https://pantsbuild.org/ logo
#general
Title
# general
s

strong-refrigerator-32393

08/26/2022, 8:19 AM
I am getting the following issue while trying to build docker image
Copy code
./pants package build-recipees/amazon_cancelations/Dockerfile 
03:14:35.54 [INFO] Initializing scheduler...
03:14:35.71 [INFO] Scheduler initialized.
03:14:35.75 [WARN] Please either set `enabled = true` in the [anonymous-telemetry] section of pants.toml to enable sending anonymous stats to the Pants project to aid development, or set `enabled = false` to disable it. No telemetry sent for this run. An explicit setting will get rid of this message. See <https://www.pantsbuild.org/v2.12/docs/anonymous-telemetry> for details.
03:14:43.55 [INFO] Completed: Building dockerfile_parser.pex from dockerfile-parser_default.lock
03:14:43.55 [ERROR] 1 Exception encountered:

  ProcessExecutionFailure: Process 'Building dockerfile_parser.pex from dockerfile-parser_default.lock' failed with exit code 1.
stdout:

stderr:
Traceback (most recent call last):
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 517, in execute
    exit_value = self._wrap_coverage(self._wrap_profiling, self._execute)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 422, in _wrap_coverage
    return runner(*args)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 453, in _wrap_profiling
    return runner(*args)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 576, in _execute
    EntryPoint.parse("run = {}".format(self._pex_info.entry_point))
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 757, in execute_entry
    return self.execute_entry_point(entry_point)
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/unzipped_pexes/6059500ace72ed792367231dcc84ab6e7c3b99f0/.bootstrap/pex/pex.py", line 788, in execute_entry_point
    return runner()
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 768, in main
    env=env,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 788, in do_main
    cache=ENV.PEX_ROOT,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/bin/pex.py", line 649, in build_pex
    max_parallel_jobs=pip_configuration.max_jobs,
  File "/Users/gleiryserrano/.cache/pants/named_caches/pex_root/installed_wheels/6242b902db69f59e1092b406655c0fb1634486c47ce563f5fd27277cf4561822/pex-2.1.90-py2.py3-none-any.whl/pex/result.py", line 84, in try_
    raise ResultError(error=result)
pex.result.ResultError: There was 1 error downloading required artifacts:
1. dockerfile 3.2 from <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
    <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
e

enough-analyst-54434

08/26/2022, 12:41 PM
Is this a consistent error if you re-run?:
Copy code
There was 1 error downloading required artifacts:
1. dockerfile 3.2 from <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
    <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)>
That is a very surprising error since PyPI is used by lots of people and its SSL certificates should ~always be able to be verified.
s

strong-refrigerator-32393

08/26/2022, 2:12 PM
the error appeared suddenly but it keeps happening
e

enough-analyst-54434

08/26/2022, 3:07 PM
What happens when you run:
Copy code
curl -s -D - -O <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
in the same place you run
./pants package build-recipees/amazon_cancelations/Dockerfile
? I get:
Copy code
$ curl -D - -s -O <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
HTTP/2 200 
last-modified: Sun, 12 Sep 2021 20:14:54 GMT
etag: "ddaffd905a75838b219c0c626f9df484"
x-goog-generation: 1631477694589562
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1887934
content-type: application/octet-stream
x-goog-hash: crc32c=zMKhvA==
x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
server: UploadServer
cache-control: max-age=365000000, immutable, public
accept-ranges: bytes
date: Fri, 26 Aug 2022 15:06:10 GMT
age: 2047963
x-served-by: cache-bfi-krnt7300088-BFI, cache-sna10729-LGB
x-cache: HIT, HIT
x-cache-hits: 2, 1
x-timer: S1661526370.198481,VS0,VE5
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-header: noindex
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: Range
access-control-allow-origin: *
content-length: 1887934
$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl | head -5
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
s

