Docker works, docker-compose fails

I ran into a funny issue yesterday. I was attempting to resurrect an old project (made with fig) using fig’s successor project, docker-compose. For reasons that will make sense in a minute, it’s worth noting that I’m on a mac, and all of the software under discussion was installed with homebrew. Running docker on a mac, means I’m also using boot2docker.

Plain old docker works fine:

$ docker run -it debian:latest bash
Unable to find image 'debian:latest' locally
latest: Pulling from debian
39bb80489af7: Pull complete 
df2a0347c9d0: Already exists 
debian:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
Digest: sha256:a25306f3850e1bd44541976aa7b5fd0a29beabc137f65acbac34d6918807fd6e
Status: Downloaded newer image for debian:latest
root@f51234099263:/# 

docker-compose, fails hard:

$ docker-compose up
SSL error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

A certificate problem doesn’t make any sense– docker depends on the same certificate files.

Google produced a number of false leads, but I landed on a discussion thread on Github that suggested that there is something broken about OpenSSL 1.0.2.

The comment I linked to above, suggests that I can use Homebrew to switch back to OpenSSL 1.0.1.

brew switch openssl 1.0.1j_1

But,  that presumes that I had the version in question installed at some point. Homebrew doesn’t actually delete old versions until you tell it to, so you can always use ‘brew switch’ to restore a previously installed version.

How do you install an old version, though? Homebrew doesn’t make this obvious at all. To do that, you need to locate the relevant “recipe”  file in the homebrew git repository, and identify the moment in time (in the form of a commit hash) when the software  version you want was current.

Here is the file in question. It seems like the right commit to use is ‘b5cffc8d5fc41540a41ed4deba23afbb6431435e’.

Now what? You have to roll your entire homebrew install down to that commit. In my case, homebrew was installed in /usr/local/homebrew.

$ cd /usr/local/homebrew/
$ git checkout b5cffc8d5fc41540a41ed4deba23afbb6431435e
Note: checking out 'b5cffc8d5fc41540a41ed4deba23afbb6431435e'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at b5cffc8... openssl: update 1.0.1l bottle.

Then, you can ‘brew install openssl’, and you’ll get the correct version. After that, docker-compose will work.

$ docker-compose up
Creating solr_1...
Building solr...
...

RHEL Notes II: The least asinine way to get Docker on RHEL Workstation?

In the previous dispatch, I whined about Docker not being easily installable on RHEL Workstation. I also spent some time explaining the relationship between Fedora and RHEL.

The solution to my Docker problem comes from another interesting part of the Red Hat ecosystem: ‘rebuild’ distributions.

Just because Red Hat charges a bunch of money for RHEL licenses, it doesn’t stop being Free Software. All of the source code that makes up RHEL is available online. What stops anyone from using that code to compile and sell copies of RHEL? The surprising answer is “trademarks”. You are free to distribute an operating system built from the RHEL source code. You just can’t call it “Red Hat” or “RHEL”, or include any of their other trademarks.

So, several projects have sprung up to do that, most notably Scientific Linux and CentOS. These projects produce operating systems that are functionally identical to RHEL, but are available without licenses and subscriptions. One handy side effect of this, is that a package built for RHEL will work on these derivatives, and likewise, a package built for any of the RHEL-alikes will work just fine on RHEL.

Back to Docker. The CentOS folks have included Docker in their “extras” repository. I created a .repo file (stored in /etc/yum.repos.d) that instructs my system to include CentOS Extras when it searches for software.

[extras]
name=CentOS-7 - Extras
baseurl=http://mirror.centos.org/centos/7/extras/x86_64/
enabled=1
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/7.1.1503/os/x86_64/RPM-GPG-KEY-CentOS-7
priority=1
includepkgs=docker* golang*

Then, it’s a simple matter of:

yum install docker docker-selinux

# if you want to run docker using a non-root account:
groupadd docker
usermod -a -G docker <account name>

# if you're logged into that account, log out and back in a again for the group change to become effective

Then you can docker all damn day.

Running Jenkins in Docker

 

updated 5/14 to include docker-selinux in the install instructions