Closed rgl closed 2 years ago
hmmm....I wasn't able to get this PR working. Let me get some notes together for what I ran into.
Oh, the last commit had broken the build. It should work now. Can you please re-run it?
Hey @rgl, thanks for the update. vagrant up is now working for me. I apologize but I'm not fully understanding what this PR or #105 are trying to resolve.
This branch and the existing mainline branch both behave the same for me in terms of pushing to the local container registry and curl https://192.168.50.4/v2/_catalog.
I get the following output from both this PR and main.
vagrant@ubuntu2004:~$ docker tag hello-world 192.168.50.4/hello-world
vagrant@ubuntu2004:~$ docker push 192.168.50.4/hello-world
Using default tag: latest
The push refers to repository [192.168.50.4/hello-world]
Get "https://192.168.50.4/v2/": x509: certificate signed by unknown authority
---
vagrant@ubuntu2004:~$ curl https://192.168.50.4/v2/_catalog
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
---
vagrant@ubuntu2004:~$ curl https://192.168.50.4/v2/_catalog -k
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
---
Also, for this PR the initial vagrant up is successful but shows this:
==> provisioner: Running provisioner: Trust the Tinkerbell CA (shell)...
provisioner: Running: script: Trust the Tinkerbell CA
provisioner: /tmp/vagrant-shell: line 2: docker-compose: command not found
provisioner: Updating certificates in /etc/ssl/certs...
provisioner: 0 added, 0 removed; done.
provisioner: Running hooks in /etc/ca-certificates/update.d...
provisioner: done.
@jacobweinstock, I've now finally actually used sandbox for the first time, and was able to fix it.
This now works:
$ vagrant ssh provisioner
$ docker tag bash:4.4 192.168.50.4/hello-world
$ docker push 192.168.50.4/hello-world
Using default tag: latest
The push refers to repository [192.168.50.4/hello-world]
d0c293cc0edd: Pushed
9f708c6c10e5: Pushed
e2eb06d8af82: Pushed
latest: digest: sha256:f290434b66bde9a4155f882710dab774c557acca4b3faccad7c53327afaebd1a size: 946
$ curl https://192.168.50.4/v2/_catalog
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
Let me know if it works for you.
Hey @rgl, thanks! this is working for me. Would it be possible to move this setup out of the Vagrantfile so that other infrastructure providers like Terraform can consume it? Finding a way to allow docker-compose only consumers to use this would also be ideal. Maybe a new directory for host scripts? Just a brainstorming idea.
I apologize that it's not well documented but the design philosophy here is:
"Vagrant and Terraform are now only responsible for standing up infrastructure and then running docker-compose, not for running any glue scripts. The compose calls single-shot services to do all the glue required to get a fully functional Tinkerbell stack." ref: here
> Hey @rgl, thanks! this is working for me. Would it be possible to move this setup out of the Vagrantfile so that other infrastructure providers like Terraform can consume it? Finding a way to allow docker-compose only consumers to use this would also be ideal. Maybe a new directory for host scripts? Just a brainstorming idea.

You mean to move it to a script file at deploy/host/trust-tinkerbell-ca-and-restart-docker.sh?
Note that the script will modify the host configuration using sudo, and it assumes the host is running Ubuntu and the systemd docker service exists. If that's fine, I can do that.

> I apologize that it's not well documented but the design philosophy here is:
> "Vagrant and Terraform are now only responsible for standing up infrastructure and then running docker-compose, not for running any glue scripts. The compose calls single-shot services to do all the glue required to get a fully functional Tinkerbell stack." ref: here

Can docker-compose.yml run scripts in the host?
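The two failure modes shown earlier in the thread (docker push failing with "x509: certificate signed by unknown authority", and curl only working with -k) are both the host not trusting the Tinkerbell CA. The sketch below is an added example, not the sandbox's own trust.sh or the Vagrant provisioner: it installs a CA PEM into the Ubuntu system store and into dockerd's per-registry directory, then checks the chain with curl --cacert rather than disabling verification. It assumes it runs as root (or via sudo), that update-ca-certificates and systemctl exist (Ubuntu with the systemd docker service, as rgl noted), and that the CA file path and registry host are passed in; the function names, the tinkerbell-ca.crt file name, and the RESTART_DOCKER switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not the sandbox project's trust.sh): trust a private
# registry CA on an Ubuntu docker host and verify the chain explicitly.
# Assumptions: run as root or via sudo; update-ca-certificates and
# systemctl are present; $1 is the CA PEM file, $2 the registry host.
set -eu

# Per-registry CA path. dockerd reads /etc/docker/certs.d/<host>/ when it
# opens a connection to that registry, so this route does not need a
# daemon restart (the system store does, since dockerd loads it at start).
docker_ca_path() {
    host="$1"
    [ -n "$host" ] || { echo "docker_ca_path: empty registry host" >&2; return 1; }
    printf '/etc/docker/certs.d/%s/ca.crt\n' "$host"
}

# Refuse to install anything that is not at least PEM-shaped.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

install_registry_ca() {
    ca_pem="$1"; host="$2"
    is_pem_cert "$ca_pem" || { echo "not a PEM certificate: $ca_pem" >&2; return 1; }

    # 1. System trust store (curl, apt, python, ...). update-ca-certificates
    #    only picks up files under /usr/local/share/ca-certificates with a
    #    .crt extension; "0 added" in the provisioner output means this step
    #    found nothing new.
    install -m 0644 "$ca_pem" /usr/local/share/ca-certificates/tinkerbell-ca.crt
    update-ca-certificates

    # 2. dockerd per-registry store; no restart needed for this path.
    target=$(docker_ca_path "$host")
    install -d -m 0755 "$(dirname "$target")"
    install -m 0644 "$ca_pem" "$target"

    # 3. Optional: restart dockerd so it also sees the CA via the system
    #    store (only matters for clients inside dockerd that do not use
    #    certs.d). Off by default because it interrupts running containers.
    if [ "${RESTART_DOCKER:-0}" = "1" ]; then
        systemctl restart docker
    fi
}

# A 401 from /v2/ means the TLS handshake succeeded and the registry is
# asking for credentials, which is the "working" state shown in the thread.
# Anything else (000 = handshake/connect failure) is reported as an error.
verify_registry_tls() {
    ca_pem="$1"; host="$2"
    code=$(curl --cacert "$ca_pem" -sS -o /dev/null -w '%{http_code}' \
        "https://$host/v2/" || echo 000)
    case "$code" in
        200|401) echo "TLS OK against $host (HTTP $code)"; return 0 ;;
        *) echo "TLS check failed against $host (HTTP $code)" >&2; return 1 ;;
    esac
}

# Usage: sudo sh trust-ca.sh /path/to/ca.pem 192.168.50.4
if [ "${1:-}" != "" ] && [ "${2:-}" != "" ]; then
    install_registry_ca "$1" "$2"
    verify_registry_tls "$1" "$2"
fi
```

The check at the end is the part worth keeping around: after the CA is installed, `curl https://192.168.50.4/v2/_catalog` without -k should return the registry's UNAUTHORIZED JSON rather than error 60, and `docker push` should no longer report an unknown authority. If the system-store route is used alone, dockerd must be restarted for pushes to work, which is why the original provisioner script name included "restart-docker".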
@jacobweinstock, ping? :-)
Hey @rgl, really sorry for the delayed response.
> You mean to move it to a script file at deploy/host/trust-tinkerbell-ca-and-restart-docker.sh?

That's an option. What do you think? The design idea for this repo is to keep concise as possible layers between what handles
I don't know if there's a clean way to handle this. The code added to the Vagrantfile isn't portable to Terraform right now. So Terraform users aren't able to take advantage of this TLS update.
@jacobweinstock, I've refactored the code into deploy/compose/tls/trust.sh which is now shared between Vagrant and Terraform.
Please check it again.
Description
See https://github.com/tinkerbell/sandbox/issues/105
I also took the opportunity to:
Why is this needed
See https://github.com/tinkerbell/sandbox/issues/105
Fixes: #105
How Has This Been Tested?
Tested locally by starting Tinkerbell with compose and vagrant.
How are existing users impacted? What migration steps/scripts do we need?
Should not be impacted.
Checklist:
I have: