HCL-TECH-SOFTWARE / connections-automation

Deployment and upgrade automation scripts for HCL Connections 7.0 based on Ansible
Apache License 2.0

Harbor: docker_registry_url #222

Closed stoeps13 closed 1 year ago

stoeps13 commented 1 year ago

The setup creates the entry for "insecure-registries": ["{{ docker_registry_url }}"],, but then the docker service is not starting.

Error message:

Nov 02 07:39:45 cnx8-ora-cp.stoeps.home dockerd[9172]: failed to start daemon: insecure registry hclcr.io/cnx is not valid: invalid host "hclcr.io/cnx"

This should be replaced with "insecure-registries": ["{{ docker_registry_url.split('/')[0] }}"], so that just the hostname is set in insecure-registries. Then the docker service can be started.

On the other hand, I want to discuss this setting when you deploy from Harbor. When we put hclcr.io into insecure registries, even though it uses a valid certificate, you're vulnerable to man-in-the-middle attacks, because the docker daemon does not recognize that the attacker provides a self registered certificate.

sabrina-yee commented 1 year ago

Hi @stoeps13, a change has been pushed to make insecure-registries configurable. With Harbor, Docker is not needed to deploy the Component Pack so it's not a supported use case of this repo, but this change should provide flexibility to address the issue described.

sabrina-yee commented 1 year ago

PR #225 now allows configurable insecure-registries
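
An added example, not part of the thread or of the repository's code: a Python check of a daemon.json that flags insecure-registries entries carrying a path, as in the error message above, and entries for registries that already present a valid certificate. The function names, the host pattern (an approximation of what dockerd accepts) and the sample file are assumptions made for this example.

```python
import ipaddress
import json
import re

# Conservative host[:port] pattern; an approximation, not dockerd's own validator.
HOST_PORT = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:\d{1,5})?$")


def registry_host(url):
    """Reduce 'hclcr.io/cnx' or 'https://hclcr.io/cnx' to 'hclcr.io'."""
    return url.split("://", 1)[-1].split("/", 1)[0]


def is_valid_entry(entry):
    """True if the entry is a CIDR range or a bare host[:port]."""
    if "/" in entry:
        try:
            ipaddress.ip_network(entry, strict=False)
            return True
        except ValueError:
            return False  # a path such as 'hclcr.io/cnx'
    return bool(HOST_PORT.match(entry))


def audit(daemon_json, tls_hosts):
    """Return (entry, finding) pairs for a daemon.json document.

    tls_hosts: registries known to present a valid certificate; listing
    them as insecure disables certificate verification for them.
    """
    findings = []
    for entry in json.loads(daemon_json).get("insecure-registries", []):
        if not is_valid_entry(entry):
            findings.append((entry, "invalid host, use " + registry_host(entry)))
        elif registry_host(entry).split(":")[0] in tls_hosts:
            findings.append((entry, "has valid TLS, remove from insecure-registries"))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = json.dumps({"insecure-registries": [
    "hclcr.io/cnx", "hclcr.io", "10.0.0.0/8", "registry.internal.example:5000"]})

if __name__ == "__main__":
    for entry, finding in audit(SAMPLE, {"hclcr.io"}):
        print(f"{entry}: {finding}")
```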