I am getting the following issue while trying to b...
# general
s
I am getting the following issue while trying to build docker image
./pants package build-recipees/amazon_cancelations/Dockerfile 
03:14:35.54 [INFO] Initializing scheduler...
03:14:35.71 [INFO] Scheduler initialized.
03:14:35.75 [WARN] Please either set `enabled = true` in the [anonymous-telemetry] section of pants.toml to enable sending anonymous stats to the Pants project to aid development, or set `enabled = false` to disable it. No telemetry sent for this run. An explicit setting will get rid of this message. See https://www.pantsbuild.org/v2.12/docs/anonymous-telemetry for details.
03:14:43.55 [INFO] Completed: Building dockerfile_parser.pex from dockerfile-parser_default.lock
03:14:43.55 [ERROR] 1 Exception encountered:

  ProcessExecutionFailure: Process 'Building dockerfile_parser.pex from dockerfile-parser_default.lock' failed with exit code 1.
stdout:

stderr:
Traceback (most recent call last):
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 517, in execute
    exit_value = self._wrap_coverage(self._wrap_profiling, self._execute)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 422, in _wrap_coverage
    return runner(*args)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 453, in _wrap_profiling
    return runner(*args)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 576, in _execute
    EntryPoint.parse("run = {}".format(self._pex_info.entry_point))
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 757, in execute_entry
    return self.execute_entry_point(entry_point)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 788, in execute_entry_point
    return runner()
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 768, in main
    env=env,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 788, in do_main
    cache=ENV.PEX_ROOT,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 649, in build_pex
    max_parallel_jobs=pip_configuration.max_jobs,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/result.py", line 84, in try_
    raise ResultError(error=result)
pex.result.ResultError: There was 1 error downloading required artifacts:
1. dockerfile 3.2 from https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
    <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
e
Is this a consistent error if you re-run?:
There was 1 error downloading required artifacts:
1. dockerfile 3.2 from https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
    <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
That is a very surprising error since PyPI is used by lots of people and its SSL certificates should ~always be able to be verified.
s
the error appeared suddenly but it keeps happening
e
What happens when you run:
curl -s -D - -O https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
in the same place you run
./pants package build-recipees/amazon_cancelations/Dockerfile
? I get:
$ curl -D - -s -O https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
HTTP/2 200 
last-modified: Sun, 12 Sep 2021 20:14:54 GMT
etag: "ddaffd905a75838b219c0c626f9df484"
x-goog-generation: 1631477694589562
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1887934
content-type: application/octet-stream
x-goog-hash: crc32c=zMKhvA==
x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
server: UploadServer
cache-control: max-age=365000000, immutable, public
accept-ranges: bytes
date: Fri, 26 Aug 2022 15:06:10 GMT
age: 2047963
x-served-by: cache-bfi-krnt7300088-BFI, cache-sna10729-LGB
x-cache: HIT, HIT
x-cache-hits: 2, 1
x-timer: S1661526370.198481,VS0,VE5
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-header: noindex
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: Range
access-control-allow-origin: *
content-length: 1887934
$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl | head -5
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
s
$ curl -s -D - -O https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
HTTP/2 200 
last-modified: Sun, 12 Sep 2021 20:14:54 GMT
etag: "ddaffd905a75838b219c0c626f9df484"
x-goog-generation: 1631477694589562
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1887934
content-type: application/octet-stream
x-goog-hash: crc32c=zMKhvA==
x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
server: UploadServer
cache-control: max-age=365000000, immutable, public
accept-ranges: bytes
date: Fri, 26 Aug 2022 17:08:07 GMT
age: 2055280
x-served-by: cache-bfi-krnt7300088-BFI, cache-dfw-kdfw8210062-DFW
x-cache: HIT, HIT
x-cache-hits: 1, 1
x-timer: S1661533688.513945,VS0,VE4
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-header: noindex
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: Range
access-control-allow-origin: *
content-length: 1887934
$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl 
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
-rw-r--r--  2.0 unx     3646 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/METADATA
-rw-r--r--  2.0 unx      110 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/WHEEL
-rw-r--r--  2.0 unx       11 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/top_level.txt
?rw-rw-r--  2.0 unx      554 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/RECORD
7 files, 5717806 bytes uncompressed, 1886962 bytes compressed:  67.0%
gleiryserrano@MacBook-Pro-de-Gleiry:~$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl | head -5
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
the same, I can download the file
e
What does this say?:
curl -vvv -s -O https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
That will reveal where curl reads your cert store from and more details about the SSL handshake.
s
curl -vvv -s -O https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl

*   Trying 2a04:4e42:8a::319...
* TCP_NODELAY set
* Connected to files.pythonhosted.org (2a04:4e42:8a::319) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [236 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2881 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.pythonhosted.org
*  start date: Dec 24 19:42:31 2021 GMT
*  expire date: Jan 25 19:42:30 2023 GMT
*  subjectAltName: host "files.pythonhosted.org" matched cert's "*.pythonhosted.org"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x13100aa00)
> GET /packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl HTTP/2
> Host: files.pythonhosted.org
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< last-modified: Sun, 12 Sep 2021 20:14:54 GMT
< etag: "ddaffd905a75838b219c0c626f9df484"
< x-goog-generation: 1631477694589562
< x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 1887934
< content-type: application/octet-stream
< x-goog-hash: crc32c=zMKhvA==
< x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
< server: UploadServer
< cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
< date: Fri, 26 Aug 2022 17:21:25 GMT
< age: 2056077
< x-served-by: cache-bfi-krnt7300088-BFI, cache-dfw-kdfw8210038-DFW
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< x-timer: S1661534485.002076,VS0,VE4
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-robots-header: noindex
< access-control-allow-methods: GET, OPTIONS
< access-control-allow-headers: Range
< access-control-allow-origin: *
< content-length: 1887934
< 
{ [1370 bytes data]
* Connection #0 to host files.pythonhosted.org left intact
* Closing connection 0
e
Does
PANTS_CA_CERTS_PATH=/etc/ssl/cert.pem ./pants ...
help?
s
yes this got solved!!!
e
Ok. You can embed that in your pants.toml as:
[GLOBAL]
ca_certs_path = "/etc/ssl/cert.pem"
See:
+ https://www.pantsbuild.org/docs/reference-global#section-ca-certs-path
+ https://www.pantsbuild.org/docs/restricted-internet-access#setting-up-a-certificate-authority
But! If that path is not valid on all machines Pants will be run on in that repo, you need to get more clever.
Just speak up if you need more guidance, but keywords to search 1st if so are .pants.rc and PANTS_CONFIG_FILES.