Setup self-signed TLS certs for a registry POD - macos

I created a private Docker registry POD in my Kubernetes cluster.
Here are the relevant settings for the pod:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
private-repository-k8s-686564966d-8grr8 1/1 Running 2 (7h10m ago) 9d
$ kubectl describe pods private-repository-k8s-686564966d-8grr8
...
Containers:
private-repository-k8s:
Container ID: docker://faadba7513c6a1bae6ab96480fcc230ae94a1c8e27c20928f3f93bfd2e7b7714
Image: registry:2
Image ID: docker-pullable://registry@sha256:265d4a5ed8bf0df27d1107edb00b70e658ee9aa5acb3f37336c5a17db634481e
Port: 5000/TCP
Host Port: 0/TCP
State: Running
Started: Tue, 05 Oct 2021 14:49:07 -0700
Last State: Terminated
Reason: Error
Exit Code: 2
Started: Sun, 26 Sep 2021 16:36:48 -0700
Finished: Tue, 05 Oct 2021 14:48:43 -0700
Ready: True
Restart Count: 2
Environment:
REGISTRY_HTTP_TLS_CERTIFICATE: /certs/registry.crt
REGISTRY_HTTP_TLS_KEY: /certs/registry.key
Mounts:
/certs from certs-vol (rw)
/var/lib/registry from registry-vol (rw)
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mqknd (ro)
...
Volumes:
certs-vol:
Type: HostPath (bare host directory volume)
Path: /opt/certs
HostPathType: Directory
registry-vol:
Type: HostPath (bare host directory volume)
Path: /opt/registry
HostPathType: Directory
kube-api-access-mqknd:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
I generated the certs on the master as follows:
$ sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout \
/opt/certs/registry.key -x509 -days 365 -out /opt/certs/registry.crt
Then the folder with the crt and key files are shared via NFS mount across all of the workers.
When I try to push an image from outside the k8s cluster, I get the following error:
$ docker push k8s-master:31320/nginx:1.17
The push refers to repository [k8s-master:31320/nginx]
Get "https://k8s-master:31320/v2/": x509: certificate is not valid for any names, but wanted to match k8s-master
The logs from the POD show this:
$ kubectl logs private-repository-k8s-686564966d-8grr8 -f
...
2021/10/06 05:06:02 http: TLS handshake error from 10.108.82.192:28058: remote error: tls: bad certificate
This proves to me that the request is hitting the POD, but the TLS certs weren't set up properly.
I'm trying to push the Docker image from my macOS client to this private Docker registry on a k8s server (each node in the server running Ubuntu).
I'm a bit shaky on the TLS stuff, but my understanding is that I'm using a self-signed cert (which should be fine as I'm only accessing this from my internal network). But I assume I need to do something from my Mac client to set up the TLS certs in order to access the registry. I have already tried adding the crt and key files to my Keychain and that didn't work. I cannot figure out what to do here.
I'm using these instructions:
https://www.linuxtechi.com/setup-private-docker-registry-kubernetes/
I'm running k8s v1.22.0. I have 4 VMs running Ubuntu 20.04.2 LTS inside a single rack server using VMware ESXi: 1 master, 3 worker VMs. I'm trying to push the docker image from my MacBook.

First, I found the CN (Common Name) was not set up properly in the certificate (reference: https://github.com/docker/for-linux/issues/248). Once I regenerated the certificate I hit this issue:
$ docker push k8s-master:31320/nginx:1.17
The push refers to repository [k8s-master:31320/nginx]
Get "https://k8s-master:31320/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Then I found I needed to add SAN (subjectAltName) to the certificate. I did this as follows:
$ sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout /opt/certs/registry.key -x509 -days 365 -out /opt/certs/registry.crt -addext "subjectAltName = DNS:k8s-master, DNS:k8s-master.local"
I restarted the registry pod and then I ran into this error:
$ docker push k8s-master:31320/nginx:1.17
The push refers to repository [k8s-master:31320/nginx]
Get "https://k8s-master:31320/v2/": x509: certificate signed by unknown authority
At this point, I realized the macOS client needed the certificate installed into the Keychain. I downloaded the registry.crt file and installed it in Keychain (drag and drop). I also had to go into the Keychain, double-click on the certificate, open the "Trust" drop down and select "Always Trust". Then I restarted Docker on my macOS.
At this point push started to work:
$ docker push k8s-master:31320/nginx:1.17
The push refers to repository [k8s-master:31320/nginx]
65e1ea1dc98c: Pushed
88891187bdd7: Pushed
6e109f6c2f99: Pushed
0772cb25d5ca: Pushed
525950111558: Pushed
476baebdfbf7: Pushed
1.17: digest: sha256:39065444eb1acb2cfdea6373ca620c921e702b0f447641af5d0e0ea1e48e5e04 size: 1570
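The three errors above come from Go's crypto/x509 verifier, which the docker client uses, and they are hit in a fixed order: host-name match first, then chain building to a trusted root. The following is an added example (not from the question, the linked guide, or Docker) that reproduces each stage with in-memory self-signed certificates; the names k8s-master and k8s-master.local are taken from the answer, and "trusted" stands in for the Keychain "Always Trust" step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned stands in for `openssl req -x509`: dnsNames nil gives the first cert (CN only, no SAN), names give the regenerated one (-addext "subjectAltName = ...").
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "k8s-master"}, // Go 1.17+ never matches on CN
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: true, // openssl req -x509 sets CA:TRUE by default
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify runs the docker client's check (crypto/x509 Verify against the registry host name) and reports the failing stage; trusted=true stands in for "Always Trust" in Keychain.
func classify(cert *x509.Certificate, host string, trusted bool) string {
	roots := x509.NewCertPool() // empty: nothing is trusted until the cert is added
	if trusted {
		roots.AddCert(cert)
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	switch err.(type) {
	case nil:
		return "ok"
	case x509.HostnameError: // "not valid for any names" / "legacy Common Name field"
		return "hostname"
	case x509.UnknownAuthorityError: // "certificate signed by unknown authority"
		return "unknown-authority"
	}
	return "other"
}
```

Note that the host-name check runs before the trust check, so a cert that is trusted but presented under a name missing from its SAN list still fails the same way the first cert did.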

kubectl giving error: Unable to connect to the server: x509: certificate signed by unknown authority

docker desktop on mac is getting error:
Unable to connect to the server: x509: certificate signed by unknown authority
The following answers didn't help much:
My system details:
Operating system: macOS Big Sur Version 11.6
Docker desktop version: v20.10.12
Kubernetes version: v1.22.5
When I do:
kubectl get pods
I get the below error:
Unable to connect to the server: x509: certificate signed by unknown authority
Posting the answer from comments
As it turned out after additional questions and answers, there was a previous installation of a rancher cluster which left its traces: a certificate and context in ~/.kube/config.
The solution in this case for local development/testing is to delete the ~/.kube folder with the configs entirely and init the cluster from scratch.
If you are using a corporate laptop, and everything you do goes through a proxy, you will get this message. Hence, when docker desktop tries to connect to the server defined in ~/.kube/config, it will try to go through the proxy and you will need the cert issued by the company. Long story short, you are getting blocked by the company... To fix, you can add the no proxy props, adding whatever value server: internal.docker defined in ~/.kube/config has. Meaning, if I am connecting to a docker cluster which runs locally on my laptop, do not direct my traffic through the proxy.
When doing docker info, after setting no proxy, you should see something like this.
docker info | grep -i proxy
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal,localhost,127.0.0.1,.local,.us.example.com,.examplecorp.com,.examplevcn.com,kubernetes.docker.internal
hubproxy.docker.internal:5000

LetsEncrypt cert as p12 fails instanceof CertEntry test in Spring Boot

I used LetsEncrypt's certbot to generate the cert and key pems:
sudo certbot certonly -a standalone -d footeware.ca
...and converted them to a p12:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
I moved the p12 to my development machine into my eclipse project's resources folder.
When I start the application and debug thru sun.security.pkcs12.PKCS12KeyStore#engineIsCertificateEntry, it finds the aliased entry but states it's not an instanceof sun.security.pkcs12.PKCS12KeyStore.CertEntry but rather a sun.security.pkcs12.PKCS12KeyStore$PrivateKeyEntry and so it fails with:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
keytool -list on the p12:
Alias name: tomcat
Creation date: Jan. 3, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=footeware.ca
Issuer: CN=R3, O=Let's Encrypt, C=US
What have I done wrong? Should the PrivateKeyEntry be something else?
Thanks @Saif for that link.
I did:
sudo update-ca-certificates -f
sudo /var/lib/dpkg/info/ca-certificates-java.postinst configure
...and used my original keystore.p12 (seems there was nothing wrong with it).
The solution was to change my application.properties' values to:
server.ssl.trust-store=file:/etc/ssl/certs/java/cacerts
server.ssl.trust-store-password=changeit
server.ssl.trust-store-type=JKS
I had been setting those properties to the keystore.p12 thinking they were one and the same (noob).
I deployed and started the application jar, set my router to forward 443 to my server@8443 (instead of 80 to 8090 as it was) and I'm in with a happy https indicator!
Now I just have to fix the broken css that upgrading bootstrap seems to have caused. Pain that the cert prevents me from using localhost now as it only supports footeware.ca.
Any ideas there?

Cannot connect to the Docker daemon at tcp://xxx.xxx.xx.xxx:2375. Is the docker daemon running?

I'm using Gitlab and Docker to get continuous integration for my Spring Boot application and I'm getting this error:
Cannot connect to the Docker daemon at tcp://xxx.xxx.xx.xxx:2375. Is the docker daemon running?
.development.env:
export SPRING_ACTIVE_PROFILE='development'
export DOCKER_REPO='DOCKER_HUB_ID/app_name:dev'
export APP_NAME='app_name_dev'
export PORT='8080'
export SERVER_IP='xxx.xxx.xx.xxx' #SERVER_IP
export SERVER_SSH_KEY="$DEV_SSH_PRIVATE_KEY"
export DOCKER_HOST='tcp://xxx.xxx.xx.xxx:2375' #SERVER_IP
.gitlab-ci.yml
services:
  - docker:19.03.7-dind
stages:
  - build and push docker image
docker build:
  image: docker:stable
  stage: build and push docker image
  before_script:
    - source .${CI_COMMIT_REF_NAME}.env #.development.env
  script:
    - docker build --build-arg SPRING_ACTIVE_PROFILE=$SPRING_ACTIVE_PROFILE -t $DOCKER_REPO .
    - docker login -u $DOCKER_USER -p $DOCKER_PASSWORD docker.io
    - docker push $DOCKER_REPO
This is the whole logs from gitlab:
Running with gitlab-runner 13.5.0 (ece86343)
on gitlab-server JuhWVkPJ
Preparing the "docker" executor
00:38
Using Docker executor with image docker:stable ...
Starting service docker:19.03.7-dind ...
Pulling docker image docker:19.03.7-dind ...
Using docker image sha256:14af3ba31e635475ec8f7fbe17470424514777621e627a91c41bbbe028dbae16 for docker:19.03.7-dind with digest docker@sha256:2683fcdf7480ea101415833f7793fb058c5f20227890a953b0a70bfc350af5bc ...
Waiting for services to be up and running...
*** WARNING: Service runner-juhwvkpj-project-13-concurrent-0-7c99eb8ace2e2ae6-docker-0 probably didn't start properly.
Health check error:
service "runner-juhwvkpj-project-13-concurrent-0-7c99eb8ace2e2ae6-docker-0-wait-for-service" timeout
Health check container logs:
Service container logs:
2020-12-30T03:14:07.879506461Z Generating RSA private key, 4096 bit long modulus (2 primes)
2020-12-30T03:14:08.459745140Z ..............................................++++
2020-12-30T03:14:08.673203110Z ..................++++
2020-12-30T03:14:08.673231544Z e is 65537 (0x010001)
2020-12-30T03:14:08.713960023Z Generating RSA private key, 4096 bit long modulus (2 primes)
2020-12-30T03:14:08.851463609Z ..............++++
2020-12-30T03:14:09.403244538Z .....................................................++++
2020-12-30T03:14:09.403286293Z e is 65537 (0x010001)
2020-12-30T03:14:09.516423752Z Signature ok
2020-12-30T03:14:09.516463300Z subject=CN = docker:dind server
2020-12-30T03:14:09.516471290Z Getting CA Private Key
2020-12-30T03:14:09.536975767Z /certs/server/cert.pem: OK
2020-12-30T03:14:09.553642146Z Generating RSA private key, 4096 bit long modulus (2 primes)
2020-12-30T03:14:09.927078677Z ...................................................++++
2020-12-30T03:14:10.107451624Z ...................++++
2020-12-30T03:14:10.108457646Z e is 65537 (0x010001)
2020-12-30T03:14:10.156096074Z Signature ok
2020-12-30T03:14:10.156125397Z subject=CN = docker:dind client
2020-12-30T03:14:10.156302268Z Getting CA Private Key
2020-12-30T03:14:10.178703934Z /certs/client/cert.pem: OK
2020-12-30T03:14:10.194290163Z mount: permission denied (are you root?)
2020-12-30T03:14:10.194438175Z Could not mount /sys/kernel/security.
2020-12-30T03:14:10.194456604Z AppArmor detection and --privileged mode might break.
2020-12-30T03:14:10.195933829Z mount: permission denied (are you root?)
*********
Pulling docker image docker:stable ...
Using docker image sha256:b0757c55a1fdbb59c378fd34dde3e12bd25f68094dd69546cf5ca00ddbaa7a33 for docker:stable with digest docker@sha256:fd4d028713fd05a1fb896412805daed82c4a0cc84331d8dad00cb596d7ce3e3a ...
Preparing environment
00:01
Running on runner-juhwvkpj-project-13-concurrent-0 via gitlab-server...
Getting source from Git repository
00:03
Fetching changes with git depth set to 50...
Reinitialized existing Git repository in /builds/abdallah/harvis/.git/
Checking out 5568bbc9 as DM_Module...
Skipping Git submodules setup
Executing "step_script" stage of the job script
00:36
$ source .${CI_COMMIT_REF_NAME}.env
$ whoami
root
$ docker build --build-arg SPRING_ACTIVE_PROFILE=$SPRING_ACTIVE_PROFILE -t $DOCKER_REPO .
Cannot connect to the Docker daemon at tcp://xxx.xxx.xx.xxx:2375. Is the docker daemon running?
Cleaning up file based variables
00:01
ERROR: Job failed: exit code 1
I think the error is in DOCKER_HOST, what should I assign it?
I'd appreciate any help or suggestion.
The Docker daemon can listen for Docker Engine API requests via three different types of socket: unix, tcp, and fd.
Your docker daemon is trying to connect via tcp (2375), and it seems not enabled.
You need to start the docker daemon with -H tcp://<ip>:2375
or put it in /etc/docker/daemon.json:
{
  "hosts": ["tcp://<ip>:2375", "unix:///var/run/docker.sock"]
}
EDIT
Binding to 0.0.0.0 is dangerous as David pointed out.

Can't configure Docker to use Burp Suite proxy on Catalina

I'm trying to use Docker with a proxy server that has its own CA cert. I can't figure out how to configure the proxy for all containers running under my user without installing the certificate on each one. Any help with this would be much appreciated!
I'm using Docker Desktop Docker version 19.03.13, build 4484c46d9d, on OS X Catalina 10.15.4. Burp Suite proxies all the HTTP requests on my computer. I have the Burp Suite CA certificate installed in my OS X Login and System keychains. When I configure the proxy in my ~/.docker/config.json file, it points to the correct proxy but I get an error:
Errno::ECONNREFUSED: Failed to open TCP connection to 127.0.0.1:8080
When I install the Burp Suite certificate directly in the Docker container, I'm able to proxy requests with no additional config necessary (including environment variables or config.json changes). However, I run a lot of Docker containers, most of them standardised for multiple dev environments, and don't want to modify every Dockerfile when only my machine needs this.
This is the relevant part of my ~/.docker/config.json file:
{
  "proxies": {
    "default": {
      "httpProxy": "http://127.0.0.1:8080",
      "httpsProxy": "https://127.0.0.1:8080"
    }
  }
}
And this is my Dockerfile:
FROM ruby:2
RUN gem install ronin-support
COPY rails_rce.rb .
Finally, this is the total output when I run docker build .:
Sending build context to Docker daemon 11.26kB
Step 1/3 : FROM ruby:2
---> 343d2dc24f38
Step 2/3 : RUN gem install ronin-support
---> Running in 150bf40c6ad8
ERROR: Could not find a valid gem 'ronin-support' (>= 0), here is why:
Unable to download data from https://rubygems.org/ - Errno::ECONNREFUSED: Failed to open TCP connection to 127.0.0.1:8080 (Connection refused - connect(2) for "127.0.0.1" port 8080) (https://rubygems.org/specs.4.8.gz)
The command '/bin/sh -c gem install ronin-support' returned a non-zero code: 2
I'm new to creating my own Dockerfiles and config.
It's the same thing as when you need to connect from the container to the host on Mac.
You should use host.docker.internal instead of localhost.
So the config will be:
{
  "proxies": {
    "default": {
      "httpProxy": "http://host.docker.internal:8080",
      "httpsProxy": "http://host.docker.internal:8080"
    }
  }
}
Also, you need to add the BurpSuite CA to your container.
Firstly, convert it to PEM:
openssl x509 -inform der -in cacert.der -out burp_cert.crt
Then add it to the trusted CAs in the container via the Dockerfile:
FROM ruby:2
COPY burp_cert.crt /usr/local/share/ca-certificates/burp.crt
RUN update-ca-certificates
RUN gem install ronin-support
COPY rails_rce.rb .

microk8s untrusted dashboard - how to verify certificate

I am trying out microk8s following this
I am getting a certificate error when browsing the dashboard (multipass ls - ip address).
I guess I need to copy and verify the kubernetes certificate from the multipass host (macOS) in the macOS keychain?