Open Wind010 opened 1 year ago
Does updating the local cert store prior to installation help? e.g. run below then attempt to run the install script again.
sudo apt-get install -y ca-certificates
Additional comments:
DD_API_KEY=dummy
to the installer and it should not interfere or cause issues with the installation or running the Agent. It would still need to be corrected afterwards for payloads to be accepted by the backend however.That was one of the steps I tried. I had pulled down install_script_agent7.sh
locally and updated it to install ca-certificates
:
if [ -z "$sudo_cmd" ]; then
# if $sudo_cmd is empty, doing `$sudo_cmd X=Y command` fails with
# `X=Y: command not found`; therefore we don't prefix the command with
# $sudo_cmd at all in this case
DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl gnupg ca-certificates
else
$sudo_cmd DEBIAN_FRONTEND=noninteractive apt-get install -y apt-transport-https curl gnupg ca-certificates
fi
...
printf "\033[34m\n* UPDATE STORE BEGIN\n\033[0m\n"
update-ca-certificates
printf "\033[34m\n* UPDATE STORE END\n\033[0m\n"
No errors on the update-ca-certificates
however, same SSL error.
I agree with point 1, however, it's better than having the people workaround for with -k
in general. The certificate install, however, was validated in Chrome visually before installation. An additional check would be good for the certificate install outlined above.
I'll double check the API key, but from what I remember, it was just an MD5 hash for my testing.
I tried using your Dockerfile but mine built successfully; I ran it around Fri May 12 02:30:00 UTC 2023
. Logs here for your reference: https://gist.github.com/ian28223/b8f432325909c704d56a00427db45c3e
I also tried to build it within an Ubuntu VM as well as a Centos VM
Very odd since using the same Docker file, I get the logs outlined above. I just tried again and it reproduces locally, but on a newly setup Azure DevOps Build pipeline, the image build succeeds. I would assume that image building would be consistent and the differences is network related...
I am using Docker Desktop version 4.17.0 (99724).
Below is what I had in mine installed via curl -sSL get.docker.com | sh
Client: Docker Engine - Community
Version: 23.0.6
API version: 1.42
Go version: go1.19.9
Git commit: ef23cbc
Built: Fri May 5 21:18:28 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 23.0.6
API version: 1.42 (minimum version 1.12)
Go version: go1.19.9
Git commit: 9dbdbd4
Built: Fri May 5 21:18:28 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.21
GitCommit: 3dce8eb055cbb6872793272b4f20ed16117344f8
runc:
Version: 1.1.7
GitCommit: v1.1.7-0-g860f061
docker-init:
Version: 0.19.0
GitCommit: de40ad0
OSes tried:
There might have been a recent change in the base image (https://github.com/Azure/azure-functions-docker/pull/895/files#diff-fbc1520a90e119f1edbd6abd0554505c982a79092f5aa2923cffe6c60bdf80b1)
Can you try docker builder prune
and/or docker image prune -a
locally and rebuild?
I had actually run docker prune --all
and double checked that none of my existing images use that base image. I didn't want to run docker image prune -a
since I have other pending work. I did try on a different host and the issue still reproduces on my home and work network with Docker Desktop version 4.17.0 (99724). I'll try updating Docker Desktop.
I was also able to build the Dockerfile successfully through an M1 mac running Rancher version 1.8.1.
@Wind010 I know this is an old issue, but did you find a resolution? I'm currently struggling with something similar.
@cheilamanJHA I suspect this was an issue with corporate firewall and client proxy on the host, since it will build through Azure DevOps and on my personal machine.
Agent Environment Latest using curl -L https://s3.amazonaws.com/dd-agent/scripts/install_script_agent7.sh
Describe what happened: When running the script within a Debian as part of this base image
mcr.microsoft.com/azure-functions/python:4-python3.9-slim
:Logs from Docker build:
Testing the curl command within container running the base image:
Curl -V:
Describe what you expected: That the install_script_agent7.sh runs successfully in the base image.
Steps to reproduce the issue: Example Dockerfile:
docker build --build-arg DD_API_KEY=YOUR_API_KEY
Additional environment details (Operating System, Cloud provider, etc): Windows 11 building the docker image.
Some OS like Debian and Windows may not have the appropriate certificates authorities added to their certificate store. Commands such as:
curl -v https://keys.datadoghq.com/DATADOG_APT_KEY_CURRENT.public and apt-get install datadog-agent
Will fail since since the TLS handshake can't be made due to broken certificate chain:
curl: (60) ssl certificate problem: self signed certificate in certificate chain
The same failure will occur for apt-get with the https://apt.datadoghq.com package repository. The workaround would be to include the
--insecure
flag for curl and-o "Acquire::https::Verify-Peer=false"
for apt-get, but this is problematic for the telemetry since it could send the DD_API_KEY and open for any man-in-the-middle interception due.The safer option is to have the install_script_agent7.sh include population of the expected certificates from
https://*.datadoghq.com
: