SSL握手不适用于Docker容器

时间:2019-01-15 16:17:21

标签: docker ssl docker-compose

我需要在docker容器上调用一个资源,该资源需要L2TP/IPsec VPN。 VPN设置正常(直接从笔记本电脑调用它时,我得到200状态代码响应)。但是然后我从docker容器连接中塞住了ssl handshake.

我应该如何设置docker so容器,使其行为与笔记本电脑中的行为相同?

Python追溯

Traceback (most recent call last):
  File "/sp/server/env/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/sp/server/env/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 844, in _validate_conn
    conn.connect()
  File "/sp/server/env/lib/python3.6/site-packages/requests/packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/sp/server/env/lib/python3.6/site-packages/requests/packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/local/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/usr/local/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
socket.timeout: _ssl.c:835: The handshake operation timed out

dockerfiles / ServerDockerfile 

FROM python:3.6-jessie

RUN pip install virtualenv

ADD . /sp
WORKDIR /sp/server

# Register api port
EXPOSE 8090

CMD make run

docker-compose.yml 

version: '3'
services:
  server:
    restart: always
    build:
      context: .
      dockerfile: dockerfiles/ServerDockerfile
    volumes:
      - .:/sp
    ports:
      - "8090:8090"

我试图从我在计算机上拥有的其他docker容器中调用相同的资源,而且情况始终相同-卡在ssl握手中。

2 个答案:

答案 0 :(得分:1)

您可以跑步

docker logs <container name> -f

并捕获尝试的SSL握手的输出是什么?

您可能需要在容器中使用SSL证书才能使用SSL连接到服务器。您可以使用Dockerfile将证书添加到图像中:

FROM openjdk:8-jre-alpine
COPY target/app.jar /opt/spring-cloud/lib/
COPY certs/ssl.cer $JAVA_HOME/lib/security
RUN \
  cd $JAVA_HOME/lib/security \
  && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias edlscert -file edls.cer
ENTRYPOINT ["/usr/bin/java"]
CMD ["-jar", "/opt/spring-cloud/lib/app.jar"]
VOLUME /var/lib/spring-cloud/config-repo
EXPOSE 9101

但是,这种方法有局限性,更好的解决方案可能是在部署时将.cer作为docker-compose文件的一部分提供。无论如何,您都需要一个证书才能通过SSL / HTTPS与外部服务进行通信。

答案 1 :(得分:1)

我通过将docker-compose.yml network_mode参数值设置为host解决了我的问题。

docker-compose.yml: 

version: '3'
services:
  server:
    restart: always
    build:
      context: .
      dockerfile: dockerfiles/ServerDockerfile
    volumes:
      - .:/sp  # mount repo dir to container for development
    ports:
      - "8090:8090"
    network_mode: "host"
相关问题
最新问题