Fix is required in the DockerFile to support WSS/SSL connections using cli_wallet #567

Open
opened 2023-11-03 18:15:49 +00:00 by Bharathi-Chandrasekaran · 17 comments
Bharathi-Chandrasekaran commented 2023-11-03 18:15:49 +00:00 (Migrated from gitlab.com)

While verifying the steps in the document: https://peerplays.gitbook.io/peerplays-infrastructure-docs/witnesses/installation-guides/docker-install , for run.sh execution in Mainnet 1.6.0 release the following issues were observed:

  1. The image was retrieved from another repository located at the Docker hub
  2. The remote wallet command didn't work

The following work-item explains the issue in detail: https://gitlab.com/PBSA/peerplays/-/work_items/565

To solve the issue, the workaround mentioned below must be added into DockerFile located at: https://gitlab.com/PBSA/peerplays/-/blob/master/Dockerfile.

```dockerfile
ENV PATH="${PATH}:/home/peerplays/peerplays-network"
RUN sed -i '/^oid_section.*/a openssl_conf=default_conf' /etc/ssl/openssl.cnf
RUN sed -i '/^ess_cert_id_alg.*/a\[default_conf]\nssl_conf=ssl_sect\n[ssl_sect]\nsystem_default=system_default_sect\n[system_default_sect]\nMinProtocol=TLSv1\nCipherString=DEFAULT@SECLEVEL=1' /etc/ssl/openssl.cnf
```

cc: @robert.hedler , Thanks for your verification and workaround to fix the issue.
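
Added example, not part of the original issue or the project's code: a shell check that follows the `openssl_conf` -> `ssl_conf` -> `system_default` chain the workaround writes into `/etc/ssl/openssl.cnf` and reports the protocol floor and security level that result for OpenSSL clients in the image. The function names, the constructed sample file and the TLSv1.2 / level 2 thresholds are assumptions of this example.

```shell
# Added example (not project code): report the TLS floor an openssl.cnf sets
# by following openssl_conf -> ssl_conf -> system_default.
audit_openssl_cnf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    { sub(/#.*/, "") }                          # strip comments
    /^[ \t]*\[/ {                               # [section] header
        sec = $0; gsub(/[ \t]|\[|\]/, "", sec); next
    }
    index($0, "=") {                            # key = value
        eq = index($0, "=")
        kv[sec, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        s = kv["", "openssl_conf"]
        if (s != "") s = kv[s, "ssl_conf"]
        if (s != "") s = kv[s, "system_default"]
        if (s == "") { print "no system_default: library defaults apply"; exit 0 }
        min = kv[s, "MinProtocol"]; cs = kv[s, "CipherString"]; weak = 0
        # Assumed policy for this example: TLSv1.2 minimum, security level 2.
        if (min == "SSLv3" || min == "TLSv1" || min == "TLSv1.1") {
            print "WEAK MinProtocol=" min; weak = 1
        }
        if (match(cs, /@SECLEVEL=[0-9]+/)) {
            lvl = substr(cs, RSTART + 10, RLENGTH - 10) + 0
            if (lvl < 2) { print "WEAK SECLEVEL=" lvl; weak = 1 }
        }
        exit weak
    }' "${1:-/etc/ssl/openssl.cnf}"
}

# Constructed sample: the relevant lines of openssl.cnf after both sed commands.
sample_patched_cnf() {
    cat <<'EOF'
oid_section = new_oids
openssl_conf=default_conf
[ tsa_config1 ]
ess_cert_id_alg = sha1
[default_conf]
ssl_conf=ssl_sect
[ssl_sect]
system_default=system_default_sect
[system_default_sect]
MinProtocol=TLSv1
CipherString=DEFAULT@SECLEVEL=1
EOF
}

sample_patched_cnf | audit_openssl_cnf - || echo "image weakens TLS defaults"
```

The non-zero exit status on a weak setting lets the function gate an image build or CI job.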

Bharathi-Chandrasekaran commented 2023-11-03 18:15:49 +00:00 (Migrated from gitlab.com)

assigned to @Bharathi-Chandrasekaran

Bharathi-Chandrasekaran commented 2023-11-03 18:21:26 +00:00 (Migrated from gitlab.com)

mentioned in commit 6131eed7f5f34d2d97afcc5f1d08391d9fc23355
Bharathi-Chandrasekaran commented 2023-11-03 18:24:29 +00:00 (Migrated from gitlab.com)

mentioned in merge request !253

Bharathi-Chandrasekaran commented 2023-11-03 19:39:13 +00:00 (Migrated from gitlab.com)

mentioned in issue #565

bobinson commented 2023-11-07 12:46:18 +00:00 (Migrated from gitlab.com)

@Bharathi-Chandrasekaran ,

> 1. The image was retrieved from another repository located at the Docker hub
> 2. The remote wallet command didn't work

Can you edit the issue to depict only the exact issue at hand? I.e., why is the change/edit to the Dockerfile needed and what exactly happens after the edit. This will help the reviewers to understand the bug/scenario and also understand why the fix is suggested.

Bharathi-Chandrasekaran commented 2023-11-07 13:43:38 +00:00 (Migrated from gitlab.com)

Okay @bobinson .

I will discuss with Robert and update the issue.

robert.hedler commented 2023-11-07 20:38:44 +00:00 (Migrated from gitlab.com)

@bobinson without:

```dockerfile
ENV PATH="${PATH}:/home/peerplays/peerplays-network"
```

the docker container fails to start.

Without:

```dockerfile
RUN sed -i '/^oid_section.*/a openssl_conf=default_conf' /etc/ssl/openssl.cnf
RUN sed -i '/^ess_cert_id_alg.*/a\[default_conf]\nssl_conf=ssl_sect\n[ssl_sect]\nsystem_default=system_default_sect\n[system_default_sect]\nMinProtocol=TLSv1\nCipherString=DEFAULT@SECLEVEL=1' /etc/ssl/openssl.cnf
```

we cannot make WSS/SSL connections using cli_wallet.

Is this explanation enough?

bobinson commented 2023-11-08 07:08:22 +00:00 (Migrated from gitlab.com)

Hi @robert.hedler - What does the change do to the OpenSSL's behaviour & what is its impact ?

bobinson commented 2023-11-08 14:05:20 +00:00 (Migrated from gitlab.com)

changed title from Fix is required in the DockerFile to s{-olve the issues occurred during run.sh verification for docker installation in Mainnet 1.6.0 release-} to Fix is required in the DockerFile to s{+upport WSS/SSL connections using cli_wallet+}

bobinson commented 2023-11-08 14:12:45 +00:00 (Migrated from gitlab.com)

Hi @serkixenos - As discussed please see if we have a permanent long term fix for this via code. In the meantime, this workaround can be documented and used.

christophersanborn commented 2023-11-08 16:18:54 +00:00 (Migrated from gitlab.com)

Joining this convo to summarize two questions raised in other venues.

  1. Surgeon raised (in RocketChat) — "There are two Dockerfiles, [Dockerfile and Dockerfile.18.04], why is the second one not updated?".
    • Is a corresponding change needed in Dockerfile.18.04? Or is the problem addressed by the workaround only needed when the image builds from a 20.04 starting image?
  2. Surgeon also raised (in RocketChat PM) — that there might have been a resolution to the SSL problem via an update to the FC library from over a year ago.
    • Does latest FC fix the SSL problem?
    • Is latest FC utilized in latest core releases?
    • Is updating FC a better solution than applying a "workaround" to the Dockerfile?
    • (Bobinson, I suspect this is the fix you are referring to in your last comment, but just putting my summary of it here.)

cc: @bobinson @robert.hedler @serkixenos @Bharathi-Chandrasekaran

christophersanborn commented 2023-11-08 16:30:00 +00:00 (Migrated from gitlab.com)

Also there is some question of whether run.sh was pulling the image from the correct source. And indeed, I think there are three different endpoints on Dockerhub where these images are posted, and maybe there are image repos maintained by GitLab as well. So, another question:

  • What is the correct url to pull the docker images from?
christophersanborn commented 2023-11-08 17:50:17 +00:00 (Migrated from gitlab.com)

OK a bit more followup — Bharathi and I just concluded a call in which we attempted to verify the ./run.sh build workflow. This is what we found:

  • We uncovered a misconception. I had assumed that run.sh from the peerplays-docker repo would FIRST retrieve the latest PBSA/peerplays code from GitLab and THEN build the Dockerfile contained within. It does NOT do this. Instead, peerplays-docker has its own Dockerfile in a subdirectory called dkr/. (Also there's dkr_fullnode/ and dkr_local/ for variations but the Dockerfiles are the same.) What it does is it builds THIS Dockerfile.
  • The Dockerfile appears to be a copy of what presumably WAS the Dockerfile from core quite some time ago, (differing only in that it retrieves the Peerplays code from GitLab rather than taking it from build context). In short, it's out of date. Among other omissions, it does not build Libbitcoin, and so run.sh build necessarily fails.
  • A corollary of this is that patching PBSA/peerplays/Dockerfile will not address the problem unless and until that Dockerfile is propagated to peerplays-docker/dkr/Dockerfile.
  • peerplays-docker/dkr/Dockerfile needs to be updated. Maybe PBSA/peerplays/Dockerfile also needs to be updated.
  • The "workaround", if needed, could be applied to the updated peerplays-docker/dkr/Dockerfile.
  • The maintenance cadence needed to keep this Dockerfile up-to-date with PBSA/peerplays/Dockerfile is... confusing.

@bobinson

bobinson commented 2023-11-09 02:33:46 +00:00 (Migrated from gitlab.com)

Hi @christophersanborn :

> What is the correct url to pull the docker images from?

We have to use the Docker Hub container registry at https://hub.docker.com/r/peerplays/ . There are tags for testnet and mainnet builds. Occasionally we have also published images for alpha/beta releases when someone requested for it. During the mainnet release for 1.6.0 we published only the mainnet image. The testnet image was not published as it's not part of my checklist & I have updated the checklist for future purposes.

Also open to use GitLab registry whenever images are available but for general public use and public releases, we should use the docker hub as it makes installations easy and without additional configurations. There are weird bugs from Docker BuildKit when using different registries on some of the Apple Silicon Platforms + macOSes & maybe for other platforms.

Currently our README in the peerplays repository was pointing to the older link and I have corrected it here : https://gitlab.com/PBSA/peerplays/-/issues/570

bobinson commented 2023-11-09 02:39:17 +00:00 (Migrated from gitlab.com)

Hi @christophersanborn - Your points are correct. The Dockerfiles under peerplays-docker should be modified to reflect the latest releases. It's indeed outdated. When I asked to verify the script, I was expecting that the run.sh install will work out of the box and for run.sh build fixes will be required and for some other options like run.sh install_testnet requests to publish docker images for testnet images would come up. In general I have seen people using the run.sh install and in rare cases using run.sh build.

serkixenos commented 2023-11-09 13:13:23 +00:00 (Migrated from gitlab.com)
https://gitlab.com/PBSA/tools-libs/peerplays-fc/-/merge_requests/30
Bharathi-Chandrasekaran commented 2023-11-15 14:25:43 +00:00 (Migrated from gitlab.com)

mentioned in issue PBSA/peerplays-1.0/tools-libs/peerplays-docker#29

Reference: Peerplays_Blockchain/peerplays_migrated#567