Balena preload fails when using certificates

Hello everyone,

I have a very strange problem I am unable to fix.

I am using balena preload to give my devices a preloaded image of my app.
Now I want to include some self-signed certificates while preloading.

I am using docker-compose with multiple containers.

Normally I am using this snippet to preload:
balena preload balena-cloud-viehhofstrasse-raspberrypi3-2.51.1+rev1-dev-v11.4.10.img --app viehhofstrasse

I have just added the options for the certificates, but I am always getting an error:
balena preload balena-cloud-viehhofstrasse-raspberrypi3-2.51.1+rev1-dev-v11.4.10.img --app viehhofstrasse --ca "root-cacert.pem" --cert "viehhofstrasse_gate_01-cert.pem" --key "viehhofstrasse_gate_01.key"

I have run the command with debug option enabled but only getting this as output:
[debug] original argv0="/usr/local/lib/balena-cli/bin/node" argv=[/usr/local/lib/balena-cli/bin/node,/usr/local/lib/balena-cli/bin/run,preload,balena-cloud-viehhofstrasse-raspberrypi3-2.51.1+rev1-dev-v11.4.10.img,--app,viehhofstrasse,--ca,root-cacert.pem,--cert,viehhofstrasse_gate_01-cert.pem,--key,viehhofstrasse_gate_01.key] length=12
(node:4679) ExperimentalWarning: The fs.promises API is experimental
Docker seems to be unavailable. Is it installed and running?

For help, visit our support forums: https://forums.balena.io
For bug reports or feature requests, see: https://github.com/balena-io/balena-cli/issues/

I have upgraded to the latest CLI version, which added the "(node:4679) ExperimentalWarning: The fs.promises API is experimental" warning.

It always tells me Docker is unavailable, although the normal command without certificates works.
I already tried specifying dockerHost with docker and dockerPort with 2375, but this did not solve the problem.

I have got following version and os running:
macOS 10.15.5
Docker Desktop 2.3.0.3

I also tried just restarting but this did not solve it.
For my part, I cannot test the issue any further, but it only happens with the certificate options specified.

Are there other options I need to specify when using certificates?

Thanks in advance
Sebastian

Hello,
You can ignore the "ExperimentalWarning: The fs.promises API is experimental" warnings.

If you want to add some certificates to the preloaded image, you need to use the --add-certificate option, not --ca, --cert and --key, which are for the computer running the CLI:

--add-certificate <certificate.crt>  Add the given certificate (in PEM format) to /etc/ssl/certs in the preloading container. The file name must end with '.crt' and must not be already contained in the preloader's /etc/ssl/certs folder. Can be repeated to add multiple certificates.
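As an added example (not part of this thread and not balena's own code), the following POSIX shell snippet pre-checks a file before it is handed to `balena preload --add-certificate`. It enforces the two requirements quoted above (PEM content, a name ending in `.crt`) and additionally refuses any file that carries a private key, because whatever is passed to this option is copied into `/etc/ssl/certs` of every device built from the image. The function names, the `preload_command` helper that only prints the resulting command line, and the sample files (placeholder text, not real certificates or keys) are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not balena's code: pre-flight checks for files destined for
# `balena preload --add-certificate`.

check_add_certificate() {
  f="$1"
  # Documented requirement 1: the file name must end in .crt.
  case "$f" in
    *.crt) ;;
    *) echo "refuse: '$f' must end in .crt (a PEM file can simply be renamed)" >&2
       return 1 ;;
  esac
  if [ ! -r "$f" ]; then
    echo "refuse: '$f' is not readable" >&2
    return 1
  fi
  # Extra safety: a trust-store entry must never contain key material.
  if grep -q 'PRIVATE KEY-----' "$f"; then
    echo "refuse: '$f' contains a private key; only public certificates belong in the image" >&2
    return 1
  fi
  # Documented requirement 2: PEM format, i.e. at least one certificate block
  # (a DER-encoded file has none; `grep -c` prints 0 and exits 1 in that case).
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  if [ "$certs" -lt 1 ]; then
    echo "refuse: '$f' has no PEM certificate block (DER can be converted with: openssl x509 -inform DER -in FILE -out FILE.crt)" >&2
    return 1
  fi
  echo "ok: '$f' ($certs PEM certificate block(s))"
  return 0
}

# Build the preload command line from checked files. It only prints the
# command, so nothing here touches Docker or the image.
preload_command() {
  image="$1"; app="$2"; shift 2
  cmd="balena preload $image --app $app"
  for c in "$@"; do
    check_add_certificate "$c" >/dev/null || return 1
    cmd="$cmd --add-certificate $c"
  done
  echo "$cmd"
}

# Constructed sample files (placeholder bodies, not real certificates or keys).
DEMO_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderBody' '-----END CERTIFICATE-----' > "$DEMO_DIR/root-cacert.crt"
cp "$DEMO_DIR/root-cacert.crt" "$DEMO_DIR/root-cacert.pem"   # right content, wrong file name
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEplaceholderKey' '-----END PRIVATE KEY-----' > "$DEMO_DIR/gate_01.crt"   # key mislabelled as .crt
printf 'not pem at all\n' > "$DEMO_DIR/junk.crt"

# Demo run: each refused file reports the reason on stderr.
for f in root-cacert.crt root-cacert.pem gate_01.crt junk.crt; do
  check_add_certificate "$DEMO_DIR/$f" || true
done
preload_command balena-cloud-viehhofstrasse-raspberrypi3-2.51.1+rev1-dev-v11.4.10.img viehhofstrasse "$DEMO_DIR/root-cacert.crt"
```

Since the option wants PEM content, renaming a `.pem` certificate to `.crt` is all that is needed; the private-key check exists because the same directory usually also holds the device key that belonged with `--key`, and pointing `--add-certificate` at it by mistake would ship that key to every device.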

Ah I completely misunderstood the CLI options. This also explains why the CLI thought Docker was not reachable.

Oh, I am actually receiving another error:

Exception in thread background thread for pid 114:
Traceback (most recent call last):
  File "/usr/lib/python3.6/threading.py", line 916, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3.6/threading.py", line 864, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/lib/python3.6/site-packages/sh.py", line 1540, in wrap
    fn(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/sh.py", line 2459, in background_thread
    handle_exit_code(exit_code)
  File "/usr/lib/python3.6/site-packages/sh.py", line 2157, in fn
    return self.command.handle_command_exit_code(exit_code)
  File "/usr/lib/python3.6/site-packages/sh.py", line 815, in handle_command_exit_code
    raise exc
sh.ErrorReturnCode_1:

  RAN: /usr/local/bin/dockerd --storage-driver=aufs --data-root=/tmp/tmp8b_s0klh/docker --host=tcp://0.0.0.0:51301

  STDOUT:


  STDERR:
time="2020-07-01T12:28:18.813695843Z" level=warning msg="[!] DON'T BIND ON ANY IP ADDRESS WITHOUT setting --tlsverify IF YOU DON'T KNOW WHAT YOU'RE DOING [!]"
time="2020-07-01T12:28:18.814356046Z" level=info msg="libcontainerd: started new docker-containerd process" pid=135
time="2020-07-01T12:28:18Z" level=info msg="starting containerd" module=containerd revision=89623f28b87a6004d4b785663257362d1658a729 version=v1.0.0
time="2020-07-01T12:28:18Z" level=info msg="setting subreaper..." module=containerd
time="2020-07-01T12:28:18Z" level=info msg="changing OOM score to -500" module=containerd
time="2020-07-01T12:28:18Z" level=info msg="loading plugin "io.containerd.content.v1.content"..." module=containerd type=io.containerd.content.v1
tim... (3787 more, please see e.stderr)

I have run this command:
balena preload balena-cloud-viehhofstrasse-raspberrypi3-2.51.1+rev1-dev-v11.4.10.img --app viehhofstrasse --add-certificate viehhofstrasse_gate_01-cert.crt

Hi,

Just to clarify, you have Docker running on your Mac, correct? Are you able to run containers on it (not with balena)? Also, the entry following --app should be the application ID, not its name. Have you tried that? Preload docs.

John

Hi,

The app name should be fine in your command, but a colleague pointed out that aufs is needed for preloading RPi 3 images. Docker removed that in later versions for the Mac. You’ll need to either use an older version of Docker < 18.09 (such as 17.03.0) on your Mac or use Ubuntu to get preload to work properly.

John

Yes you were right it was because of aufs.
Is there a plan to fix this at some point and not only support aufs?

There has been some ongoing work on aufs to overlay2 migration recently, but there is not currently a timeframe we could share on this.