Is there a way to tell curl (inside Mesos) to use the --insecure flag (it 
turns off the CA certificate check), or to export SSL_NO_VERIFY=1?

But that sounds more like a hack; if you have a certificate it should work. Maybe 
you need to install the certificate system-wide and not just for Docker?

How did you install it? On Fedora, for example on your Docker node:

# keytool fetches the chain the server presents and -rfc prints it as PEM;
# the redirect runs as your own user, so write the anchor file via sudo tee
keytool -printcert -sslserver machinewithcertificate.domain:443 -rfc \
  | sudo tee /etc/pki/ca-trust/source/anchors/machinewithcertificate.domain.crt >/dev/null
sudo update-ca-trust
sudo systemctl restart docker
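A check worth running after the steps above, added here as an example and not part of the thread: it asks whether the CA you dropped into the anchors directory actually ended up in the bundle the host's curl reads (on Fedora/RHEL, update-ca-trust writes /etc/pki/tls/certs/ca-bundle.crt), by comparing SHA-256 fingerprints of the DER bodies, so line wrapping or a differently named file does not matter. If this passes for the bundle on the agent host but the Mesos fetcher still fails verification, the curl that Mesos invokes is reading a different trust store than your shell does, which is the situation Ben describes. The PEM blocks the script constructs are base64 of a label string, not real certificates; the hostname `mother` in the usage comment is taken from the thread, everything else is assumed.

```shell
#!/bin/sh
# Added example: is a given CA certificate present in a PEM bundle?
# Needs only a POSIX shell, awk, base64 and sha256sum (GNU coreutils / BusyBox).

# Print one line per certificate in a PEM file: the base64 body with all
# whitespace removed. Text outside the BEGIN/END markers is ignored.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# SHA-256 over the DER encoding of one certificate. For a real certificate this
# is the value "openssl x509 -noout -fingerprint -sha256" prints, minus colons.
der_sha256() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Fingerprint of the first certificate in a file (the CA you installed).
cert_fingerprint() {
    der_sha256 "$(pem_bodies "$1" | head -n 1)"
}

# Return 0 if the CA in file $1 appears anywhere in bundle $2, 1 otherwise.
ca_in_bundle() {
    want=$(cert_fingerprint "$1")
    found=$(pem_bodies "$2" | while IFS= read -r body; do
        if [ "$(der_sha256 "$body")" = "$want" ]; then echo yes; break; fi
    done)
    [ "$found" = "yes" ]
}

# --- constructed sample data (labels wrapped in PEM markers, not real DER) ---
make_pem() {
    out=$1; shift
    : > "$out"
    for label in "$@"; do
        {
            echo "-----BEGIN CERTIFICATE-----"
            printf 'constructed, not real DER: %s' "$label" | base64 | tr -d '\n' | fold -w 64
            echo
            echo "-----END CERTIFICATE-----"
        } >> "$out"
    done
}

# Stand-alone demonstration: a bundle without the lab CA, then with it appended
# (which is, in effect, what update-ca-trust does with files in anchors/).
tmp=$(mktemp -d)
make_pem "$tmp/bundle.crt" "Example Root 1" "Example Root 2"
make_pem "$tmp/lab-ca.crt" "Lab CA"
if ca_in_bundle "$tmp/lab-ca.crt" "$tmp/bundle.crt"; then
    echo "lab CA already trusted"
else
    echo "lab CA missing from bundle"
fi
cat "$tmp/lab-ca.crt" >> "$tmp/bundle.crt"
ca_in_bundle "$tmp/lab-ca.crt" "$tmp/bundle.crt" && echo "lab CA now trusted"
rm -rf "$tmp"

# On a real Fedora/RHEL host, after update-ca-trust (paths assumed, host from the thread):
#   ca_in_bundle /etc/pki/ca-trust/source/anchors/mother.crt \
#                /etc/pki/tls/certs/ca-bundle.crt && echo "curl will trust mother"
```

Run it with no arguments to see the constructed walk-through; point `ca_in_bundle` at your own anchor file and the system bundle to check a host.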



-----Original Message-----
From: Benjamin Wulff <benjamin.wulff...@ieee.org>
Sent: Thursday, August 27, 2020 11:05 AM
To: user@mesos.apache.org
Subject: Re: Docker registry without HTTPS

Hi Jose,

yes, I configured the registry as an insecure registry. I also verified that I 
can use the docker command to pull from this registry:

docker pull mother:5000/ben/experiment:1

But the problem is that Mesos calls curl to query the registry (I suppose) (1).

The point where I am at right now is:
- when using a registry with HTTP: mesos curl fails because it assumes HTTPS 
and the registry answers in HTTP
- when using a registry with HTTPS: mesos curl fails because it doesn’t know my 
CA certificate

What’s puzzling me is that I have installed the CA cert in the OS’s trust store 
and when I run curl on the command line

curl https://mother:5000/v2/_catalog

then it works. I can see in (1) that mesos seems to use the curl that is 
installed in the host OS, see (1) line 158. It uses Subprocess and calls ‘curl’, 
which should result in calling the curl that is installed in the OS. That should 
be the same curl that is available to users in the console.

Thanks,
Ben



(1) https://github.com/apache/mesos/blob/master/src/uri/fetchers/docker.cpp#L104

> On 27. Aug 2020, at 16:06, Jose Nunez <jnu...@striketechnologies.com> wrote:
>
> Hello,
>
> I do not use Mesos currently, but this is what I did in the Docker settings.
>
> If you don't care about encryption you can tell docker to use an insecure 
> registry. On /etc/docker/daemon.json:
>
> {
>    "insecure-registries" : [ "myregistrymachine.domain:port" ],
>    "features": {
>        "buildkit": true
>    }
> }
>
> Where port is your registry port (5000, etc.)
>
> Then restart the Docker daemon (systemctl restart docker.service, for 
> example).
>
> And confirm the insecure registry is there: docker info
>
> If you have set up user authentication you can test this with docker login:
>
> docker login myregistrymachine.domain:port
>
> [YYYY@ZXXXX ~]$ docker login myregistrymachine.domain:port
> Authenticating with existing credentials...
> WARNING! Your password will be stored unencrypted in 
> /home/YYYY/.docker/config.json.
> Configure a credential helper to remove this warning. See
> https://docs.docker.com/engine/reference/commandline/login/#credentials-store
>
> Login Succeeded
>
>
> Hope this helps.
>
> --Jose
>
> -----Original Message-----
> From: Benjamin Wulff <benjamin.wulff...@ieee.org>
> Sent: Thursday, August 27, 2020 9:58 AM
> To: user@mesos.apache.org
> Subject: Docker registry without HTTPS
>
> Hi all,
>
> I’m running a Docker registry in my cluster network that does plain HTTP, no 
> HTTPS. I tried to configure it using the docker_registry and docker_config 
> options, providing an http:// address. When I try to run a Docker image in a 
> task it fails and I see in the log a message that CURL SSL got a malformed TLS 
> answer. So apparently Mesos still tells curl to do whatever it should do via 
> HTTPS.
>
> I have seen posts that seem to indicate that it will switch to HTTP 
> automatically when you provide port ‘:80’ as part of the URI for the 
> registry. However, I cannot put the registry on 80 because there is already a 
> web server sitting there that is used for distributing artefacts in the cluster.
>
> --> Is there a way to tell Mesos (respectively curl) to use HTTP instead of 
> HTTPS?
>
> Thanks and best regards,
> Ben
>
> PS: I also saw in the logs:
>
> curl: option --http1.1: is unknown
> curl: try 'curl --help' or 'curl --manual' for more information
>
> ________________________________
>
> CONFIDENTIALITY / PRIVILEGE NOTICE: This transmission and any attachments are 
> intended solely for the addressee. This transmission is covered by the 
> Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521. The information 
> contained in this transmission is confidential in nature and protected from 
> further use or disclosure under U.S. Pub. L. 106-102, 113 U.S. Stat. 1338 
> (1999), and may be subject to attorney-client or other legal privilege. Your 
> use or disclosure of this information for any purpose other than that 
> intended by its transmittal is strictly prohibited, and may subject you to 
> fines and/or penalties under federal and state law. If you are not the 
> intended recipient of this transmission, please DESTROY ALL COPIES RECEIVED 
> and confirm destruction to the sender via return transmittal.
