flannel-io / flannel

flannel is a network fabric for containers, designed for Kubernetes
Apache License 2.0

flannel not working when using etcd2 client-to-server authentication with an https client #343

Closed petersunquest closed 9 years ago

petersunquest commented 9 years ago

Hi,

I use a CA certificate for etcd2 communication & authentication. It looks like the flannel-managed container still uses http (not https), or uses https but does not use the CA certificate to access the etcd server.

I got a lot of errors like this:

```
Oct 12 21:34:12 master01 sdnotify-proxy[1742]: E1012 21:34:12.193841 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
```

My etcd2 service looks like it works fine:

```
$ etcdctl --cert-file=client.crt --key-file=client.key --ca-file=ca.crt --endpoint=https://127.0.0.1:2379 cluster-health
member c1e1bb17e9861eda is healthy: got healthy result from https://xxx.xxx.xxx.xxx:2379
cluster is healthy
```

My system is CoreOS alpha-829, user-data:

```yaml
- name: flanneld.service
  command: start
  drop-ins:
    - name: 50-network-config.conf
      content: |
        [Unit]
        Requires=etcd2.service
        [Service]
        Environment=FLANNELD_ETCD_ENDPOINTS=https://127.0.0.1:2379
        Environment=FLANNELD_ETCD_CAFILE=/home/core/ca.crt
        Environment=FLANNELD_ETCD_CERTFILE=/home/core/client.crt
        Environment=FLANNELD_ETCD_KEYFILE=/home/core/client.key
        ExecStartPre=/usr/bin/etcdctl --cert-file=/home/core/client.crt --key-file=/home/core/client.key --ca-file=/home/core/ca.crt --endpoint=https://127.0.0.1:2379 set /coreos.com/network/config '{"Network": "10.244.0.0/16", "Backend": {"Type": "vxlan"}}'
```


```
$ systemctl status flanneld
● flanneld.service - Network fabric for containers
   Loaded: loaded (/usr/lib64/systemd/system/flanneld.service; static; vendor preset: disabled)
  Drop-In: /etc/systemd/system/flanneld.service.d
           └─50-network-config.conf
   Active: activating (start) since Mon 2015-10-12 21:33:35 UTC; 46s ago
     Docs: https://github.com/coreos/flannel
  Process: 1737 ExecStartPre=/usr/bin/etcdctl --cert-file=/home/core/client.crt --key-file=/home/core/client.key --ca-file=/home/core/ca.crt --endpoint=https://127.0.0.1:2379 set /coreos.com/network/config {"Network": "10.244.0.0/16", "Backend": {"Type": "vxlan"}} (code=exited, status=0/SUCCESS)
  Process: 1734 ExecStartPre=/usr/bin/touch ${FLANNEL_ENV_FILE} (code=exited, status=0/SUCCESS)
  Process: 1730 ExecStartPre=/usr/bin/mkdir -p ${ETCD_SSL_DIR} (code=exited, status=0/SUCCESS)
  Process: 1726 ExecStartPre=/usr/bin/mkdir -p /run/flannel (code=exited, status=0/SUCCESS)
  Process: 1725 ExecStartPre=/sbin/modprobe ip_tables (code=exited, status=0/SUCCESS)
 Main PID: 1742 (sdnotify-proxy)
   Memory: 5.7M
      CPU: 257ms
   CGroup: /system.slice/flanneld.service
           ├─3139 /usr/libexec/sdnotify-proxy /run/flannel/sd.sock /usr/bin/docker run --net=host --privileged=true --rm --volume=/run/flannel:/run/flannel --env=NOTIFY_SOCKET=/run/flannel/sd.sock --env=AWS_ACCESS_KEY_ID= --env=AWS_SECRET_ACCESS_KEY= --env-file=/run/flannel/options.env --volume=/usr/share/ca-certificates:/etc/ssl/certs:ro --volume=/etc/ssl/etcd:/etc/ssl/etcd:ro quay.io/coreos/flannel:0.5.3 /opt/bin/flanneld --ip-masq=true
           └─3144 /usr/bin/docker run --net=host --privileged=true --rm --volume=/run/flannel:/run/flannel --env=NOTIFY_SOCKET=/run/flannel/sd.sock --env=AWS_ACCESS_KEY_ID= --env=AWS_SECRET_ACCESS_KEY= --env-file=/run/flannel/options.env --volume=/usr/share/ca-certificates:/etc/ssl/certs:ro --volume=/etc/ssl/etcd:/etc/ssl/etcd:ro quay.io/coreos/flannel:0.5.3 /opt/bin/flanneld --ip-masq=true

Oct 12 21:34:12 master01 sdnotify-proxy[1742]: E1012 21:34:12.193841 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
Oct 12 21:34:13 master01 sdnotify-proxy[1742]: E1012 21:34:13.198501 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
Oct 12 21:34:14 master01 sdnotify-proxy[1742]: E1012 21:34:14.202677 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
Oct 12 21:34:15 master01 sdnotify-proxy[1742]: E1012 21:34:15.206846 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
Oct 12 21:34:16 master01 sdnotify-proxy[1742]: E1012 21:34:16.212938 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
Oct 12 21:34:17 master01 sdnotify-proxy[1742]: E1012 21:34:17.217078 00001 network.go:53] Failed to retrieve network config: client: etcd cluster is unavailable or misconfigured
```


Thanks

Peter

petersunquest commented 9 years ago

Hi,

I tried to clear up my problem, and it looks like it is working now. I think this may help someone. This is the USER-DATA file:

```yaml
coreos:
  fleet:
    interface: $public_ipv4
    # etcd_endpoints: https://$private_ipv4:4001
    # put the CA file in the folder shared with Docker
    etcd_keyfile: "/etc/ssl/etcd/client.key"
    # it looks like Flannel can access that folder
    etcd-certfile: "/etc/ssl/etcd/client.crt"
    etcd-cafile: "/etc/ssl/etcd/ca.crt"
  units:
    - name: flanneld.service
      drop-ins:
        - name: 50-network-config.conf
          content: |
            [Service]
            ExecStartPre=/usr/bin/etcdctl --cert-file=/etc/ssl/etcd/client.crt --key-file=/etc/ssl/etcd/client.key --ca-file=/etc/ssl/etcd/ca.crt --endpoint=https://127.0.0.1:2379 set /coreos.com/network/config '{"Network": "10.244.0.0/16"}'
      command: start
```

Working perfectly. Thanks, Peter
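The two comments above point at one concrete detail in the `systemctl status` output: on CoreOS, `flanneld` runs inside a Docker container that bind-mounts only `/run/flannel`, `/usr/share/ca-certificates` (as `/etc/ssl/certs`) and `/etc/ssl/etcd` from the host, and receives its settings through `--env-file=/run/flannel/options.env`. The `FLANNELD_ETCD_*FILE` paths are opened by `flanneld` inside that container, so files under `/home/core` are simply not there, while files under `/etc/ssl/etcd` are. The script below is an added example, not code from flannel or CoreOS; it parses the `--volume=` arguments of the unit's `docker run` line and checks each certificate path against them. The `docker run` line is trimmed from the status output above, and both `options.env` variants are constructed to mirror the first and second comment (the first comment set the paths as `Environment=` lines in the drop-in, which reach the systemd service but not the container unless they are written into `options.env`; the example assumes they ended up there).

```shell
#!/bin/sh
# Added example for this thread; not code from flannel or CoreOS.
# It reproduces the root cause offline: the flanneld unit runs flanneld in a
# Docker container that bind-mounts only a few host directories, so the
# FLANNELD_ETCD_{CAFILE,CERTFILE,KEYFILE} paths are resolved inside the
# container and must lie under one of those mounts (/etc/ssl/etcd), not
# under /home/core.

# Constructed input: the "docker run" command line from the flanneld unit,
# trimmed from the systemctl status output (AWS env vars omitted).
DOCKER_RUN='/usr/bin/docker run --net=host --privileged=true --rm --volume=/run/flannel:/run/flannel --env-file=/run/flannel/options.env --volume=/usr/share/ca-certificates:/etc/ssl/certs:ro --volume=/etc/ssl/etcd:/etc/ssl/etcd:ro quay.io/coreos/flannel:0.5.3 /opt/bin/flanneld --ip-masq=true'

# Constructed options.env contents: the paths from the first comment (broken)
# and from the second comment (fixed).
BROKEN_ENV='FLANNELD_ETCD_ENDPOINTS=https://127.0.0.1:2379
FLANNELD_ETCD_CAFILE=/home/core/ca.crt
FLANNELD_ETCD_CERTFILE=/home/core/client.crt
FLANNELD_ETCD_KEYFILE=/home/core/client.key'

FIXED_ENV='FLANNELD_ETCD_ENDPOINTS=https://127.0.0.1:2379
FLANNELD_ETCD_CAFILE=/etc/ssl/etcd/ca.crt
FLANNELD_ETCD_CERTFILE=/etc/ssl/etcd/client.crt
FLANNELD_ETCD_KEYFILE=/etc/ssl/etcd/client.key'

# Print one "host:container" line per --volume=host:container[:opts] argument.
container_mounts() {
  for arg in $1; do
    case "$arg" in
      --volume=*)
        spec=${arg#--volume=}
        host=${spec%%:*}
        rest=${spec#*:}
        printf '%s:%s\n' "$host" "${rest%%:*}"
        ;;
    esac
  done
}

# Map an in-container path to the host path behind it. $2 is the output of
# container_mounts. Prints the host path and returns 0, or returns 1 when the
# path is under no bind mount, i.e. the container cannot see it at all.
host_path_for() {
  path=$1
  for m in $2; do
    host=${m%%:*}
    dest=${m#*:}
    case "$path" in
      "$dest"/*)
        printf '%s\n' "$host${path#"$dest"}"
        return 0
        ;;
    esac
  done
  return 1
}

# Check every FLANNELD_ETCD_*FILE entry of an options.env against the mounts
# of the docker run line. Returns 0 if all resolve, 1 if any is unreachable.
check_etcd_tls_paths() {
  env_text=$1
  mounts=$(container_mounts "$2")
  bad=0
  for key in FLANNELD_ETCD_CAFILE FLANNELD_ETCD_CERTFILE FLANNELD_ETCD_KEYFILE; do
    path=$(printf '%s\n' "$env_text" | sed -n "s/^$key=//p")
    [ -n "$path" ] || continue
    if host=$(host_path_for "$path" "$mounts"); then
      # On a real host you would also `test -r "$host"` here.
      echo "ok   $key=$path -> host $host"
    else
      echo "FAIL $key=$path is under no directory bind-mounted into the container"
      bad=1
    fi
  done
  return $bad
}

echo "# drop-in from the first comment (certs in /home/core):"
check_etcd_tls_paths "$BROKEN_ENV" "$DOCKER_RUN" || true
echo "# user-data from the second comment (certs in /etc/ssl/etcd):"
check_etcd_tls_paths "$FIXED_ENV" "$DOCKER_RUN"
```

Run it as `sh check.sh`: the first section prints three `FAIL` lines, the second three `ok` lines whose host paths are the files `etcdctl` already used successfully from the host. On a live CoreOS node you would feed it the real `docker run` line from `systemctl cat flanneld` and the real `/run/flannel/options.env`, and add the `test -r` check on the resolved host path, since a path that is mounted but unreadable (wrong owner or mode on a private key) fails in the same opaque way.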