Hello Benjamin,

Can you share your NGINX settings? This seems to work for me:

upstream dockerregistry {
    ip_hash;
    server server1.domain:5000;
    server server2.domain:5000;
    server server3.domain:5000;
}

server {
    listen 5000;
    location / {
        proxy_pass         http://dockerregistry;
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
    }
}

Regards,

--Jose

-----Original Message-----
From: Benjamin Wulff <benjamin.wulff...@ieee.org>
Sent: Friday, August 28, 2020 4:07 AM
To: user@mesos.apache.org
Subject: Re: Docker registry without HTTPS

Hi all,

I think the problem is somewhere in the proxy setup (nginx) that the registry 
is running behind.

When I try it with a registry that does the TLS on its own without proxy, but 
with the same certificates I used before, then mesos pulls the docker images 
and executes the job.

Sorry for spamming. I will update you when I know what the problem was.

Thanks,
Ben


> On 27. Aug 2020, at 17:05, Benjamin Wulff <benjamin.wulff...@ieee.org> wrote:
>
> Hi Jose,
>
> yes, I configured the registry as an insecure registry. I also
> verified that I can use the docker command to pull from this registry
>
> docker pull mother:5000/ben/experiment:1
>
> But the problem is that Mesos calls curl to query the registry (I suppose) [1].
>
> The point where I am at right now is:
> - when using a registry with HTTP: mesos curl fails because it assumes
> HTTPS and the registry answers in HTTP
> - when using a registry with HTTPS: mesos curl fails because it
> doesn’t know my CA certificate
>
> What’s puzzling me is that I have installed the CA cert in the OS’s
> trust-store and I when I do curl on the command line
>
> curl https://mother:5000/v2/_catalog
>
> then it works. I can see in [1] that mesos seems to use the curl that is 
> installed in the host OS, see [1] line 158. It uses Subprocess and calls 
> ‘curl’ which should yield calling the curl that is installed in the OS. That 
> should be the same curl that is available to users in the console.
>
> Thanks,
> Ben
>
>
>
> [1]
> https://github.com/apache/mesos/blob/master/src/uri/fetchers/docker.cpp#L104
>
>> On 27. Aug 2020, at 16:06, Jose Nunez <jnu...@striketechnologies.com> wrote:
>>
>> Hello,
>>
>> I do not use Mesos currently but this is what I did in the Docker settings.
>>
>> If you don't care about encryption you can tell docker to use an insecure 
>> registry. On /etc/docker/daemon.json:
>>
>> {
>>   "insecure-registries": [ "myregistrymachine.domain:port" ],
>>   "features": {
>>     "buildkit": true
>>   }
>> }
>>
>> Where port is your registry port (5000, etc.)
>>
>> Then restart the Docker daemon (systemctl restart docker.service, for
>> example)
>>
>> And confirm the insecure registry is there: docker info
>>
>> If you have set up user authentication you can test this with docker login:
>>
>> docker login myregistrymachine.domain:port
>>
>> [YYYY@ZXXXX ~]$ docker login myregistrymachine.domain:port
>> Authenticating with existing credentials...
>> WARNING! Your password will be stored unencrypted in 
>> /home/YYYY/.docker/config.json.
>> Configure a credential helper to remove this warning. See
>> https://docs.docker.com/engine/reference/commandline/login/#credentials-store
>>
>> Login Succeeded
>>
>>
>> Hope this helps.
>>
>> --Jose
>>
>> -----Original Message-----
>> From: Benjamin Wulff <benjamin.wulff...@ieee.org>
>> Sent: Thursday, August 27, 2020 9:58 AM
>> To: user@mesos.apache.org
>> Subject: Docker registry without HTTPS
>>
>> Hi all,
>>
>> I'm running a Docker registry in my cluster network that does plain HTTP, no 
>> HTTPS. I tried to configure it using the docker_registry and docker_config 
>> options, providing an http:// address. When I try to run a Docker image in a 
>> task it fails and I see in the log a message that CURL SSL got a malformed TLS 
>> answer. So apparently Mesos still tells curl to do whatever it should do via 
>> HTTPS.
>>
>> I have seen posts that seem to indicate that it will switch to HTTP 
>> automatically when you provide port ':80' as part of the URI for the 
>> registry. However, I cannot put the registry on 80 because there is already 
>> a webserver sitting there that is used for distributing artefacts in the cluster.
>>
>> --> Is there a way to tell Mesos that it (respectively curl) should use HTTP 
>> instead of HTTPS?
>>
>> Thanks and best regards,
>> Ben
>>
>> PS: I also saw in the logs:
>>
>> curl: option --http1.1: is unknown
>> curl: try 'curl --help' or 'curl --manual' for more information
>>
>

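As an added diagnostic (not code from this thread, from Mesos or from Docker), the probe below classifies a registry endpoint the way an https:// client such as the Mesos curl fetcher experiences it: plain HTTP answering on the port (what curl reports as a malformed TLS answer), TLS from a CA the client does not trust, or a working TLS endpoint. `serve_fake_plain_registry` is a constructed stand-in for a registry (or nginx in front of one) that speaks plain HTTP, so the script runs offline; `cafile` is an assumed parameter naming the private CA bundle.

```python
import socket, ssl, threading

REGISTRY_HDR = b"Docker-Distribution-Api-Version: registry/2.0"

def plain_http_is_registry(host, port, timeout=5.0):
    """Plain-HTTP GET /v2/; True if a Docker v2 registry identifies itself."""
    req = b"GET /v2/ HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        with s.makefile("rb") as f:
            reply = f.read()  # the server closes the connection after answering
    return REGISTRY_HDR.lower() in reply.lower()

def probe_registry(host, port, cafile=None, timeout=5.0):
    """Classify host:port the way an https:// client such as the Mesos curl fetcher
    experiences it. cafile is the private CA bundle; None means the OS trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-ok"  # handshake and chain verification both passed
    except ssl.SSLCertVerificationError:
        return "untrusted-cert"  # TLS is served, but not by a CA we trust
    except OSError as e:  # ssl.SSLError is an OSError subclass
        # An HTTP status line arriving where a TLS record was expected is reported by
        # OpenSSL as WRONG_VERSION_NUMBER, which curl surfaces as a malformed TLS answer.
        if "WRONG_VERSION_NUMBER" not in str(e):
            return "tls-error"
    return "plain-http-registry" if plain_http_is_registry(host, port, timeout) else "plain-http"

def serve_fake_plain_registry():
    """Constructed stand-in for a registry (or nginx in front of one) that speaks plain
    HTTP on its port; serves from a daemon thread and returns the port number."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:  # a TLS ClientHello is not a valid HTTP request line, so: 400
                ok = conn.recv(4096).startswith(b"GET /v2/")
                conn.sendall(b"HTTP/1.1 200 OK\r\n" + REGISTRY_HDR + b"\r\nContent-Length: 0\r\n\r\n"
                             if ok else b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = serve_fake_plain_registry()
    print(port, probe_registry("127.0.0.1", port))  # plain-http-registry
```

Run against the real registry host and port with `cafile` pointing at the private CA; "untrusted-cert" with `cafile=None` but "tls-ok" with the CA bundle is the signature of a working proxy whose CA the client simply does not know.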