[GODRIVER-1451] Unable to connect to Atlas with multiple stage docker build Created: 20/Dec/19  Updated: 10/Jan/20  Resolved: 10/Jan/20

Status: Closed
Project: Go Driver
Component/s: Connections
Affects Version/s: 1.1.3
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Yong Wei Lun Assignee: Divjot Arora (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MacOS Docker Server: 19.03.5
Go: 1.13



 Description   

I was able to connect to Atlas with a single-stage Docker build. However, when I switch to a multi-stage Docker build to optimise the image, it cannot connect to Atlas, without any change to the code.

 

Go code

 

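import (
	"context"
	"log"
	"time"

	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
	"go.mongodb.org/mongo-driver/mongo/readpref"
)

// connect is an assumed wrapper name; the snippet was posted as a fragment.
func connect() (*mongo.Client, error) {
	url := "mongodb+srv://<USERNAME>:<PASSWORD>@cluster0-7odzu.mongodb.net/test?retryWrites=true&w=majority"

	// Check the error before logging that the client was created.
	client, err := mongo.NewClient(options.Client().ApplyURI(url))
	if err != nil {
		log.Fatal(err)
	}
	log.Println("db client created")

	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
	defer cancel()

	// Connect only starts background monitoring; it does not wait for a TLS handshake.
	err = client.Connect(ctx)
	if err != nil {
		return nil, err
	}
	log.Println("db client connected")

	// Ping needs a selected server, so handshake failures surface here.
	err = client.Ping(ctx, readpref.Primary())
	if err != nil {
		return nil, err
	}
	log.Println("db client ping")
	return client, nil
}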

 

 

Dockerfile

 

FROM golang:1.13 as build-env
RUN mkdir /medicbot
WORKDIR /medicbot
COPY go.mod .
COPY go.sum .
 
RUN go mod download
COPY . .
 
RUN go build -o /go/bin/example
EXPOSE 5000
ENTRYPOINT ["/go/bin/example"]
 
# Build the binary
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o /go/bin/example
FROM scratch
COPY --from=build-env /go/bin/example /go/bin/example
EXPOSE 5000
ENTRYPOINT ["/go/bin/example"]

 

Current console output

 

2019/12/20 12:00:54 db.go:34: db client created
2019/12/20 12:00:54 db.go:46: db client connected
2019/12/20 12:01:14 main.go:28: context deadline exceeded

 

 

Expected console output (when using single stage docker build)

 

2019/12/20 11:57:28 db client created
2019/12/20 11:57:28 db client connected
2019/12/20 11:57:28 db client ping

 

 



 Comments   
Comment by Divjot Arora (Inactive) [ 10/Jan/20 ]

weilun_95@hotmail.com,

I believe you would have to add the certificate. From what I understand, the issue is that the Docker image requires the certificate to be manually installed. Even if you are using X509-based authentication, the initial TLS handshake will fail because the system doesn't trust the certificate. I'm going to go ahead and close this ticket. Feel free to comment on it again or open a new ticket if you run into any other issues.

 

– Divjot
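The failure described in this comment, reproduced offline as an added example (not code from the ticket or from the Go driver): a Go TLS client handshakes with a local test server once with no CA bundle file present, as in a bare scratch image, and once after the server's CA has been written to a bundle file, which is what copying ca-certificates.crt into the image achieves. The bundle path, the helper names and the test server's certificate are assumptions made for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// poolFromBundle loads a PEM CA bundle such as /etc/ssl/certs/ca-certificates.crt.
// A missing file yields an empty pool, which models the bare scratch image.
func poolFromBundle(path string) *x509.CertPool {
	pool := x509.NewCertPool()
	if pemBytes, err := os.ReadFile(path); err == nil {
		pool.AppendCertsFromPEM(pemBytes)
	}
	return pool
}

// handshake dials addr over TLS trusting only roots; nil means the chain verified.
func handshake(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
	if err == nil {
		conn.Close()
	}
	return err
}

// demo handshakes with a local httptest server (constructed certificate) before and after its CA is written to path.
func demo(path string) (before, after error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	before = handshake(addr, poolFromBundle(path))
	ca := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	if err := os.WriteFile(path, ca, 0644); err != nil {
		return before, err
	}
	return before, handshake(addr, poolFromBundle(path))
}

func main() {
	path := os.TempDir() + "/demo-ca-certificates.crt" // hypothetical stand-in path
	defer os.Remove(path)
	before, after := demo(path)
	fmt.Printf("before: %v\nafter:  %v\n", before, after)
}
```

The first handshake fails with the same `x509: certificate signed by unknown authority` error shown in the server selection output; the second returns nil once the bundle file exists.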

Comment by Yong Wei Lun [ 10/Jan/20 ]

Hi Divjot,
If I were using X509-enabled clusters, I would not need to add the certificate as in the comment above, right?

Comment by Yong Wei Lun [ 10/Jan/20 ]

Hi Divjot, it works!

Here is the final Dockerfile

 

FROM golang:1.13-alpine as build-env
RUN apk --no-cache add ca-certificates
RUN mkdir /app
WORKDIR /app
COPY go.mod .
COPY go.sum .
COPY . .
 
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -o /go/bin/example
 
FROM scratch
COPY --from=build-env /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build-env /go/bin/example /go/bin/example
EXPOSE 5000
ENTRYPOINT ["/go/bin/example"]

 

 

Comment by Divjot Arora (Inactive) [ 07/Jan/20 ]

Hi weilun_95@hotmail.com,

I did some investigation and it seems like the Docker scratch image requires you to manually install certificates. See https://stackoverflow.com/questions/52969195/docker-container-running-golang-http-client-getting-error-certificate-signed-by for an example. Also, as an aside, I tried spinning up an Atlas M0 cluster with X509 authentication enabled and saw that Atlas only supports X509 auth on M10+ clusters. Can you take a look at the link and see if adding the certificate solves your issue?

Comment by Divjot Arora (Inactive) [ 07/Jan/20 ]

weilun_95@hotmail.com,

Thanks for the output. The root cause seems to be some sort of X509 certificate signing issue. At this point, I'm not sure why this works on one Docker image but not another. I'm investigating what could cause the issue and will write a new comment on this ticket once I have some ideas.

Comment by Yong Wei Lun [ 07/Jan/20 ]

Hi Divjot, here is the error output after switching to context.TODO() for the Connect and Ping operations, with the scratch image.

 

2020/01/07 16:11:11 db.go:33: db client created
2020/01/07 16:11:11 db.go:45: db client connected
2020/01/07 16:11:41 main.go:28: server selection error: server selection timeout
current topology: Type: ReplicaSetNoPrimary
Servers:
Addr: cluster0-shard-00-00-7odzu.mongodb.net:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: certificate signed by unknown authority
Addr: cluster0-shard-00-01-7odzu.mongodb.net:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: certificate signed by unknown authority
Addr: cluster0-shard-00-02-7odzu.mongodb.net:27017, Type: Unknown, State: Connected, Average RTT: 0, Last error: connection() : x509: certificate signed by unknown authority
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xad4275]

 

 

By the way, I am using an Atlas free-tier M0 cluster on GCP in Singapore, if that information helps.

 

Is it that the Ping operation requires something from Linux or C/C++ that is not available in the scratch image, so it does not work on scratch but works on the alpine image?

 

Comment by Divjot Arora (Inactive) [ 07/Jan/20 ]

Hi weilun_95@hotmail.com,

Can you try running this example with context.TODO() instead of the 20-second context? If the Ping operation cannot find a suitable server within 30 seconds, it will return a server selection error, which will report the state of the cluster from the driver's perspective. This error output might help clarify what's going on.

Comment by Yong Wei Lun [ 20/Dec/19 ]

I tried to change the base image from `scratch` to `alpine`. It works. Any reason?
