Re: accessing secure registry on master isn't possible?

2016-04-08 Thread Maciej Szulik
Have you checked with --insecure-flag as well, if the problem exists?

On Fri, Apr 8, 2016 at 11:17 AM, Den Cowboy <dencow...@hotmail.com> wrote:

> I'm using the ca.crt from /etc/origin/master/ca.crt and
> /etc/origin/node/ca.crt
>
> --
> Date: Fri, 8 Apr 2016 11:02:19 +0200
>
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
>
> On Fri, Apr 8, 2016 at 8:27 AM, Den Cowboy <dencow...@hotmail.com> wrote:
>
> Yes I performed the same steps on my master as on my nodes. This is the
> error:
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> Error response from daemon: invalid registry endpoint
> https://172.30.109.95:5000/v0/: unable to ping registry endpoint
> https://172.30.xx.xx:5000/v0/
> v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/:
> dial tcp 172.30.xx.xx:5000: i/o timeout
>  v1 ping attempt failed with error: Get
> https://172.30.xx.xx:5000/v1/_ping: dial tcp 172.30.xx.xx:5000: i/o
> timeout. If this private registry supports only HTTP or HTTPS with an
> unknown CA certificate, please add `--insecure-registry 172.30.xx.xx:5000`
> to the daemon's arguments. In the case of HTTPS, if you have access to the
> registry's CA certificate, no need for the flag; simply place the CA
> certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt
>
>
> Do you have the CA cert in /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt?
> The log you're seeing is the usual log that happens when you're using
> self-signed certs for registry. Eventually make sure the above CA is the
> right one.
>
>
> While on all my 3 nodes:
>
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> WARNING: login credentials saved in /root/.docker/config.json
> Login Succeeded
>
> --
> Date: Thu, 7 Apr 2016 22:02:06 +0200
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
> Per
> https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
> steps 11 and 12,
> I assume you've copied the CA certificate to the Docker certificates
> directory on all nodes and restarted the docker service.
> Did you also do that on master as well? Without it any docker operation
> will fail with a certificate check failure.
> What is the error you're seeing and what is the operation you're trying to
> do?
>
>
> On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy <dencow...@hotmail.com> wrote:
>
> I've created a secure registry on 1.1.6.
> For the first time I've created my environment with 1 real master and 3
> nodes (one infra). (The reason for this is that I'm using the community
> ansible aws setup:
> https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
> Normally my master is also an unschedulable node. Now I've secured my
> registry.
> I'm able to log in and push to the registry from my nodes but not from my
> master?
> Is this normal? If yes, why is it that way?
> I don't think it's an issue because the images will always be pulled and
> pushed on my nodes, because my containers can only run there, but I want to
> know if it's a known thing.
>
> Thanks
>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
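
The checks this thread turns on, as an added example that is not from either poster or from the OpenShift project: it separates the connect-timeout text in the quoted `docker login` error from an x509 trust failure, and confirms that the `ca.crt` under `/etc/docker/certs.d/<registry>/` is byte-identical to the cluster CA. The function names are hypothetical and the values in the demo call are constructed from the placeholders used in the thread.

```shell
#!/bin/sh
# Added example: triage a failed `docker login` against a secured registry.
# Paths follow the thread; function names are hypothetical.

# Classify docker's error text: network reachability vs. TLS trust.
classify_login_error() {
    case "$1" in
        *"i/o timeout"*|*"connection refused"*|*"no route to host"*)
            echo network ;;  # TCP connect never completed, so no certificate was examined
        *"x509:"*|*"certificate signed by unknown authority"*)
            echo tls ;;      # the registry answered, but its CA is not trusted
        *)
            echo other ;;
    esac
}

# Check the per-registry CA file that the Docker daemon reads.
# $1 registry host:port, $2 cluster CA file, $3 certs.d root (optional)
check_registry_ca() {
    registry=$1; cluster_ca=$2; root=${3:-/etc/docker/certs.d}
    installed="$root/$registry/ca.crt"
    if [ ! -f "$installed" ]; then
        echo missing
    elif ! cmp -s "$installed" "$cluster_ca"; then
        echo mismatch        # a ca.crt exists but differs from (or cannot be compared with) the cluster CA
    else
        echo ok
    fi
}

# One-line verdict for a host: what kind of error, and is the CA in place.
triage() {
    kind=$(classify_login_error "$1")
    ca=$(check_registry_ca "$2" "$3" "$4")
    echo "error=$kind ca=$ca"
}

# Demo with constructed input; on a host without these files the CA reads "missing".
triage "dial tcp 172.30.xx.xx:5000: i/o timeout" \
       "172.30.xx.xx:5000" /etc/origin/master/ca.crt
```

Run it on the master and on a node and compare the two verdicts: `error=network` means the registry address is not reachable from that host at all, whatever the state of `ca.crt`.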


RE: accessing secure registry on master isn't possible?

2016-04-08 Thread Den Cowboy
I'm using the ca.crt from /etc/origin/master/ca.crt and /etc/origin/node/ca.crt 

Date: Fri, 8 Apr 2016 11:02:19 +0200
Subject: Re: accessing secure registry on master isn't possible?
From: maszu...@redhat.com
To: dencow...@hotmail.com
CC: users@lists.openshift.redhat.com



On Fri, Apr 8, 2016 at 8:27 AM, Den Cowboy <dencow...@hotmail.com> wrote:



Yes I performed the same steps on my master as on my nodes. This is the error:
sudo docker login -u admin -e m...@mail.com \
> -p token 172.30.xx.xx:5000
Error response from daemon: invalid registry endpoint 
https://172.30.109.95:5000/v0/: unable to ping registry endpoint 
https://172.30.xx.xx:5000/v0/
v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/: dial tcp 
172.30.xx.xx:5000: i/o timeout
 v1 ping attempt failed with error: Get https://172.30.xx.xx:5000/v1/_ping: 
dial tcp 172.30.xx.xx:5000: i/o timeout. If this private registry supports only 
HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 
172.30.xx.xx:5000` to the daemon's arguments. In the case of HTTPS, if you have 
access to the registry's CA certificate, no need for the flag; simply place the 
CA certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt


Do you have the CA cert in /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt?
The log you're seeing is the usual log that happens when you're using
self-signed certs for registry. Eventually make sure the above CA is the
right one.

While on all my 3 nodes:

sudo docker login -u admin -e m...@mail.com \
> -p token 172.30.xx.xx:5000
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

Date: Thu, 7 Apr 2016 22:02:06 +0200
Subject: Re: accessing secure registry on master isn't possible?
From: maszu...@redhat.com
To: dencow...@hotmail.com
CC: users@lists.openshift.redhat.com

Per
https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
steps 11 and 12,
I assume you've copied the CA certificate to the Docker certificates directory
on all nodes and restarted the docker service.
Did you also do that on master as well? Without it any docker operation will
fail with a certificate check failure.
What is the error you're seeing and what is the operation you're trying to do?


On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy <dencow...@hotmail.com> wrote:



I've created a secure registry on 1.1.6.
For the first time I've created my environment with 1 real master and 3 nodes
(one infra). (The reason for this is that I'm using the community ansible
aws setup:
https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
Normally my master is also an unschedulable node. Now I've secured my registry.
I'm able to log in and push to the registry from my nodes but not from my
master?
Is this normal? If yes, why is it that way?
I don't think it's an issue because the images will always be pulled and pushed
on my nodes, because my containers can only run there, but I want to know if
it's a known thing.

Thanks

  



Re: accessing secure registry on master isn't possible?

2016-04-08 Thread Maciej Szulik
On Fri, Apr 8, 2016 at 8:27 AM, Den Cowboy <dencow...@hotmail.com> wrote:

> Yes I performed the same steps on my master as on my nodes. This is the
> error:
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> Error response from daemon: invalid registry endpoint
> https://172.30.109.95:5000/v0/: unable to ping registry endpoint
> https://172.30.xx.xx:5000/v0/
> v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/:
> dial tcp 172.30.xx.xx:5000: i/o timeout
>  v1 ping attempt failed with error: Get
> https://172.30.xx.xx:5000/v1/_ping: dial tcp 172.30.xx.xx:5000: i/o
> timeout. If this private registry supports only HTTP or HTTPS with an
> unknown CA certificate, please add `--insecure-registry 172.30.xx.xx:5000`
> to the daemon's arguments. In the case of HTTPS, if you have access to the
> registry's CA certificate, no need for the flag; simply place the CA
> certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt
>
>
Do you have the CA cert in /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt?
The log you're seeing is the usual log that happens when you're using
self-signed certs for registry. Eventually make sure the above CA is the
right one.


> While on all my 3 nodes:
>
> sudo docker login -u admin -e m...@mail.com \
> > -p token 172.30.xx.xx:5000
> WARNING: login credentials saved in /root/.docker/config.json
> Login Succeeded
>
> ------
> Date: Thu, 7 Apr 2016 22:02:06 +0200
> Subject: Re: accessing secure registry on master isn't possible?
> From: maszu...@redhat.com
> To: dencow...@hotmail.com
> CC: users@lists.openshift.redhat.com
>
>
> Per
> https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
> steps 11 and 12,
> I assume you've copied the CA certificate to the Docker certificates
> directory on all nodes and restarted the docker service.
> Did you also do that on master as well? Without it any docker operation
> will fail with a certificate check failure.
> What is the error you're seeing and what is the operation you're trying to
> do?
>
>
> On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy <dencow...@hotmail.com> wrote:
>
> I've created a secure registry on 1.1.6.
> For the first time I've created my environment with 1 real master and 3
> nodes (one infra). (The reason for this is that I'm using the community
> ansible aws setup:
> https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
> Normally my master is also an unschedulable node. Now I've secured my
> registry.
> I'm able to log in and push to the registry from my nodes but not from my
> master?
> Is this normal? If yes, why is it that way?
> I don't think it's an issue because the images will always be pulled and
> pushed on my nodes, because my containers can only run there, but I want to
> know if it's a known thing.
>
> Thanks
>
>


RE: accessing secure registry on master isn't possible?

2016-04-08 Thread Den Cowboy
Yes I performed the same steps on my master as on my nodes. This is the error:
sudo docker login -u admin -e m...@mail.com \
> -p token 172.30.xx.xx:5000
Error response from daemon: invalid registry endpoint 
https://172.30.109.95:5000/v0/: unable to ping registry endpoint 
https://172.30.xx.xx:5000/v0/
v2 ping attempt failed with error: Get https://172.30.xx.xx:5000/v2/: dial tcp 
172.30.xx.xx:5000: i/o timeout
 v1 ping attempt failed with error: Get https://172.30.xx.xx:5000/v1/_ping: 
dial tcp 172.30.xx.xx:5000: i/o timeout. If this private registry supports only 
HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry 
172.30.xx.xx:5000` to the daemon's arguments. In the case of HTTPS, if you have 
access to the registry's CA certificate, no need for the flag; simply place the 
CA certificate at /etc/docker/certs.d/172.30.xx.xx:5000/ca.crt

While on all my 3 nodes:

sudo docker login -u admin -e m...@mail.com \
> -p token 172.30.xx.xx:5000
WARNING: login credentials saved in /root/.docker/config.json
Login Succeeded

Date: Thu, 7 Apr 2016 22:02:06 +0200
Subject: Re: accessing secure registry on master isn't possible?
From: maszu...@redhat.com
To: dencow...@hotmail.com
CC: users@lists.openshift.redhat.com

Per
https://docs.openshift.org/latest/install_config/install/docker_registry.html#securing-the-registry,
steps 11 and 12,
I assume you've copied the CA certificate to the Docker certificates directory
on all nodes and restarted the docker service.
Did you also do that on master as well? Without it any docker operation will
fail with a certificate check failure.
What is the error you're seeing and what is the operation you're trying to do?


On Thu, Apr 7, 2016 at 4:20 PM, Den Cowboy <dencow...@hotmail.com> wrote:



I've created a secure registry on 1.1.6.
For the first time I've created my environment with 1 real master and 3 nodes
(one infra). (The reason for this is that I'm using the community ansible
aws setup:
https://github.com/openshift/openshift-ansible/blob/master/README_AWS.md)
Normally my master is also an unschedulable node. Now I've secured my registry.
I'm able to log in and push to the registry from my nodes but not from my
master?
Is this normal? If yes, why is it that way?
I don't think it's an issue because the images will always be pulled and pushed
on my nodes, because my containers can only run there, but I want to know if
it's a known thing.

Thanks

  
