Closed ambsw-technology closed 7 years ago
ambsw-technology
commented
7 years ago I debugged (repr again) the command being run:
docker -H http://127.0.0.1:22026 ps --no-trunc --format="{{.ID}}||{{.Image}}||{{.CreatedAt}}||{{.Status}}||{{.Names}}||{{.Command}}||{{.Ports}}" --all=trueWhen I run this manually/locally on the target, I get two issues:
http://ambsw-technology
commented
7 years ago This call is clearly using the CLI (based on the stack trace). However, I discovered that an earlier call was statically linked to the API client. I'll update you once I resolve the first call to figure out if the issues are interrelated.
ambsw-technology
commented
7 years ago This problem persists after fixing the statically linked API client so it's not a config-poisoning issue.
ambsw-technology
commented
7 years ago I'm not sure when, but the error has changed slightly because the command is now:
docker -H http+docker://localunixsocket ps --no-trunc --format="{{.ID}}||{{.Image}}||{{.CreatedAt}}||{{.Status}}||{{.Names}}||{{.Command}}||{{.Ports}}" --all=true
Naturally, the -H flag is still wrong (and unnecessary) but this looks "better" since it's not answering like it's trying to write to a socat port.
merll
commented
7 years ago It seems that there need to be some modifications to the -H argument. However, it is not entirely clear to me how the URL ends up this way. Could you list which env variables starting with docker_ are set and to what values, and which keyword arguments you pass in to container_fabric() or container_cli(), if any?
ambsw-technology
commented
7 years ago I was in the middle of documenting the sequence of events when you replied so I went ahead and finished. I've "flattened" a bunch of function calls, but roughly:
env.docker_fabric_implementation = CLIENT_CLI
docker_client = api.docker_client()
# Debug logs show CLI Client is created correctly.
# in get_connection():
# env.get('host_string') = '<ip of target>'
# kwargs.get('base_url') = None
# env.get('docker_base_url') = None
for container in env.docker_maps.containers:
docker_client.pull(env.docker_maps.containers[container].image)
# These all run correctly and the images are pulled
container_fabric_inst = api.container_fabric(docker_client=docker_client, container_maps=[])
for container in env.docker_maps.containers:
# I don't hit any CLI constructor log messages at this point
container_fabric_inst.startup(container)
# Somewhere in here the CLI Client is recreated with the wrong parameters
# in get_connection():
# env.get('host_string') = '<ip of target>'
# kwargs.get('base_url') = 'http+docker://localunixsocket'
# env.get('docker_base_url') = Nonecorrected inline above, this happens in "startup"
edit: it happens in both but the error in upgrade() happens when it calls docker -H http+docker://localunixsocket pull --insecure-registry=false tianon/true:latest
ambsw-technology
commented
7 years ago ... and my shell has no docker_ env variables
ambsw-technology
commented
7 years ago I don't know if it helps narrow down, but these are (slightly sanitized and annotated) messages around the bad CLI construction:
DEBUG:dockermap.map.client:Passing kwargs to client actions: {}
DEBUG:dockermap.map.state.base:Following dependency path for graylog_map.nginx.
DEBUG:dockermap.map.state.base:Dependency path at graylog_map.graylog, instances [None].
<< in get_connection
'172.24.2.11' << env.get('host_string')
'http+docker://localunixsocket' << kwargs.get('base_url')
None << env.get('docker_base_url')
<< CLI init here
DEBUG:docker.auth.auth:Trying paths: ['/home/<domain>/<user>/.docker/config.json', '/home/<domain>/<user>/.dockercfg']
DEBUG:docker.auth.auth:Found file at path: /home/<domain>/<user>/.docker/config.json
DEBUG:docker.auth.auth:Found 'auths' sectionOK. Looks like the offender is in dockermap.map.state.base line 116. This client_config is generated as part of the clients in 105 or 107. These are generated by the _policy.
I see a policy created in dockermap.map.client on line 102, but am still trying to chase it through the logic to confirm. Perhaps you know definitely either way (and can shortcut my search).
ambsw-technology
commented
7 years ago Removing the docker.Client check in #10 (and not adding it to the CLI class) has resolved the -H issue. The next issue I ran into was the CREATED_AT_PATTERN regex. Specifically, my time component was:
2016-12-06 18:09:58 -0500 EST
The regex pattern doesn't like the - timezone and can be fixed as:
CREATED_AT_PATTERN = re.compile(r'(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) .\d{4} \w+')
I tried (\+|-) but it creates an additional, invalid group. The . will match anything but this isn't too risky since the rest of the pattern has to work.
merll
commented
7 years ago I have created a separate issue for the Regex, while I am still tracking down the client creation.
ambsw-technology
commented
7 years ago The CLI client creation issue was created by my original fix for the docker-map check. I added an inheritance relationship with docker.Client to get past it. When I do that, it's actually docker.Client that injects docker+http://... and was creating the -H issue. This issue went away when I eliminated the inheritance from docker.Client (possible thanks to the different strategy for the docker-map check).
+1 on the experimental CLI client
I'm testing it and ran into the following issue.
The problem is that (the
reprof) the "resource" being returned is the following:Obviously, I'm going to do some digging to see if I can resolve, but I wanted to get the report out there ASAP in case you could shortcut the search.