vmware / vic

vSphere Integrated Containers Engine is a container runtime for vSphere.
http://vmware.github.io/vic

Admiral can't pull images from insecure registry (harbor) when creating a container using VIC-E #4706

Open hmahmood opened 7 years ago

hmahmood commented 7 years ago

While creating a container through the Admiral UI with VIC-E as the only docker host, I get the following error:

Service https://10.192.82.84:2376/v1.21/images/create?fromImage=10.192.92.136:443/library/alpine:latest returned error 500 for POST. id 129958; Reason: Head https://10.192.92.136:443/v2/: x509: certificate signed by unknown authority

I created my VCH with --insecure-registry <harbor-ip>, i.e. without specifying the port. Looking at the code path (https://github.com/vmware/vic/blob/master/lib/apiservers/engine/backends/image.go#L372), I see that we are matching the hostname we get from the create image request with the ip/host specified in the --insecure-registry option above; they don't match because the latter has the port missing.

Workaround: specify the port when using --insecure-registry vic-machine option.

stuclem commented 7 years ago

Sounds like a release note to me, @hmahmood. Adding the kind/note flag.

hmahmood commented 7 years ago

@stuclem yes; forgot to put that label on it yesterday.

stuclem commented 7 years ago

Proposed release note:



@hmahmood is this OK? One question: Since Registry always uses HTTPS and always uses a cert (custom or autogenerated) when deployed with the OVA, is this still an issue for vic-product?

hmahmood commented 7 years ago

@stuclem this is an issue as long as the cert cannot be validated. The vic-machine create --registry-ca option can be used to add a CA cert that was used to sign the registry's cert. If the cert cannot be validated, and the --insecure-registry option is used, the port has to be specified, as Admiral always uses the port, even when it is the standard https port. So two workarounds:

  1. Specify the CA cert with --registry-ca, or
  2. Specify the port when using --insecure-registry
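
The hostname comparison described in the first comment, and the reason the "specify the port" workaround from the list above works, as an added Go example that is not code from the vic repository: the registry portion of the image reference that Admiral sends ("10.192.92.136:443") is compared against the --insecure-registry value ("10.192.92.136"). An exact-string match fails; a match that first normalizes both sides to host:port succeeds. The default port of 443 for a reference with no port, and the Docker-style rule that the first path component is a registry only if it contains a dot, a colon or is "localhost", are assumptions made for this example; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// canonicalHostPort normalizes a registry reference to host:port.
// A reference without an explicit port is assumed to use 443, the
// standard https port (assumption for this example; it also means
// "--insecure-registry 10.192.92.136" does not cover 10.192.92.136:5000,
// so a registry on a non-standard port must still be listed with its port).
func canonicalHostPort(ref string) string {
	ref = strings.TrimPrefix(ref, "https://")
	ref = strings.TrimPrefix(ref, "http://")
	// drop any path after the host
	if i := strings.Index(ref, "/"); i >= 0 {
		ref = ref[:i]
	}
	host, port, err := net.SplitHostPort(ref)
	if err != nil {
		// no port present (or a bare IPv6 literal): assume 443
		host, port = ref, "443"
	}
	return net.JoinHostPort(host, port)
}

// registryHost extracts the registry part of an image reference using the
// usual Docker heuristic (assumed here): the first path component is a
// registry only if it contains '.' or ':' or is "localhost". An empty
// result means the default registry (Docker Hub).
func registryHost(image string) string {
	i := strings.Index(image, "/")
	if i < 0 {
		return ""
	}
	first := image[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return ""
}

// naiveInsecureMatch is the exact-string comparison the issue describes:
// it fails when one side carries a port and the other does not.
func naiveInsecureMatch(registry string, insecure []string) bool {
	for _, r := range insecure {
		if r == registry {
			return true
		}
	}
	return false
}

// portAwareInsecureMatch compares both sides after normalizing to host:port,
// so "10.192.92.136" and "10.192.92.136:443" are treated as the same registry.
func portAwareInsecureMatch(registry string, insecure []string) bool {
	want := canonicalHostPort(registry)
	for _, r := range insecure {
		if canonicalHostPort(r) == want {
			return true
		}
	}
	return false
}

func main() {
	// Image reference taken from the error message in the issue; the
	// --insecure-registry value is the port-less form that triggered it.
	image := "10.192.92.136:443/library/alpine:latest"
	insecure := []string{"10.192.92.136"}
	reg := registryHost(image)
	fmt.Println("registry:", reg)
	fmt.Println("naive match:     ", naiveInsecureMatch(reg, insecure))
	fmt.Println("port-aware match:", portAwareInsecureMatch(reg, insecure))
	// Workaround from the issue: list the registry with its port.
	fmt.Println("naive match with port listed:", naiveInsecureMatch(reg, []string{"10.192.92.136:443"}))
}
```

Note that normalizing only widens the match to the default port; a registry served on any other port must still be listed with that port, and where the registry's certificate chain is available, trusting the CA (the --registry-ca route mentioned above) avoids the insecure-registry path altogether.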

stuclem commented 7 years ago

Thanks @hmahmood. Updated as below:



Is this OK now? Thanks!

hmahmood commented 7 years ago

@stuclem looks good.

stuclem commented 7 years ago

Thanks @hmahmood