[BUG] Communicating with pyarmor-auth failed in docker rootless mode
dongyi-kim opened this issue · comments
Hi there ✋
We are using pyarmor group license and trying to build up docker-based CI system.
And we are using docker rootless mode in our CI server, so we can't directly use namespace like host.docker.internal.
To inject host IP to pyarmor CLI, we've tried below two methods independently, but both produced same error
method1 in host
docker run -it --add-host=host.docker.internal:10.100.0.xx python:3.11 bash
method2 in container
PYARMOR_DOCKER_HOST=10.100.0.xx pyarmor reg pyarmor-device-regfile-xxxx2.zip
PYARMOR_DOCKER_HOST=10.100.0.xx pyarmor gen --enable-rft foo.py
We've already checked that it works fine in a normal Ubuntu desktop (without docker-rootless), but this problem happens the same with rootless mode.
what's happening
It produces invalid license token error when I try pyarmor gen
pyarmor auth log on host
dongyi.kim@xxxxx:~/rad-4675-pyarmor-test$ pyarmor-auth pyarmor-device-regfile-xxxx.zip
2024-03-19 03:41:30,913: work path: /home/dongyi.kim/.pyarmor/docker
2024-03-19 03:41:30,914: register "pyarmor-device-regfile-xxxx.zip"
2024-03-19 03:41:30,920: machine id in group license: m56d965f4782ddba2a80d051d38f2e359
2024-03-19 03:41:30,921: got machine id: m56d965f4782ddba2a80d051d38f2e359
# on registration
2024-03-19 03:41:30,921: this machine id matchs group license
2024-03-19 03:41:30,922: listen container auth request on 0.0.0.0:29092
2024-03-19 03:45:56,102: receive request from ('10.100.0.xx', 39372)
2024-03-19 03:45:56,102: send auth result to ('10.100.0.xx', 39372)
# on gen
2024-03-19 03:46:11,289: receive request from ('10.100.0.xx', 53044)
2024-03-19 03:46:11,289: unknown packet b''
container log
Please also provide necessary log (but not full log), for example, the whole command options pyarmor gen and first 4 logs in the console, paste the text directly, DO NOT paste IMAGE
it looks like it lost its license after first gen failure
root@f330c4e0cf33:/workdir# pyarmor reg pyarmor-device-regfile-xxxx.zip
INFO Python 3.11.8
INFO Pyarmor 8.5.1 (trial), 000000, non-profits
INFO Platform linux.x86_64
INFO register "pyarmor-device-regfile-xxxx.zip"
INFO machine id in group license: m56d965f4782ddba2a80d051d38f2e359
INFO got machine id: mda9c9a0a148c44948b2b22bdc52a686a
INFO got machine id: lda9c9a0a148c44948b2b22bdc52a686a
INFO got machine id: i23989dddd9f3e5fdfb54f2366d2539c7
INFO got machine id: kef23882c3eb0a873ea2e80345b47e4e9
INFO got machine id: gef23882c3eb0a873ea2e80345b47e4e9
INFO got machine id: b7e6cc801906e02495cfa1a347e31a78e
INFO no machine id matchs this group license
INFO take this machine as docker container, and connect to docker host for authentication...
INFO got docker host machine id: m56d965f4782ddba2a80d051d38f2e359
INFO got docker host machine id: l56d965f4782ddba2a80d051d38f2e359
INFO got docker host machine id: i56d965f4782ddba2a80d051d38f2e359
INFO got docker host machine id: k0ccd3199b2aa88e50940d44994fdb3c0
INFO got docker host machine id: g9cbeee8f182ce55f82d175dfc70415c0
INFO got docker host machine id: b250826e948c6e57264193409412c7586
INFO This license registration information:
License Type : pyarmor-group
License No. : pyarmor-vax-xxxxxx
License To : xxxx Inc.
License Product : xxxx yyyyyy
BCC Mode : Yes
RFT Mode : Yes
Notes
* Offline obfuscation
root@f330c4e0cf33:/workdir# pyarmor gen -O dist --assert-call foo.py
INFO Python 3.11.8
INFO Pyarmor 8.5.1 (group), xxxxxx, xxxx yyyyy
INFO Platform linux.x86_64
INFO search inputs ...
INFO find script foo.py
INFO find 1 top resources
ERROR invalid license token, try to run `pyarmor reg` to register license again
ERROR somthing is wrong
*=============================================================*
* Please enable debug option `-d` to run it again *
* pyarmor -d gen options ... *
* *
* Then check console log to find more information *
* *
* Please also check *
* https://pyarmor.readthedocs.io/en/latest/questions.html *
* or run `pyarmor man` to find solutions quickly *
*=============================================================*
root@f330c4e0cf33:/workdir# pyarmor gen -O dist --assert-call foo.py
INFO Python 3.11.8
INFO Pyarmor 8.5.1 (trial), 000000, non-profits
INFO Platform linux.x86_64
INFO search inputs ...
INFO find script foo.py
INFO find 1 top resources
ERROR request license token failed (3): <h1>Server Error (500)</h1>
ERROR somthing is wrong
*=============================================================*
* Please enable debug option `-d` to run it again *
* pyarmor -d gen options ... *
* *
* Then check console log to find more information *
* *
* Please also check *
* https://pyarmor.readthedocs.io/en/latest/questions.html *
* or run `pyarmor man` to find solutions quickly *
*=============================================================*
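A small triage script for the pyarmor-auth host log quoted in the post above, added here as an illustration (not Pyarmor's code and not from the issue author). It pairs each "receive request" line with the outcome line that follows it, so a CI job can flag requests that ended in `unknown packet`; the sample lines are constructed in the format of the quoted log, and the outcome labels and the one-request-at-a-time ordering are assumptions of this example.

```python
import re

# Constructed sample in the format of the pyarmor-auth host log quoted in this issue.
SAMPLE_LOG = """\
2024-03-19 03:41:30,922: listen container auth request on 0.0.0.0:29092
2024-03-19 03:45:56,102: receive request from ('10.100.0.xx', 39372)
2024-03-19 03:45:56,102: send auth result to ('10.100.0.xx', 39372)
2024-03-19 03:46:11,289: receive request from ('10.100.0.xx', 53044)
2024-03-19 03:46:11,289: unknown packet b''
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): (?P<msg>.*)$")
PEER = re.compile(r"\('(?P<ip>[^']+)', (?P<port>\d+)\)")

def triage(log_text):
    """Pair each 'receive request' with its outcome (labels are this example's own)."""
    results, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # annotation or non-log line
        msg = m["msg"]
        if msg.startswith("receive request from"):
            if pending:  # previous request never got an outcome line
                results.append(pending)
            p = PEER.search(msg)
            peer = (p["ip"], int(p["port"])) if p else None
            pending = {"ts": m["ts"], "peer": peer, "outcome": "no-outcome", "detail": ""}
        elif pending and msg.startswith("send auth result to"):
            pending["outcome"] = "answered"
            results.append(pending)
            pending = None
        elif pending and msg.startswith("unknown packet"):
            pending["outcome"] = "rejected"
            pending["detail"] = msg[len("unknown packet"):].strip()
            results.append(pending)
            pending = None
    if pending:
        results.append(pending)
    return results

def failed_requests(log_text):
    """Requests that did not end with 'send auth result'."""
    return [r for r in triage(log_text) if r["outcome"] != "answered"]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["ts"], r["peer"], r["outcome"], r["detail"])
```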
Make sure docker container ip address has same network mask as docker host, otherwise it doesn't work
@jondy Thanks for your answer!
To add more info to this, we successfully used pyarmor 8 with docker on a machine with docker rootfull configured.
We were able to run pyarmor reg ... and pyarmor gen ... command from docker following your documentation.
The problem we are facing is when we want to use a machine with docker rootless (using slirp4netns via RootlessKit).
In this mode, the docker container runs in an isolated namespace and can't access the host directly (the host localhost is not available) so we have to use the external interface of our machine (private IP like 10.100.0.X in our network) to access the pyarmor auth server with the PYARMOR_DOCKER_HOST env variable.
With docker rootless, the first step works well inside the container:
root@a3f9b76703b6:/workdir# PYARMOR_DOCKER_HOST=10.100.0.X pyarmor reg pyarmor-device-regfile-XXX.X.zip
INFO Python 3.11.8
INFO Pyarmor 8.5.1 (trial), 000000, non-profits
INFO Platform linux.x86_64
INFO register "pyarmor-device-regfile-XXX.X.zip"
INFO machine id in group license: XXX
INFO got machine id: XXX
...
INFO no machine id matchs this group license
INFO take this machine as docker container, and connect to docker host for authentication...
INFO got docker host machine id: XXX
...
INFO This license registration information:
License Type : pyarmor-group
License No. : pyarmor-vax-XXX
License To : XXX
License Product : XXX
BCC Mode : Yes
RFT Mode : Yes
Notes
* Offline obfuscation
But the second step does not work as expected and indicates that the token is invalid:
root@a3f9b76703b6:/workdir# PYARMOR_DOCKER_HOST=10.100.0.X pyarmor gen foo.py
INFO Python 3.11.8
INFO Pyarmor 8.5.1 (group), XXX, XXX
INFO Platform linux.x86_64
INFO search inputs ...
INFO find script foo.py
INFO find 1 top resources
ERROR invalid license token, try to run `pyarmor reg` to register license again
ERROR somthing is wrong
...
Here is the stacktrace from the pyarmor.error.log file:
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/__main__.py", line 757, in main
    main_entry(sys.argv[1:])
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/__main__.py", line 745, in main_entry
    return args.func(ctx, args)
           ^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/__main__.py", line 237, in cmd_gen
    builder.process(options)
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/generate.py", line 155, in process
    Pytransform3.pre_build(self.ctx)
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/core/__init__.py", line 120, in pre_build
    m = Pytransform3.init(ctx)
        ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pyarmor/cli/core/__init__.py", line 100, in init
    m.init_ctx(ctx)
RuntimeError: invalid license token, try to run `pyarmor reg` to register license again
I checked the license info in the builder.ctx and everything looks fine. I can't access the code that runs the license verification (probably inside Pytransform3). Maybe something with the IP check during the pyarmor gen command?
pyarmor-auth may not work for this case.
If the docker container is not running in the docker host, the license check will fail; it's a designed feature.