我通过 Amazon Elastic Container Service 通过 Rust 和 Rocket 提供 API。每当我将对象放入或获取到 Amazon S3 时,它在本地运行良好,但如果部署在 Amazon ECS 上,我会收到以下运行时错误:
HttpDispatch(HttpDispatchError { message: "The OpenSSL library reported an error" })
当我在我的机器上运行 Docker 映像时也会发生这种情况。
我在发生错误的地方添加了评论:
use super::types::SomeCustomType;
use rusoto_core::{DefaultCredentialsProvider, Region, default_tls_client};
use rusoto_s3::{S3, S3Client, GetObjectRequest};
pub fn load_data_from_s3(object_name: String) -> SomeCustomType {
let credentials = DefaultCredentialsProvider::new().unwrap();
let client = S3Client::new(default_tls_client().unwrap(), credentials, Region::UsWest2);
let mut request = GetObjectRequest::default();
request.bucket = "bucket-name".to_string();
request.key = object_name.to_string();
match client.get_object(&request) {
// *** This is going to fail in docker container on run-time ***
Ok(file) => {
// this part is actually not important for this example,
// so code has been omitted
someCustomType
}
Err(e) => {
println!("{:?}", e); // *** errors out here! ***
SomeCustomType::default()
}
}
}
货运.toml
[dependencies]
brotli="1.0.8"
chrono = "0.3.1"
fnv = "1.0.5"
rusted_cypher = "1.1.0"
rocket = { git = "https://github.com/SergioBenitez/Rocket", rev = "614297eb9bc8fa5d9c54f653dc35b8cc3a22891f" }
rocket_codegen = { git = "https://github.com/SergioBenitez/Rocket", rev = "614297eb9bc8fa5d9c54f653dc35b8cc3a22891f" }
rocket_contrib = { git = "https://github.com/SergioBenitez/Rocket", rev = "614297eb9bc8fa5d9c54f653dc35b8cc3a22891f" }
rusoto_core = "0.25.0"
rusoto_s3 = "0.25.0"
serde = "1.0.8"
serde_json = "1.0.2"
serde_derive = "1.0.8"
这就是我在 macOS 上构建 Docker 映像的方式:
cargo clean &&
docker run -v $PWD:/volume -w /volume -t manonthemat/muslrust cargo build --release &&
docker build -t dockerimagename .
Docker 镜像manonthemat/muslrust本质上是clux/muslrust。我必须构建自己的镜像,因为我需要更新的 Rust 夜间构建。
这是(简化的)Dockerfile,到目前为止对我来说效果很好:
FROM scratch
ADD target/x86_64-unknown-linux-musl/release/project /
CMD ["/project"]
我试图解决这个问题的一些事情......
添加
openssl = "0.9.14"到 Cargo.toml。将我的 Dockerfile 更改为:
FROM alpine:edge ADD target/x86_64-unknown-linux-musl/release/project / RUN apk add --no-cache curl perl openssl-dev ca-certificates linux-headers build-base zsh CMD ["/project"]这也没有改变任何东西,但给了我更多的选择来看看里面。
我将交叉编译步骤更改为
cargo clean:docker run -v $PWD:/volume -w /volume -e RUST_LOG="rusoto,hyper=debug" -e OPENSSL_STATIC=1 -e OPENSSL_DIR=/usr/local -t manonthemat/muslrust cargo build --release --features "logging"构建新的 docker 镜像后,获取一个 shell:
docker run -i -e ROCKET_ENV=prod -e ROCKET_ADDRESS=0.0.0.0 -e RUST_LOG="rusoto,hyper=debug" dockerimagename /bin/zsh在那里,我通过为不存在且没有不同效果的 ssl 证书提供不同的路径来执行我的项目。
在下一次运行中,我将它设置为指向不同的路径:
SSL_CERT_DIR=/etc/ssl/certs /project当打印出client.get_object(&request)调用的错误时,我得到了一个有趣的结果:Unknown("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>...我用 aws-sdk-rust crate 替换了 rusoto
thread 'main' panicked at 'Error dispatching request: HttpDispatchError { message: "the handshake failed" }', /checkout/src/libcore/result.rs:860 stack backtrace:
0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace at ./checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
1: std::sys_common::backtrace::_print at ./checkout/src/libstd/sys_common/backtrace.rs:71
2: std::panicking::default_hook::{{closure}} at ./checkout/src/libstd/sys_common/backtrace.rs:60
at ./checkout/src/libstd/panicking.rs:355
3: std::panicking::default_hook
at ./checkout/src/libstd/panicking.rs:371
4: std::panicking::rust_panic_with_hook
at ./checkout/src/libstd/panicking.rs:549
5: std::panicking::begin_panic
at ./checkout/src/libstd/panicking.rs:511
6: std::panicking::begin_panic_fmt
at ./checkout/src/libstd/panicking.rs:495
7: rust_begin_unwind
at ./checkout/src/libstd/panicking.rs:471
8: core::panicking::panic_fmt
at ./checkout/src/libcore/panicking.rs:69
9: core::result::unwrap_failed
10: <aws_sdk_rust::aws::s3::s3client::S3Client<P, D>>::get_object
11: himitsu::ingest::load_data_from_s3
12: himitsu::ingest::load_data
13: himitsu::main
14: __rust_maybe_catch_panic
at ./checkout/src/libpanic_unwind/lib.rs:98
15: std::rt::lang_start
at ./checkout/src/libstd/panicking.rs:433
at ./checkout/src/libstd/panic.rs:361
at ./checkout/src/libstd/rt.rs:59
我在我的 Mac 上通过 VirtualBox 安装了 Linux 发行版,更新了库,安装了 OpenSSL 头文件和 rust,然后导入了项目。现在我马上收到 SignatureDoesNotMatch 错误。我验证了我可以通过主机的 vpn 通过 https 访问 Neo4j 服务器,因此 SSL 似乎至少可以部分工作。
在 Amazon ECS-Optimized Amazon Linux AMI 2017.03.a 上编译和运行该项目有效。构建 docker 镜像也可以。从该系统内运行 docker 映像不会,因为
standard_init_linux.go:178: exec user process caused "no such file or directory"即使文件存在,它也会返回,具有正确的权限,可以在其上运行其他操作等等......只是不执行它。回滚到没有任何 S3/OpenSSL 依赖项的先前状态时也是如此。这适用于scratch基础alpine图像。但是,如果我使用基础镜像构建 docker 镜像ubuntu,我会运行 S3/OpenSSL 之前的版本。对于带有 rusuto 的版本,即使在安装 OpenSSL 库及其头文件时,我也会收到 OpenSSL 错误。在我的 Mac 上编译 Docker 镜像,推送到私有仓库到 docker hub。通过 ssh 会话将该 docker 映像拉到 EC2 实例上(与 6 中的相同)。现在运行它不会像 6 中那样给我“没有这样的文件或目录”错误,而是好的 ol'
HttpDispatch(HttpDispatchError { message: "The OpenSSL library reported an error" })(现在即使将 SSL_CERTS_DIR=/etc/ssl/certs 传递到容器的环境中)