Open hmahmood opened 7 years ago
Sounds like a release note to me, @hmahmood. Adding the kind/note flag.
@stuclem yes; forgot to put that label on it yesterday.
Proposed release note:
vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4557
Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.
Workaround: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create --insecure-registry option.
@hmahmood is this OK? One question: Since Registry always uses HTTPS and always uses a cert (custom or autogenerated) when deployed with the OVA, is this still an issue for vic-product?
@stuclem this is an issue as long as the cert cannot be validated. The vic-machine create --registry-ca can be used to add a CA cert that was used to sign the registry's cert. If the cert cannot be validated, and the --insecure-registry option is used, the port has to be specified as Admiral always uses the port, even when it is the standard https port. So two workarounds: --registry-ca, or --insecure-registry
Thanks @hmahmood. Updated as below:
vSphere Integrated Containers Management Portal cannot pull images from an insecure vSphere Integrated Containers instance when creating a container using vSphere Integrated Containers Engine. #4706
Creating a container in vSphere Integrated Containers Management Portal with vSphere Integrated Containers Engine as the only Docker host results in the error certificate signed by unknown authority.
Workarounds: Specify the vSphere Integrated Containers Registry port when you set the vic-machine create --insecure-registry option, or provide a CA certificate in the --registry-ca option.
Is this OK now? Thanks!
@stuclem looks good.
Thanks @hmahmood
While creating a container through the Admiral UI with VIC-E as the only docker host, I get the following error:
I created my VCH with --insecure-registry <harbor-ip>, i.e. without specifying the port. Looking at the code path (https://github.com/vmware/vic/blob/master/lib/apiservers/engine/backends/image.go#L372), I see that we are matching the hostname we get from the create image request with the ip/host specified in the --insecure-registry option above; they don't match because the latter has the port missing.
Workaround: specify the port when using the --insecure-registry vic-machine option.
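The mismatch described in this issue, as an added Go example that is not taken from the vic code base: an exact string comparison fails when the request carries `host:port` and the configured entry has no port, while a comparison on normalized host and port succeeds without widening the exemption to other ports. The function names, the sample addresses, and the choice to read a port-less entry as port 443 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitHostPort returns a lower-cased host and a port. An entry without a
// port is read as port 443 (assumption: the registry is served over HTTPS).
func splitHostPort(entry string) (host, port string) {
	if h, p, err := net.SplitHostPort(entry); err == nil {
		return strings.ToLower(h), p
	}
	return strings.ToLower(strings.Trim(entry, "[]")), "443"
}

// naiveMatch is the exact string comparison the issue describes:
// "host:443" from the request never equals a configured "host".
func naiveMatch(requestHost string, insecure []string) bool {
	for _, e := range insecure {
		if e == requestHost {
			return true
		}
	}
	return false
}

// normalizedMatch compares host and port separately, so a port-less entry
// covers only the default port and not every port on that host.
func normalizedMatch(requestHost string, insecure []string) bool {
	rh, rp := splitHostPort(requestHost)
	for _, e := range insecure {
		if eh, ep := splitHostPort(e); eh == rh && ep == rp {
			return true
		}
	}
	return false
}

func main() {
	insecure := []string{"192.0.2.10"} // constructed: entry given without a port
	fmt.Println(naiveMatch("192.0.2.10:443", insecure))       // request with port
	fmt.Println(normalizedMatch("192.0.2.10:443", insecure))  // same request
	fmt.Println(normalizedMatch("192.0.2.10:5000", insecure)) // other port
}
```

Keeping the port in the comparison means an exemption from certificate validation applies only to the endpoint that was configured; the `--registry-ca` workaround from the thread avoids the exemption altogether.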