I’m trying to execute a local deployment with --insecure option False. When --insecure is True everything works as expected. My docker compose-file looks like the following:
services:
  # create a SuperLink service
  superlink:
    image: flwr/superlink:${FLWR_VERSION:-1.12.0}
    command:
      # --insecure
      --ssl-ca-certfile=certificates/ca.crt
      --ssl-certfile=certificates/server.pem
      --ssl-keyfile=certificates/server.key
    volumes:
      - .cache/certificates:/app/certificates:ro
  # create a SuperExec service
  superexec:
    build:
      context: ${PROJECT_DIR:-.}
      dockerfile_inline: |
        FROM flwr/superexec:${FLWR_VERSION:-1.12.0}
        # gcc is required for the fastai quickstart example
        USER root
        RUN apt-get update \
            && apt-get -y --no-install-recommends install \
            build-essential \
            && rm -rf /var/lib/apt/lists/*
        USER app
        WORKDIR /app
        COPY --chown=app:app pyproject.toml .
        RUN sed -i 's/.*flwr\[simulation\].*//' pyproject.toml \
            && python -m pip install -U --no-cache-dir .
        ENTRYPOINT ["flower-superexec"]
    ports:
      - 9093:9093
    command:
      - --executor
      - flwr.superexec.deployment:executor
      # - --insecure
      - --executor-config
      - superlink="superlink:9091"
      - --ssl-ca-certfile=certificates/ca.crt
      - --ssl-certfile=certificates/server.pem
      - --ssl-keyfile=certificates/server.key
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro
  # create two SuperNode services with different node configs
  supernode-1:
    image: flwr/supernode:${FLWR_VERSION:-1.12.0}
    command:
      # - --insecure
      - --superlink
      - superlink:9092
      - --supernode-address
      - 0.0.0.0:9094
      - --isolation
      - process
      - --node-config
      - "partition-id=0 num-partitions=2"
      - --root-certificates=certificates/ca.crt
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro
  supernode-2:
    image: flwr/supernode:${FLWR_VERSION:-1.12.0}
    command:
      # - --insecure
      - --superlink
      - superlink:9092
      - --supernode-address
      - 0.0.0.0:9095
      - --isolation
      - process
      - --node-config
      - "partition-id=1 num-partitions=2"
      - --root-certificates=certificates/ca.crt
    depends_on:
      - superlink
    volumes:
      - .cache/certificates:/app/certificates:ro
The problem is that when I run docker compose up --build -d I see the following:
Superlink
2024-11-18 12:03:26 INFO : Starting Flower SuperLink
2024-11-18 12:03:26 INFO : Flower ECE: Starting Driver API (gRPC-rere) on 0.0.0.0:9091
2024-11-18 12:03:26 INFO : Flower ECE: Starting Fleet API (gRPC-rere) on 0.0.0.0:9092
2024-11-18 12:03:27 WARNING: All log messages before absl::InitializeLog() is called are written to STDERR
2024-11-18 12:03:27 E0000 00:00:1731924207.239103 26 ssl_transport_security.cc:2128] No match found for server name: superlink
2024-11-18 12:03:27 E0000 00:00:1731924207.240866 30 ssl_transport_security.cc:2128] No match found for server name: superlink
Supernode
2024-11-18 11:55:54 INFO : Starting Flower SuperNode
2024-11-18 11:55:55 INFO : Starting Flower ClientAppIo gRPC server on 0.0.0.0:9094
2024-11-18 11:55:55 WARNING : Connection attempt failed, retrying...
2024-11-18 11:55:55 WARNING : Connection attempt failed, retrying in 0.81 seconds
2024-11-18 11:55:56 WARNING : Connection attempt failed, retrying in 2.58 seconds
I have manually checked that the certificates are mounted to the created containers.
At first glance, your Docker Compose file looks fine. However, there’s a small issue: the SuperExec does not use the SuperLink certificate to validate the SuperLink identity. I’m guessing you’re using the same set of certificates and keys for both SuperLink and SuperExec, is that correct?
If that’s the case, you’ll need to replace the line in the SuperExec service:
Hey @robert. Thanks for replying back to my question, your instructions have helped me move forward. But now I have another issue.
I followed the commands from this link and the compose files from here and now I don’t get any errors during the build of the containers. However, when I execute the flwr run . local-deployment --stream I get the following error:
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:9093: Ssl handshake failed (TSI_PROTOCOL_FAILURE): SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"
debug_error_string = "UNKNOWN:Error received from peer {created_time:"2024-11-27T13:18:50.69710094+02:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:9093: Ssl handshake failed (TSI_PROTOCOL_FAILURE): SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"}"
>
E0000 00:00:1732706340.595075 1726 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706350.594511 1720 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706360.593597 1728 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706370.593564 1724 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706380.592757 1721 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706390.592663 1723 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706405.591836 1720 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706430.591835 1722 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706475.589544 1727 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
E0000 00:00:1732706535.587665 1721 ssl_transport_security.cc:1654] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
I get the same error when I follow the commands from this link. I just used the latest versions of the .yml files from here. Could it be that something is outdated or that I’m using a wrong version of something?
Alternatively, use the latest Docker Compose setup by cloning the Flower repository with the tag v1.13.1. If you choose this option, also update the Flower CLI to version 1.13.1:
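Added example, not part of the thread and not Flower's own code: both errors above (`No match found for server name: superlink` on the SuperLink and `CERTIFICATE_VERIFY_FAILED` for `127.0.0.1:9093` on the CLI) come down to whether the server certificate chains to the CA the client trusts and covers the name the client dials, and this script runs those two checks with the `openssl` CLI. The certificates are constructed on the fly and `make_cert`, `covers` and `report` are names chosen for this example; for a real deployment, pass the mounted `ca.crt` and `server.pem` to `report` instead.

```shell
#!/bin/sh
# Added example: constructed certificates, not the ones from the thread.
# Assumes the openssl CLI, version 1.1.1 or newer (for -addext).

# make_cert OUT_PREFIX SAN_LIST: self-signed EC cert carrying the given SANs.
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "/CN=constructed-flower-server" \
        -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# covers CA_FILE CERT NAME: succeed only if CERT chains to CA_FILE *and*
# is valid for NAME, the two checks a TLS client makes on connect.
covers() {
    case "$3" in
        *[!0-9.]*) opt=-verify_hostname ;;   # anything non-numeric: DNS name
        *)         opt=-verify_ip ;;         # dotted IPv4 literal
    esac
    openssl verify -CAfile "$1" "$opt" "$3" "$2" >/dev/null 2>&1
}

# report CA_FILE CERT NAME...: one line per name; returns the number of misses.
report() {
    ca=$1; cert=$2; shift 2; missing=0
    for name in "$@"; do
        if covers "$ca" "$cert" "$name"; then
            echo "ok       $name"
        else
            echo "MISSING  $name"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

work=$(mktemp -d)
make_cert "$work/narrow" "DNS:localhost"
make_cert "$work/full"   "DNS:superlink,DNS:localhost,IP:127.0.0.1"

# Names from the thread: SuperNodes dial superlink:9092, the CLI dials 127.0.0.1:9093.
echo "narrow cert:"; report "$work/narrow.pem" "$work/narrow.pem" superlink 127.0.0.1 || true
echo "full cert:";   report "$work/full.pem"   "$work/full.pem"   superlink 127.0.0.1 || true
```

A name reported as MISSING means a client dialing that name will fail the handshake even when the CA file is correct, so the certificate has to be reissued with that name in its subjectAltName list.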