docker / docker-py

A Python library for the Docker Engine API
https://docker-py.readthedocs.io/
Apache License 2.0

docker-py does not respect TLS docker options (fails to connect) #2244

Open ssbarnea opened 5 years ago

ssbarnea commented 5 years ago

Configuring docker to talk over TLS involves 3 environment variables, and it seems that the docker-py library chokes when it cannot verify the TLS certificates, even if docker itself works correctly, as expected.

This is because the DOCKER_TLS variable tells docker to use TLS and to ignore TLS verification. If the user wants to enforce TLS validation, he must define the DOCKER_TLS_VERIFY variable.

The library fails to do this because it uses Python requests, which has verify=True by default.

This is very easy to reproduce:

export DOCKER_HOST=tcp://1.2.3.4:2376
export DOCKER_TLS=1
python -c "import docker; docker.from_env().ping()"

This will raise an exception similar to:

Traceback (most recent call last):
  File "./py-docker", line 8, in <module>
    c.ping()
  File "/Users/ssbarnea/os/docker-py/docker/client.py", line 187, in ping
    return self.api.ping(*args, **kwargs)
  File "/Users/ssbarnea/os/docker-py/docker/api/daemon.py", line 166, in ping
    return self._result(self._get(self._url('/_ping'))) == 'OK'
  File "/Users/ssbarnea/os/docker-py/docker/utils/decorators.py", line 46, in inner
    return f(self, *args, **kwargs)
  File "/Users/ssbarnea/os/docker-py/docker/api/client.py", line 225, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/requests/sessions.py", line 546, in get
    return self.request('GET', url, **kwargs)
  File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/Users/ssbarnea/.pyenv/versions/2.7.15/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='1.2.3.4', port=2376): Max retries exceeded with url: /v1.35/_ping (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

shin- commented 5 years ago

The current behavior is defined here: https://github.com/docker/docker-py/blob/master/docker/utils/utils.py#L343-L349

You may want to set DOCKER_TLS_VERIFY= (empty value) in your environment and see if that solves the issue.
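The exchange above turns on how the DOCKER_HOST, DOCKER_TLS_VERIFY and DOCKER_CERT_PATH variables resolve into a `verify` setting for the underlying requests session. The function below is an added illustration of that resolution; it is not docker-py's own code and not code from either commenter. Its semantics are an assumption taken from the maintainer's reply (an empty DOCKER_TLS_VERIFY disables verification; unset or any other value keeps it on once TLS is in use), the CLI-style DOCKER_TLS flag is honoured only as the reporter expects, and the file names cert.pem, key.pem and ca.pem are the Docker CLI's usual layout under ~/.docker. The function name `tls_from_env` and the `DaemonTls` type are mine. The security-relevant outcome is the third field of each result: `False` means the daemon's certificate is never checked, a bare `True` would mean the system trust store, and a path means verification pinned to the daemon's own CA.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple, Union


@dataclass(frozen=True)
class DaemonTls:
    """Connection settings derived from DOCKER_* variables, expressed in requests' terms."""
    base_url: str                           # http(s)://host:port
    verify: Union[bool, str]                # False, True, or a CA bundle path
    client_cert: Optional[Tuple[str, str]]  # (cert.pem, key.pem) or None


def tls_from_env(env: Mapping[str, str], home: str = "~") -> DaemonTls:
    """Resolve the Docker client variables into a TLS configuration.

    Assumed semantics (hypothetical model, not docker-py's implementation):
      * DOCKER_TLS_VERIFY == ""  -> verification off
      * DOCKER_TLS_VERIFY unset or any other value -> verification on
      * TLS is in use when DOCKER_TLS, DOCKER_CERT_PATH or DOCKER_TLS_VERIFY is present
    """
    host = env.get("DOCKER_HOST", "")
    if not host.startswith("tcp://"):
        raise ValueError("this example only handles tcp:// hosts")
    hostport = host[len("tcp://"):]

    cert_path = env.get("DOCKER_CERT_PATH") or None   # empty string behaves as unset
    raw_verify = env.get("DOCKER_TLS_VERIFY")
    verify_on = raw_verify != ""                      # only an explicit empty value turns it off
    tls_in_use = bool(env.get("DOCKER_TLS")) or cert_path is not None or raw_verify is not None

    if not tls_in_use:
        # Plain-text connection: nothing to verify, nothing to present.
        return DaemonTls(base_url=f"http://{hostport}", verify=False, client_cert=None)

    cert_dir = cert_path or os.path.join(os.path.expanduser(home), ".docker")
    client_cert = (os.path.join(cert_dir, "cert.pem"), os.path.join(cert_dir, "key.pem"))
    ca_cert = os.path.join(cert_dir, "ca.pem")

    # Pin verification to the daemon's CA when it is on; False disables it entirely.
    verify: Union[bool, str] = ca_cert if verify_on else False
    return DaemonTls(base_url=f"https://{hostport}", verify=verify, client_cert=client_cert)


if __name__ == "__main__":
    # Constructed environments covering the reporter's case, the maintainer's
    # suggested workaround, and the verified setup an operator should prefer.
    scenarios = {
        "reporter (DOCKER_TLS=1 only)": {"DOCKER_HOST": "tcp://1.2.3.4:2376", "DOCKER_TLS": "1"},
        "workaround (DOCKER_TLS_VERIFY empty)": {"DOCKER_HOST": "tcp://1.2.3.4:2376",
                                                 "DOCKER_TLS": "1", "DOCKER_TLS_VERIFY": ""},
        "verified (explicit CA directory)": {"DOCKER_HOST": "tcp://1.2.3.4:2376",
                                             "DOCKER_TLS_VERIFY": "1",
                                             "DOCKER_CERT_PATH": "/etc/docker/certs"},
    }
    for name, env in scenarios.items():
        settings = tls_from_env(env, home="/home/op")
        print(f"{name}: {settings.base_url} verify={settings.verify!r}")
```

Under this model the workaround in the reply does make the handshake succeed, but only by setting `verify=False`, which accepts any certificate the remote end presents. The third scenario keeps verification on and points it at the daemon's CA bundle, which is the setting to carry into a requests session (`session.verify = settings.verify`, `session.cert = settings.client_cert`) when the daemon certificate is not issued by a publicly trusted CA.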