slimtoolkit / slim

Slim(toolkit): Don't change anything in your container image and minify it by up to 30x (and for compiled languages even more) making it secure too! (free and open source)
Apache License 2.0

x509: certificate signed by unknown authority #124

Open tata9001 opened 4 years ago

tata9001 commented 4 years ago

When I try to shrink the application docker image based on the node:12-alpine.

After I try to start the slim docker container, it throws the error:

Post https://kms.ap-southeast-2.amazonaws.com/: x509: certificate signed by unknown authority

What's wrong with this?

kcq commented 4 years ago

Thanks for opening the issue, @wangyun1517! Let me investigate and I'll update you ASAP.

kcq commented 4 years ago

@wangyun1517 it seems like the minified image is missing its certs, so the AWS KMS call failed. Can you describe what your application is doing and when it calls KMS? What kind of application is it? Does it have an HTTP/web interface or is it a command line application? Are those KMS calls triggered when one of the HTTP/web endpoints is called? Did you minify the image with custom HTTP probe instructions in docker-slim? Would you mind sharing the docker-slim build command output?
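A way to confirm the "missing certs" diagnosis above on an unpacked image root filesystem, as an added example that is not part of the thread or of docker-slim. It assumes the failing client is a Go binary (the error text is Go's `crypto/x509` wording) and checks only the bundle files Go looks for on Linux, not its fallback certificate directories; the function names and the `check_ca.sh` file name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Bundle paths below are the files Go's
# crypto/x509 checks on Linux.
# Usage (assumed workflow): unpack the minified image first, e.g.
#   mkdir rootfs && docker export "$(docker create slim-test.slim)" | tar -x -C rootfs
#   sh check_ca.sh rootfs
CA_BUNDLE_PATHS="
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/ca-bundle.pem
/etc/pki/tls/cacert.pem
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/cert.pem
"

# Print where PATH lives inside ROOT, following one symlink level so that an
# absolute link target is looked up inside ROOT rather than on the host.
resolve_in_root() {
    root=$1; path=$2
    if [ -L "$root$path" ]; then
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    fi
    printf '%s\n' "$root$path"
}

# Print "<bundle path> <certificate count>" for the first bundle holding at
# least one PEM certificate; return 1 if the root filesystem has none.
find_ca_bundle() {
    root=${1%/}
    for p in $CA_BUNDLE_PATHS; do
        f=$(resolve_in_root "$root" "$p")
        [ -f "$f" ] || continue
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$p" "$n"
            return 0
        fi
    done
    return 1
}

if [ "$#" -gt 0 ]; then
    find_ca_bundle "$1" || { echo "no usable CA bundle under $1" >&2; exit 1; }
fi
```

Running it against both the original and the minified root filesystem shows whether minification dropped the bundle or left only a dangling symlink to it.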

tata9001 commented 4 years ago

> Can you describe what your application is doing and when it calls KMS?

I have used shush in the Dockerfile. It will call KMS to decrypt the KMS_ENCRYPTED_XXX ENV when the container starts.

> What kind of application is it? Does it have an HTTP/web interface or is it a command line application?

It's a node web application.

> Are those KMS calls triggered when one of the HTTP/web endpoints is called?

Nope, the KMS call happens when the container starts.

> Did you minify the image with custom HTTP probe instructions in docker-slim?

IDK how to use the custom HTTP probe, I just use the normal one.

Output


```
$ docker-slim build slim-test:latest
docker-slim[build]: info=http.probe message='using default probe'
docker-slim[build]: state=started
docker-slim[build]: info=params target=slim-test:latest continue.mode=probe
docker-slim[build]: state=image.inspection.start
docker-slim[build]: info=image id=sha256:5b866f2ce2a20be419be49db58e83b7ffb9a84d5857c78dd5048f05888f88bfe size.bytes=367583548 size.human=368 MB
docker-slim[build]: info=image.users exe='appuser' all='appuser'
docker-slim[build]: info=image.stack index=0 name='slim-test:202001151849' id='sha256:5b866f2ce2a20be419be49db58e83b7ffb9a84d5857c78dd5048f05888f88bfe'
docker-slim[build]: info=image.exposed_ports list='3001'
docker-slim[build]: state=image.inspection.done
docker-slim[build]: state=container.inspection.start
docker-slim[build]: info=container status=created name=dockerslimk_97715_20200117142247 id=df596861697cb8e7a277faaf243673d39c88d01b31b66f3e4492ffb96fa62da4
docker-slim[build]: info=cmd.startmonitor status=sent
docker-slim[build]: info=event.startmonitor.done status=received
docker-slim[build]: info=container name=dockerslimk_97715_20200117142247 id=df596861697cb8e7a277faaf243673d39c88d01b31b66f3e4492ffb96fa62da4 target.port.list=[32786] target.port.info=[3001/tcp => 0.0.0.0:32786] message='YOU CAN USE THESE PORTS TO INTERACT WITH THE CONTAINER'
docker-slim[build]: state=http.probe.starting message='WAIT FOR HTTP PROBE TO FINISH'
docker-slim[build]: info=continue.after mode=probe message='no input required, execution will resume when HTTP probing is completed'
docker-slim[build]: info=prompt message='waiting for the HTTP probe to finish'
docker-slim[build]: state=http.probe.running
docker-slim[build]: info=http.probe.ports count=1 targets='32786'
docker-slim[build]: info=http.probe.commands count=1 commands='GET /'
docker-slim[build]: info=http.probe.call status=404 method=GET target=http://127.0.0.1:32786/ attempt=1 time=2020-01-17T14:23:00Z
docker-slim[build]: info=http.probe.summary total=1 failures=0 successful=1
docker-slim[build]: state=http.probe.done
docker-slim[build]: info=event message='HTTP probe is done'
docker-slim[build]: state=container.inspection.finishing
docker-slim[build]: state=container.inspection.artifact.processing
docker-slim[build]: state=container.inspection.done
docker-slim[build]: state=building message='building minified image'
docker-slim[build]: state=completed
docker-slim[build]: info=results status='MINIFIED BY 5.31X [367583548 (368 MB) => 69217884 (69 MB)]'
docker-slim[build]: info=results image.name=slim-test.slim image.size='69 MB' data=true
docker-slim[build]: info=results artifacts.location='/Users/xxxx/bin/.docker-slim-state/images/5b866f2ce2a20be419be49db58e83b7ffb9a84d5857c78dd5048f05888f88bfe/artifacts'
docker-slim[build]: info=results artifacts.report=creport.json
docker-slim[build]: info=results artifacts.dockerfile.original=Dockerfile.fat
docker-slim[build]: info=results artifacts.dockerfile.new=Dockerfile
docker-slim[build]: info=results artifacts.seccomp=slim-test-seccomp.json
docker-slim[build]: info=results artifacts.apparmor= slim-test-apparmor-profile
docker-slim[build]: state=done
docker-slim[build]: info=report file='slim.report.json'
```