dragonflyoss / nydus

Nydus - the Dragonfly image service, providing fast, secure and easy access to container images.
https://nydus.dev/
Apache License 2.0

After configuring docker insecure-registries, when pulling an image, the following error occurs: 'failed to authorize: failed to fetch oauth token ...... failed to verify certificate: x509: certificate signed by unknown authority'. #1614

Open jokerwenxiao opened 2 months ago

jokerwenxiao commented 2 months ago
root@nydus:~# nydusd --version
Version:        v2.2.4
Git Commit:     1c9c819942ce6fb0b1ebf178df0b3966021ae6bb
Build Time:     2023-11-02T11:32:06.442899984Z
Profile:        release
Rustc:          rustc 1.66.1 (90743e729 2023-01-10)
root@nydus:~# containerd-nydus-grpc --version
Version:     v0.13.3
Revision:    0dfc6a45217592e3ac7071634cd8e82ecb458eba
Go version:  go1.19.6
Build time:  2023-10-19T06:12:58
root@nydus:~# docker info
Client: Docker Engine - Community
 Version:    24.0.7
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 3
 Server Version: 24.0.7
 Storage Driver: nydus
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 61f9fd88f79f081d64d6fa3bb1a0dc71ec870523
 runc version: v1.1.9-0-gccaecfc
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-40-generic
 Operating System: Ubuntu 22.04 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 3.778GiB
 Name: nydus
 ID: 90d15f77-f5ce-4d59-b56b-f4b08a027682
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  192.168.220.127:5002
  127.0.0.0/8
 Live Restore Enabled: false
root@nydus:~# cat /etc/docker/daemon.json
{
  "features": {
    "containerd-snapshotter": true
  },
  "insecure-registries": ["https://192.168.220.127:5002"],
  "storage-driver": "nydus"
}
root@nydus:~# cat /etc/nydus/nydusd-config.json
{
  "device": {
    "backend": {
      "type": "registry",
      "config": {
        "scheme": "https",
        "host": "192.168.220.127:5002",
        "skip_verify": true,
        "auth": "YWRtaW46SGFyYm9yMTIzNDU=",
        "timeout": 5,
        "connect_timeout": 5,
        "retry_limit": 2
      }
    },
    "cache": {
      "type": "blobcache"
    }
  },
  "mode": "direct",
  "digest_validate": false,
  "iostats_files": false,
  "enable_xattr": true,
  "fs_prefetch": {
    "enable": true,
    "threads_count": 8,
    "merging_size": 1048576,
    "prefetch_all": true
  }
}

containerd config:

version = 2
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".tls]
    insecure_skip_verify = true
  [plugins."io.containerd.grpc.v1.cri".registry.configs."192.168.220.127:5002".auth]
    identitytoken = "YWRtaW46SGFyYm9yMTIzNDU="
    #username = "admin"
    #password = "Harbor12345"

# Plug nydus snapshotter into containerd
[proxy_plugins]
  [proxy_plugins.nydus]
    type = "snapshot"
    address = "/run/containerd-nydus/containerd-nydus-grpc.sock"
root@nydus:~# docker login 192.168.220.127:5002
Authenticating with existing credentials...
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

root@nydus:~# docker pull 192.168.220.127:5002/check/debian:stable
Error response from daemon: failed to resolve reference "192.168.220.127:5002/check/debian:stable": failed to authorize: failed to fetch oauth token: Post "https://192.168.220.127:5002/service/token": tls: failed to verify certificate: x509: certificate signed by unknown authority
imeoer commented 2 months ago

It seems the error is not related to nydus; it tells us that docker's request to the registry token server did not skip TLS cert validation.
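The error string in the report is Go's crypto/x509 UnknownAuthorityError as surfaced by crypto/tls, and, as imeoer notes, it is raised by the daemon's own token request, not by nydusd. The example below is added here for illustration; it is not code from the nydus project or from anyone in this thread. It mints a constructed private CA and a server certificate for 192.168.220.127 in memory, then verifies that certificate the way a Go TLS client would under three trust configurations: no CA installed (the error quoted above), the CA added to the client's root pool, and InsecureSkipVerify, which is what nydusd's "skip_verify": true and containerd's insecure_skip_verify switch on for their own client only. The CA name, validity window and hostname are assumptions; nothing is fetched from a registry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// testPKI is a constructed stand-in for a registry behind a private CA: caPEM is the CA
// certificate an operator would install, leaf is what the token endpoint would present.
type testPKI struct {
	caPEM []byte
	leaf  *x509.Certificate
}

// mkCert mints a certificate for tmpl with a fresh P-256 key: self-signed when parent is nil,
// otherwise signed by signer (the parent's key). Validity is set here so callers only describe
// identity and usage. Returns the parsed certificate, its DER encoding and the new key.
func mkCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	if parent == nil { // self-signed
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, der, key, err
}

func newTestPKI(host string) (*testPKI, error) {
	ca, caDER, caKey, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "private registry CA (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// The registry is dialed by IP, so the host must be an IP SAN; a DNS SAN would not match.
	leaf, _, _, err := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		IPAddresses: []net.IP{net.ParseIP(host)},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{caPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf: leaf}, nil
}

// clientTLSConfig is the TLS configuration a registry client would use. skipVerify is what
// nydusd's "skip_verify" / containerd's insecure_skip_verify do, for that one client only.
func clientTLSConfig(caPEM []byte, skipVerify bool) (*tls.Config, error) {
	if skipVerify {
		return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, nil
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CERTIFICATE block in CA PEM")
	}
	return &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// verifyServerCert does what the handshake does with the presented leaf: chain it to a
// trusted root and check that it is valid for the host that was dialed.
func verifyServerCert(leaf *x509.Certificate, cfg *tls.Config, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // checks switched off: any certificate at all is accepted
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs, // nil here would mean the system trust store
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const host = "192.168.220.127"
	pki, err := newTestPKI(host)
	if err != nil {
		panic(err)
	}
	trusted, _ := clientTLSConfig(pki.caPEM, false)
	skip, _ := clientTLSConfig(nil, true)
	fmt.Println("no CA:       ", verifyServerCert(pki.leaf, &tls.Config{RootCAs: x509.NewCertPool()}, host))
	fmt.Println("CA installed:", verifyServerCert(pki.leaf, trusted, host))
	fmt.Println("skip_verify: ", verifyServerCert(pki.leaf, skip, host))
}
```

Installing the CA rather than skipping verification keeps both the chain check and the hostname check: the same certificate is rejected for an IP it was not issued to, whereas the skip_verify path accepts any certificate from any host. For dockerd the documented place for a per-registry CA is /etc/docker/certs.d/192.168.220.127:5002/ca.crt; containerd's CRI plugin reads the equivalent from a hosts.toml under its registry config_path with a ca entry, and that CRI section only governs pulls made through the CRI plugin, not a docker pull. The thread does not establish whether dockerd's containerd-snapshotter pull path honours insecure-registries for the token endpoint; installing the CA sidesteps that question.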

guquanheng commented 2 months ago

Me too: the private certificate cannot be used.

jokerwenxiao commented 2 months ago

When I don't use nydus and use the native Docker configuration, there are no authentication issues, but when I switch to nydus, the above problem occurs. This issue also occurs in the integration scenario with Dragonfly: if nydus is not deployed, pulling the private repository image through the Dragonfly agent with Docker works normally, but once nydus is deployed, authentication issues may also occur.