docker / machine

Machine management for a container-centric world
https://docs.docker.com/machine/
Apache License 2.0

Azure driver issue from a VM on Azure #3384

Open mrshah-at-ibm opened 8 years ago

mrshah-at-ibm commented 8 years ago

When using docker-machine from a VM on Azure to create new VMs, I cannot auth using the Link & Code provided.

I have tried running the same command on other local machines and it works fine.

Details: Command: docker-machine create --driver azure --azure-subscription-id <subscription_id> <machine_name>

Error:

[image: screenshot of the error, not preserved]

Let me know if I should provide more information.

ahmetb commented 8 years ago

@mrshah-at-ibm it looks like it's the same issue as #3334. Can you please clear cookies listed here: https://github.com/docker/machine/issues/3334#issuecomment-211591118 (or simply use an incognito browser tab)?

mrshah-at-ibm commented 8 years ago

@ahmetalpbalkan thanks for the reply. I tried that already. It gives me the same error.

Also I saw the following behavior:

Works: Remote (ssh) in to any computer (or VM) which is local and run the docker-machine create --driver azure command -> Put the auth code at the web url in the chrome browser on my laptop

Doesn't Work: Remote (ssh) in to any VM on Azure or Softlayer (yet to try amazon) and run the docker-machine create --driver azure command -> Put the auth code at the web url in the chrome browser on my laptop.

Note: If I download azure command-line on the VM on Azure or Softlayer and run azure login, I can auth using the auth code on my laptop.

ahmetb commented 8 years ago

@mrshah-at-ibm it should not be related to the azure command on your laptop. That is interesting, I will forward the issue to the Active Directory team, this may take long, in the meanwhile if you get blocked, you can copy your ~/.docker/machine/credentials directory to the machine that works and it should work for you.

mrshah-at-ibm commented 8 years ago

Thanks @ahmetalpbalkan, I will give it a try.

If you want to reproduce it, create an Ubuntu VM on Azure and try running the docker-machine create --driver azure command. Let me know if it works for you.

ahmetb commented 8 years ago

@mrshah-at-ibm I just tried that, created a docker-machine VM on Azure, installed docker-machine, authenticated and it works. (both for my Active Directory account and personal Microsoft account)

I will forward your correlation ID to activedirectory team for investigation.

mrshah-at-ibm commented 8 years ago

@ahmetalpbalkan thanks. I don't know what the problem is. I am still trying it.

Let me know if you find out something from correlation ID team.

ahmetb commented 8 years ago

@mrshah-at-ibm turns out Active Directory's fantastic logging system does not capture enough details and they asked me if you have Fiddler/mitmproxy dumps. I know it's too much to ask, but if you could record the traffic in browser and send it my way, I'll pass it on.

mrshah-at-ibm commented 8 years ago

Give me some time, I'll get the dumps for you.

ahmetb commented 8 years ago

@mrshah-at-ibm thanks! we really appreciate it.

ahmetb commented 8 years ago

@mrshah-at-ibm Hey there, for us to continue investigating, if you could get some Fiddler/mitmproxy trace from the browser window during the authentication, that would be great! Let us know if you need anything or the issue does not persist anymore.

mrshah-at-ibm commented 8 years ago

@ahmetalpbalkan Can you keep this open? The issue still exists and we do want to investigate. I got pulled into something else, thus the delay. I will get you the logs.

ahmetb commented 8 years ago

@mrshah-at-ibm I got a response from the Active Directory team, saying they are going to add more tracing code to find out why the issue is happening. Unfortunately I'm not sure what their ETA is. When that happens, we shall reach out to you again here and ask you to try again. Until then, I guess you're pretty much out of luck.

My suggestion is, if you are signing in with your personal Microsoft account, try creating an active directory work ID and signing in with it in the Incognito tab. https://azure.microsoft.com/documentation/articles/virtual-machines-windows-create-aad-work-id/ hopefully this would work.

In the meanwhile I am investigating other authentication schemes that do not require you to login through a browser. We already have an open issue about that here.

mrshah-at-ibm commented 8 years ago

@ahmetalpbalkan I am still seeing the issue. Feel free to close this until I get you the network logs.

ahmetb commented 8 years ago

@mrshah-at-ibm no worries, we can keep it open.

ahmetb commented 8 years ago

@mrshah-at-ibm Are you still hitting this issue? AAD has recently deployed a fix that should be solving this problem. If you are still hitting the problem, I would really appreciate it if you could send me the CorrelationID/Timestamp data from the error page.

bertvannuffelen commented 7 years ago

Hi,

I get the same issue here. Today.

I created a VM on the Azure cloud (using docker-machine from my laptop). Then I installed docker-machine on that VM and tried to create a new machine from that one. It gives me the request to authenticate via the web login, but then it fails.

Now while writing the report and doing the steps again, all of a sudden it accepts it. It seems that the whole procedure is vulnerable to cookies or other sessions/account settings.

kr,

Bert