Hi all,

I think the problem is somewhere in the proxy setup (nginx) that the registry is running behind.
When I try it with a registry that does the TLS on its own without proxy, but with the same certificates I used before, then mesos pulls the docker images and executes the job.

Sorry for spamming. I will update you when I know what the problem was.

Thanks,
Ben

> On 27. Aug 2020, at 17:05, Benjamin Wulff <benjamin.wulff...@ieee.org> wrote:
>
> Hi Jose,
>
> yes, I configured the registry as an insecure registry. I also verified that
> I can use the docker command to pull from this registry
>
> docker pull mother:5000/ben/experiment:1
>
> But the problem is that Mesos calls curl to query the registry (I suppose)
> (1).
>
> The point where I am at right now is:
> - when using a registry with HTTP: mesos curl fails because it assumes HTTPS
>   and the registry answers in HTTP
> - when using a registry with HTTPS: mesos curl fails because it doesn’t know
>   my CA certificate
>
> What’s puzzling me is that I have installed the CA cert in the OS’s
> trust-store and when I do curl on the command line
>
> curl https://mother:5000/v2/_catalog
>
> then it works. I can see in [1] that mesos seems to use the curl that is
> installed in the host OS, see [1] line 158. It uses Subprocess and calls
> ‘curl’ which should yield calling the curl that is installed in the OS. That
> should be the same curl that is available to users in the console.
>
> Thanks,
> Ben
>
> (1)
> https://github.com/apache/mesos/blob/master/src/uri/fetchers/docker.cpp#L104
>
>> On 27. Aug 2020, at 16:06, Jose Nunez <jnu...@striketechnologies.com> wrote:
>>
>> Hello,
>>
>> I do not use Mesos currently but this is what I did in the Docker settings.
>>
>> If you don't care about encryption you can tell docker to use an insecure
>> registry. On /etc/docker/daemon.json:
>>
>> {
>>   "insecure-registries" : [ "myregistrymachine.domain:port" ],
>>   "features": {
>>     "buildkit": true
>>   }
>> }
>>
>> Where port is your registry port (5000, etc.)
>>
>> Then restart Docker daemon (systemctl restart docker.service for example)
>>
>> And confirm the insecure registry is there: docker info
>>
>> If you have setup user authentication you can test this with docker login:
>>
>> docker login myregistrymachine.domain:port
>>
>> [YYYY@ZXXXX ~]$ docker login myregistrymachine.domain:port
>> Authenticating with existing credentials...
>> WARNING! Your password will be stored unencrypted in
>> /home/YYYY/.docker/config.json.
>> Configure a credential helper to remove this warning. See
>> https://docs.docker.com/engine/reference/commandline/login/#credentials-store
>>
>> Login Succeeded
>>
>> Hope this helps.
>>
>> --Jose
>>
>> -----Original Message-----
>> From: Benjamin Wulff <benjamin.wulff...@ieee.org>
>> Sent: Thursday, August 27, 2020 9:58 AM
>> To: user@mesos.apache.org
>> Subject: Docker registry without HTTPS
>>
>> Hi all,
>>
>> I’m running a Docker registry in my cluster network that does plain HTTP, no
>> HTTPS. I tried to configure it using docker_registry and
>> docker_config options, providing an http:// address. When I try to run a
>> Docker image in a task it fails and I see in the log a message that CURL SSL
>> got a malformed TLS answer. So apparently Mesos still tells curl to do
>> whatever it should do via HTTPS.
>>
>> I have seen posts that seem to indicate that it will switch to HTTP
>> automatically when you provide port ‘:80’ as part of the URI for the
>> registry. However, I cannot put the registry on 80 because there is already
>> a Webserver sitting that is used for distributing artefacts in the cluster.
>>
>> —> Is there a way to tell Mesos that it (respectively curl) use HTTP instead
>> of HTTPS?
>>
>> Thanks and best regards,
>> Ben
>>
>> PS: I also saw in the logs:
>>
>> curl: option —http1.1: is unknown
>> curl: try ‘curl —help’ or ‘curl —manual’ for more information
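Added example, not part of the thread and not Mesos code: a small Python probe to run on the agent host that separates the two failure modes described above (the registry answers plain HTTP where HTTPS is expected, or it speaks TLS with a certificate the trust store does not accept). The function names are hypothetical, and Python's default trust store is an assumption here; it may differ from the CA bundle curl uses, so pass `cafile` to test one specific bundle.

```python
import socket
import ssl


def _probe_plain_http(host, port, timeout):
    """Send a cleartext GET /v2/ and check whether an HTTP status line comes back."""
    request = f"GET /v2/ HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            first = s.recv(16)
    except OSError:
        return "unreachable"
    return "plain-http" if first.startswith(b"HTTP/") else "unknown-protocol"


def probe_registry(host, port, cafile=None, timeout=5.0):
    """Classify what a registry endpoint speaks, as seen from this host.

    Returns 'https-trusted', 'https-untrusted-cert', 'plain-http',
    'unknown-protocol' or 'unreachable'.
    """
    # cafile=None uses OpenSSL's default trust store (assumption: this is the
    # store the CA was installed into); pass a PEM path to test another bundle.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "https-trusted"
    except ssl.SSLCertVerificationError:
        # TLS is spoken, but the chain or hostname does not validate here.
        return "https-untrusted-cert"
    except OSError:
        # Any other handshake failure (ssl.SSLError, reset, timeout):
        # fall through and check whether the port answers cleartext HTTP.
        pass
    finally:
        raw.close()
    return _probe_plain_http(host, port, timeout)


if __name__ == "__main__":
    # Host and port taken from the thread; adjust for your registry.
    print(probe_registry("mother", 5000))
```

Running it as the same user and with the same environment as the Mesos agent shows whether that process context sees the same answer as an interactive shell.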