from above. You can pass in the DOCKER_HOST variable for your process only. For example start Rails with a command like that:

DOCKER_HOST=https://boot2docker:2376 bundle exec rails server

I know that's not very useful in all cases. Isn't there a way to get Excon working with a "tcp://" URL?

neckhair Oct 31, 2014

It works now. In my Rails app I've got the following initializer (config/initializers/docker.rb):

cert_path = File.expand_path ENV['DOCKER_CERT_PATH']

Docker.options = {
  client_cert: File.join(cert_path, 'cert.pem'),
  client_key: File.join(cert_path, 'key.pem'),
  ssl_ca_file: File.join(cert_path, 'ca.pem'),
  scheme: 'https' # This is important when the URL starts with tcp://
}

That works with

$  echo $DOCKER_HOST
tcp://192.168.59.103:2376


stevenjack Nov 2, 2014

@neckhair perfect! That makes much more sense

joelmoss Nov 27, 2014

I have this set, but getting this error:

Excon::Errors::SocketError: Unable to verify certificate, please set `Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).

alhafoudh Dec 4, 2014

@joelmoss: That is because the certificates that you use (and also boot2docker uses) are not signed by a trusted CA. You can fix it by placing Excon.defaults[:ssl_verify_peer] = false somewhere while you develop your app.
In production you should get your certificates signed by some trusted CA.
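
Added example, not part of the thread and not code from docker-api or Excon: the "Unable to verify certificate" failure and the `ssl_ca_file` setting from the earlier comments, reproduced with Ruby's OpenSSL library alone. The CA and server certificate are constructed stand-ins for boot2docker's ca.pem and server certificate; the check shows that a certificate from a private CA verifies once that CA is in the trust store, with peer verification left on.

```ruby
require 'openssl'

# Build a certificate for a constructed test PKI (self-signed when no issuer is given).
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `cert` against a trust store that holds only `trusted_cas`.
# Returns [verified?, OpenSSL's error string].
def verify_with(cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca_cert| store.add_cert(ca_cert) }
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Constructed sample PKI: a private CA, a server certificate it signed, and an unrelated CA.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = make_cert('/CN=constructed-private-ca', CA_KEY, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=boot2docker', SERVER_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)
OTHER_CA    = make_cert('/CN=unrelated-ca', OpenSSL::PKey::RSA.new(2048), ca: true)

if __FILE__ == $PROGRAM_NAME
  { 'empty trust store' => [], 'unrelated CA only' => [OTHER_CA],
    'private CA (ca.pem equivalent)' => [CA_CERT] }.each do |label, cas|
    ok, err = verify_with(SERVER_CERT, cas)
    puts format('%-32s verified=%-5s %s', label, ok, err)
  end
end
```
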
