Hi all,

I think the problem is somewhere in the proxy setup (nginx) that the registry 
is running behind. 

When I try it with a registry that does the TLS on its own without proxy, but 
with the same certificates I used before, then mesos pulls the docker images 
and executes the job.

Sorry for spamming. I will update you when I know what the problem was.


> On 27. Aug 2020, at 17:05, Benjamin Wulff <benjamin.wulff...@ieee.org> wrote:
> Hi Jose,
> yes, I configured the registry as an insecure registry. I also verified that 
> I can use the docker command to pull from this registry
> docker pull mother:5000/ben/experiment:1
> But the problem is that Mesos calls curl to query the registry (I suppose) 
> (1). 
> The point where I am at right now is:
> - when using a registry with HTTP: mesos curl fails because it assumes HTTPS 
> and the registry answers in HTTP
> - when using a registry with HTTPS: mesos curl fails because it doesn’t know 
> my CA certificate
> What’s puzzling me is that I have installed the CA cert in the OS’s 
> trust-store and when I do curl on the command line
> curl https://mother:5000/v2/_catalog
> then it works. I can see in [1] that mesos seems to use the curl that is 
> installed in the host OS, see [1] line 158. It uses Subprocess and calls 
> ‘curl’ which should yield calling the curl that is installed in the OS. That 
> should be the same curl that is available to users in the console.
> Thanks,
> Ben
> (1) 
> https://github.com/apache/mesos/blob/master/src/uri/fetchers/docker.cpp#L104
>> On 27. Aug 2020, at 16:06, Jose Nunez <jnu...@striketechnologies.com> wrote:
>> Hello,
>> I do not use Mesos currently, but this is what I did in the Docker settings.
>> If you don't care about encryption you can tell docker to use an insecure 
>> registry. On /etc/docker/daemon.json:
>> {
>>  "insecure-registries" : [ "myregistrymachine.domain:port" ],
>>  "features": {
>>      "buildkit": true
>>  }
>> }
>> Where port is your registry port (5000, etc.)
>> Then restart Docker daemon (systemctl restart docker.service for example)
>> And confirm the insecure registry is there: docker info
>> If you have setup user authentication you can test this with docker login:
>> docker login myregistrymachine.domain:port
>> [YYYY@ZXXXX ~]$ docker login myregistrymachine.domain:port
>> Authenticating with existing credentials...
>> WARNING! Your password will be stored unencrypted in 
>> /home/YYYY/.docker/config.json.
>> Configure a credential helper to remove this warning. See
>> https://docs.docker.com/engine/reference/commandline/login/#credentials-store
>> Login Succeeded
>> Hope this helps.
>> --Jose
>> -----Original Message-----
>> From: Benjamin Wulff <benjamin.wulff...@ieee.org>
>> Sent: Thursday, August 27, 2020 9:58 AM
>> To: user@mesos.apache.org
>> Subject: Docker registry without HTTPS
>> Hi all,
>> I’m running a Docker registry in my cluster network that does plain HTTP, no 
>> HTTPS. I tried to configure it using docker_registry and
>> docker_config options, providing an http:// address. When I try to run a 
>> Docker image in a task it fails and I see in the log a message that CURL SSL 
>> got a malformed TLS answer. So apparently Mesos still tells curl to do 
>> whatever it should do via HTTPS.
>> I have seen posts that seem to indicate that it will switch to HTTP 
>> automatically when you provide port ‘:80’ as part of the URI for the 
>> registry. However, I cannot put the registry on 80 because there is already 
>> a Webserver sitting that is used for distributing artefacts in the cluster.
>> —> Is there a way to tell Mesos that it (respectively curl) use HTTP instead 
>> of HTTPS?
>> Thanks and best regards,
>> Ben
>> PS: I also saw in the logs:
>> curl: option --http1.1: is unknown
>> curl: try 'curl --help' or 'curl --manual' for more information

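The two failure modes described in the quoted message above (a client that assumes HTTPS against a registry answering plain HTTP, and HTTPS with a certificate chain the client cannot verify) can be told apart with a small probe. This is an added example, not part of the thread and not Mesos code; the function name `probe_registry` and its return labels are hypothetical.

```python
import socket
import ssl


def probe_registry(host, port, cafile=None, timeout=5.0):
    """Classify how host:port answers a client that starts out speaking HTTPS.

    Returns "tls-ok", "tls-verify-failed", "plain-http", "unknown" or
    "unreachable". cafile=None verifies against the OS trust store; pass a
    PEM file to test one specific CA certificate on its own.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls-ok"
    except ssl.SSLCertVerificationError:
        # The server speaks TLS, but the chain or hostname does not verify
        # with the CA set in use.
        return "tls-verify-failed"
    except OSError:
        pass  # not TLS, or nothing listening: find out with a plain request

    # Second attempt without TLS: ask for the registry API root in clear text.
    request = (
        f"GET /v2/ HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    )
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            reply = raw.recv(16)
    except OSError:
        return "unreachable"
    # An HTTP status line here means the TLS failure above was a plain-HTTP
    # server answering a TLS ClientHello.
    return "plain-http" if reply.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_registry(host, port, cafile))
```

Running it once with no CA file and once with the private CA's PEM file, under the same user and environment as the process that fails, shows whether that environment sees the same trust store as the interactive shell.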