Hi all,

I think the problem is somewhere in the proxy setup (nginx) that the registry 
is running behind. 

When I try it with a registry that does the TLS on its own without proxy, but 
with the same certificates I used before, then mesos pulls the docker images 
and executes the job.

Sorry for spamming. I will update you when I know what the problem was.

Thanks,
Ben


> On 27. Aug 2020, at 17:05, Benjamin Wulff <benjamin.wulff...@ieee.org> wrote:
> 
> Hi Jose,
> 
> yes, I configured the registry as an insecure registry. I also verified that 
> I can use the docker command to pull from this registry
> 
> docker pull mother:5000/ben/experiment:1
> 
> But the problem is that Mesos calls curl to query the registry (I suppose) 
> (1). 
> 
> The point where I am at right now is:
> - when using a registry with HTTP: mesos curl fails because it assumes HTTPS 
> and the registry answers in HTTP
> - when using a registry with HTTPS: mesos curl fails because it doesn’t know 
> my CA certificate
> 
> What’s puzzling me is that I have installed the CA cert in the OS’s 
> trust-store and when I do curl on the command line
> 
> curl https://mother:5000/v2/_catalog
> 
> then it works. I can see in [1] that mesos seems to use the curl that is 
> installed in the host OS, see [1] line 158. It uses Subprocess and calls 
> ‘curl’ which should yield calling the curl that is installed in the OS. That 
> should be the same curl that is available to users in the console.
> 
> Thanks,
> Ben
> 
> 
> 
> (1) 
> https://github.com/apache/mesos/blob/master/src/uri/fetchers/docker.cpp#L104
> 
>> On 27. Aug 2020, at 16:06, Jose Nunez <jnu...@striketechnologies.com> wrote:
>> 
>> Hello,
>> 
>> I do not use Mesos currently but this is what I did in the Docker settings.
>> 
>> If you don't care about encryption you can tell docker to use an insecure 
>> registry. On /etc/docker/daemon.json:
>> 
>> {
>>  "insecure-registries" : [ "myregistrymachine.domain:port" ],
>>  "features": {
>>      "buildkit": true
>>  }
>> }
>> 
>> Where port is your registry port (5000, etc.)
>> 
>> Then restart Docker daemon (systemctl restart docker.service for example)
>> 
>> And confirm the insecure registry is there: docker info
>> 
>> If you have set up user authentication you can test this with docker login:
>> 
>> docker login myregistrymachine.domain:port
>> 
>> [YYYY@ZXXXX ~]$ docker login myregistrymachine.domain:port
>> Authenticating with existing credentials...
>> WARNING! Your password will be stored unencrypted in 
>> /home/YYYY/.docker/config.json.
>> Configure a credential helper to remove this warning. See
>> https://docs.docker.com/engine/reference/commandline/login/#credentials-store
>> 
>> Login Succeeded
>> 
>> 
>> Hope this helps.
>> 
>> --Jose
>> 
>> -----Original Message-----
>> From: Benjamin Wulff <benjamin.wulff...@ieee.org>
>> Sent: Thursday, August 27, 2020 9:58 AM
>> To: user@mesos.apache.org
>> Subject: Docker registry without HTTPS
>> 
>> Hi all,
>> 
>> I’m running a Docker registry in my cluster network that does plain HTTP, no 
>> HTTPS. I tried to configure it using docker_registry and docker_config 
>> options, providing an http:// address. When I try to run a 
>> Docker image in a task it fails and I see in the log a message that CURL SSL 
>> got a malformed TLS answer. So apparently Mesos still tells curl to do 
>> whatever it should do via HTTPS.
>> 
>> I have seen posts that seem to indicate that it will switch to HTTP 
>> automatically when you provide port ‘:80’ as part of the URI for the 
>> registry. However, I cannot put the registry on 80 because there is already 
>> a Webserver sitting that is used for distributing artefacts in the cluster.
>> 
>> -> Is there a way to tell Mesos that it (respectively curl) should use HTTP 
>> instead of HTTPS?
>> 
>> Thanks and best regards,
>> Ben
>> 
>> PS: I also saw in the logs:
>> 
>> curl: option --http1.1: is unknown
>> curl: try 'curl --help' or 'curl --manual' for more information
>> 
> 
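
An added diagnostic sketch, not part of the original thread and not Mesos code: it classifies a registry endpoint the way a certificate-verifying HTTPS client sees it, separating the two failure modes listed above (a cleartext HTTP answer to a TLS handshake, and a certificate that does not verify against the chosen trust store). The function names `probe_registry` and `speaks_plain_http` and the returned labels are assumptions made for this example.

```python
import socket
import ssl
import sys

def speaks_plain_http(host, port, timeout=3.0):
    """Return True if the endpoint answers a cleartext request with an HTTP status line."""
    request = f"GET /v2/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            return sock.recv(16).startswith(b"HTTP/")
    except OSError:
        return False

def probe_registry(host, port, cafile=None, timeout=3.0):
    """Classify a registry endpoint as a verifying TLS client would see it.

    cafile=None verifies against the system trust store; pass a PEM file to
    verify against one specific CA certificate only.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-verified"
    except ssl.SSLCertVerificationError:
        # Unknown CA, incomplete chain, hostname mismatch or expired certificate.
        return "tls-untrusted"
    except ssl.SSLError:
        # The handshake broke before any certificate was checked; see whether
        # the server is simply answering in cleartext HTTP on this port.
        return "plain-http" if speaks_plain_http(host, port, timeout) else "tls-error"
    except OSError:
        # Connection refused, timed out, or the name did not resolve.
        return "unreachable"

if __name__ == "__main__":
    # Usage: python probe.py HOST PORT [CA_PEM_FILE]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_registry(host, port, cafile))
```

Running it once without a CA file and once with the CA's PEM file shows whether the system trust store and the explicit CA give the same verdict for the same endpoint.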
