canonical / lxd

Powerful system container and virtual machine manager
https://canonical.com/lxd
GNU Affero General Public License v3.0

[SOLVED] 'handshake failure' error launching image behind a proxy #1814

Closed diegolagoglez closed 8 years ago

diegolagoglez commented 8 years ago

[SOLVED]

The problem was that the proxy server was set on the client side (lxc), but it must be set on the server side (lxd) using the lxc config command:

user@box ~ $ lxc config set core.http_proxy <proxy server>
user@box ~ $ lxc config set core.https_proxy <proxy server>
user@box ~ $ lxc config set core.proxy_ignore_hosts <hosts>


I've installed lxc/lxd through its official PPA (ppa:ubuntu-lxc/lxd-stable) and I have version 2.0.0.rc6 on Ubuntu MATE 15.10 (amd64). When I try to download an image (with the command sudo -E lxc launch images:centos/6/amd64 my-centos) I always get the same error:

error: Get https://images.linuxcontainers.org/1.0/images/centos/6/amd64: remote error: handshake failure

Full debug output of the command is:

user@host ~ $ sudo -E lxc launch --debug images:centos/6/amd64 my-centos
DBUG[03-23|16:29:16] Raw response: {"type":"sync","status":"Success","status_code":200,"metadata":{"api_extensions":[],"api_status":"development","api_version":"1.0","auth":"trusted","config":{"storage.zfs_pool_name":"lxd-pool"},"environment":{"addresses":[],"architectures":["x86_64","i686"],"driver":"lxc","driver_version":"2.0.0.rc12","kernel":"Linux","kernel_architecture":"x86_64","kernel_version":"4.2.0-27-generic","server":"lxd","server_pid":6383,"server_version":"2.0.0.rc5","storage":"zfs","storage_version":"5"},"public":false}}

DBUG[03-23|16:29:16] Raw response: {"type":"sync","status":"Success","status_code":200,"metadata":{"api_extensions":[],"api_status":"development","api_version":"1.0","auth":"trusted","config":{"storage.zfs_pool_name":"lxd-pool"},"environment":{"addresses":[],"architectures":["x86_64","i686"],"driver":"lxc","driver_version":"2.0.0.rc12","kernel":"Linux","kernel_architecture":"x86_64","kernel_version":"4.2.0-27-generic","server":"lxd","server_pid":6383,"server_version":"2.0.0.rc5","storage":"zfs","storage_version":"5"},"public":false}}

error: Get https://images.linuxcontainers.org/1.0/images/centos/6/amd64: remote error: handshake failure

I am behind a proxy server that works well with https addresses but, when I try to download any image, the previous error is always shown. I also tested it on an Ubuntu MATE 15.10 (i386) without a proxy and it works perfectly.

The proxy server is configured through the UI (globally), but I also have the http_proxy/https_proxy shell variables exported.

The rest of the commands (like lxc image list images:) work well.

lxc info

t=2016-03-28T14:11:52+0200 lvl=info msg=handling url=/1.0 ip=@ method=GET
t=2016-03-28T14:11:52+0200 lvl=info msg=handling method=GET url=/1.0 ip=@
apicompat: 0
auth: trusted
environment:
  addresses: []
  architectures:
  - x86_64
  - i686
  driver: lxc
  driverversion: 2.0.0.rc13
  kernel: Linux
  kernelarchitecture: x86_64
  kernelversion: 4.2.0-27-generic
  server: lxd
  serverpid: 20581
  serverversion: 2.0.0.rc6
  storage: zfs
  storageversion: "5"
config:
  storage.zfs_pool_name: lxd-pool
public: false

/var/log/lxd/lxd.log:

t=2016-03-23T16:21:08+0100 lvl=info msg="Downloading the image" image=centos/6/amd64
t=2016-03-23T16:21:09+0100 lvl=eror msg="Failed to download image metadata" err="Get https://images.linuxcontainers.org/1.0/images/centos/6/amd64: remote error: handshake failure" image=centos/6/amd64

stgraber commented 8 years ago

Yeah, it's unfortunate that the golang error is so cryptic about it...

diegolagoglez commented 8 years ago

Yes… Maybe we should add an issue indicating that errors about TLS/SSL issues are so cryptic, especially when it is using a proxy.

stgraber commented 8 years ago

That would be an upstream golang issue though. LXD reports all it gets from golang so it doesn't have much more of a clue than you do :)

bac commented 6 years ago

@diegolagoglez The solution you provide lxc config set core.http_proxy <proxy server> results in

error: Bad server config key: 'core.http_proxy'

On https://stgraber.org/2016/03/15/lxd-2-0-installing-and-configuring-lxd-212/, @stgraber has the keys as:

lxc config set core.proxy_http http://squid01.internal:3128
lxc config set core.proxy_https http://squid01.internal:3128
lxc config set core.proxy_ignore_hosts image-server.local

If Stéphane is correct, could you fix the solution you provide above? I am using lxc v2.0.11.
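
Added example, not part of the thread and not LXD's own code: the image download is made by the daemon process, so the proxy that matters is the one the daemon is configured with, not the one exported in the client's shell. The Go sketch below models a daemon-side proxy selector driven by three values standing in for the server keys quoted above; the function names and the comma-separated ignore list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// DaemonProxy builds a proxy selector only from the values passed in (stand-ins
// for the three server keys). Hypothetical helper, not LXD's implementation.
func DaemonProxy(proxyHTTP, proxyHTTPS, ignoreHosts string) func(*http.Request) (*url.URL, error) {
	ignored := map[string]bool{}
	for _, h := range strings.Split(ignoreHosts, ",") { // assumed comma-separated
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			ignored[h] = true
		}
	}
	return func(req *http.Request) (*url.URL, error) {
		raw := proxyHTTP
		if req.URL.Scheme == "https" {
			raw = proxyHTTPS
		}
		if raw == "" || ignored[strings.ToLower(req.URL.Hostname())] {
			return nil, nil // a nil proxy URL means "connect directly"
		}
		return url.Parse(raw)
	}
}

// ProxyFor reports the proxy chosen for target, or "direct".
func ProxyFor(sel func(*http.Request) (*url.URL, error), target string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return "", err
	}
	p, err := sel(req)
	if err != nil || p == nil {
		return "direct", err
	}
	return p.String(), nil
}

func main() {
	sel := DaemonProxy("http://squid01.internal:3128", "http://squid01.internal:3128", "image-server.local")
	for _, t := range []string{"https://images.linuxcontainers.org/1.0/images/centos/6/amd64", "https://image-server.local/1.0"} {
		got, err := ProxyFor(sel, t)
		fmt.Println(t, "->", got, err)
	}
}
```

A selector like this is attached to the outbound client through the Proxy field of http.Transport; with all three values empty it returns "direct" whatever https_proxy is set to in the calling shell.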