strong-refrigerator-32393

08/26/2022, 5:13 PM
Copy code
$ curl -s -D - -O <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
HTTP/2 200 
last-modified: Sun, 12 Sep 2021 20:14:54 GMT
etag: "ddaffd905a75838b219c0c626f9df484"
x-goog-generation: 1631477694589562
x-goog-metageneration: 1
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 1887934
content-type: application/octet-stream
x-goog-hash: crc32c=zMKhvA==
x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
server: UploadServer
cache-control: max-age=365000000, immutable, public
accept-ranges: bytes
date: Fri, 26 Aug 2022 17:08:07 GMT
age: 2055280
x-served-by: cache-bfi-krnt7300088-BFI, cache-dfw-kdfw8210062-DFW
x-cache: HIT, HIT
x-cache-hits: 1, 1
x-timer: S1661533688.513945,VS0,VE4
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: deny
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-header: noindex
access-control-allow-methods: GET, OPTIONS
access-control-allow-headers: Range
access-control-allow-origin: *
content-length: 1887934
$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl 
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
-rw-r--r--  2.0 unx     3646 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/METADATA
-rw-r--r--  2.0 unx      110 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/WHEEL
-rw-r--r--  2.0 unx       11 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/top_level.txt
?rw-rw-r--  2.0 unx      554 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/RECORD
7 files, 5717806 bytes uncompressed, 1886962 bytes compressed:  67.0%
gleiryserrano@MacBook-Pro-de-Gleiry:~$ zipinfo dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl | head -5
Archive:  dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl
Zip file size: 1887934 bytes, number of entries: 7
-rw-r--r--  2.0 unx     2190 b- defN 21-Sep-12 20:11 dockerfile.abi3.h
-rw-r--r--  2.0 unx  5710236 b- defN 21-Sep-12 20:11 dockerfile.abi3.so
-rw-r--r--  2.0 unx     1059 b- defN 21-Sep-12 20:11 dockerfile-3.2.0.dist-info/LICENSE
the same, I can download the file
e

enough-analyst-54434

08/26/2022, 5:20 PM
What does this say?:
Copy code
curl -vvv -s -O <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>
That will reveal where curl reads you cert store from and more details about the SSL handshake.
s

strong-refrigerator-32393

08/26/2022, 5:22 PM
Copy code
curl -vvv -s -O <https://files.pythonhosted.org/packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl>

*   Trying 2a04:4e42:8a::319...
* TCP_NODELAY set
* Connected to <http://files.pythonhosted.org|files.pythonhosted.org> (2a04:4e42:8a::319) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [236 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2881 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.<http://pythonhosted.org|pythonhosted.org>
*  start date: Dec 24 19:42:31 2021 GMT
*  expire date: Jan 25 19:42:30 2023 GMT
*  subjectAltName: host "<http://files.pythonhosted.org|files.pythonhosted.org>" matched cert's "*.<http://pythonhosted.org|pythonhosted.org>"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Atlas R3 DV TLS CA H2 2021
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x13100aa00)
> GET /packages/9e/19/0f56ebd6d535832bfbe7c4f16c983c08ab8e01927fe9ae15e1afcfa88996/dockerfile-3.2.0-cp36-abi3-macosx_10_14_x86_64.whl HTTP/2
> Host: <http://files.pythonhosted.org|files.pythonhosted.org>
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< last-modified: Sun, 12 Sep 2021 20:14:54 GMT
< etag: "ddaffd905a75838b219c0c626f9df484"
< x-goog-generation: 1631477694589562
< x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 1887934
< content-type: application/octet-stream
< x-goog-hash: crc32c=zMKhvA==
< x-goog-hash: md5=3a/9kFp1g4shnAxib530hA==
< server: UploadServer
< cache-control: max-age=365000000, immutable, public
< accept-ranges: bytes
< date: Fri, 26 Aug 2022 17:21:25 GMT
< age: 2056077
< x-served-by: cache-bfi-krnt7300088-BFI, cache-dfw-kdfw8210038-DFW
< x-cache: HIT, HIT
< x-cache-hits: 1, 1
< x-timer: S1661534485.002076,VS0,VE4
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-content-type-options: nosniff
< x-robots-header: noindex
< access-control-allow-methods: GET, OPTIONS
< access-control-allow-headers: Range
< access-control-allow-origin: *
< content-length: 1887934
< 
{ [1370 bytes data]
* Connection #0 to host <http://files.pythonhosted.org|files.pythonhosted.org> left intact
* Closing connection 0
e

enough-analyst-54434

08/26/2022, 5:27 PM
Does
PANTS_CA_CERTS_PATH=/etc/ssl/cert.pem ./pants ...
help?
s

strong-refrigerator-32393

08/26/2022, 5:36 PM
yes this got solved!!!
e

enough-analyst-54434

08/26/2022, 5:41 PM
Ok. You can embed that in your pants.toml as:
Copy code
[GLOBAL]
ca_certs_path = "/etc/ssl/cert.pem"
See: + https://www.pantsbuild.org/docs/reference-global#section-ca-certs-path + https://www.pantsbuild.org/docs/restricted-internet-access#setting-up-a-certificate-authority
But! If that path is not valid on all machines Pants will be run on in that repo, you need to get more clever.
Just speak up if you need more guidance, but keywords to search 1st if so are .pants.rc and PANTS_CONFIG_FILES.
🙌 1
7 Views