Open csckcac opened 1 year ago
Just encountered this issue on MacOS as well. Tried deleting the pki directory as that is what is suggested in a few threads online. The certificates get generated and Docker Desktop + K8s starts up fine, but all resources (including PVCs) are gone for whatever reason.
This is a huge problem for anyone running databases or whatever using StatefulSets. Why would all resources get wiped if the pki directory is gone?
Hi, any update? I am facing this issue too. I found many solutions to rotate the certificates on the Internet, but they seem not to work on Docker Desktop for Windows.
Please check if this works
Prepare nsenter1 (First time only)
git clone https://github.com/justincormack/nsenter1.git
cd nsenter1
docker build -t yournsenter1 .
Create a temporary volume (First time only)
docker volume create tmp
Exec into the Docker VM:
docker run -it --rm --privileged --pid=host yournsenter1
Get ContainerD namespaces from VM:
ctr namespaces list
List ContainerD containers:
ctr --namespace services.linuxkit containers list
Exec on Docker services container:
ctr --namespace services.linuxkit tasks exec -t --exec-id 3000 docker /bin/sh
Renew all certs:
kubeadm certs renew all
This folder will get updated with kubeadm:
ls -lha /var/lib/kubeadm/pki/ # updates with kubeadm
While this folder doesn't get updated:
ls -lha /run/config/pki/ # doesn't update with kubeadm
Copy the new cert to volume tmp:
cp -R /var/lib/kubeadm/pki/* /var/lib/docker/volumes/tmp/_data/
Replace the new cert on Windows:
copy \\wsl$\docker-desktop-data\data\docker\volumes\tmp\_data\* to %localappdata%\Docker\pki
Restart Docker Desktop
I tried. The certs are updated, but then after restarting Docker Desktop, Kubernetes failed to start. I found an error in the log:
[com.docker.backend.exe][W] cannot create kubernetes PKI: error creating PKI assets: failed to write or validate certificate "apiserver-etcd-client": certificate apiserver-etcd-client is not signed by corresponding CA. Cluster will need to be reset.
I need to reset the k8s cluster. All pods are gone 😢
EDIT:
I checked C:\Users\
Important: ONLY Remove old '_pki' folder if you're sure everything works!
After recreating the pki folder you could run into the issue of mismatching certificate-authority-data, see more here: https://stackoverflow.com/questions/46234295/kubectl-unable-to-connect-to-server-x509-certificate-signed-by-unknown-authori
Credits go to wp4nuv, https://www.reddit.com/r/docker/comments/t2ssqr/issue_windows_trying_to_start_docker_desktop/
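A pre-copy check for the renewal steps and the "not signed by corresponding CA" error quoted above, as an added example that is not part of the thread or of Docker Desktop. It covers the three certificates named in the issue; the leaf-to-CA pairing assumes the default kubeadm layout (`ca.crt`, `etcd/ca.crt`, `front-proxy-ca.crt`), and `check_cert` / `check_pki` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a renewed kubeadm pki
# directory before it replaces the one Docker Desktop reads.
# Assumption: leaf/CA pairs follow the default kubeadm layout.

# check_cert LEAF CA [WINDOW]
# Returns 0 when LEAF stays valid for at least WINDOW more seconds (default
# one day) and verifies against CA; prints the reason and returns 1 otherwise.
check_cert() {
    leaf=$1 ca=$2 window=${3:-86400}
    if [ ! -r "$leaf" ] || [ ! -r "$ca" ]; then
        echo "MISSING   $leaf (or its CA $ca)"; return 1
    fi
    if ! openssl x509 -in "$leaf" -noout -checkend "$window" >/dev/null; then
        echo "EXPIRING  $leaf: $(openssl x509 -in "$leaf" -noout -enddate)"; return 1
    fi
    # Match on ": OK" instead of the exit status, which older OpenSSL
    # releases left at 0 even when verification failed.
    if ! openssl verify -CAfile "$ca" "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo "WRONG-CA  $leaf does not verify against $ca"; return 1
    fi
    echo "OK        $leaf"
}

# check_pki DIR [WINDOW]
# Runs check_cert over the certificates named in the issue and returns
# non-zero if any of them fails.
check_pki() {
    dir=$1 win=${2:-86400} failed=0
    while read -r name issuer; do
        check_cert "$dir/$name" "$dir/$issuer" "$win" || failed=1
    done <<EOF
apiserver.crt ca.crt
apiserver-etcd-client.crt etcd/ca.crt
front-proxy-client.crt front-proxy-ca.crt
EOF
    return "$failed"
}

# Usage inside the VM, after "kubeadm certs renew all" and before the copy:
#   check_pki /var/lib/kubeadm/pki || echo "do not copy this pki directory"
```

A `WRONG-CA` line for `apiserver-etcd-client.crt` means the copied files would mix a leaf from one PKI with a CA from another, which is the condition the backend log above refuses to start with.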
Description
Certificate is expired; there are no actual solutions except resetting Kubernetes, which is a workaround.
The certificates under this location are expired:
%LOCALAPPDATA%\Docker\pki\apiserver.crt
%LOCALAPPDATA%\Docker\pki\apiserver-etcd-client.crt
%LOCALAPPDATA%\Docker\pki\front-proxy-client.crt
Deleting the pki folder will also reset Kubernetes, thus losing data.
There are no tools like kubeadm to renew the certificates, or any "docker" guide to solve this problem.
Reproduce
Expected behavior
No response
docker version
docker info
Diagnostics ID
DFE7A969-EBA4-4489-AB49-A48BADC30F7A/20230713093613
Additional Info
No response