Docker OSX build unable to use SSL protected registry #3683

Closed
jakedt opened this issue Jan 20, 2014 · 12 comments · Fixed by #3956

Comments

@jakedt
Contributor

jakedt commented Jan 20, 2014

git:(master) ✗ docker login ssl-enabled-repostory.com
2014/01/20 10:54:57 Invalid Registry endpoint: Get https://ssl-enabled-repository.com/v1/_ping: x509: failed to load system roots and no roots provided

According to go-nuts, this is because the binary requires CGO to talk to the keychain. I have tried the naive approach of switching on CGO for the Darwin binary build, but you can't cross compile a go binary with CGO enabled.

@GermanDZ
Contributor

Thanks @jakedt, I was suffering the same error. With a custom compiled docker binary for OSX it is working fine.

@tianon
Member

tianon commented Jan 24, 2014

Here's a great thread on the subject: https://groups.google.com/d/topic/golang-nuts/tIK1ON3Pq6s/discussion

I wonder if we should consider bundling the CAs directly in Docker for Darwin (and other cross compiled platforms) as a potential fix.

@benders

benders commented Jan 24, 2014

@tianon Thanks for the link to that thread, it really is a great explanation of the issue.

If cross-compiling is the long term plan for clients, then including a CA bundle directly looks like a good solution. Standalone registries have already made HTTPS support important and it will only become more so with HTTPS auth for the Docker process itself in #3068 .

Switching away from cross-compiling clients would also solve the problem, as well as let the client use any other CGO functions. However, since this would significantly complicate the build chain, it seems like more trouble than it is worth if this is the only bug it fixes.

@ferrouswheel

@GermanDZ How did you custom compile the docker client binary on OSX?

I've tried following several guides that use "go install" (such as https://gist.github.com/mboersma/7954708) but any successful build ends with a binary that has commands prematurely end with a message like 2014/01/30 21:50:56 Error :Not Found. (only with different timestamps)

I'm not very familiar with the go build environment, so I might be doing something really wrong, or I wonder if the changes to use cross compilation for an official docker osx client mean the normal "go install" mechanism no longer works.

@GermanDZ
Contributor

These instructions for building docker for OSX without cross compiling are from @jakedt:

To build, you'll need a working go environment:
http://golang.org/doc/install

Next, you need to checkout the docker code to a specific revision:

git clone https://github.com/dotcloud/docker.git
cd docker
git fetch --tags
git checkout v0.7.5

Next, you need to "go get" some dependencies:

go get code.google.com/p/go.tools/cmd/cover
go get github.com/dotcloud/docker

Next you need to make the version of docker that was go gotten match your local checkout:

cd $GOPATH/src/github.com/dotcloud/docker/
git checkout v0.7.5

Next you need to build the binary using some flags that I scraped by doing the cross compile on linux:

cd <your docker git checkout>
CC=clang go build -o docker-osx -ldflags "-X main.GITCOMMIT \"c348c04fdfb00e\" -X main.VERSION \"0.7.5\" -w" -tags netgo -a ./docker

Some things to note in the command above:

  • you can make the output file called whatever you want, I chose docker-osx to avoid colliding with the official binary that they release
  • the CC=clang tells the downstream go build system to link with the clang libraries instead of the gcc ones, since newer versions of xcode don't ship with gcc, they alias gcc to clang
  • The version is what will appear in the client section when you type "docker version". I don't know if this is checked anywhere

When you're all done, you'll have a docker-osx binary. There may be typos if you try to follow this as a tutorial. If so, sorry about that.

@jakedt
Contributor Author

jakedt commented Jan 30, 2014

I wrote up a blog post here: http://blog.devtable.com/2014/01/using-docker-on-osx-with-private.html

It is basically what @GermanDZ copied from a discussion we had earlier, but I also attached binaries for those who just want to get something working.

@ferrouswheel

Thanks so much @jakedt and @GermanDZ! 👍

@delfuego

delfuego commented Feb 5, 2014

+1

@crosbymichael
Contributor

Just an update here, we are working on this issue.

@joeshaw
Contributor

joeshaw commented Feb 5, 2014

Cross-posting a comment I made on #3946:

A workaround for me was to boot2docker ssh into the VM, then docker login and docker pull my containers by hand in there. All the other docker commands worked ok from OS X.

@joeshaw
Contributor

joeshaw commented Feb 5, 2014

If native compilation is out of the question, I'm in favor of baking in the curl certs (http://curl.haxx.se/ca/cacert.pem). Some example code for how to pull them in is in https://gist.github.com/laher/5795578. (I'd embed them by using https://github.com/jteeuwen/go-bindata)
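
The CA-bundling approach proposed in this thread, as an added example (not part of the thread and not Docker's code): the client builds its trust store from a PEM bundle carried in the binary instead of asking the OS for system roots. The names `clientWithBundledRoots` and `pingStatus` are hypothetical; a local test server stands in for a registry's `/v1/_ping` endpoint, and its own certificate serves as a constructed one-entry bundle.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithBundledRoots returns an HTTP client that trusts only the CAs in
// pemBundle (for example, a cacert.pem compiled into the binary) instead of
// asking the operating system for its root store.
func clientWithBundledRoots(pemBundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBundle) {
		return nil, errors.New("bundled CA file contains no usable certificates")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}, nil
}

// pingStatus starts a local TLS test server standing in for a registry's
// /v1/_ping endpoint and returns the status seen by a client built from the
// server's own certificate, used here as a constructed one-entry CA bundle.
func pingStatus() (int, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }))
	defer srv.Close()

	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := clientWithBundledRoots(bundle)
	if err != nil {
		return 0, err
	}
	resp, err := client.Get(srv.URL + "/v1/_ping")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	status, err := pingStatus()
	fmt.Println(status, err)
}
```

A bundle compiled into the binary is only as current as the release that carries it, so a CA that is later distrusted stays trusted by that client until it is rebuilt with a newer bundle.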

@crosbymichael
Contributor

Just for reference. This is an issue when the client sends out a _ping to the registry when a custom registry is passed via the cli. It does a ping to determine http and https support if the user does not specify it.
