Excon::Errors::SocketError: end of file reached (EOFError)

[gregory]

$docker version =>
Client version: 1.3.0
Client API version: 1.15
Go version (client): go1.3.3
Git commit (client): c78088f
OS/Arch (client): darwin/amd64
Server version: 1.3.0
Server API version: 1.15
Go version (server): go1.3.3
Git commit (server): c78088f

lib = File.expand_path('lib', __FILE__); $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib); require 'docker';
Docker.version =>
#Excon::Errors::SocketError: end of file reached (EOFError)
#from ~/.rbenv/versions/2.0.0-p576/lib/ruby/gems/2.0.0/gems/excon-0.40.0/lib/excon/socket.rb:92:in `readline'

[tlunter]

This could be due to an API update. Right now the latest docker-api works for 1.12, specified here. We may have to vet the new API version and see what's changed.

[neckhair]

I think the relevant change is described in the Docker API Docs:

If the Docker daemon is set to use an encrypted TCP socket (--tls, or --tlsverify) as with Boot2Docker 1.3.0, then you need to add extra parameters to curl when making test API requests: curl --insecure --cert ~/.docker/cert.pem --key ~/.docker/key.pem https://boot2docker:2376/images/json

Excon should somehow use the certificates in ~/.docker/. Although mine were in ~/.boot2docker/certs/boot2docker-vm as indicated by boot2docker shellinit.

Edit: Excon is able to handle certificates: https://github.com/excon/excon#https-client-certificate. I'll give that a try.

[neckhair]

Got it running on boot2docker:

Set the url scheme of DOCKER_HOST to https:

DOCKER_HOST=https://boot2docker:2376

Then set the following options:

cert_path = File.expand_path ENV['DOCKER_CERT_PATH']
Docker.options = {
  client_cert: File.join(cert_path, 'cert.pem'),
  client_key: File.join(cert_path, 'key.pem')
}

Excon.defaults[:ssl_ca_file] = File.join(cert_path, 'ca.pem')

DOCKER_CERT_PATH was set by running $(boot2docker shellinit) and is ~/.boot2docker/certs/boot2docker-vm

[stevenjack]

I've run into this issue as well, I tried setting the following when the options are passed to the Excon resource in connection.rb:

{
  :client_cert => '/Users/stevenjack/.docker/boot2docker-vm/cert.pem',
  :client_key => '/Users/stevenjack/.docker/boot2docker-vm/key.pem',
  :ssl_ca_file => '/Users/stevenjack/.docker/boot2docker-vm/ca.pem',
  :ssl_verify_peer => false
}

but still getting the end of file reached (EOFError) error. I thought it might be something to do with the poodle exploit (I expect SSLv3 is turned off in the latest release of the remote docker api), so I tried setting the SSL versions to just TLS 1/2:

{
  :client_cert => '/Users/stevenjack/.docker/boot2docker-vm/cert.pem',
  :client_key => '/Users/stevenjack/.docker/boot2docker-vm/key.pem',
  :ssl_ca_file => '/Users/stevenjack/.docker/boot2docker-vm/ca.pem', 
  :ssl_verify_peer => false,
  :ssl_versions => :TLSv1_2
}

but still getting the issue.. @neckhair did you have any luck?

[stevenjack]

@neckhair Ah I hadn't refreshed the page so I didn't see you'd got it working, awesome!

[stevenjack]

@neckhair it works for me too, but if you set the DOCKER_HOST to:

DOCKER_HOST=https://boot2docker:2376

then the standard docker daemon doesn't work:

2014/10/25 18:23:35 Invalid bind address protocol: https://192.168.59.103:2376

Need to think of the best way around this..

[tlunter]

If you guys have a working certificate-based setup, can I ask one of you to provide some documentation that we can put in the README? Specifically about which options are needed to pass to Excon. Undoubtedly people are going to be looking for this and if we can provide the right set of options for Excon, I'm sure it'll help a lot!

[neckhair]

Basically it works with my settings from above. You can pass in the DOCKER_HOST variable for your process only. For example start Rails with a command like that:

DOCKER_HOST=https://boot2docker:2376 bundle exec rails server

I know that's not very usefull in all cases. Isn't there a way to get Excon working with a "tcp://" URL?

[neckhair]

It works now. In my Rails app I've got the following initializer (config/initializiers/docker.rb):

cert_path = File.expand_path ENV['DOCKER_CERT_PATH']

Docker.options = {
  client_cert: File.join(cert_path, 'cert.pem'),
  client_key: File.join(cert_path, 'key.pem'),
  ssl_ca_file: File.join(cert_path, 'ca.pem'),
  scheme: 'https' # This is important when the URL starts with tcp://
}

That works with

$  echo $DOCKER_HOST
tcp://192.168.59.103:2376

[stevenjack]

@neckhair perfect! That makes much more sense

[stevenjack]

👍

[joelmoss]

I have this set, but getting this error:

Excon::Errors::SocketError: Unable to verify certificate, please set `Excon.defaults[:ssl_ca_path] = path_to_certs`, `ENV['SSL_CERT_DIR'] = path_to_certs`, `Excon.defaults[:ssl_ca_file] = path_to_file`, `ENV['SSL_CERT_FILE'] = path_to_file`, `Excon.defaults[:ssl_verify_callback] = callback` (see OpenSSL::SSL::SSLContext#verify_callback), or `Excon.defaults[:ssl_verify_peer] = false` (less secure).

[alhafoudh]

@joelmoss: That is because the certificated that you use (and also boot2docker uses) are not signed by trusted CA. You can fix it by placing Excon.defaults[:ssl_verify_peer] = false somewhere while you develop you app.
In production you should get you certificates signed by some trusted CA.