exception using TLS protected engine created via docker-machine #150

Open
iangkent opened this issue Sep 2, 2015 · 4 comments

@iangkent

iangkent commented Sep 2, 2015

I am trying to use maestro to orchestrate docker containers running on a machine created using docker-machine. I configured the ship for TLS as documented by the maestro-ng project.
http://maestro-ng.readthedocs.org/en/latest/

```yaml
  host:
    ip: 192.168.99.100
    docker_port: 2376
    tls: true
    tls_verify: true
    tls_ca_cert: /root/.docker/ca.pem
    tls_key: /root/.docker/key.pem
    tls_cert: /root/.docker/cert.pem
```

When I try to start a container via maestro I get the following error:

```
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/maestro/__main__.py", line 173, in execute
    getattr(c, options.command)(**vars(options))
  File "/usr/lib/python2.7/site-packages/maestro/maestro.py", line 299, in start
    auditor=self.auditor).run()
  File "/usr/lib/python2.7/site-packages/maestro/plays/__init__.py", line 148, in run
    self._end()
  File "/usr/lib/python2.7/site-packages/maestro/plays/__init__.py", line 140, in _end
    exceptions.raise_with_tb(self._error)
  File "/usr/lib/python2.7/site-packages/maestro/plays/__init__.py", line 97, in act
    task.run(auditor=self._auditor)
  File "/usr/lib/python2.7/site-packages/maestro/plays/tasks.py", line 91, in run
    exceptions.raise_with_tb()
  File "/usr/lib/python2.7/site-packages/maestro/plays/tasks.py", line 85, in run
    self._run()
  File "/usr/lib/python2.7/site-packages/maestro/plays/tasks.py", line 145, in _run
    result = self._create_and_start_container()
  File "/usr/lib/python2.7/site-packages/maestro/plays/tasks.py", line 177, in _create_and_start_container
    if self.container.is_running():
  File "/usr/lib/python2.7/site-packages/maestro/entities.py", line 477, in is_running
    status = self.status(refresh=True)
  File "/usr/lib/python2.7/site-packages/maestro/entities.py", line 528, in status
    self._status = self.ship.backend.inspect_container(self.name)
  File "/usr/lib/python2.7/site-packages/docker/utils/decorators.py", line 20, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/docker/client.py", line 482, in inspect_container
    self._get(self._url("/containers/{0}/json".format(container))),
  File "/usr/lib/python2.7/site-packages/docker/clientbase.py", line 86, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 477, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: no appropriate commonName or subjectAltName fields were found
```

This seems to be caused by docker/docker-py#731

The workaround is to disable hostname validation in the call to the docker-py Client API.
https://docker-py.readthedocs.org/en/latest/boot2docker/

I put the workaround in maestro module entities.py and it worked.
I added this param: assert_hostname=False

to:
https://github.com/signalfuse/maestro-ng/blob/master/maestro/entities.py#L130

@iangkent
Author

iangkent commented Sep 2, 2015

Related issue: docker/machine#1335

@mpetazzoni
Contributor

Thanks for reporting this. This seems like something that should be addressed by docker-machine or docker-py though to make sure it's compatible with all setups. As said in docker/docker-py#731, it feels like a security faux-pas to set assert_hostname=False.

@zsuzhengdu
Contributor

Since docker-py >=1.4.0 is required in https://github.com/signalfx/maestro-ng/blob/master/requirements.txt#L1 and the fix is included in docker-py 1.9.0, it is safe to close this issue NOW when docker-py 1.9.0 will be installed by default.

@mpetazzoni
Contributor

Thanks. I'll keep this open until I bump the docker-py requirement to >= 1.9.0, but I need to assess what that entails first.
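
An added example, not part of the thread and not code from maestro-ng or docker-py: instead of passing `assert_hostname=False`, the names in the engine's certificate can be checked against the address in the ship configuration. It takes a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()` and generalises the reported IP case to DNS names; the sample certificates and the `covers` and `dns_match` helpers are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_IP_SAN = {"subject": ((("organizationName", "constructed-org"),),),
               "subjectAltName": (("IP Address", "192.168.99.100"), ("DNS", "localhost"))}
CERT_NO_NAMES = {"subject": ((("organizationName", "constructed-org"),),)}
CERT_WILDCARD = {"subject": ((("commonName", "ignored.example"),),),
                 "subjectAltName": (("DNS", "*.lab.example"),)}


def dns_match(pattern, host):
    """Compare one certificate DNS name with host; '*' must be the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice made for this example: no wildcard directly under a TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def covers(cert, target):
    """Return (ok, reason): does cert identify target, the host or IP the client connects to?"""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is matched only against iPAddress SANs, never DNS names or CN.
        listed = [v.strip() for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in listed):
            return True, "iPAddress SAN matches %s" % target
        return False, "no iPAddress SAN for %s (listed: %s)" % (target, listed or "none")
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Legacy fallback: commonName is consulted only when no DNS SAN exists.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not names:
        return False, "certificate carries no DNS SAN and no commonName"
    if any(dns_match(n, target) for n in names):
        return True, "DNS name matches %s" % target
    return False, "%s not in certificate names %s" % (target, names)


if __name__ == "__main__":
    for cert, target in [(CERT_IP_SAN, "192.168.99.100"), (CERT_NO_NAMES, "192.168.99.100"),
                         (CERT_WILDCARD, "node1.lab.example")]:
        print(target, covers(cert, target))
```

A `False` result with a reason points at reissuing the engine certificate with the right name or address, which keeps hostname verification enabled.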
