search

signalfx / maestro-ng

Orchestration of Docker-based, multi-host environments
https://signalfx.com
Apache License 2.0
685 stars 83 forks source link

Added a check when Login into the registry : if no username is given … #162

Closed acaranta closed 8 years ago

acaranta commented 8 years ago

Hi !

Recently, we have seen a problem when using maestro-ng on a docker >1.9 host and trying to use a non https registry.... no images were pulled and we got the error :

ContainerOrchestrationException: infdb-1: Login to http://insecure-registry.our.company.com:5000 as None failed: 500 Server Error: Internal Server Error ("invalid registry endpoint https://insecure-registry.our.company.com:5000/v0/: unable to ping registry endpoint https://insecure-registry.our.company.com:5000/v0/
v2 ping attempt failed with error: Get https://insecure-registry.our.company.com:5000/v2/: tls: oversized record received with length 20527
v1 ping attempt failed with error: Get https://insecure-registry.our.company.com:5000/v1/_ping: tls: oversized record received with length 20527. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry insecure-registry.our.company.com:5000` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/insecure-registry.our.company.com:5000/ca.crt")

(yes the 1.9 host was configured with the correct --insecure-registry option ;) ... as it was working with a docker 1.4 host.

From what I saw/understood, it was the login attempt that failed. Our old test registry (used in dev here) does not support login ... therefore, the login failed ... and as it failed ... well the execution failed ... I realised that even if you do not specify a username in the maestro-ng configuration file (leaving the username: empty), maestro was still trying to loin to the registry.

Therefore, here is what I changed to make it work : The LoginTask now checks if the username is not empty before trying to login, if no username is supplied then, it stops there.

The trick works perfectly for our needs... therefore I thought it might help orthers and allow us to keep using the original GIT repo of maestro-ng ;)

Thanks for your work !

mpetazzoni commented 8 years ago

Hmm, I understand your problem, but if your registry doesn't require login, you shouldn't need to define it in the registries section of Maestro. Maestro will not try to login to it, and just let Docker do its thing for the image pull. Does that not work?

acaranta commented 8 years ago

Well you see, the problem is that we need to define it .... because not only it does not support login ... but even worse ... it is not even SSL enabled ;) so I need to define in the maestro configuration as an "http://..." registry in order for maestro to raise the 'insecure' flag when docker-py communicates with it.

I could ignore all this, but a/ we currently have the "relicgistry" (and this temporary solution sounds like it's going to stick for a moment :( b/ although it is an odd case, I thought it could be good that maestro-ng could also handle registries http only and without login (to cover everything) ;)

acaranta commented 8 years ago

Oh I forgot ... everything was working fine without this PR when maestro-ng was controlling a 1.4 docker-engine. we upgrading to 1.9.1 ... and I guess the way the engine logs in changed ... therefore it fails ...

acaranta commented 8 years ago

Don't want to be bothering too much ... but err ... do you need more info in any way ? ;)

mpetazzoni commented 8 years ago

Nope, just been busy :) Merged. Thanks a lot!

acaranta commented 8 years ago

Thx for your help ;)